OSFI’s Newly Issued Guideline B-10:
Third-Party Risk Management
Spotlight on Third-Party Risk
Regulators are shining a spotlight on companies to address the ever-increasing risks associated with their external or third-party arrangements. Those include engagement to perform business activities, functions, and services supporting company operations or business strategy. With the shift in recent years of more businesses relying on outsourcing and cloud computing, customers are exposed to a greater risk that their private data and transactions are not protected appropriately. Additionally, risks from third parties can threaten a company’s operational and financial resilience and reputation.Regulators now expect these risks to be managed and mitigated through an effective third-party risk management (TPRM) program.
New Regulations Issued
On April 24, 2023, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s federal financial institutions regulator, released its highly anticipated new Guideline B-10: Third-Party Risk Management.
Ripple Effect from Multiple Regulators
- Multiple Regulations: other regulators (e.g., Financial Services Regulatory Authority of Ontario (FSRA)) are developing their own guidelines while already actively assessing company’s risks associated with their third-party arrangements.
- Regulatory Audits: FSRA is currently conducting audits to evaluate third-party risk. Their results found one in three companies failed and now must implement new strategies, processes, and controls to mitigate risks. OSFI will issue information requests on third-party risk.
- Downstream Impacts: Federally Regulated Financial Institutions (FRFIs), e.g., large insurers and banks, began re-evaluating their own TPRM policies and programs. They are pushing new mandates downstream to their third parties to evaluate, identify, mitigate,
report and monitor third-party risks in order to comply with new regulations.
Purpose
OSFI expects the FRFIs to manage risks, considering risk and criticality, related to all third-party arrangements and emphasizes that the FRFI retains accountability for business activities, functions and services outsourced to a third-party. To that end, FRFIs are required to provide OSFI, upon request, information related to their business and strategic arrangements with third-parties, risk management, and control environments, to support supervisory monitoring and review work.
Deadline
The new Guideline B-10 will take effect on May 1, 2024. OSFI indicates that this transition period aims to provide FRFIs adequate time to self-assess and build effective TPRM programs that comply with all requirements.
Expectations
This Guideline is much broader than the existing B-10 Guideline. Expectations of management are outcome-focused and principle-based for FRFIs to achieve through effective third-party risk management. OSFI’s key outcomes include:
- Effective Governance: governance and accountability structures have a more
significant role and need to be clear with comprehensive risk management strategies and frameworks in place. - Third-Party Risk Management and Mitigation: OSFI expects your TPRM program, using a risk-based approach, will:
o identify and assess risks posed by third-parties.
o manage and mitigate those risks within the FRFI’s risk appetite framework.
o monitor and assess third-party performance – risks and incidents must be proactively addressed.
o allow FRFIs to identify and manage a range of third-party relationships on an ongoing basis.
o address Technology and Cyber risks, as emphasized by OSFI, in arrangements carried out by third-parties to be transparent, reliable and secure.
What Should You Be Doing Now?
B-10 expects you to re-evaluate your relationships, including contracting, with all of your third parties. You should assess both your TPRM policies and program and theirs, along with all downstream responsibilities.
How does this impact your firm?
Contact us at info@jcl.bm or give us a call to set up a consultation
Jennings Consulting Limited is a collaborative effort bringing together highly experienced consultants and business leaders who believe and excel in creating value for the clients: providing strategic insights and solving complex business challenges to increase their revenue, capture operation efficiency, deliver expense reduction and create sustainable businesses.
Our clients are the leading financial services companies in Canada, Bermuda, Bahamas and Barbados – many of whom we have worked with multiple times and supported for as many as 20 years.
.