OSFI’s New Guideline B-10: Third-Party Risk Management

On April 24, 2023, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal financial institutions regulator, released its much-anticipated new Guideline B-10: Third-Party Risk Management (Guideline). The release of the final Guideline follows the publication of a draft on April 27, 2022, and subsequent consultation period. Below, we have included a summary of key changes made to the draft Guideline.

The new Guideline will replace OSFI’s current Guideline B-10: Outsourcing of Business Activities, Functions and Processes, which was originally issued in 2001 and was last revised in 2009. The Guideline sets out OSFI’s third-party risk management (TPRM) expectations for federally regulated financial institutions in Canada (FRFIs) and contributes to the financial services industry’s best practices for contracting with third parties. Relative to the current Guideline B-10, the new Guideline addresses a more comprehensive set of risks to reflect the contemporary, expanding third-party ecosystem.

The Guideline will require financial institutions to re-evaluate their approach to managing relationships, including contracting, with a wide array of third parties. 

The Guideline proposes a number of changes to OSFI’s current Guideline B-10. Specifically, it places a greater emphasis on governance and risk-management programs. It also sets outcome-focused, principle-based expectations on the management of third-party risks, although several requirements remain fairly prescriptive. The new Guideline expands the scope of the current Guideline B-10 to include a wider range of third-party arrangements (beyond just outsourcing), considers a wider range of risks (such as criticality and concentration risk), and provides guidance on standardized contracts.

Importantly, the Guideline replaces the current materiality threshold for applicability with a risk-based approach and indicates that risk and criticality should be considered when determining the intensity with which to apply the expectations set out in the Guideline. It also prescribes more rigorous expectations for high-risk and critical third-party arrangements and includes an updated list of minimum contractual terms and due diligence considerations for such arrangements.

The new Guideline relies in part on findings from OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, industry’s response to OSFI’s Technology and Cyber Risk Management Guideline (B-13) and to an earlier draft of the Guideline.

Effective Date

The new Guideline B-10 will come into effect on May 1, 2024. OSFI indicates that this transition period is intended to provide FRFIs sufficient time to self-assess and build TPRM programs that comply with the new requirements.

Third-party arrangements commencing on or after May 1, 2024, are expected to comply with all applicable sections of the new Guideline. Importantly, FRFIs are expected to review and update legacy arrangements entered into prior to May 1, 2024, at the earliest appropriate contract renewal or revision point to meet the expectations of the Guideline by its implementation date or as soon as possible thereafter.

Scope

The scope of the Guideline is much broader than the existing Guideline B-10, as it re-sets OSFI’s expectations for managing risks associated with third-party arrangements, rather than focusing on material outsourcing arrangements. What constitutes a “third-party arrangement” is defined broadly in the Guideline and only narrow exceptions are recognized, such as arrangements between a FRFI and its customers or employees. Service arrangements between a FRFI and an affiliate are included in the new definition of a third-party arrangement and accordingly will continue to be subject to the requirements of the Guideline, in addition to the existing self-dealing requirements in the legislation.

Foreign bank branches and foreign insurance company branches operating in Canada are excluded from the application of the Guideline but remain subject to requirements in respect of outsourcing arrangements under OSFI’s Guideline E-4, as discussed further below.

OSFI notes that the Guideline is not intended to impede the establishment of an open banking framework by the federal government, which OSFI refers to as consumer-directed data mobility within the financial sector, consistent with recent terminology proposed by the federal Advisory Committee on Open Banking. Once that framework is designed, OSFI notes that it may provide additional guidance.

Governance

The Guideline places a greater emphasis on effective governance of third-party arrangements. OSFI expects FRFIs to implement clear governance and accountability structures with comprehensive risk strategies and frameworks to ensure ongoing operational and financial resilience.

A FRFI is ultimately accountable for all business activities, functions and services it outsources to third parties, and for managing the risks associated with third-party arrangements and interactions. Accordingly, OSFI expects a FRFI to establish an enterprise-wide TPRM framework that sets out clear accountabilities, responsibilities, policies and processes for identifying, managing, mitigating, monitoring and internally reporting on risks relating to the use of third parties. The Guideline sets out the key elements of what should be included in a TPRM framework. FRFIs should consider assessing their vendor management programs against the new governance requirements of the Guideline to identify and address any material gaps.

Third-Party Risk Management and Mitigation

OSFI expects that under a FRFI’s TPRM program:

• risks posed by third parties will be identified and assessed;

• these risks will be managed and mitigated within the FRFI’s risk-appetite framework; and

• third-party performance will be monitored and assessed, and any risks and incidents will be proactively addressed. 

In adopting a risk-based approach, OSFI expects FRFIs to manage third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI’s third-party ecosystem, for which the Guideline introduces and defines the concept of criticality. Criticality denotes importance to the FRFI’s operations, strategy, financial condition or reputation, and it emphasizes the impact of a risk event, irrespective of the likelihood of such risk event occurring.

OSFI expects FRFIs to assess the risk and criticality of a third-party arrangement throughout its lifecycle. This includes assessment prior to entering into the arrangement, regularly during the course of the arrangement (at a frequency and scope proportionate to the level of criticality) and after any material change has occurred in the arrangement. The due diligence to be conducted by a FRFI in respect of the third-party arrangement should be proportionate to the assessed level of risk and criticality. OSFI also notes that, if appropriate, a FRFI should maintain an inventory of third parties delineated by level of risk and criticality.

OSFI outlines several key factors that FRFIs should consider when determining the level of risk and criticality. These include the probability of the third party or its subcontractors failing to meet expectations due to insolvency or operational disruption, the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, the substitutability and financial health of the third party, and other relevant risks associated with the use of a third party. The Guideline also includes more detailed guidance on subcontracting arrangements.

As with the current Guideline B-10, FRFIs are generally expected under the Guideline to document their arrangements with third parties in a written agreement. Annex 2 of the Guideline provides certain minimum provisions that an agreement with a third party must address for high-risk and critical arrangements. Many of these provisions largely mirror the contractual terms that Guideline B-10 currently mandates, but the Guideline has made some changes to the list. The body of the Guideline provides guidance on expected contractual provisions, and this should be reviewed in conjunction with Annex 2 in considering whether an agreement complies with the Guideline (and preparing any associated contracting checklists). In conducting such reviews, a FRFI should also review and consider the Technology and Cyber Risk Management Guideline (B-13) and Technology and Cyber Security Incident Reporting Advisory, as each contains provisions that may be relevant to third-party arrangements.

OSFI also expects a FRFI to monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks. The Guideline notes that both the FRFI and the third party should have documented processes in place to identify, track and remediate incidents that could impact the third party’s ability to deliver the contracted goods or services. Importantly, a FRFI is also expected to ensure that agreements with third parties contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory that requires reporting of technology and cybersecurity incidents.

The Guideline maintains the current requirement that an agreement with a third party must give both the FRFI and OSFI the right to assess the third party through audit rights and sets out more granular audit provisions to be included in the agreement.

The Guideline expressly recognizes that there are certain third-party arrangements for which a customized contract may not be feasible. In these situations, OSFI still expects the FRFI’s TPRM program to address these relationships, and where applicable, formally accept risks presented by such standardized contracts.

The Guideline also sets out expectations in respect of arrangements with a FRFI’s external auditor, similar to analogous provisions under the current Guideline B-10.

The Guideline notes that all of the expectations set out above are considered minimum expectations for critical third-party arrangements and those that pose a high risk to the FRFI.

Technology and Cyber Risk in Third-Party Arrangements

In recognition of elevated technological and cyber risks, the final section of the Guideline describes OSFI’s additional expectations about how a FRFI should address these risks in its arrangements with third parties. The final section also specifies that technology and cyber operations carried out by third parties must be transparent, reliable and secure.

Recognizing the prevalence of cloud services and the need to create cloud-specific requirements, OSFI expects FRFIs to specifically consider cloud portability when entering an arrangement (and mitigants in the absence of portability). The regulator also expects FRFIs to ensure that cloud adoption occurs in a planned and strategic manner that optimizes interoperability while operating within the FRFI’s stated risk appetite.

Foreign Branches

Foreign bank branches and foreign insurance company branches operating in Canada (Branches) are excluded from the application of the Guideline. This is a departure from the current Guideline B-10, which has specific provisions addressing outsourcing arrangements between a Branch and its home office and other affiliates. Importantly, OSFI’s new Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis that took effect in 2022 states that if the home office performs material functions on behalf of the Branch, either directly or through its own outsourcing arrangements, OSFI expects the Branch to document such arrangements.

OSFI also notes in a footnote to Guideline E-4 that this documentation should incorporate the contract for services elements outlined in Guideline B-10. Subject to clarifications from OSFI, this suggests that Branch service arrangements with the home office may need to incorporate the updated contractual terms for third-party agreements set out in Annex 2 of the Guideline.

OSFI has indicated that it is currently reviewing Guideline E-4 and expects to issue clarifications later this year aimed at ensuring that risks related to Canadian operations are appropriately managed within the domestic legal and regulatory frameworks. These updates may clarify the interaction between Guideline E-4 and Guideline B-10.

Changes Since Draft Guideline

OSFI notes that the final Guideline is based on the feedback received during the consultation period relating to the draft Guideline. Submissions urged OSFI to clarify the Guideline’s scope, make it more principles-based with a greater emphasis on a risk-based approach, respond to concerns regarding subcontractor and concentration risks, provide for a transition period and address overlap with other Guidelines.

A comparison of the final Guideline against the draft indicates that relatively modest changes have been made to its text, but that the changes improve practicality in some regards. Of note, the final Guideline:

• clarifies that the risk and criticality of a third-party arrangement are to be considered in determining the intensity of applying expectations set out in the Guideline;

• assigns a greater importance to criticality and indicates that it can be used to scale risk assessments (as noted above, criticality is defined and relates to the impact of a risk event on the FRFI, irrespective of its likelihood);

• clarifies that example due diligence considerations (Annex 1) and provisions for contractual agreements (Annex 2) are only required for high-risk and critical agreements, instead of all third-party arrangements (which better aligns with the materiality standard from 2009 iteration of Guideline B-10);

• revises certain of OSFI’s expectations relating to contractual agreements with third parties, such that they are now less prescriptive, including in relation to the segregation of FRFI data and records while in the custody of a third-party, exit planning, and the FRFI’s receipt of a right to audit and receive audit reports relating to a third party’s subcontractors;

• adds certain other expectations for contractual agreements with third parties, including that the FRFI should receive notification of change in ownership, material non-compliance with regulatory requirements, or litigation relating to the third party (Annex 2h);

• defines the concept of risk acceptance as relating to a decision of a FRFI to accept an identified risk and not take any, or further, mitigating actions; and OSFI acknowledges that risk acceptance may be applicable in the case of standardized agreements entered into without negotiation, provided that the FRFI’s TPRM program still addresses such relationships; and

• clarifies that a legal review may not be necessary for a low-risk, short-term third-party arrangement.

Next Steps for FRFIs

The Guideline will require FRFIs to re-evaluate their approach to managing relationships, including contracting, with a wide array of third parties, and require them to assess existing third-party arrangements for compliance and update agreements as necessary. In performing such assessments, FRFIs should consider Guideline B-10 along with the requirements of other guidelines and advisories that have been enacted or updated recently to assess their compliance position against all relevant OSFI requirements.

OSFI will hold an information session for members of industry on May 18, 2023, from 1 p.m. to 2:30 p.m. ET. Registration is available before May 17 at 12 p.m. ET at: Information Session: Guideline B-10.

Contact Us for Further Guidance

Our teams are actively assisting clients with updating contracting practices and supplier agreements to address the Guideline. For further information or guidance, please contact:

David Feldman               +1-416-863-4021
Robert Percival               +1-416-863-5297
Robert Tremblay            +1-416-863-3304
Paul Belanger                 +1-416-863-4284
Vladimir Shatiryan         +1-416-863-4154

or any other member of our Technology or Financial Services Regulatory groups.