Yesterday, OSFI released a memorandum reminding financial institutions that its outsourcing B-10 Guideline applies to new technology-based outsourcing arrangements including cloud computing. In the short memorandum, OSFI stated the following:
Information technology plays a very important role in the financial services business and OSFI recognizes the opportunities and benefits that new technology-based services such as Cloud Computing can bring; however, FRFIs should also recognize the unique features of such services and duly consider the associated risks.
As such, and in light of the proliferation of new technology-based outsourcing services, OSFI is reminding all FRFIs that the expectations contained in Guideline B-10 remain current and continue to apply in respect of such services. In particular, FRFIs should consider their ability to meet the expectations contained in Guideline B-10 in respect of a material arrangement, with an emphasis on i) confidentiality, security and separation of property, ii) contingency planning, iii) location of records, iv) access and audit rights, v) subcontracting, and vi) monitoring the material outsourcing arrangements.
OSFI considers the management of outsourcing risks important to ensuring that FRFIs continue to be managed prudently and OSFI will be monitoring this issue as part of its ongoing supervisory work.
The memorandum clearly reflects a warning from OSFI that FRIs need to take into account the B-10 Guideline in new technology based outsourcing arrangements including cloud computing. OSFI did not explain the reasons for the release of the memorandum or the timing of the release.
A summary of B-10 Guideline can be obtained here.
