Introduction
Financial institutions are increasingly experimenting with agentic AI, autonomous artificial intelligence agents that can make decisions and take independent actions much like a human representative. Unlike traditional software or even generative AI, agentic AI systems can plan tasks and execute transactions or other operations with minimal human intervention. In a bank or insurance company, this could mean an AI that approves loans, executes trades, manages investment portfolios, or handles customer service queries end-to-end. The rise of such “digital employees” holds great promise for efficiency and innovation, but it also raises complex legal questions. Who is accountable if an AI agent’s decision causes financial loss or breaches a law? What regulatory frameworks govern the use of these autonomous systems in finance, especially in Canada versus the European Union?

What is ‘Agentic AI’?
Agentic AI refers to AI systems endowed with a degree of autonomy in decision-making, allowing them to pursue goals and perform actions without needing step-by-step human input. In practical terms, an agentic AI in finance might analyze data and initiate transactions, adjust investment positions, or approve or decline a credit application on its own, within prescribed parameters. For example, an AI trading agent could continuously monitor market conditions and execute trades under certain strategies, or an AI underwriting agent might gather customer information, assess risk, and bind an insurance policy automatically. These systems are a step beyond conventional algorithms; they are often built on advanced models that can plan and reason through multi-step tasks.

With this autonomy comes legal significance. Decisions that were once made by human employees may now be made by AI, and those decisions carry real consequences. A simple generative AI might draft an email for a banker; an agentic AI might send that email out to a client or regulator. If the content or decision is wrong, the mistake is no longer hypothetical, and the AI’s action could trigger liability.

From AIDA to Sectoral Guidance
At present, Canada does not have a comprehensive AI-specific statute in force to regulate private-sector use of AI, even in high-stakes industries like finance. The federal government’s first attempt at a broad AI law, the proposed Artificial Intelligence and Data Act (AIDA) within Bill C-27, did not come to fruition. In early 2025, Bill C-27 died on the order paper when Parliament was prorogued, effectively halting AIDA’s progress. AIDA would have established Canada’s first overarching framework for “high-impact” AI systems, but its demise means there is currently a gap in statutory law addressing AI governance, and Canadian institutions operate under a patchwork of existing laws and emerging guidance when deploying agentic AI.

Existing statutes and common law provide some coverage, even if not explicitly tailored to AI. Key pillars include privacy law, human rights law, consumer protection law, and general tort and contract law. For instance, if an AI system in a bank makes decisions using personal information, that bank must still obey privacy requirements under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial laws. Likewise, human rights legislation prohibits discrimination in services, so an AI that, say, unintentionally biases against a protected group could land a financial institution in legal hot water.

Beyond these general laws, sector-specific regulators in Canada are stepping in with guidance to fill the void. A notable development for federally regulated financial institutions (FRFIs) is the Office of the Superintendent of Financial Institutions (OSFI) updating its risk management expectations to explicitly address AI. In September 2025, OSFI released the final version of Guideline E-23 (Model Risk Management), which imposes requirements on how banks and insurers govern all models, explicitly including AI and machine learning models. This Guideline (effective May 2027) compels financial institutions to implement an enterprise-wide model risk management framework: maintain inventories of AI models, assign risk ratings to models, perform thorough testing and validation, and ensure ongoing monitoring and oversight throughout a model’s lifecycle.

Another important piece of Canadian regulation comes from the provinces, particularly in the realm of privacy and automated decision-making. Québec’s Law 25 contains some of the most advanced provisions on automated decision systems in Canada. Under Québec’s law, organizations must inform individuals when a decision about them is made exclusively through an automated process and, upon request, provide the person with “the reasons and the principal factors” that led to the decision. Notably, Québec’s requirements apply to any automated decision using personal information. This is even broader than the transparency rights under Europe’s GDPR, which kick in only for decisions that significantly affect someone’s rights. In the financial context, if a Québec client is denied a loan or flagged for fraud by an AI with no human intervention, the institution must disclose that an automated decision was made and explain the core logic.

In the public sector, the federal government adopted a Directive on Automated Decision-Making (for federal agencies) that, while not binding on private companies, offers a glimpse of best practices like algorithmic impact assessments and human rights due diligence for AI. For financial firms, OSFI, alongside bodies like the Financial Consumer Agency of Canada (FCAC), has convened industry forums and issued advisory reports on AI. These emphasize principles such as Explainability, Data quality, solid Governance, and Ethics (the “EDGE” principles) to guide responsible AI use. All these insights are pushing financial institutions in Canada to proactively strengthen their AI oversight, even before any new AI-specific laws arrive.

The EU AI Act and Financial Services
In contrast to Canada’s piecemeal approach, the European Union has forged ahead with a comprehensive regulatory regime for AI. The centerpiece is the EU Artificial Intelligence Act, a landmark law adopted in 2024 (with core provisions slated to apply in 2026). The AI Act uses a risk-based framework, placing AI systems into tiers of risk and imposing corresponding obligations. At the top, certain AI uses are deemed “unacceptable risk” and banned outright. Below that, a broad category of “high-risk AI systems” will be permitted but heavily regulated. Crucially, many financial applications of AI fall into the high-risk bucket by design. Annex III of the AI Act explicitly lists AI systems for evaluating creditworthiness of individuals as high-risk, except those used purely for anti-fraud purposes. Similarly, AI systems used in insurance for calculating premiums or risks are classified as high-risk. Even AI that manages “essential private services” like banking services could be high-risk if its decisions might appreciably affect individuals.

What does being “high-risk” under the EU AI Act entail? The law imposes a stringent set of requirements on providers and users of such AI. AI providers bear the brunt of obligations and they must implement risk management across the AI’s lifecycle, ensure high-quality training data, build technical documentation and logs, and design the system for human oversight, accuracy, robustness, and cybersecurity. For example, a fintech company that sells an AI trading algorithm in the EU will need to document its testing, put in place quality controls, and allow auditors/regulators to scrutinize how it works. AI users, such as a bank using a third-party AI tool, also have obligations, though fewer. Users must properly monitor the AI’s operation, ensure human oversight as required, and comply with the provider’s usage instructions. In practice, a European bank deploying an agentic AI for credit decisions will need procedures to double-check the AI’s outputs, especially before taking adverse actions like denying credit, and to inform customers of their rights and how the AI influences decisions.

EU financial regulators are integrating AI considerations into sectoral rules. EU banking and securities laws already require safeguards for algorithmic trading: under MiFID II and related regulations, trading algorithms must have risk controls and firms must prevent “disorderly trading conditions.” Those existing rules will operate in parallel with the AI Act (which covers broader issues like data bias and transparency). We also see European supervisory authorities (like the European Banking Authority) developing guidelines on outsourcing and cloud, which implicitly cover AI-as-a-service, ensuring banks assess third-party AI providers for reliability and compliance. And, complementing the AI Act’s preventative approach, the EU is working on an AI Liability Directive to make it easier for people harmed by AI-driven decisions to seek compensation. The EU’s stance is proactive and precautionary: it explicitly regulates high-risk AI uses common in finance and spreads accountability across the AI’s value chain (developers and deployers). This is a notable point of comparison with Canada, where currently a financial firm’s use of AI is governed more by general principles and regulator expectations than by AI-specific statutes.

Practical Takeaway

Agentic AI offers major efficiency gains for banks and insurers, but it also collapses traditional lines of accountability.

Canadian financial institutions should treat these systems as high-risk by default: map decision flows, maintain human oversight, document explainability, and align deployments with OSFI’s AI expectations and PIPEDA obligations.

Unlike the EU, Canada lacks a unified AI statute, so liability will fall back on existing regimes: negligence, contract, consumer protection, privacy, securities, and financial-sector regulation.

The safest path forward is controlled experimentation: start with narrow use cases, implement strong governance and auditability, stress-test for bias or errors, and ensure that any “digital employee” always has a clearly identifiable human owner responsible for compliance.

I’m Amin, a lawyer based in Ontario who’s passionate about Commercial Law, Technology & Privacy. Through AMN Legal, I share insights on tech regulation, commercial law, and the practical challenges lawyers face in a digital world.