On April 24, 2023, the Office of the Superintendent of Financial
Institutions (OSFI), Canada's federal financial institutions
regulator, released its much-anticipated new Guideline B-10: Third-Party Risk Management
(Guideline). The release of the final Guideline follows the
publication of a draft on April 27, 2022, and subsequent
consultation period. Below, we have included a summary of key
changes made to the draft Guideline.
The new Guideline will replace OSFI's current Guideline B-10:
Outsourcing of Business Activities, Functions and Processes, which
was originally issued in 2001 and was last revised in 2009. The
Guideline sets out OSFI's third-party risk management (TPRM)
expectations for federally regulated financial institutions in
Canada (FRFIs) and contributes to the financial services
industry's best practices for contracting with third parties.
Relative to the current Guideline B-10, the new Guideline addresses
a more comprehensive set of risks to reflect the contemporary,
expanding third-party ecosystem.
The Guideline will require financial institutions to re-evaluate
their approach to managing relationships, including contracting,
with a wide array of third parties.
The Guideline introduces a number of changes relative to OSFI's current
Guideline B-10. Specifically, it places greater emphasis on
governance and risk-management programs. It also sets
outcome-focused, principle-based expectations on the management of
third-party risks, although several requirements remain fairly
prescriptive. The new Guideline expands the scope of the current
Guideline B-10 to include a wider range of third-party arrangements
(beyond just outsourcing), considers a wider range of risks (such
as criticality and concentration risk), and provides guidance on
standardized contracts.
Importantly, the Guideline replaces the current
materiality threshold for applicability with a risk-based
approach and indicates that risk and criticality should be
considered when determining the intensity with which to apply the
expectations set out in the Guideline. It also prescribes more
rigorous expectations for high-risk and critical
third-party arrangements and includes an updated list of minimum
contractual terms and due diligence considerations for such
arrangements.
The new Guideline relies in part on findings from OSFI's 2019
Third-Party Risk Study, feedback from
OSFI's 2020 Technology Risk Discussion Paper,
industry's response to OSFI's Technology and Cyber Risk Management Guideline
(B-13) and to an earlier draft of the Guideline.
Effective Date
The new Guideline B-10 will come into effect on May 1,
2024. OSFI indicates that this transition period is
intended to provide FRFIs sufficient time to self-assess and build
TPRM programs that comply with the new requirements.
Third-party arrangements commencing on or after May 1, 2024, are
expected to comply with all applicable sections of the new
Guideline. Importantly, FRFIs are expected to review and update
legacy arrangements entered into prior to May 1, 2024, at the
earliest appropriate contract renewal or revision point to meet the
expectations of the Guideline by its implementation date or as soon
as possible thereafter.
Scope
The scope of the Guideline is much broader than the existing
Guideline B-10, as it re-sets OSFI's expectations for managing
risks associated with third-party arrangements, rather than
focusing on material outsourcing arrangements. What constitutes a
"third-party arrangement" is defined broadly in the
Guideline and only narrow exceptions are recognized, such as
arrangements between a FRFI and its customers or employees. Service
arrangements between a FRFI and an affiliate are included in the
new definition of a third-party arrangement and accordingly will
continue to be subject to the requirements of the Guideline, in
addition to the existing self-dealing requirements in the
legislation.
Foreign bank branches and foreign insurance company branches
operating in Canada are excluded from the application of the
Guideline but remain subject to requirements in respect of
outsourcing arrangements under OSFI's Guideline E-4, as
discussed further below.
OSFI notes that the Guideline is not intended to impede the
establishment of an open banking framework by the federal
government, which OSFI refers to as consumer-directed data
mobility within the financial sector, consistent with recent
terminology proposed by the federal Advisory Committee on Open
Banking. Once that framework is designed, OSFI notes that it may
provide additional guidance.
Governance
The Guideline places a greater emphasis on effective governance
of third-party arrangements. OSFI expects FRFIs to implement clear
governance and accountability structures with comprehensive risk
strategies and frameworks to ensure ongoing operational and
financial resilience.
A FRFI is ultimately accountable for all business activities,
functions and services it outsources to third parties, and for
managing the risks associated with third-party arrangements and
interactions. Accordingly, OSFI expects a FRFI to establish an
enterprise-wide TPRM framework that sets out clear
accountabilities, responsibilities, policies and processes for
identifying, managing, mitigating, monitoring and internally
reporting on risks relating to the use of third parties. The
Guideline sets out the key elements of what should be included in a
TPRM framework. FRFIs should consider assessing their vendor
management programs against the new governance requirements of the
Guideline to identify and address any material gaps.
Third-Party Risk Management and Mitigation
OSFI expects that under a FRFI's TPRM program:
- risks posed by third parties will be identified and assessed;
- these risks will be managed and mitigated within the FRFI's risk-appetite framework; and
- third-party performance will be monitored and assessed, and any risks and incidents will be proactively addressed.
In adopting a risk-based approach, OSFI expects FRFIs to manage
third-party risks in a manner proportionate to the level of risk and
complexity of the FRFI's third-party ecosystem. To support this, the
Guideline introduces and defines the concept of criticality.
Criticality denotes a third-party arrangement's importance to the
FRFI's operations, strategy, financial condition or reputation; it
focuses on the impact of a risk event, irrespective of the likelihood
of that event occurring.
OSFI expects FRFIs to assess the risk and criticality of a
third-party arrangement throughout its lifecycle. This includes
assessment prior to entering into the arrangement, regularly during
the course of the arrangement (at a frequency and scope
proportionate to the level of criticality) and after any material
change has occurred in the arrangement. The due diligence to be
conducted by a FRFI in respect of the third-party arrangement
should be proportionate to the assessed level of risk and
criticality. OSFI also notes that, if appropriate, a FRFI should
maintain an inventory of third parties delineated by level of risk
and criticality.
OSFI outlines several key factors that FRFIs should consider when
determining the level of risk and criticality. These include the
probability of the third party or its subcontractors failing to
meet expectations due to insolvency or operational disruption, the
third party's use of subcontractors, the FRFI's ability to
assess the third party's controls, the substitutability and
financial health of the third party, and other relevant risks
associated with the use of a third party. The Guideline also
includes more detailed guidance on subcontracting
arrangements.
As with the current Guideline B-10, FRFIs are generally expected
under the Guideline to document their arrangements with third
parties in a written agreement. Annex 2 of the Guideline provides
certain minimum provisions that an agreement with a third party
must address for high-risk and critical arrangements. Many of these
provisions mirror the contractual terms mandated under the current
Guideline B-10, although the list has been revised in some respects.
The body of the Guideline provides guidance on expected
contractual provisions, and this should be reviewed in conjunction
with Annex 2 in considering whether an agreement complies with the
Guideline (and preparing any associated contracting checklists). In
conducting such reviews, a FRFI should also review and consider the
Technology and Cyber Risk Management Guideline
(B-13) and Technology and Cyber Security Incident Reporting
Advisory, as each contains provisions that may be relevant to
third-party arrangements.
OSFI also expects a FRFI to monitor its third-party arrangements to
verify the third party's ability to continue to meet its
obligations and effectively manage risks. The Guideline notes that
both the FRFI and the third party should have documented processes
in place to identify, track and remediate incidents that could
impact the third party's ability to deliver the contracted
goods or services. Importantly, a FRFI is also expected to ensure
that its agreements with third parties contain adequate provisions to
enable the FRFI to comply with its reporting obligations under
OSFI's Technology and Cyber Security Incident Reporting Advisory,
which requires FRFIs to report technology and cybersecurity incidents
to OSFI. In practice, this means that the incident-notification
obligations imposed on a third party (including what must be reported
and how quickly) should be set so that the FRFI can meet its own
reporting timelines under the Advisory.
The Guideline maintains the current requirement that an agreement
with a third party must give both the FRFI and OSFI the right to
assess the third party through audit rights and sets out more
granular audit provisions to be included in the agreement.
The Guideline expressly recognizes that there are certain
third-party arrangements for which a customized contract may not be
feasible. In these situations, OSFI still expects the FRFI's
TPRM program to address these relationships, and where applicable,
formally accept risks presented by such standardized
contracts.
The Guideline also sets out expectations in respect of arrangements
with a FRFI's external auditor, similar to analogous provisions
under the current Guideline B-10.
The Guideline notes that all of the expectations set out above are
considered minimum expectations for critical third-party
arrangements and those that pose a high risk to the FRFI.
Technology and Cyber Risk in Third-Party Arrangements
In recognition of elevated technological and cyber risks, the
final section of the Guideline describes OSFI's additional
expectations about how a FRFI should address these risks in its
arrangements with third parties. The final section also specifies
that technology and cyber operations carried out by third parties
must be transparent, reliable and secure.
Recognizing the prevalence of cloud services and the need to create
cloud-specific requirements, OSFI expects FRFIs to specifically
consider cloud portability when entering an arrangement (and
mitigants in the absence of portability). The regulator also
expects FRFIs to ensure that cloud adoption occurs in a planned and
strategic manner that optimizes interoperability while operating
within the FRFI's stated risk appetite.
Foreign Branches
Foreign bank branches and foreign insurance company branches
operating in Canada (Branches) are excluded from the application of
the Guideline. This is a departure from the current Guideline B-10,
which has specific provisions addressing outsourcing arrangements
between a Branch and its home office and other affiliates.
Importantly, OSFI's new Guideline E-4: Foreign Entities Operating in
Canada on a Branch Basis that took effect in 2022 states that
if the home office performs material functions on behalf of the
Branch, either directly or through its own outsourcing
arrangements, OSFI expects the Branch to document such
arrangements.
OSFI also notes in a footnote to Guideline E-4 that this
documentation should incorporate the contract for services elements
outlined in Guideline B-10. Subject to clarifications from OSFI,
this suggests that Branch service arrangements with the home office
may need to incorporate the updated contractual terms for
third-party agreements set out in Annex 2 of the Guideline.
OSFI has indicated that it is currently reviewing
Guideline E-4 and expects to issue clarifications later this year
aimed at ensuring that risks related to Canadian operations are
appropriately managed within the domestic legal and regulatory
frameworks. These updates may clarify the interaction between
Guideline E-4 and Guideline B-10.
Changes Since Draft Guideline
OSFI notes that the final Guideline is based on the
feedback received during the consultation period relating to the
draft Guideline. Submissions urged OSFI to clarify the
Guideline's scope, make it more principles-based with a greater
emphasis on a risk-based approach, respond to concerns regarding
subcontractor and concentration risks, provide for a transition
period and address overlap with other Guidelines.
A comparison of the final Guideline against the draft indicates
that relatively modest changes have been made to its text, but that
the changes improve practicality in some regards. Of note, the
final Guideline:
- clarifies that the risk and criticality of a third-party arrangement are to be considered in determining the intensity of applying expectations set out in the Guideline;
- assigns a greater importance to criticality and indicates that it can be used to scale risk assessments (as noted above, criticality is defined and relates to the impact of a risk event on the FRFI, irrespective of its likelihood);
- clarifies that the example due diligence considerations (Annex 1) and provisions for contractual agreements (Annex 2) are only required for high-risk and critical arrangements, instead of all third-party arrangements (which better aligns with the materiality standard from the 2009 iteration of Guideline B-10);
- revises certain of OSFI's expectations relating to contractual agreements with third parties, such that they are now less prescriptive, including in relation to the segregation of FRFI data and records while in the custody of a third-party, exit planning, and the FRFI's receipt of a right to audit and receive audit reports relating to a third party's subcontractors;
- adds certain other expectations for contractual agreements with third parties, including that the FRFI should receive notification of change in ownership, material non-compliance with regulatory requirements, or litigation relating to the third party (Annex 2h);
- defines the concept of risk acceptance as relating to a decision of a FRFI to accept an identified risk and not take any, or further, mitigating actions; and OSFI acknowledges that risk acceptance may be applicable in the case of standardized agreements entered into without negotiation, provided that the FRFI's TPRM program still addresses such relationships; and
- clarifies that a legal review may not be necessary for a low-risk, short-term third-party arrangement.
Next Steps for FRFIs
As noted above, the Guideline will require FRFIs to re-evaluate their
approach to managing, and contracting with, a wide array of third
parties. It will also require them to assess existing third-party
arrangements for compliance and to update agreements as necessary. In
performing such assessments, FRFIs should consider Guideline B-10
together with the requirements of other guidelines and advisories that
have been issued or updated recently, so as to assess their compliance
position against all relevant OSFI requirements.
OSFI will hold an information session for members of industry on
May 18, 2023, from 1 p.m. to 2:30 p.m. ET. Registration is
available before May 17 at 12 p.m. ET at: Information Session: Guideline B-10.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.