C-OSFI Third-Party Risk Management

On Apr. 27, C-OSFI proposed third-party risk management guidelines.

  • OSFI launched consultation on revised draft guideline B-10, on enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs).
  • Reflect more comprehensive set of third-party risks within expanded 3rd-party system.
  • Greater emphasis on governance, risk management programs, sets outcomes-focused, principles-based expectations for FRFIs on sound management of third-party risk.
  • Proposed changes include expanded scope to third-party arrangements, widened risk lens on third-party risk and related risks, enhanced risk focus, modernized guidance.
  • Expanded Scope
  • Draft Guideline B-10 applies to significantly wider variety of third-party arrangements.
  • Propose govern risks by traditional outsourcing arrangements and by external entities FRFI engages with on commercial, strategic basis, including material subcontractors.
  • Widened Risk Lens
  • Includes definition of third-party risk beyond current concept of outsourcing risk.
  • Aims to capture risks disrupt FRFI operations from wider range of external risk factors.
  • Revised definition encompasses series of related risks at third parties, such as cyber, technology, data security, financial, operational, business continuity management.
  • As well as including subcontracting/supply chain risks, and concentration risks.
  • Enhanced Risk Focus
  • Guideline sets expectations for FRFIs to adopt lifecycle approach to risk management for third-party arrangements, commensurate with level of risk of arrangement.
  • Replaces previous binary approach (material vs. non-material outsourcing) with risk-based approach; introduces the concept criticality of third-party arrangements.
  • Third parties expected to be managed according to individual levels of risk, criticality.
  • Modernized Guidance
  • Draft modernized to present outcomes-focused, principles-based approach for FRFIs.
  • OSFI has established five high-level outcomes, 11 related principles, and a series of risk management expectations to help FRFIs achieve those outcomes.
  • Consultation
  • OSFI will host information session for financial institutions, stakeholders, May 4, 2022.
  • Comments on proposed draft guidelines to Guideline B-10 are due by Jul. 27, 2022.
  • Apr. 2023 C-OSFI Final Guideline B-10
  • On Apr. 24, 2023, C-OSFI published its final Third-party risk management guideline.
  • Consultation summary highlighted feedback received together with C-OSFI responses.
  • Risk management expectations for Federally regulated financial institutions (FRFIs).
  • FRFIs expected to take a risk-based approach to managing third-party arrangements.
  • Addressed comprehensive set of third-party risks; reflects principles-based approach.
  • Also, adopted pragmatic approach to managing subcontractor and concentration risk.
  • Did not impede the development of a federal framework for consumer data mobility.
  • Provided adequate implementation time to comply by effective date of May 1, 2024.

Regulators C-OSFI
Entity Types B/D; Bank; IA; Inv Co
Reference PR, Lt, Rsp, Gd B-10, 4/24/2023; PR, 4/27/2022;
Functions BCS; Compliance; C-Suite; Cyber; Financial; Legal; Operations; Outsourcing; Privacy; Reporting; Risk; Technology
Countries Canada
Products Banking; Corporate; Fund Mgt
Regions Am
Rule Type Final
Rule Date 4/27/2022
Effective Date 5/1/2024
Rule Id 136662
Linked to N/A
Reg. Last Update 4/24/2023
Report Section International

Last substantive update on 04/26/2023