On March 11, 2009, the Office of the Superintendent of Financial Institutions of Canada (OSFI) released a revised version of Guideline B-10, Outsourcing of Business Activities, Functions and Processes. The revised guideline contains the first changes since December 2003.
The guideline is a crucial directive from OSFI to federally regulated entities (FREs), notably most banks, trust companies and insurance companies in Canada, regarding their outsourcing activities. The guideline outlines a set of prudent practices, procedures and standards to be applied to outsourcing arrangements, while leaving the FRE with the flexibility to structure and manage its operations as it deems suitable.
The following are the key changes in the revised guideline:
- There is now arguably a lower threshold for determining whether a contract is “material” and would thus be subject to a full risk-management analysis and program. The original guideline provided that an outsourcing arrangement would be subject to the risk-management program if it is “clearly material.” The revised guideline removes the word “clearly,” meaning that an outsourcing arrangement will be subject to the risk-management program simply if it is material (section 4).
- FREs will need to consider the application of the guideline not only when conducting due diligence reviews of potential service providers and when a contract is originally entered into, or subsequently renewed, but now also upon any substantial amendment to the contract (section 7.1).
- Outsourcing contracts must detail the physical locations from which a service provider (and presumably its subcontractors) actually provides the services (section 7.2.1(a)).
- FREs should conduct a review of the service provider’s ability to continue to deliver the service in the manner expected. The FRE would conduct this review in a manner commensurate with the level of risk involved. The review would likely include an assessment of the service provider’s circumstances and the performance of any significant subcontractors (section 7.3.3).
- The obligations have now been reduced for performing a full risk-management program for arrangements between affiliates in Canada or foreign parent companies (section 4).
- FREs will need to consider the possibility that multiple outsourcing arrangements provided by the same service provider could in aggregate make the contracts material and therefore subject to the guideline, even if none of the arrangements alone would be considered material (section 6).
- An FRE must not only scrutinize a service provider’s business-recovery plans at the time of entering into a contract but also ensure that the service provider regularly tests its business-recovery system as it pertains to the outsourcing arrangement and remedies any important deficiencies. The revised guideline also states that, upon request, the FRE will provide to OSFI the business-recovery test results as they relate to the outsourced activity (section 7.2.1(g)).
- The guideline has always required that FREs obtain the right for OSFI to audit the service provider in certain circumstances. Previously, the guideline indicated that OSFI would typically exercise that audit right only in “extreme circumstances” (such as when there are concerns about solvency of the FRE). That limitation has now been removed, suggesting that OSFI may be more likely to exercise its audit right, whether or not there are “extreme circumstances” (section 7.2.1(h)).
- Any outsourcing arrangements inherited by an FRE as part of an acquisition must be brought into compliance “at the first opportunity,” such as at the time an outsourcing contract or statement of work is substantially amended, renewed or extended (section 2).
Section 8 of the guideline previously contained the obligation for an FRE to obtain OSFI’s prior approval to outsource data processing to a service provider outside Canada if that data related to the preparation and maintenance of certain key corporate, accounting and customer records. The revised guideline has deleted this obligation to reflect an earlier policy change by OSFI, when such obligation was repealed by Bill C-37, An Act to amend the law governing financial institutions and to provide for related and consequential changes, in April 2007.
Implications for Banks and Other Federally Regulated Institutions
To a large extent, these amendments reflect sound contracting and business practices, like the guideline generally, and do not represent significant changes. OSFI indicated that the changes are only “clarifications” and not specific new obligations. For this reason, OSFI has decided that no transition period would be required for existing contracts to be altered to comply with the revised guideline.
However, despite OSFI’s view, the revisions have introduced new obligations and refinements that will undoubtedly affect when and how an FRE must analyze its outsourcing contracts and business practices. In particular, existing contracts may need to be amended to specify the physical locations for the provision of services and include the new obligations regarding business-recovery planning and reporting. FREs should also consider whether multiple contracts with a vendor that were previously characterized as non-material may in aggregate become material and therefore subject to the guideline.