Yesterday, the Office of the Superintendent of Financial Institutions (OSFI) began a consultation on an updated Draft Guideline B-10 – Third-Party Risk Management. The draft guideline sets out enhanced third-party risk management expectations for federally regulated financial institutions such as banks, insurance companies, and some credit unions (FRFIs).
OSFI has provided guidance on outsourcing to FRFIs since 2001 in its B-10 Outsourcing Guideline. That Guideline has evolved with revisions in 2003 and again in 2009. The guidance has shaped FRFIs’ risk management processes and contractual terms with outsourcers since its inception.
The current B-10 Guideline was widely recognized as being difficult to apply to many modern outsourcings, including cloud computing arrangements, which have multiplied over time while many forms of traditional outsourcing have waned. Still, OSFI announced more than 10 years ago that the B-10 Guideline applied to cloud transactions just as it did to traditional outsourcings.
OSFI is now proposing to adapt the guideline in important ways “to reflect a more comprehensive set of third-party risks” in light of the “expanded third-party ecosystem” of suppliers that FRFIs are relying on to deliver services. According to OSFI, the draft revised guideline now places a greater emphasis on governance and risk management programs, and sets outcomes-focused, principles-based expectations for FRFIs on the sound management of third-party risk.
The draft guideline no longer covers only outsourcings; it will now cover “third-party arrangements”, which is defined as “any business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise (e.g., another form of agreement or the conduct of the parties).” Arrangements that fall within this definition include, among other things: outsourced activities, functions, and services; use of independent professionals; telecom providers; financial market infrastructures such as payment systems; and other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, and technology companies that deliver financial services).
The draft guideline includes a definition of third-party risk which extends significantly beyond the current concept of outsourcing risk. ‘Third-party risk’ is defined to be the “risk to the FRFI’s operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement.” Third-party risk scenarios could include, but would not be limited to: insolvency of the third party; operational disruption at the third party due to people, inadequate or failed processes and systems, or external events (e.g., cyber incidents); insolvency of or operational disruption at a material subcontractor; political, geographic, legal, environmental, or other risks impeding the third party or its material subcontractors from providing services according to its arrangement with the FRFI; risks arising from interconnections between multiple third parties and multiple FRFIs; corruption of FRFI data or FRFI data breaches; and loss of data by the third party.
The draft guideline replaces the previous binary approach (“material” vs. “non-material” outsourcing) with a risk-based approach. It introduces the concept of “criticality” of third-party arrangements.
“Criticality” is defined as “the degree of impact of the third-party arrangement on the FRFI’s risk profile, operations, strategy and/or financial condition. A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI’s provision of a significant operation, function, or service. That is, a failure in performance of the third party could cause significant harm to the FRFI’s operations and/or reputation.”
Third parties are expected to be managed according to individual levels of risk and criticality.
Contractual implications of the guideline
There is no question that the guideline will, if finalized in its current form, be more extensive in its application, require increased risk management processes within FRFIs and significant additional diligence of counterparties, more attention to supply chain management, and even more contractual terms to be negotiated with third parties down through the supply chain. If the current B-10 Guideline created contractual challenges, expect much more if the guideline is finalized in its current form.
The draft guideline makes it clear that to “manage the risks associated with each third-party arrangement, the FRFI should structure its written agreement with the third party in a manner that allows it to meet the expectations set out in the Guideline.” OSFI has included in an Annex minimum terms it expects the FRFI to include in written agreements.
The current B-10 Guideline also contains minimum terms OSFI expects to be in contracts. The draft guideline has dropped some specific terms in the current guideline but has replaced them with a much broader package of terms that will need to be included in agreements with third parties.
Some examples of the types of contractual terms that will be required under the draft guideline are summarized below.
Technology and Cyber Risk
OSFI expects there will be clear roles and responsibilities established for technology and cyber controls. The guidance will require, where necessary, that contracts contain granular descriptions of the roles, responsibilities, and procedures that apply to each party when managing the configuration of products and systems.
OSFI expects third parties to comply with the FRFI’s technology and cyber standards. Where necessitated by risk and criticality, “the FRFI should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards—or recognized industry standards—for mitigating risk, including in the areas of access management and data security and protection”. According to the guideline, “Data and records should be subject to the same standard of protection at the third party as they would be at the FRFI.” This standard deviates from the current B-10 Guideline, which requires that (ideally) the security and confidentiality policies adopted by the service provider be commensurate with those of the FRFI, meet a reasonable standard in the circumstances, and be appropriate.
OSFI has also reinforced its desire to ensure that contracts with outsourcers, including cloud providers, “enable the FRFI to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory.” The draft guideline states that such “provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor) including providing information on each incident in line with the Advisory.”
The guideline is even more specific when dealing with contractual requirements for notification. It states that the “agreement should require the third party to notify the FRFI of incidents/events (at the third party or a subcontractor) that impact or could potentially impact services provided, the FRFI’s customers/data or the FRFI’s reputation; technology and cyber security incidents (at the third party or a subcontractor) to enable the FRFI to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory;” as well as significant organizational/operational changes.
The draft guideline also backs up this requirement with a diligence requirement regarding the third party’s capacity to manage technology and cyber risks in accordance with the expectations outlined in OSFI’s Guideline B-13: Technology and Cyber Risk Management and to “provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFI’s Technology and Cyber Security Incident Reporting Advisory”.
The draft guideline would also require the third party to have clearly defined incident management processes for identifying, investigating, escalating, remediating and notifying the FRFI in a timely manner of incidents—including subcontractor incidents—that could directly or indirectly impact the third party’s ability to deliver the contracted goods and/or services.
FRFIs would also have to establish cloud-specific requirements to augment existing FRFI controls and standards, notably in the areas of data protection, key management, and container management. The requirements also include the need to address exit strategies and portability of data.
The draft guideline omits certain audit requirements in the current B-10 Guideline, but significantly augments the audit terms that will need to be in third-party contracts.
Principle 8 (Information Rights and Audit) states “The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.” This requirement is supplemented with further details in the draft guideline.
The third-party agreement must specify “the type and frequency of information to be reported to the FRFI by the third party. This should include reports that allow the FRFI to assess whether performance measures are being met and any other information required for the FRFI’s monitoring program, including risk measures.” The agreement must also include “requirements and procedures for the third party to report events in a timely manner to the FRFI that may have the potential to materially affect the risks and delivery of the service.”
The agreement must also “give the FRFI and OSFI the right to evaluate the risk management practices related to the service provided. Specifically, the FRFI and OSFI should be able to evaluate the risks arising from the arrangement or appoint independent auditors to evaluate the risk management practices related to service provided and the risks arising from the relationship on the FRFI’s or on OSFI’s behalf. The FRFI and OSFI should also be able to access audit reports in respect of the service being performed for the FRFI.” The draft guideline does not, however, expressly require, as the current B-10 Guideline does, making working papers available to OSFI.
The draft guideline also introduces some potential flexibility into the audit methods by permitting “a range of audit and information gathering methods (e.g., independent reports provided by third parties, individually performed or pooled audits).”
The draft guideline would continue to require contracts to flow down audit terms to subcontractors as well as to have a degree of control over the use of subcontractors. It states that the “FRFI should also ensure that they have ongoing line of sight into the third party’s use of subcontractors. Among other ways, the FRFI might achieve this by: contractual provisions prohibiting the use of subcontractors for certain functions; requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained, or substituted, to carry out some of the functions contracted for the third party to perform; reserving a right of the FRFI to refuse a subcontractor; and contractual provisions allowing the FRFI to commission or conduct an audit of the subcontractor”.
The draft guideline bolsters these obligations to flow down terms to subcontractors by requiring other measures to “ensure that the third party has the capacity to monitor and manage risks arising from the use of subcontractors, including, where feasible, through audit rights and/or access to independent audit reports.”
Business Continuity Planning and Testing
The FRFI’s agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements. These requirements are spelled out in detail in the draft guideline.
The draft guideline would require FRFIs to develop exit strategies to ensure continuity of critical services. The specifics are also detailed in the draft guideline.
Other terms taken from Annex 2 of the draft guideline are as follows:
Nature and scope of the arrangement: The agreement should specify the nature and scope of the arrangement, including provisions that address the frequency, content and format of services, duration of the agreement, and physical location of the services being provided.
Roles and Responsibilities: The agreement should clearly establish the roles and responsibilities of the FRFI and the third party and any material subcontractors of the third party, including for managing technology and cyber risks and controls.
Use of subcontractors: The agreement should establish parameters on the use of subcontractors and require the third party to notify the FRFI of any subcontracting of services so that the FRFI may conduct due diligence, as well as assess and manage the risk of the subcontractors and any potential impacts from a change in service.
Pricing: The agreement should set out the basis for calculating fees relating to the services being provided.
Performance measures: The agreement should establish performance measures that allow each party to determine whether the commitments set out in the agreement are being fulfilled.
Ownership and access: The agreement should identify and establish ownership of all assets (intellectual and physical) related to third-party arrangements, including assets generated or purchased pursuant to the arrangement. The agreement should also specify whether and how the third party has the right to use the FRFI’s assets (e.g., data, hardware and software, system documentation or intellectual property), including authorized users, and the FRFI’s right of access to those assets.
Dispute resolution: The agreement should incorporate a protocol for resolving disputes. The agreement should also specify whether the third party must continue providing the service during a dispute and the resolution period, as well as the jurisdiction, governing law(s), and rules under which the dispute will be settled.
Regulatory compliance: The agreement should enable the FRFI to comply with all applicable legislative and regulatory requirements, including, but not limited to, location of records and privacy of client information.
Business continuity and recovery: The agreement should require the third party to outline measures for ensuring continuity of services in the event of disruption including testing and reporting expectations and mitigation requirements, as well as requirements of the third party to monitor and manage technology and cyber security risk.
Default and termination: The agreement should specify what constitutes a default, or right to terminate, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. Appropriate notice should be required for termination of the service and, where applicable, the FRFI’s assets should be returned in a timely fashion. Any data and records should be returned to the FRFI in a format that allows the FRFI to sustain business operations without unreasonable expense.
The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution. For example, the agreement should, among other things, remain valid and enforceable in resolution provided there is no default in payment obligations.
Insurance: The agreement should require the third party to obtain and maintain appropriate insurance and disclose the general terms and conditions of the insurance coverage. The agreement should also require the third party to notify the FRFI in the event of significant changes in insurance coverage.
Prudent risk management: The agreement should include any additional provisions necessary for the FRFI to prudently manage its risks in compliance with this Guideline.
OSFI will host an information session (via Zoom) for financial institutions and other interested stakeholders on Wednesday, May 4 at 2:00 p.m. (ET) to provide an overview of Draft Guideline B‑10 and an opportunity to raise questions. The link to register can be found here.
OSFI welcomes public comments on proposed changes to Guideline B‑10 and is particularly interested in feedback on the clarity and granularity of detail of OSFI’s risk management expectations. Comments can be submitted to firstname.lastname@example.org by July 27, 2022.
OSFI expects to issue the final Guideline in the fall of 2022, along with a non-attributed summary of comments received and OSFI’s response.
The proposed updated B-10 Guideline will require FRFIs to re-evaluate their risk management processes and contracting practices. This will have to include a review of current templates and agreements for critical services. This will need to be done by both FRFIs and service providers to FRFIs to ensure a smooth transition to OSFI’s updated standards. This will not be easy, as it may well require that service providers (including foreign-based providers) adapt their current forms and processes to comply with these new Canadian regulatory requirements.