The TPRMF should be developed to span the lifecycle of a third-party arrangement, from sourcing and due diligence of a third-party provider to potential exit from the third-party arrangement.
Outcome: Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed.

The FRFI's senior management should also be satisfied that third-party arrangements are in alignment with the FRFI's risk appetite and managed proportionate to the level of risk and criticality.

To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work.Footnote 1 OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement.

The FRFI should establish exit plans proportionate to the level of risk and criticality of individual third-party arrangements to ensure continuity of the FRFI's operations through normal and stressed times.

The agreement should give the FRFI and OSFI the right to evaluate the risk management practices related to the service provided.

Records that change less frequently than daily remain accurate until they change.

OSFI recognizes that there are certain third-party arrangements for which a customized contract may not be feasible, or for which a formal contract or agreement may not exist.

These specific requirements should optimize interoperability while operating within the FRFI's stated risk appetite.
Principle 3: Before entering a third-party arrangement and, periodically thereafter, proportionate to the level of risk and criticality of the arrangement, the FRFI should identify and assess the risks of the arrangement.

The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution.

Before entering an arrangement with a third party, whether written or not, and on an ongoing basis thereafter, the FRFI should perform due diligence.

The extent and frequency of monitoring should be proportionate to the level of risk and criticality of the third-party arrangement.

Foreign bank branches refers to foreign banks authorized to carry on business in Canada on a branch basis under Part XII.1 of the

Concentration risk is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of and/or geographically concentrated third-party providers or subcontractors.

Specifically, the FRFI and OSFI should be able to evaluate the risks arising from the arrangement or appoint independent auditors to evaluate the risk management practices related to the service provided and the risks arising from the relationship on the FRFI's or on OSFI's behalf.

Governance and accountability structures are clear with comprehensive risk management strategies and frameworks in place to contribute to ongoing operational and financial resilience.

The preference is always to have the arrangement documented in a contract; however, OSFI recognizes that there may be situations where obtaining a contract is challenging.
Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties.

Principle 9: The FRFI's agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans.

Criticality should also be reviewed periodically.

OSFI recognizes that technology and cyber risk in third-party arrangements present elevated vulnerabilities to the FRFI.

The criticality of a third-party arrangement should influence the nature and frequency of the FRFI's risk management activities.

Performance measures: The agreement should establish performance measures that allow each party to determine whether the commitments set out in the agreement are being fulfilled.
Where necessary, the FRFI should establish more granular descriptions of the roles, responsibilities, and procedures that apply to each party when managing the configuration of products and systems.

Agreements should establish, among other things: the scope of the records and data to be protected; availability of the records and timely access to data by the FRFI and OSFI, upon request; controls and monitoring over the third party's use of the FRFI's systems and information; clear responsibilities of each party in managing data security; which party is liable for any losses that might result from a security breach; and.

This annex provides a non-exhaustive list of provisions that FRFIs should include in duly executed agreements with third parties (tailored to the circumstances of the third-party arrangement):

Nature and scope of the arrangement: The agreement should specify the nature and scope of the arrangement, including provisions that address the frequency, content and format of services, duration of the agreement, and physical location of the services being provided.

An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement.

These requirements should be accompanied by robust cloud governance to provide proper oversight and monitoring of compliance with the FRFI's risk management practices and alignment to the broader technology strategy.

Unless it is reasonable to conclude that the results of the service will not be subject to audit procedures during an audit of the FRFI's financial statements, the FRFI should not obtain the following services from its external auditor: Any internal audit service related to the internal accounting controls, financial systems, or financial statements of the FRFI.
Outlining key roles, responsibilities, and risks in managing third-party providers.

Arrangements with the external auditor can give rise to conflicts of interest.

Among other ways, the FRFI might achieve this by: contractual provisions prohibiting the use of subcontractors for certain functions; requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained, or substituted, to carry out some of the functions contracted for the third party to perform; reserving a right of the FRFI to refuse a subcontractor; and.

Such provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor), including providing information on each incident in line with the Advisory.

These types of external arrangements, or third-party arrangements, can be beneficial to the FRFI by introducing efficiencies, driving innovation, managing shifting operational needs, and improving services.

If the Records are in electronic form, complete copies must be kept on a computer server(s) physically located at the places stipulated in the FRFI Statutes.Footnote 10 Certain FRFIs are exempted from the requirement to keep copies of the Records at the above noted places in Canada.

Such arrangements include, among other things: outsourced activities, functions, and services;Footnote 3
brokers (e.g., mortgage, insurance, deposit brokers); utilities (e.g., power sources, telecommunications); financial market infrastructuresFootnote 4 (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures); services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services).Footnote 5

Third-party risk is the risk to the FRFI's operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement.
Where necessitated by risk and criticality, the FRFI should establish processes to ensure that third parties with elevated levels of technology and cyber risk comply with FRFI standards, or recognized industry standards, for mitigating risk, notably in the areas of access management and data security and protection.
The Office of the Superintendent of Financial Institutions (OSFI) is extending the comment period for the public consultation processes on
Prior to entering a third-party arrangement, the FRFI should identify and understand risk factors related to the third party's subcontracting practices, including, at minimum: level of subcontracting, including whether there are material subcontractors; geographic locations of subcontractors and any associated political, security, economic, environmental, social, and other risks; ability of subcontractors to provide services in alignment with the performance standards and controls outlined in the third-party contract, including through disruption; and ability of subcontractors to meet legal and regulatory requirements.
reducing the market power of FRFIs vis-à-vis the third party to negotiate favorable arrangements.
Technology and Cyber Risk Management for OSFI's expectations on FRFI technology and cyber risk management.

Insurance Companies Act, and the Trust and Loan Companies Act.

periodically on an ongoing basis proportionate to the level of risk and criticality or whenever there are material changes to the third-party arrangement, such as the nature of the arrangement or its criticality.

Technology and Cyber Risk in Third-Party Arrangements, Annex 1 Examples of Due Diligence Consideration, Annex 2 Minimum Provisions for Third-Party Agreements.

OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment.

Appropriate notice should be required for termination of the service and, where applicable, the FRFI's assets should be returned in a timely fashion.

Insurance Companies Act, and s. 243 of the Trust and Loan Companies Act.

Pricing: The agreement should set out the basis for calculating fees relating to the services being provided.

This does not prohibit the external auditor from providing a non-recurring service to evaluate a discrete item or program, if the service is not, in substance, the outsourcing of an internal audit function.
whenever there is a material change in the arrangement or third party (including disruption at the third party or in the service provided).

Assessment criteria should also be reviewed periodically to ensure that they remain current for the risk landscape.

The FRFI should establish a TPRMF that provides an enterprise-wide view of its exposures to third parties.

Please see Section 3 of this Guideline for OSFI expectations related to such third-party arrangements.

Any data and records should be returned to the FRFI in a format that allows the FRFI to sustain business operations without unreasonable expense.
Accordingly, Records should be updated daily or at the frequency with which they change.

Outcome: Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience.

For example, the agreement should, among other things, remain valid and enforceable in resolution provided there is no default in payment obligations.

The FRFI has the flexibility to arrange its operations in a way that achieves its business and strategic objectives.

As set out earlier in this guideline, and emphasized in Annex 2, establishing clear roles and responsibilities between the FRFI and the third party is essential to managing risk and limiting ambiguity between the parties.

In situations where a standardized or no formal contract or agreement supports the arrangement, OSFI still expects the FRFI to have a third-party risk management program that covers the relationship, and that is proportionate to the level of risk and criticality of the third-party relationship.

When setting responsibilities for technology and cyber controls, the FRFI should consider the risk and criticality of its arrangement.

That is, a failure in performance of the third party could cause significant harm to the FRFI's operations and/or reputation.

Risks posed by third parties are identified and assessed.

To facilitate this outcome, the FRFI should establish and report metrics and associated thresholds to alert senior management when a threshold is being approached, as well as triggers for invoking the FRFI's escalation process.
The TPRMF should set out how the FRFI will identify and assess; manage and mitigate; and monitor and report on third-party risk.

Third-Party Risk Management Framework (TPRMF), 3.1.

The TPRMF should reflect the FRFI's risk appetite and be consistent with its operational or enterprise risk management frameworks.

Customized contracts can be effective tools for the mitigation of third-party risk.

Outcome: Risks posed by third parties are identified and assessed.

NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defined portability as the ability for data to be moved from one cloud system to another or for applications to be ported and run on different cloud systems at an acceptable cost.

Prior to obtaining management consulting services from its external auditor, the FRFI should assure itself that its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements, in respect of such services to be performed by the external auditor.

Monitoring should be conducted at the individual arrangement level, as well as at an aggregate business unit, segment, platform, and enterprise level.

Oct 15, 2018.

A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI's provision of a significant operation, function, or service.
The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement.

In addition, these agreements should specify that the FRFI's data and records be isolated from those of other clients at all times, including during the transfer process and under adverse conditions (e.g., disruption of services).
This guideline is not intended to impede the establishment or operations of such a framework.
In addition, the FRFI should evaluate and consider the impact of the use of subcontractors on the concentration risk of third-party arrangements (refer to 2.2.3 above). A non-exhaustive list of factors to consider is set out in Annex 1 of this Guideline.
Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements.

Office of the Superintendent of Financial Institutions.

The robustness and frequency of the FRFI's third-party risk management activities (e.g., risk assessment, mitigation, monitoring, measuring, and reporting) should be proportionate to the level of risk and criticality associated with the third-party arrangement.

The third-party agreement should specify the type and frequency of information to be reported to the FRFI by the third party.

To determine the appropriate level of mitigation, the FRFI should assess concentration risk both prior to entering a contract or agreement and on an ongoing basis.

The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation.

This Guideline applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches.Footnote 2

The FRFI should have contingency plans for its critical third-party arrangements.
be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements.

This Guideline sets out OSFI's expectations for managing risks associated with third-party arrangements.

provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFI's Technology and Cyber Security Incident Reporting Advisory.

For critical third-party arrangements and those that pose a high risk to the FRFI, OSFI expects that all expectations set out in Section 2 be considered minimum expectations.
Draft Revised Guideline B-10

Processes established should take reasonable steps to assess concentration risk over multiple dimensions, including geography, supplier, and subcontractor.

Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.

The FRFI should establish processes to confirm regularly that the residual risk of their third-party arrangements, individually and in aggregate, remains within the FRFI's risk appetite.

To manage the risks associated with each third-party arrangement, the FRFI should structure its written agreement with the third party in a manner that allows it to meet the expectations set out in this Guideline.

The FRFI should assess whether the existence of material subcontracting might negatively impact their operational and financial resilience during a significant disruption within the third party's supply chain, and whether this impact could outweigh the benefits of the arrangement.

Principle 8: The FRFI's third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks.

Third-Party Arrangements with the External Auditor, 4.

These outcomes contribute to the FRFI's operational and financial resilience and help safeguard its reputation.

any other relevant financial and non-financial risks associated with the use of the third party.
The FRFI should conduct risk assessments of each third-party arrangement to determine the risk and criticality of the arrangement, considering both risks created and reduced (e.g., using suppliers in various jurisdictions to reduce geographic concentration) by the arrangement, as well as potential mitigants.
Outcome: Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed. 244(3.1) of the /StemV 53 The FRFIs senior management should also be satisfied that third-party arrangements are in alignment with the FRFIs risk appetite and managed proportionate to the level of risk and criticality. /Descent -250 To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work.Footnote 1 OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement. Technology and Cyber Risk Management and. Bank Act, ss. The FRFI should establish exit plans proportionate to the level of risk and criticality of individual third-party arrangements to ensure continuity of the FRFIs operations through normal and stressed times. The agreement should give the FRFI and OSFI the right to evaluate the risk management practices related to the service provided. Records that change less frequently than daily remain accurate until they change. Annex 1 of this Guideline. OSFI recognizes that there are certain third-party arrangements for which a customized contract may not be feasible, or for which a formal contract or agreement may not exist. These specific requirements should optimize interoperability while operating within the FRFIs stated risk appetite. 0000001159 00000 n endstream h1 04h\GMyC. 0000009355 00000 n +tU"+E2!iXNU}/!:K}#XSP18ixWq5qAJgna\8ne~k`3u'w** %pdj]WD!S^U6$Iksr%RH*f&ovT Q(^SJ+iuZy/~Fw2k7jL:J Please see ss. stream
series /MediaBox [ 0 0 594.96 842.04 ]
Principle 3: Before entering a third-party arrangementand, periodically thereafter, proportionate to the level of risk and criticality of the arrangementthe FRFI should identify and assess the risks of the arrangement. The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution. b XmO%# Nha0 Before entering an arrangement with a third partywhether written or notand on an ongoing basis thereafter, the FRFI should perform due diligence. <> The extent and frequency of monitoring should be proportionate to the level of risk and criticality of the third-party arrangement. <>/Metadata 285 0 R/ViewerPreferences 286 0 R>> >> zB*cr endobj 0000005171 00000 n Foreign bank branches refers to foreign banks authorized to carry on business in Canada on a branch basis under Part XII.1 of the %PDF-1.5 stream Concentration risk is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of and/or geographically concentrated third-party providers or subcontractors. Specifically, the FRFI and OSFI should be able to evaluate the risks arising from the arrangement or appoint independent auditors to evaluate the risk management practices related to service provided and the risks arising from the relationship on the FRFIs or on OSFIs behalf. 0000008649 00000 n endstream endobj 898 0 obj <>/Filter/FlateDecode/Index[136 722]/Length 46/Size 858/Type/XRef/W[1 1 1]>>stream Governance and accountability structures are clear with comprehensive risk management strategies and frameworks in place to contribute to ongoing operational and financial resilience. The preference is always to have the arrangement documented in a contract; however, OSFI recognizes that there may be situations where obtaining a contract is challenging. 
Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties. Principle 9: The FRFIs agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. Criticality should also be reviewed periodically. 5 0 obj endobj startxref /Resources << /Font << /F1 190 0 R >> /ExtGState << /GS7 194 0 R /GS8 /Rotate 0 OSFI recognizes that technology and cyber risk in third-party arrangements present elevated vulnerabilities to the FRFI. The criticality of a third-party arrangement should influence the nature and frequency of the FRFIs risk management activities. Performance measures: The agreement should establish performance measures that allow each party to determine whether the commitments set out in the agreement are being fulfilled. 0000015850 00000 n 0000013200 00000 n
x[Ko$)6Uvx4U,i6cyJvkdtz}xvNVk]5j1;uuxp[::Ao~K.ddy>:z{&_g/{y6_.w|F Where necessary, the FRFI should establish more granular descriptions of the roles, responsibilities, and procedures that apply to each party when managing the configuration of products and systems. Agreements should establish, among other things: the scope of the records and data to be protected; availability of the records and timely access to data by the FRFI and OSFI, upon request; controls and monitoring over the third partys use of the FRFIs systems and information; clear responsibilities of each party in managing data security; which party is liable for any losses that might result from a security breach; and. This annex provides a non-exhaustive list of provisions that FRFIs should include in duly executed agreements with third parties (tailored to the circumstances of the third-party arrangement): Nature and scope of the arrangement: The agreement should specify the nature and scope of the arrangement, including provisions that address the frequency, content and format of services, duration of the agreement, and physical location of the services being provided. An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement. 0000002339 00000 n IAlNQn@-KB}i These requirements should be accompanied by robust cloud governance to provide proper oversight and monitoring of compliance with the FRFIs risk management practices and alignment to the broader technology strategy. <<27E64938890834448F5A15EC28DF5052>]/Prev 666134/XRefStm 1764>> Unless it is reasonable to conclude that the results of the service will not be subject to audit procedures during an audit of the FRFIs financial statements, the FRFI should not obtain the following services from its external auditor: Any internal audit service related to the internal accounting controls, financial systems, or financial statements of the FRFI. 
xY[o8~G?1Y kKt/CB7M5=xg wn?*'~W7k;^'t6_|^9?qXlnY[v{ )2[Z3I)"4;0d #q9 2n%0oV "MeYlJP$4[ae/=h=x 8P?%#0$mE|FAMa``vtulRlUs>"SHAFF`vl]2Pn^i8rXvreXv%Z%C[ G -vAp9R'L1mzuPC:2y$tebkS-;iT!vWR$Y=E&$=V0Dla/hqkk{3C#[5%/y @}(]n)"3uKy!
Outlining key roles, responsibilities, and risks in managing third-party providers. Arrangements with the external auditor can give rise to conflicts of interest. Among other ways, the FRFI might achieve this by: contractual provisions prohibiting the use of subcontractors for certain functions; requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained, or substituted, to carry out some of the functions contracted for the third party to perform; reserving a right of the FRFI to refuse a subcontractor; and. %PDF-1.5 % Such provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor) including providing information on each incident in line with the Advisory. These types of external arrangements, or third-party arrangements, can be beneficial to the FRFI by introducing efficiencies, driving innovation, managing shifting operational needs, and improving services. hb```b``rAX,=!9E5Ud9fQN@pJnO~M]oY\]ME=>W\. If the Records are in electronic form, complete copies must be kept on a computer server(s) physically located at the places stipulated in the FRFI Statutes.Footnote 10, Certain FRFIs are exempted from the requirement to keep copies of the Records at the above noted places in Canada. /ItalicAngle 0 >> 1 0 obj Such arrangements include, among other things: outsourced activities, functions, and services;Footnote 3. 
brokers (e.g., mortgage, insurance, deposit brokers); utilities (e.g., power sources, telecommunications); financial market infrastructuresFootnote 4 (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures); services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and, other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services).Footnote 5. Third-party risk is the risk to the FRFIs operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. 8 0 obj "]DLA{(+8Z%35o$?d%"l|W8z-KU} 7r`unhAk9( /LastChar 122

Technology and Cyber Risk Management for OSFI's expectations on FRFI technology and cyber risk management.

Insurance Companies Act, and the Trust and Loan Companies Act.

periodically on an ongoing basis proportionate to the level of risk and criticality, or whenever there are material changes to the third-party arrangement, such as the nature of the arrangement or its criticality.

Technology and Cyber Risk in Third-Party Arrangements; Annex 1: Examples of Due Diligence Consideration; Annex 2: Minimum Provisions for Third-Party Agreements.

Bank Act,

OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment.

Appropriate notice should be required for termination of the service and, where applicable, the FRFI's assets should be returned in a timely fashion.

Insurance Companies Act, and s. 243 of the Trust and Loan Companies Act.

Pricing: The agreement should set out the basis for calculating fees relating to the services being provided.

This does not prohibit the external auditor from providing a non-recurring service to evaluate a discrete item or program, if the service is not, in substance, the outsourcing of an internal audit function.
whenever there is material change in the arrangement or third party (including disruption at the third party or in the service provided).

Assessment criteria should also be reviewed periodically to ensure that they remain current for the risk landscape.

The FRFI should establish a TPRMF that provides an enterprise-wide view of its exposures to third parties.

Please see Section 3 of this Guideline for OSFI expectations related to such third-party arrangements.

Any data and records should be returned to the FRFI in a format that allows the FRFI to sustain business operations without unreasonable expense.
Accordingly, Records should be updated daily or at the frequency with which they change.

Outcome: Governance and accountability structures are clear with comprehensive risk strategies and frameworks in place to contribute to ongoing operational and financial resilience.

For example, the agreement should, among other things, remain valid and enforceable in resolution provided there is no default in payment obligations.

The FRFI has the flexibility to arrange its operations in a way that achieves its business and strategic objectives.

As set out earlier in this Guideline, and emphasized in Annex 2, establishing clear roles and responsibilities between the FRFI and the third party is essential to managing risk and limiting ambiguity between the parties.

In situations where a standardized contract, or no formal contract or agreement, supports the arrangement, OSFI still expects the FRFI to have a third-party risk management program that covers the relationship and that is proportionate to the level of risk and criticality of the third-party relationship.

When setting responsibilities for technology and cyber controls, the FRFI should consider the risk and criticality of its arrangement.

That is, a failure in performance of the third party could cause significant harm to the FRFI's operations and/or reputation.

Bank Act, ss.

Risks posed by third parties are identified and assessed.

239(1) of the

To facilitate this outcome, the FRFI should establish and report metrics and associated thresholds to alert senior management when a threshold is being approached, as well as triggers for invoking the FRFI's escalation process.
The TPRMF should set out how the FRFI will identify and assess; manage and mitigate; and monitor and report on third-party risk.

Third-Party Risk Management Framework (TPRMF), 3.1.

Please see ss.

The TPRMF should reflect the FRFI's risk appetite and be consistent with its operational or enterprise risk management frameworks.

Please refer to OSFI's

Customized contracts can be effective tools for the mitigation of third-party risk.

Outcome: Risks posed by third parties are identified and assessed.

NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defines portability as the ability for data to be moved from one cloud system to another, or for applications to be ported and run on different cloud systems, at an acceptable cost.

Prior to obtaining management consulting services from its external auditor, the FRFI should assure itself that its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements, in respect of such services to be performed by the external auditor.

Monitoring should be conducted at the individual arrangement level, as well as at an aggregate business unit, segment, platform, and enterprise level.

Oct 15, 2018.

A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFI's provision of a significant operation, function, or service.
The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement.

In addition, these agreements should specify that the FRFI's data and records be isolated from those of other clients at all times, including during the transfer process and under adverse conditions (e.g., disruption of services).
This guideline is not intended to impede the establishment or operations of such a framework.
In addition, the FRFI should evaluate and consider the impact of use of subcontractors on the concentration risk of third-party arrangements (refer to 2.2.3 above). A non-exhaustive list of factors to consider is set out in
Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements.

Office of the Superintendent of Financial Institutions.

The robustness and frequency of the FRFI's third-party risk management activities (e.g., risk assessment, mitigation, monitoring, measuring, and reporting) should be proportionate to the level of risk and criticality associated with the third-party arrangement.

Annex 2 of this Guideline.

The third-party agreement should specify the type and frequency of information to be reported to the FRFI by the third party.

To determine the appropriate level of mitigation, the FRFI should assess concentration risk both prior to entering a contract or agreement and on an ongoing basis.

Technology and Cyber Security Incident Reporting Advisory.

The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation.

This Guideline applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches. (Footnote 2)

The FRFI should have contingency plans for its critical third-party arrangements.
be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements.

This Guideline sets out OSFI's expectations for managing risks associated with third-party arrangements.

provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFI's

all expectations set out in Section 2 be considered minimum expectations.
Draft Revised Guideline B-10

Processes established should take reasonable steps to assess concentration risk over multiple dimensions, including geography, supplier, and subcontractor.

Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data.

ability of subcontractors to meet legal and regulatory requirements.

The FRFI should establish processes to confirm regularly that the residual risk of its third-party arrangements, individually and in aggregate, remains within the FRFI's risk appetite.

To manage the risks associated with each third-party arrangement, the FRFI should structure its written agreement with the third party in a manner that allows it to meet the expectations set out in this Guideline.

For critical third-party arrangements and those that pose a high risk to the FRFI, OSFI expects that

The FRFI should assess whether the existence of material subcontracting might negatively impact its operational and financial resilience during a significant disruption within the third party's supply chain, and whether this impact could outweigh the benefits of the arrangement.

Principle 8: The FRFI's third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks.

Third-Party Arrangements with the External Auditor, 4.

These outcomes contribute to the FRFI's operational and financial resilience and help safeguard its reputation.

any other relevant financial and non-financial risks associated with the use of the third party.
The FRFI should conduct risk assessments of each third-party arrangement to determine the risk and criticality of the arrangement, considering both risks created and reduced (e.g., using suppliers in various jurisdictions to reduce geographic concentration) by the arrangement, as well as potential mitigants.