Proposed Revisions to Guideline B-10 Would Affect Outsourcing by Financial Institutions to Fintechs

Fintechs and other entities that contract with federally regulated financial institutions (FRFIs) should be aware of the possibility of more stringent requirements regarding risk management in their commercial arrangements further to a public consultation by the Office of the Superintendent of Financial Institutions (OSFI). OSFI recently held a public consultation on revised Guideline B-10: Third-Party Risk Management (the proposed guideline). The proposed guideline would be more comprehensive than its existing formulation, Guideline B-10: Outsourcing of Business Activities, Functions and Processes (the existing guideline), to respond to what OSFI sees as novel third-party risks stemming from a more modern, complex and expanded third-party ecosystem relied on by FRFIs. Although the proposed guideline would be binding on FRFIs rather than third-party partners, there are several key takeaways that third-party partners (and FRFIs themselves) should consider in assessing the impact the proposed guideline would have on their existing and future arrangements. The proposed guideline would not apply to foreign bank branches or foreign insurance company branches, which are subject to Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis.

Why Is OSFI Revising Guideline B-10?

FRFIs rely heavily on third-party arrangements throughout their operations. The rapid advancement of technologies has led to a corresponding expansion of the third-party ecosystem that FRFIs use. However, third-party ecosystems bring risks to FRFIs (relating to data management and cybersecurity). The concern identified by OSFI is that some of these risks may not be addressed adequately by the existing guideline.
The proposed guideline builds on OSFI's 2019 Third-Party Risk Study, feedback from OSFI's 2020 Technology Risk Discussion Paper, the industry's response to OSFI's draft Technology and Cyber Risk Management Guideline (Guideline B-13) and OSFI's ongoing supervisory and policy work.

Risks Associated with Third-Party Arrangements

The proposed guideline would address two overarching categories of "risk" related to third-party arrangements.
Key Takeaways

Expansion of What Constitutes a "Third-Party Arrangement"

The proposed guideline would apply to a broader scope of third-party arrangements than the existing guideline, which only applies to traditional outsourcing arrangements (e.g., back office management, human resources and professional services such as accounting). The proposed guideline would expand the concept of "third-party arrangement" to include any business or strategic arrangement entered into by a FRFI with a third party under a written contract or otherwise (which now includes cloud service providers, technology companies and fintechs). As a result of this change, more third-party entities and third-party relationships would be subject to OSFI's purview under the proposed guideline.

Sound Governance

The proposed guideline would emphasize establishing sound internal governance and risk management programs. FRFIs are accountable for all business activities that they outsource to third-party arrangements; as a result, a FRFI should establish a third-party risk management framework (TPRMF) with clear accountabilities, responsibilities, policies and processes for managing risks related to third parties. The proposed guideline provides a non-exhaustive list of elements to aid FRFIs in preparing their own TPRMF.

Third-Party Risk Management Program

The proposed guideline would replace the existing binary approach to risk assessment ("material" vs. "non-material" outsourcing) with a risk-based approach in which OSFI expects FRFIs to manage third-party risks in a manner that is proportionate to the level of risk and complexity of a FRFI's third-party ecosystem. The "criticality" concept described above is a key consideration influencing the nature and frequency of risk management activities (such as risk assessment, mitigation, monitoring, measuring and reporting).
The proposed guideline would prescribe that a FRFI assess risks and criticality associated with each third-party arrangement (i) prior to entering, (ii) regularly throughout the lifecycle of the arrangement (proportionate to the level of risk and criticality) and (iii) whenever there is a material change. When considering arrangements with third parties based outside of Canada (or Canadian third parties with material subcontractors located outside of Canada), the FRFI would be expected to pay particular attention to the following: the legal requirements of relevant jurisdictions; and the potential political, legal, security, economic, environmental, social and other risks that may impede the ability of the third party to provide services. According to the proposed guideline, the following factors should be considered by a FRFI when assessing risk and criticality:
Supply Chain Management
The proposed guideline would require FRFIs to consider supply chain management in assessing and mitigating risk. In particular, FRFIs would need to assess, manage and monitor the risks of subcontracting arrangements entered into by third parties, including the impact of such arrangements on concentration risk. A FRFI's risk assessment would need to include an understanding of the risk factors related to the subcontracting practices of the third parties they partner with, including the third party's reliance on subcontractors and the ability of subcontractors to meet performance standards and legal and regulatory requirements. Mitigation strategies include using contractual provisions to prohibit the use of subcontractors for certain functions, requiring that the FRFI be informed of the use or change of subcontractors and, finally, reserving rights for the FRFI to refuse and audit subcontractors.

Monitoring and Reporting

The proposed guideline would require the FRFI to monitor its third-party arrangements to verify the third party's ability to continue to meet its obligations and manage risks. In connection with incident management and reporting, the proposed guideline would expand on this requirement as follows:
Electronic Records, Data and Technology Considerations

Electronic Record Keeping
OSFI expects that third-party counterparties and FRFIs establish and maintain appropriate measures throughout the life of the third-party arrangement to protect the confidentiality, integrity and availability of records and data by properly assigning responsibilities via contract. Specifically, agreements with third parties should establish:
Agreements should also require that the relevant FRFI's data and records be isolated from those of other clients at all times, including during the transfer process and under adverse conditions (e.g., disruption of services). Third parties are required to maintain data and records subject to the same standard of protection as held by the FRFIs. OSFI expects electronic records of documents required to be kept under legislation to be accessible and intelligible without incurring additional costs and by using readily available commercial applications. If such records are in electronic form (subject to certain exceptions for foreign FRFIs or foreign branches of Canadian FRFIs), complete copies must be kept on a computer server physically located at the relevant FRFI's head office or another place in Canada (if OSFI has been notified of such place). As a result, it may be challenging for FRFIs to outsource record keeping obligations to third parties.

Technology and Cyber Risk in Third-Party Arrangements

The proposed guideline would require that FRFIs establish clear roles and responsibilities that apply to each party (including third parties), and also establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards or recognized industry standards for mitigating risk. In adopting cloud services, OSFI recommends that FRFIs establish cloud-specific data security and control requirements that optimize interoperability while operating within a FRFI's stated risk appetite. For example, cloud systems should be implemented in a planned and strategic manner, such as through multi-cloud designs to build resilience and mitigate cloud service provider concentration risk.

Next Steps

OSFI expects to issue the final form of the proposed guideline sometime in fall 2022 alongside a summary of feedback received.
OSFI has stated that the proposed guideline is not intended to hinder the establishment of a federally endorsed framework to govern consumer-directed data mobility and it states that such a framework is likely to be proposed in future.

How Bennett Jones Can Help

The Bennett Jones Financial Services and Cybersecurity teams are available to answer any questions you may have and advise on compliance programs and contractual arrangements. The Bennett Jones technology transactions team has extensive experience assisting clients with structuring, drafting and negotiating commercial deals that comply with OSFI Guideline B-10. The team is available to assist you with assessing the impacts of the proposed guideline on your services offering, and helping you with retooling your existing commercial arrangements or entering into new ones to meet the final form of the proposed guideline.

Authors