Office of the Superintendent of Financial Institutions
Financial institutions outsource business activities, functions and processes to meet the challenges of technological innovation, increased specialization, cost control, and heightened competition. However, outsourcing can increase an institution's dependence on third parties, which may increase its risk profile. Many financial sector regulators have responded by introducing guidance related to the management of outsourcing risks.
This Guideline sets out OSFI's expectations for federally regulated entities (FREs) that outsource, or contemplate outsourcing, one or more of their business activities to a service provider. These expectations should be considered prudent practices, procedures or standards that should be applied according to the characteristics of the outsourcing arrangement and the circumstances of the FRE.
FREs have the flexibility to configure their operations in the way most suited to achieving their corporate objectives. However, this Guideline operates on the premise that FREs retain ultimate accountability for all outsourced activities. Furthermore, OSFI's supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced, or otherwise obtained from a third party.
Under this Guideline, FREs are expected to:
OSFI's specific expectations may vary, depending on the nature of the outsourcing arrangement being contemplated and the relationship between the FRE and the service provider. As outlined in its Supervisory Framework, OSFI applies a risk-based approach to assessing an FRE's safety and soundness on a consolidated basis. Resources are focused on areas of higher risk and information from other regulators is used as appropriate. For each activity that OSFI identifies as significant (Footnote 2), OSFI assesses the level of risk, including regulatory risk, and considers the impact of risk mitigation by evaluating the quality of risk management. Institutions that are well managed relative to their risks will require less supervision. Therefore, as part of OSFI's risk-focused supervisory process, an institution's policies and procedures for assessing the materiality of outsourcing arrangements and managing the risks associated with outsourcing arrangements may be evaluated against the expectations of this Guideline. In addition, individual outsourcing arrangements may be subject to supervisory review.
For the purposes of this Guideline, an outsourcing arrangement is an agreement between an FRE and a service provider, whereby the service provider performs a business activity, function or process (Footnote 3) that is, or could be, undertaken by the FRE itself. FREs may consult with OSFI when they are uncertain whether a particular arrangement falls within this definition. Examples are provided in Annex 1.
For the purposes of this Guideline, an FRE is defined as:
For the purposes of this Guideline, the FRE group of an entity referred to in any of 3.2.a) to f), includes the FRE and any of the following:
For the purposes of this Guideline, an RFIP group includes:
This Guideline applies to all the outsourcing arrangements of an FRE or an FRE group. In addition, in applying this Guideline, the FRE is expected to consider the impact on the FRE and on its consolidated operations of outsourcing arrangements entered into by all its subsidiaries and business operations, including those located in foreign jurisdictions. OSFI expects the FRE to ensure that its subsidiaries and branches follow this Guideline when entering into material outsourcing arrangements.
All outsourcing arrangements should be subjected to the materiality assessment set out in Section 6 of the Guideline. OSFI recognizes that outsourcing arrangements will exhibit varying degrees of materiality and expects that the robustness of an FRE's management of outsourcing risks would be commensurate with the materiality of the arrangement.
With respect to outsourcing arrangements that are deemed material, the FRE is expected to follow the full risk management program detailed in Section 7. However, reduced expectations may be applied, in a manner consistent with Sections 4.1 and 4.2 respectively, where the material outsourcing arrangement is between an FRE and a member of an FRE Group, or between an FRE and a member of an RFIP Group. FREs may consult with OSFI when they are uncertain how to assess a particular combination of intra-group arrangements.
With respect to outsourcing arrangements that are deemed clearly immaterial, the FRE is not expected to follow the risk management program outlined in this Guideline. An FRE should not outsource certain activities to its external auditor (see Section 4.3).
At a minimum, OSFI expects the following to be addressed when a member of an FRE group enters into a material outsourcing arrangement with another entity that is a member of the same FRE group (Section 3.2.1):
As appropriate, a parent FRE may address these expectations within enterprise-wide processes or plans, so long as any specific risks to each subsidiary are addressed. As well, a parent FRE may establish the program, approve the policies, and develop and maintain the reporting on behalf of its FRE subsidiaries.
Consistent with the risk-based Supervisory Framework, OSFI may have additional expectations for FRE Group arrangements, depending on the risks related to the outsourcing arrangement and the conclusions of OSFI's supervisory review.
At a minimum, OSFI expects the following to be addressed when a Canadian branch or a Canadian subsidiary enters into a material outsourcing arrangement with a member of its RFIP group (Section 3.2.2):
Consistent with the risk-based Supervisory Framework, OSFI may have additional expectations for RFIP Group arrangements, depending on the risks related to the outsourcing arrangement and the conclusions of OSFI's supervisory review.
Prior to obtaining non-audit services from its external auditor, the FRE should assure itself that, for the services to be performed by the external auditor for that particular FRE, its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements.
In addition, the FRE should not outsource the following activities to its external auditor:
An FRE should have appropriate risk management policies and practices that are regularly reviewed. In terms of the specific risks arising from outsourcing, it is expected that, in carrying out this duty, senior management would periodically:
Please refer to OSFI's Corporate Governance Guideline for OSFI's expectations of FRE Boards of Directors in regards to operational, business, risk and crisis management policies.
Operational management is responsible for:
The policies and procedures are expected to include:
1) An outsourcing risk philosophy
The FRE's outsourcing risk philosophy would generally comprise a statement of principles, the basis for decision making, and the parameters for controlling outsourcing risks. Outsourcing risk philosophies will vary between FREs, but should address the following:
2) A materiality assessment for outsourcing arrangements
This assessment is expected to identify both the processes for determining the materiality of individual outsourcing arrangements and the underlying materiality factors such as those set out in Section 6.
3) An outsourcing risk management program that, at a minimum, includes the expectations contained in Section 7 and is applied consistently throughout the FRE, including operations located in foreign jurisdictions. OSFI expects management to pay particular attention to business continuity planning on an enterprise-wide basis.
4) Limits regarding the level of authority that enables the FRE's officers to approve outsourcing arrangements of varying magnitudes, either individually or in aggregate. This system should be consistent with the outsourcing risk philosophy and materiality criteria.
OSFI's expectations of branch management are set out in Guideline E-4 Foreign Entities Operating in Canada on a Branch Basis. OSFI expects branch management to take on the corporate governance role normally assumed by senior management. Branch management remains accountable for the business in Canada, regardless of whether a particular business activity takes place in Canada or has been outsourced.
OSFI expects branch management to ensure that the branch has risk management policies for outsourcing and that the expectations set out in Section 5.2 of this Guideline are met. In particular, branch management would be expected to:
As outlined in Section 4, OSFI recognizes that the outsourcing arrangements undertaken by an FRE will have differing degrees of materiality and may not be readily classified as either material or immaterial. In general, OSFI expects that an FRE will design a risk management program that applies to all its outsourcing arrangements, except those that are clearly immaterial, and that the risk mitigants employed under this program will be appropriate to the particular outsourcing arrangement. As such, the risk management program could be scaled to apply different requirements depending on the type of outsourcing arrangement. Those arrangements deemed material should be subject to the full expectations set out in Section 7, unless it is reasonable to conclude that a particular expectation is not appropriate for the outsourcing arrangement in question. OSFI may review an FRE's materiality assessment on a case-by-case basis as part of the supervisory review process.
The materiality of an outsourcing arrangement will depend on the extent to which it has the potential to have an important influence – whether quantitative or qualitative – on a significant line of business of the consolidated operations of the FRE or the Canadian operations of a foreign branch or subsidiary.
The assessment of the materiality of an outsourcing arrangement is often subjective and depends on the circumstances faced by an individual FRE. Without limiting the scope of the materiality assessment, factors that the FRE should consider include:
Specific questions an FRE might consider in assessing the materiality of outsourcing arrangements are set out in Annex 2.
Outsourcing all or substantially all of a management oversight function should always be considered material, except in circumstances where the FRE receives such services from another member of the FRE Group. For the purpose of this Guideline, management oversight functions include:
For example, a material arrangement could relate to the outsourcing of a significant part of the FRE's information technology function, investment management, or loan processing. Arrangements that likely do not represent material outsourcing include those where there are numerous similar providers in the marketplace and the cost and inconvenience of switching between providers is low.
Significant changes in the volume or the nature of business conducted should cause the FRE to reassess an outsourcing arrangement's materiality. In cases where an arrangement is reassessed as material, it should come into compliance with all aspects of this Guideline at the first opportunity, such as when the outsourcing contract, agreement or statement of work (where applicable) is substantively amended, renewed or extended.
In general, OSFI expects that an FRE will design a risk management program that applies to all outsourcing arrangements of the FRE group, except those that are clearly immaterial, and that the risk mitigants employed will be commensurate with the FRE's assessment of the risks associated with the particular outsourcing arrangement.
OSFI expects an FRE to conduct an internal due diligence to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the FRE's activities, and how the activity is managed.
In selecting a service provider, or substantially amending or renewing a contract or outsourcing agreement, FREs are expected to undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement, and addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors (see Annex 3 for a list of factors that could be included when performing due diligence of a service provider). When out-of-Canada outsourcing is being contemplated, the FRE should pay particular attention to the legal requirements of that jurisdiction, as well as the potential foreign political, economic and social conditions, and events that may conspire to reduce the foreign service provider's ability to provide the service, as well as any additional risk factors that may require adjustment to the risk management program.
Due diligence processes will vary depending on the FRE and on the nature of the outsourcing arrangement being contemplated. For example, in the case of renewals where no material change has occurred that would affect the viability of the outsourcing relationship, it may be appropriate to conduct more streamlined due diligence. If the service provider is a member of an RFIP Group, a streamlined due diligence process may be followed that addresses the qualitative aspects of the arrangement, particularly those pertaining to the unique operational (e.g., Canadian) requirements of the FRE.
The FRE may rely on a due diligence review of the service provider that has been performed by an affiliate or home office within the previous 15 months, provided the review addresses the above-noted requirements as well as the risks particular to the FRE.
OSFI expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement and has been reviewed by the FRE's legal counsel. Some of the items identified below may not be applicable in all circumstances; however, FREs are expected to address all issues relevant to managing the risks associated with each outsourcing arrangement to the extent feasible and reasonable given the circumstances, and having regard to the interests of the FRE. FRE and RFIP intra-group outsourcing arrangements can be documented by an outsourcing agreement that meets the expectations set out in Sections 4.1 and 4.2 respectively.
The contract or outsourcing agreement is expected to specify the scope of the relationship, which may include provisions that address the frequency, content and format of the service being provided. The contract or outsourcing agreement is expected to detail the physical location where the service provider will provide the service.
Performance measures should be established that allow each party to determine whether the commitments contained in the contract are being fulfilled.
The contract or outsourcing agreement is expected to specify the type and frequency of information the FRE receives from the service provider. This would include reports that allow the FRE to assess whether the performance measures are being met and any other information required for the FRE's monitoring program (see Section 7.3). In addition, the contract or outsourcing agreement is expected to include procedures and requirements for the service provider to report events to the FRE that may have the potential to materially affect the delivery of the service.
OSFI expects the contract or outsourcing agreement to incorporate a protocol for resolving disputes. The contract or outsourcing agreement should specify whether the service provider must continue providing the service during a dispute and the resolution period, as well as the jurisdiction and rules under which the dispute will be settled.
The contract or outsourcing agreement is expected to specify what constitutes a default, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. The FRE is expected to ensure that it can reasonably continue to process information and sustain operations in the event that the outsourcing arrangement is terminated or the service provider is unable to supply the service. Appropriate notice should be required for termination of service and the FRE's assets should be returned in a timely fashion. In particular, data and records relating to data processing outsourcing arrangements should be returned to the FRE in a format that would allow the FRE to sustain business operations without prohibitive expense.
The contract or outsourcing agreement should not contain wording that precludes the service from being continued in situations where the Superintendent takes control of the FRE, or where the FRE is in liquidation.
Identification and ownership of all assets (intellectual and physical) related to the outsourcing arrangement should be clearly established, including assets generated or purchased pursuant to the outsourcing arrangement. The contract or outsourcing agreement should state whether and how the service provider has the right to use the FRE's assets (e.g., data, hardware and software, system documentation or intellectual property) and the FRE's right of access to those assets.
The contract or outsourcing agreement should outline the service provider's measures for ensuring the continuation of the outsourced business activity in the event of problems and events that may affect the service provider's operation, including systems breakdown and natural disaster, and other reasonably foreseeable events. The FRE should ensure that the service provider regularly tests its business recovery system as it pertains to the outsourced activity, notifies the FRE of the test results, and addresses any material deficiencies. The FRE is expected to provide a summary of the test results to OSFI upon reasonable notice. In addition, the FRE should be notified in the event that the service provider makes significant changes to its business resumption and contingency plans, or encounters other circumstances that might have a serious impact on the service.
The contract or outsourcing agreement is expected to clearly stipulate the audit requirements and rights of both the service provider and the FRE. At a minimum, it should give the FRE the right to evaluate the service provided or, alternatively, to cause an independent auditor to evaluate, on its behalf, the service provided. This includes a review of the service provider's internal control environment as it relates to the service being provided (Footnote 8).
In addition, in all situations, irrespective of whether an activity is conducted in-house, outsourced, or otherwise obtained from a third party, OSFI retains its supervisory powers (Footnote 9). Accordingly, an undertaking from the service provider or a provision in the outsourcing contract should give OSFI or the Superintendent's representative the right to:
OSFI would provide the FRE with reasonable notice of its intent to exercise its audit rights and would share its findings with the FRE where appropriate. In the normal course, OSFI would seek to obtain information it requires through the FRE itself.
The contract or outsourcing agreement is expected to set out any rules or limitations to subcontracting by the service provider. In particular, security and confidentiality standards should apply to subcontracting or outsourcing arrangements by the primary service provider. Consistent with the principles of this Guideline, the audit and inspection rights of the FRE and OSFI should continue to apply to all significant subcontracting arrangements.
At a minimum, the contract or outsourcing agreement is expected to set out the FRE's requirements for confidentiality and security. Ideally, the security and confidentiality policies adopted by the service provider would be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. The contract or outsourcing agreement should address which party has responsibility for protection mechanisms, the scope of the information to be protected, the powers of each party to change security procedures and requirements, which party may be liable for any losses that might result from a security breach, and notification requirements if there is a breach of security.
OSFI expects appropriate security and data confidentiality protections to be in place. The service provider is expected to be able to logically isolate the FRE's data, records, and items in process from those of other clients at all times, including under adverse conditions.
The contract or outsourcing agreement should fully describe the basis for calculating fees and compensation relating to the service being provided.
The service provider should be required to notify the FRE about significant changes in insurance coverage and disclose general terms and conditions of the insurance coverage.
In accordance with the federal financial institutions legislation, certain records (Footnote 10) of entities carrying on business in Canada should be maintained in Canada. In addition, the FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfill its mandate.
An FRE's business continuity plan should address reasonably foreseeable situations (either temporary or permanent) where the service provider fails to continue providing service. The business continuity plan and back-up systems should be commensurate with the risk of a service disruption. In particular, the FRE's business continuity plan should ensure that the FRE has in its possession, or can readily access, all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide all information as may be required by OSFI to meet its mandate, in the event the service provider is unable to provide the service.
When the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE's risk management program should be enhanced to address any additional concerns linked to the economic and political environment, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).
Every FRE engaged in material outsourcing should develop, implement and oversee procedures to monitor and control outsourcing risks in accordance with its outsourcing risk-management policies. The sophistication of the procedures should be commensurate with the size and complexity of the outsourcing arrangement(s) and with the expectations of this Guideline. Management is expected to prepare reports based on the FRE's monitoring and oversight activities. These reports may outline the success of the outsourcing arrangement and the effectiveness of the risk management program and may be reflected in the documentation delivered to the FRE's senior management or branch management. Reports based on the Canadian branch's monitoring and oversight activities should either be prepared or reviewed by branch management.
The FRE should maintain a centralized list of all its material outsourcing arrangements (Footnote 11). A parent FRE may maintain the list on behalf of its subsidiaries. The list should contain information pertaining to the name of the service provider, the country where the service is provided, the expiry or renewal date of the contract or outsourcing agreement and the estimated value (dollar amount) of the contract or outsourcing agreement. A template of a centralized list that an FRE could use is provided in Annex 4. The list should be updated on an ongoing basis and should form part of the documentation delivered to the FRE's senior management or branch management. OSFI should have access to the list at any time upon request.
The FRE should monitor all material outsourcing arrangements to ensure that the service is being delivered in the manner expected and in accordance with the terms of the contract or outsourcing agreement. Monitoring may take the form of regular, formal meetings with the service provider and/or periodic reviews of the outsourcing arrangement’s performance measures. Within a reasonable time, the FRE should advise its OSFI relationship manager about any events that are likely to have a significant negative impact on the delivery of the service.
An FRE should review its material outsourcing arrangements to ensure compliance with its outsourcing risk policies and procedures and with the expectations of this Guideline. Reviews of material outsourcing arrangements should be periodically undertaken by the FRE's internal audit department or another independent review function either internal or external to the FRE, provided it has the appropriate knowledge and skills. The FRE's senior management, or branch management when the FRE is a branch, will always retain overall accountability for the outsourcing arrangement.
Reviews should test the FRE's risk-management activities for outsourcing in order to:
Management should adjust the scope of the review depending on the nature of the outsourcing arrangement.
At least annually, the FRE should review the service provider to ascertain its ability to continue to deliver the service in the manner expected. This review would be commensurate with the level of risk involved and could include an assessment of the service provider's circumstances including its financial strength, prospects (except in cases involving the parent or home office of a Canadian subsidiary or branch), technical competence, and use and performance of significant subcontractors.
The outsourcing domain is diverse and growing. Some examples may include:
This Guideline generally would not apply to the following:
In assessing the materiality of a specific outsourcing arrangement, an FRE may want to consider the following questions, among others:
The due diligence of service providers addressed in Section 7.1 may include, but is not necessarily limited to, examining a service provider in light of these factors:
Footnote 1: As a result of the coming into force of An Act to amend the law governing financial institutions and to provide for related and consequential amendments, S.C. 2007, c. 6
Footnote 2: "Significant" as used by OSFI in "Significant Activities" is defined in the Supervisory Framework. Qualitative and quantitative factors are used to assess the significance of an activity to the achievement of the institution's business objectives and strategies.
Footnote 3: In this Guideline, "activity" refers to activity, function or process.
Footnote 4: This includes the principal office and all of its other offices in Canada.
Footnote 5: This includes the chief agency and all of its other offices in Canada.
Footnote 6: See OSFI Guideline E-15 Appointed Actuary: Legal Requirements, Qualifications and External Review.
Footnote 7: In respect of multiple outsourcing arrangements provided by the same service provider that, albeit individually immaterial, have an important influence, in aggregate, on the FRE, OSFI expects the FRE to consider the relevant risk management expectations set out under Section 7 to the extent feasible and reasonable given the circumstances.
Footnote 8: A CICA 5970 report (Auditor's Report on Controls at a Service Organization) or equivalent may be sufficient. Note that a CICA 5970 report focuses on financial reporting controls and does not intend to provide an audit of operations and other controls (such as business continuity planning).
Footnote 9: Under the federal financial institutions legislation, OSFI has a right to access any records of the FRE; Sections 613, 614, 643, 644, 957 and 958 of the Bank Act; Sections 674, 675, 1000 and 1001 of the Insurance Companies Act; Sections 505 and 506 of the Trust and Loan Companies Act; Sections 437 and 438 of the Cooperative Credit Associations Act.
Footnote 10: Sections 238, 239 and 597 of the Bank Act; Sections 243 and 244 of the Trust and Loan Companies Act; Sections 261, 262 and 647 of the Insurance Companies Act; Sections 235 and 236 of the Cooperative Credit Associations Act.
Footnote 11: In the case of a Canadian branch of a foreign bank or foreign company, the list should contain information pertaining to its Canadian operations. In the case of any other FRE, the list should contain information pertaining to the Canadian operations and foreign operations of that FRE and of its subsidiaries.
Footnote 12: The onus is on the FRE to ensure that it obtains the relevant information to assess a service provider's financial strength. However, OSFI recognizes that the service provider is required to comply with other legislation (such as securities legislation) and might not be in a position to share certain information with the FRE.