On April 27, 2022, the Office of the Superintendent of Financial Institutions (OSFI) released a draft update to its Guideline B-10, Draft Guideline B-10: Third-Party Risk Management (Draft Guideline), which sets out enhanced expectations for federally regulated financial institutions (FRFIs) in managing an expanded scope of third-party risks. The Draft Guideline is a substantial revision to the current Guideline B-10 and places a greater emphasis on governance and risk management plans and specific outcomes and principles. The Draft Guideline is near the end of its three-month public consultation period. Interested stakeholders may still submit their comments to [email protected] until September 30, 2022. The final Guideline B-10 is expected to be issued in fall 2022.
The Draft Guideline offers a new perspective on risk-management expectations through four main changes relative to the existing Guideline B-10.
First, the scope of the Draft Guideline is expanded to include a wider variety of third-party arrangements. The current Guideline B-10 applies to “outsourcing arrangements”, which are arrangements “whereby the service provider performs a business activity, function or process that is, or could be, undertaken by the [FRFI] itself”. In developing the Draft Guideline, OSFI recognizes FRFIs are increasingly relying on a broad range of third parties in delivering critical activities that go beyond outsourcing arrangements. As a result, the Draft Guideline applies to “third-party arrangements” more broadly, which include any business or strategic arrangement with external entities. Examples of arrangements that would be subject to the Guideline include the use of independent professionals, brokers, and utilities (such as telecommunications); use of financial market infrastructure; other relationships involving the provision of services for the storage, use or exchange of data; and, generally any outsourced activities, functions, and services.
Second, the Draft Guideline widens the scope of risk governance beyond outsourcing activities to encompass third party risks generally. The Draft Guideline introduces “third-party risks” as an expanded concept that captures “risk to the FRFI’s operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement”.
Third, the Draft Guideline replaces the materiality threshold in the current guideline and introduces a new “risk-based approach”, which requires a more comprehensive risk management framework that accounts for the level of risk and the criticality associated with individual third-party arrangements. The level of risk and FRFI’s operational and financial resilience are not measured against the “materiality” of the agreement, but through “criticality”, which is defined “as the degree of impact of the third-party arrangement on the FRFI’s risk profile, operations, strategy and/or financial condition.” OSFI provides that the exercise of determining risk should be a multi-pronged assessment that takes into consideration:
- the risks intrinsic in a particular third party (such as insolvency risks and the possibility of operational disruptions),
- the “criticality” of the nature of engagement with that third party, and
- the “concentration risks” associated with reliance on a small number of and/or geographically concentrated third-party providers or subcontractors.
Ultimately, the FRFIs are expected to manage the third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI’s third-party ecosystem.
OSFI’s Key Expectations as Set Out in the Draft Guideline
The fourth major change in the Draft Guideline is that it introduces a modernized guidance structure that is designed around five overarching outcomes based on 11 principles to enhance the operational and financial resilience of FRFIs. The intended outcomes start with foundational issues to ensure that FRFIs have put into place appropriate governance and accountability structures that deal with third-party engagements. This risk management framework is then expected to be used to identify and assess the risks posed by third parties, to manage and mitigate those risks within the FRFI’s risk appetite, as well as to continually monitor the performance of third parties. Finally, OSFI expects the FRFI’s risk management program to be dynamic and actively capture a range of third-party arrangements and interactions, including those with standardized contracts or those involving technology and cyber risks. Below is a summary of OSFI’s desired outcomes and the principles and other expectations devised by OSFI to help FRFIs achieve these outcomes.
|
|
Governance Generally |
Outcome: Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience. |
Accountability
|
Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements. |
Third-Party Risk Management Framework (TPRMF) |
Principle 2: The FRFI should establish a third-party risk management framework that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties. Additional Expectations:
|
|
|
Risk Identification and Assessment |
Outcome: Risks posed by third parties are identified and assessed. Principle 3: The FRFI should identify and assess the risks of a third-party arrangement before entering the arrangement and periodically thereafter, proportionate to the level of risk and criticality of the arrangement. Principle 4: The FRFI should undertake due diligence prior to entering any form of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement. Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered by third parties, including the impact of these arrangements on concentration risk. Additional Expectations:
|
Risk Management and Mitigation |
Outcome: Risks posed by third parties are managed and mitigated within the FRFI’s Risk Appetite Framework. Principle 6: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party. Principle 7: The FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data throughout the duration of the third-party arrangement. Principle 8: The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party. Principle 9: The FRFI’s agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements. Additional Expectations:
|
Monitoring and Reporting |
Outcome: Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed. Principle 10: The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks. Principle 11: Both the FRFI and its third-party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFI’s risk appetite. Additional Expectations:
|
|
|
|
Outcome: The FRFI’s risk management program is dynamic and actively captures and appropriately manages a range of third-party arrangements and interactions. Additional Expectations:
|
|
|
|
Additional Expectations:
|
Takeaways for FRFIs and Third-Party Service Providers
With its wider scope and more extensive assessment of risks, the upcoming revision of Guideline B-10 will require FRFIs to re-evaluate their current practices and processes, conduct additional diligence on third-party service providers, and where needed enhance their third-party risk management frameworks. Aside from updates to internal policies and review mechanisms, federally regulated financial institutions will be required to review, enhance, and update their current agreements and contract templates with third parties for critical offerings. The new Draft Guideline B-10 is intended to complete OSFI’s near-term plans to modernize its risk management guidance (which also includes the introduction of Guideline B-13: Technology and Cyber Risk Management, the final version of which OSFI expects to release in the coming weeks), and the FRFIs now have the opportunity to revisit their risk management practices with a more comprehensive view.