Spotlight on Canada’s approach to managing third party risk in the finance sector

Update 3 May 2023: The office of the superintendent of Financial Institutions (OSFI) have now released their revised B-10 guidelines setting out a new set of expectations in the way financial institutions manage third party risk. Impacted organisations must adhere to the new guidelines by its effective date of 1 May 2024 or face the consequences.

The global cyber and regulatory landscape is transforming rapidly, with many more countries adopting their own regulatory frameworks, including the Digital Operational Resilience Act (DORA) in the EU, and new regulations by the Prudential Regulation Authority (PRA) in the UK and Monetary Authority of Singapore (MAS) in Singapore.

Canada is the latest country to renew its focus on resilience with the Canadian regulatory body, the Office of the Superintendent of Financial Institutions (OSFI), currently consulting on new expectations for the way financial institutions manage third-party risk. This will closely mirror new regulations in other countries and will shake up the way institutions in the sector must operate.

Following the call for input from the OSFI, John Boruvka, Vice President, Sales - US for NCC Group Software Resilience, provides an overview of the key points to note.

What would the proposed new guidance involve?

The proposed changes will apply to all Federally Regulated Financial Institutions (FRFI), which includes all banks, loan companies and insurance firms. These firms will be required to implement stronger governance and risk management programmes to remain resilient throughout their supply chain.

Meanwhile, the OSFI has extended its definition of third-party risk to encompass everything from technology, cyber and data security through to operational, business continuity, supply chain and concentration risks.

An increasing reliance on third parties to deliver critical functions within the industry make the changes especially important as financial institutions undergo rapid digital transformation and expand their supply chain risk. Behind every digital transformation programme is a complex ecosystem of innovative third-party solutions with ever more reliance on the cloud, meaning that supply chain risk management becomes ever more important.

What does this mean for organizations?

As a principle-based regulator, OSFI avoids outlining prescriptive and detailed rules, so does not advise specific solutions for operational continuity. This is different to other regulators around the world, such as the UK (PRA) and Singapore (MAS), which have explicitly encouraged organizations to utilize escrow solutions to strengthen resilience. That said, under the new guidelines, organizations will be required to establish exit strategies that ensure the continuity of critical services.

In OSFI’s revised B-10 guidelines, which outline the new approach, the regulator recommends that organizations implement holistic third-party risk management programs. These should include making specific arrangements to manage technology and cyber risk through the use of software escrow and verification and prioritizing resilience by design.

Escrow and verification solutions are vital to add reassurance and demonstrable proof of how services can be maintained during and after any disruption and should absolutely be at the core of any exit strategy.

What’s next for Canada regulation?

The OSFI invited public comments on its revised guidelines and issued the final guidelines in April 2023. This move from the OSFI marks Canada’s involvement in a global movement to strengthen resilience in the finance sector, and it is likely that we will see more similar regulatory guidance in Canada and beyond in the future.

In the meantime, institutions should establish clear roles and responsibilities, compliance with cyber standards, cloud-specific requirements and the consideration of cloud portability when managing and mitigating the risks of using third party suppliers.