OSFI imposes strict AI oversight rules on Canadian insurance industry

New OSFI framework requires complete accounting of every insurance model

Canada's insurance regulator just dropped comprehensive rules governing AI and predictive models, with insurers facing a May 2027 compliance deadline. 

The Office of the Superintendent of Financial Institutions released Guideline E-23 – Model Risk Management on September 11, 2025, establishing a comprehensive framework for how life insurers, property and casualty companies, and fraternal companies must govern, validate, and monitor the models that increasingly drive their business decisions. 

The 21-page principles-based guideline takes effect May 1, 2027, giving federally regulated insurers time to overhaul how they manage everything from actuarial pricing models and underwriting algorithms to claims prediction systems and catastrophe modeling tools. 

OSFI states in the guideline's overview that the financial services industry is experiencing a rapid rise in digitalization and model applications amplified by the surge in artificial intelligence and machine learning models. "Institutions are increasingly relying on models to support or drive decision-making including in business areas that traditionally did not rely on models." 

The new framework starts with a simple requirement: know what models you have. Insurers must create and maintain a comprehensive inventory of every model that carries meaningful risk to their business. That inventory becomes the foundation for everything else, from internal oversight to reports sent to regulators. 

Each model gets a risk rating based on factors like how much money the model touches, how complex it is, whether it makes decisions on its own, and what happens if it breaks. A model that underwrites billions in commercial property coverage will naturally get more attention than one that sorts customer service emails. 

Data quality gets special attention in the new rules. OSFI wants insurers to prove their data is accurate, relevant, representative of the populations being modeled, compliant with privacy laws, and updated frequently enough to reflect current reality. 

The emphasis on data reflects a growing concern about bias. An underwriting model trained on historical data might perpetuate unfair patterns from the past, leading to discrimination that the insurer never intended. OSFI warns that artificial intelligence models can easily absorb these biases and amplify them, creating both legal exposure and reputational damage. 

When insurers develop new models or modify existing ones, they must follow documented processes with clear performance standards. Development now requires collaboration among technical teams, business units, compliance staff, legal advisors, and risk managers. 

Every model needs independent review. The person or team doing the review cannot be the same person or team that built the model. Reviews happen when models are first deployed, when they get updated, when performance problems emerge, when underlying data changes significantly, and on a regular schedule tied to the model's risk rating.

Ongoing monitoring presents another challenge. Models drift. The world changes. A pricing algorithm calibrated for pre-pandemic risk patterns might produce nonsense three years later. Insurers must define performance thresholds, watch for breaches, and have backup plans ready when models fail. 

For artificial intelligence systems that learn and adapt on their own, monitoring becomes even more challenging. The guideline requires special processes for handling autonomous decision making and re-parametrization. 

Senior management cannot delegate these responsibilities. OSFI expects management to define and apply roles and accountabilities for effective model risk management across the enterprise, ensure appropriate personnel with the requisite skills are in place, particularly for novel technologies, and ensure appropriate communication and reporting of model risk to boards of directors.

The rules apply equally to models developed in-house and those purchased from vendors. An insurer cannot simply buy a catastrophe model from a third party and assume it works correctly. External models require the same assessment, validation, and monitoring as internal ones. 

The comprehensive requirements signal OSFI's recognition that models now form the operational backbone of modern insurance companies, and their governance cannot remain an afterthought as the industry accelerates its digital transformation. 
