
Compliance Briefing — May 1, 2024

OSFI’s Guideline B-10 on Third-Party Risk Management takes effect, compelling Canadian banks and insurers to evidence board oversight, concentration monitoring, and exit strategies across critical outsourcing relationships.


Executive briefing: The Office of the Superintendent of Financial Institutions (OSFI) Guideline B-10, Third-Party Risk Management, becomes effective on May 1, 2024. Federally regulated financial institutions (FRFIs) must demonstrate governance over the full lifecycle of third-party arrangements, including cloud services, fintech partnerships, and material outsourcing. Boards are responsible for approving the institution's third-party risk appetite, while senior management must maintain a complete inventory of arrangements, classify each by criticality, and keep exit plans current for critical ones.

Key compliance checkpoints

  • Board accountability. OSFI expects directors to approve the third-party risk management framework, review concentration metrics, and receive timely reporting of incidents involving third parties.
  • Lifecycle controls. Institutions must document due diligence, contractual provisions, ongoing performance monitoring, and termination activities for each arrangement, with proportionately greater scrutiny for critical services.
  • Data residency and resilience. B-10 expects institutions to know where their data is stored and processed, to understand and approve subcontracting arrangements, and to test business continuity for critical third parties in a way that is consistent with the institution's own BCP and technology resilience expectations.

Control alignment

  • Integrate B-10 with OSFI Guideline B-13. Map the technology and cyber risk management controls required by B-13 to third-party oversight so that cloud migrations and managed services satisfy both guidelines rather than being assessed twice under different criteria.
  • Contract remediation. Refresh service-level agreements, audit and access rights, subcontractor approval requirements, and termination clauses so that existing contracts meet B-10's minimum contractual provisions.
  • Concentration dashboards. Build reporting that aggregates exposures by vendor, geography, and service category, so that reliance on a single provider, region, or service type is visible before it becomes a systemic concentration.

Enablement moves

  • Deploy third-party risk platforms or enhance GRC tools to capture due diligence evidence, issue tracking, and renewal workflows.
  • Run tabletop exercises simulating vendor outages to validate exit strategies and contingency plans.
  • Coordinate with procurement and legal teams to enforce onboarding checklists, residual risk sign-offs, and periodic reassessments.

Zeph Tech maps OSFI B-10 controls to vendor inventories, contract clauses, and resilience testing so Canadian institutions can evidence compliant third-party oversight.