E-21 Is Not the Only Thing on OSFI's Radar
If you're a compliance or risk professional at a Canadian financial institution, chances are you've spent a significant portion of 2025 and early 2026 focused on Guideline E-21 and its September 1, 2026 deadline. That's the right priority. But it's not the only regulatory change demanding your attention this year.
OSFI's 2025–26 agenda represents the broadest expansion of its supervisory scope in years. The regulator is moving beyond its traditional focus on financial soundness and capital adequacy into territory that was previously considered outside the prudential lens: institutional integrity, cyber resilience, AI governance, and geopolitical threats. Its departmental plan, published in June 2025, allocated $351 million to these priorities — a signal that this isn't aspirational language. It's operational investment.
This post maps the full landscape. If your compliance team has been heads-down on E-21, this is the view from 30,000 feet.
E-21: The Deadline That Structures Everything Else
Guideline E-21 — Operational Risk Management and Resilience — remains the most consequential near-term requirement. Published August 22, 2024, it replaced the previous version that had been in effect since 2016. The update shifted OSFI's expectations fundamentally: from simply preventing operational risks to demonstrating that institutions can withstand and recover from severe disruptions.
The guideline establishes four pillars — governance, operational risk management, operational resilience, and specialist risk disciplines — with a staggered implementation timeline:
If you need a detailed breakdown of what to prioritize for the September 2026 deadline, we've covered that in depth in two earlier posts: what you can realistically get done in five months, and a 10-point self-assessment to see where you stand. The rest of this post covers what's happening beyond E-21.
OSFI's Expanded Mandate: Integrity, Security, and Geopolitics
The most significant shift in OSFI's 2025–26 departmental plan isn't a new guideline — it's a new institutional capability. OSFI has established two new units: the National Security Sector and the Integrity and Security Risk Division. Their purpose is to assess whether financial institutions have the policies and procedures necessary to protect against threats such as foreign interference, geopolitical coercion, and insider risks.
These units support expanded powers granted to OSFI under Bill C-47, which reinforces the regulator's ability to intervene in cases of national security or institutional vulnerability. This is new territory for a regulator that historically confined itself to prudential supervision.
What does this mean in practice? Financial institutions should expect:
- Closer engagement on integrity risk. OSFI has signaled it may begin offering threat briefings to select institutions and will incorporate integrity-related risk factors into its supervisory framework.
- Cyber preparedness as a supervisory priority. OSFI has flagged that priority 1 cyber incidents have nearly tripled since 2022. The regulator is investing in its own cybersecurity infrastructure and will increase scrutiny of how institutions manage cyber threats, insider threats, and data protection.
- Internal controls under the spotlight. Discussions that previously sat outside the traditional prudential lens — workforce screening, vendor integrity, information security culture — will become increasingly relevant during supervisory examinations.
The practical implication: governance frameworks and threat readiness will increasingly determine the intensity of regulatory engagement. Institutions that can demonstrate mature, cross-functional resilience programs will face lighter supervision. Those that can't will see more frequent visits, deeper sampling, and faster intervention. OSFI's own data confirms this — four institutions and four pension plans experienced rapid increases in risk classification in 2024–25 alone.
E-23: Model Risk Management Meets AI
On September 11, 2025, OSFI published the updated Guideline E-23: Model Risk Management, effective May 1, 2027. The original E-23 focused on traditional quantitative models. The 2025 update expands its scope dramatically to include risks from AI and machine learning systems.
The key changes:
- Broader definition of "model." E-23 now covers both quantitative and non-quantitative models — including AI/ML systems that process input data to generate results used for decision-making, risk assessment, or customer interaction.
- Enterprise-wide model risk frameworks. Institutions must establish comprehensive model inventories, data governance controls, functional separation between developers and reviewers, and lifecycle management processes for every model in use.
- AI-specific provisions. OSFI explicitly recognizes that "models based on rapidly progressing technologies, like AI, can exacerbate these risks" and that "models characterized by dynamic self-learning and autonomous decision-making may become prevalent." The guideline requires institutions to account for these characteristics in their governance and oversight.
- Proportional approach. E-23 applies proportionately based on an institution's size, strategy, risk profile, and operational complexity — meaning smaller institutions aren't expected to implement the same controls as the Big Six.
The May 2027 effective date gives institutions an 18-month transition period. But if you're using AI models for credit scoring, fraud detection, customer segmentation, or operational decision-making — and most institutions are — the gap analysis should be underway now. Waiting until 2027 to start building a model risk framework around your AI systems is the same mistake institutions made with E-21: technically compliant with the timeline, practically too late to do it well.
Capital Adequacy: Basel III Floor Deferred, CAR Updated
In February 2025, OSFI announced it would defer increases to the Basel III standardized capital floor — the level was supposed to rise from 67.5% to 72.5% in 2027. The deferral followed a similar announcement from the UK's Prudential Regulation Authority and reflects a global reality: "there remains uncertainty about when other jurisdictions will fully implement Basel III," and competitive balance requires coordinated implementation.
In practice, this means Canadian banks retain more lending capacity during a period of economic uncertainty — particularly relevant given the ongoing tariff environment with the United States. OSFI committed to notifying affected banks at least two years before resuming any increase.
Separately, OSFI updated the Capital Adequacy Requirements (CAR) Guideline as part of its September 2025 quarterly release. Key changes include:
- Maintaining existing criteria for income-producing real estate exposures
- Introducing a transition period for Combined Loan Products
- Aligning treatment of U.S. government-sponsored entities with U.S. capital standards
- Clarifying that CVA framework requirements extend to small and medium-sized banks
These are technical changes, but they matter for capital planning and risk-weighted asset calculations across the industry.
Crypto-Asset Exposure Rules Are Now Final
OSFI finalized two crypto-asset guidelines in early 2025, effective November 2025 or January 2026 depending on fiscal year:
- Capital and Liquidity Treatment of Crypto-asset Exposures (Banking) — applies to banks, credit unions, bank holding companies, and foreign bank branches
- Capital Treatment of Crypto-asset Exposures (Insurance) — applies to all federally regulated insurers
The guidelines establish frameworks for categorizing crypto-assets, calculating capital requirements (credit, market, and counterparty risk), and managing liquidity risk. For institutions with limited exposure, a simplified approach allows deduction of all crypto-asset exposures from CET1 capital rather than classifying each individually.
These guidelines align with the Basel Committee on Banking Supervision (BCBS) international standards and reflect a balanced approach to crypto-asset regulation that's been a challenge for regulators globally.
Climate Risk Reporting: Scope 3 Delayed
OSFI extended the deadline for Scope 3 greenhouse gas emission disclosure to fiscal year 2028, with off-balance sheet asset Scope 3 disclosures pushed to fiscal year 2029. The extensions align with updates to Canadian Sustainability Standards Board (CSSB) standards released in December 2024.
The regulator also published a one-time Standardized Climate Scenario Exercise (SCSE) report, developed jointly with Quebec's AMF, to enhance the financial sector's understanding of climate-related financial risks. While the exercise is non-binding, it signals that climate risk measurement capabilities will be a growing supervisory expectation.
Revised Administrative Monetary Penalties
OSFI revised its Administrative Monetary Penalty (AMP) framework in September 2025 to better align with its risk appetite and incentivize early remediation. Under OSFI regulations, financial institutions face per diem penalties for compliance failures — currently $500 for institutions with total assets over $10 billion, $250 for those between $250 million and $10 billion, and $100 for smaller institutions. The new framework introduces a revised scaling factor and applies to violations after September 11, 2025.
OSFI does not have discretion when it comes to penalties — they are set by regulation. Waivers are not available. The message is clear: late or inaccurate reporting isn't a discussion, it's a fine.
The Supervisory Exam: What OSFI Expects to See
When OSFI examines your institution, the expectation goes beyond paper compliance. The regulator uses Risk and Control Self-Assessments (RCSAs) as the primary evidence of resilience and compliance. Under E-21, RCSA frameworks must now be linked to critical operations — not just to business functions like "accounting and finance" but to specific operations like "payroll processing" or "customer payments."
Common self-assessment traps that OSFI examiners will look for:
- Siloed data. Business units assessing risks only within their own perimeter, missing the interdependencies of shared services and critical operations that span departments.
- Stale scenarios. Teams copying risk scenarios from previous years without considering how technology, threats, and processes have changed. This leaves institutions exposed to outdated risk calculations.
- Weak root causes. Labeling risks as "human error" without investigating the systemic failures that make those errors inevitable.
The bow-tie method is becoming the standard visual framework for demonstrating line-of-sight to OSFI auditors. The left side maps threats and preventive controls. The knot represents the risk event. The right side maps consequences and recovery barriers — directly connected to your disruption tolerances and recovery chains.
The Compliance Calendar: What's Due When
What This Means for Compliance Teams
You're not managing one regulatory change. You're managing five simultaneously — operational resilience (E-21), AI model governance (E-23), expanded cyber and integrity oversight, capital adequacy recalibration, and climate risk reporting. Each has its own timeline, its own governance requirements, and its own evidence standard.
The institutions that handle this well won't treat each guideline as a separate compliance project staffed by a separate team. They'll recognize that the underlying capability OSFI is asking for is the same across all of them: know what you depend on, know what happens when it breaks, and prove you can demonstrate both on demand.
Dependency mapping built for E-21 is the same capability that E-23 needs for understanding model interdependencies. The resilience modeling that satisfies your scenario testing requirements also satisfies the cyber resilience expectations from OSFI's integrity mandate. The governance structures you build for critical operations oversight can be extended to cover AI model risk and climate scenario analysis.
The worst-case scenario is building these capabilities in silos — one for E-21, one for E-23, one for cyber — and discovering eighteen months from now that they don't connect. OSFI has designed these guidelines to reinforce each other. Your implementation should do the same.
Related Reading
- OSFI's September Deadline Is a Few Months Away. Where Are You?
- 5 Months to E-21 Compliance: It's Not Too Late, But It's Close
- The Rogers Outage: What It Taught Canada About Operational Resilience
- What Is Infrastructure Dependency Mapping? A Complete Guide
- What Is Operational Resilience Modeling? From Compliance to Continuous Confidence
- Your RTO Is a Lie: Recovery Time Objectives Are Chains, Not Numbers
- Business Continuity Reports Are Mandatory. Why Are You Still Writing Them in Word?
- OSFI — Guideline E-21: Operational Risk Management and Resilience
- OSFI — Guideline E-23: Model Risk Management
- OSFI — 2025-26 Departmental Plan