Basel Committee reaffirms OSFI’s guidelines for the sound management of third-party risk

Principle

Summary of BCBS Principle

Comparison to OSFI’s requirements

1

Responsibility for the oversight of all third-party service providers (TPSPs) is in the hands of the Board, who should approve a clear strategy for TPSP arrangements within the FRFI’s risk appetite.

OSFI assigns responsibility to the Board for the FRFI’s overall business strategy and setting the FRFI’s risk appetite, which will, in practice, include arrangements with third parties¹.

2

The Board should ensure that senior management implements the third-party risk management framework, including reporting on performance and assessing and mitigating risks.

OSFI makes clear that it is the role of senior management to implement the decisions of the Board, which includes ensuring that policies are adhered to².

3

FRFIs should perform a comprehensive risk assessment to evaluate and manage identified and potential risks throughout a TPSP arrangement.

OSFI identifies performing a comprehensive risk assessment as outcomes 2 and 5 of Guideline B10’s objectives. In addition, this is identical to B10’s principle 3³.

4

FRFIs should conduct due diligence on prospective TPSPs.

This is identical to B10’s principle 4⁴.

5

TPSPs should be governed by legally binding written contracts that clearly describe rights and obligations.

This is identical to B10’s principle 6; however, OSFI includes practical guidance on what to do when this is not feasible in Section 3.2 of B10⁵.

6

FRFIs should dedicate sufficient resources to support a TPSP arrangement.

OSFI makes clear that it is the role of senior management and the Board to mandate resources and budgets for oversight responsibilities, which will, in practice, include the oversight of TPSPs⁶.

7

FRFIs should assess, monitor, and respond to the performance, risks, and criticality of TPSP arrangements and report to senior management on an ongoing basis.

This is identical to B10’s principles 5 and 10⁷.

8

FRFIs should maintain robust business continuity management.

This is identical to B10’s principle 9⁸.

9

FRFIs should maintain exit plans for the termination of TPSP arrangements.

This is encompassed within B10’s principle 9 as set out in Section 2.3.5 of B10⁹.

10

Supervisors should consider third-party risk management as an integral part of ongoing assessment of FRFIs’ operational resilience.

This is addressed in OSFI’s Guidelines E-21 (Principle 2)¹⁰ and B10 (Outcomes 2 and 5)¹¹ as a concern for FRFI’s to address; however, OSFI’s Supervisory Framework (Operational Resilience)¹² addresses the key role supervisors play in overall risk management.

11

Supervisors should analyze potential systemic risks posed by the concentration of one or multiple TPSPs.

This is encompassed within OSFI’s Guidelines B10 (Principle 4 as set out in Section 2.2.3)¹³ and Supervisory Framework (Operational Resilience)¹⁴.

12

Supervisors should coordinate and communicate across sectors and borders to monitor systemic risks posed by critical TPSPs.

Requirements that FRFI’s monitor concentration risk within the FRFI and the banking sector are encompassed within B10’s principle 4 as set out in Section 2.2.3 of B10¹⁵. However, B10 does not require coordination and communication across other sectors and borders. OSFI’s Supervisory Framework (Supervisory Reporting)¹⁶  does prescribe communication with provincial regulators and, where there is a memorandum of understanding, foreign regulators.