Principle 11: Both the FRFI and its third party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFI's risk appetite. Concentration risk is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of, and/or geographically concentrated, third-party providers or subcontractors. Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions. Developing a structure for scoping, planning, and executing third-party risk audits. The FRFI should also ensure that it has an ongoing line of sight into the third party's use of subcontractors.
be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements. In determining the level of risk and criticality, the FRFI should consider, among other things: the third party's use of subcontractors; the potential for loss or harm to the FRFI in the event that the third party or a material subcontractor fails to meet expectations, whether due to service disruption, outage, cyber security breach or any other reason; the ability of the FRFI to assess controls at the third party and continue to meet regulatory and legal requirements in respect of activities performed by the third party, particularly in the case of disruption; the substitutability of the third party, including the portability and timeliness of a transfer of services; the potential impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house; the financial health of the third party and the potential step-in risk, whereby the FRFI is required to provide financial support to the third party or take over the third party's business; the degree of the FRFI's or the industry's reliance on, or concentration of, the third party (see Section 2.2.3); and. To ensure that remediation actions are sufficient, the FRFI should request that the third party perform root cause analysis and share the results for any incidents, commensurate with the severity/potential impact of the incident on the FRFI. aggregate reporting to Senior Management on third-party risk exposure and trends to inform the FRFI's current and emerging risk profile, including an inventory of third-party providers delineated by level of risk and criticality of the provider.
Third-party risk scenarios could include, but would not be limited to: operational disruption at the third party due to people, inadequate or failed processes and systems, or external events (e.g., cyber incidents); insolvency of, or operational disruption at, a material subcontractor (Footnote 6); political, geographic, legal, environmental, or other risks impeding the third party or its material subcontractors from providing services according to its arrangement with the FRFI; risks arising from interconnections between multiple third parties and multiple FRFIs; corruption of FRFI data or FRFI data breaches (Footnote 7); and. However, the FRFI retains accountability for all its business activities, functions, and services outsourced through third-party arrangements, for data exchanged with the third party or data to which the third party has access, and for managing risks arising from third-party arrangements.
Third-Party Risk Management and
Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties. Notifications to the FRFI: The agreement should require the third party to notify the FRFI of: incidents/events (at the third party or a subcontractor) that impact or could potentially impact the services provided, the FRFI's customers/data or the FRFI's reputation; technology and cyber security incidents (at the third party or a subcontractor) to enable the FRFI to comply with its reporting requirements under OSFI's The TPRMF should reflect the FRFI's risk appetite and be consistent with its operational or enterprise risk management frameworks. Insurance Companies Act, and ss. The criticality of the third-party arrangement is an important input into the assessment of both: the third-party arrangement's level of risk; and. Dispute resolution: The agreement should incorporate a protocol for resolving disputes. 262(3.1) of the At a minimum, OSFI expects the FRFI to include in written agreements the provisions that are set out in
The FRFI should employ a range of audit and information gathering methods (e.g., independent reports provided by third parties, individually performed or pooled audits). The FRFI and OSFI should also be able to access audit reports in respect of the service being performed for the FRFI. The agreement should also specify whether and how the third party has the right to use the FRFI's assets (e.g., data, hardware and software, system documentation or intellectual property), including authorized users, and the FRFI's right of access to those assets. 244(1) of the The third-party agreement should specify the type and frequency of information to be reported to the FRFI by the third party. Among the mitigating actions and controls that the FRFI may consider are the development of redundancies, workarounds, business continuity measures, and other resiliency mechanisms. Outcome: Governance and accountability structures are clear, with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience. The FRFI should ensure that its written agreements with third parties contain adequate provisions to enable the FRFI to comply with its reporting requirements under OSFI's The FRFI Statutes require FRFIs to keep copies of the Records at their head office, or at such other place in Canada as the directors of the FRFI think fit.
At minimum, due diligence should consist of the following non-exhaustive factors: Experience, technical competence, and capacity of the third party to implement and support the activities it is being engaged to provide, including, where applicable, the experience, technical competence, and capacity of material subcontractors; Financial strength of the third party to deliver successfully on the third-party arrangement; Compliance with applicable laws, rules, regulations and regulatory guidance within Canada and other relevant jurisdictions; Potential reputation risk associated with the third-party relationship or its services, including the existence of any recent or pending litigation, investigation or complaints against the third party; Strength of the third party's risk management programs, processes, and internal controls as well as the reporting environment (the FRFI should determine if there is alignment with the FRFI's risk management processes and controls); manage technology and cyber risks in accordance with the expectations outlined in OSFI's Guideline B-13. For example, the agreement should, among other things, remain valid and enforceable in resolution provided there is no default in payment obligations. making substitutability of the third party more difficult; increasing the likelihood that the insolvency of, or an operational disruption at, a third party or its subcontractor has ramifications for the FRFI or throughout the financial services industry; exposing the FRFI or the financial services industry to increased impact of natural disasters or other external events; and.
Security of records and data: The agreements should govern the confidentiality, integrity, security, and availability of records and data. NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defines portability as the ability for data to be moved from one cloud system to another, or for applications to be ported and run on different cloud systems, at an acceptable cost.
Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed. Pricing: The agreement should set out the basis for calculating fees relating to the services being provided. Federally regulated financial institutions (FRFIs) engage in business and strategic arrangements with external parties (entities or individuals) to perform business activities, functions, and services in support of their own operations or their business strategy. provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFI's Oct 15, 2018. For clarity, the third-party risk management expectations set out in this Guideline are not intended to replace or substitute for, but rather to serve in addition to, appropriate counterparty credit risk and market risk management activities applied in respect of financial market infrastructures. The FRFI should assess whether the existence of material subcontracting might negatively impact its operational and financial resilience during a significant disruption within the third party's supply chain, and whether this impact could outweigh the benefits of the arrangement. That is, a failure in performance of the third party could cause significant harm to the FRFI's operations and/or reputation. The FRFI's senior management should also be satisfied that third-party arrangements are in alignment with the FRFI's risk appetite and managed proportionate to the level of risk and criticality. 244(3.1) of the Annex 2 of this Guideline. In those circumstances, the FRFI must provide OSFI with immediate, direct, complete and ongoing access to the Records that are stored outside Canada (Footnote 11).
Consistent with Guideline E-15 (Appointed Actuary: Legal Requirements, Qualifications and Peer Review), the FRFI may use an actuary working in the company's external auditor firm for the external review of the appointed actuary's work and reports. All rights reserved. Standardized Contracts/Special Arrangements, 3.2. The FRFI should develop cloud-specific requirements to ensure that cloud adoption occurs in a planned and strategic manner. The FRFI's criteria to assess the risks of third-party arrangements should be comprehensive and focus on higher-risk arrangements, while maintaining oversight of other arrangements in accordance with the FRFI's risk-based approach. Trust and Loan Companies Act. In situations where a standardized contract, or no formal contract or agreement, supports the arrangement, OSFI still expects the FRFI to have a third-party risk management program that covers the relationship and that is proportionate to the level of risk and criticality of the third-party relationship. Once the framework is designed, OSFI may provide relevant guidance as appropriate. The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement. Prudent risk management: The agreement should include any additional provisions necessary for the FRFI to prudently manage its risks in compliance with this Guideline.
Principle 9: The FRFI's agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. The FRFI should also have the right to conduct or commission an independent audit of a third party. Regulatory compliance: The agreement should enable the FRFI to comply with all applicable legislative and regulatory requirements, including, but not limited to, location of records and privacy of client information (Footnote 16). However, FRFIs may often receive, or use, products or services from providers, such as utilities, internet providers, financial market infrastructures, and others, under pre-defined terms and conditions in standard contracts with a limited ability to tailor contract terms.
Monitoring should be conducted at the individual arrangement level, as well as at an aggregate business unit, segment, platform, and enterprise level.
Please see Sections 2.3.2.1 and 2.3.2.2 of this Guideline. Annex 1 of this Guideline. Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered into by third parties, including the impact of these arrangements on concentration risk. Electronic Records must be capable of being reproduced in intelligible written form within a reasonable period of time.
However, there are potential risks arising from third-party arrangements that can threaten the FRFI's operational and financial resilience. Subcontracting risk stems from the complexity and interdependency of the third party's supply chain.
The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation. The FRFI should ensure that the third party has the capacity to monitor and manage risks arising from the use of subcontractors, including, where feasible, through audit rights and/or access to independent audit reports. Draft Revised Guideline B-10 Risks posed by third parties are identified and assessed. Please see Section 3 of this Guideline for OSFI expectations related to such third-party arrangements. periodically on an ongoing basis, proportionate to the level of risk and criticality, or whenever there are material changes to the third-party arrangement, such as the nature of the arrangement or its criticality. To determine the appropriate level of mitigation, the FRFI should assess concentration risk both prior to entering a contract or agreement and on an ongoing basis. 262(1) of the The FRFI should establish processes to confirm regularly that the residual risk of its third-party arrangements, individually and in aggregate, remains within the FRFI's risk appetite. OSFI expects the FRFI to manage third-party risks in a manner that is proportionate to the level of risk and complexity of the FRFI's third-party ecosystem.
239(3.1) of the Subcontracting diminishes the FRFI's ability to manage the risk related to such arrangements and can increase the overall risk related to the use of certain third parties. Bank Act, ss.
Copyright 2022 The Institute of Internal Auditors. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight. The FRFI should monitor its third-party arrangement(s) to ensure that the service is being delivered in accordance with the terms of the agreement, and that the third party remains financially sound. Risks posed by third parties are managed and mitigated within the FRFI's risk appetite framework. Please see ss.
The TPRMF should set out how the FRFI will identify and assess, manage and mitigate, and monitor and report on third-party risk. Principle 10: The FRFI should monitor its third-party arrangements to verify the third party's ability to continue to meet its obligations and effectively manage risks.
Please refer to OSFI's An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement.
notification requirements if there is a breach of security. Business continuity and recovery: The agreement should require the third party to outline measures for ensuring continuity of services in the event of disruption, including testing and reporting expectations and mitigation requirements, as well as requirements for the third party to monitor and manage technology and cyber security risk.
Such risk assessments should, at minimum: determine whether the arrangement aligns with the FRFI's risk appetite for third-party risk and other relevant risks; establish the level of risk and criticality; and. Before entering an arrangement with a third party (whether written or not) and on an ongoing basis thereafter, the FRFI should perform due diligence. Insurance Companies Act, and the Processes established should take reasonable steps to assess concentration risk over multiple dimensions, including geography, supplier, and subcontractor. Agreements should establish, among other things: the scope of the records and data to be protected; availability of the records and timely access to data by the FRFI and OSFI, upon request; controls and monitoring over the third party's use of the FRFI's systems and information; clear responsibilities of each party in managing data security; which party is liable for any losses that might result from a security breach; and. OSFI expects electronic Records to be accessible and intelligible without incurring additional costs and by using readily available commercial applications. Ownership and access: The agreement should identify and establish ownership of all assets (intellectual and physical) related to third-party arrangements, including assets generated or purchased pursuant to the arrangement. Governance and accountability structures are clear, with comprehensive risk management strategies and frameworks in place to contribute to ongoing operational and financial resilience. contractual provisions allowing the FRFI to commission or conduct an audit of the subcontractor. ability of subcontractors to meet legal and regulatory requirements.
The FRFI should establish a TPRMF that provides an enterprise-wide view of its exposures to third parties. Refer to Guideline B-13. Insurance Companies Act. Such arrangements include, among other things: outsourced activities, functions, and services (Footnote 3); brokers (e.g., mortgage, insurance, deposit brokers); utilities (e.g., power sources, telecommunications); financial market infrastructures (Footnote 4) (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures); services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, and technology companies that deliver financial services) (Footnote 5). Third-party risk is the risk to the FRFI's operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. The FRFI should establish exit plans proportionate to the level of risk and criticality of individual third-party arrangements to ensure continuity of the FRFI's operations through normal and stressed times. Third-party provider, subcontractor and geographic concentration have the potential to increase overall risk to FRFIs and the financial services industry by: Criticality is the degree of impact of the third-party arrangement on the FRFI's risk profile, operations, strategy and/or financial condition.
A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI's provision of a significant operation, function, or service. The FRFI should have contingency plans for its critical third-party arrangements. As applicable, joint design and testing of business continuity plans and disaster recovery plans should be considered between the third party and the FRFI, commensurate with the criticality of the service. Outlining key roles, responsibilities, and risks in managing third-party providers. Climate Risk Management until Among other ways, the FRFI might achieve this by: contractual provisions prohibiting the use of subcontractors for certain functions; requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained or substituted to carry out some of the functions contracted for the third party to perform; reserving a right of the FRFI to refuse a subcontractor; and.
At minimum, the TPRMF should establish and govern the following elements: accountability for third-party risk management, including for relevant oversight functions; clear roles and responsibilities for overseeing and managing third-party arrangements and associated risk management processes; third-party risk appetite and measurement (e.g., limits, thresholds and key risk indicators); methodology for assessing the level of risk and criticality of third-party arrangements; policies, standards, systems and processes governing third-party risk, which are approved, regularly reviewed and consistently implemented enterprise-wide; processes and systems for identifying, assessing, managing, monitoring, measuring, and reporting on third-party compliance with contractual provisions and/or service level agreements, including processes for managing exceptions and incidents; processes for identifying, assessing, managing, monitoring, measuring, and reporting on third-party risks (including, among others, technology, cyber, concentration, business continuity, strategic and financial risks), and the contribution of third-party arrangements in aggregate to the FRFI's overall level of risk; and. Criticality should also be reviewed periodically. This does not prohibit the external auditor from providing a non-recurring service to evaluate a discrete item or program, if the service is not, in substance, the outsourcing of an internal audit function. Throughout this document, the term subcontractors refers broadly to the third party's supply chain. Recommended Roles and Responsibilities: The agreement should clearly establish the roles and responsibilities of the FRFI, the third party and any material subcontractors of the third party, including for managing technology and cyber risks and controls.
Determining whether the organization has a third-party risk management structure that results in a patchwork approach, and, if so, how to bring it together into an enterprise-wide framework.

