The Office of the Superintendent of Financial Institutions (OSFI) announced April 24 that it has published its final guideline, Guideline B-10: Third-Party Risk Management, which sets out the risk management expectations the regulator now has in place for federally regulated financial institutions (FRFIs).

“Third-party arrangements can support efficiency, innovation and service. FRFIs are increasingly relying on third parties in ways that can impact operations and financial resilience,” the regulator states in its announcement about the guideline’s publication. “OSFI expects FRFIs to manage these risks by adhering to this updated guideline.” The guideline reportedly emphasises governance and risk management and includes six expected outcomes for those who effectively manage their third-party risks.

“As the utilization of third-party arrangements has expanded, so too have the attendant risks. Our updated Guideline B-10 will ensure financial institutions mitigate risks related to these arrangements,” says the superintendent of financial institutions, Peter Routledge.

“Increasingly FRFIs are relying on an expanded third-party ecosystem to deliver more of their critical activities. This increases the likelihood that these arrangements could impact a FRFI’s operational and financial resilience,” adds a letter to stakeholders, published alongside the new guideline. “Guideline B-10 applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches.” 

They continue, saying the guideline adopts a pragmatic approach to managing subcontractor and concentration risks. An exit or contingency plan may not be needed for every low-risk arrangement, the guideline states, “nor will subcontracting risk be a significant factor in every third-party arrangement.” Similarly, a legal review may not be necessary for a low-risk, short-term arrangement.

“Fundamental to applying this guideline in a prudent manner is identifying the type and level of risk arising from each third-party arrangement (including subcontracting arrangements), such that the FRFI can manage each third-party arrangement with the appropriate level of intensity,” the guideline continues. “Therefore, OSFI expects the FRFI to understand the risk and criticality of all its third-party arrangements and apply this guideline in a manner that is proportionate.”