OSFI Announces New Guidelines to Manage Third Party Risks
The Office of the Superintendent of Financial Institutions (OSFI) has released its Guideline B-10 – Third-Party Risk Management (“Guideline”) for all federally regulated financial institutions (FRFIs), excluding foreign bank branches and foreign insurance company branches. The Guideline sets out OSFI’s third-party risk management expectations for FRFIs and places emphasis on governance and risk management programs. The measures are intended to enable FRFIs to manage and oversee third-party relationships effectively.
Background
Since 2001, OSFI has provided guidance on outsourcing activities to FRFIs in its Guideline B-10: Outsourcing of Business Activities, Functions and Processes (revised in 2003 and 2009) (“Previous Guideline”). The Previous Guideline only applied to outsourcing activities and provided guidance for FRFI’s risk management processes and contractual terms with outsourcers.
In response to novel third-party risks arising from a more complex and expanded third-party ecosystem relied upon by FRFIs, OSFI released the new Guideline that applies not only to outsourcing arrangements but to all “third-party arrangements”. Third-party arrangements are defined to include any type of business or strategic arrangement entered into by a FRFI with a third party under a written contract or otherwise (which now includes cloud service providers and technology companies). As a result of this modification, more third-party relationships with FRFIs would be subject to OSFI's supervision under the Guideline.
The Guideline sets out an updated list of terms to be addressed in third-party contracts and provides guidance on standardized contracts. Most importantly, the Guideline also replaces the materiality threshold in the Previous Guideline with a risk-based approach.
Key aspects of the Guideline are summarized below.
Highlights of the Guideline
Governance
The Guideline emphasizes an efficient and sound governance practice for third-party arrangements, as FRFIs are accountable for business activities, functions and services outsourced to third parties, and for managing risk arising from third-party arrangements. Accordingly, FRFIs are expected to establish a third-party risk management framework (TPRMF) that sets out clear responsibilities, policies and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties. The Guideline sets out key elements to aid FRFIs in preparing their own TPRMF.
The senior management of FRFIs must ensure they are satisfied that the business activities performed by third parties comply with applicable legislative and regulatory requirements and their TPRMF.
Third-Party Risk Management Program and Mitigation
The Guideline introduces a risk-based approach to FRFI’s management of risks associated with third-party arrangements based on the “level of risk” and “criticality” of the service provider. OSFI expects that third-party arrangements with higher levels of risk and criticality should be subjected to more frequent, rigorous and robust assessment.
OSFI expects that under a FRFI’s third-party risk management program:
- risks posed by third parties will be identified and assessed;
- these risks will be managed and mitigated within the FRFI’s risk appetite framework;
- third party performance will be continually monitored and assessed, and any risks and incidents will be proactively addressed; and
- technology and cyber operations carried out by third parties are transparent, reliable and secure.
The level of risk and criticality are expected to be assessed on a continuous basis, as opposed to an emphasis on assessing the materiality at the outset of the relationship as was the case in the Previous Guideline. The Guideline sets out various factors that can be adopted by FRFIs to assist in determining the level of risk and criticality. These include the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, financial health of the third party, the degree of the FRFI’s reliance on the third party (including substitutability) and other relevant financial and non-financial risks associated with the use of a third party. The Guideline also includes more detailed guidance on subcontracting arrangements.
Agreements with Third-Party Entities
As with the Previous Guideline, FRFIs are expected under the Guideline to document their arrangements with third parties in a written agreement. OSFI also expects FRFIs to include in written agreements for high-risk and critical arrangements the provisions set out in Annex 2 of the Guideline. The third-party agreements are expected to set out each party’s responsibility as it relates to the confidentiality, availability and integrity of records and data.
OSFI recognizes there may be circumstances in which a FRFI cannot negotiate contracts with third parties. In such cases, the FRFI should ensure its third-party risk management program covers the relationship, including mitigation controls and business continuity mechanisms for potential risks. FRFIs should also ensure their third-party risk management program addresses third-party arrangements with no written contract.
OSFI also expects that FRFIs’ third-party arrangements allow them timely access to accurate information to assist in overseeing third-party performance and should include procedures for the third party to report events that may materially affect the risks and delivery of the service. The FRFI should have the right to conduct an independent audit of a third party and ensure that the agreements contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory.
Technology And Cyber Risk In Third-Party Arrangements
The Guideline requires clear roles and responsibilities to be established for technology and cyber controls. In setting these responsibilities, the FRFI should consider the risk and criticality of its arrangement and, where necessary, should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards or recognized industry standards, notably in the areas of access management, and data security and protection.
Recognizing the rise of cloud services, OSFI expects FRFIs to ensure that cloud adoption is implemented strategically and also expects FRFIs to consider cloud portability when entering an arrangement with a cloud service provider as well as the risks of portability and mitigants in the absence of portability.
For further information about the Guideline, please contact any member of our Financial Services Regulatory Group.
Authors
Insights
-
Banking and Financial Services
OSFI Announces New Guidelines to Manage Third Party Risks
The Office of the Superintendent of Financial Institutions (OSFI) has released its Guideline B-10 – Third-Party Risk Management (“Guideline”) for all federally regulated financial institutions… -
Employment, Pensions and Executive Compensation
Bill C-228: The Pension Protection Act – It’s Time to Prepare
Bill C-228, An Act to amend the Bankruptcy and Insolvency Act, the Companies’ Creditors Arrangement Act and the Pension Benefits Standards Act, 1985, or the Pension Protection Act (PPA) in short… -
Financial Services Regulatory
Budget 2023 Announces Measures to Combat Financial Crime
In Budget 2023, which was tabled in the House of Commons on March 28, the Government of Canada announced its intentions to bolster measures to deter, detect, and prosecute financial crimes, protect… -
Financial Services Regulatory
FINTRAC Advisory Concerning Financial Transactions Related to High-Risk Countries Identified by FATF
On March 20, 2023, the Financial Transactions and Reports Analysis Centre (FINTRAC) issued an advisory (the “Advisory”) concerning financial transactions related to countries identified by the… -
Technology
U.S. District Court Finds NBA Top Shot Moments may be Subject to U.S. Securities Laws
On May 12, 2021, a class action law suit was filed against Dapper Labs, Inc. in the U.S. District Court for the Southern District of New York (the “Court”) alleging that Dapper Labs violated U.S… -
Technology
Canadian Securities Administrators Announce Enhanced Pre-Registration Undertaking Requirements for Crypto Trading Platforms
Further to its December 12, 2022 announcement, the Canadian Securities Administrators (CSA) published Staff Notice 21-332 – Crypto Asset Trading Platforms: Pre-Registration Undertakings (“SN…
Featured Work
-
Mergers and Acquisitions
Classic Fire + Life Safety expands in Western Canada
Goodmans LLP advised Classic Fire + Life Safety, a McCain Capital Partners portfolio company, in its expansion into Western Canada through the acquisitions of Legacy Fire Protection, Photon Electric… -
Restructuring
Stoneway Capital Corporation’s CBCA Proceedings
Goodmans LLP acted as co-counsel to the Term Loan Lenders to Stoneway Capital Corporation in its proceedings before the Ontario Superior Court of Justice (Commercial List) to implement a pre-arranged… -
Mining
Hudbay Minerals to buy Copper Mountain Mining
Goodmans LLP is acting for Hudbay Minerals Inc. in its announcement to acquire all of the issued and outstanding common shares of Copper Mountain Mining Corp. for US$439 million, pursuant to a court… -
Mergers and Acquisitions
Gamut Capital Management to Acquire Extreme Reach
Goodmans LLP is acting for Gamut Capital Management, L.P. (“Gamut”), a leading New York-based middle market private equity firm, in its definitive agreement to acquire Extreme Reach, Inc. (“Extreme… -
Restructuring
Sherritt International Corporation Completes $90 Million Notes Purchase Transaction
Goodmans LLP represented Sherritt International Corporation in its $90 Million Notes Purchase Transaction Pursuant to Oversubscribed Offers… -
Banking and Financial Services
Argonaut Gold Inc. Announces Successful Completion of Magino Financing Package
Goodmans LLP represented Macquarie Bank Limited and a syndicate of lenders in connection with a financing provided to Argonaut Gold Inc. ("Argonaut…
News & Events
-
Banking and Financial Services
Goodmans Partners Recognized in the Lexpert Special Edition: Finance and M&A 2023
We are delighted to announce the Lexpert Special Edition: Finance and M&A 2023 once again features Goodmans partners among Canada's experts.Congratulations to our 29 featured partners:Alan… -
- 06:30 PM Financial Services Regulatory
Francesca Guolo at Joint Staff Notice 23-329 on Short Selling in Canada
On the 8th of December 2022, The Canadian Securities Administrators (CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) published a Joint Staff Notice 23-329 on Short Selling… -
Banking and Financial Services
The Canadian Legal Lexpert Directory 2023 Continues to Recognize Goodmans
We are proud to announce we have once again been recognized in The Canadian Legal Lexpert Directory 2023.85 Goodmans lawyers have been recognized as top-tier in their fields and leaders across…