Office of the Superintendent of Financial Institutions
OSFI thanks respondents who provided feedback on draft Guideline B-10: Third-Party Risk Management. This summary highlights feedback received together with OSFI’s responses.
OSFI recognizes that federally regulated financial institutions (FRFIs) carry on business in a competitive environment and third-party arrangements can be beneficial in driving efficiency gains, innovation and service improvements. OSFI expects FRFIs to effectively manage the risks related to third-party arrangements. FRFIs are expected to retain accountability for business activities, functions and services provided by a third party.
OSFI revised final Guideline B-10 to clarify the scope and be more principles-based with an increased emphasis on a risk-based approach to managing third-party arrangements. OSFI has also responded to concerns about subcontractor and concentration risks, as well as the transition period for Guideline B-10 to come into effect.
Many respondents expressed concern that the scope of the draft Guideline was broad and that the expectations set out could be too onerous for certain third-party arrangements.
OSFI expects FRFIs to understand all their third-party arrangements and apply risk management activities appropriate to the level of risk and criticality of each arrangement. Higher-risk and more critical arrangements should be subject to more intensive risk management.
To that end, OSFI has added a section to the Guideline clarifying its expectation that FRFIs should apply the Guideline in a manner proportionate to the level of risk and criticality of each third-party arrangement and to the size, nature, scope, complexity, and risk profile of the institution. OSFI has also clarified that where a third party is subject to government regulation or supervision, the FRFI may take this into consideration as part of its risk assessment.
Some respondents identified sections where the language in the draft was viewed as overly prescriptive.
As noted above, OSFI introduced new language to align the Guideline with OSFI’s principles-based approach and to reinforce its expectation that FRFIs should take a risk-based approach to managing third-party arrangements. In addition, expectations regarding due diligence and written arrangements have been revised to reduce their level of prescriptiveness and reinforce alignment with a risk-based approach.
Several respondents indicated it may be difficult to impose the expectations in the Guideline on subcontractors used by the third parties with whom they have entered arrangements.
In response, OSFI made revisions clarifying its expectations concerning how FRFIs can fulfill their responsibilities for managing the risks introduced by subcontracting. OSFI expects FRFIs to manage subcontractor risk according to the level of risk and criticality of the third-party arrangement in question. FRFIs should assess subcontracting risks and scale their monitoring and management of these risks to the level of risk of the arrangement and criticality of services provided by the third party.
Some respondents indicated it would be difficult for individual FRFIs to assess concentration risk.
In response, OSFI has clarified that FRFIs should take all reasonable steps to assess concentration risk associated with their own third-party arrangements across relevant dimensions, including geography, supplier, and subcontractor. For systemic concentration risk, OSFI expects FRFIs to conduct risk assessments to the greatest extent possible. OSFI also encourages FRFIs to consider the benefits and risks of portability when entering arrangements with cloud service providers, and the mitigants for those risks where portability is absent.
Several respondents perceived overlap between the expectations set out in the draft B-10 Guideline and other OSFI guidelines.
To address this concern, OSFI has revised the Guideline to indicate where the expectations in Guideline B-10 are meant to complement other guidelines, such as Guidelines B-13: Technology and Cyber Risk Management and E-21: Operational Risk Management, and where FRFIs should refer to the expectations set out in those guidelines.
Some respondents informed OSFI that a relatively lengthy transition period may be needed to bring third-party arrangements into compliance with the expectations in the draft B-10 Guideline.
To that end, the Guideline will come into effect May 1, 2024, roughly one year after its publication, to provide FRFIs sufficient time to self-assess and build third-party risk management programs that comply with the new requirements of the Guideline.
Third-party arrangements commencing on or after May 1, 2024, would be expected to comply with all applicable sections of the Guideline. FRFIs should review and update legacy arrangements entered into prior to May 1, 2024, at the earliest appropriate contract renewal or revision point to meet the expectations of this Guideline by its implementation date or as soon as possible thereafter.