With respect to outsourcing arrangements, federally regulated entities (FREs) are well aware of the expectations of the Office of the Superintendent of Financial Institutions (OSFI) set out in Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10). But OSFI’s expectations with respect to outsourcing arrangements extend beyond Guideline B-10, and compliance with Guideline B-10 is not enough.
Guideline B-10 is the primary guideline with respect to material outsourcing arrangements. It sets out OSFI’s expectations for FREs that outsource or contemplate outsourcing one or more of their business activities to a service provider, including the implementation of an outsourcing policy and the assessment of the risk and materiality of outsourcing arrangements. As between an FRE and its service provider, OSFI expects:
- the FRE to retain ultimate accountability for all outsourced activities;
- that OSFI’s supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party; and
- the FRE to document all of its material outsourcing arrangements in a written contract for services.
However, OSFI’s expectations regarding outsourcing do not end with Guideline B-10. OSFI is generally placing an increased emphasis on enterprise-wide risk management, as we are also seeing from regulators in other countries. For example, the Office of the Comptroller of the Currency in the United States has recently published risk management guidance that applies to third-party relationships generally. Therefore in addition to Guideline B-10, when considering any material or non-material outsourcing or other service arrangement, FREs should bear in mind their overall risk appetite as well as all of the following guidance, practices, expectations and requirements.
THE THREE LINES OF DEFENCE
Although not formalized in any OSFI guidance or advisory, OSFI has suggested through public remarks and industry presentations that FREs consider implementing the “three lines of defence” in the assessment and monitoring of outsourcing arrangements.
The three lines of defence have been identified by the Basel Committee on Banking Supervision (Basel Committee) as the recommended global industry practice for sound operational risk governance. The three lines of defence are:
- business line management;
- an independent corporate operational risk management function; and
- an independent review.
The Basel Committee provides a global forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. Canada is one of the member countries represented on the Basel Committee and OSFI is the competent authority for the implementation of Basel Committee recommendations in Canada.
The Basel Committee describes the three lines of defence as follows:
Business line management, which is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable.
A functionally independent corporate operational risk management function, which should generally complement the business line’s operational risk management activities. The degree of independence of this line of defence will vary among FREs. This function may include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of this line of defence is to challenge the business lines’ input to and outputs from the FRE’s risk management, risk measurement and reporting systems. The corporate operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.
Independent review and challenge of the FRE’s operational risk management controls, processes and systems. Those performing these reviews must be competent and appropriately trained and not involved in the development, implementation and operation of the FRE’s operational risk management framework. This review may be done by internal audit or by staff independent of the process or system under review, but may also involve suitably qualified external parties. In cases where the audit activities have been outsourced, senior management should consider the effectiveness of the underlying arrangement as well as the suitability of relying on an outsourced function as a third line of defence.
The Basel Committee – and OSFI – recognizes that the structure and activities of the three lines of defence will often vary, depending on an FRE’s portfolio of products, activities, processes and systems, the FRE’s size and its risk management approach.
In assessing an FRE’s outsourcing arrangements, we expect that OSFI may consider both compliance with Guideline B-10 and how the three lines of defence have been implemented. OSFI has recently mentioned some common findings from a review of FRE outsourcing arrangements and reported that the second and third lines of defence were sometimes missing. FREs should consider how they have implemented the Basel Committee's three lines of defence within their risk management framework generally and specifically when assessing and monitoring outsourcing arrangements.
RECORD KEEPING IN CANADA
With respect to location of records, Guideline B-10 provides that certain records of entities carrying on business in Canada must be maintained in Canada, in accordance with the applicable financial institutions statutes, and that an FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfil its mandate. OSFI Guidelines E-4A – Role of the Chief Agent and Record Keeping Requirements and E-4B – Role of the Principal Officer and Record Keeping Requirements (collectively, Record Keeping Guidelines) elaborate on the type and form of records that must be maintained in Canada.
The Record Keeping Guidelines apply specifically to Canadian branches of foreign insurance companies and foreign banks (collectively, Branches). However, OSFI has also pointed other types of FREs to the Record Keeping Guidelines as a source of OSFI’s expectations regarding the maintenance of records in Canada. Therefore all FREs should be aware of these guidelines, in particular when entering into outsourcing arrangements with service providers who are located outside of Canada or who provide some or all of their services from a location outside of Canada.
The Record Keeping Guidelines provide that where the processing of records related to a Branch’s business occurs at a location other than the principal office or chief agency, the records must be backed up as appropriate and provided to the Branch to ensure that records maintained in Canada are up to date at the end of each business day. The Record Keeping Guidelines specifically note that downloading of records to the Canadian Branch is only required when the records have changed from the previous day.
In respect of the form of records, the financial institutions statutes provide that an FRE has the option of preparing and maintaining records in hard copy or electronically, provided that electronic records can be reproduced “in intelligible written form within a reasonable period of time”. The Record Keeping Guidelines provide that OSFI expects to be able to obtain such information without incurring additional cost and using readily available commercial applications. However, OSFI maintains discretion to require that certain records be maintained in hard copy.
In entering into outsourcing arrangements that involve the processing or maintenance of any records that an FRE must maintain in Canada, the FRE should ensure that the service provider – whether it is an affiliate or a third party – is able to provide the services to the FRE in a manner that will allow the FRE to meet the legal requirements applicable to the FRE and OSFI’s expectations set out in the Record Keeping Guidelines.
OSFI recently released Cyber Security Self-Assessment Guidance (Cyber Security Guidance) for FREs which included a self-assessment template that set out the “desirable properties and characteristics of cyber security practices that could be considered by a FRE when assessing the adequacy of its cyber security framework and when planning enhancements to its framework” (see our October 2013 Blakes Bulletin: OSFI Releases Cyber Security Self-Assessment Guidance). The template specifically refers to the assessment and mitigation of cyber risk arising from material outsourcing arrangements and critical IT service providers. The assessment of cyber risk should be built into the existing risk management framework of FREs, including with respect to the assessment of outsourcing arrangements.
OUTSOURCING TO RELATED PARTIES
Under the various financial institutions statutes, FREs, other than foreign branches, are generally prohibited from entering into related party transactions unless such transactions are permitted under the statute and, in some cases, approved by the Superindendent. In addition, an FRE is required to have an internal policy on related party transactions. The statutes permit an FRE to enter into a written service contract with a related party for services used in the ordinary course of business, provided that the service arrangement is on terms and conditions that are at least as favourable to the FRE as market terms and conditions. In addition to all of the other guidance noted above, FREs should bear this statutory requirement in mind with respect to service arrangements with related parties, and should also ensure that any such arrangements comply with the FRE’s internal policy on related party transactions.