Document Properties
- Type of publication: Guideline
- Category: Sound Business and Financial Practices
- Date: May 2001
- Revised: December 2003
- Revised: March 2009
- No: B-10
- Audiences: Banks / FBB / Co-op / Life / P&C / T&L
Introduction
Financial institutions outsource business activities, functions
and processes to meet the challenges of technological innovation,
increased specialization, cost control, and heightened competition.
However, outsourcing can increase an institution’s dependence on
third parties, which may increase its risk profile. Many financial
sector regulators have responded by introducing guidance related
to the management of outsourcing risks.
This Guideline sets out OSFI’s expectations for federally regulated
entities (FREs) that outsource, or contemplate outsourcing, one
or more of their business activities to a service provider. These
expectations should be considered prudent practices, procedures
or standards that should be applied according to the characteristics
of the outsourcing arrangement and the circumstances of the FRE.
FREs have the flexibility to configure their operations in the
way most suited to achieving their corporate objectives. However,
this Guideline operates on the premise that FREs retain
ultimate accountability for all outsourced activities.
Furthermore, OSFI’s supervisory powers should not be constrained,
irrespective of whether an activity is conducted in-house, outsourced,
or otherwise obtained from a third party.
Under this Guideline, FREs are expected to:
- evaluate the risks associated with all existing and proposed
outsourcing arrangements;
- develop a process for determining the materiality of arrangements;
- implement a program for managing and monitoring risks, commensurate
with the materiality of the arrangements;
- ensure that senior management, chief agent or principal officer receives information sufficient to enable them to discharge their duties under this Guideline; and
- refrain from outsourcing certain business activities to the
external auditor (see Section 4.3).
OSFI’s specific expectations may vary, depending on the nature
of the outsourcing arrangement being contemplated and the relationship
between the FRE and the service provider. As outlined in its Supervisory Framework, OSFI
applies a risk-based approach to assessing an FRE’s safety and soundness
on a consolidated basis. Resources are focused on areas of higher
risk and information from other regulators is used as appropriate.
For each activity that OSFI identifies as significant,
OSFI assesses the level of risk, including regulatory risk, and
considers the impact of risk mitigation by evaluating the quality
of risk management. Institutions that are well managed relative
to their risks will require less supervision. Therefore, as part
of OSFI’s risk-focused supervisory process, an institution’s policies
and procedures for assessing the materiality of outsourcing arrangements
and managing the risks associated with outsourcing arrangements,
may be evaluated against the expectations of this Guideline. In
addition, individual outsourcing arrangements may be subject to
supervisory review.
2. Transition Period
- All arrangements signed on or after December 15, 2004, are
expected to comply with all applicable Sections of the Guideline.
- All arrangements entered into prior to December 15, 2004 are
expected to comply with the following Sections at the first opportunity,
such as the time the outsourcing contract, agreement or statement
of work (where applicable) is substantially amended, renewed or
extended:
  - Section 7.1 (Due Diligence Process),
  - Section 7.2.1 (Contract for Services),
  - Section 7.3.2 (Monitoring the Outsourcing Arrangement), and
  - Section 7.3.3 (Monitoring the Service Provider)
- All arrangements entered into prior to December 15, 2004 are
expected to comply with all other applicable Sections of the Guideline.
- Outsourcing arrangements that an FRE has obtained as a result
of an acquisition are expected to comply with the expectations
set out in the Guideline at the first opportunity, such as the
time the outsourcing contract, agreement or statement of work
(where applicable) is substantially amended, renewed or extended.
3. Definitions
3.1 Outsourcing Arrangement
For the purposes of this Guideline, an outsourcing arrangement
is an agreement between an FRE and a service provider, whereby the
service provider performs a business activity, function or process that is, or
could be, undertaken by the FRE itself. FREs may consult with OSFI
when they are uncertain whether a particular arrangement falls within
this definition. Examples are provided in Annex 1.
3.2 Federally Regulated Entity (FRE)
For the purposes of this Guideline, an FRE is defined as:
a) a bank (listed in Schedule I or II) to which the Bank Act applies;
b) a body corporate to which the Trust and Loan Companies
Act applies;
c) an association to which the Cooperative Credit Associations
Act applies or a central cooperative credit society for which
an order has been made under subsection 473(1) of that Act;
d) an insurance company or a fraternal benefit society incorporated,
formed, or continued under the Insurance Companies Act;
e) a bank holding company incorporated, formed or continued under
Part XV of the Bank Act;
f) an insurance holding company incorporated, formed or continued
under Part XVII of the Insurance Companies Act;
g) the Canadian branch of a foreign bank in respect of which an
order under subsection 524(1) of the Bank Act has been
made;
h) the Canadian branch of a foreign company in respect of which
an order under subsection 574(1) of the Insurance Companies
Act has been made.
3.2.1 FRE Group
For the purposes of this Guideline, the FRE group of an entity
referred to in any of 3.2 a) to f), includes the FRE and any of
the following:
a) the entity that controls the FRE if that entity is also an
FRE;
b) a subsidiary of the FRE; and
c) a subsidiary of the entity referred to in a).
3.2.2 Regulated Financial Institution Parent Group (RFIP Group) - Branches or Subsidiaries with a Regulated Foreign or Provincial Parent
For the purposes of this Guideline, an RFIP group includes:
- in respect of an entity referred to in 3.2 g), that Canadian
branch, head office, and any other branches or agencies of the
foreign bank;
- in respect of an entity referred to in 3.2 h), that Canadian branch, head office, and any other branches or agencies of the foreign company; and
- in respect of an entity referred to in 3.2 a) to f), the entity
that controls the FRE if that entity is regulated by a foreign
or provincial financial regulatory body.
4. Application of the Guideline
This Guideline applies to all the outsourcing arrangements of
an FRE or an FRE group. In addition, in applying this Guideline,
the FRE is expected to consider the impact on the FRE and on its
consolidated operations, of outsourcing arrangements entered into
by all its subsidiaries and business operations, including those
located in foreign jurisdictions. OSFI expects the FRE to ensure
that its subsidiaries and branches follow the guideline when entering
into material outsourcing arrangements.
All outsourcing arrangements should be subjected to the materiality
assessment set out in Section 6 of the Guideline. OSFI recognizes
that outsourcing arrangements will exhibit varying degrees of materiality
and expects that the robustness of an FRE’s management of outsourcing
risks would be commensurate with the materiality of the arrangement.
With respect to outsourcing arrangements that are deemed material,
the FRE is expected to follow the full risk management program detailed
in Section 7. However, reduced expectations may be applied, in a
manner consistent with Sections 4.1 and 4.2 respectively, where
the material outsourcing arrangement is between an FRE and a member
of an FRE Group, or between an FRE and a member of an RFIP Group.
FREs may consult with OSFI when they are uncertain how to assess
a particular combination of intra-group arrangements.
With respect to outsourcing arrangements that are deemed clearly
immaterial, the FRE is not expected to follow the risk management
program outlined in this Guideline. An FRE should not outsource
certain activities to its external auditor (see Section 4.3).
4.1 Material FRE Intra-group Outsourcing Arrangements
At a minimum, OSFI expects the following to be addressed when
a member of an FRE group enters into a material outsourcing arrangement
with another entity that is a member of the same FRE group (Section
3.2.1):
- an outsourcing agreement that details, among other things,
the scope of the arrangement, the services to be supplied, the
nature of the relationship between the FRE and the service provider,
and procedures governing the subcontracting of services;
- an appropriate business continuity plan;
- a process for monitoring and oversight; and
- legislative requirements relating to location of records (Section
7.2.2).
As appropriate, a parent FRE may address these expectations within enterprise-wide processes or plans, so long as any specific risks to each subsidiary are addressed. As well, a parent FRE may establish the program, approve the policies, and develop and maintain the reporting on behalf of its FRE subsidiaries.
Consistent with the risk-based Supervisory
Framework, OSFI may have additional expectations for FRE
Group arrangements, depending on the risks related to the outsourcing
arrangement and the conclusions of OSFI’s supervisory review.
4.2 Material RFIP Intra-group Outsourcing Arrangements
At a minimum, OSFI expects the following to be addressed when
a Canadian branch or a Canadian subsidiary enters into a material
outsourcing arrangement with a member of its RFIP group (Section
3.2.2):
- a due diligence process that addresses the qualitative aspects
of the arrangement, particularly those pertaining to the unique
operational requirements of the FRE;
- an outsourcing agreement that details, among other things,
the scope of the arrangement, the services to be supplied, the
nature of the relationship between the FRE and the service provider
(e.g., roles, responsibilities and expectations), and that addresses
the items set out in Section 7.2.1, as appropriate;
- procedures governing the subcontracting of services;
- an appropriate business continuity plan;
- a process for monitoring and oversight; and
- legislative requirements relating to location of records (Section
7.2.2).
Consistent with the risk-based Supervisory
Framework, OSFI may have additional expectations for RFIP
Group arrangements, depending on the risks related to the outsourcing
arrangement and the conclusions of OSFI’s supervisory review.
4.3 Outsourcing Arrangements with the External Auditor
Prior to obtaining non-audit services from its external auditor,
the FRE should assure itself that, for the services to be performed
by the external auditor for that particular FRE, its external auditor
would be in compliance with the relevant auditor independence standards
of the Canadian accounting profession, as well as any other applicable
auditor independence requirements.
In addition, the FRE should not outsource the following activities
to its external auditor:
- Any actuarial service, unless it is reasonable to conclude
that the results of the service will not be subject to audit procedures
during an audit of the FRE's financial statements. For this purpose,
actuarial services relates to the determination of an amount to
be recorded in the financial statements of the FRE or work normally
undertaken by its appointed actuary, and does
not include services that involve assisting the FRE in understanding
the methods, models, assumptions and inputs used, and advising
management on the appropriate actuarial methods and assumptions
that will be used. Consistent with Guideline E-15 (Appointed Actuary:
Legal Requirements, Qualifications and External Review), the FRE
may use an actuary working in the company's external auditor firm
for the external review of the appointed actuary's work and reports.
- Any internal audit service related to the internal accounting
controls, financial systems, or financial statements of the FRE,
unless it is reasonable to conclude that the results of the service
will not be subject to audit procedures during an audit of the
FRE's financial statements. This does not prohibit the external
auditor from providing a non-recurring service to evaluate a discrete
item or program, if the service is not, in substance, the outsourcing
of an internal audit function.
5. Accountability and Control
5.1 FRE Senior Management Responsibilities
An FRE should have appropriate risk management policies and practices that are regularly reviewed. In terms of the specific risks arising from outsourcing, it is expected that, in carrying out this duty, senior management would periodically:
- approve or reaffirm the policies that apply to outsourcing
arrangements (e.g., risk philosophy, materiality criteria, risk
management program and approval limits); and
- review a list of all the FRE’s material outsourcing arrangements
(see Section 7.3.1) and other relevant reports, when appropriate.
Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of FRE Boards of Directors in regards to operational, business, risk and crisis management policies.
5.2 FRE Operational Management Responsibilities
Operational management is responsible for:
- developing outsourcing policies for approval by senior management;
- implementing the policies and any associated procedures;
- periodically reviewing their effectiveness; and
- communicating information pertaining to significant outsourcing risks to senior management in a timely manner.
The policies and procedures are expected to include:
1) An outsourcing risk philosophy
The FRE’s outsourcing risk philosophy would generally comprise
a statement of principles, the basis for decision making, and
the parameters for controlling outsourcing risks. Outsourcing
risk philosophies will vary between FREs, but should address
the following:
- Integration of outsourcing arrangements, both individually
and in aggregate, with overall business and strategic objectives.
This could include an identification of any functions that,
for strategic or internal control reasons, the FRE would not
contemplate outsourcing.
- Importance and adequacy of internal expertise and management
frameworks to oversee and manage the outsourced activity and
the relationship with the service provider.
- Business case for outsourcing a significant business activity.
The business case should consider the short- and long-term
cost implications and all relevant prudential matters. When
the service is being supplied from a foreign jurisdiction,
the FRE should identify the issues that may arise as a result
of the differing and potentially conflicting requirements
among jurisdictions. The business case should also consider
the cumulative impacts of all outsourcing arrangements on
the overall safety and soundness of the FRE.
2) A materiality assessment for outsourcing arrangements
This assessment is expected to identify both the processes
for determining the materiality of individual outsourcing arrangements
and the underlying materiality factors such as those set out
in Section 6.
3) An outsourcing risk management program that, at a minimum,
includes the expectations contained in Section 7 and is applied
consistently throughout the FRE, including operations located
in foreign jurisdictions. OSFI expects management to pay particular
attention to business continuity planning on an enterprise-wide
basis.
4) Limits regarding the level or authority that enables the
FRE’s officers to approve outsourcing arrangements of varying
magnitudes, either individually or in aggregate. This system should
be consistent with the outsourcing risk philosophy and materiality
criteria.
5.3 Responsibilities of the Chief Agent or Principal Officer
OSFI’s expectations of the chief agent or principal officer are
set out in Guideline E-4 (Role
of the Canadian Chief Agent and Record Keeping Requirements). OSFI expects the chief agent or principal officer, and appropriate individuals in the home office with responsibilities related to operations in Canada to take on the corporate governance role normally assumed by senior management. The chief agent or principal officer remains accountable for the business in Canada, regardless of whether a particular business activity takes place in Canada or has been outsourced.
OSFI expects the chief agent or principal officer to ensure that
the branch has risk management policies for outsourcing and that
the expectations set out in Section 5.2 of this Guideline are met.
In particular, the chief agent or principal officer would be expected
to:
- ensure that materiality assessment criteria are developed and
applied;
- ensure that the risk management program is applied; and
- within a reasonable time advise its OSFI lead supervisor manager (either formally or informally) about any events that are likely to have a significant negative impact on the delivery of the service provided for by a material outsourcing arrangement.
6. Materiality Assessment for Outsourcing Arrangements
As outlined in Section 4, OSFI recognizes that the outsourcing
arrangements undertaken by an FRE will have differing degrees of
materiality and may not be readily classified as either material
or immaterial. In general, OSFI expects that an FRE will design
a risk management program that applies to all its outsourcing arrangements,
except those that are clearly immaterial, and that the risk mitigants
employed under this program will be appropriate to the particular
outsourcing arrangement. As such, the risk management program could
be scaled to apply different requirements depending on the type
of outsourcing arrangement. Those arrangements deemed material should
be subject to the full expectations set out in Section 7, unless
it is reasonable to conclude that a particular expectation is not
appropriate for the outsourcing arrangement in question. OSFI may
review an FRE’s materiality assessment on a case-by-case basis as
part of the supervisory review process.
The materiality of an outsourcing arrangement will depend on the
extent to which it has the potential to have an important influence
– whether quantitative or qualitative – on a significant line of
business of the consolidated operations of the FRE or the Canadian
operations of a foreign branch or subsidiary.
The assessment of the materiality of an outsourcing arrangement
is often subjective and depends on the circumstances faced by an
individual FRE. Without limiting the scope of the materiality assessment,
factors that the FRE should consider include:
- the impact of the outsourcing arrangement on the finances,
reputation and operations of the FRE, or a significant business
line, particularly if the service provider, or group of affiliated
service providers, should fail to perform over a given period
of time;
- the ability of the FRE to maintain appropriate internal controls
and meet regulatory requirements, particularly if the service
provider were to experience problems;
- the cost of the outsourcing arrangement;
- the degree of difficulty and time required to find an alternative
service provider or to bring the business activity ‘in-house’;
and
- the potential that multiple outsourcing arrangements provided
by the same service provider can have an important influence –
in aggregate – on the FRE.
Specific questions an FRE might consider in assessing the materiality
of outsourcing arrangements are set out in Annex 2.
Outsourcing all or substantially all of a management oversight
function should always be considered material, except in circumstances
where the FRE receives such services from another member of the
FRE Group. For the purpose of this Guideline, management oversight
functions include:
- financial analysis;
- compliance;
- any internal audit services related to the internal accounting
controls, financial systems, or financial statements;
- senior management; and
- risk management.
For example, a material arrangement could relate to the outsourcing
of a significant part of the FRE’s information technology function,
investment management, or loan processing. Arrangements that likely
do not represent material outsourcing include those where there
are numerous similar providers in the marketplace and the cost and
inconvenience of switching between providers is low.
Significant changes in the volume or the nature of business conducted
should cause the FRE to reassess an outsourcing arrangement’s materiality.
In cases where an arrangement is reassessed as material, it should
come into compliance with all aspects of this Guideline at the first
opportunity, such as when the outsourcing contract, agreement or
statement of work (where applicable) is substantively amended, renewed
or extended.
7. Risk Management Program for Material Outsourcing Arrangements
In general, OSFI expects that an FRE will design a risk management
program that applies to all outsourcing arrangements of the FRE
group, except those that are clearly immaterial, and that the risk
mitigants employed will be commensurate with the FRE’s assessment
of the risks associated with the particular outsourcing arrangement.
7.1 Due Diligence Processes
OSFI expects an FRE to conduct an internal due diligence to determine
the nature and scope of the business activity to be outsourced,
its relationship to the rest of the FRE’s activities, and how the
activity is managed.
In selecting a service provider, or substantially amending or
renewing a contract or outsourcing agreement, FREs are expected
to undertake a due diligence process that fully assesses the risks
associated with the outsourcing arrangement, and addresses all relevant
aspects of the service provider, including qualitative (i.e., operational)
and quantitative (i.e., financial) factors (see Annex 3 for a list
of factors that could be included when performing due diligence
of a service provider). When out-of-Canada outsourcing is being
contemplated, the FRE should pay particular attention to the legal
requirements of that jurisdiction, as well as the potential foreign
political, economic and social conditions, and events that may conspire
to reduce the foreign service provider’s ability to provide the
service, as well as any additional risk factors that may require
adjustment to the risk management program.
Due diligence processes will vary depending on the FRE and on
the nature of the outsourcing arrangement being contemplated. For
example, in the case of renewals where no material change has occurred
that would affect the viability of the outsourcing relationship,
it may be appropriate to conduct more streamlined due diligence.
If the service provider is a member of an RFIP Group, a streamlined
due diligence process may be followed that addresses the qualitative
aspects of the arrangement, particularly those pertaining to the
unique operational (e.g., Canadian) requirements of the FRE.
The FRE may rely on a due diligence review of the service provider
that has been performed by an affiliate or home office within the
previous 15 months, provided the review addresses the above-noted
requirements as well as the risks particular to the FRE.
7.2 Policies and Procedures to Manage Risks Associated with Material Outsourcing Arrangements
7.2.1 Contract for Services
OSFI expects material outsourcing arrangements to be documented
by a written contract that addresses all elements of the arrangement
and has been reviewed by the FRE’s legal counsel. Some of the items
identified below may not be applicable in all circumstances; however,
FREs are expected to address all issues relevant to managing the
risks associated with each outsourcing arrangement to the extent
feasible and reasonable given the circumstances, and having regard
to the interests of the FRE. FRE and RFIP intra-group outsourcing
arrangements can be documented by an outsourcing agreement that
meets the expectations set out in Sections 4.1 and 4.2 respectively.
a) Nature and Scope of the Service Being Provided
The contract or outsourcing agreement is expected to specify the
scope of the relationship, which may include provisions that address
the frequency, content and format of the service being provided.
The contract or outsourcing agreement is expected to detail the
physical location where the service provider will provide the service.
b) Performance Measures
Performance measures should be established that allow each party
to determine whether the commitments contained in the contract are
being fulfilled.
c) Reporting Requirements
The contract or outsourcing agreement is expected to specify the
type and frequency of information the FRE receives from the service
provider. This would include reports that allow the FRE to assess
whether the performance measures are being met and any other information
required for the FRE’s monitoring program (see Section 7.3). In
addition, the contract or outsourcing agreement is expected to include
procedures and requirements for the service provider to report events
to the FRE that may have the potential to materially affect the
delivery of the service.
d) Resolution of Differences
OSFI expects the contract or outsourcing agreement to incorporate
a protocol for resolving disputes. The contract or outsourcing agreement
should specify whether the service provider must continue providing
the service during a dispute and the resolution period, as well
as the jurisdiction and rules under which the dispute will be settled.
e) Defaults and Termination
The contract or outsourcing agreement is expected to specify what
constitutes a default, identify remedies, and allow for opportunities
to cure defaults or terminate the agreement. The FRE is expected
to ensure that it can reasonably continue to process information
and sustain operations in the event that the outsourcing arrangement
is terminated or the service provider is unable to supply the service.
Appropriate notice should be required for termination of service
and the FRE’s assets should be returned in a timely fashion. In
particular, data and records relating to data processing outsourcing
arrangements should be returned to the FRE in a format that would
allow the FRE to sustain business operations without prohibitive
expense.
The contract or outsourcing agreement should not contain wording
that precludes the service from being continued in situations where
the Superintendent takes control of the FRE, or where the FRE is
in liquidation.
f) Ownership and Access
Identification and ownership of all assets (intellectual and physical)
related to the outsourcing arrangement should be clearly established,
including assets generated or purchased pursuant to the outsourcing
arrangement. The contract or outsourcing agreement should state
whether and how the service provider has the right to use the FRE’s
assets (e.g., data, hardware and software, system documentation
or intellectual property) and the FRE’s right of access to those
assets.
g) Contingency Planning
The contract or outsourcing agreement should outline the service
provider’s measures for ensuring the continuation of the outsourced
business activity in the event of problems and events that may affect
the service provider’s operation, including systems breakdown and
natural disaster, and other reasonably foreseeable events. The FRE
should ensure that the service provider regularly tests its business
recovery system as it pertains to the outsourced activity,
notifies the FRE of the test results, and addresses any material
deficiencies. The FRE is expected to provide a summary of the test
results to OSFI upon reasonable notice. In addition, the FRE should
be notified in the event that the service provider makes significant
changes to its business resumption and contingency plans, or encounters
other circumstances that might have a serious impact on the service.
h) Audit Rights
The contract or outsourcing agreement is expected to clearly stipulate
the audit requirements and rights of both the service provider and
the FRE. At a minimum, it should give the FRE the right to evaluate
the service provided or, alternatively, to cause an independent auditor
to evaluate, on its behalf, the service provided. This includes
a review of the service provider’s internal control environment
as it relates to the service being provided.
In addition, in all situations, irrespective of whether an activity
is conducted in-house, outsourced, or otherwise obtained from a
third party, OSFI retains its supervisory powers.
Accordingly, an undertaking from the service provider or a provision
in the outsourcing contract, should give OSFI or the Superintendent's
representative the right to:
- exercise the contractual rights of the FRE relating to audit;
- accompany the FRE (or its independent auditor) when it exercises
its contractual audit rights;
- access and make copies of any internal audit reports (and associated
working papers and recommendations) prepared by or for the service
provider in respect of the service being performed for the FRE,
subject to OSFI agreeing to sign appropriate confidentiality documentation
in form and content satisfactory to the service provider; and
- access findings in the external audit of the service provider
(and associated working papers and recommendations) that address
the service being performed for the FRE, subject to the consent
of the service provider’s external auditor and OSFI agreeing to
sign appropriate confidentiality documentation in form and content
satisfactory to the service provider and the external auditor.
OSFI would provide the FRE with reasonable notice of its intent
to exercise its audit rights and would share its findings with the
FRE where appropriate. In the normal course, OSFI would seek to
obtain information it requires through the FRE itself.
i) Subcontracting
The contract or outsourcing agreement is expected to set out any
rules or limitations to subcontracting by the service provider.
In particular, security and confidentiality standards should apply
to subcontracting or outsourcing arrangements by the primary service
provider. Consistent with the principles of this Guideline, the
audit and inspection rights of the FRE and OSFI should continue
to apply to all significant subcontracting arrangements.
j) Confidentiality, Security and Separation of Property
At a minimum, the contract or outsourcing agreement is expected
to set out the FRE’s requirements for confidentiality and security.
Ideally, the security and confidentiality policies adopted by the
service provider would be commensurate with those of the FRE and
should meet a reasonable standard in the circumstances. The contract
or outsourcing agreement should address which party has responsibility
for protection mechanisms, the scope of the information to be protected,
the powers of each party to change security procedures and requirements,
which party may be liable for any losses that might result from
a security breach, and notification requirements if there is a breach
of security.
OSFI expects appropriate security and data confidentiality protections
to be in place. The service provider is expected to be able to logically
isolate the FRE’s data, records, and items in process from those
of other clients at all times, including under adverse conditions.
k) Pricing
The contract or outsourcing agreement should fully describe the
basis for calculating fees and compensation relating to the service
being provided.
l) Insurance
The service provider should be required to notify the FRE about
significant changes in insurance coverage and disclose general terms
and conditions of the insurance coverage.
7.2.2 Location of Records
In accordance with the federal financial institutions legislation,
certain records of entities carrying on business in Canada should be maintained
in Canada. In addition, the FRE is expected to ensure that OSFI
can access in Canada any records necessary to enable OSFI to fulfill
its mandate.
7.2.3 Business Continuity Plan
An FRE’s business continuity plan should address reasonably foreseeable
situations (either temporary or permanent) where the service provider
fails to continue providing service. The business continuity plan
and back-up systems should be commensurate with the risk of a service
disruption. In particular, the FRE’s business continuity plan should
ensure that the FRE has in its possession, or can readily access,
all records necessary to allow it to sustain business operations,
meet its statutory obligations, and provide all information as may
be required by OSFI to meet its mandate, in the event the service
provider is unable to provide the service.
7.2.4 Outsourcing in Foreign Jurisdictions
When the material outsourcing arrangement results in services
being provided in a foreign jurisdiction, the FRE’s risk management
program should be enhanced to address any additional concerns linked
to the economic and political environment, technological sophistication,
and the legal and regulatory risk profile of the foreign jurisdiction(s).
7.3 Monitoring and Oversight of Material Outsourcing Arrangements
Every FRE engaged in material outsourcing should develop, implement and oversee procedures to monitor and control outsourcing risks in accordance with its outsourcing risk-management policies. The sophistication of the procedures should be commensurate with the size and complexity of the outsourcing arrangement(s) and with the expectations of this Guideline. Management is expected to prepare reports based on the FRE’s monitoring and oversight activities. These reports may outline the success of the outsourcing arrangement and the effectiveness of the risk management program and may be reflected in the documentation delivered to the FRE’s senior management or the branch’s chief agent or principal officer. Reports based on the Canadian branch’s monitoring and oversight activities should either be prepared or reviewed by the chief agent or principal officer.
7.3.1 Centralized List of All Material Outsourcing Arrangements
The FRE should maintain a centralized list of all its material
outsourcing arrangements.
A parent FRE may maintain the list on behalf of its subsidiaries. The list should contain information pertaining to the name of the service provider, the country where the service is provided, the expiry or renewal date of the contract or outsourcing agreement and the estimated value (dollar amount) of the contract or outsourcing agreement. A template of a centralized list that an FRE could use is provided in Annex 4. The list should be updated on an ongoing basis and should form part of the documentation delivered to the FRE’s senior management or the branch’s chief agent or principal officer. OSFI should have access to the list at any time upon request.
7.3.2 Monitoring the Outsourcing Arrangement
The FRE should monitor all material outsourcing arrangements to ensure that the service is being delivered in the manner expected and in accordance with the terms of the contract or outsourcing agreement. Monitoring may take the form of regular, formal meetings with the service provider and/or periodic reviews of the outsourcing arrangement’s performance measures. Within a reasonable time, the FRE should advise its OSFI lead supervisor manager about any events that are likely to have a significant negative impact on the delivery of the service.
An FRE should review its material outsourcing arrangements to ensure compliance with its outsourcing risk policies and procedures and with the expectations of this Guideline. Reviews of material outsourcing arrangements should be periodically undertaken by the FRE’s internal audit department or another independent review function either internal or external to the FRE, provided it has the appropriate knowledge and skills. The FRE’s senior management, or the chief agent or principal officer when the FRE is a branch, will always retain overall accountability for the outsourcing arrangement.
Reviews should test the FRE’s risk-management activities for outsourcing
in order to:
- ensure risk-management policies and procedures for outsourcing
are being followed;
- ensure effective management controls over outsourcing activities;
- verify the adequacy and accuracy of management information
reports; and
- ensure that personnel involved in risk-management for outsourcing
are aware of the FRE’s risk-management policies and have the expertise
required to make effective decisions consistent with those policies.
Management should adjust the scope of the review depending on
the nature of the outsourcing arrangement.
7.3.3 Monitoring the Service Provider
At least annually, the FRE should review the service provider
to ascertain its ability to continue to deliver the service in the
manner expected. This review would be commensurate with the level
of risk involved and could include an assessment of the service
provider’s circumstances including its financial strength, prospects
(except in cases involving the parent or home office of a Canadian
subsidiary or branch), technical competence, and use and performance
of significant subcontractors.
- END -
Annex 1 - Examples of Outsourcing Arrangements
The outsourcing domain is diverse and growing. Some examples may
include:
- Information system management and maintenance (e.g., data entry
and processing, data centres, facilities management, end-user
support, local area networks, help desks);
- Document processing (e.g., cheques, credit card slips, bill
payments, bank statements, other corporate payments);
- Application processing (e.g., insurance policies, loan originations,
credit cards);
- Policy administration (e.g., premium collection, policy assembly,
invoicing, endorsements);
- Claims administration (e.g., loss reporting, adjusting);
- Loan administration (e.g., loan negotiations, loan processing,
collateral management, collection of bad loans);
- Investment management (e.g., portfolio management, cash management);
- Marketing and research (e.g., product development, data warehousing
and mining, advertising, media relations, call centres, telemarketing);
- Back office management (e.g., electronic funds transfer, payroll
processing, custody operations, quality control, purchasing);
- Real estate administration (e.g., building maintenance, lease
negotiation, property evaluation, rent collection);
- Professional services related to the business activities of
the FRE (e.g., accounting, internal audit, actuarial); and
- Human resources (e.g., benefits administration, recruiting).
This Guideline generally would not apply to the following:
- Courier services, regular mail, utilities, telephone;
- Procurement of specialized training;
- Discrete advisory services (e.g., legal opinions, certain investment
advisory services that do not result directly in investment decisions,
independent appraisals, trustees in bankruptcy);
- Purchase of goods, wares, commercially available software and
other commodities;
- Independent audit reviews;
- Credit background and background investigation and information
services;
- Market information services (e.g., Bloomberg, Moody’s);
- Independent consulting;
- Services the FRE is not legally able to provide;
- Printing services;
- Repair and maintenance of fixed assets;
- Supply and service of leased telecommunication equipment;
- Travel agency and transportation services;
- Correspondent banking services;
- Maintenance and support of licensed software;
- Temporary help and contract personnel;
- Fleet leasing services;
- Specialized recruitment;
- External conferences;
- Clearing and settlement arrangements between members or participants
of recognized clearing and settlement systems;
- Sales of insurance policies by agents or brokers;
- Ceded insurance and reinsurance ceded; and
- Syndication of loans.
Annex 2 - Sample Questions to Assess the Materiality of Outsourcing Arrangements
In assessing the materiality of a specific outsourcing arrangement,
an FRE may want to consider the following questions, among others:
- What is the relationship between the business activity and
the FRE’s core business?
- What is the outsourcing arrangement’s potential impact on earnings,
solvency, liquidity, funding, capital, reputation, internal expertise
and capacity of the FRE, brand value, or system of internal controls?
- What is the outsourcing arrangement’s importance to achieving
and implementing business objectives, the business strategy and
business plans?
- What is the FRE’s aggregate exposure to a particular service
provider? Is the FRE exposed to additional outsourcing risk as
a result of multiple outsourcing arrangements with a service provider?
- What is the size of contractual expenditures as a share of
non-interest expenses of the FRE or line of business?
- If the service provider is unable to perform the service over
a given period of time:
- What is the expected impact on the FRE’s customers?
- What is the likely impact on the FRE’s reputation?
- Would it have a material impact on the FRE’s risk profile?
- Would the FRE be able to engage an alternative service provider?
How long would it take and what costs would be involved?
Annex 3 - Due Diligence of Service Providers
The due diligence of service providers addressed in Section 7.1
may include, but is not necessarily limited to, examining a service
provider in light of these factors:
- Experience and technical competence of the service provider
to implement and support the outsourced activity (this could include
a review of the experience and technical competence of significant
subcontractors where feasible);
- Financial strength (e.g., most recent audited financial statements
and other relevant information (to the best of the service provider’s
ability));
- Business reputation, complaints, compliance and pending litigation;
- Internal controls, reporting and monitoring environment;
- The service provider’s business resumption and contingency
measures, including recovery testing, for ensuring the continuation
of the outsourced business activity in the event of problems and
events that may affect the service provider’s operation such as
a systems breakdown, natural disaster, an inability of a significant
subcontractor to provide services relevant to the outsourced activity,
and situations where extraordinary demands are placed on a service
provider;
- Reliance on and success in dealing with sub-contractors;
- Insurance coverage; and
- Business objectives, human resource policies, service philosophies,
business culture, and how they fit with those of the FRE.
Annex 4 – Template Centralized List
| Name of service provider | Short description of arrangement | Type of arrangement (e.g., RFIP-group, FRE-group, third party arrangement) | The country or countries from which service(s) are provided | Expiry or renewal date of the contract or outsourcing agreement | The estimated annual spending on the arrangement in the future year | The estimated value (dollar amount) of the contract or outsourcing agreement |
| --- | --- | --- | --- | --- | --- | --- |
| | | | | | | |
| | | | | | | |
| | | | | | | |