On April 27, 2022, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal financial institutions regulator, released its much-anticipated new Draft Guideline B-10: Third-Party Risk Management (Draft Guideline). The Draft Guideline is intended to replace OSFI’s current Guideline B-10 on Outsourcing of Business Activities, Functions and Processes, which was originally issued in 2001 and was last revised in 2009. The Draft Guideline sets out OSFI’s third-party risk management expectations for federally regulated financial institutions in Canada (FRFIs) and contributes to industry best practices for contracting with third parties. It is intended to address a more comprehensive set of risks, reflecting the current, expanding third-party ecosystem.
Foreign bank branches and foreign insurance company branches operating in Canada are excluded from the application of the new Draft Guideline but remain subject to requirements in respect of outsourcing arrangements under OSFI’s Guideline E-4, as discussed further below.
The scope of the Draft Guideline is much broader than the current Guideline B-10, as it re-sets OSFI’s expectations for managing risks associated with third-party arrangements generally, rather than focusing on material outsourcing arrangements. What constitutes a “third-party arrangement” and “third-party risk” are defined broadly in the Draft Guideline and only narrow exceptions are recognized, such as arrangements between a FRFI and its customers. Service arrangements between a FRFI and an affiliate are included in the new definition of a third-party arrangement and accordingly will continue to be subject to the requirements of the Draft Guideline, in addition to the existing self-dealing requirements in the legislation.
OSFI also notes that the Draft Guideline is not intended to impede the establishment of an open banking framework by the federal government, which OSFI refers to as consumer-directed data mobility within the financial sector, consistent with the latest terminology proposed by the federal Advisory Committee on Open Banking. Once that framework is built, OSFI notes that it may provide additional guidance.
The revised, modernized Draft Guideline relies in part on findings from OSFI’s 2019 Third-Party Risk Review, feedback from OSFI’s 2020 Technology Risk Discussion Paper, and industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13).
If adopted in its current form, the Draft Guideline will require financial institutions to re-examine their approach to managing relationships, including contracting, with a broad range of third parties.
The Draft Guideline proposes a number of changes to OSFI’s current guidance. Specifically, it places a greater emphasis on governance and risk management programs. It also sets outcome-focused, principles-based expectations for the management of third-party risks, although many requirements remain quite prescriptive. The Draft Guideline expands the scope of Guideline B-10 to include a broader range of third-party arrangements (beyond just outsourcing) and considers a broader range of risks (such as criticality and concentration risk). OSFI also proposes an updated list of terms to be addressed in third-party contracts and provides guidance on standardized contracts. Importantly, the Draft Guideline also replaces the current materiality threshold for applicability with a risk-based approach.
This bulletin highlights some of the key requirements of the Draft Guideline.
The Draft Guideline places a greater emphasis on effective governance of third-party arrangements. OSFI expects FRFIs to implement clear governance and accountability structures, with comprehensive risk strategies and frameworks, to ensure ongoing operational and financial resilience.
A FRFI is ultimately accountable for all business activities, functions and services it outsources to third parties, and for managing the risks associated with third-party arrangements and relationships. Accordingly, OSFI expects a FRFI to establish an enterprise-wide third-party risk management framework that sets out clear accountabilities, responsibilities, policies and procedures for identifying, managing, mitigating, monitoring and internally reporting on risks relating to the use of third parties. The Draft Guideline sets out the key elements that should be included in a third-party risk management framework. FRFIs should consider reviewing their vendor management programs against the new governance requirements of the Draft Guideline to identify and address any material gaps.
THIRD-PARTY RISK MANAGEMENT AND MITIGATION
OSFI expects that under a FRFI’s third-party risk management program:
risks posed by third parties will be identified and assessed;
these risks will be managed and mitigated within the FRFI’s risk appetite framework; and
third-party performance will be regularly monitored and assessed, and any risks and incidents will be proactively addressed.
In adopting a risk-based approach, OSFI expects FRFIs to manage third-party risks in a manner that is proportionate to the level of risk and the complexity of the FRFI’s third-party ecosystem, for which the Draft Guideline introduces the concept of “criticality”. It is defined as the degree of impact of the third-party arrangement on the FRFI’s risk profile, operations, strategy and/or financial condition.
OSFI expects FRFIs to assess the risk and criticality of a third-party arrangement throughout its lifecycle. This includes assessment prior to entering into the arrangement, periodically during the course of the arrangement and after any material change has occurred in the arrangement. The due diligence conducted by a FRFI in respect of a third-party arrangement should be ongoing and proportionate to the assessed level of risk and criticality.
OSFI outlines several key factors that FRFIs should consider when determining the level of risk and criticality. These include the third party’s use of subcontractors, the FRFI’s ability to assess the third party’s controls, substitutability, the financial health of the third party and other relevant risks associated with the use of a third party. The Draft Guideline also includes more detailed guidance on subcontracting arrangements.
As with the current Guideline B-10, FRFIs are expected under the Draft Guideline to document their arrangements with third parties in a written agreement. Annex 2 of the Draft Guideline provides specific minimum provisions that an agreement with a third party must address. Many of these provisions largely mirror the contractual terms that Guideline B-10 currently mandates, but the Draft Guideline has made some changes to the list.
OSFI also expects a FRFI to monitor its third-party arrangements to validate the third party’s ability to continue to meet its obligations and effectively manage risks. Importantly, the Draft Guideline notes that both the FRFI and the third party should have documented processes in place to identify, monitor and remediate incidents that could affect the third party’s ability to deliver the contracted goods or services.
The Draft Guideline also maintains the existing requirement that an agreement with a third party must give both the FRFI and OSFI the right to assess the third party through audit rights, and sets out more granular audit provisions to be included in the agreement. Importantly, a FRFI is also expected to ensure that agreements with third parties contain adequate provisions to enable the FRFI to comply with its broad reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory, which requires reporting of technology and cyber security incidents; in practice, this means the contract should oblige the third party to notify the FRFI of incidents affecting the FRFI’s data or services promptly enough for the FRFI to meet its own reporting timelines.
The Draft Guideline expressly acknowledges that there are certain third-party arrangements for which a customized agreement may not be feasible. In these cases, OSFI nonetheless expects FRFIs to appropriately manage risk through the third-party risk management program in a manner that is proportionate to the level of risk and criticality of the relationship. The Draft Guideline also sets out expectations in respect of arrangements with a FRFI’s external auditor, similar to analogous provisions under the current Guideline B-10.
The Draft Guideline notes that all of the expectations set out above are considered minimum expectations for critical third-party arrangements and those that pose a significant risk to the FRFI.
TECHNOLOGY AND CYBER RISK IN THIRD-PARTY ARRANGEMENTS
In recognition of the elevated risks presented by technology and cyber risk, the last section of the Draft Guideline describes OSFI’s additional expectations for how technology and cyber risk are to be addressed in a FRFI’s arrangements with third parties. Recognizing the prevalence of cloud services and the need for cloud-specific requirements, OSFI expects FRFIs to specifically consider cloud portability when entering into an arrangement, and to ensure that cloud adoption occurs in a planned and strategic manner that optimizes interoperability, while at the same time operating within the FRFI’s stated risk appetite.
Foreign bank branches and foreign insurance company branches operating in Canada (Branches) are excluded from the application of the Draft Guideline. This is a departure from the current Guideline B-10, which has specific provisions addressing outsourcing arrangements between a Branch and its home office and other affiliates. Importantly, OSFI’s new Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis, which took effect earlier in 2022, states that if the home office performs material functions on behalf of the Branch, either directly or through its own outsourcing arrangements, OSFI expects the Branch to document these arrangements. OSFI also notes in a footnote to Guideline E-4 that this documentation should incorporate the contract-for-services elements outlined in Guideline B-10. Subject to clarifications from OSFI, this suggests that Branch service arrangements with the home office may need to incorporate the updated contractual terms for third-party agreements that will be set out in Annex 2 of the new Draft Guideline.
The consultation on the Draft Guideline is open until July 27, 2022. Following the consultation, OSFI expects to issue a final updated guideline in the fall of 2022.