OSFI Announces New Guidelines to Manage Third Party Risks
The Office of the Superintendent of Financial Institutions (OSFI) has released its Guideline B-10 – Third-Party Risk Management (“Guideline”) for all federally regulated financial institutions (FRFIs), excluding foreign bank branches and foreign insurance company branches. The Guideline sets out OSFI’s third-party risk management expectations for FRFIs and places emphasis on governance and risk management programs. The measures are intended to enable FRFIs to manage and oversee third-party relationships effectively.
Background
Since 2001, OSFI has provided guidance on outsourcing activities to FRFIs in its Guideline B-10: Outsourcing of Business Activities, Functions and Processes (revised in 2003 and 2009) (“Previous Guideline”). The Previous Guideline only applied to outsourcing activities and provided guidance for FRFI’s risk management processes and contractual terms with outsourcers.
In response to novel third-party risks arising from a more complex and expanded third-party ecosystem relied upon by FRFIs, OSFI released the new Guideline that applies not only to outsourcing arrangements but to all “third-party arrangements”. Third-party arrangements are defined to include any type of business or strategic arrangement entered into by a FRFI with a third party under a written contract or otherwise (which now includes cloud service providers and technology companies). As a result of this modification, more third-party relationships with FRFIs would be subject to OSFI's supervision under the Guideline.
The Guideline sets out an updated list of terms to be addressed in third-party contracts and provides guidance on standardized contracts. Most importantly, the Guideline also replaces the materiality threshold in the Previous Guideline with a risk-based approach.
Key aspects of the Guideline are summarized below.
Highlights of the Guideline
Governance
The Guideline emphasizes an efficient and sound governance practice for third-party arrangements, as FRFIs are accountable for business activities, functions and services outsourced to third parties, and for managing risk arising from third-party arrangements. Accordingly, FRFIs are expected to establish a third-party risk management framework (TPRMF) that sets out clear responsibilities, policies and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties. The Guideline sets out key elements to aid FRFIs in preparing their own TPRMF.
The senior management of FRFIs must ensure they are satisfied that the business activities performed by third parties comply with applicable legislative and regulatory requirements and their TPRMF.
Third-Party Risk Management Program and Mitigation
The Guideline introduces a risk-based approach to FRFI’s management of risks associated with third-party arrangements based on the “level of risk” and “criticality” of the service provider. OSFI expects that third-party arrangements with higher levels of risk and criticality should be subjected to more frequent, rigorous and robust assessment.
OSFI expects that under a FRFI’s third-party risk management program:
- risks posed by third parties will be identified and assessed;
- these risks will be managed and mitigated within the FRFI’s risk appetite framework;
- third party performance will be continually monitored and assessed, and any risks and incidents will be proactively addressed; and
- technology and cyber operations carried out by third parties are transparent, reliable and secure.
The level of risk and criticality are expected to be assessed on a continuous basis, as opposed to an emphasis on assessing the materiality at the outset of the relationship as was the case in the Previous Guideline. The Guideline sets out various factors that can be adopted by FRFIs to assist in determining the level of risk and criticality. These include the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, financial health of the third party, the degree of the FRFI’s reliance on the third party (including substitutability) and other relevant financial and non-financial risks associated with the use of a third party. The Guideline also includes more detailed guidance on subcontracting arrangements.
Agreements with Third-Party Entities
As with the Previous Guideline, FRFIs are expected under the Guideline to document their arrangements with third parties in a written agreement. OSFI also expects FRFIs to include in written agreements for high-risk and critical arrangements the provisions set out in Annex 2 of the Guideline. The third-party agreements are expected to set out each party’s responsibility as it relates to the confidentiality, availability and integrity of records and data.
OSFI recognizes there may be circumstances in which a FRFI cannot negotiate contracts with third parties. In such cases, the FRFI should ensure its third-party risk management program covers the relationship, including mitigation controls and business continuity mechanisms for potential risks. FRFIs should also ensure their third-party risk management program addresses third-party arrangements with no written contract.
OSFI also expects that FRFIs’ third-party arrangements allow them timely access to accurate information to assist in overseeing third-party performance and should include procedures for the third party to report events that may materially affect the risks and delivery of the service. The FRFI should have the right to conduct an independent audit of a third party and ensure that the agreements contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory.
Technology And Cyber Risk In Third-Party Arrangements
The Guideline requires clear roles and responsibilities to be established for technology and cyber controls. In setting these responsibilities, the FRFI should consider the risk and criticality of its arrangement and, where necessary, should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards or recognized industry standards, notably in the areas of access management, and data security and protection.
Recognizing the rise of cloud services, OSFI expects FRFIs to ensure that cloud adoption is implemented strategically and also expects FRFIs to consider cloud portability when entering an arrangement with a cloud service provider as well as the risks of portability and mitigants in the absence of portability.
For further information about the Guideline, please contact any member of our Financial Services Regulatory Group.
Authors
Insights
-
Financial Services Regulatory
Anti-Money Laundering Obligations for Factors, Cheque Cashers, and Financing/Leasing Entities; Declaration and Record Keeping Requirements for Traders
Recent amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “PCMLTFA”) introduce anti-money laundering compliance obligations for factors, cheque… -
Banking and Financial Services
Canadian Securities Regulators Publish Temporary Exemptions For Derivatives Data Reporting Requirements
On February 20, 2025, the Canadian Securities Administrators (CSA) introduced temporary exemptions from certain derivative data reporting requirements relating to unique product identifiers for… -
Banking and Financial Services
Practical Law The Journal - Canadian Interest Rate Transition from CDOR to CORRA
The article, “Canadian Interest Rate Transition from CDOR to CORRA” authored by Michael Bertrand, has been republished in Practical Law The Journal, December 2024 Year in Review Issue.The article… -
Financial Services Regulatory
FINTRAC Advisory Concerning Financial Transactions Related to High-Risk Countries Identified by the FATF
On November 18, 2024, the Financial Transactions and Reports Analysis Centre (FINTRAC) issued an updated advisory (the “Advisory”) concerning financial transactions related to countries identified by… -
Acquisition Finance
In-Depth: Acquisition and Leveraged Finance - Edition 11 - Canada
David Nadler, David Wiseman, Dan Dedic, Caroline Descours, Cathy Costa-Faria, Chris Baxter and Zhiyao Chen have co-authored the Canada Chapter in Lexology's In-Depth: Acquisition and… -
Banking and Financial Services
Canadian Securities Regulators Publish Temporary Exemptions For Derivatives Data Reporting Requirements
On October 31, 2024, the Canadian Securities Administrators (CSA) introduced temporary relief from certain derivative data reporting requirements under the Trade Reporting Rules identified…
Featured Work
-
Restructuring
Endo International plc completes global restructuring
Goodmans LLP acted as Canadian legal counsel to the Endo Group (or the “Company”) in connection with its restructuring initiatives, transaction matters, negotiated resolutions with Canadian… -
Restructuring
Xplore completes CBCA recapitalization and restructures satellite business through RVO
Goodmans LLP acted as Canadian legal counsel to Xplore Inc. in connection with its recapitalization, restructuring, financing, regulatory, governance and business initiatives, including its review of… -
Restructuring
Tacora Resources Inc.’s CCAA restructuring
Goodmans LLP acted as counsel to Cargill, Incorporated and Cargill International Trading Pte Ltd. (collectively “Cargill”), in connection with the restructuring proceedings of Tacora Resources Inc… -
Mergers and Acquisitions
Andlauer Healthcare Group to be acquired by UPS
Goodmans LLP is acting for Andlauer Healthcare Group (“AHG”) in connection with a definitive arrangement agreement with affiliates of UPS under which UPS has agreed to acquire AHG via an all-cash… -
Aging and Health Care
Welltower winds down joint venture with Chartwell
Goodmans LLP acted for Welltower Inc. in connection to the winding down of its 11-year joint venture with Mississauga-based Chartwell Retirement Residences, which has seen them partner on the… -
Capital Markets
Northwest Healthcare Properties Real Estate Investment Trust announces inaugural unsecured debentures offering
Goodmans LLP advised Northwest Healthcare Properties REIT in connection with a private placement offering of $500 million aggregate principal amount of senior unsecured debentures of the REIT in two…
News & Events
-
Banking and Financial Services
Goodmans Lawyers Once Again Recognized in the Lexpert Special Editions: Finance 2025 and Mergers and Acquisitions 2025
We are proud to announce the Lexpert Special Editions: Finance 2025 and Mergers and Acquisitions 2025 once again feature Goodmans lawyers among Canada's experts.Congratulations to… -
Banking and Financial Services
Francesca Guolo at the IIAC’s Short Sales: Meeting a Reasonable Expectation to Settle Webinar
On March 24th, Goodmans partner Francesca Guolo spoke at the webinar, “Short Sales: Meeting a Reasonable Expectation to Settle” held by the Investment Industry Association of Canada. The webinar… -
Aging and Health Care
The Canadian Legal Lexpert Directory 2025 Once Again Recognizes Goodmans
We are proud to announce Goodmans LLP continues to be recognized in the 2025 edition of The Canadian Legal Lexpert Directory.Congratulations to the 96 Goodmans lawyers recognized as leaders across…