auditing third party risk management pdf


The agreement should also specify whether the third party must continue providing the service during a dispute and the resolution period, as well as the jurisdiction, governing law(s), and rules under which the dispute will be settled. Subcontracting risk stems from the complexity and interdependency of the third party's supply chain. For clarity, the third-party risk management expectations set out in this Guideline are not intended to replace or substitute for, but rather to serve in addition to, appropriate counterparty credit risk and market risk management activities applied in respect of financial market infrastructures. The FRFI should have contingency plans for its critical third-party arrangements. Please see Section 3 of this Guideline for OSFI expectations related to such third-party arrangements. To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work (Footnote 1). OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement. NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defines portability as the ability for data to be moved from one cloud system to another or for applications to be ported and run on different cloud systems at an acceptable cost. The robustness and frequency of the FRFI's third-party risk management activities (e.g., risk assessment, mitigation, monitoring, measuring, and reporting) should be proportionate to the level of risk and criticality associated with the third-party arrangement. Arrangements with the external auditor can give rise to conflicts of interest.
The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution. For this purpose, actuarial services relate to the determination of an amount to be recorded in the financial statements of the FRFI or work normally undertaken by its appointed actuary. FRFIs should implement the expectations in this Guideline proportionate to their size, the nature, scope, and complexity of their operations, and their risk profile. Technology and Cyber Risk in Third-Party Arrangements; Annex 1: Examples of Due Diligence Consideration; Annex 2: Minimum Provisions for Third-Party Agreements.

At minimum, the TPRMF should establish and govern the following elements:
- accountability for third-party risk management, including for relevant oversight functions;
- clear roles and responsibilities for overseeing and managing third-party arrangements and associated risk management processes;
- third-party risk appetite and measurement (e.g., limits, thresholds and key risk indicators);
- methodology for assessing the level of risk and criticality of third-party arrangements;
- policies, standards, systems and processes governing third-party risk, which are approved, regularly reviewed and consistently implemented enterprise-wide;
- processes and systems for identifying, assessing, managing, monitoring, measuring, and reporting on third-party compliance with contractual provisions and/or service level agreements, including processes for managing exceptions and incidents;
- processes for identifying, assessing, managing, monitoring, measuring, and reporting on third-party risks (including, among others, technology, cyber, concentration, business continuity, strategic and financial risks), and the contribution of third-party arrangements in aggregate to the FRFI's overall level of risk; and
- making substitutability of the third party more difficult;
- increasing the likelihood that the insolvency of or an operational disruption at a third party or its subcontractor has ramifications on the FRFI or throughout the financial services industry;
- exposing the FRFI or the financial services industry to increased impact of natural disasters or other external events; and

The FRFI should conduct such assessments: prior to entering into the third-party arrangement (see Section 2.2.2); regularly throughout the lifecycle of the arrangement at a frequency and scope proportionate to the level of risk and criticality; and

Pricing: The agreement should set out the basis for calculating fees relating to the services being provided.

Principle 10: The FRFI should monitor its third-party arrangements to verify the third party's ability to continue to meet its obligations and effectively manage risks.
Accordingly, Records should be updated daily or at the frequency with which they change. Third-Party Arrangements with the External Auditor, 4.

At minimum, due diligence should consist of the following non-exhaustive factors:
- Experience, technical competence, and capacity of the third party to implement and support the activities it is being engaged to provide, including, where applicable, the experience, technical competence, and capacity of material subcontractors;
- Financial strength of the third party to deliver successfully on the third-party arrangement;
- Compliance with applicable laws, rules, regulations and regulatory guidance within Canada and other relevant jurisdictions;
- Potential reputation risk associated with the third-party relationship or its services, including existence of any recent or pending litigation, investigation or complaints against the third party;
- Strength of the third party's risk management programs, processes, and internal controls as well as the reporting environment (the FRFI should determine if there is alignment with the FRFI's risk management processes and controls);
- manage technology and cyber risks in accordance with the expectations outlined in OSFI's Guideline B-13: Technology and Cyber Risk Management

Use of subcontractors: The agreement should establish parameters on the use of subcontractors and require the third party to notify the FRFI of any subcontracting of services so that the FRFI may conduct due diligence, as well as assess and manage the risk of the subcontractors and any potential impacts from a change in service. The agreement should include requirements and procedures for the third party to report events in a timely manner to the FRFI that may have the potential to materially affect the risks and delivery of the service.
In addition, the FRFI should evaluate and consider the impact of use of subcontractors on the concentration risk of third-party arrangements (refer to 2.2.3 above). OSFI recognizes that technology and cyber risk in third-party arrangements presents elevated vulnerabilities to the FRFI. OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment. Technology and Cyber Security Incident Reporting Advisory;
- Strength of the third party's information security programs including their alignment with the FRFI's programs;
- The third party's capacity to provide critical services through disruption by examining its business continuity and disaster recovery plans, including the quality of such plans and the frequency and results of testing;
- The third party's reliance on, and capacity to, manage subcontractors;
- Impact of the third-party arrangement, including its subcontractors, on concentration risk;
- Geographic location of the third party's and its material subcontractors' operations;
- Ability and ease of substituting the third party with another third party and impact of such substitution on the FRFI's operations;
- Portability of applications/services provided by a third party to another third party or the FRFI;
- Third party's business objectives, human resource policies, service philosophies, business culture, and their alignment with those of the FRFI; and

Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight. OSFI recognizes that there are certain third-party arrangements for which a customized contract may not be feasible, or for which a formal contract or agreement may not exist.

Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered by third parties, including the impact of these arrangements on concentration risk. Outcome: Risks posed by third parties are managed and mitigated within the FRFI's Risk Appetite Framework.

Trust and Loan Companies Act (collectively, the FRFI Statutes), contain requirements with respect to certain records that FRFIs must prepare and maintain (the Records) (Footnote 8). OSFI expects the Records to be updated and accurate as at the end of each business day (Footnote 9), and that the Records will be sufficiently detailed to enable: OSFI to conduct an examination and inquiry into the business and affairs of the FRFI; OSFI to manage the FRFI's assets, prior to the appointment of a liquidator, should the Superintendent take control of the FRFI's assets; and

ability of subcontractors to meet legal and regulatory requirements.

The criticality of the third-party arrangement is an important input into the assessment of both: the third-party arrangement's level of risk; and

Technology and Cyber Security Incident Reporting Advisory; significant organizational/operational changes.

A third-party arrangement is any business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise (e.g., another form of agreement or the conduct of the parties). Please see Sections 2.3.2.1 and 2.3.2.2 of this Guideline. Prudent risk management: The agreement should include any additional provisions necessary for the FRFI to prudently manage its risks in compliance with this Guideline. Developing a structure for scoping, planning, and executing third-party risk audits. In addition to minimum expectations articulated earlier in this guideline, the FRFI should consider additional controls to manage technology and cyber risks stemming from its third-party arrangements. Climate Risk Management until the FRFI's overall operational and financial resilience. The absence of a written arrangement (Footnote 14) does not obviate the existence of a third-party relationship. Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions.

The FRFI should ensure that its written agreements with third parties contain adequate provisions to enable the FRFI to comply with its reporting requirements under OSFI's

A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI's provision of a significant operation, function, or service. Among the mitigating actions and controls that the FRFI may consider are the development of redundancies, workarounds, business continuity measures, and other resiliency mechanisms.

contractual provisions allowing the FRFI to commission or conduct an audit of the subcontractor.

The TPRMF should be developed to span the lifecycle of a third-party arrangement, from sourcing and due diligence of a third-party provider to potential exit from the third-party arrangement. Such documented plans should:
- encompass both planned and unplanned exits, such as a provider's default, non-performance or prolonged disruption, and establish triggers for invoking exit/contingency plans;
- establish a set of activities to perform when exiting because of stressed circumstances, such as following the failure or insolvency of the service provider (a playbook for stressed exit);
- establish a set of activities to perform when exiting through a planned and managed exit due to commercial, performance, or strategic reasons (a playbook for non-stressed exit);
- take into account contractual provisions impacting exit, such as notification requirements and provisions obliging the third party to provide services over a prescribed period of time following notification of termination;
- contain sufficient detail (e.g., alternative options or providers, supported by timelines, costs, resourcing, revenue impacts, and interim workarounds) as to allow rapid execution;
- address severe but plausible scenarios and set out documented plans for each scenario; and

Technology and Cyber Risk Management for OSFI's expectations on FRFI technology and cyber risk management.

be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements.

develop a plan, with appropriate intensity of monitoring and mitigating actions, to manage the arrangement within the FRFI's risk appetite.

An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement. Foreign bank branches refers to foreign banks authorized to carry on business in Canada on a branch basis under Part XII.1 of the

Throughout the process, concentration should be considered within the FRFI's business functions/units and legal entities, and across the FRFI's entire organization.

Such arrangements include, among other things:
- outsourced activities, functions, and services (Footnote 3);
- brokers (e.g., mortgage, insurance, deposit brokers);
- utilities (e.g., power sources, telecommunications);
- financial market infrastructures (Footnote 4) (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures);
- services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and
- other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services) (Footnote 5).

Third-party risk is the risk to the FRFI's operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. Sample audit guidance is offered, making this a robust resource with tangible tools. To determine the appropriate level of mitigation, the FRFI should assess concentration risk both prior to entering a contract or agreement and on an ongoing basis.
Where necessitated by risk and criticality, the FRFI should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards, or recognized industry standards, for mitigating risk, notably in the areas of access management and data security and protection. Third-party agreements are expected to set out each party's responsibilities for the confidentiality, availability and integrity of records and data. The FRFI should consider strategies (e.g., multi-cloud design) to build resilience and mitigate cloud service provider concentration risk. Ownership and access: The agreement should identify and establish ownership of all assets (intellectual and physical) related to third-party arrangements, including assets generated or purchased pursuant to the arrangement. Concentration risk is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of and/or geographically concentrated third-party providers or subcontractors. Outcome: The FRFI's risk management program is dynamic and actively captures and appropriately manages a range of third-party arrangements and interactions.

Subcontracting diminishes the FRFI's ability to manage the risk related to such arrangements and can increase the overall risk related to the use of certain third parties. For certain types of information, such as reinsurance arrangements or files on more complex activities, reproduced electronic Records may not be sufficient for OSFI's review and the executed copy may need to be available, upon OSFI's request. Copyright 2022 The Institute of Internal Auditors. This should include reports that allow the FRFI to assess whether performance measures are being met and any other information required for the FRFI's monitoring program, including risk measures (see Section 2.4). This guideline is not intended to impede the establishment or operations of such a framework. Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.
In determining the level of risk and criticality, the FRFI should consider, among other things:
- the third party's use of subcontractors;
- the potential for loss or harm to the FRFI in the event that the third party or material subcontractor fails to meet expectations, due to service disruption, outage, cyber security breaches or any other reason;
- the ability of the FRFI to assess controls at the third party and continue to meet regulatory and legal requirements in respect of activities performed by the third party, particularly in the case of disruption;
- substitutability of the third party, including the portability and timeliness of a transfer of services;
- the potential impact on business operations if the FRFI needed to exit the third-party arrangement and transition to another service provider or bring the business activity in-house;
- the financial health of the third party and the potential step-in risk, whereby the FRFI is required to provide financial support to the third party or take over the third party's business;
- the degree of the FRFI's or the industry's reliance on or concentration of the third party (see Section 2.2.3); and

whenever there is a material change in the arrangement or third party (including disruption at the third party or in the service provided).

Draft Revised Guideline B-10. These specific requirements should optimize interoperability while operating within the FRFI's stated risk appetite. Outlining key roles, responsibilities, and risks in managing third-party providers. The FRFI should conduct risk assessments of each third-party arrangement to determine the risk and criticality of the arrangement, considering both risks created and reduced (e.g., using suppliers in various jurisdictions to reduce geographic concentration) by the arrangement, as well as potential mitigants.
Such provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor), including providing information on each incident in line with the Advisory.

any other relevant financial and non-financial risks associated with the use of the third party.

Default and termination: The agreement should specify what constitutes a default, or right to terminate, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. The extent and frequency of monitoring should be proportionate to the level of risk and criticality of the third-party arrangement. Monitoring should be conducted at the individual arrangement level, as well as at an aggregate business unit, segment, platform, and enterprise level. Third-Party Risk Management Framework (TPRMF), 3.1. Appropriate notice should be required for termination of the service and, where applicable, the FRFI's assets should be returned in a timely fashion. The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation. Determining whether the organization has a third-party risk management structure that results in a patchwork approach, and, if so, how to bring it together into an enterprise-wide framework. To ensure that remediation actions are sufficient, the FRFI should request that the third party perform root cause analysis and share the results for any incidents, commensurate with the severity/potential impact of the incident on the FRFI. In such cases, the FRFI's risk assessment should consider inherent risks, mitigating controls and other factors to arrive at the final risk rating for these arrangements.
The FRFI should conduct due diligence proportionate to the level of risk and criticality of each third-party arrangement: as part of the contract renewal process; and

Agreements should establish, among other things:
- the scope of the records and data to be protected;
- availability of the records and timely access to data by the FRFI and OSFI, upon request;
- controls and monitoring over the third party's use of the FRFI's systems and information;
- clear responsibilities of each party in managing data security;
- which party is liable for any losses that might result from a security breach; and

Performance measures: The agreement should establish performance measures that allow each party to determine whether the commitments set out in the agreement are being fulfilled. Arrangements with FRFI customers (e.g., depositors and policyholders) are excluded from this definition. Prior to obtaining management consulting services from its external auditor, the FRFI should assure itself that its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements, in respect of such services to be performed by the external auditor. Annex 2 of this Guideline. The FRFI should assess whether the existence of material subcontracting might negatively impact its operational and financial resilience during a significant disruption within the third party's supply chain, and whether this impact could outweigh the benefits of the arrangement.