On February 22, 2021, the BC Financial Services Authority (the "BCFSA") issued a draft Outsourcing Guideline (the "Outsourcing Guideline"). The Outsourcing Guideline is applicable to all provincially regulated financial institutions incorporated in BC (including BC credit unions) that outsource, or contemplate outsourcing, one or more of their business activities.
The Outsourcing Guideline outlines the BCFSA's expectations for outsourcing risk management practices.
BC credit unions will be required to familiarize themselves with the Outsourcing Guideline, as it will be applicable to any outsourcing arrangements entered into by the credit union. To put it (too) simply, a credit union will be considered to have entered into an outsourcing arrangement where it engages a third party to perform any business activity that the credit union can perform itself. Examples of outsourcing arrangements may include document processing, loan administration and human resources services. The Outsourcing Guideline will not apply in circumstances where the credit union is not legally able to perform the business activity on its own.
What Credit Unions Need to Know
The Outsourcing Guideline applies to all BC credit unions, regardless of size. Credit unions need to be aware that they will retain ultimate accountability for all of their business activities. Outsourcing does not relieve a credit union from that accountability.
The Outsourcing Guideline focuses in large part on the materiality of the outsourcing arrangement in determining what steps credit unions must take in managing the associated risks. The materiality of an outsourcing arrangement will depend on the extent to which it has the potential to have an important influence – whether quantitative or qualitative – on a significant business line of the credit union. In particular, the Outsourcing Guideline stresses that the outsourcing of all or substantially all of a management oversight function (such as financial analysis, compliance or risk management) should always be considered material.
Credit unions are expected to follow the Outsourcing Guideline for all outsourcing arrangements unless the outsourcing is clearly immaterial. However, the particular steps taken by credit unions to mitigate the outsourcing risks will depend on the materiality of the arrangement.
What Credit Unions Need to Do
Credit unions should note that the BCFSA has commenced a 60-day consultation process on the proposed Outsourcing Guideline. During this time, credit unions can submit any feedback or questions on the draft guideline to firstname.lastname@example.org.
Once the Outsourcing Guideline is implemented, assuming it is implemented in substantially the same form as the draft Outsourcing Guideline, credit unions should be prepared to:
(a) develop a process for determining the materiality of outsourcing arrangements;
(b) identify and evaluate the risks associated with existing and proposed outsourcing arrangements;
(c) update their enterprise risk management framework to ensure it accurately includes the managing and monitoring of outsourcing risks;
(d) conduct due diligence on:
(i) service providers, including on service providers' reputations and ability to provide quality service and ensure data protection; and
(ii) any subcontractors under subcontracted outsourcing arrangements;
(e) ensure the Board of Directors and senior management are aware of their respective duties under the Outsourcing Guideline, including approving and implementing the above processes;
(f) document outsourcing arrangements with written contracts that address all relevant conditions, including the requirement to regularly review the contracts for compliance and materiality (see Appendix 5 of the Outsourcing Guideline for a list of terms that should be included in such contracts);
(g) ensure that material outsourcing arrangements have been reviewed by the credit union's legal counsel; and
(h) maintain a centralized list of all material outsourcing arrangements.
Additionally, credit unions should familiarize themselves with the BCFSA's draft Information Security Guideline, released on February 18, 2021. The Information Security Guideline introduces further expectations for credit unions with respect to the mitigation of information security risks relating to data and network systems, and should be read in conjunction with the Outsourcing Guideline.
It is not always easy to get vendors/service providers to agree to include contractual provisions that will tick all of the boxes in the Outsourcing Guideline. The ability to negotiate appropriate changes to standard vendor contracts largely depends on bargaining power. However, there may be situations where a credit union should decide not to use a particular vendor if they will not accommodate. The BCFSA Outsourcing Guideline will, at least, enable BC credit unions to point to a regulatory guideline that requires certain standards, the presence of which will, in many cases, convince vendors that they need to accommodate.
How EKB Can Help
EKB usually conducts reviews on all credit union outsourcing contracts on the basis of the B-10 Outsourcing Guideline, which was implemented by the federal Office of the Superintendent of Financial Institutions ("OSFI"). The B-10 Guideline does not technically apply to BC credit unions, but it sets out a best-practices standard. While there are some differences, the proposed BCFSA Outsourcing Guideline relies heavily on the B-10 Guideline and incorporates many of OSFI's provisions. As such, EKB is already familiar with the obligations imposed by the BCFSA Outsourcing Guideline and is ready to assist credit unions in preparing to meet these new requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.