[co-author: Vanessa Kiraly – Summer Student]
Fintechs and other entities that contract with federally regulated financial institutions (FRFIs) should be aware of the possibility of more stringent requirements regarding risk management in their commercial arrangements further to a public consultation by the Office of the Superintendent of Financial Institutions (OSFI).
OSFI recently held a public consultation on revised Guideline B-10: Third-Party Risk Management (the proposed guideline). The proposed guideline would be more comprehensive than its existing formulation, Guideline B-10: Outsourcing of Business Activities, Functions and Processes (the existing guideline), to respond to what OSFI sees as novel third-party risks stemming from a more modern, complex and expanded third-party ecosystem relied on by FRFIs.
Although the proposed guideline would be binding on FRFIs rather than third-party partners, there are several key takeaways that third-party partners (and FRFIs themselves) should consider in assessing the impact the proposed guideline would have on their existing and future arrangements.
The proposed guideline would not apply to foreign bank branches or foreign insurance company branches, which are subject to Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis.
Why Is OSFI Revising Guideline B-10?
FRFIs rely heavily on third-party arrangements throughout their operations. The rapid advancement of technologies has led to a corresponding expansion of the third-party ecosystem that FRFIs use. However, third-party ecosystems bring risks to FRFIs (relating to data management and cybersecurity). The concern identified by OSFI is that some of these risks may not be addressed adequately by the existing guideline.
The proposed guideline builds on OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, the industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13) and OSFI’s ongoing supervisory and policy work.
Risks Associated with Third-Party Arrangements
The proposed guideline would address two overarching categories of “risk” related to third-party arrangements.
- Third-party risk: This is identified by the OSFI as the risk to a FRFI’s operational and financial health resulting from a third party failing to honour its commitments (such as by failing to provide goods or services, failing to protect data systems, or failing to carry out activities in accordance with the arrangement). Third-party risks could also stem from the insolvency of a third party, political or legal risks, risks arising from the interconnectedness of multiple third parties and multiple FRFIs or loss of data or data breaches.
- Concentration risk: This is identified by the OSFI as the loss or harm to a FRFI or the broader financial system that may flow from an overreliance on only a few or geographically concentrated third-party providers. Concentration risk exposes the FRFI to substitutability risks (e.g., where the third party is not easily replaceable) and a higher potential for disruption from localized external events such as poor economic conditions or natural disasters.
- Criticality: This is identified by the OSFI as the degree of impact a third-party arrangement would have on a FRFI’s operations, financial condition or reputation. A “critical” third-party arrangement is one where the third party performs an essential function or service in connection with the FRFI’s operation. Criticality can be seen as a continuum whereby the more critical a third party is to the FRFI, the more severe the impact the FRFI may suffer. As a result, OSFI mandates that risk assessment and mitigation strategies should be implemented proportionally to the criticality of a particular third-party arrangement.
Expansion of what Constitutes a “Third-Party Arrangement”
The proposed guideline would apply to a broader scope of third-party arrangements than the existing guideline, which only applies to traditional outsourcing arrangements (e.g., back office management, human resources and professional services such as accounting). The proposed guideline would expand the concept of “third-party arrangement” to include any business or strategic arrangement entered into by a FRFI with a third party under a written contract or otherwise (which now includes cloud service providers, technology companies and fintechs). As a result of this change, more third-party entities and third-party relationships would be subject to OSFI’s purview under the proposed guideline.
The proposed guideline would emphasize establishing sound internal governance and risk management programs, as FRFIs are accountable for all business activities that they outsource to third-party arrangements. As a result, a FRFI should establish a third-party risk management framework (TPRMF) with clear accountabilities, responsibilities, policies and processes for managing risks related to third parties. The proposed guideline provides a non-exhaustive list of elements to aid FRFIs in preparing their own TPRMF.
Third-Party Risk Management Program
The proposed guideline would replace the existing binary approach to risk assessment (“material” vs. “non-material” outsourcing) with a risk-based approach in which OSFI expects FRFIs to manage third-party risks in a manner that is proportionate to the level of risk and complexity of a FRFI’s third-party ecosystem. The “criticality” concept described above is a key consideration influencing the nature and frequency of risk management activities (such as risk assessment, mitigation, monitoring, measuring and reporting).
The proposed guideline would prescribe that a FRFI assess risks and criticality associated with each third-party arrangement (i) prior to entering, (ii) regularly throughout the lifecycle of the arrangement (proportionate to the level of risk and criticality) and (iii) whenever there is a material change. When considering arrangements with third parties based outside of Canada (or Canadian third parties with material subcontractors located outside of Canada), the FRFI would be expected to pay particular attention to the following: the legal requirements of relevant jurisdictions; and the potential political, legal, security, economic, environmental, social and other risks that may impede the ability of the third party to provide services.
According to the proposed guideline, the following factors should be considered by a FRFI when assessing risk and criticality:
- the third party’s use of subcontractors;
- the potential for loss or harm to the FRFI in the event that the third party or material subcontractor fails to meet expectations, due to service disruption, outage, cybersecurity breaches or any other reason;
- the ability of the FRFI to assess controls at the third party and continue to meet regulatory and legal requirements in respect of activities performed by the third party, particularly in the case of disruption;
- substitutability of the third party, including the portability and timeliness of a transfer of services;
- the potential impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house;
- the financial health of the third party and the potential “step-in” risk, whereby the FRFI is required to provide financial support to the third party or take over the third party’s business;
- the degree of the FRFI’s or the industry’s reliance on or concentration of the third party; and
- any other relevant financial and non-financial risks associated with the use of the third party.
Supply Chain Management
The proposed guideline would require FRFIs to consider supply chain management in assessing and mitigating risk. In particular, FRFIs would need to assess, manage and monitor the risks of subcontracting arrangements entered into by third parties, including the impact of such arrangements on concentration risk. A FRFI’s risk assessment would need to include an understanding of the risk factors related to the subcontracting practices of the third parties they partner with, including the third party’s reliance on subcontractors and the ability of subcontractors to meet performance standards and legal and regulatory requirements. Mitigation strategies include using contractual provisions to prohibit the use of subcontractors for certain functions, requiring that the FRFI be informed of the use or change of subcontractors and, finally, reserving rights for the FRFI to refuse and audit subcontractors.
Monitoring and Reporting
The proposed guideline would require the FRFI to monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and manage risks.
In connection with incident management and reporting, the proposed guideline would expand on this requirement as follows:
- the third party should have clearly defined incident management processes;
- incident reporting and notification requirements of the third party should support FRFI compliance with OSFI’s incident reporting requirements;
- the third party should establish internal incident management processes; and
- the FRFI should request that the third party perform a root cause analysis and share the results of any incidents commensurate with the severity/potential impact of the incident on the FRFI. Remediation actions should be monitored by the FRFI.
Electronic Records, Data and Technology Considerations
Electronic Record Keeping
OSFI expects that third-party counterparties and FRFIs establish and maintain appropriate measures throughout the life of the third-party arrangement to protect the confidentiality, integrity and availability of records and data by properly assigning responsibilities via contract. Specifically, agreements with third parties should establish:
- the scope of the records and data to be protected;
- availability of the records and timely access to data by the FRFI and OSFI, upon request;
- controls and monitoring over the third party’s use of the FRFI’s systems and information;
- clear responsibilities of each party in managing data security;
- which party is liable for any losses that might result from a security breach; and
- notification requirements if there is a breach of security.
Agreements should also require that the relevant FRFI’s data and records be isolated from those of other clients at all times, including during the transfer process and under adverse conditions (e.g., disruption of services). Third parties are required to maintain data and records subject to the same standard of protection as held by the FRFIs.
OSFI expects electronic records of documents required to be kept under legislation to be accessible and intelligible without incurring additional costs and by using readily available commercial applications. If such records are in electronic form (subject to certain exceptions for foreign FRFIs or foreign branches of Canadian FRFIs), complete copies must be kept on a computer server physically located at the relevant FRFI’s head office or another place in Canada (if OSFI has been notified of such place). As a result, it may be challenging for FRFIs to outsource record keeping obligations to third parties.
Technology and Cyber Risk in Third-Party Arrangements
The proposed guideline would require that FRFIs establish clear roles and responsibilities that apply to each party (including third parties), and also establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards or recognized industry standards for mitigating risk.
In adopting cloud services, OSFI recommends that FRFIs establish cloud-specific data security and control requirements that optimize interoperability while operating within a FRFI’s stated risk appetite. For example, cloud systems should be implemented in a planned and strategic manner, such as through multi-cloud designs, to build resilience and mitigate cloud service provider concentration risk.
OSFI expects to issue the final form of the proposed guideline sometime in fall 2022 alongside a summary of feedback received. OSFI has stated that the proposed guideline is not intended to hinder the establishment of a federally endorsed framework to govern consumer directed data mobility and it states that such a framework is likely to be proposed in future.