OSFI B-10: Third-Party risk management for Canadian financial entities
In April 2023, Canada’s Office of the Superintendent of Financial Institutions (OSFI) published its final Third-Party Risk Management Guideline (B-10), which sets out risk management expectations for Federally Regulated Financial Institutions (FRFIs). Find out how to manage OSFI B-10 third-party risk in Canada throughout the engagement lifecycle and how technology is streamlining B-10 compliance.
In brief:
- OSFI B-10 sets out expectations for the full lifecycle of every third-party engagement, from selection to termination, and applies to all FRFIs, including foreign bank branches and foreign insurance company branches.
- B-10 mandates a proportional, risk-based approach to TPRM, and FRFIs are required to assess a third party’s risks and criticality to the institution's operations, strategy, and reputation.
- Leveraging RegTech for OSFI third-party oversight is crucial for operational resilience and auditable compliance since the B-10 update features an increased focus on technology and cyber risk.
Balancing operational efficiency with resiliency risk
While third-party engagements are a vital source of innovation and efficiency for financial institutions, over-reliance on them puts pressure on an institution’s operational resilience as well as its financial resilience. Peter Routledge, Superintendent of Financial Institutions, put it this way: “As the utilization of third-party arrangements has expanded, so too have the attendant risks.”
To enable organizations to assess and manage such risks, OSFI published Guideline B-10 “to ensure financial institutions mitigate risks related to these arrangements,” continues Peter Routledge. Guideline B-10 expects financial institutions to have governance and accountability structures that identify, assess, and monitor third-party risks so that they can be proactively mitigated.
Because B-10 is a guideline rather than a statute, it carries no statutory penalties of its own. But ignore it at your peril: OSFI uses its guidelines as the benchmark in supervision, and consistent failure to meet B-10 expectations can draw supervisory intervention and ultimately affect an institution’s ability to operate in Canada.
B-10 Lifecycle mandates for Federally Regulated Financial Institutions (FRFIs)
OSFI B-10 sets out clear expectations for third-party risk in Canada, shifting the focus from simple checkbox compliance to embedding vendor risk management throughout the entire engagement lifecycle.
Here are the four key stages of the B-10 lifecycle:
- Due diligence: Before selecting a third party, institutions must conduct due diligence proportionate to the risk and criticality of the arrangement. This ‘know your vendor’ process includes a detailed assessment of the vendor’s ability to meet the FRFI’s business objectives and to manage risk.
- Contract clauses: B-10 expects a written contract. Contracts must clearly articulate responsibilities, establish performance metrics, and grant effective monitoring and audit rights. For high-risk arrangements, the contract must include termination clauses allowing for at least 30 days’ notice. The guideline applies to all ‘third-party arrangements’, including traditional FRFI outsourcing and SaaS subscriptions.
- Ongoing monitoring: This phase requires continuous oversight of the third party's performance and risk profile. Effective service level agreement scorecards are necessary to measure performance against agreed-upon metrics.
- Exit plans: Institutions must maintain a documented exit plan for every critical third-party arrangement, ensuring continuity of service if the contract is terminated or the vendor fails. The plan must be tested as well as documented.
Key insight: OSFI’s focus on the entire lifecycle, robust governance, and accountability underscores that third-party risk management is not a one-time event but a continuous, dynamic process that requires ongoing investment of time and resources.
Third-party risk hotspots for Canadian banks and playbooks to overcome them
Reading the B-10 guideline, several areas stand out as risk hotspots that institutions should address first. They are described below, with remedial actions to consider, as an OSFI B-10 checklist for 2025:
1. Concentration risk
- B-10 expects FRFIs to avoid over-reliance on too few vendors, locations, or service providers, since a single failure could then take out several services at once. FRFIs should also assess systemic concentration, for example cloud concentration risk, where the same provider underpins many institutions; B-10’s expectations for cloud arrangements deserve careful attention here.
- Insight: OSFI is now scrutinizing how institutions would manage a simultaneous service outage impacting multiple FRFIs, which is a core feature of concentration risk.
- Playbook action: Develop a 90-day remediation plan to diversify service deployment or create a failover mechanism using a different provider.
2. Data Residency and cross-border subcontracting
- Understanding where your data resides is fundamental, especially with cross-border arrangements.
- Subcontracting introduces a layered risk: the primary vendor uses a sub-vendor, potentially moving data outside Canada without adequate oversight. The institution remains responsible for its own compliance regardless of how many layers sit between it and the data.
- Playbook action: Map all data flows, including those through subcontractors, and run a tabletop exercise that simulates a data breach in a foreign jurisdiction to test notification and recovery procedures.
3. Contractual gaps
- Many institutions discover contractual deficiencies only after an incident has occurred. Contract clauses that FRFIs should insist on include:
- Audit rights: Unambiguous right for the FRFI to audit the third party's controls and records.
- Termination rights: Clear termination clauses with manageable notice periods (e.g., the 30-day requirement).
- Data safeguarding: Specific requirements for data encryption, access controls, and immediate notification of a breach.
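The three hotspots above are, in practice, checks that can be run over a third-party inventory before an examiner does. The following Python script is an added example, not OSFI text and not Global Relay’s code: it walks a constructed inventory of arrangements and flags provider concentration across critical services, data or subcontractors outside Canada, and the contract gaps listed above. The 30-day figure is the one quoted on this page; the concentration cut-off of two critical services, the field names, and the reading of the notice period as the notice the FRFI must give to exit are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Thresholds. The 30-day figure is the one quoted on this page; the other two are
# illustrative assumptions for this example, not numbers taken from OSFI B-10.
HOME_JURISDICTION = "CA"
MAX_TERMINATION_NOTICE_DAYS = 30
MIN_CRITICAL_SERVICES_FOR_CONCENTRATION = 2


@dataclass
class Arrangement:
    """One third-party arrangement as an FRFI might record it in its inventory."""
    service: str                      # what the FRFI consumes
    provider: str                     # primary third party
    critical: bool                    # critical to operations per the FRFI's own rating
    data_jurisdictions: set                # ISO country codes where the provider holds FRFI data
    subcontractors: list = field(default_factory=list)  # (sub-vendor, jurisdiction) pairs
    audit_rights: bool = False
    breach_notification: bool = False
    frfi_termination_notice_days: Optional[int] = None  # notice FRFI must give to exit; None = no clause
    exit_plan_tested: bool = False


def concentration_findings(arrangements):
    """Hotspot 1: one provider underpinning several critical services."""
    critical_by_provider = defaultdict(list)
    for a in arrangements:
        if a.critical:
            critical_by_provider[a.provider].append(a.service)
    return [
        ("concentration", provider,
         f"{provider} underpins {len(services)} critical services: {', '.join(services)}")
        for provider, services in critical_by_provider.items()
        if len(services) >= MIN_CRITICAL_SERVICES_FOR_CONCENTRATION
    ]


def residency_findings(arrangements):
    """Hotspot 2: data outside the home jurisdiction, directly or via a subcontractor."""
    findings = []
    for a in arrangements:
        foreign = sorted(set(a.data_jurisdictions) - {HOME_JURISDICTION})
        if foreign:
            findings.append(("residency", a.service,
                             f"{a.provider} holds data in {', '.join(foreign)}"))
        for sub, jurisdiction in a.subcontractors:
            if jurisdiction != HOME_JURISDICTION:
                findings.append(("subcontracting", a.service,
                                 f"{a.provider} subcontracts to {sub} in {jurisdiction}"))
    return findings


def contract_findings(arrangements):
    """Hotspot 3: the clauses listed above, checked on critical arrangements only."""
    findings = []
    for a in arrangements:
        if not a.critical:
            continue
        if not a.audit_rights:
            findings.append(("contract", a.service, "no audit rights"))
        if not a.breach_notification:
            findings.append(("contract", a.service, "no breach notification clause"))
        if a.frfi_termination_notice_days is None:
            findings.append(("contract", a.service, "no termination clause"))
        elif a.frfi_termination_notice_days > MAX_TERMINATION_NOTICE_DAYS:
            findings.append(("contract", a.service,
                             f"termination notice of {a.frfi_termination_notice_days} days "
                             f"exceeds {MAX_TERMINATION_NOTICE_DAYS}"))
        if not a.exit_plan_tested:
            findings.append(("exit", a.service, "exit plan not tested"))
    return findings


def run_checks(arrangements):
    """All findings as (check, subject, detail) tuples; empty list means nothing flagged."""
    return (concentration_findings(arrangements)
            + residency_findings(arrangements)
            + contract_findings(arrangements))


# Constructed sample inventory; the vendor names are invented for this example.
SAMPLE_INVENTORY = [
    Arrangement("core banking hosting", "NorthCloud", True, {"CA"},
                subcontractors=[("LogSink", "US")], audit_rights=True,
                breach_notification=True, frfi_termination_notice_days=30, exit_plan_tested=True),
    Arrangement("payments switch", "NorthCloud", True, {"CA"},
                audit_rights=True, breach_notification=True, frfi_termination_notice_days=90),
    Arrangement("fraud analytics", "FraudAI", True, {"CA", "IE"},
                audit_rights=False, breach_notification=True, frfi_termination_notice_days=30,
                exit_plan_tested=True),
    Arrangement("marketing email", "MailCo", False, {"US"}),
]

if __name__ == "__main__":
    for check, subject, detail in run_checks(SAMPLE_INVENTORY):
        print(f"[{check}] {subject}: {detail}")
```

On the sample inventory this flags NorthCloud as a concentration point (two critical services), the US subcontractor behind core banking hosting, data held in Ireland and the US, and the payments switch contract for its 90-day exit notice and untested exit plan. The non-critical marketing arrangement is still reported for residency but not for contract gaps, which mirrors the proportionality the guideline asks for; an institution would tune the thresholds and criticality ratings to its own risk appetite.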
How can RegTech accelerate OSFI third-party oversight?
Mastering third-party risk in Canada is about building operational resilience, and this requires moving away from outdated, manual processes and embracing automated solutions, known as RegTech.
Action 1: Ditch the legacy spreadsheet
Using legacy spreadsheets for tracking risk and communication is inefficient and compromises your organization’s audit capabilities. An integrated RegTech for OSFI third-party oversight solution offers a powerful ROI advantage:
| Feature | Legacy spreadsheet | Integrated dashboard/RegTech |
| --- | --- | --- |
| Data source | Manual entry, prone to error | Real-time, API-driven feeds |
| Risk visibility | Static, rear-view mirror | Integrated dashboard for dynamic risk posture |
| Audit trail | Fragmented, hard to prove | Vendor portals as a single source of truth |
| Alerting | None or manual | AI anomaly flags for real-time risk spikes |
Action 2: Optimizing for audits and compliance
RegTech accelerators provide the necessary foundation for demonstrating outsourcing compliance:
- Vendor portals: These centralize all documentation, contracts, and due diligence evidence, making them accessible for audits.
- Comms archiving: Institutions can automatically capture and archive all vendor communication, giving them a complete record of what was agreed, escalated, and reported, and an audit trail that stands up to examination.
B-10 mastery: From compliance to confidence
The OSFI B-10 guideline is not a burden but a framework for reducing financial and reputational risk. Achieving B-10 mastery turns third-party risk management into a source of board-level confidence and positions the institution well with its supervisors.
To solidify this confidence, institutions need robust tools that automate the capture of vendor messages and file exchanges, ensuring every single interaction is part of the official record.
Global Relay offers centralized and secure message and file capture, ensuring your institution maintains a comprehensive and auditable record for outsourcing compliance. Future-proof your tech stack with Global Relay by learning more about our solutions.