SR 11-7 meets OSFI E-23: a cross-border model risk crosswalk.
SR 11-7 — the Federal Reserve's 2011 supervisory letter on model risk management, joint with OCC Bulletin 2011-12 — is still the US MRM baseline. OSFI E-23 becomes enforceable on May 1, 2027 in Canada and covers AI/ML systems explicitly. Canadian banks with US subsidiaries must bridge two generations of model risk guidance — one drafted before the modern AI stack existed, one drafted with it in view. The asymmetry is real and operational, not a regulatory rescission. This brief is the crosswalk — pillar by pillar, artifact by artifact.
Why is this crosswalk useful now?
Canadian FSIs with US operations file model-risk documentation under SR 11-7 today. The same institutions face OSFI E-23 enforcement on May 1, 2027. US fintechs selling AI to Canadian regulated banks receive E-23-shaped vendor questionnaires. Duplication is wasteful; misalignment is exam risk.
The two frameworks share architectural DNA. OSFI E-23 was drafted with awareness of SR 11-7's “effective challenge” standard and documentation expectations. Both anchor on four pillars — model development, implementation, validation, governance. Both require independent validation and ongoing monitoring. The substance is ~70–80% identical.
The differences are material. E-23 is explicit on AI/ML systems, including generative and agentic AI. SR 11-7 predates modern AI and leaves generative and agentic AI under-specified; forthcoming US federal banking AI guidance is expected to close the gap but is not yet in force. E-23 names an Appendix A model-inventory format; the US framework leaves inventory format institution-specific. Understanding the specific gaps is the leverage.
How do the four pillars line up?
SR 11-7 and OSFI E-23 both anchor on the same four architectural pillars. One unified artifact answers each.
| Pillar | SR 11-7 (US) | OSFI E-23 (Canada) | Unified Artifact |
|---|---|---|---|
| Model Development | Sound conceptual basis, data quality, testing | Conceptual soundness, data integrity, testing — explicit on AI/ML | Model Card (extended) covering both |
| Model Implementation | Production controls, access, change control | Implementation controls + monitoring program | Deployment Readiness Gate documentation |
| Model Validation | Independent review, outcomes analysis, benchmarking, sensitivity analysis, effective challenge | Independent validation aligned to SR 11-7 language — AI/ML-specific tests required | Independent Validation Report + AI/ML test pack |
| Governance | Policy, inventory, ownership, reporting | Policy + AIRSA-style inventory (Appendix A) + 1LOD/2LOD/3LOD map | AIRSA entry + Governance Operating Model |
Where do generative and agentic AI sit in the US framework today?
SR 11-7 was issued in 2011 by the Federal Reserve (as SR Letter 11-7) and adopted by the OCC (Bulletin 2011-12) and the FDIC (FIL-22-2017). It predates modern generative and agentic AI. Its three-pillar structure — conceptual soundness, ongoing monitoring, outcomes analysis — is routinely applied by examiners to AI/ML models, but the guidance itself does not name generative or agentic AI.
Forthcoming US federal banking AI guidance is expected to address this gap. Until it lands, examiners operate from SR 11-7 lineage plus agency speeches, RFI responses, and examination priorities — not a refreshed rule. The operational reading: the US prudential floor for generative and agentic AI is thin on paper, and Canadian FSIs with US operations cannot rely on a refreshed US standard to govern their GenAI estate. OSFI E-23, together with OSFI's FIFAI supervisory themes, is the operative floor for that estate on both sides of the border.
Federal Reserve SR Letter 11-7, Guidance on Model Risk Management, April 4, 2011. OCC Bulletin 2011-12 (adoption). FDIC FIL-22-2017 (adoption). OSFI Guideline E-23, Model Risk Management, effective May 1, 2027.
What does OSFI E-23 Appendix A require that SR 11-7 does not?
OSFI E-23 Appendix A prescribes a 17-field model-inventory format. Every federally regulated FI and material-model vendor must populate it. Fields include model ID, purpose, materiality, validation status, monitoring status, next review date, inherent risk rating, and residual risk rating.
SR 11-7 requires an inventory but does not prescribe a field schema. Most US institutions maintain inventories in GRC platforms (OpenPages, Archer) with institution-specific schemas. Compliance is at the institution's discretion.
For a Canadian FSI operating in the US, the pragmatic posture is: build the Appendix A 17-field inventory, use it as the source of truth, and export institution-specific subsets for US regulator reporting. Going the other direction — maintaining a US-shape inventory and expanding for OSFI — is more expensive.
OSFI E-23 Appendix A — 17 fields (practitioner summary)
- Model ID: Unique identifier persisted across environments
- Purpose: Stated business use and material decision class
- Materiality: Inherent materiality classification
- Data sources: Training, evaluation, and production data provenance
- Methodology: Model family, key methods, feature set
- Owner: Named 1LOD accountable individual
- Validator: Named 2LOD validator
- Validation status: Approved / in-review / remediation / rejected
- Validation date: Most recent independent validation
- Monitoring program: Metrics, thresholds, cadence, named reviewer
- Last monitoring review: Date, outcome, escalations generated
- Known limitations: Edge cases, failure modes, out-of-scope uses
- Deployment status: Production / staging / retired / shadow
- Risk classification: Inherent and residual ratings
- Dependencies: Upstream data, models, foundation-model vendors
- Next review date: Scheduled next validation and monitoring review
- Approval history: Versioned record of material approvals and owners
How should a cross-border institution deliver to both regulators?
One pack. One artifact set. Two regulators satisfied by the same evidence. The table below maps each artifact to the sections of each framework it answers.
The pragmatic posture is to build the evidence once and index it twice. Each artifact is generated by the same pipeline that deploys the model, owned by the same 1LOD team, reviewed by the same 2LOD function, and submitted to each regulator in the shape that regulator expects.
The table below is the institution-facing map: eight artifacts, two regulators, one control library. Canadian FSIs with US exposure and US fintechs selling into Canadian banks use the same map.
| Artifact | Satisfies |
|---|---|
| Model Card (extended AI/ML) | SR 11-7 Section III + OSFI E-23 model development |
| Independent Validation Report | SR 11-7 Section IV + OSFI E-23 validation |
| Monitoring Program | SR 11-7 ongoing monitoring + OSFI E-23 monitoring |
| AIRSA Entry (Appendix A-shaped) | OSFI E-23 Appendix A (primary) + SR 11-7 inventory |
| HITL Architecture | EU AI Act Article 14 + OSFI E-23 Principle 3 (human oversight) |
| Governance Operating Model | SR 11-7 governance + OSFI E-23 governance |
| Incident Response Plan | SR 11-7 (implicit) + OSFI E-23 (explicit) |
| Board Reporting Pack | SR 11-7 + OSFI E-23 governance reporting |
Where do cross-border programs typically fail?
- 01 Dual inventories. Teams maintain an OSFI-shape inventory and a US-shape inventory and reconcile monthly. The reconciliation is the bug.
- 02 SR 11-7 documentation forklifted to E-23. The SR 11-7 documentation is re-labeled and submitted to OSFI. The AI/ML-specific sections required by E-23 are missing.
- 03 Independent validation scoped to one regulator. Validation is performed under SR 11-7 standards for the US regulator; re-validation is performed under E-23 standards for OSFI. Effort is duplicated.
- 04 US/Canada AI-scope asymmetry not reflected in artifacts. SR 11-7 predates modern generative and agentic AI, while OSFI E-23 and the FIFAI supervisory themes cover them explicitly in Canada. If US-facing documentation assumes a narrow model definition and Canadian artifacts assume a symmetric framework, the institution is inconsistent with itself.
- 05 Vendor questionnaires answered differently to Canadian and US banks. The same AI vendor states different facts to different bank clients. 2LOD teams compare notes; the vendor loses credibility.
Frequently asked about the crosswalk.
Is SR 11-7 legally binding or guidance?
Supervisory guidance. Examiners apply it during MRM exams; non-conformance yields Matters Requiring Attention (MRA) or Matters Requiring Immediate Attention (MRIA). In practice, binding.
Does OSFI E-23 reference SR 11-7 directly?
Not by citation, but the DNA is visible. OSFI drafted E-23 with awareness of SR 11-7's four-pillar architecture (development, implementation, validation, governance) and its effective-challenge standard. E-23 extends the model beyond traditional statistical models to AI/ML and prescribes an Appendix A inventory schema SR 11-7 does not.
How does ISO/IEC 42001 fit into the crosswalk?
ISO/IEC 42001 is the management-system standard — the operating-model layer. It sits above SR 11-7 and E-23, which are regulator-specific. A mature program satisfies 42001's management requirements and both regulators' content requirements.
Do AI/ML validators need different skills than traditional model validators?
Partially. Statistical validation skills remain core. Additional skills: red-team evaluation, hallucination assessment, grounding attribution, prompt-injection testing. 2LOD teams are expanding staffing to cover.
Can a Canadian fintech satisfy E-23 through its US parent's SR 11-7 documentation?
With a translation pack. The Appendix A inventory and AI/ML-specific artifacts are E-23-unique. Expect 20-30% incremental work on top of a solid SR 11-7 package.
How does RegCore.AI deliver cross-border?
One control library. We build OSFI E-23 Appendix A-shaped AIRSA as the source of truth, Model Cards with AI/ML extensions, Independent Validation Reports satisfying effective-challenge standards, and Governance Operating Models mapped to both regulators. See the AI Governance arm.
One control library. Two regulators. Zero duplication.
Canadian FSIs operating cross-border and US fintechs selling to Canadian banks deserve better than dual inventories and forklifted documentation. We build the evidence once — satisfying SR 11-7, OSFI E-23, and ISO/IEC 42001 in a single pack.