Compliance Briefing — May 1, 2024
OSFI’s Guideline B-10 on Third-Party Risk Management takes effect, requiring Canadian banks and insurers to evidence board oversight, concentration monitoring, and exit strategies across critical third-party relationships.
Executive briefing: The Office of the Superintendent of Financial Institutions (OSFI) Guideline B-10 becomes effective on May 1, 2024, replacing OSFI’s earlier outsourcing guideline. Federally regulated financial institutions (FRFIs) must demonstrate end-to-end governance over third-party arrangements, including cloud services, fintech partnerships, and material outsourcing. Boards are responsible for approving risk appetite, while management must maintain lifecycle inventories, criticality classifications, and exit plans for each arrangement.
Key compliance checkpoints
- Board accountability. OSFI expects directors to approve third-party risk frameworks, review concentration metrics, and receive timely incident reporting.
- Lifecycle controls. Institutions must document due diligence, contract clauses, performance monitoring, and termination activities for each relationship, with enhanced scrutiny for critical services.
- Data residency and resilience. B-10 expects institutions to validate where their data is located, how subcontracting arrangements are governed, and whether business continuity testing aligns with their business continuity planning (BCP) and technology resilience expectations.
Control alignment
- Integrate B-10 with OSFI Guideline B-13 (Technology and Cyber Risk Management). Map technology and cyber risk controls to third-party oversight so that cloud migrations and managed services satisfy both guidelines rather than being assessed twice under separate programs.
- Contract remediation. Refresh service-level agreements, audit rights, subcontractor approvals, and termination clauses to address B-10’s minimum contract requirements.
- Concentration dashboards. Build reporting that aggregates exposures by vendor, geography, and service category, including subcontractors, so that single points of failure and systemic concentrations are visible to the board.
Enablement moves
- Deploy third-party risk platforms or enhance GRC tools to capture due diligence evidence, issue tracking, and renewal workflows.
- Run tabletop exercises simulating outages or abrupt termination of critical vendors to validate exit strategies, contingency plans, and the realism of documented transition timelines.
- Coordinate with procurement and legal teams to enforce onboarding checklists, residual risk sign-offs, and periodic reassessments.
Sources
- OSFI Guideline B-10: Third-Party Risk Management
- OSFI outsourcing expectations and implementation timeline
Zeph Tech maps OSFI B-10 controls to vendor inventories, contract clauses, and resilience testing so Canadian institutions can evidence compliant third-party oversight.