On April 24, 2023, the Canada Office of the Superintendent of Financial Institutions (OSFI) released the final version of the Third-Party Risk Management Guideline (B-10) (the Final Guideline). This comes after OSFI released a draft version of the Final Guideline for public comment (the Consultation) in April 2022 (the DraftGuideline). You can read our summary of and comments on the Draft Guideline here.
It is important to note that the Final Guideline applies to all federally regulated financial institutions in Canada (FRFIs and each an FRFI). However, the Final Guideline does not apply to, among others, foreign insurers operating in Canada on a branch basis (Branches). This is a change from the predecessor Guideline B-10 (Outsourcing of Business Activities, Functions and Processes) last revised by OSFI in 2009 (the Prior Guideline), as the Prior Guideline applied to the outsourcing arrangements of, among others, FRFIs operating in Canada on a branch basis. In releasing the Final Guideline, OSFI notes that Branches should follow OSFI Guideline E-4: Foreign Entities Operating in Canada on a Branch Basis (Guideline E-4) when structuring their respective third-party arrangements.
OSFI highlighted that it is also in the process of revising Guideline E-4, which is welcome news as the current Guideline E-4 still references provisions of the Prior Guideline, which has now been replaced by the Final Guideline.
This article provides a summary of the key changes to the Draft Guideline following the Consultation, and includes certain key considerations for FRFIs when entering into any third-party arrangements going forward.
I. OSFI’s responses to feedback from the Consultation
OSFI notes that the Final Guideline incorporates the following revisions, which take into account certain responses that OSFI received from the Consultation.
OSFI notes that respondents to the Consultation expressed concern that the scope of the Draft Guideline was broad and that the compliance expectations set out may be too onerous for certain third-party arrangements. In response, OSFI added a section to the Guideline clarifying its expectation that FRFIs should only apply the Guideline in a manner proportionate to the level of risk and criticality of each third-party arrangement. OSFI has also clarified that where a third-party is subject to government regulation or supervision, the FRFI may take this into consideration as part of its risk assessment under the Final Guideline.
OSFI also clarified that employment contracts are excluded from the definition of “third-party arrangements” captured by the Final Guideline.
b) Level of prescription
Respondents to the Consultation noted that certain language in the Draft Guideline was overly prescriptive. The Final Guideline adjusts expectations regarding due diligence and written arrangements, making them less prescriptive with the aim of reinforcing OSFI’s risk-based, principled approach.
Another item that arose during the Consultation was that it may be difficult for FRFIs to impose expectations contained the Draft Guideline on certain subcontractors. In the Final Guideline, OSFI clarified that it expects FRFIs to manage subcontractor risk (including the monitoring of such risk) according to the level of risk and criticality of the applicable third-party arrangement.
d) Concentration risk
The Final Guideline defines “concentration risk” as either (i) “Institution-specific concentration risk,” where the risk of loss or harm to the FRFI results from its overreliance on a single third-party, subcontractor or geography, or (ii) “systemic concentration risk,” which refers to a risk arising from a concentration of the provision of services by one third-party to multiple FRFIs. In the Consultation, industry stakeholders noted that it would be difficult for individual FRFIs to assess concentration risk.
In response, OSFI clarified that FRFIs should take all reasonable steps to assess concentration risk associated with their own third-party arrangements across relevant dimensions, including geography, suppliers and subcontractors.
e) Overlap with other OSFI Guidelines
To address concerns that the subject matter of the Draft Guideline overlapped with other OSFI guidelines, OSFI provided additional clarity in the Final Guideline regarding how the Final Guideline interacts in certain circumstances with other OSFI guidelines (i.e. where such guidelines complement each other, and when one guideline takes precedence over the other).
f) Transition period
There was also concern from industry stakeholders regarding the length of time that may be required to amend third-party arrangements prior to the expected effective date of the final version of the Draft Guideline. This led OSFI to introduce a May 1, 2024, effective date for all FRFI third-party arrangements subject to the Final Guideline.
II. New expected OSFI outcome
The Final Guideline sets out six expected outcomes for FRFIs to achieve through managing third-party risk (the Draft Guideline contained five expected outcomes). This new, sixth expected outcome was added to the Draft Guideline’s existing “Technology and Cyber Risk in Third-Party Arrangements” section (Cyber Risk Section) and provides that technology and cyber operations carried out by third parties must be transparent, reliable and secure. Apart from the addition of the foregoing new expected outcome, the contents of the Cyber Risk Section remain relatively unchanged in the Final Guideline. However, OSFI did clarify that an FRFI who contracts for cloud computing services should consider to what degree it can replace or terminate its relationship with a cloud service provider, and where its ability to do the foregoing may be limited, the FRFI should develop certain strategies to mitigate such risk.
III. Dealing with the absence of written contracts
In the Final Guideline, OSFI clarifies that the absence of a written contract does not negate the presence of a third-party arrangement and its associated risks (which makes sense from a legal perspective, as binding agreements do not have to be in writing). Ultimately, OSFI expects FRFIs’ third-party risk management programs to address such contractual relationships (whether written or not).
IV. Next steps for FRFIs conducting insurance business in Canada
In our view, the Final Guideline provides welcome clarity on how FRFIs may review and modify their third-party arrangements to comply with OSFI’s new Third-Party Risk Management Guideline. However, it is still unclear how third-party arrangements entered into by Branches will be governed. As noted above, the Final Guideline refers third-party arrangements involving branches to OSFI Guideline E-4 (which still includes guidance on third-party arrangements set out in the Prior Guideline). Therefore, we expect OSFI to make certain revisions to Guideline E-4, among others, as it implements the Final Guideline.
As an immediate next step and to prepare for the May 1, 2024, the effective date of the Final Guideline, FRFIs should review and update all legacy contractual arrangements for compliance with the Final Guideline. OSFI notes that such updates should be completed by the May 1, 2024, effective date, or as soon as possible thereafter.
Dentons Canada’s corporate and regulatory insurance group would be pleased to assist with FRFIs’ review of any legacy or new contracts for compliance with the Final Guideline.
For more information on this topic, please contact the authors Laurie LaPalme, Derek Levinsky and Jesse Collins-Swartz.