
Executive Summary
- Due to the greater adoption and importance of AI and Machine Learning models for financial institutions, OSFI has released an updated model risk management guideline effective May 1st, 2027
- There are important changes for banks and trust companies that they should start planning for, including:
  - An expanded definition of what qualifies as a model
  - New methods for rating model risk, and an expectation that these ratings drive differential risk management practices
  - Expectations of organizations to establish model explainability requirements
  - A new emphasis on mitigating risk from model data sources and during model deployment
- These expectations apply to institutions whether they develop their models in house or purchase third-party models (i.e., credit or fraud scores)
- Strong model risk management practices can be a competitive advantage – institutions should take this opportunity to strengthen this skill
- Payson Solutions has been helping companies build and effectively mitigate the risk of AI/ML models for nearly a decade and is uniquely positioned to help
Navigating OSFI’s Updated Guideline E-23: Key Implications
Payson Solutions is a boutique consulting firm that helps banks and fintechs improve lending decisions through smarter use of their own data. By helping clients build proprietary models and policies, we have witnessed firsthand how increasingly complex AI/ML models can drive stronger predictive value for companies but also introduce new risks. With OSFI’s updated Guideline E-23 now released, many of our clients have been asking what it means for their business and what actions they need to take to ensure they are meeting the new expectations for managing model risk.
Nearly a decade after OSFI first introduced Guideline E-23, the model risk landscape looks entirely different. Complex ML and generative AI models are now powering critical business decisions, customer interactions, and process automation. In response, OSFI released an updated guide in September 2025 to modernize and clarify its expectations for model risk management in this new environment.
With the updated Guideline E-23 taking effect on May 1st, 2027, we’ve outlined several key changes that banks and trust companies should start preparing for. Institutions that plan proactively can avoid last-minute compliance challenges and leverage model risk management as a competitive advantage.
- Expanded model definition and scope of model risk management
One of the most significant changes in the updated guidance is the expanded definition of a model to explicitly include AI/ML methodologies. Under the previous definition, models were methodologies, approaches, or systems that generated quantitative estimates. The new guideline defines a model as a system that “processes input data to generate results” that are useful to the business. The new expanded definition now encompasses generative AI, decision-support algorithms, and administrative workflow automation – not just financial models. The outputs of these models can be probabilistic, complex, and sometimes non-intuitive. OSFI emphasizes this broader scope by adding operational risk alongside financial and reputational risk to its definition of Model Risk. As a result, more models will need to be inventoried, validated, and managed under model risk frameworks.
OSFI expects institutions to establish defined processes to periodically survey their entire enterprise to identify and track all models, including vendor and third-party models. Every model must be assigned a risk rating, and any model with non-negligible inherent model risk is subject to model lifecycle governance requirements. This is in contrast to the expectation in the 2017 Guideline to identify the most material models (with an emphasis on those that drove decisions on how much capital to hold).
- Model risk ratings drive risk management practices and lifecycle management
The introduction of Model Risk Ratings in the 2027 Guideline replaces the previous Model Risk Materiality classification, which had guided approval standards and prioritized model reviews and validation activities. Institutions will now need defined processes for assigning model risk ratings, supported by clear and measurable criteria for each risk dimension, and incorporating both quantitative and qualitative factors. OSFI emphasizes that governance should be proportional to the model’s level of risk.
The model’s risk rating must now drive key elements of the governance and lifecycle management, including:
- The level of authority required to approve the model
- Documentation requirements
- Differential policies, procedures, and controls across the Model Management Lifecycle (from data gathering and development, to approval, deployment, and monitoring)

- New risk management practices in lifecycle management
A new expectation in the 2027 Guideline is that institutions establish explainability requirements for both the model development process and data inputs. This addresses OSFI’s concern with advanced AI/ML techniques being used to create “black box” models, which may lead to challenges for transparency, accountability, and oversight.
The 2027 Guideline also places a stronger emphasis on developing sound risk management practices for both data used in models and for model deployment. Throughout our careers, we have seen many examples of risks emerging from poorly understood data sources and from issues introduced during deployment. This is especially crucial for AI/ML models, which can easily mirror bias in underlying data or produce unexpected outputs due to implementation issues. Establishing disciplined practices to ensure data sources are well understood and documented, and that production deployments are thoroughly tested, will help institutions mitigate these risks.
- Strong model risk management can drive better results
There is a temptation to treat this regulatory expectation as a check-the-box exercise; however, we have seen institutions turn effective model risk management into a competitive advantage. Companies that manage model risk effectively across a model’s lifecycle can more quickly identify models that need improvement or replacement, resulting in more robust models driving key decisions. At the end of the day, in banking, risk management is the business.
Payson’s Actionable Approach to Meeting Guideline E-23 Expectations
Ensure your model risk management policies and documentation outline:
- The organization’s approach to assessing and mitigating model risk
- The organization’s appetite for model risk and how it fits into the company’s overall risk management framework
- The processes and requirements to identify, assess, manage, monitor, and report on model risk
- How model risk is communicated at different levels of the organization and to the Board of Directors
- Key roles, responsibilities, and accountability within the model risk management function consistent with the roles outlined by OSFI
Payson In Action: Our team can audit or develop a Model Risk Management Policy to ensure it meets OSFI’s expectations.
Build or review your model inventory system
- Companies are required to maintain an up-to-date inventory of all models at the enterprise level, regardless of their risk rating
- Ensure that required documentation and information are captured for models with non-negligible risk ratings
Payson In Action: Our team can audit existing systems or assist in building a comprehensive model inventory to meet these requirements.
Establish or review processes and best practices for managing the model lifecycle
- OSFI has set expectations for companies to establish policies, procedures, and controls that apply across the model lifecycle and are commensurate with the risk rating of the model
- Beyond compliance, a consistent approach across the lifecycle can help organizations design and build more effective models and achieve better business outcomes, such as reducing credit losses and preventing fraud
Payson In Action: Our team can audit existing practices or help establish best-in-class processes to manage the lifecycle of a company’s models.
Ensure model documentation meets requirements
- Part of the updated 2027 Guideline is ensuring that all models, including internal and external models, have sufficient documentation detailing:
  - How the model should be set up and run, including its limitations
  - Model assumptions and methodology
  - Processes for creating and maintaining the data used to develop the model
Payson In Action: Our team can audit existing documentation and help establish enterprise-wide standards to ensure all model documentation meets regulatory expectations.
Build your talent and support training
- A key element of Guideline E-23 is ensuring that companies have a cross-functional team with the resources, skills, and experience to manage model risk effectively
- The guidance places particular emphasis on expertise in emerging technologies such as AI to ensure that organizations are adequately prepared to handle novel risks
Payson In Action: Our team brings practical experience with advanced AI/machine learning models, model risk assessment, and effective challenge and oversight, helping organizations build stronger models, reduce regulatory risk, and support better business outcomes.
Why Payson Solutions Is Uniquely Positioned to Help
Payson Solutions combines deep expertise in credit risk strategy and financial products with hands-on experience helping companies meet OSFI’s expectations. We assist organizations in realizing the value of predictive models while establishing policies and processes to effectively mitigate model risk. Across dozens of engagements, teams have relied on our experience to build, validate, and optimize models that support data-driven strategies from acquisition through collections. Our founder, Brent Reynolds, brings extensive experience as the former Chief Credit Officer, Model Risk Officer, and head of Customer Experience for Capital One in Canada.
Ready to get more value from your models while meeting regulatory expectations?
Let's chat.
https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/guideline-e-23-model-risk-management-2027







