Financial Services Update
OSFI is currently accepting comments from the public and the financial industry on the revised version of the Third-Party Risk Management Guideline B-10 (the Draft Guideline). The comment period for the public consultation has been extended from July 27, 2022 to September 30, 2022. OSFI expects to issue a final version of the Draft Guideline by the end of 2022.
On April 27, 2022, OSFI released the revised Draft Guideline. It supersedes the 2009 version of OSFI Guideline B-10 on outsourcing of business activities, functions and processes, and sets OSFI's expectations for federally regulated financial institutions (FRFIs) when outsourcing services to third parties.
The proposed changes in the Draft Guideline are informed by OSFI’s 2019 Third-Party Risk Study. The revised Draft Guideline also reflects comments received by OSFI during the consultation and comment period for the Technology and Cyber Risk Management Guideline B-13 (Guideline B-13), issued in July 2022. The proposed changes are intended to ensure consistency between the Draft Guideline and OSFI’s more recent guidance, including Guideline B-13 and the Corporate Governance Guideline.
Key changes proposed by the Draft Guideline
The Draft Guideline is broader in scope than its predecessor and sets higher expectations for FRFIs. It proposes the following key changes:
- Extending the scope from “outsourcing arrangements” to the broader category of “third-party arrangements”. The Draft Guideline defines a third-party arrangement as a business or strategic arrangement between the FRFI and a company or individual, whether contractual or otherwise. This definition excludes arrangements between FRFIs and their customers.
- Widening the focus from “outsourcing risk” to “third-party risk”. Third-party risk is the risk to the FRFI’s operational and financial resilience or reputation if a third party fails to provide goods and services, fails to protect data or systems, or otherwise fails to perform activities consistent with the arrangement. Examples of third-party risk include political, geographic, legal or environmental risks that affect a third party.
- Requiring that the FRFI’s governance and risk management programs cover the full life cycle of a third-party arrangement.
- Replacing the distinction between “essential” and “non-essential” outsourcing with a risk-based approach.
Outcomes and principles
The proposed changes in the Draft Guideline reflect five outcomes outlined by OSFI. The outcomes focus on the management of third-party risk and aim to:
- ensure that governance and accountability structures are clear, and that comprehensive risk strategies and frameworks are in place to contribute to ongoing operational and financial resilience;
- identify and assess the risks posed by third parties;
- manage and mitigate the risks posed by third parties within the FRFI’s Risk Appetite Framework;
- ensure that third-party performance is continuously monitored and evaluated, and that risks and incidents are proactively addressed; and
- ensure that the FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of arrangements and interactions with third parties.
To achieve these outcomes, OSFI sets out 11 principles that inform the design of the Draft Guideline:
- Principle 1: The FRFI is ultimately responsible for all business activities, functions and services that have been outsourced to third parties, and for managing the risks associated with third-party arrangements.
- Principle 2: The FRFI should establish a Third-Party Risk Management Framework (TPRMF) that establishes clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting risks associated with third-party use.
- Principle 3: Before entering into an arrangement with a third party, and periodically thereafter according to the level of risk and criticality of the arrangement, the FRFI should identify and assess the risks of the arrangement. In particular, the FRFI should conduct risk assessments to inform the selection of third-party providers, to (re)assess the risk and criticality of the arrangement, and to plan appropriate risk mitigation and oversight.
- Principle 4: The FRFI should conduct due diligence prior to entering into any contract or other form of arrangement with a third party, on an ongoing basis and proportionate to the level of risk and criticality of the arrangement.
- Principle 5: The FRFI should assess, manage and monitor the risks of subcontracting agreements entered into by third parties, including the impact of these agreements on concentration risk.
- Principle 6: The FRFI should have written agreements that set out the rights and obligations of each party.
- Principle 7: During the term of the agreement with a third party, the FRFI and the third party should implement and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.
- Principle 8: The FRFI’s arrangements with third parties should provide the FRFI with timely access to accurate and comprehensive information to assist the FRFI in monitoring the performance and risks of third parties. The FRFI should also have the right to conduct or commission an independent third-party review.
- Principle 9: The FRFI’s agreement with the third-party provider should include the ability to continue operations during a disruption, including maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third party arrangements.
- Principle 10: The FRFI should monitor its arrangements with third parties to verify the third party’s ability to continue to meet its obligations and effectively manage risk.
- Principle 11: Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track and resolve incidents, to ensure ongoing operational and financial resilience and to maintain risk levels within the FRFI’s risk appetite.
Outsourcing to FINTECH companies
FRFIs that have outsourcing arrangements with FINTECH companies, or that receive services from FINTECH companies, should consider how the Draft Guideline will affect their obligations. FRFIs may need to revise their agreements with FINTECH third parties to ensure compliance with the proposed guidance. Likewise, FRFIs entering into or renewing outsourcing arrangements should consider the new obligations proposed in the Draft Guideline.
The Draft Guideline does not impose any direct requirements on FINTECH companies that provide services to FRFIs. However, FINTECH companies should be aware of the risk monitoring and oversight programs that FRFIs must implement, since these programs are likely to increase the reporting expectations placed on FINTECH companies that provide services to FRFIs.
The foregoing is a summary of the changes introduced by the Draft Guideline B-10 on Third-Party Risk Management. If you have specific questions, we invite you to contact a member of our financial services team.