Canada: Outsourcing For Financial Institutions – B-10 Is Not Enough

With respect to outsourcing arrangements, federally regulated entities (FREs) are well aware of the expectations of the Office of the Superintendent of Financial Institutions (OSFI) set out in Guideline B-10: Outsourcing of Business Activities, Functions and Processes (Guideline B-10). But OSFI's expectations with respect to outsourcing arrangements extend beyond Guideline B-10, and compliance with Guideline B-10 is not enough.

GUIDELINE B-10

Guideline B-10 is the primary guideline with respect to material outsourcing arrangements. It sets out OSFI's expectations for FREs that outsource or contemplate outsourcing one or more of their business activities to a service provider, including the implementation of an outsourcing policy and the assessment of the risk and materiality of outsourcing arrangements. As between an FRE and its service provider, OSFI expects:

  • the FRE to retain ultimate accountability for all outsourced activities;
  • that OSFI's supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party; and
  • the FRE to document all of its material outsourcing arrangements in a written contract for services.

However, OSFI's expectations regarding outsourcing do not end with Guideline B-10. OSFI is generally placing an increased emphasis on enterprise-wide risk management, as we are also seeing from regulators in other countries. For example, the Office of the Comptroller of the Currency in the United States has recently published risk management guidance that applies to third-party relationships generally. Therefore, in addition to Guideline B-10, when considering any material or non-material outsourcing or other service arrangement, FREs should bear in mind their overall risk appetite as well as all of the following guidance, practices, expectations and requirements.

THE THREE LINES OF DEFENCE

Although not formalized in any OSFI guidance or advisory, OSFI has suggested through public remarks and industry presentations that FREs consider implementing the "three lines of defence" in the assessment and monitoring of outsourcing arrangements.

The three lines of defence have been identified by the Basel Committee on Banking Supervision (Basel Committee) as the recommended global industry practice for sound operational risk governance. The three lines of defence are:

  • business line management;
  • an independent corporate operational risk management function; and
  • an independent review.

The Basel Committee provides a global forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. Canada is one of the member countries represented on the Basel Committee and OSFI is the competent authority for the implementation of Basel Committee recommendations in Canada.

The Basel Committee describes the three lines of defence as follows:

First Line

Business line management, which is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable.

Second Line

A functionally independent corporate operational risk management function, which should generally complement the business line's operational risk management activities. The degree of independence of this line of defence will vary among FREs. This function may include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of this line of defence is to challenge the business lines' input to and outputs from the FRE's risk management, risk measurement and reporting systems. The corporate operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

Third Line

Independent review and challenge of the FRE's operational risk management controls, processes and systems. Those performing these reviews must be competent and appropriately trained and not involved in the development, implementation and operation of the FRE's operational risk management framework. This review may be done by internal audit or by staff independent of the process or system under review, but may also involve suitably qualified external parties. In cases where the audit activities have been outsourced, senior management should consider the effectiveness of the underlying arrangement as well as the suitability of relying on an outsourced function as a third line of defence.

The Basel Committee – and OSFI – recognizes that the structure and activities of the three lines of defence will often vary, depending on an FRE's portfolio of products, activities, processes and systems, the FRE's size and its risk management approach.

In assessing an FRE's outsourcing arrangements, we expect that OSFI may consider both compliance with Guideline B-10 and how the three lines of defence have been implemented. OSFI has recently mentioned some common findings from a review of FRE outsourcing arrangements and reported that the second and third lines of defence were sometimes missing. FREs should consider how they have implemented the Basel Committee's three lines of defence within their risk management framework generally and specifically when assessing and monitoring outsourcing arrangements.

RECORD KEEPING IN CANADA

With respect to location of records, Guideline B-10 provides that certain records of entities carrying on business in Canada must be maintained in Canada, in accordance with the applicable financial institutions statutes, and that an FRE is expected to ensure that OSFI can access in Canada any records necessary to enable OSFI to fulfil its mandate. OSFI Guidelines E-4A – Role of the Chief Agent and Record Keeping Requirements and E-4B – Role of the Principal Officer and Record Keeping Requirements (collectively, Record Keeping Guidelines) elaborate on the type and form of records that must be maintained in Canada.

The Record Keeping Guidelines apply specifically to Canadian branches of foreign insurance companies and foreign banks (collectively, Branches). However, OSFI has also pointed other types of FREs to the Record Keeping Guidelines as a source of OSFI's expectations regarding the maintenance of records in Canada. Therefore, all FREs should be aware of these guidelines, in particular when entering into outsourcing arrangements with service providers who are located outside of Canada or who provide some or all of their services from a location outside of Canada.

The Record Keeping Guidelines provide that where the processing of records related to a Branch's business occurs at a location other than the principal office or chief agency, the records must be backed up as appropriate and provided to the Branch to ensure that records maintained in Canada are up to date at the end of each business day. The Record Keeping Guidelines specifically note that downloading of records to the Canadian Branch is only required when the records have changed from the previous day.  

In respect of the form of records, the financial institutions statutes provide that an FRE has the option of preparing and maintaining records in hard copy or electronically, provided that electronic records can be reproduced "in intelligible written form within a reasonable period of time". The Record Keeping Guidelines provide that OSFI expects to be able to obtain such information without incurring additional cost and using readily available commercial applications. However, OSFI maintains discretion to require that certain records be maintained in hard copy.

In entering into outsourcing arrangements that involve the processing or maintenance of any records that an FRE must maintain in Canada, the FRE should ensure that the service provider – whether it is an affiliate or a third party – is able to provide the services to the FRE in a manner that will allow the FRE to meet the legal requirements applicable to the FRE and OSFI's expectations set out in the Record Keeping Guidelines.

CYBER SECURITY

OSFI recently released Cyber Security Self-Assessment Guidance (Cyber Security Guidance) for FREs which included a self-assessment template that set out the "desirable properties and characteristics of cyber security practices that could be considered by a FRE when assessing the adequacy of its cyber security framework and when planning enhancements to its framework" (see our October 2013 Blakes Bulletin: OSFI Releases Cyber Security Self-Assessment Guidance). The template specifically refers to the assessment and mitigation of cyber risk arising from material outsourcing arrangements and critical IT service providers. The assessment of cyber risk should be built into the existing risk management framework of FREs, including with respect to the assessment of outsourcing arrangements.

OUTSOURCING TO RELATED PARTIES

Under the various financial institutions statutes, FREs, other than foreign branches, are generally prohibited from entering into related party transactions unless such transactions are permitted under the statute and, in some cases, approved by the Superintendent. In addition, an FRE is required to have an internal policy on related party transactions. The statutes permit an FRE to enter into a written service contract with a related party for services used in the ordinary course of business, provided that the service arrangement is on terms and conditions that are at least as favourable to the FRE as market terms and conditions. In addition to all of the other guidance noted above, FREs should bear this statutory requirement in mind with respect to service arrangements with related parties, and should also ensure that any such arrangements comply with the FRE's internal policy on related party transactions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
