On April 24, 2023, the Office of the Superintendent of Financial Institutions (OSFI) published its final revised Guideline B-10: Third-Party Risk Management (the Guideline), setting out associated risk management expectations for federally regulated financial institutions (FRFIs).

As previously reported by the E-TIPS® Newsletter here, OSFI considers that the growing number of dominant third-party service providers in key areas of the economy increases the risk of FRFIs being unable to deliver critical services if such third-party service providers are disrupted. OSFI expects FRFIs to manage risks related to third-party arrangements by adhering to the updated Guideline, and emphasizes that FRFIs retain accountability for business activities, functions, and services outsourced to a third party.

The Guideline presents the following six expected outcomes for FRFIs to achieve through effective third-party risk management:

  1. Governance and accountability structures are clear with comprehensive risk management strategies and frameworks in place.
  2. Risks posed by third parties are identified and assessed.
  3. Risks posed by third parties are managed and mitigated within the FRFI’s risk appetite framework.
  4. Third party performance is monitored and assessed, and risks and incidents are proactively addressed.
  5. The FRFI’s third-party risk management program allows the FRFI to identify and manage a range of third-party relationships on an ongoing basis.
  6. Technology and cyber operations carried out by third parties are transparent, reliable, and secure.

With an effective date of May 1, 2024, OSFI maintains that the Guideline provides adequate time for regulated entities to self-assess and ensure compliance. OSFI expects that third-party arrangements commencing after the effective date will adhere to the Guideline, while those entered prior to the date will be updated to meet compliance on the effective date or as soon as possible thereafter.

Summary By: Steffi Tran


23 05 03

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.