Canada: Third-Party Risk Management Guideline for Canadian Financial Institutions: OSFI's Guideline B-10
Dustin Moores, Counsel at nNovation LLP, explores the updated Third-Party Risk Management Guideline (the Guideline) for Canadian financial institutions. The Guideline addresses increasing supply chain vulnerabilities and sets out best practices for Federally Regulated Financial Institutions (FRFIs) to manage third-party risks effectively.
Overview
It is no secret that the supply chain is an increasingly frequent target for bad actors and a source of vulnerability as organizations outsource more and more of their operations and infrastructure. Cyber incidents and other service outages affecting the supply chain can have catastrophic results and carry the potential to knock wide swaths of the economy offline, especially when financial institutions are impacted. It is against this backdrop that Canada's regulator of financial institutions, the Office of the Superintendent of Financial Institutions (OSFI), issued its Guideline, updated most recently in April 2023.
The Guideline sets out OSFI's third-party risk management expectations for FRFIs, excluding foreign bank branches and foreign insurance company branches (OSFI publishes a list of FRFIs). The Guideline establishes a flexible set of best practices for FRFIs to follow when relying on third-party arrangements. Non-FRFIs may wish to refer to the Guideline when adopting their own third-party risk management strategies.
The Guideline presents six expected outcomes achieved through effective third-party risk management:
- Governance and accountability structures are clear with comprehensive risk management strategies and frameworks in place.
- Risks posed by third parties are identified and assessed.
- Risks posed by third parties are managed and mitigated within the FRFI's risk appetite framework.
- Third-party performance is monitored and assessed, and risks and incidents are proactively addressed.
- The FRFI's third-party risk management program allows the FRFI to identify and manage a range of third-party relationships on an ongoing basis.
- Technology and cyber operations carried out by third parties are transparent, reliable, and secure.
The Guideline is meant to be read in conjunction with applicable legislation (e.g., the Bank Act) and other OSFI guidance, such as Guideline E-21 (Operational Risk Management), Guideline B-13 (Technology and Cyber Risk Management), and the Corporate Governance Guideline. This Insight article provides a brief overview of the Guideline and its principal implications.
11 underlying principles
The Guideline is underpinned by 11 principles relating to an FRFI's governance and third-party risk management:
- Accountability: The FRFI is ultimately accountable for managing the risks arising from all types of third-party arrangements.
- Third-Party Risk Management Framework: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting risks relating to the use of third parties.
- Risk assessment: The FRFI should identify and assess the risks of a third-party arrangement before entering the arrangement and periodically thereafter. Risk assessments should be proportionate to the criticality of an arrangement. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight.
- Due diligence: The FRFI should undertake due diligence prior to entering contracts or other forms of arrangement with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
- Subcontracting: The FRFI is responsible for identifying, monitoring, and managing risk arising from subcontracting arrangements undertaken by its third parties.
- Written arrangements: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party.
- Confidentiality, integrity, and availability: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity, and availability of records and data.
- Access to information and audits: The FRFI's third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The FRFI should also have the right to conduct or commission an independent audit of a third party.
- Business continuity and disaster recovery: The FRFI's agreement with the third party should encompass the ability to deliver operations through disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should have contingency plans for its critical third-party arrangements.
- Monitoring: The FRFI should monitor its third-party arrangements to verify the third party's ability to continue to meet its obligations and effectively manage risks.
- Incidents: Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to maintain risk levels within the FRFI's risk appetite.
Key activities and implications
The Guideline spells out key activities for FRFIs to manage third-party risks while maintaining a certain level of flexibility so FRFIs may continue to arrange their operations in a way that achieves their business and strategic objectives. These are arranged by governance and accountability, management of third-party risk, special arrangements, and technology and cyber-risk in third-party arrangements.
Governance and accountability
Accountability for outsourcing: As the ultimately accountable entity, an FRFI retains accountability for services outsourced to a third party and must manage risk arising from all third-party arrangements. This includes accountability for business activities, functions, and services outsourced to third parties; data exchanged with third parties or data to which they have access; and managing risk arising from third-party arrangements. FRFI senior management should be satisfied that any outsourcing to third parties is done in a safe and sound manner, compliant with applicable law, internal policies, standards, and processes, and in alignment with FRFI's risk appetite.
Third-Party Risk Management Framework (TPRMF): An FRFI should establish an enterprise-wide TPRMF. Such a TPRMF should span the entire lifecycle of a third-party arrangement, from sourcing to exit, and set out how the FRFI will identify, assess, manage, mitigate, monitor, and report third-party risk. It should be reviewed and updated regularly. The TPRMF should establish accountabilities, roles and responsibilities, and policies and processes for identifying, monitoring, and managing third-party risk. Regarding this last item, the FRFI should implement processes and systems to identify, assess, manage, monitor, measure, and report on:
- an inventory of third parties delineated by level of risk and criticality;
- third-party compliance with contractual provisions and/or service-level agreements, including processes for managing exceptions and incidents;
- third-party risks introduced by individual arrangements (including, among others, technology, cyber, information security, concentration, business continuity, strategic and financial risks); and
- aggregation of third-party risk exposures and trends to inform the FRFI's current and emerging risk profile.
Management of third-party risk
Risk-based approach
OSFI expects third-party risks to be managed proportionately to the risk level and complexity of the FRFI's third-party ecosystem. Higher-risk and critical arrangements should be subject to more frequent and rigorous assessments and have more robust risk management. This risk-based approach requires FRFIs to ensure:
- risk assessment criteria are comprehensive and scalable: These criteria should be comprehensive, reviewed periodically to remain current, and should consider the criticality of the arrangement. FRFIs should consider factors such as the severity of loss or harm if the third party or its subcontractor fails to meet expectations, the third party's substitutability, the degree to which the third party or subcontractor supports critical operations, and the impact on business operations if the FRFI must exit the arrangement;
- the level of risk of third-party arrangements is assessed: When determining the level of risk, the FRFI should consider:
  - the probability of the third party or its subcontractor failing to meet expectations;
  - the FRFI's ability to assess the third party's controls and the ability to continue meeting regulatory and legal requirements;
  - the third party's financial health and 'step-in' risk (i.e., in case the FRFI is required to provide financial support);
  - the third party's use of subcontractors and supply chain complexity;
  - the degree of the FRFI's reliance on third parties with elevated concentration risk (e.g., is there over-reliance on a single third party, subcontractor, or geography? Are there systemic risks from multiple FRFIs relying on the same third party or geography?);
  - the information management, data, cyber security, and privacy practices of the third party and its subcontractors; and
  - other relevant financial and non-financial risks associated with using the third party; and
- the rigor of risk management activities matches the level of risk and criticality: The robustness and frequency of third-party risk management activities should match the level of risk and criticality of a given arrangement.
Risk assessment
OSFI expects FRFIs to assess the risk and criticality of the third-party arrangement throughout its lifecycle. This includes the assessment of risks both created and reduced by the arrangement and of risk mitigants. Risk assessments should be conducted:
- before entering into the arrangement;
- regularly throughout the arrangement lifecycle in proportion to its criticality; and
- when there is a material change to the arrangement or third party.
Assessments should:
- determine if the arrangement aligns with the FRFI's risk appetite;
- document the arrangement's criticality;
- establish the risk level; and
- develop a plan to manage the arrangement within the FRFI's risk appetite.
Due diligence
FRFIs should establish due diligence processes for third-party arrangements that are proportionate to the level of risk and criticality of an arrangement. Processes should also consider factors related to outsourcing arrangements outside of Canada, such as legal, political, security, economic, environmental, social, and other risks.
Due diligence should be conducted:
- before entering into the arrangement;
- during contract renewal;
- periodically on an ongoing basis proportionate to the level of risk and criticality; and
- when there is a material change to the arrangement.
The Guideline provides a list of factors to be considered regarding high-risk and critical arrangements in Annex 1.
Other factors for assessment
Other factors that should be assessed include:
- concentration risk: FRFIs should assess both institution-specific concentration risks (e.g., is the FRFI over-reliant on a single third party, subcontractor, or geography?) and systemic concentration risks (e.g., are several FRFIs over-reliant on a single third party, subcontractor, or geography?) associated with an arrangement; and
- subcontracting risk: Before entering a third-party arrangement, FRFIs should identify and understand the third party's subcontracting practices and related risks. Risks should be monitored and managed, such as through contractual provisions that:
  - prohibit the use of subcontractors for certain functions;
  - require the FRFI to be informed (in writing and promptly) when a subcontractor is retained or substituted to carry out some of the third party's functions;
  - reserve the FRFI's right to refuse a subcontractor; and
  - allow the FRFI to commission or conduct an audit of subcontractors.
Risk management and mitigation
Risks should be managed and mitigated within the FRFI's risk appetite framework through:
- written agreements/contracting: Written agreements/contracts should set out clear responsibilities, be reviewed by the FRFI's legal counsel, and allow the FRFI to meet the expectations set out in the Guideline. The Guideline's Annex 2 describes provisions to be included in agreements for high-risk and critical arrangements;
- data security and controls (including data location): Responsibilities for the security of records and data should be established, including with regard to confidentiality, availability, integrity of records and data, and matters relating to security breaches such as liability and notification requirements;
- information rights and audit: Third-party agreements should preserve the FRFI's right to access information and reporting, specify the type and frequency of information reported, and allow the FRFI to assess performance measures. Events that materially impact the FRFI should be reported in a timely manner. Agreements should also give both the FRFI and OSFI the right to evaluate the third party's risk management practices, access audit reports regarding the third party's services, and appoint independent auditors;
- business continuity planning and testing: At a minimum, third-party agreements should require the third party to:
  - outline its measures for ensuring service continuity in case of disruption;
  - regularly test its business continuity and disaster recovery programs for services provided to the FRFI;
  - notify the FRFI of test results; and
  - address any material deficiencies.
  The FRFI should also maintain its own business continuity and recovery plans to address potential service disruptions, document backup and redundancy capabilities, and ensure the FRFI can readily access all necessary records to sustain its business operations and meet its legal obligations; and
- contingency and exit strategy/planning: The FRFI should establish contingency and exit plans proportionate to the level of risk and criticality of its individual third-party arrangements. They should address triggers for invoking such plans; playbooks for both stressed and non-stressed/planned exits; and relevant contractual provisions, such as those that may trigger notice requirements. Plans should be sufficiently detailed to allow for rapid execution and be reviewed regularly.
Monitoring and reporting
Monitoring and reporting of third parties should include measures for both general oversight and incident management.
General oversight: FRFIs should monitor third-party arrangements to ensure services are delivered according to agreed-upon terms and that third parties remain financially sound. An FRFI should also establish metrics to confirm that residual risks remain within its risk appetite and define triggers for escalation.
Incident management and reporting: Incident management and reporting should include clearly defined incident management processes, address notification requirements to comply with OSFI reporting obligations, establish internal processes to effectively manage and escalate third-party incidents, and investigate and analyze incidents. FRFIs should require third parties to provide a root cause analysis for incidents and the FRFI should monitor remediation actions.
Special arrangements
The Guideline contains guidance for managing risk in what it refers to as special arrangements. These include instances where the FRFI must enter into a standardized contract, arrangements that do not include a written agreement, and measures to address conflicts of interest with external auditors.
Technology and cyber-risk in third-party arrangements
Due to the inherent risk associated with technology and cyber risks in third-party arrangements, OSFI expects FRFIs to:
- establish clear roles and responsibilities for cyber controls: These should be defined with sufficient granularity for each arrangement;
- ensure third parties comply with the FRFI's technology and cyber standards;
- establish cloud-specific requirements and governance: These should optimize interoperability, remain consistent with the FRFI's risk appetite, and augment existing controls and standards, particularly regarding data protection, key management, and container management; and
- ensure that portability and resilience are considered: Portability should be considered along with planning appropriate exit strategies, including benefits and risks of portability, and mitigants in the absence of portability. Strategies to address resilience and concentration risk should be considered.
Dustin Moores, Counsel
nNovation LLP, Ottawa