On April 27, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released Draft Guideline B-10 – Third-Party Risk Management (Draft Guideline B-10) for public comment. Draft Guideline B-10 aims to enhance OSFI’s expectations of Federally Regulated Financial Institutions’ (FRFIs) management of third-party risks.
Draft Guideline B-10 updates the existing OSFI Guideline B-10 – Outsourcing of Business Activities, Functions and Processes (Guideline B-10), which has not been updated since 2010. In its release, OSFI noted that the proposed changes to Guideline B-10 were informed by its findings from several sources, including: (i) OSFI’s 2019 Third-Party Risk Study, (ii) feedback from OSFI’s 2020 Technology Risk Discussion Paper, (iii) public comment received regarding OSFI’s draft Guideline B-13 – Technology and Cyber Risk, and (iv) observations from OSFI’s ongoing supervisory and policy work.
OSFI notes that Draft Guideline B-10 should be read in conjunction with applicable legislation and other relevant OSFI guidance, including but not limited to Guideline E-21: Operational Risk Management, Guideline B-13: Technology and Cyber Risk Management, and the Corporate Governance Guideline.
This article provides a brief overview of the principal changes proposed in Draft Guideline B-10, and further details regarding the ongoing public consultation.
I. Summary of principal changes
OSFI identified four principal changes to Guideline B-10: (i) expanded scope; (ii) widened risk lens; (iii) enhanced risk focus; and (iv) modernized guidance.
Change #1 – Expanded scope
Draft Guideline B-10 applies to a wide range of third-party arrangements. Guideline B-10 presently applies only to an FRFI’s “outsourcing arrangements”, which may or may not be with third parties.
Draft Guideline B-10 defines a “third-party arrangement” as “[A]ny business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise (e.g., another form of agreement or the conduct of the parties). Arrangements with FRFI customers (e.g., depositors and policyholders) are excluded from this definition.”
Examples of applicable third-party arrangements include those with: (i) independent professionals (e.g., audit and accounting firms); (ii) mortgage, insurance and deposit brokers; (iii) power and telecommunications utilities; (iv) affiliates of the FRFI, where such affiliate provides certain services to the FRFI; and (v) persons related to the provision of services, use, and storage of data.
While the revised guidance would expand the scope of arrangements relative to the current application of Guideline B-10, it appears that the existing requirements for outsourced arrangements with related party service providers would no longer apply.
Change #2 – Widened risk lens
Draft Guideline B-10 extends its governance of risks beyond those associated with only outsourcing arrangements to apply to risks related to third-party arrangements more generally (defined as “third-party risks”). OSFI notes that the goal of using the concept of “third-party risk” is to capture a broader scope of risk that could disrupt FRFIs’ operations from a wider range of external factors.
“Third-party risks” are defined by OSFI as “risk to the FRFI’s operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement.” Draft Guideline B-10 notes that “third-party risks” include but are not limited to: (i) insolvency of a third party or material subcontractor; (ii) operational disruptions at the applicable third party or material subcontractor; (iii) political, geographic, legal, environmental, or other risks impeding a third party or its material subcontractors from providing services to the FRFI; and (iv) corruption or loss of FRFI data, or data breaches.
It is important to note that OSFI acknowledges that separate guidance dealing with consumer-directed data mobility within the financial sector is forthcoming and such guidance is not intended to conflict with Draft Guideline B-10.
Change #3 – Enhanced risk focus
Draft Guideline B-10 foregoes the materiality threshold in favour of a risk-based approach. Guideline B-10 currently requires the robustness of an FRFI’s management of outsourcing risks to be commensurate with the materiality of the applicable outsourcing arrangement. In Draft Guideline B-10, OSFI notes that it “expects the FRFI to manage third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI’s third-party ecosystem. OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment.”
OSFI defines a critical third-party arrangement as one where the third party performs a function or service that is integral to the FRFI’s provision of a significant operation, function, or service, and where a failure in the third party’s performance could cause significant harm to the FRFI’s operations and/or reputation.
Change #4 – Modernized guidance
Draft Guideline B-10 sets out five expected outcomes for FRFIs to achieve through managing third-party risk. Embedded within the five expected outcomes are 11 principles that OSFI expects FRFIs to follow in order to achieve its stated outcomes[1].
1. Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience.
- Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements.
- Principle 2: The FRFI should establish a third-party risk management framework that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.
2. Risks posed by third parties are identified and assessed.
- Principle 3: Before entering a third-party arrangement—and, periodically thereafter, proportionate to the level of risk and criticality of the arrangement—the FRFI should identify and assess the risks of the arrangement. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight.
- Principle 4: The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
- Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered into by third parties, including the impact of these arrangements on concentration risk.
3. Risks posed by third parties are managed and mitigated within the FRFI’s risk appetite framework.
- Principle 6: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party. In this regard, OSFI has included minimum provisions for third-party agreements which are generally consistent with the current requirements in Guideline B-10.
- Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data. FRFIs should be mindful of the record-keeping requirements in the Bank Act, Insurance Companies Act, and the Trust and Loan Companies Act, as applicable.
- Principle 8: The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.
- Principle 9: The FRFI’s agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.
4. Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed.
- Principle 10: The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks.
- Principle 11: Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFI’s risk appetite. In particular, FRFIs should ensure that written agreements with third parties enable them to comply with their reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory.
5. The FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of third-party arrangements and interactions.
- OSFI expects FRFIs to manage risks in situations where the arrangement is supported only by a standardized contract, or by no formal contract at all.
- OSFI notes that arrangements with the external auditor can give rise to conflicts of interest and that FRFIs should not obtain actuarial or internal audit services from its external auditor unless certain conditions apply.
We encourage FRFIs to review Draft Guideline B-10 for additional detail as to OSFI’s expectations.
II. Next steps for industry stakeholders
In our view, the introduction of Draft Guideline B-10 is a welcome development for FRFIs, as it fills certain gaps in the current iteration of Guideline B-10. Draft Guideline B-10 provides further clarity on the specific principles FRFIs should focus on in mitigating the risks associated with their third-party arrangements. In addition, Draft Guideline B-10 is more aligned with OSFI’s principles-based approach to the supervision of FRFIs and the management of risks.
A final version of Draft Guideline B-10 is expected to be issued in the fall of 2022. As part of the public consultation process, OSFI is particularly interested in feedback on the clarity and granularity of OSFI’s risk management expectations. Industry stakeholder comments may be submitted to OSFI at b10@osfi-bsif.gc.ca no later than July 27, 2022.
In addition, OSFI plans to host an information session for FRFIs and other interested stakeholders on Wednesday, May 4, 2022 at 2 pm EST.
Dentons Canada’s Insurance Regulatory group is pleased to assist with any submissions to OSFI and to discuss any questions FRFIs may have regarding the implications of the implementation of the proposed revised guidance.
[1] Please see the text of Draft Guideline B-10 for further OSFI risk management expectations not listed below.