On April 28, the Office of the Superintendent of Financial Institutions (OSFI) published the final version of Guideline B-10: Third-Party Risk Management Guideline, which sets out OSFI’s expectations for managing risks associated with third-party arrangements.
OSFI first released a draft revised Guideline B-10 on the third-party risk management framework (TPRMF) for consultation in April 2022.
The Guideline is organized around 11 principles that shall be taken into account by a federally regulated financial institution (FRFI), namely:
The FRFI is ultimately accountable for managing the risks arising from all types of third-party arrangements.
The FRFI should establish a TPRMF that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring and reporting on risks relating to the use of third parties.
The FRFI should identify and assess the risks of a third-party arrangement before entering the arrangement and periodically thereafter.
The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
The FRFI is responsible for identifying, monitoring and managing risk arising from subcontracting arrangements undertaken by its third parties.
Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.
The FRFI’s third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.
The FRFI’s agreement with the third party should encompass the ability to deliver operations through disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.
The FRFI should monitor its third-party arrangements to verify the third party’s ability to continue to meet its obligations and effectively manage risks.
Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to maintain risk levels within the FRFI’s risk appetite.
This Guideline also includes six expected outcomes for FRFIs to achieve through effective third-party risk management (read our previous update here for more information).
The updated Guideline will be effective on May 1, 2024.