On April 27, 2022, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal financial institutions regulator, released its much-anticipated new Draft Guideline B-10: Third-Party Risk Management (Draft Guideline). The Draft Guideline is intended to replace OSFI’s current Guideline B-10 on Outsourcing of Business Activities, Functions and Processes, which was originally issued in 2001 and was last revised in 2009. The Draft Guideline sets out OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and contributes to industry best practices for contracting with third parties. It is intended to address a more comprehensive set of risks to reflect the contemporary, expanding third-party ecosystem.
Foreign bank branches and foreign insurance company branches operating in Canada are excluded from the application of the new Draft Guideline but remain subject to requirements in respect of outsourcing arrangements under OSFI’s Guideline E-4, as discussed further below.
The scope of the Draft Guideline is much broader than the existing Guideline B-10, as it re-sets OSFI’s expectations for managing risks associated with third-party arrangements, rather than focusing on material outsourcing arrangements. The terms “third-party arrangement” and “third-party risk” are defined broadly in the Draft Guideline, and only narrow exceptions are recognized, such as arrangements between a FRFI and its customers. Service arrangements between a FRFI and an affiliate are included in the new definition of a third-party arrangement and accordingly will continue to be subject to the requirements of the Draft Guideline, in addition to the existing self-dealing requirements in the legislation.
OSFI also notes that the Draft Guideline is not intended to impede the establishment of an open banking framework by the federal government, which OSFI refers to as consumer-directed data mobility within the financial sector, consistent with recent terminology proposed by the federal Advisory Committee on Open Banking. Once that framework is designed, OSFI notes that it may provide additional guidance.
The revised, modernized Draft Guideline relies in part on findings from OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, and industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13).
If adopted in its current form, the Draft Guideline will require financial institutions to re-evaluate their approach to managing relationships, including contracting, with a wide array of third parties.
The Draft Guideline proposes a number of changes to OSFI’s current guidance. Specifically, it places a greater emphasis on governance and risk management programs. It also sets outcome-focused, principle-based expectations on the management of third-party risks, although several requirements remain fairly prescriptive. The Draft Guideline expands the scope of Guideline B-10 to include a wider range of third-party arrangements (beyond just outsourcing) and considers a wider range of risks (such as criticality and concentration risk). OSFI also proposes an updated list of terms to be addressed in third-party contracts and provides guidance on standardized contracts. Importantly, the Draft Guideline also replaces the current materiality threshold for applicability with a risk-based approach.
This bulletin highlights some of the key requirements of the Draft Guideline.
The Draft Guideline places a greater emphasis on effective governance of third-party arrangements. OSFI expects FRFIs to implement clear governance and accountability structures with comprehensive risk strategies and frameworks to ensure ongoing operational and financial resilience.
A FRFI is ultimately accountable for all business activities, functions and services it outsources to third parties, and for managing the risks associated with third-party arrangements and interactions. Accordingly, OSFI expects a FRFI to establish an enterprise-wide third-party risk management framework that sets out clear accountabilities, responsibilities, policies and processes for identifying, managing, mitigating, monitoring and internally reporting on risks relating to the use of third parties. The Draft Guideline sets out the key elements of what should be included in a third-party risk management framework. FRFIs should consider assessing their vendor management programs against the new governance requirements of the Draft Guideline to identify and address any material gaps.
THIRD-PARTY RISK MANAGEMENT AND MITIGATION
OSFI expects that under a FRFI’s third-party risk management program:
risks posed by third parties will be identified and assessed;
these risks will be managed and mitigated within the FRFI’s risk appetite framework; and
third-party performance will be continually monitored and assessed, and any risks and incidents will be proactively addressed.
In adopting a risk-based approach, OSFI expects FRFIs to manage third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI’s third-party infrastructure, for which the Draft Guideline introduces the concept of “criticality”. It is defined as the degree of impact of the third-party arrangement on the FRFI’s risk profile, operations, strategy and/or financial condition.
OSFI expects FRFIs to assess risk and criticality of a third-party arrangement throughout its lifecycle. This includes assessment prior to entering into the arrangement, regularly during the course of the arrangement and after any material change has occurred in the arrangement. The due diligence to be conducted by a FRFI in respect of the third-party arrangement should be ongoing and proportionate to the assessed level of risk and criticality.
OSFI outlines several key factors that FRFIs should consider when determining the level of risk and criticality. These include the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, substitutability, financial health of the third party and other relevant risks associated with the use of a third party. The Draft Guideline also includes more detailed guidance on subcontracting arrangements.
As with the current Guideline B-10, FRFIs are expected under the Draft Guideline to document their arrangements with third parties in a written agreement. Annex 2 of the Draft Guideline provides certain minimum provisions that an agreement with a third party must address. Many of these provisions largely mirror the contractual terms that Guideline B-10 currently mandates, but the Draft Guideline has made some changes to the list.
OSFI also expects a FRFI to monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks. Importantly, the Draft Guideline notes that both the FRFI and the third party should have documented processes in place to identify, track and remediate incidents that could impact the third party’s ability to deliver the contracted goods or services.
The Draft Guideline also maintains the current requirement that an agreement with a third party must give both the FRFI and OSFI the right to assess the third party through audit rights and sets out more granular audit provisions to be included in the agreement. Importantly, a FRFI is also expected to ensure that agreements with third parties contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory that requires reporting of technology and cybersecurity incidents.
The Draft Guideline expressly recognizes that there are certain third-party arrangements for which a customized contract may not be feasible. In these situations, OSFI still expects FRFIs to appropriately manage risk through the third-party risk management program in a manner that is proportionate to the level of risk and criticality of the relationship. The Draft Guideline also sets out expectations in respect of arrangements with a FRFI’s external auditor, similar to analogous provisions under the current Guideline B-10.
The Draft Guideline notes that all of the expectations set out above are considered minimum expectations for critical third-party arrangements and those that pose a high risk to the FRFI.
TECHNOLOGY AND CYBER RISK IN THIRD-PARTY ARRANGEMENTS
In recognition of the elevated risks presented by technology and cyber risk, the final section of the Draft Guideline describes OSFI’s additional expectations surrounding how technology and cyber risk are to be addressed in a FRFI’s arrangements with third parties. Recognizing the prevalence of cloud services and the necessity to create cloud-specific requirements, OSFI expects FRFIs to specifically consider cloud portability when entering an arrangement, and to also ensure that cloud adoption occurs in a planned and strategic manner that optimizes interoperability, while at the same time operating within the FRFI’s stated risk appetite.
Foreign bank branches and foreign insurance company branches operating in Canada (Branches) are excluded from the application of the Draft Guideline. This is a departure from the current Guideline B-10, which has specific provisions addressing outsourcing arrangements between a Branch and its home office and other affiliates. Importantly, OSFI’s new Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis, which took effect earlier in 2022, states that if the home office performs material functions on behalf of the Branch, either directly or through its own outsourcing arrangements, OSFI expects the Branch to document such arrangements. OSFI also notes in a footnote to Guideline E-4 that this documentation should incorporate the contract for services elements outlined in Guideline B-10. Subject to clarifications from OSFI, this suggests that Branch service arrangements with the home office may need to incorporate the updated contractual terms for third-party agreements that will be set out in Annex 2 of the new Draft Guideline.
The consultation on the Draft Guideline is open until July 27, 2022. Following the consultation, OSFI expects to issue a final updated guideline in the fall of 2022.