The Office of the Superintendent of Financial Institutions of Canada (OSFI) recently released proposed amendments to Guideline B-10 on Outsourcing of Business Activities, Functions and Processes. The Guideline sets out expectations for federally regulated financial entities (FREs) that are outsourcing, or contemplating outsourcing, one or more of their business activities to a service provider. Although OSFI takes the view that FREs should have the flexibility to configure their operations in the way most suited to achieving their corporate objectives, the Guideline operates on the premise that FREs retain ultimate accountability for all outsourced activities. The proposed changes to the Guideline are summarized below.
Removal of the approval requirement for outsourcing to foreign jurisdictions. When Bill C-37, An Act to amend the law governing financial institutions and to provide for related and consequential changes, came into force in 2007, it removed the need for FREs to obtain OSFI’s approval to maintain and process outside Canada information or data relating to the preparation and maintenance of certain corporate, accounting and customer records. OSFI proposes to remove the approval requirement from the Guideline to reflect this development.
Outsourcing arrangements obtained as a result of an acquisition. If an FRE has obtained outsourcing arrangements through an acquisition, the FRE is expected to comply with the Guideline at the first opportunity, such as the time the outsourcing contract, agreement or statement of work (where applicable) is substantially amended, renewed or extended.
Multiple outsourcing arrangements with a single service provider. In assessing the materiality of an outsourcing arrangement, an FRE must take into account the impact that multiple outsourcing arrangements with a single service provider may have, in the aggregate, on the FRE. OSFI expects the FRE to consider the relevant risk management expectations set out under its risk management program — to the extent feasible and reasonable in the circumstances.
Physical location. The revised Guideline clarifies that the outsourcing agreement is expected to detail the physical location of the performance of the services when setting out "where" the service provider will provide the service.
Due diligence process upon amendment. Under the existing Guideline, FREs were only required to undertake a due diligence process assessing the risks associated with the outsourcing arrangement in selecting a service provider or renewing a contract or outsourcing agreement. With the proposed amendments, FREs will be expected to undertake this process any time such an agreement is substantially amended.
Business continuity plans and contingency planning. First, the business continuity plan required to be included in any material outsourcing arrangement between an FRE and another entity of the same group must be appropriate. The Guideline does not provide any guidance as to what this new qualification entails.
Second, the measures to be taken by the service provider for ensuring continuation of the outsourced business activity must anticipate not only problems affecting the service provider’s operation but also events, including reasonably foreseeable events.
Finally, in addition to notifying the FRE of the regular tests performed on its business recovery system, the service provider has the obligation to address any material deficiencies. The FRE is expected to provide a summary of the test results to OSFI upon reasonable notice.
OSFI audit rights. The FRE will receive a notice from OSFI if OSFI chooses to exercise its audit rights as set out in the Guideline. In addition, OSFI must share its findings with the FRE where appropriate.
Monitoring of service providers. As part of an FRE’s annual review of the service provider to ascertain its ability to continue to deliver the service in the manner expected (which review must now be commensurate with the level of risk involved), an FRE must now also assess the use and performance of significant subcontractors.
McCarthy Tétrault Notes:
OSFI takes the position that no substantive changes are being made to the Guideline, and therefore it is not suggesting a new transition period. However, some of the proposed changes may require amendments to existing outsourcing agreements, particularly regarding the physical locations from which services will be provided, as well as business continuity plans and contingency planning. These amendments may impose additional obligations on the service provider. At the same time, amending the outsourcing agreement to address the Guideline changes should presumably not be considered a substantial amendment that would trigger the new due diligence obligations in the draft Guideline.