OSFI consults on third-party risk management expectations through a revised Guideline B-10

OSFI extends consultation deadline for Draft Guidelines B-10 and B-15

The Office of the Superintendent of Financial Institutions (OSFI) is extending the comment period for the public consultation processes on Draft Revised Guideline B-10 Third-Party Risk Management and Draft Guideline B-15 Climate Risk Management until September 30, 2022.

OSFI will communicate any subsequent changes to the planned publication schedules of these final guidelines at a later date.

Document Properties

Type of Publication: Letter
Date: April 27, 2022
To: All Federally Regulated Financial Institutions

Today, the Office of the Superintendent of Financial Institutions (OSFI) begins consultations on revised Draft Guideline B-10 – Third-Party Risk Management, which sets out enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs).

The financial industry has long made use of third-party arrangements to introduce efficiency, drive innovation, manage shifting operational needs, and improve service. Increasingly, FRFIs are relying on an expanded third-party ecosystem to execute on and deliver more of their critical activities. This increases the likelihood that these arrangements could impact a FRFI’s operational and financial resilience.

To address these risks, OSFI is enhancing Guideline B-10 to reflect a more comprehensive set of third-party risks within this expanded third-party ecosystem. Revised Guideline B-10 now places a greater emphasis on governance and risk management programs, and sets outcomes-focused, principles-based expectations for FRFIs on the sound management of third-party risk (see Annex for more details).

Proposed changes to Guideline B-10 are informed by findings from OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, and industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13). In response to consultation feedback, OSFI modified its approach to expectations on technology and cyber risk in third-party arrangements. Certain sections of Draft Guideline B-13 have moved to the revised Draft Guideline B-10. Changes are also influenced by observations from OSFI’s ongoing supervisory and policy work.

Separately, OSFI recognizes that a federally endorsed framework will be developed to govern consumer-directed data mobility within the financial sector. This guideline is not intended to impede the establishment or operations of such a framework. Once the framework is designed, OSFI may provide relevant guidance as appropriate.

OSFI welcomes public comments on proposed changes to Guideline B‑10 and is particularly interested in feedback on the clarity and granularity of detail of OSFI’s risk management expectations. Please submit comments to b10@osfi-bsif.gc.ca by July 27, 2022.

OSFI expects to issue the final Guideline in fall 2022, along with a non-attributed summary of comments received and OSFI’s response.

OSFI will host an information session for financial institutions and other interested stakeholders on Wednesday, May 4 at 2:00 p.m. (ET) to provide an overview of Draft Guideline B-10 and an opportunity to raise questions. CLICK HERE to register for the webinar.

Annex

Principal Changes Made to Guideline B-10
Principle Changes	Current Guideline B-10	Revised Draft Guideline B-10
Expanded Scope	Applies to outsourcing arrangements	Applies to third-party arrangements
Widened Risk Lens	Focus on outsourcing risk	Focus on third-party risk and related risks
Enhanced Risk Focus	Reliance on contractual provisions to manage risk	Emphasis on governance and risk management programs
Modernized Guidance	Legal language, dated guidance style	Reorganised and streamlined, sets clear outcomes and principles

Expanded Scope

Draft Guideline B-10 applies to a significantly wider variety of third-party arrangements. It proposes to govern not only risks posed by traditional outsourcing arrangements, but also risks posed by external entities that a FRFI engages with on a commercial or strategic basis, including material subcontractors.

Widened Risk Lens

Draft Guideline B-10 includes a definition of third-party risk which extends significantly beyond the current concept of outsourcing risk. This definition aims to capture risks that could disrupt a FRFI’s operations from a wider range of external risk factors.

In addition, the revised definition encompasses a series of related risks at third parties, such as technology, cyber, data security, financial, operational, business continuity management, subcontracting/supply chain risks, and concentration risks.

Enhanced Risk Focus

Draft Guideline B-10 sets expectations for FRFIs to adopt a ‘lifecycle’ approach to risk management for third-party arrangements, commensurate with the level of risk of the arrangement.

Draft Guideline B-10 replaces the previous binary approach (“material” vs. “non-material” outsourcing) with a risk-based approach. It also introduces the concept “criticality” of third-party arrangements. Third parties are, therefore, expected to be managed according to individual levels of risk and criticality.

Modernized Guidance

Draft Guideline B-10 has been modernized to present an outcomes-focused, principles-based approach for FRFIs to manage third-party risk. OSFI has established five high-level outcomes, 11 related principles, and a series of risk management expectations to help FRFIs achieve those outcomes.