New framework brings mandatory oversight to retirement calculators, robo-platforms and portfolio models advisors depend on
New federal rules will require wealth advisors to explain how their software makes recommendations and prove they understand what could go wrong.
The Office of the Superintendent of Financial Institutions released Guideline E-23 in September 2025, with an effective date of May 1, 2027, for all federally regulated financial institutions. That means tools from retirement calculators to robo-advisors that carry non-negligible model risk will need formal validation, ongoing monitoring and clear documentation of how they work and where they fall short.
The timing reflects an uncomfortable truth in wealth management. Advisors increasingly depend on sophisticated software to build portfolios, assess risk tolerance and project retirement income. But few can explain what assumptions drive those recommendations or what could go wrong.
OSFI defines a model broadly as any use of theoretical, empirical or judgment-based assumptions, or statistical techniques—including AI and machine-learning methods—to process input data and generate results. A model has three parts: a data input component that may include assumptions, a processing component that identifies relationships between inputs, and a results component that presents outputs in a format useful to business lines and control functions. That definition captures financial planning platforms, portfolio-optimization tools, risk-assessment questionnaires and algorithmic investment engines. If it takes in client information and spits out advice, it qualifies.
The regulator makes clear why this matters now. Financial services companies are leaning harder on digital tools, especially artificial intelligence and machine learning, to make decisions in areas where human judgment once dominated. Bad models can lead to financial losses, operational failures, legal problems and reputational damage.
Under the new framework, institutions must maintain an inventory of every model whose inherent risk is considered non-negligible. Each gets a risk rating based on factors like how much money it influences, how complex it is, whether it makes autonomous decisions and what happens if it fails. Higher ratings mean tighter oversight.
The risk rating determines everything else. How often the model gets reviewed. How much documentation it requires. Who needs to sign off on using it. How closely it gets monitored.
Data quality gets special attention. Information used to build models must be accurate, representative of the people it serves, compliant with privacy laws, traceable to its source and kept current. The guideline notes that flawed data is particularly dangerous in artificial intelligence because these systems can easily pick up unintended patterns and bake them into recommendations.
For AI and machine learning specifically, OSFI acknowledges these tools create unique challenges. They often work as black boxes where even developers struggle to explain individual decisions. Some update themselves based on new data without human intervention. The regulator wants institutions to think hard about how much transparency they need, what controls make sense for autonomous systems and where bias or ethical problems might surface.
Documentation standards are specific. Institutions must explain how models are set up and run, what limits they have, where data comes from and how it gets maintained, what assumptions and methods they use, how expert judgment shapes outputs and what testing was done. Advisors using these tools will need to understand this information well enough to discuss limitations with clients.
Senior management carries responsibility for putting qualified people in charge of model oversight, particularly for new technologies. Teams must include diverse expertise from data science, business units, compliance, legal, ethics, information technology and risk management.
Monitoring goes beyond checking if a model still produces accurate results. Institutions must watch for changes in how the model gets used, shifts in input data quality, updates to external components it depends on and drift in what the model is trying to predict. They need preset triggers that indicate when something has gone wrong and plans for what to do if a model becomes unavailable or stops working properly.
The framework applies proportionally based on an institution’s size, strategy, risk profile, nature, scope and complexity of operations, and interconnectedness. Smaller institutions with simpler operations face lighter requirements than large, interconnected players whose failures could ripple through the financial system.
In the run-up to the May 1, 2027 effective date, institutions are expected to validate tools, write policies, train staff and build monitoring systems. Advisors should expect questions about which software they use, new approval processes for planning tools and training on how models work and where they can mislead.
The practical effect is straightforward. The days of simply trusting what the computer says are ending. Understanding the tools becomes part of the job.