Canada | Publication | October 9, 2025
The Office of the Superintendent of Financial Institutions (OSFI) recently published Guideline E-23 Model Risk Management (2027) (the Guideline)1, which sets out comprehensive risk management requirements regarding the use of traditional actuarial models and emerging artificial intelligence and machine learning models.
The Guideline will be effective as of May 1, 2027, after an 18-month transition period. It will apply to all federally regulated financial institutions (FRFIs), including foreign bank and insurance company branches.
The Guideline responds to the fact that models are increasingly central to decision-making, including in business areas that have not traditionally relied on them. OSFI aims to minimize FRFIs’ risk of financial and operational losses and reputational damage linked to the increased use of models.
OSFI’s central requirement is for FRFIs to establish an enterprise-wide model risk management (MRM) framework. The MRM framework should enable FRFIs to understand and manage model risk across the enterprise and the entire model lifecycle, using a risk-based approach.
The Guideline’s scope is wide, with the components of a model being understood as data input, processing to identify relationships between inputs based on assumptions or statistical techniques (including, but not limited to, AI and machine learning), and output in a useful format for business lines and control functions.
FRFIs must ensure model risk is well understood and managed. Senior management should hold an enterprise-wide view of the risks, establish effective reporting, and allocate appropriate resources to support model governance and reporting to the board of directors regarding model risk. This includes setting up multi-disciplinary teams composed of personnel with the necessary skills and experience to manage model risk.
The MRM framework to be established by FRFIs must align with their strategic objectives and risk appetites. Models used by FRFIs should be appropriate for their business purposes. Therefore, OSFI expects MRM frameworks to set out processes for identifying, managing and reporting model risk in a manner that fits within the FRFI’s broader governance structure.
OSFI recognizes that not all model risk can be eliminated and residual model risk may remain after an adequate MRM framework is implemented. In addition, the requirements under the Guideline are subject to proportionality. The approach chosen by an FRFI should reflect its size, business and strategy, as well as its risk profile and interconnectedness with other financial institutions.
FRFIs should identify and track the models they use or that have been recently decommissioned and must keep a model inventory. The model inventory must be exhaustive, including any model that has been developed in-house as well as by third parties, regardless of ownership.
Based on the model inventory, FRFIs must classify and assess each model’s inherent risk. OSFI expects the rating exercise to be based on both quantitative factors, such as operational or financial impacts, and qualitative factors, such as model complexity, customer impacts and regulatory risk.
Based on the risk rating, the MRM should set out applicable governance requirements, including frequency, scope and intensity of reviews, documentation, monitoring and model approval. The MRM framework should provide for enhanced scrutiny regarding more critical or complex models compared to less risky models. Furthermore, based on the risk rating, the MRM should outline limits on model usage, safeguards and contingency planning.
As part of a dynamic lifecycle approach, MRM must address model risk during conception, use and decommissioning of models, and policies, procedures and controls under the MRM must provide for ongoing testing, monitoring and review throughout the model lifecycle. To meet this requirement, FRFIs will need to adopt policies allowing for flexibility, particularly to accommodate emerging or evolving technologies and organizational changes.
The Guideline sets out a series of key stages in a model lifecycle, from model design, data and development to deployment, monitoring and decommissioning. The policies and procedures under the MRM are required to address a series of aspects of each stage in the model lifecycle. In addition, Appendix 1 to the Guideline sets out minimum documentation requirements in relation to models.
It is important to note that due to the wide scope of the Guideline, relevant data processing is captured as well. OSFI expects FRFIs to implement controls to verify the data quality and its appropriateness. Data and models from third parties must be identified and managed, taking into account both the Guideline and OSFI’s Guideline B-10 Third-Party Risk Management Guideline.
OSFI recognizes that FRFIs are increasingly relying on a vast set of complex models to inform decision-making. In this context, the Guideline fills gaps left by the stalled Artificial Intelligence and Data Act and aims to balance innovation and risk management with a technology-neutral, principles-based approach. However, OSFI cautions that models should only be used when they contribute meaningfully to decision-making and risk assessment. In this regard, OSFI expects FRFIs to formulate clear statements of a model’s purpose and ensure adequate data, systems, and technology are available for such purpose.
OSFI’s approach is aligned with a recent Quebec Autorité des Marchés Financiers (AMF) publication that sets out an approach to AI risk management based on risk rating and lifecycle management. For further information on the AMF’s draft Guideline on the Use of Artificial Intelligence, please see our recent publication.2
© Norton Rose Fulbright LLP 2025