OSFI Announces New Guidelines to Manage Third Party Risks
The Office of the Superintendent of Financial Institutions (OSFI) has released its Guideline B-10 – Third-Party Risk Management (“Guideline”) for all federally regulated financial institutions (FRFIs), excluding foreign bank branches and foreign insurance company branches. The Guideline sets out OSFI’s third-party risk management expectations for FRFIs and places emphasis on governance and risk management programs. The measures are intended to enable FRFIs to manage and oversee third-party relationships effectively.
Background
Since 2001, OSFI has provided guidance on outsourcing activities to FRFIs in its Guideline B-10: Outsourcing of Business Activities, Functions and Processes (revised in 2003 and 2009) (“Previous Guideline”). The Previous Guideline applied only to outsourcing activities and provided guidance on FRFIs’ risk management processes and contractual terms with outsourcers.
In response to novel third-party risks arising from the more complex and expanded third-party ecosystem relied upon by FRFIs, OSFI released the new Guideline, which applies not only to outsourcing arrangements but to all “third-party arrangements”. Third-party arrangements are defined to include any type of business or strategic arrangement entered into by a FRFI with a third party, under a written contract or otherwise (which now includes cloud service providers and technology companies). As a result of this change, a broader range of third-party relationships with FRFIs is subject to OSFI's supervision under the Guideline.
The Guideline sets out an updated list of terms to be addressed in third-party contracts and provides guidance on standardized contracts. Most importantly, the Guideline also replaces the materiality threshold in the Previous Guideline with a risk-based approach.
Key aspects of the Guideline are summarized below.
Highlights of the Guideline
Governance
The Guideline emphasizes an efficient and sound governance practice for third-party arrangements, as FRFIs are accountable for business activities, functions and services outsourced to third parties, and for managing risk arising from third-party arrangements. Accordingly, FRFIs are expected to establish a third-party risk management framework (TPRMF) that sets out clear responsibilities, policies and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties. The Guideline sets out key elements to aid FRFIs in preparing their own TPRMF.
The senior management of FRFIs must ensure they are satisfied that the business activities performed by third parties comply with applicable legislative and regulatory requirements and their TPRMF.
Third-Party Risk Management Program and Mitigation
The Guideline introduces a risk-based approach to FRFIs’ management of risks associated with third-party arrangements, based on the “level of risk” and “criticality” of the service provider. OSFI expects that third-party arrangements with higher levels of risk and criticality will be subjected to more frequent, rigorous and robust assessment.
OSFI expects that under a FRFI’s third-party risk management program:
- risks posed by third parties will be identified and assessed;
- these risks will be managed and mitigated within the FRFI’s risk appetite framework;
- third-party performance will be continually monitored and assessed, and any risks and incidents will be proactively addressed; and
- technology and cyber operations carried out by third parties will be transparent, reliable and secure.
The level of risk and criticality are expected to be assessed on a continuous basis, rather than assessing materiality at the outset of the relationship as was the case under the Previous Guideline. The Guideline sets out various factors that FRFIs can adopt to assist in determining the level of risk and criticality. These include the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, the financial health of the third party, the degree of the FRFI’s reliance on the third party (including substitutability) and other relevant financial and non-financial risks associated with the use of a third party. The Guideline also includes more detailed guidance on subcontracting arrangements.
Agreements with Third-Party Entities
As with the Previous Guideline, FRFIs are expected under the Guideline to document their arrangements with third parties in a written agreement. OSFI also expects FRFIs to include in written agreements for high-risk and critical arrangements the provisions set out in Annex 2 of the Guideline. The third-party agreements are expected to set out each party’s responsibility as it relates to the confidentiality, availability and integrity of records and data.
OSFI recognizes there may be circumstances in which a FRFI cannot negotiate contracts with third parties. In such cases, the FRFI should ensure its third-party risk management program covers the relationship, including mitigation controls and business continuity mechanisms for potential risks. FRFIs should also ensure their third-party risk management program addresses third-party arrangements with no written contract.
OSFI also expects that FRFIs’ third-party arrangements allow them timely access to accurate information to assist in overseeing third-party performance and should include procedures for the third party to report events that may materially affect the risks and delivery of the service. The FRFI should have the right to conduct an independent audit of a third party and ensure that the agreements contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory.
Technology and Cyber Risk in Third-Party Arrangements
The Guideline requires clear roles and responsibilities to be established for technology and cyber controls. In setting these responsibilities, the FRFI should consider the risk and criticality of its arrangement and, where necessary, should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards or recognized industry standards, notably in the areas of access management, and data security and protection.
Recognizing the rise of cloud services, OSFI expects FRFIs to ensure that cloud adoption is implemented strategically. When entering an arrangement with a cloud service provider, OSFI also expects FRFIs to consider cloud portability, the risks associated with portability, and the mitigants available where portability is absent.
For further information about the Guideline, please contact any member of our Financial Services Regulatory Group.