
Governance — Third-party risk

OSFI Guideline B-10 has been in effect since 1 May 2024, and with year-end supervisory reviews a quarter away, federally regulated financial institutions need to be able to evidence continuous oversight, concentration monitoring, and exit strategies for their critical third parties.

Canada's Office of the Superintendent of Financial Institutions (OSFI) has updated Guideline B-10 on Third-Party Risk Management. Federally regulated financial institutions (FRFIs) must show board-approved frameworks covering critical third parties, subcontractor chains, resilience testing, and exit plans. Ahead of year-end supervisory reviews, institutions should have mature programs able to demonstrate continuous oversight and concentration monitoring.

OSFI B-10 Regulatory Framework

Guideline B-10 establishes OSFI's expectations for how federally regulated financial institutions manage risks associated with third-party relationships. The guideline applies to banks, insurance companies, trust and loan companies, and cooperative credit associations under federal jurisdiction. Its principles-based approach allows flexibility while establishing clear expectations for governance, risk management, and operational resilience.

The updated guideline reflects lessons learned from operational incidents in which third-party failures affected financial institutions. Cloud service outages, cybersecurity breaches at vendors, and critical supplier disruptions have highlighted the interconnected risks in modern financial services. OSFI's heightened expectations address these systemic concerns while maintaining proportionality for institutions of different sizes and risk profiles.

The guideline aligns with international standards and the supervisory expectations of peer regulators. Basel Committee guidance on operational resilience, the EU's DORA requirements, and other jurisdictions' third-party risk frameworks have influenced OSFI's approach. For Canadian institutions with international operations, that alignment reduces the complexity of meeting overlapping regimes.

Board and Senior Management Responsibilities

Board oversight of third-party risk represents a foundational requirement under B-10. Boards must approve third-party risk management frameworks, receive regular reporting on material exposures, and ensure adequate resources for risk management activities. Committee structures should assign clear accountability for third-party risk oversight, whether through risk committees or dedicated subcommittees.

Senior management bears responsibility for implementing board-approved frameworks and maintaining effective controls. Roles and responsibilities across first, second, and third lines of defense should be clearly defined. Resource allocation must enable effective risk identification, assessment, monitoring, and mitigation across the third-party portfolio.

Escalation procedures should ensure significant third-party risks receive appropriate management and board attention. Thresholds for escalation, communication protocols, and decision-making authorities require documentation. Regular reporting cadences keep oversight bodies informed of risk trends, emerging concerns, and remediation progress.

Critical Third-Party Identification

Institutions must identify critical third parties whose failure could materially impact business operations, financial condition, or reputation. Criticality assessment considers business impact, substitution difficulty, concentration exposure, and regulatory significance. Critical relationships warrant enhanced oversight, stronger contractual protections, and comprehensive exit planning.

Subcontractor relationships receive increased scrutiny under B-10. Fourth-party risks from vendors' own suppliers can propagate through supply chains to affect institutions. Visibility into material subcontracting arrangements, including cloud infrastructure providers and offshore service centres, enables a comprehensive risk assessment.

Criticality classifications should be reviewed regularly and updated as business relationships evolve. New engagements, scope expansions, and market developments may change a criticality assessment. Annual reviews, with interim updates for material changes, keep classifications accurate.

Lifecycle Risk Management

Third-party risk management spans the complete relationship lifecycle from initial due diligence through ongoing monitoring to termination. Pre-engagement due diligence assesses prospective third parties against risk criteria before commitments are made. Financial stability, operational capabilities, security posture, and regulatory standing inform selection decisions.

Contractual arrangements should address risk allocation, performance expectations, audit rights, incident notification, and termination provisions. Standard contract clauses provide consistency while allowing customization for relationship-specific requirements. Legal review ensures contracts adequately protect institutional interests.

Ongoing monitoring validates that third parties continue to meet expectations throughout the relationship. Performance metrics, control assessments, financial monitoring, and relationship reviews provide continuing assurance. Risk-based monitoring intensity focuses resources on higher-risk relationships while maintaining adequate oversight across the portfolio.

Concentration Risk Management

B-10 emphasizes concentration risk arising from dependencies on single providers or interconnected provider networks. Geographic concentration where multiple critical services depend on specific locations creates correlated failure risks. Provider concentration where single vendors support multiple business lines amplifies impact from individual failures.

Fourth-party concentration may be less visible but equally significant. Multiple third parties relying on common infrastructure providers, cloud platforms, or telecommunications networks create hidden concentrations. Mapping supply chains to identify common dependencies enables concentration management.

Concentration limits and monitoring thresholds help manage aggregate exposures. Board-approved concentration policies establish acceptable levels and trigger heightened oversight as thresholds are approached. Diversification strategies reduce concentration over time where alternatives exist.
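The hidden fourth-party concentration described above only becomes visible once the subcontracting chain is walked, not just the direct vendor list. The following Python is an added illustration, not OSFI material or code from the original briefing: it takes a small constructed inventory (all vendor, provider and region names are hypothetical, as is the 50% threshold standing in for a board-approved limit), computes which providers and regions each critical business service transitively depends on, and flags those whose share of critical services exceeds the threshold. It also reports the direct-contract view for comparison, so the difference between "who we contract with" and "who we actually depend on" is explicit.

```python
"""Mapping hidden third- and fourth-party concentration.

Added illustration, not OSFI or Zeph Tech material. All vendor, provider and
region names are hypothetical and the inventory is constructed for the
example. MAX_SHARE is a placeholder for whatever limit the board has approved.
"""
from collections import defaultdict, deque


def transitive_providers(third_party, subcontractors):
    """Return the third party plus every provider it depends on at any depth.

    Breadth-first walk over disclosed subcontracting; the visited set copes with
    cycles and with providers that have not disclosed any subcontractors.
    """
    seen = set()
    queue = deque([third_party])
    while queue:
        provider = queue.popleft()
        if provider in seen:
            continue
        seen.add(provider)
        queue.extend(subcontractors.get(provider, ()))
    return seen


def direct_exposure(critical_services):
    """Provider -> set of critical services that contract with it directly."""
    exposure = defaultdict(set)
    for service, vendors in critical_services.items():
        for vendor in vendors:
            exposure[vendor].add(service)
    return dict(exposure)


def transitive_exposure(critical_services, subcontractors):
    """Provider -> set of critical services that depend on it at any depth."""
    exposure = defaultdict(set)
    for service, vendors in critical_services.items():
        for vendor in vendors:
            for provider in transitive_providers(vendor, subcontractors):
                exposure[provider].add(service)
    return dict(exposure)


def region_exposure(provider_exposure, provider_region):
    """Region -> set of critical services with any dependency delivered from it."""
    exposure = defaultdict(set)
    for provider, services in provider_exposure.items():
        exposure[provider_region.get(provider, "undisclosed")].update(services)
    return dict(exposure)


def breaches(exposure, total_services, max_share):
    """(name, share) pairs whose share of critical services exceeds max_share."""
    over = [(name, len(services) / total_services)
            for name, services in exposure.items()
            if len(services) / total_services > max_share]
    return sorted(over, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory (hypothetical names).
# Direct third parties and the material subcontractors each has disclosed.
SUBCONTRACTORS = {
    "core-banking-saas":   ["cloud-east", "payments-gateway-co"],
    "payments-gateway-co": ["cloud-east"],
    "mobile-app-vendor":   ["cloud-east", "push-notify-inc"],
    "push-notify-inc":     ["cloud-east"],
    "kyc-screening-co":    ["cloud-west"],
    "hr-payroll-saas":     ["cloud-west"],
}

# Delivery region for every provider in the chain (hypothetical).
PROVIDER_REGION = {
    "core-banking-saas": "ca-east", "payments-gateway-co": "ca-east",
    "mobile-app-vendor": "ca-east", "push-notify-inc": "us-east",
    "kyc-screening-co": "ca-west", "hr-payroll-saas": "ca-west",
    "cloud-east": "ca-east", "cloud-west": "ca-west",
}

# Critical business services and the third parties they contract with directly.
CRITICAL_SERVICES = {
    "retail-payments":   ["core-banking-saas", "payments-gateway-co"],
    "mobile-banking":    ["mobile-app-vendor", "core-banking-saas"],
    "client-onboarding": ["kyc-screening-co", "core-banking-saas"],
    "staff-payroll":     ["hr-payroll-saas"],
}

MAX_SHARE = 0.5  # placeholder for the board-approved concentration limit


def assess(critical_services=CRITICAL_SERVICES, subcontractors=SUBCONTRACTORS,
           provider_region=PROVIDER_REGION, max_share=MAX_SHARE):
    """Direct, transitive and geographic concentration breaches in one report."""
    total = len(critical_services)
    transitive = transitive_exposure(critical_services, subcontractors)
    return {
        "direct_breaches": breaches(direct_exposure(critical_services), total, max_share),
        "provider_breaches": breaches(transitive, total, max_share),
        "region_breaches": breaches(region_exposure(transitive, provider_region), total, max_share),
    }


if __name__ == "__main__":
    for view, rows in assess().items():
        print(view)
        for name, share in rows:
            print(f"  {name}: {share:.0%} of critical services")
```

In this constructed inventory the direct view flags only the core banking vendor, but the transitive walk shows that the payments gateway (contracted by one service) and the east-region cloud provider (contracted by none) each underlie three of the four critical services, and that the east region as a whole is a single point of correlated failure. That gap between direct and transitive exposure is the kind of finding the concentration policy's thresholds and escalation triggers are meant to surface.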

Exit and Contingency Planning

Exit strategies ensure institutions can end third-party relationships without unacceptable disruption. Exit plans should address transition to alternative providers, in-house capabilities, or wind-down scenarios. Plans require sufficient detail to execute under various conditions including adverse circumstances where third parties may not cooperate.

Contingency planning addresses third-party failure scenarios. Business continuity plans should incorporate third-party dependencies and establish response procedures. Recovery time objectives for third-party-dependent processes inform planning priorities. Workaround procedures enable continued operations during third-party disruptions.

Testing validates exit and contingency plan effectiveness. Tabletop exercises explore decision-making and coordination under stress. Technical testing validates data extraction, system migration, and operational transition capabilities. Lessons learned from testing drive plan improvements.

Resilience Testing Requirements

Operational resilience testing should incorporate third-party dependencies. Scenario testing examines impacts from third-party disruptions on critical business services. Testing scope should include cyber incidents affecting vendors, service outages, and provider failures. Results inform both institutional and third-party resilience improvements.

Third parties supporting critical operations should participate in or be subject to resilience testing. Contractual provisions should enable testing participation where appropriate. Third-party resilience capabilities including business continuity arrangements and incident response should be assessed and monitored.

Testing programs should evolve based on risk developments and lessons learned. New threats, changed dependencies, and incident experiences should inform testing scenarios. Regular testing cadences maintain preparedness while allowing scenario variation to avoid complacency.

Incident and Issue Management

Third-party incidents require prompt detection, assessment, and response. Contractual notification obligations ensure institutions learn of incidents affecting their data or services. Incident assessment procedures evaluate impact severity and determine response requirements. Escalation procedures engage appropriate management and oversight attention.

Issue management addresses control deficiencies and performance gaps identified through monitoring. Risk-based remediation prioritization focuses attention on significant issues. Tracking and reporting mechanisms ensure issues progress toward resolution. Persistent or severe issues may warrant relationship reconsideration.

OSFI notification requirements apply to certain third-party incidents. Institutions must understand when regulator notification is required and maintain capabilities for timely reporting. Post-incident analysis identifies improvements to prevent recurrence or mitigate future impact.

Supervisory Expectations and Examination Readiness

OSFI examinations will assess the effectiveness of third-party risk management programs. Documentation of policies, procedures, and governance arrangements supports examination readiness. Evidence of ongoing monitoring, issue remediation, and board oversight demonstrates that the program is operating as designed. Risk assessments and control testing results evidence the risk management activities actually performed.

Self-assessment against B-10 requirements identifies gaps before regulatory examination. Internal audit coverage of third-party risk management provides independent assurance. Remediating identified deficiencies before examination reduces adverse findings. A record of continuous improvement demonstrates program maturity.

Peer benchmarking helps calibrate program adequacy. Industry discussions, regulatory guidance, and examination experiences provide insight into supervisory expectations. Program investments should reflect both regulatory requirements and institutional risk profile.

Documentation

  1. OSFI Guideline B-10 — Third-Party Risk Management — Office of the Superintendent of Financial Institutions
  2. OSFI B-10 Questions and Answers — Office of the Superintendent of Financial Institutions
  3. ISO 37000:2021 — Governance of Organizations — International Organization for Standardization