E-23 guidelines: risk modeling in age of emerging technology risks

In 2017, the Office of the Superintendent of Financial Institutions (OSFI) issued Guideline E-23 governing model risk management. More recently, OSFI issued a draft Guideline (the Guideline) expanding E-23’s scope to include federally regulated financial institutions (FRFIs). The Guideline also expands the definition of a “model” to be all encompassing by capturing all phases of the “model lifecycle” from conception to development and use.

The Guideline recognizes that FRFIs are using artificial intelligence (AI) and machine learning models to inform their decision-making, which potentially exposes them to a heightened risk of financial and operational loss and reputational damage. 

The purpose of the Guideline is to ensure model use is adequately managed and the associated risks are minimized, monitored and mitigated. However, the Guideline makes clear that decisions on how to best manage risk are ultimately the responsibility of the organization. 

OSFI lists seven guiding principles of policies and procedures to be implemented into an organization’s framework as best practices. Key takeaways of these principles include: 

1. Developing, approving and implementing processes and controls that define expectations for each of a model’s lifecycle components. 
2. Considering size and complexity of the organization and a model’s usage within that organization. 
3. Establishing a model risk management framework that reflects the organization’s risk appetite and defines the process and requirements for identification, assessment, management and monitoring throughout a model’s lifecycle. 
4. Maintaining an inventory of all models used and in use. 
5. Implementing policies and procedures specific to each phase of the model lifecycle. 
6. Governing data within models. 
7. Implementing a risk rating scheme that considers quantitative and qualitative criteria. 

These principles are broad and place high standards on FRFIs and other organizations when monitoring and engaging with models. They require each phase of the model lifecycle be assessed individually, proportionately, and continually. OSFI recommends inventory be frequently updated and maintained and stakeholders be engaged throughout the process.

An important principle organizations should be aware of is the suggestion to establish and implement a model risk management framework. The model risk management framework should include various key elements such as: governance and accountability, model risk assessment and reporting, and a model risk rating. Even if the FRFI or other organization acquires a model from an external source, it is expected to establish and maintain a model risk management framework. 

The final guideline is expected to come into effect in July 2025. Additionally, the proposed Artificial Intelligence and Data Act (AIDA) is expected to be adopted this year, with a possible coming into force in 2025. AIDA is intended to hold businesses responsible for AI use by requiring them to implement governance mechanisms and policies and publicly disclose AI use to ensure users can make informed decisions. Compliance with the Guideline could assist organizations caught under AIDA’s disclosure requirements. For example, the Guideline recommends organizations maintain a centralized inventory of all models in use and decommissioned, meaning the Guideline recommends recording what AIDA requires to be disclosed. 

The authors would like to thank Samantha Hawthorne, summer student, for her contribution to preparing this legal update.