Financial Services Update

OSFI is currently accepting comments from the public and financial industry on the revised version of Draft Guideline B-10 on Third-Party Risk Management (Draft Guideline). The comment period for the public consultation process was extended from July 27, 2022, to September 30, 2022. OSFI anticipates that it will issue a final version of the Draft Guideline by the end of 2022.

Background

On April 27, 2022, OSFI published revisions to the Draft Guideline. The Draft Guideline will replace OSFI’s Guideline B-10 on Outsourcing of Business Activities, Functions and Processes, which was issued in 2009. The changes introduced by the Draft Guideline reflect OSFI’s goal of modernizing and strengthening the obligations of Federally Regulated Financial Institutions (FRFIs) when outsourcing services to third parties.

The proposed changes in the Draft Guideline were supported by OSFI’s 2019 Third-Party Risk Study. The revised Draft Guideline also incorporates comments OSFI received during the consultation and comment period for Guideline B-13 on Technology and Cyber Risk Management (Guideline B-13), issued in July 2022. The proposed changes will ensure consistency between the Draft Guideline and more recent guidance issued by OSFI, including Guideline B-13 and the Guideline on Corporate Governance.

Important changes proposed by the Draft Guideline

The Draft Guideline is more comprehensive than its predecessor, establishing enhanced expectations for FRFIs and expanding the scope of the guidance. The Draft Guideline proposes the following principal changes:

  • Expansion of scope from “outsourcing arrangements” to a broader category of “third-party arrangements”. The Draft Guideline defines a third-party arrangement as any business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise. This definition excludes arrangements between FRFIs and FRFI Customers.
  • Expansion of the focus from “outsourcing risk” to “third-party risk”. Third-party risk refers to the risk to the FRFI’s operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. Examples of third-party risk include political, geographic, legal, or environmental risks that impede a third party.
  • Governance and risk management programs adopted by the FRFI need to span the lifecycle of a third-party arrangement.
  • Replacement of the distinction between “material” and “non-material” outsourcing with a “risk-based approach”.

Outcomes and principles

The proposed changes in the Draft Guideline reflect the five outcomes outlined by OSFI. The outcomes focus on managing third-party risk and aim to:

  • Ensure governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience;
  • Identify and assess risks posed by third parties;
  • Manage and mitigate risks posed by third parties within the FRFI’s Risk Appetite Framework;
  • Ensure third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed; and
  • Ensure the FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of third-party arrangements and interactions.

To achieve the above outcomes, OSFI established 11 principles that influence the Draft Guideline:

  • Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements.
  • Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.
  • Principle 3: Before entering a third-party arrangement—and, periodically thereafter, proportionate to the level of risk and criticality of the arrangement—the FRFI should identify and assess the risks of the arrangement. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight.
  • Principle 4: The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third-party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
  • Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered into by third parties, including the impact of these arrangements on concentration risk.
  • Principle 6: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party.
  • Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third-party should establish and maintain appropriate measures to protect the confidentiality, integrity, and availability of records and data.
  • Principle 8: The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist the FRFI in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third-party.
  • Principle 9: The FRFI’s agreement with the third-party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.
  • Principle 10: The FRFI should monitor its third-party arrangements to verify the third-party’s ability to continue to meet its obligations and effectively manage risks.
  • Principle 11: Both the FRFI and its third-party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFI’s risk appetite.

Outsourcing to FINTECH companies

FRFIs that maintain outsourcing arrangements with FINTECH companies, or receive services from FINTECH companies, should consider how the Draft Guideline will enhance their obligations. FRFIs may need to revise their agreements with third-party FINTECH companies to ensure compliance with the proposed guidance in the Draft Guideline. Similarly, FRFIs entering or renewing outsourcing agreements should be mindful of the new obligations proposed by the Draft Guideline.

The Draft Guideline does not directly impose requirements on FINTECH companies that provide services to FRFIs. However, FINTECH companies should be aware of the risk monitoring and overview programs that FRFIs have to implement. These programs will likely increase the reporting obligations of FINTECH companies providing services to FRFIs.

The foregoing is a summary of changes introduced by Draft Guideline B-10 on Third-Party Risk Management. If you have any specific questions, we invite you to contact a member of our Financial Services team.