Oversight of AI use in financial services: Alignment between the AMF guideline and OSFI’s Guideline B 13

As artificial intelligence (AI) increasingly becomes a strategic driver within Canadian financial institutions, the regulatory framework governing the use of emerging technologies has also been significantly strengthened in recent years. 

In this context, on July 3 the Autorité des marchés financiers (AMF, Quebec's securities regulator) published, for consultation, its Guideline for the Use of Artificial Intelligence, which outlines the expectations applicable to financial institutions regarding the responsible use of artificial intelligence systems (AIS) (see here for more details). The requirements set out in this guideline were examined in a previous publication. This new framework complements the Office of the Superintendent of Financial Institutions (OSFI)’s Guideline B-13, in effect since January 2024, which governs technology and cyber risk management for federally regulated financial institutions (FRFIs). 

Although distinct in their approaches, the two guidelines pursue converging objectives and will now need to be applied in parallel by financial sector institutions operating both in Quebec and under federal regulation. This coexistence raises a practical challenge: how can these requirements be harmonized to avoid duplicating efforts and ensure consistent implementation?

This overview compares the two regulatory frameworks, highlighting areas of convergence and key integration levers to help institutions establish unified and effective technology governance.

Strategic alignment

While the AMF guideline specifically targets AIS, it builds on the broader technology risk management principles set out by OSFI. Both guidelines are grounded in a risk-based approach, establish clear governance expectations and place a strong emphasis on operational resilience.

Financial institutions can leverage the governance structures, technology validation processes and ongoing monitoring mechanisms already implemented under Guideline B-13 to address many of the AMF’s expectations.

Leveraging points of convergence

To avoid duplicating efforts, financial institutions can capitalize on the many overlaps between the two guidelines. The roles and responsibilities outlined in OSFI’s Guideline B-13 for technology governance can be extended to AIS, notably by assigning an individual to each system and ensuring clear lines of accountability up to senior management. 

Similarly, the technology lifecycle management processes set out in Guideline B-13 (including system development lifecycle practices) can be adapted to incorporate AIS-specific stages such as design, validation and ongoing monitoring, including integrating performance metrics and bias detection mechanisms.

The technology asset inventory required under Guideline B-13 can also be expanded to include the AIS-specific data the AMF requires institutions to track, such as risk ratings, training data and explainability features. Technology incident management protocols can be expanded to cover risks specific to AI, such as model drift, discrimination and bias, hallucinations, or intellectual property infringements.

Data protection is also an obvious point of convergence. OSFI addresses this issue from the perspective of information security, confidentiality and availability, while the AMF sets out additional requirements, particularly regarding data quality and limitations on data use. Internal data protection policies can therefore be harmonized into a single coherent set to cover the specific risks associated with AIS, while building on the technical foundations already in place in accordance with OSFI requirements.

The AMF’s distinctive contributions

The AMF’s guideline imposes a set of new requirements specifically tailored to the challenges associated with using AI in financial services. 

The guideline provides for a modulation of obligations according to the risk rating assigned to each AIS, which influences validation, documentation and supervision requirements. It also emphasizes fair treatment of clients and transparency toward them, in particular by detecting biases and explaining automated decisions. Finally, it incorporates an environmental dimension by requiring greenhouse gas emissions associated with AIS be factored into the risk analysis.

Although these requirements are new, in many cases they can be integrated into the governance, risk management and technology oversight mechanisms already in place under Guideline B 13, provided their scope is broadened to address AI-specific considerations.

Meeting both AMF and OSFI requirements

Rather than multiplying processes, financial institutions may view this as a strategic opportunity to design an internal compliance framework that meets both the requirements of OSFI’s Guideline B-13 and the AMF’s AI expectations. This possibility is based on similarities observed in the regulatory approaches of the two regulatory bodies, particularly for governance, risk management and technology oversight. Such an approach will promote more efficient implementation of this framework for financial institutions subject to the requirements of both bodies, while strengthening the consistency and robustness of technology governance mechanisms.

The authors would like to thank Charles-Antoine Bordeleau, articling student, for his contribution to preparing this legal update.