On April 24, 2023, the Office of the Superintendent of Financial Institutions (OSFI) published its final updated Guideline B-10: Third-Party Risk Management Guideline (the “Guideline”), which outlines OSFI’s expectation that Federally Regulated Financial Institutions (FRFIs) take a risk-based approach to manage third-party arrangements. OSFI undertook a 5-month public consultation process following the release of a draft Guideline B-10 last April (“Draft Guideline”), based on which it updated the Draft Guideline with further clarifications regarding the application of and requirements under each expected outcome of the Draft Guideline. In particular, OSFI emphasizes that FRFIs should apply the Guideline in a proportionate manner based on the level of risk and criticality of each third-party arrangement. The Guideline will be effective on May 1, 2024. You can find our bulletin on the Draft Guideline here.
Proportional Approach in the Application of the Guideline
In response to concerns surrounding the Draft Guideline’s broad scope, the final Guideline provides that FRFIs should determine the “intensity” with which to apply its expectations based on the level of the risk and criticality involved. OSFI recognizes that third-party arrangements have a variety of forms and urges FRFIs to apply the Guideline in a manner that is proportionate to 1) the risk and criticality of each third-party arrangement; and 2) the size, nature, scope, complexity of operations, and risk profile of the FRFIs. For example, the Guideline notes that a low-risk third-party arrangement may not require an exit or contingency plan, and a legal review may not be necessary for a low-risk, short-term arrangement.
Adding to the focus on flexibility, the final Guideline acknowledges that certain third-party arrangements may not be negotiable or may not be subject to written contracts. In these cases, FRFIs are expected to manage risks, as appropriate, through monitoring, business continuity measures, contingency planning, and other resiliency mechanisms.
Clarification Regarding Risk Assessment Criteria
The final Guideline reiterates that criticality is an important consideration in the assessment of third-party risk, and adds the following criteria for assessing criticality and risk:
- the degree to which the third party or subcontractor supports a critical operation of an FRFI;
- the impact on business operations if the FRFI needs to exit the third-party arrangement and transition to another service provider or bring the business activity in-house;
- the probability of the third party or subcontractor failing to meet expectations due to insolvency or operational disruption;
- the information management, data, cyber security, and privacy practices of the third party and its subcontractors; and
- the third party’s use of subcontractors and the complexity of the supply chain.
The final Guideline also redefines “Concentration Risk” as taking two forms: institution-specific concentration risk, which stems from an FRFI’s overreliance on a single third party, subcontractor, or geography for multiple activities; and systemic concentration risk, which arises when one third-party service provider or geography provides services to multiple FRFIs.
OSFI expects all FRFIs to take reasonable steps to assess the concentration risk associated with their third-party arrangements across “multiple dimensions”, including geography, supplier, and subcontractor, and FRFIs are expected to assess concentration risk to “the greatest extent possible”.
Clarification Regarding Subcontracting Risk
The Guideline requires FRFIs to assess the overall risk arising from their third parties’ subcontractors. This requirement is broader than in the Draft Guideline, which would only have required FRFIs to assess whether material subcontracting exists and whether its impact could outweigh the benefit of their third-party arrangements.
To ensure that FRFIs have ongoing visibility into subcontracting risk, the Guideline requires FRFIs to receive ongoing updates and reporting on the third party’s use of subcontractors. The Guideline provides that such monitoring and management of subcontracting risks should be scaled according to the risk level of the arrangement and criticality of services provided by the third party.
The Guideline aims to be less prescriptive and to reinforce expectations regarding due diligence and written arrangements. Relative to the Draft Guideline, the final Guideline limits the application of the diligence factors in Annex 1 to only high-risk and critical third-party arrangements.
Regarding technology and cyber risk with respect to third-party agreements, the Guideline largely reiterates the requirements in the Draft Guideline, but with the introduction of a new outcome that requires that the “technology and cyber operations carried out by third parties are transparent, reliable and secure”.
In considering “cloud portability”, FRFIs are required to “assess the benefits and risks of portability and mitigants in the absence of portability”. The Guideline adopts the definition of “cloud portability” set by the US National Institute of Standards and Technology (NIST), which means “the ability for data to be moved from one cloud system to another or for applications to be ported and run on different cloud systems at an acceptable cost.”
To provide “adequate implementation time to self-assess and build adherence”, the Guideline provides for an extended transition period for FRFIs and is set to be effective from May 1, 2024. Third-party arrangements initiated on or after May 1, 2024, are expected to adhere to all relevant sections of the Guideline.
Going forward, FRFIs should review and update existing arrangements made before May 1, 2024, at the earliest appropriate contract renewal to meet the expectations of the Guideline.