Third-party Risk Management guideline - Summary response to consultation feedback

Date: April 24, 2023

OSFI thanks respondents who provided feedback on draft Guideline B-10: Third-Party Risk Management. This summary highlights feedback received together with OSFI’s responses.

OSFI recognizes that federally regulated financial institutions (FRFIs) carry on business in a competitive environment and third-party arrangements can be beneficial in driving efficiency gains, innovation and service improvements. OSFI expects FRFIs to effectively manage the risks related to third-party arrangements. FRFIs are expected to retain accountability for business activities, functions and services provided by a third party.

OSFI revised final Guideline B-10 to clarify the scope and be more principles-based with an increased emphasis on a risk-based approach to managing third-party arrangements. OSFI has also responded to concerns about subcontractor and concentration risks, as well as the transition period for Guideline B-10 to come into effect.

Summary response to consultation feedback

| Response | Consultation Draft Guideline B-10 | Final Guideline B-10 |
|---|---|---|
| Scope | Respondents indicated that they perceived the scope as too broad and potentially too onerous for certain types of third-party arrangements. | Clarifies OSFI’s expectation that FRFIs should understand a broad scope of third-party arrangements but apply the Guideline in a manner that is proportionate to the level of risk and criticality of each arrangement and to the size, nature, scope, complexity, and risk profile of the institution. |
| Less prescriptive | Respondents identified areas where they felt the expectations were overly prescriptive. | Increased emphasis on a risk-based approach to managing third-party arrangements. |
| Subcontractors | Respondents indicated that it is difficult to impose Guideline requirements on subcontractors. | Clarifies the responsibilities of FRFIs for managing the risks posed by subcontracting. |
| Concentration risk | Respondents indicated that it would be difficult for individual FRFIs to assess concentration risk. | Clarifies OSFI’s expectations of FRFIs with respect to managing different types of concentration risk. |
| Overlap | Respondents identified expectations in Guideline B-10 that may overlap with expectations set out in other OSFI guidelines. | Reduces perceived overlap by clarifying where Guideline B-10 is intended to complement other guidelines and when FRFIs should refer to the expectations set out in other guidelines. |
| Transition period | Respondents requested a relatively long transition period. | OSFI believes a transition period of one year is reasonable, considering the scope of the new requirements set out in the revised Guideline, with some flexibility for bringing legacy arrangements into compliance by implementation or as soon as possible thereafter. |

Scope

Many respondents expressed concern that the scope of the draft Guideline was broad and that the expectations set out could be too onerous for certain third-party arrangements.

OSFI expects FRFIs to understand all of their third-party arrangements and apply risk management activities appropriate to the level of risk and criticality of each arrangement. Higher-risk and more critical arrangements should be subject to more intensive risk management.

To that end, OSFI has added a section to the Guideline clarifying its expectation that FRFIs should apply the Guideline in a manner proportionate to the level of risk and criticality of each third-party arrangement and to the size, nature, scope, complexity, and risk profile of the institution. OSFI has also clarified that where a third party is subject to government regulation or supervision, the FRFI may take this into consideration as part of its risk assessment.

Less prescriptive

Some respondents identified sections where the language in the draft was viewed as overly prescriptive.

As noted above, OSFI introduced new language to align the Guideline with OSFI’s principles-based approach and to reinforce its expectation that FRFIs should take a risk-based approach to managing third-party arrangements. In addition, expectations regarding due diligence and written arrangements have been revised to reduce their level of prescriptiveness and reinforce alignment with a risk-based approach.

Subcontractors

Several respondents indicated it may be difficult to impose the expectations in the Guideline on subcontractors used by the third parties with whom they have entered arrangements.

In response, OSFI made revisions clarifying its expectations concerning how FRFIs can fulfill their responsibilities for managing the risks introduced by subcontracting. OSFI expects FRFIs to manage subcontractor risk according to the level of risk and criticality of the third-party arrangement in question. FRFIs should assess subcontracting risks and scale their monitoring and management of these risks to the level of risk of the arrangement and criticality of services provided by the third party.

Concentration risk

Some respondents indicated it would be difficult for individual FRFIs to assess concentration risk.

In response, OSFI has clarified that FRFIs should take all reasonable steps to assess concentration risk associated with their own third-party arrangements across relevant dimensions, including geography, supplier, and subcontractor. For systemic concentration risk, OSFI expects FRFIs to conduct risk assessments to the greatest extent possible. OSFI also encourages FRFIs to consider the benefits and risks of portability when entering arrangements with cloud service providers and mitigants to risks in the absence of portability.

Overlap

Several respondents perceived overlap between the expectations set out in the draft B-10 Guideline and other OSFI guidelines.

To address this concern, OSFI has revised the Guideline to indicate where the expectations in Guideline B-10 are meant to complement other guidelines, such as Guidelines B-13: Technology and Cyber Risk Management and E-21: Operational Risk Management, and where FRFIs should refer to the expectations set out in those guidelines.

Transition period

Some respondents informed OSFI that a relatively lengthy transition period may be needed to bring third-party arrangements into compliance with the expectations in the draft B-10 Guideline.

To that end, the Guideline will come into effect May 1, 2024, roughly one year after its publication, to provide FRFIs sufficient time to self-assess and build third-party risk management programs that comply with the new requirements of the Guideline.

Third-party arrangements commencing on or after May 1, 2024, would be expected to comply with all applicable sections of the Guideline. FRFIs should review and update legacy arrangements entered into prior to May 1, 2024, at the earliest appropriate contract renewal or revision point to meet the expectations of this Guideline by its implementation date or as soon as possible thereafter.