Canada: Outsourcing For Financial Institutions – B-10 Is Not Enough

With respect to outsourcing arrangements, federally regulated entities (FREs) are well aware of the expectations of the Office of the Superintendent of Financial Institutions (OSFI) set out in Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10). But OSFI's expectations with respect to outsourcing arrangements extend beyond Guideline B-10, and compliance with Guideline B-10 is not enough.


Guideline B-10 is the primary guideline with respect to material outsourcing arrangements. It sets out OSFI's expectations for FREs that outsource or contemplate outsourcing one or more of their business activities to a service provider, including the implementation of an outsourcing policy and the assessment of the risk and materiality of outsourcing arrangements. As between an FRE and its service provider, OSFI expects:

  • the FRE to retain ultimate accountability for all outsourced activities;
  • that OSFI's supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party; and
  • the FRE to document all of its material outsourcing arrangements in a written contract for services.

However, OSFI's expectations regarding outsourcing do not end with Guideline B-10. OSFI is generally placing an increased emphasis on enterprise-wide risk management, as we are also seeing from regulators in other countries. For example, the Office of the Comptroller of the Currency in the United States has recently published risk management guidance that applies to third-party relationships generally. Therefore in addition to Guideline B-10, when considering any material or non-material outsourcing or other service arrangement, FREs should bear in mind their overall risk appetite as well as all of the following guidance, practices, expectations and requirements.


Although not formalized in any OSFI guidance or advisory, OSFI has suggested through public remarks and industry presentations that FREs consider implementing the "three lines of defence" in the assessment and monitoring of outsourcing arrangements.

The three lines of defence have been identified by the Basel Committee on Banking Supervision (Basel Committee) as the recommended global industry practice for sound operational risk governance. The three lines of defence are:

  • business line management;
  • an independent corporate operational risk management function; and
  • an independent review.

The Basel Committee provides a global forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. Canada is one of the member countries represented on the Basel Committee and OSFI is the competent authority for the implementation of Basel Committee recommendations in Canada.

The Basel Committee describes the three lines of defence as follows:

First Line

Business line management, which is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable.

Second Line

A functionally independent corporate operational risk management function, which should generally complement the business line's operational risk management activities. The degree of independence of this line of defence will vary among FREs. This function may include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of this line of defence is to challenge the business lines' input to and outputs from the FRE's risk management, risk measurement and reporting systems. The corporate operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

Third Line

Independent review and challenge of the FRE's operational risk management controls, processes and systems. Those performing these reviews must be competent and appropriately trained and not involved in the development, implementation and operation of the FRE's operational risk management framework. This review may be done by internal audit or by staff independent of the process or system under review, but may also involve suitably qualified external parties. In cases where the audit activities have been outsourced, senior management should consider the effectiveness of the underlying arrangement as well as the suitability of relying on an outsourced function as a third line of defence.

The Basel Committee – and OSFI – recognizes that the structure and activities of the three lines of defence will often vary, depending on an FRE's portfolio of products, activities, processes and systems, the FRE's size and its risk management approach.

In assessing an FRE's outsourcing arrangements, we expect that OSFI may consider both compliance with Guideline B-10 and how the three lines of defence have been implemented. OSFI has recently mentioned some common findings from a review of FRE outsourcing arrangements and reported that the second and third lines of defence were sometimes missing. FREs should consider how they have implemented the Basel Committee's three lines of defence within their risk management framework generally and specifically when assessing and monitoring outsourcing arrangements.


With respect to location of records, Guideline B-10 provides that certain records of entities carrying on business in Canada must be maintained in Canada, in accordance with the applicable financial institutions statutes, and that an FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfil its mandate. OSFI Guidelines E-4A – Role of the Chief Agent and Record Keeping Requirements and E-4B – Role of the Principal Officer and Record Keeping Requirements (collectively, Record Keeping Guidelines) elaborate on the type and form of records that must be maintained in Canada.

The Record Keeping Guidelines apply specifically to Canadian branches of foreign insurance companies and foreign banks (collectively, Branches). However, OSFI has also pointed other types of FREs to the Record Keeping Guidelines as a source of OSFI's expectations regarding the maintenance of records in Canada. Therefore all FREs should be aware of these guidelines, in particular when entering into outsourcing arrangements with service providers who are located outside of Canada or who provide some or all of their services from a location outside of Canada.

The Record Keeping Guidelines provide that where the processing of records related to a Branch's business occurs at a location other than the principal office or chief agency, the records must be backed up as appropriate and provided to the Branch to ensure that records maintained in Canada are up to date at the end of each business day. The Record Keeping Guidelines specifically note that downloading of records to the Canadian Branch is only required when the records have changed from the previous day.  

In respect of the form of records, the financial institutions statutes provide that an FRE has the option of preparing and maintaining records in hard copy or electronically, provided that electronic records can be reproduced "in intelligible written form within a reasonable period of time". The Record Keeping Guidelines provide that OSFI expects to be able to obtain such information without incurring additional cost and using readily available commercial applications. However, OSFI maintains discretion to require that certain records be maintained in hard copy.

In entering into outsourcing arrangements that involve the processing or maintenance of any records that an FRE must maintain in Canada, the FRE should ensure that the service provider – whether it is an affiliate or a third party – is able to provide the services to the FRE in a manner that will allow the FRE to meet the legal requirements applicable to the FRE and OSFI's expectations set out in the Record Keeping Guidelines.


OSFI recently released Cyber Security Self-Assessment Guidance (Cyber Security Guidance) for FREs which included a self-assessment template that set out the "desirable properties and characteristics of cyber security practices that could be considered by a FRE when assessing the adequacy of its cyber security framework and when planning enhancements to its framework" (see our October 2013 Blakes Bulletin: OSFI Releases Cyber Security Self-Assessment Guidance). The template specifically refers to the assessment and mitigation of cyber risk arising from material outsourcing arrangements and critical IT service providers. The assessment of cyber risk should be built into the existing risk management framework of FREs, including with respect to the assessment of outsourcing arrangements.


Under the various financial institutions statutes, FREs, other than foreign branches, are generally prohibited from entering into related party transactions unless such transactions are permitted under the statute and, in some cases, approved by the Superindendent. In addition, an FRE is required to have an internal policy on related party transactions. The statutes permit an FRE to enter into a written service contract with a related party for services used in the ordinary course of business, provided that the service arrangement is on terms and conditions that are at least as favourable to the FRE as market terms and conditions. In addition to all of the other guidance noted above, FREs should bear this statutory requirement in mind with respect to service arrangements with related parties, and should also ensure that any such arrangements comply with the FRE's internal policy on related party transactions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions