OSFI E-23 — Model Risk Management (Canada)
OSFI Guideline E-23 establishes Canada's supervisory expectations for model risk management at federally regulated financial institutions (FRFIs). It covers governance, validation, ongoing monitoring, change management, and third-party model risk. Ledgix evidences each control via the policy lifecycle, the cryptographic ledger, and the signed export.
Status: Full — every control resolves to an artifact Ledgix produces today.
Scope
E-23 applies to federally regulated banks, insurers, and trust companies in Canada (FRFIs). The guideline sets expectations for governance, model validation, ongoing monitoring, model change management, and accountability for third-party models used in material decisions. Coverage here spans all five baseline clauses.
Controls covered
| Field | Type | Required | Description |
|---|---|---|---|
| OSFIE23-5.1 | policy_snapshots / events_jsonl | Model Governance | Each policy version snapshot demonstrates model governance; decision-to-policy linkage evidences application. |
| OSFIE23-5.2 | proof_index / key_history / signatures | Model Validation | Merkle inclusion proof index, key custody, and signed export support independent validation. |
| OSFIE23-5.3 | events_jsonl | Ongoing Monitoring | Time-series operational data supporting performance and usage monitoring. |
| OSFIE23-5.4 | policy_snapshots / checkpoint_chain | Model Change Management | Policy-version sequence with content hashes tracks change history; checkpoint timestamps mark deployment. |
| OSFIE23-5.5 | events_jsonl | Third-Party Model Risk | Each event records the tool invoked and evidence used, providing third-party accountability. |
Evidence types referenced
- policy_snapshots — versioned governance and model-change documentation.
- events_jsonl — per-decision operational data and third-party tool attribution.
- proof_index — Merkle inclusion proofs enabling independent validator re-verification.
- key_history — cryptographic signing-key history with attestation payloads.
- signatures — export-level Ed25519 signature over the manifest.
- checkpoint_chain — checkpoint sequence indicating when policy changes reached production.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting OSFI E-23 — Model Risk Management (Canada) and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
References
- Framework mapping JSON:
vault/internal/compliance/frameworks/osfi_e23.json - Canonical source: OSFI Guideline E-23 Model Risk Management — osfi-bsif.gc.ca