Third-Party Risk Management Guideline

Document Properties

  • Type of Publication: Draft Guideline
  • Category: Sound Business Practices and Prudential Limits
  • No: B-10
  • Date: April 2022

A. Overview

Federally regulated financial institutions (FRFIs) engage in business and strategic arrangements with external parties—entities or individuals—to perform business activities, functions, and services in support of their own operations or their business strategy.

These types of external arrangements, or third-party arrangements, can be beneficial to the FRFI by introducing efficiencies, driving innovation, managing shifting operational needs, and improving services. However, there are potential risks that can arise from third-party arrangements that can threaten the FRFI’s operational and financial resilience.

The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement.

To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work.Footnote 1 OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement.

In all cases, OSFI’s supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced, or otherwise obtained from a third party.

A1. Purpose and Scope

This Guideline sets out OSFI’s expectations for managing risks associated with third-party arrangements.

This Guideline applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches.Footnote 2

FRFIs should implement the expectations in this Guideline proportionate to their size, the nature, scope, and complexity of their operations, and their risk profile.

A2. Definitions

A ‘third-party arrangement’ is any business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise (e.g., another form of agreement or the conduct of the parties). Arrangements with FRFI customers (e.g., depositors and policyholders) are excluded from this definition.

Such arrangements include, among other things:

  • outsourced activities, functions, and services;Footnote 3

  • use of independent professionals;

  • brokers (e.g., mortgage, insurance, deposit brokers);

  • utilities (e.g., power sources, telecommunications);

  • financial market infrastructuresFootnote 4 (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures);

  • services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and

  • other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services).Footnote 5

‘Third-party risk’ is the risk to the FRFI’s operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. Third-party risk scenarios could include, but would not be limited to:

  • insolvency of the third party;

  • operational disruption at the third party due to people, inadequate or failed processes and systems, or from external events (e.g., cyber incidents);

  • insolvency of or operational disruption at a material subcontractorFootnote 6;

  • political, geographic, legal, environmental, or other risks impeding the third party or its material subcontractors from providing services according to its arrangement with the FRFI;

  • risks arising from interconnections between multiple third parties and multiple FRFIs;

  • corruption of FRFI data or FRFI data breaches;Footnote 7 and

  • loss of data by the third party.

‘Concentration risk’ is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of and/or geographically concentrated third-party providers or subcontractors. Third-party provider, subcontractor and geographic concentration have the potential to increase overall risk to FRFIs and the financial services industry by:

  • making substitutability of the third party more difficult;
  • increasing the likelihood that the insolvency of or an operational disruption at a third party or its subcontractor has ramifications on the FRFI or throughout the financial services industry;
  • exposing the FRFI or the financial services industry to increased impact of natural disasters or other external events; and
  • reducing the market power of FRFIs vis-à-vis the third party to negotiate favourable arrangements.

‘Criticality’ is the degree of impact of the third-party arrangement on the FRFI’s risk profile, operations, strategy and/or financial condition. A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI’s provision of a significant operation, function, or service. That is, a failure in performance of the third party could cause significant harm to the FRFI’s operations and/or reputation.

The criticality of the third-party arrangement is an important input into the assessment of both:

  • the third-party arrangement’s level of risk; and

  • the FRFI’s overall operational and financial resilience.

A3. Outcomes

This Guideline presents five expected outcomes for FRFIs to achieve through managing third-party risk. These outcomes contribute to the FRFI’s operational and financial resilience and help safeguard its reputation.

Graphic Description - Five expected outcomes for FRFIs to achieve through managing third-party risk
  1. Governance and accountability structures are clear with comprehensive risk management strategies and frameworks in place to contribute to ongoing operational and financial resilience.
  2. Risks posed by third parties are identified and assessed.
  3. Risks posed by third parties are managed and mitigated within the FRFI’s risk appetite framework.
  4. Third party performance is continually monitored and assessed, and risks and incidents are proactively addressed.
  5. The FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of third-party relationships and interactions.

A4. Related Guidance

This Guideline should be read in conjunction with applicable legislation and relevant OSFI guidance, including but not limited to, Guideline E-21 on Operational Risk Management, Guideline B-13 on Technology and Cyber Risk Management, and the Corporate Governance Guideline.

1. Governance

Outcome: Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience.

1.1. Accountability

Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements.

1.1.1. The FRFI retains accountability for services outsourced to a third party and for managing the risks related to all third-party arrangements and interactions

The FRFI has the flexibility to arrange its operations in a way that achieves its business and strategic objectives. However, the FRFI retains accountability for all its business activities, functions, and services outsourced through third-party arrangements, for data exchanged with the third party or data to which the third party has access, and for managing risks arising from third-party arrangements.

The FRFI’s Senior Management should be satisfied that business activities, functions, and services performed by third parties are done in a safe and sound manner, and in compliance with applicable legislative and regulatory requirements and the FRFI’s own internal policies, standards, and processes. The FRFI’s Senior Management should also be satisfied that third-party arrangements are in alignment with the FRFI’s risk appetite and managed proportionate to the level of risk and criticality.

Please refer to OSFI’s Corporate Governance Guideline for OSFI’s expectations of FRFI Boards of Directors in regard to business strategy, risk appetite and operational, business, risk and crisis management policies.

1.2. Third-Party Risk Management Framework (TPRMF)

Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.

1.2.1. TPRMF is enterprise-wide, governs the lifecycle of third-party arrangements, and is dynamic

The FRFI should establish a TPRMF that provides an enterprise-wide view of its exposures to third parties. The TPRMF should reflect the FRFI’s risk appetite and be consistent with its operational or enterprise risk management frameworks.

The TPRMF should be developed to span the lifecycle of a third-party arrangement, from sourcing and due diligence of a third-party provider to potential exit from the third-party arrangement. The TPRMF should set out how the FRFI will identify and assess; manage and mitigate; and monitor and report on third-party risk.

OSFI expects the FRFI to regularly review and update its TPRMF, and to make continuous improvements based on implementation, effectiveness and other lessons learned (e.g., past incidents).

1.2.2. TPRMF captures key elements

At minimum, the TPRMF should establish and govern the following elements:

  • accountability for third-party risk management, including for relevant oversight functions;

  • clear roles and responsibilities for overseeing and managing third-party arrangements and associated risk management processes;

  • third-party risk appetite and measurement (e.g., limits, thresholds and key risk indicators);

  • methodology for assessing the level of risk and criticality of third-party arrangements;

  • policies, standards, systems and processes governing third-party risk, which are approved, regularly reviewed and consistently implemented enterprise-wide;

  • processes and systems for identifying, assessing, managing, monitoring, measuring, and reporting on third-party compliance with contractual provisions and/or service level agreements, including processes for managing exceptions and incidents;

  • processes for identifying, assessing, managing, monitoring, measuring, and reporting on third-party risks (including, among others, technology, cyber, concentration, business continuity, strategic and financial risks), and the contribution of third-party arrangements in aggregate to the FRFI’s overall level of risk; and

  • aggregate reporting to Senior Management on third-party risk exposure and trends to inform the FRFI’s current and emerging risk profile, including an inventory of third-party providers delineated by level of risk and criticality of the provider.

2. Third-Party Risk Management Program

OSFI expects the FRFI to manage third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI’s third-party ecosystem. OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment.

For critical third-party arrangements and those that pose a high risk to the FRFI, OSFI expects that all expectations set out in Section 2 be considered minimum expectations.

2.1. Risk-Based Approach

2.1.1. Risk assessment criteria are comprehensive and scalable

The FRFI’s criteria to assess the risks of third-party arrangements should be comprehensive and focus on higher-risk arrangements, while maintaining oversight of other arrangements in accordance with the FRFI’s risk-based approach. Assessment criteria should also be reviewed periodically to ensure that they remain current for the risk landscape.

2.1.2. The level of criticality of the third party is determined

Determining the level of criticality is an important part of sound risk management. The criticality of a third-party arrangement should influence the nature and frequency of the FRFI’s risk management activities. Criticality should also be reviewed periodically.

2.1.3. Level of risk and criticality are assessed

In determining the level of risk and criticality, the FRFI should consider, among other things:

  • the third party’s use of subcontractors;

  • the potential for loss or harm to the FRFI in the event that the third party or material subcontractor fails to meet expectations, due to service disruption, outage, cyber security breaches or any other reason;

  • the ability of the FRFI to assess controls at the third party and continue to meet regulatory and legal requirements in respect of activities performed by the third party, particularly in the case of disruption;

  • substitutability of the third party, including the portability and timeliness of a transfer of services;

  • the potential impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house;

  • the financial health of the third party and the potential “step-in” risk, whereby the FRFI is required to provide financial support to the third party or take over the third party’s business;

  • the degree of the FRFI’s or the industry’s reliance on, or concentration in, the third party (see Section 2.2.3); and

  • any other relevant financial and non-financial risks associated with the use of the third party.

2.1.4. Rigour of risk management activities matches the level of risk and criticality

The robustness and frequency of the FRFI’s third-party risk management activities (e.g., risk assessment, mitigation, monitoring, measuring, and reporting) should be proportionate to the level of risk and criticality associated with the third-party arrangement.

2.2. Risk Identification and Assessment

Outcome: Risks posed by third parties are identified and assessed.

Principle 3: Before entering a third-party arrangement—and, periodically thereafter, proportionate to the level of risk and criticality of the arrangement—the FRFI should identify and assess the risks of the arrangement. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight.

2.2.1. Risk Assessment

2.2.1.1. Risk and criticality of the arrangement are assessed throughout its lifecycle

The FRFI should conduct risk assessments of each third-party arrangement to determine the risk and criticality of the arrangement, considering both risks created and reduced (e.g., using suppliers in various jurisdictions to reduce geographic concentration) by the arrangement, as well as potential mitigants.

The FRFI should conduct such assessments:

  • prior to entering into the third-party arrangement (see Section 2.2.2);

  • regularly throughout the lifecycle of the arrangement at a frequency and scope proportionate to the level of risk and criticality; and

  • whenever there is material change in the arrangement or third party (including disruption at the third party or in the service provided).

Such risk assessments should, at minimum:

  • determine whether the arrangement aligns with the FRFI’s risk appetite for third-party risk and other relevant risks;

  • establish the level of risk and criticality; and

  • develop a plan, with appropriate intensity of monitoring and mitigating actions, to manage the arrangement within the FRFI’s risk appetite.

2.2.2. Due Diligence

Principle 4: The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.

2.2.2.1. A due diligence process is established

The FRFI should establish due diligence processes for third-party arrangements to apply initially and on an ongoing basis, including documented risk escalation, approval and acceptance processes.

2.2.2.2. Due diligence is performed proportionate to level of risk and criticality

The FRFI should conduct due diligence proportionate to the level of risk and criticality of each third-party arrangement:

  • prior to entering into the arrangement;

  • as part of the contract renewal process; and

  • periodically on an ongoing basis proportionate to the level of risk and criticality or whenever there are material changes to the third-party arrangement, such as the nature of the arrangement or its criticality.

Due diligence should consider all relevant qualitative (e.g., operational) and quantitative (e.g., financial) factors related to the third-party arrangement. A non-exhaustive list of factors to consider is set out in Annex 1 of this Guideline.

2.2.2.3. Out-of-Canada arrangements are considered

When considering arrangements with third parties based outside of Canada (or Canadian third parties with material subcontractors located outside of Canada), the FRFI should pay particular attention to the legal requirements of relevant jurisdictions, as well as the potential political, legal, security, economic, environmental, social, and other risks that may impede the ability of the third party to provide services.

2.2.3. Concentration Risk

2.2.3.1. Concentration risk is assessed

To determine the appropriate level of mitigation, the FRFI should assess concentration risk both prior to entering a contract or agreement and on an ongoing basis. The FRFI’s processes should take reasonable steps to assess concentration risk over multiple dimensions, including geography, supplier, and subcontractor. Throughout the process, concentration should be considered within the FRFI’s business functions/units and legal entities, and across the FRFI’s entire organization.

2.2.4. Supply Chain Management

Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered by third parties, including the impact of these arrangements on concentration risk.

Subcontracting risk stems from the complexity and interdependency of the third party’s supply chain. Subcontracting diminishes the FRFI’s ability to manage the risk related to such arrangements and can increase the overall risk related to the use of certain third parties.

2.2.4.1. Risks related to subcontracting practices are identified and understood

The FRFI should assess whether the existence of material subcontracting might negatively impact its operational and financial resilience during a significant disruption within the third party’s supply chain, and whether this impact could outweigh the benefits of the arrangement.

Prior to entering a third-party arrangement, the FRFI should identify and understand risk factors related to the third party’s subcontracting practices, including, at minimum:

  • level of subcontracting, including whether there are material subcontractors;

  • geographic locations of subcontractors and any associated political, security, economic, environmental, social, and other risks;

  • ability of subcontractors to provide services in alignment with the performance standards and controls outlined in the third-party contract, including through disruption; and

  • ability of subcontractors to meet legal and regulatory requirements.

2.2.4.2. Visibility into the use of subcontractors is established

The FRFI should also ensure that it has ongoing line of sight into the third party’s use of subcontractors. Among other ways, the FRFI might achieve this by:

  • contractual provisions prohibiting the use of subcontractors for certain functions;

  • requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained or substituted to carry out some of the functions that the third party is contracted to perform;

  • reserving a right of the FRFI to refuse a subcontractor; and

  • contractual provisions allowing the FRFI to commission or conduct an audit of the subcontractor.

2.2.4.3. Evidence that the third party can manage subcontractor risk

The FRFI should ensure that the third party has the capacity to monitor and manage risks arising from the use of subcontractors, including, where feasible, through audit rights and/or access to independent audit reports.

In addition, the FRFI should evaluate and consider the impact of use of subcontractors on the concentration risk of third-party arrangements (refer to 2.2.3 above).

2.3. Risk Management and Mitigation

Outcome: Risks posed by third parties are managed and mitigated within the FRFI’s Risk Appetite Framework.

2.3.1. Agreements / Contracting

Principle 6: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party.

2.3.1.1. Clear responsibilities are set out in the agreement

OSFI expects third-party arrangements to be supported by a written contract or other agreement (e.g., service level agreement) that sets out the rights and responsibilities of each party and which has been reviewed by the FRFI’s legal counsel. OSFI recognizes that there are certain third-party arrangements for which a customized contract may not be feasible, or for which a formal contract or agreement may not exist. Please see Section 3 of this Guideline for OSFI expectations related to such third-party arrangements.

2.3.1.2. The third party is expected to comply with FRFI’s provisions

To manage the risks associated with each third-party arrangement, the FRFI should structure its written agreement with the third party in a manner that allows it to meet the expectations set out in this Guideline. At a minimum, OSFI expects the FRFI to include in written agreements the provisions that are set out in Annex 2 of this Guideline.

2.3.2. Data Security and Controls (including Data Location)

Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.

2.3.2.1. Responsibilities for security of records and data are established

Third-party agreements are expected to set out each party’s responsibilities for the confidentiality, availability and integrity of records and data. Agreements should establish, among other things:

  • the scope of the records and data to be protected;

  • availability of the records and timely access to data by the FRFI and OSFI, upon request;

  • controls and monitoring over the third party’s use of the FRFI’s systems and information;

  • clear responsibilities of each party in managing data security;

  • which party is liable for any losses that might result from a security breach; and

  • notification requirements if there is a breach of security.

In addition, these agreements should specify that the FRFI’s data and records be isolated from those of other clients at all times, including during the transfer process and under adverse conditions (e.g., disruption of services). Data and records should be subject to the same standard of protection at the third party as they would be at the FRFI.

2.3.2.2. Record Keeping Requirements

The Bank Act, Insurance Companies Act, and the Trust and Loan Companies Act (collectively, the FRFI Statutes), contain requirements with respect to certain records that FRFIs must prepare and maintain (the Records).Footnote 8 OSFI expects the Records to be updated and accurate as at the end of each business dayFootnote 9, and that the Records will be sufficiently detailed to enable:

  • OSFI to conduct an examination and inquiry into the business and affairs of the FRFI;

  • OSFI to manage the FRFI’s assets, prior to the appointment of a liquidator, should the Superintendent take control of the FRFI’s assets; and

  • the liquidator to conduct an effective liquidation of the FRFI’s assets.

Electronic Records must be capable of being reproduced in intelligible written form within a reasonable period of time. OSFI expects electronic Records to be accessible and intelligible without incurring additional costs and by using readily available commercial applications. For certain types of information, such as reinsurance arrangements or files on more complex activities, reproduced electronic Records may not be sufficient for OSFI's review and the executed copy may need to be available, upon OSFI's request.

The FRFI Statutes require each FRFI to keep copies of the Records at its head office, or at such other place in Canada as the directors of the FRFI think fit. If the Records are in electronic form, complete copies must be kept on a computer server(s) physically located at the places stipulated in the FRFI Statutes.Footnote 10

Certain FRFIs are exempted from the requirement to keep copies of the Records at the above noted places in Canada. In those circumstances, the FRFI must provide OSFI with immediate, direct, complete and ongoing access to the Records that are stored outside Canada.Footnote 11

2.3.3. Information Rights and Audit

Principle 8: The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.

2.3.3.1. The third party provides the FRFI with information and reporting

The third-party agreement should specify the type and frequency of information to be reported to the FRFI by the third party. This should include reports that allow the FRFI to assess whether performance measures are being met and any other information required for the FRFI’s monitoring program, including risk measures (see Section 2.4).

2.3.3.2. The third party reports events that could materially impact the FRFI

The agreement should include requirements and procedures for the third party to report to the FRFI, in a timely manner, events that have the potential to materially affect the risks and delivery of the service.

2.3.3.3. Service performance and controls are evaluated, and audit rights established, as appropriate

The agreement should give the FRFI and OSFI the right to evaluate the risk management practices related to the service provided. Specifically, the FRFI and OSFI should be able to evaluate the risks arising from the arrangement or appoint independent auditors to evaluate the risk management practices related to service provided and the risks arising from the relationship on the FRFI’s or on OSFI’s behalf. The FRFI and OSFI should also be able to access audit reports in respect of the service being performed for the FRFI.

The FRFI should employ a range of audit and information gathering methods (e.g., independent reports provided by third parties, individually performed or pooled audits).

2.3.4. Business Continuity Planning and Testing

Principle 9: The FRFI’s agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.

2.3.4.1. Business continuity and recovery capabilities are established and tested

Third-party agreements should require the third party, at minimum, to:

  • outline the third party’s measures for ensuring continuity of services in the event of disruption;

  • test regularly the third party’s business continuity and disaster recovery programs as they pertain to services provided to the FRFI;

  • notify the FRFI of test results; and

  • address any material deficiencies.

Among other things, the FRFI’s business continuity and disaster recovery plans should:

  • address severe but plausible situations (either temporary or permanent) where the third party could fail to continue providing service;

  • set out backup systems and redundancies commensurate with the criticality of the service provided; and

  • ensure the FRFI has in its possession, or can readily access, all necessary records to allow the FRFI to sustain business operations, meet statutory obligations, and provide all information as may be required by OSFI, in the event of disruption to third-party services.Footnote 12

As applicable, joint design and testing of business continuity plans and disaster recovery plans should be considered between the third party and the FRFI, commensurate with the criticality of the service.

2.3.5. Exit Strategy/Planning

2.3.5.1. Exit strategies are developed to ensure continuity of critical services

The FRFI should establish exit plans proportionate to the level of risk and criticality of individual third-party arrangements to ensure continuity of the FRFI’s operations through normal and stressed times. Such documented plans should:

  • encompass both planned and unplanned exits, such as a provider’s default, non-performance or prolonged disruption, and establish triggers for invoking exit/contingency plans;

  • establish a set of activities to perform when exiting because of stressed circumstances, such as following the failure or insolvency of the service provider (a “playbook” for stressed exit);

  • establish a set of activities to perform when exiting through a planned and managed exit due to commercial, performance, or strategic reasons (a “playbook” for non-stressed exit);

  • take into account contractual provisions impacting exit, such as notification requirements and provisions obliging the third party to provide services over a prescribed period of time following notification of termination;

  • contain sufficient detail (e.g., alternative options or providers, supported by timelines, costs, resourcing, revenue impacts, and interim workarounds) as to allow rapid execution;

  • address severe but plausible scenarios and set out documented plans for each scenario; and

  • be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements.

2.4. Monitoring and Reporting

Outcome: Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed.

Principle 10: The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks.

2.4.1. Oversight of Third-Party Provider

2.4.1.1. The FRFI monitors its third-party arrangement(s)

The FRFI should monitor its third-party arrangement(s) to ensure that the service is being delivered in accordance with the terms of the agreement, and that the third party remains financially sound.

Monitoring should also cover regular oversight of current and emerging risks and risk acceptancesFootnote 13 and compliance of the third-party arrangement with the FRFI’s risk policies and procedures and OSFI’s expectations. Monitoring should be conducted at the individual arrangement level, as well as at an aggregate business unit, segment, platform, and enterprise level.

The extent and frequency of monitoring should be proportionate to the level of risk and criticality of the third-party arrangement.

2.4.1.2. Metrics confirm residual risk remains within risk appetite

The FRFI should establish processes to confirm regularly that the residual risk of its third-party arrangements, individually and in aggregate, remains within the FRFI’s risk appetite. To facilitate this outcome, the FRFI should establish and report metrics and associated thresholds to alert Senior Management when a threshold is being approached, as well as triggers for invoking the FRFI’s escalation process.

2.4.2 Incident Management and Reporting

Principle 11: Both the FRFI and its third parties should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFI’s risk appetite.

2.4.2.1. The third party has clearly defined incident management processes

As part of an effective third-party risk management program, the FRFI should ensure that its third parties have clearly defined and documented processes for identifying, investigating, escalating, remediating and notifying the FRFI in a timely manner of incidents—including subcontractor incidents—that could directly or indirectly impact the third party’s ability to deliver the contracted goods and/or services.

2.4.2.2. Incident reporting and notification requirements of the third party support FRFI compliance with OSFI’s incident reporting requirements

The FRFI should ensure that its written agreements with third parties contain adequate provisions to enable the FRFI to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory. Such provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor) including providing information on each incident in line with the Advisory.

2.4.2.3. Internal incident management process is established

The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation. The processes established should clearly define accountabilities at all levels of the FRFI and triggers for escalation within the FRFI.

2.4.2.4. Incidents are investigated, analysed and results are shared

To ensure that remediation actions are sufficient, the FRFI should request that the third party perform root cause analysis and share the results for any incidents, commensurate with the severity/potential impact of the incident on the FRFI. The FRFI should also perform its own root cause analysis, as appropriate. Remediation actions should be monitored by the FRFI.

3. Special Arrangements

Outcome: The FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of third-party arrangements and interactions.

3.1. Standardized Contracts/Special Arrangements

Customized contracts can be effective tools for the mitigation of third-party risk. However, FRFIs may often receive, or use, products or services from providers, such as utilities, internet providers, financial market infrastructures, and others, under pre-defined terms and conditions in standard contracts with a limited ability to tailor contract terms.

3.1.1. Third parties without contracts still carry risks

The absence of a written arrangementFootnote 14 does not obviate the existence of a third-party relationship. While the FRFI may not have direct relationships with all third parties it interacts with, risks may still arise from these relationships.

3.1.2. Risks of third parties with no contracts or standardized contracts are managed

In situations where the arrangement is supported by a standardized contract, or by no formal contract or agreement at all, OSFI still expects the FRFI to have a third-party risk management program that covers the relationship and that is proportionate to the level of risk and criticality of the third-party relationship. In such cases, the FRFI’s risk assessment should consider inherent risks, mitigating controls, and other factors to arrive at the final risk rating for these arrangements.

Among the mitigating actions and controls that the FRFI may consider are the development of redundancies, workarounds, business continuity measures, and other resiliency mechanisms.

3.2. Third-Party Arrangements with the External Auditor

Arrangements with the external auditor can give rise to conflicts of interest.

3.2.1. External auditors comply with auditor independence standards when providing third-party services

Prior to obtaining management consulting services from its external auditor, the FRFI should assure itself that its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements, in respect of such services to be performed by the external auditor.

3.2.2. The FRFI does not obtain actuarial or internal audit services from its external auditor unless certain conditions apply

Unless it is reasonable to conclude that the results of the service will not be subject to audit procedures during an audit of the FRFI’s financial statements, the FRFI should not obtain the following services from its external auditor:

  • Any actuarial service.Footnote 15

  • Any internal audit service related to the internal accounting controls, financial systems, or financial statements of the FRFI. This does not prohibit the external auditor from providing a non-recurring service to evaluate a discrete item or program, if the service is not, in substance, the outsourcing of an internal audit function.

4. Technology and Cyber Risk in Third-Party Arrangements

OSFI recognizes that technology and cyber risk in third-party arrangements presents elevated vulnerabilities to the FRFI. In addition to the minimum expectations articulated earlier in this guideline, the FRFI should consider additional controls to manage technology and cyber risks stemming from its third-party arrangements.

4.1. Clear roles and responsibilities are established for technology and cyber controls

As set out earlier in this guideline, and emphasized in Annex 2, establishing clear roles and responsibilities between the FRFI and the third party is essential to managing risk and limiting ambiguity between the parties. When setting responsibilities for technology and cyber controls, the FRFI should consider the risk and criticality of its arrangement. Where necessary, the FRFI should establish more granular descriptions of the roles, responsibilities, and procedures that apply to each party when managing the configuration of products and systems.

4.2. Third parties comply with the FRFI’s technology and cyber standards

Where necessitated by risk and criticality, the FRFI should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards—or recognized industry standards—for mitigating risk, notably in the areas of access management and data security and protection.Footnote 16

4.3. Cloud-specific requirements are established

The FRFI should develop cloud-specific requirements to ensure that cloud adoption occurs in a planned and strategic manner. These specific requirements should optimize interoperability while operating within the FRFI’s stated risk appetite. They should also augment existing FRFI controls and standards, notably in the areas of data protection, key management, and container management.

These requirements should be accompanied by robust cloud governance to provide proper oversight and monitoring of compliance with the FRFI’s risk management practices and alignment to the broader technology strategy.

4.4. Cloud portabilityFootnote 17 is considered

In addition to planning appropriate exit strategies (see Section 2.3.5), the FRFI should also consider portability when entering an arrangement with a cloud service provider and as part of the design and implementation process in cloud adoption.

The FRFI should consider strategies (e.g., multi-cloud design) to build resilience and mitigate cloud service provider concentration risk.

Annex 1 – Examples of Due Diligence Considerations

Before entering an arrangement with a third party—whether written or not—and on an ongoing basis thereafter, the FRFI should perform due diligence. At minimum, due diligence should consist of the following non-exhaustive factors:

  1. Experience, technical competence, and capacity of the third party to implement and support the activities it is being engaged to provide, including, where applicable, the experience, technical competence, and capacity of material subcontractors;

  2. Financial strength of the third party to deliver successfully on the third-party arrangement;

  3. Compliance with applicable laws, rules, regulations and regulatory guidance within Canada and other relevant jurisdictions;

  4. Potential reputation risk associated with the third-party relationship or its services, including existence of any recent or pending litigation, investigation or complaints against the third party;

  5. Strength of the third party’s risk management programs, processes, and internal controls as well as the reporting environment (the FRFI should determine if there is alignment with the FRFI’s risk management processes and controls);

  6. The third party’s capacity to:

    • manage technology and cyber risks in accordance with the expectations outlined in OSFI’s Guideline B-13: Technology and Cyber Risk Management; and

    • provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory;

  7. Strength of the third party’s information security programs including their alignment with the FRFI’s programs;

  8. The third party’s capacity to provide critical services through disruption by examining its business continuity and disaster recovery plans, including the quality of such plans and the frequency and results of testing;

  9. The third party’s reliance on, and capacity to manage, subcontractors;

  10. Impact of the third-party arrangement, including its subcontractors, on concentration risk;

  11. Geographic location of the third party’s and its material subcontractors’ operations;

  12. Ability and ease of substituting the third party with another third party and impact of such substitution on the FRFI’s operations;

  13. Portability of applications/services provided by a third party to another third party or the FRFI;

  14. Third party’s insurance coverage;

  15. Third party’s business objectives, human resource policies, service philosophies, business culture, and their alignment with those of the FRFI; and

  16. Potential for political or legal risks related to the jurisdiction of the third party, or the jurisdictions of any material subcontractors.

Annex 2 – Minimum Provisions for Third-Party Agreements

This annex provides a non-exhaustive list of provisions that FRFIs should include in duly executed agreements with third parties (tailored to the circumstances of the third-party arrangement):

  1. Nature and scope of the arrangement: The agreement should specify the nature and scope of the arrangement, including provisions that address the frequency, content and format of services, duration of the agreement, and physical location of the services being provided.

  2. Roles and Responsibilities: The agreement should clearly establish the roles and responsibilities of the FRFI and the third party and any material subcontractors of the third party, including for managing technology and cyber risks and controls.

  3. Use of subcontractors: The agreement should establish parameters on the use of subcontractors and require the third party to notify the FRFI of any subcontracting of services so that the FRFI may conduct due diligence, as well as assess and manage the risk of the subcontractors and any potential impacts from a change in service.

  4. Pricing: The agreement should set out the basis for calculating fees relating to the services being provided.

  5. Performance measures: The agreement should establish performance measures that allow each party to determine whether the commitments set out in the agreement are being fulfilled.

  6. Ownership and access: The agreement should identify and establish ownership of all assets (intellectual and physical) related to third-party arrangements, including assets generated or purchased pursuant to the arrangement. The agreement should also specify whether and how the third party has the right to use the FRFI’s assets (e.g., data, hardware and software, system documentation or intellectual property), including authorized users, and the FRFI’s right of access to those assets.

  7. Security of records and data: The agreement should govern the confidentiality, integrity, security, and availability of records and data.

  8. Notifications to the FRFI: The agreement should require the third party to notify the FRFI of:

    1. incidents/events (at the third party or a subcontractor) that impact or could potentially impact services provided, the FRFI’s customers/data or the FRFI’s reputation;

    2. technology and cyber security incidents (at the third party or a subcontractor) to enable the FRFI to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory;

    3. significant organizational/operational changes.

  9. Dispute resolution: The agreement should incorporate a protocol for resolving disputes. The agreement should also specify whether the third party must continue providing the service during a dispute and the resolution period, as well as the jurisdiction, governing law(s), and rules under which the dispute will be settled.

  10. Regulatory compliance: The agreement should enable the FRFI to comply with all applicable legislative and regulatory requirements, including, but not limited to, location of records and privacy of client information.

  11. Business continuity and recovery: The agreement should require the third party to outline measures for ensuring continuity of services in the event of disruption including testing and reporting expectations and mitigation requirements, as well as requirements of the third party to monitor and manage technology and cyber security risk.

  12. Default and termination: The agreement should specify what constitutes a default, or right to terminate, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. Appropriate notice should be required for termination of the service and, where applicable, the FRFI’s assets should be returned in a timely fashion. Any data and records should be returned to the FRFI in a format that allows the FRFI to sustain business operations without unreasonable expense.

    The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution. For example, the agreement should, among other things, remain valid and enforceable in resolution provided there is no default in payment obligations.

  13. Insurance: The agreement should require the third party to obtain and maintain appropriate insurance and disclose the general terms and conditions of the insurance coverage. The agreement should also require the third party to notify the FRFI in the event of significant changes in insurance coverage.

  14. Prudent risk management: The agreement should include any additional provisions necessary for the FRFI to prudently manage its risks in compliance with this Guideline.

Footnotes

Footnote 1

In accordance with supervisory information requirements set out in the Bank Act, the Insurance Companies Act, and the Trust and Loan Companies Act.

Footnote 2

‘Foreign bank branches’ refers to foreign banks authorized to carry on business in Canada on a branch basis under Part XII.1 of the Bank Act. ‘Foreign insurance company branches’ refers to foreign entities that are authorized to insure in Canada risks on a branch basis under Part XIII of the Insurance Companies Act.

Footnote 3

An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement.

Footnote 4

For clarity, the third-party risk management expectations set out in this Guideline are not intended to replace or substitute for, but rather to serve in addition to, appropriate counterparty credit risk and market risk management activities applied in respect of financial market infrastructures.

Footnote 5

OSFI recognizes that a federally endorsed framework will be developed to govern consumer-directed data mobility within the financial sector. This guideline is not intended to impede the establishment or operations of such a framework. Once the framework is designed, OSFI may provide relevant guidance as appropriate.

Footnote 6

Throughout this document, the term “subcontractors” refers broadly to the third party’s supply chain.

Footnote 7

In cases where data is being exchanged between the FRFI and a third party or where the third party has access to FRFI systems, data corruption and breaches may occur at the third party, the FRFI location or while the data is in transit.

Footnote 8

Please see s. 238 of the Bank Act, s. 261 of the Insurance Companies Act, and s. 243 of the Trust and Loan Companies Act.

Footnote 9

Records that change less frequently than daily remain accurate until they change. Accordingly, records should be updated daily or at the frequency with which they change.

Footnote 10

Please see ss. 239(1) of the Bank Act, ss. 262(1) of the Insurance Companies Act, and ss. 244(1) of the Trust and Loan Companies Act.

Footnote 11

Please see ss. 239(3.1) of the Bank Act, ss. 262(3.1) of the Insurance Companies Act, and ss. 244(3.1) of the Trust and Loan Companies Act.

Footnote 12

Please see Sections 2.3.2.1 and 2.3.2.2 of this Guideline.

Footnote 13

Risk acceptance refers to a decision to accept an identified risk and not take any, or further, mitigating actions.

Footnote 14

The preference is always to have the arrangement documented in a contract; however, OSFI recognizes that there may be situations where obtaining a contract is challenging.

Footnote 15

For this purpose, actuarial services relate to the determination of an amount to be recorded in the financial statements of the FRFI or work normally undertaken by its appointed actuary. They do not include services that involve assisting the FRFI in understanding the methods, models, assumptions and inputs used, and advising management on the appropriate actuarial methods and assumptions that will be used. Consistent with Guideline E-15 (Appointed Actuary: Legal Requirements, Qualifications and Peer Review), the FRFI may use an actuary working in the company's external auditor firm for the external review of the appointed actuary's work and reports.

Footnote 16

Refer to Guideline B-13 - Technology and Cyber Risk Management for OSFI’s expectations on FRFI technology and cyber risk management.

Footnote 17

NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defines portability as the ability for data to be moved from one cloud system to another, or for applications to be ported and run on different cloud systems, at an acceptable cost.
