The Office of the Superintendent of Financial Institutions (OSFI) recently released the final version of its revised "Guideline B-10 on Outsourcing Business Activities, Functions and Processes" (Guideline).
In the last issue of the TLQ, we provided federally regulated financial entities (FREs) with an overview of the proposed changes. Now that the final Guideline has been released, what must FREs do to comply — and when?
You are party to an outsourcing agreement.
You must review your agreement to ensure that it:
- specifies the measures, to be taken by the service provider for ensuring that continuation of the outsourced business activity, will anticipate not only problems affecting the service provider’s operation but also events, including reasonably foreseeable events;
- includes a provision that requires the service provider to address any material deficiencies uncovered during its regular tests of its business recovery system, in addition to notifying you of the tests’ results (because you are expected to provide a summary of these results to OSFI upon reasonable notice);
- identifies the physical location of the performance of the services when indicating "where" the service provider will provide the service; and
- 4.provides for the development and maintenance of a business continuity plan that is "appropriate" if you are party to intra-group material outsourcing agreements. (Unfortunately, the Guideline does not provide any guidance as to what this new qualification entails.)
When? Right away. There is no transitional period provided to ensure compliance with the Guideline, unless your outsourcing agreement was entered into prior to December 15, 2004 or was obtained as a result of an acquisition — in which case, you must ensure compliance with the first three requirements above "at the first opportunity," such as the time the outsourcing contract, agreement or statement of work (where applicable) is substantially amended, renewed or extended.
You are planning to substantially amend your outsourcing agreement.
In the past, you were only required to undertake a due diligence process assessing the risks associated with your outsourcing arrangement in selecting a service provider or renewing a contract or outsourcing agreement. Under the revised Guideline, you are now expected to undertake this process any time your agreement is substantially amended. The Guideline does not give any indication of what, in OSFI’s view, would constitute a "substantial" amendment. At a minimum, any material change to the nature of the services being provided (such as the addition of a new service tower), the scope of the services being provided (such as the addition of a new business unit or a significant new volume of business), or the way the services are being delivered (such as a change in the location from which the services are delivered or a subcontracting of a significant portion of the services), would likely fall into this category.
You have just obtained an outsourcing arrangement as a result of an acquisition.
If you have obtained outsourcing arrangements through an acquisition, you are expected to comply with the Guideline at the first opportunity, such as the time the outsourcing contract, agreement or statement of work is substantially amended, renewed or extended.
You have multiple outsourcing arrangements with the same provider. When assessing the materiality of an outsourcing arrangement, you must now take into account the impact that multiple outsourcing arrangements with a single service provider may have, in the aggregate, on you. OSFI expects you to consider the relevant risk management expectations set out under its risk management program — to the extent feasible and reasonable in the circumstances. You must therefore reassess the materiality of all outsourcing arrangements previously qualified as "immaterial," taking into account this new factor; if, in the aggregate, all such agreements taken as a whole are material, they must meet the standards established in the Guideline and may need to be renegotiated to achieve this.
When? Right away.
The annual review of your provider is coming up.
Your annual review of your service provider to ascertain its ability to continue to deliver the service in the manner expected is now to be commensurate with the level of risk involved with each particular outsourcing arrangement (determined further to the due diligence processes required by the Guideline). In addition, since your review must now also assess the use and performance of significant subcontractors, you should ensure that the outsourcing arrangements with your providers provide you with the necessary flexibility to adequately perform this subcontractor assessment and administer appropriate remedies if the results of the review are not satisfactory.