Copyright 2008, Blake, Cassels & Graydon LLP
Originally published in Blakes Bulletin on Financial Services/Outsourcing, January 2009
Guideline B-10 on Outsourcing of Business Activities, Functions and Processes (Guideline B-10) sets out the expectations of the Office of the Superintendent of Financial Institutions Canada (OSFI) for federally regulated entities (FREs) that outsource or contemplate outsourcing one or more of their business activities to a service provider. On December 10, 2008, OSFI released, for comment, a draft revised Guideline B-10 (the Proposed Guideline).
This bulletin is divided into two parts:
Part I – For FREs: Changes to Guideline B-10
FREs that outsource one or more of their business activities are probably already familiar with Guideline B-10. However, some of the proposed changes may require a change to their current business practices, policies and procedures governing outsourcing arrangements. We have summarized those proposed changes to Guideline B-10 below in Part I of this bulletin.
Part II – For Service Providers: What is Guideline B-10 and why should you care?
For service providers that provide services to FREs, we have provided in Part II of this bulletin a broad overview of Guideline B-10 and the way in which it will impact your relationship with your FRE customers.
Part I – For Federally Regulated Entities: Changes to Guideline B-10
In the accompanying letter to the Proposed Guideline, OSFI has stated that the changes made to Guideline B-10 are not substantive in nature and are only intended to:
- address changes resulting from the coming into force of Bill C-37, which removed the requirement for FREs to obtain the approval of the Superintendent of Financial Institutions to maintain and process outside of Canada information or data relating to the preparation and maintenance of certain corporate, accounting and customer records
- specify a transition measure for FREs to bring into compliance their outsourcing arrangements that are obtained as part of an acquisition
- clarify the expectation that FREs need to consider the potential influence of multiple outsourcing arrangements, in the aggregate, with a single service provider as part of the FRE's materiality test
- provide a standardized template for a centralized list that FREs could use in order to summarize their material outsourcing arrangements.
Despite OSFI's stated intention, the Proposed Guideline makes a number of substantive changes, namely:
Due Diligence Process
Under the current Guideline B-10, OSFI expects you to undertake a due diligence process that fully assesses the risks associated with the outsourcing arrangement when you (i) enter into, or (ii) renew your service contract or outsourcing agreement. Under the Proposed Guideline, you will also be expected to undertake this due diligence process when you substantially amend the service contract or outsourcing agreement.
Content of Outsourcing Agreement
(a) The Proposed Guideline clarifies that the contracts or outsourcing agreements are to detail the physical location where the service provider will provide the service. This clarification would be particularly important for electronic services.
(b) The requirement for the outsourcing contract to contain a business continuity plan has been changed in the case of intra-group outsourcing arrangements to provide that the business continuity plan must be appropriate. In addition, the outsourcing agreement will need to place obligations on service providers to ensure continuity of services in case of events affecting the service providers' operations, including reasonably foreseeable events (in addition to problems). You should ensure that the service provider tests its business recovery system as it pertains to the outsourced activity and addresses any material deficiencies. You are now expected to provide a summary of the test results to OSFI upon reasonable notice.
OSFI's Audit Rights
The Proposed Guideline has deleted a statement relating to OSFI exercising its right to audit service providers or access the service providers' papers only in extreme circumstances. Instead, the Proposed Guideline provides that OSFI will provide you with reasonable notice of its intent to exercise its audit rights and would share its findings with you where appropriate.
Monitoring of Service Providers
As part of your obligation to monitor the service provider, at least annually, to ascertain its ability to continue to deliver the services in the manner expected, the Proposed Guideline states that your review should be commensurate with the level of risk involved and that it should include, among other matters, an assessment of the use and performance of significant subcontractors.
The Proposed Guideline does not provide for a transition period for FREs to comply with its requirements nor does it contain any grandfathering clause, despite the fact that some of the proposed changes would require amendments to existing outsourcing arrangements.
FREs are invited to provide comments to OSFI, by January 16, 2009, through their industry associations.
Part II – For Service Providers: What is Guideline B-10 and why should you care?
Have you ever had an FRE customer insist on having a contractual right for its regulator to audit and inspect your business or insist that its contract with you set out the address for each facility where you intend to perform services on its behalf? Have you ever wondered why your FRE customer insisted on these types of contractual rights? Well, wonder no more – enter OSFI's Guideline B-10.
What is Guideline B-10?
Guideline B-10 is OSFI's predominant regulatory tool regarding outsourcing. It sets out OSFI's expectations for all FREs that outsource one or more of their business activities. As between an FRE and its service provider, OSFI has three key expectations of the FRE:
- OSFI expects the FRE to retain ultimate accountability for all outsourced activities
- OSFI expects that its supervisory powers should not be constrained, irrespective of whether an activity is conducted in-house, outsourced or otherwise obtained from a third party
- OSFI expects the FRE to document all of its material outsourcing arrangements in a written contract for services.
What does this mean to you as a service provider to an FRE?
Ultimately, these expectations will affect the nature of your service contract with the FRE. As noted above, OSFI expects the FRE to document its material outsourcing arrangements in a written contract for services. This materiality assessment is done by the FRE in accordance with its outsourcing policy. Outsourcing arrangements that are deemed clearly material are expected to follow the risk management program detailed in Guideline B-10; outsourcing arrangements that are clearly immaterial are not expected to follow the risk management program. You should be aware that OSFI's guidance suggests that an outsourcing arrangement that is not clearly immaterial should be treated as material and should be subject to the risk management program detailed in Guideline B-10.
As part of the risk management program, Guideline B-10 mandates that the service contract relating to a material outsourcing arrangement contain specific provisions, including (but not limited to) the following:
Location. Pursuant to Guideline B-10, the service contract is expected to detail where you, as the FRE's service provider, will be providing the service. To this end, the FRE will expect its contract with you to specify the location of each facility, inside and outside of Canada, from where you intend to provide the services for the FRE.
Confidentiality. OSFI expects the service contract to set out the FRE's requirements for confidentiality and security. In addition, Guideline B-10 provides that the security and confidentiality policies adopted by a service provider should be commensurate with those of the FRE and should meet a reasonable standard in the circumstances. OSFI also expects appropriate security and data confidentiality protections to be in place. As the service provider, you will be expected to be able to logically isolate the FRE's data, records and other items in process from those of your other customers at all times, even under adverse conditions.
Contingency Planning. OSFI expects the service contract to outline the service provider's measures for ensuring the continuation of the outsourced business activity in the event of problems affecting the service provider's operations. To this end, your FRE customer will probably include provisions in its service contract with you confirming that you have (or will implement) and will maintain a business continuity plan that provides for the continuation of services in the event of problems affecting your operations, including a breakdown in your system, a natural disaster or business disruption. In addition, Guideline B-10 requires the FRE to ensure that each service provider (i) regularly tests its business recovery plans, (ii) notifies the FRE of test results, and (iii) notifies the FRE in the event that significant changes are made by the service provider to its business recovery and contingency plans or if the service provider encounters other circumstances that might have a serious impact on the service being performed on behalf of the FRE.
Audit Rights. OSFI expects the service contract to clearly stipulate the audit requirements and rights of both parties. As noted above, OSFI expects that, in all situations, including where an activity has been outsourced to a third party service provider, OSFI will retain its supervisory powers over the FRE. To this end, your FRE customer will want to ensure that its contractual audit rights are broad enough that they will extend to OSFI (or a representative of OSFI). Guideline B-10 mandates that the service contract should provide OSFI (or a representative of OSFI) with the right to:
- exercise the contractual rights of the FRE relating to audits
- accompany the FRE or its independent auditor when it carries out its contractual audit rights
- access and make copies of any internal audit reports prepared by or for you as the service provider in respect of the services being performed for the FRE (including any associated working papers and recommendations), subject to OSFI signing a confidentiality document in form and substance satisfactory to you as the service provider
- access findings in the external audit of the service provider, including any associated working papers and recommendations that address the service being performed for the FRE, subject to OSFI signing a confidentiality document in form and substance satisfactory to you as the service provider.
Alternatively, or in addition to these provisions, your FRE customer may ask you to provide a separate undertaking addressing these audit rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.