On March 11, 2009, the Office of the Superintendent of Financial Institutions of Canada (OSFI) released a revised version of Guideline B-10, Outsourcing of Business Activities, Functions and Processes. The revised guideline contains the first changes since December 2003.
The guideline is a crucial directive from OSFI to federally regulated entities (FREs), notably most banks, trust companies and insurance companies in Canada, regarding their outsourcing activities. The guideline outlines a set of prudent practices, procedures and standards to be applied to outsourcing arrangements, while leaving the FRE with the flexibility to structure and manage its operations as it deems suitable.
The following are the key changes in the revised guideline:
- There is now arguably a lower threshold for determining whether
a contract is "material" and would thus be subject to a
full risk-management analysis and program. The original guideline
provided that an outsourcing arrangement would be subject to the
risk-management program if it is "clearly material." The
revised guideline removes the word "clearly," meaning
that an outsourcing arrangement will be subject to the
risk-management program simply if it is material (section 4).
- FREs will need to consider the application of the guideline not
only when conducting due diligence reviews of potential service
providers and when a contract is originally entered into, or
subsequently renewed, but now also upon any substantial amendment
to the contract (section 7.1).
- Outsourcing contracts must detail the physical locations from
which a service provider (and presumably its subcontractors)
actually provides the services (section 7.2.1(a)).
- FREs should conduct a review of the service provider's
ability to continue to deliver the service in the manner expected.
The FRE would conduct this review in a manner commensurate with the
level of risk involved. The review would likely include an
assessment of the service provider's circumstances and the
performance of any significant subcontractors (section
- The obligations have now been reduced for performing a full
risk-management program for arrangements between affiliates in
Canada or foreign parent companies (section 4).
- FREs will need to consider the possibility that multiple
outsourcing arrangements provided by the same service provider
could in aggregate make the contracts material and therefore
subject to the guideline, even if none of the arrangements alone
would be considered material (section 6).
- An FRE must not only scrutinize a service provider's
business-recovery plans at the time of entering into a contract but
also ensure that the service provider regularly tests its
business-recovery system as it pertains to the outsourcing
arrangement and remedies any important deficiencies. The revised
guideline also states that, upon request, the FRE will provide to
OSFI the business-recovery test results as they relate to the
outsourced activity (section 7.2.1(g)).
- The guideline has always required that FREs obtain the right
for OSFI to audit the service provider in certain circumstances.
Previously, the guideline indicated that OSFI would typically
exercise that audit right only in "extreme circumstances"
(such as when there are concerns about solvency of the FRE). That
limitation has now been removed, suggesting that OSFI may be more
likely to exercise its audit right, whether or not there are
"extreme circumstances" (section 7.2.1(h)).
- Any outsourcing arrangements inherited by an FRE as part of an
acquisition must be brought into compliance "at the first
opportunity," such as at the time an outsourcing contract or
statement of work is substantially amended, renewed or extended
Section 8 of the guideline previously contained the obligation for an FRE to obtain OSFI's prior approval to outsource data processing to a service provider outside Canada if that data related to the preparation and maintenance of certain key corporate, accounting and customer records. The revised guideline has deleted this obligation to reflect an earlier policy change by OSFI, when such obligation was repealed by Bill C-37, An Act to amend the law governing financial institutions and to provide for related and consequential changes, in April 2007.
Implications for Banks and Other Federally Regulated Institutions
To a large extent, these amendments reflect sound contracting and business practices, like the guideline generally, and do not represent significant changes. OSFI indicated that the changes are only "clarifications" and not specific new obligations. For this reason, OSFI has decided that no transition period would be required for existing contracts to be altered to comply with the revised guideline.
However, despite OSFI's view, the revisions have introduced new obligations and refinements that will undoubtedly affect when and how an FRE must analyze its outsourcing contracts and business practices. In particular, existing contracts may need to be amended to specify the physical locations for the provision of services and include the new obligations regarding business-recovery planning and reporting. FREs should also consider whether multiple contracts with a vendor that were previously characterized as non-material may in aggregate become material and therefore subject to the guideline.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.