On April 27, 2022, the Office of the Superintendent of Financial
Institutions (OSFI), Canada's federal financial institutions
regulator, released its much-anticipated new Draft Guideline B-10: Third-Party Risk
Management (Draft Guideline). The Draft Guideline is
intended to replace OSFI's current Guideline B-10 on
Outsourcing of Business Activities, Functions and Processes, which
was originally issued in 2001 and was last revised in 2009. The
Draft Guideline sets out OSFI's third-party risk management
expectations for federally regulated financial institutions in
Canada (FRFIs) and contributes to industry best practices for
contracting with third parties. It is intended to address a more
comprehensive set of risks to reflect the contemporary, expanding
third-party ecosystem.
Foreign bank branches and foreign insurance company branches
operating in Canada are excluded from the application of the new
Draft Guideline but remain subject to requirements in respect of
outsourcing arrangements under OSFI's Guideline E-4, as
discussed further below.
The scope of the Draft Guideline is much broader than the existing
Guideline B-10, as it re-sets OSFI's expectations for managing
risks associated with third-party arrangements, rather than
focusing on material outsourcing arrangements. The terms
"third-party arrangement" and "third-party
risk" are defined broadly in the Draft Guideline, and only
narrow exceptions are recognized, such as arrangements between a
FRFI and its customers. Service arrangements between a FRFI and an
affiliate are included in the new definition of a third-party
arrangement and accordingly will continue to be subject to the
requirements of the Draft Guideline, in addition to the existing
self-dealing requirements in the legislation.
OSFI also notes that the Draft Guideline is not intended to impede
the establishment of an open banking framework by the federal
government, which OSFI refers to as consumer-directed data
mobility within the financial sector, consistent with recent
terminology proposed by the federal Advisory Committee on Open
Banking. Once that framework is designed, OSFI notes that it may
provide additional guidance.
The revised, modernized Draft Guideline relies in part on findings
from OSFI's 2019 Third-Party Risk Study, feedback from
OSFI's 2020 Technology Risk Discussion Paper, and
industry's response to OSFI's draft Technology and Cyber Risk Management
Guideline (Guideline B-13).
If adopted in its current form, the Draft Guideline will require
financial institutions to re-evaluate their approach to managing
relationships, including contracting, with a wide array of third
parties.
The Draft Guideline proposes a number of changes to OSFI's
current guidance. Specifically, it places a greater emphasis on
governance and risk management programs. It also sets
outcome-focused, principle-based expectations on the management of
third-party risks, although several requirements remain fairly
prescriptive. The Draft Guideline expands the scope of Guideline
B-10 to include a wider range of third-party arrangements (beyond
just outsourcing) and considers a wider range of risks (such as
criticality and concentration risk). OSFI also proposes an updated
list of terms to be addressed in third-party contracts and provides
guidance on standardized contracts. Importantly, the Draft
Guideline also replaces the
current materiality threshold for applicability
with a risk-based approach.
This bulletin highlights some of the key requirements of the Draft
Guideline.
GOVERNANCE
The Draft Guideline places a greater emphasis on effective
governance of third-party arrangements. OSFI expects FRFIs to
implement clear governance and accountability structures with
comprehensive risk strategies and frameworks to ensure ongoing
operational and financial resilience.
A FRFI is ultimately accountable for all business activities,
functions and services it outsources to third parties, and for
managing the risks associated with third-party arrangements and
interactions. Accordingly, OSFI expects a FRFI to establish an
enterprise-wide third-party risk management framework that sets out
clear accountabilities, responsibilities, policies and processes
for identifying, managing, mitigating, monitoring and internally
reporting on risks relating to the use of third parties. The Draft
Guideline sets out the key elements of what should be included in a
third-party risk management framework. FRFIs should consider
assessing their vendor management programs against the new
governance requirements of the Draft Guideline to identify and
address any material gaps.
THIRD-PARTY RISK MANAGEMENT AND MITIGATION
OSFI expects that under a FRFI's third-party risk management program:
- risks posed by third parties will be identified and assessed;
- these risks will be managed and mitigated within the FRFI's risk appetite framework; and
- third-party performance will be continually monitored and assessed, and any risks and incidents will be proactively addressed.
In adopting a risk-based approach, OSFI expects FRFIs to manage
third-party risks in a manner that is proportionate to the level of
risk and complexity of the FRFI's third-party infrastructure,
for which the Draft Guideline introduces the concept of
"criticality". It is defined as the degree of impact of
the third-party arrangement on the FRFI's risk profile,
operations, strategy and/or financial condition.
OSFI expects FRFIs to assess risk and criticality of a third-party
arrangement throughout its lifecycle. This includes assessment
prior to entering into the arrangement, regularly during the course
of the arrangement and after any material change has occurred in
the arrangement. The due diligence to be conducted by a FRFI in
respect of the third-party arrangement should be ongoing and
proportionate to the assessed level of risk and criticality.
OSFI outlines several key factors that FRFIs should consider when
determining the level of risk and criticality. These include the
third party's use of subcontractors, the FRFI's ability to
assess the third party's controls, substitutability, financial
health of the third party and other relevant risks associated with
the use of a third party. The Draft Guideline also includes more
detailed guidance on subcontracting arrangements.
As with the current Guideline B-10, FRFIs are expected under the
Draft Guideline to document their arrangements with third parties
in a written agreement. Annex 2 of the Draft Guideline provides
certain minimum provisions that an agreement with a third party
must address. Many of these provisions largely mirror the
contractual terms that Guideline B-10 currently mandates, but the
Draft Guideline has made some changes to the list.
OSFI also expects a FRFI to monitor its third-party arrangements to
verify the third party's ability to continue to meet its
obligations and effectively manage risks. Importantly, the Draft
Guideline notes that both the FRFI and the third party should have
documented processes in place to identify, track and remediate
incidents that could impact the third party's ability to
deliver the contracted goods or services.
The Draft Guideline also maintains the current requirement that an
agreement with a third party must give both the FRFI and OSFI the
right to assess the third party through audit rights and sets out
more granular audit provisions to be included in the agreement.
Importantly, a FRFI is also expected to ensure that agreements with
third parties contain adequate provisions to enable the FRFI to
comply with its broad reporting requirements under
OSFI's Technology and Cyber Security Incident Reporting
Advisory, which requires reporting of technology and
cybersecurity incidents.
The Draft Guideline expressly recognizes that there are certain
third-party arrangements for which a customized contract may not be
feasible. In these situations, OSFI still expects FRFIs to
appropriately manage risk through the third-party risk management
program in a manner that is proportionate to the level of risk and
criticality of the relationship. The Draft Guideline also sets out
expectations in respect of arrangements with a FRFI's external
auditor, similar to analogous provisions under the current
Guideline B-10.
The Draft Guideline notes that all of the expectations set out
above are considered minimum expectations for critical third-party
arrangements and those that pose a high risk to the FRFI.
TECHNOLOGY AND CYBER RISK IN THIRD-PARTY ARRANGEMENTS
In recognition of the elevated risks presented by technology and cyber threats, the final section of the Draft Guideline describes OSFI's additional expectations for how technology and cyber risk are to be addressed in a FRFI's arrangements with third parties. Recognizing the prevalence of cloud services and the need for cloud-specific requirements, OSFI expects FRFIs to specifically consider cloud portability when entering into an arrangement, and to ensure that cloud adoption occurs in a planned and strategic manner that optimizes interoperability while operating within the FRFI's stated risk appetite.
FOREIGN BRANCHES
Foreign bank branches and foreign insurance company branches operating in Canada (Branches) are excluded from the application of the Draft Guideline. This is a departure from the current Guideline B-10, which has specific provisions addressing outsourcing arrangements between a Branch and its home office and other affiliates. Importantly, OSFI's new Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis, which took effect earlier in 2022, states that if the home office performs material functions on behalf of the Branch, either directly or through its own outsourcing arrangements, OSFI expects the Branch to document such arrangements. OSFI also notes in a footnote to Guideline E-4 that this documentation should incorporate the contract-for-services elements outlined in Guideline B-10. Subject to clarifications from OSFI, this suggests that Branch service arrangements with the home office may need to incorporate the updated contractual terms for third-party agreements that will be set out in Annex 2 of the new Draft Guideline.
NEXT STEPS
The consultation on the Draft Guideline is open until July 27, 2022. Following the consultation, OSFI expects to issue a final updated guideline in the fall of 2022.
© 2025 Blake, Cassels & Graydon LLP.