OSFI response to draft guideline B-10 consultation feedback – Third-party Risk Management

Today, the Office of the Superintendent of Financial Institutions (OSFI) publishes its final revised Guideline B-10: Third-Party Risk Management which sets out enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs). A non-attributed summary of comments received and OSFI’s responses are available.

The financial industry has long made use of third-party arrangements to introduce efficiency, drive innovation, manage shifting operational needs, and improve service. Increasingly, FRFIs are relying on an expanded third-party ecosystem to deliver more of their critical activities. This increases the likelihood that these arrangements could impact a FRFI’s operational and financial resilience.

Guideline B-10 applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches, which are covered by Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis. OSFI is currently reviewing Guideline E-4 and expects to issue clarifications later this year aimed at ensuring risks related to Canadian operations are appropriately managed within the domestic legal and regulatory frameworks.

Guideline B-10:

• Addresses a comprehensive set of third-party risks within an expanded third-party ecosystem, placing emphasis on governance and risk management programs and setting outcomes-focused, principles-based expectations for FRFIs on the sound management of third-party risk.
• Reflects a principles-based approach with increased emphasis on a risk-based approach to managing third-party arrangements, reflecting the expectation FRFIs to understand a broad scope of third-party arrangements but apply the Guideline in a manner that is proportionate to the level of risk and criticality of each arrangement and to the size, nature, scope, complexity, and risk profile of the FRFI.
• Adopts a pragmatic approach to managing subcontractor and concentration risks, with FRFIs managing subcontractor risk according to the level of risk and criticality of the given third-party arrangement, taking reasonable steps to manage concentration risks related to their own third-party arrangements, and assessing systemic concentration risk to the greatest extent possible.
• Does not impede the development of a federal framework for consumer-directed data mobility within the financial sector. Once the framework is designed, OSFI may provide relevant guidance as appropriate.
• Provides adequate implementation time to self-assess and build adherence by an effective date of May 1, 2024, with the expectation that third-party arrangements commencing on or after the effective date adhere to the guideline and those entered into prior are being reviewed and updated at the earliest opportunity so that they adhere to the guideline by its effective date or as soon as possible thereafter.

Information session

OSFI will hold an information session for members of industry on May 18, 2023 from 1 p.m. to 2:30 p.m. ET. To register visit: Information session B-10 before May 17 at noon.