OSFI E-23 vs SR 26-2: How Canada and the US Are Diverging on Model Risk Management

In a previous article we outlined the key technological impacts in the U.S. of the model risk management guidance SR 26-2 (issued April 17, 2026) relative to the previously prevailing SR 11-7.
In this article we instead present an overview of Canada’s finalized OSFI Guideline E-23 (effective May 1, 2027), outlining its core shifts from the previous Canadian rules, which date back to 2017, and contrasting it with the latest U.S. framework, SR 26-2.
1. Latest OSFI E-23 Guideline
OSFI’s updated E-23 guideline establishes a rigorous, enterprise-wide approach to managing model risk, shifting from a checkbox compliance exercise to a dynamic, lifecycle-oriented governance model.
Key Changes
- Scope expansion: The 2017 version focused strictly on Deposit-Taking Institutions (banks). The updated guideline expands to all Federally Regulated Financial Institutions (FRFIs), capturing insurance companies and credit unions for the first time.
- "Model" re-definition: Moving away from just traditional quantitative or capital-calculation engines, E-23 now covers any structured analytical method that processes input data to generate results meaningful to business lines or control functions (e.g., algorithmic pricing, marketing models, and even IT/cyber anomaly detectors).
- AI / ML treatment: Advanced modeling techniques, including machine learning, Generative AI, and autonomous "agentic AI" solutions, are explicitly bound to the framework if they carry non-negligible risk.
- 5-Stage Lifecycle Governance: Models must go through formalized checkpoints across five distinct stages: Design, Review, Deployment, Monitoring, and Decommission. For AI, this mandates specific inclusions like drafting an "explainability plan," checking training data for bias, and performing pre-deployment cyber risk checks.
- Vendor and "Black Box" models: Clear ownership is demanded over vendor and third-party models. If an institution uses a proprietary third-party "black box" model, it must still establish independent governance matching its internal risk appetite.
2. Key Divergences: E-23 vs. SR 26-2
The Canadian and U.S. regulators have taken fundamentally opposing philosophical approaches to modernizing model risk. We’ve summarized the main differences in the table below.
Comparison Matrix: OSFI E-23 vs. FED/FDIC/OCC SR 26-2
3. Operationalizing Cross-Border Compliance via the Yields Multi-Governance Solution
For financial institutions operating across both the U.S. and Canada, the divergences highlighted in the section above create a significant structural problem. A single model used across borders might fall under strict AI and model risk governance in Canada while simultaneously falling under a narrower, materiality-driven scope in the U.S. Attempting to unify these distinct regulatory regimes into a single, rigid framework is highly impractical, while maintaining separate frameworks leads to large duplication, reconciliation efforts, and fragmented silos between teams.
The Yields Multi-Governance framework solves this operational bottleneck by structuring complexity rather than forcing simplification. It enables institutions to manage these overlapping regulatory realities simultaneously.
Key Capabilities for Dual-Jurisdiction Management
- The "Triplet" Architecture: Yields abandons the traditional assumption that a model belongs to a single framework. Instead, it structures every use case as a triplet: Model (version) × Usage × Governance.
  - Model: The underlying analytical or AI component.
  - Usage: The business context in which it operates.
  - Governance: The specific framework assessing it (e.g., E-23, SR 26-2, or an internal MRM / AI policy).

  By separating these dimensions, a single model can be linked to multiple regional or functional governance frameworks without being duplicated.
- Independent Attributes and Lifecycles: Yields allows each governance framework to independently determine how a use case is represented and processed. For example, when viewing a model under the Canadian OSFI E-23 lens, the platform can expose attributes and workflows specific to AI risk, explainability, data bias, and the strict 5-stage lifecycle. When viewing that identical model under the U.S. SR 26-2 lens, it can expose different attributes focused strictly on risk tiering, materiality, and continuous monitoring. Neither jurisdiction is forced to adopt the other’s structure.
- A "Single Source of Truth" Without Duplication: Core model information is maintained only once as a shared object. This completely eliminates the need for separate teams to register the same model multiple times when it crosses borders. By decomposing overlapping records into reusable building blocks, Yields reduces the number of governed objects and cuts total management effort significantly.
- Unified Cross-Border Visibility & Reuse: A risk manager overseeing North American operations does not see disconnected records. They see the exact same underlying use case appearing under both the U.S. and Canadian governance inventories. This makes the relationship explicit, eliminates manual reconciliation between border teams, and allows validation work completed for one regulatory regime to be efficiently reused by another.
4. Conclusion
The divergence between OSFI E-23 and SR 26-2 is not a temporary gap that will close on its own. Canada is moving toward a strict, lifecycle-driven framework that applies to every model. The US is tailoring oversight to a model's material risk. For institutions operating on both sides of the border, the same model can fall under two very different sets of expectations at once. And as more jurisdictions tighten their model risk and AI rules, the number of frameworks each team has to satisfy will only grow.
Forcing these regimes into one rigid framework breaks down fast. Running them as separate silos creates duplication and constant reconciliation. Yields solves this by structuring the complexity rather than flattening it. The Triplet architecture (Model × Usage × Governance) lets a single model carry multiple governance lenses without ever being duplicated. Core model information lives once, as a single source of truth, while each regime keeps its own attributes, workflows, and lifecycle.
The payoff is clear oversight across borders, far less manual reconciliation, and validation work that can be reused from one regime to the next. Teams stay in control, and stay ready when the regulator asks, whichever framework they are answering to.
About the Author(s)

Efrem Bonfiglioli is a seasoned model and AI risk management professional with a passion for advising model developers and validators on best practices for effective model and AI use case management. He has held various roles related to model risk management across multiple lines of defense in leading global banking institutions, covering a wide range of asset classes and risk types. Efrem is a visiting professor at universities in Italy and the UK where he teaches courses ranging from foundational financial subjects to advanced quantitative modelling. He earned his PhD in Financial Mathematics, where he focused on researching the applications of jump-diffusion models in the context of derivatives pricing.

