Office of the Superintendent of Financial Institutions
Today, the Office of the Superintendent of Financial Institutions (OSFI) begins consultations on revised Draft Guideline B-10 – Third-Party Risk Management, which sets out enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs).
The financial industry has long made use of third-party arrangements to introduce efficiency, drive innovation, manage shifting operational needs, and improve service. Increasingly, FRFIs are relying on an expanded third-party ecosystem to execute on and deliver more of their critical activities. This increases the likelihood that these arrangements could impact a FRFI’s operational and financial resilience.
To address these risks, OSFI is enhancing Guideline B-10 to reflect a more comprehensive set of third-party risks within this expanded third-party ecosystem. Revised Guideline B-10 now places a greater emphasis on governance and risk management programs, and sets outcomes-focused, principles-based expectations for FRFIs on the sound management of third-party risk (see Annex for more details).
Proposed changes to Guideline B-10 are informed by findings from OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, and industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13). In response to consultation feedback, OSFI modified its approach to expectations on technology and cyber risk in third-party arrangements. Certain sections of Draft Guideline B-13 have moved to the revised Draft Guideline B-10. Changes are also influenced by observations from OSFI’s ongoing supervisory and policy work.
Separately, OSFI recognizes that a federally endorsed framework will be developed to govern consumer-directed data mobility within the financial sector. This guideline is not intended to impede the establishment or operations of such a framework. Once the framework is designed, OSFI may provide relevant guidance as appropriate.
OSFI welcomes public comments on proposed changes to Guideline B‑10 and is particularly interested in feedback on the clarity and granularity of detail of OSFI’s risk management expectations. Please submit comments to email@example.com by July 27, 2022.
OSFI expects to issue the final Guideline in fall 2022, along with a non-attributed summary of comments received and OSFI’s response.
OSFI will host an information session for financial institutions and other interested stakeholders on Wednesday, May 4 at 2:00 p.m. (ET) to provide an overview of Draft Guideline B-10 and an opportunity to raise questions.
Draft Guideline B-10 applies to a significantly wider variety of third-party arrangements. It proposes to govern not only risks posed by traditional outsourcing arrangements, but also risks posed by external entities that a FRFI engages with on a commercial or strategic basis, including material subcontractors.
Draft Guideline B-10 includes a definition of third-party risk which extends significantly beyond the current concept of outsourcing risk. This definition aims to capture risks that could disrupt a FRFI’s operations from a wider range of external risk factors.
In addition, the revised definition encompasses a series of related risks at third parties, such as technology, cyber, data security, financial, operational, business continuity management, subcontracting/supply chain risks, and concentration risks.
Draft Guideline B-10 sets expectations for FRFIs to adopt a ‘lifecycle’ approach to risk management for third-party arrangements, commensurate with the level of risk of the arrangement.
Draft Guideline B-10 replaces the previous binary approach (“material” vs. “non-material” outsourcing) with a risk-based approach. It also introduces the concept of the “criticality” of third-party arrangements. Third parties are, therefore, expected to be managed according to their individual levels of risk and criticality.
Draft Guideline B-10 has been modernized to present an outcomes-focused, principles-based approach for FRFIs to manage third-party risk. OSFI has established five high-level outcomes, 11 related principles, and a series of risk management expectations to help FRFIs achieve those outcomes.