How insurers will handle new third-party risk-management guideline

Canada’s financial solvency regulator’s new guideline for managing risks associated with third parties (including brokers) will require insurers to find a ‘balance point’ for compliance, one industry expert said. 

The Office of the Superintendent of Financial Institutions Guideline B-10: Third-Party Risk Management sets out enhanced expectations for federally regulated financial institutions (FRFIs). It aims to reduce risks arising from third-party arrangements that can threaten the FRFI’s operational and financial resilience. 

The guideline essentially asks insurers to do their due diligence by, among other things, “identifying, managing, mitigating, monitoring and reporting” the risks related to the use of third parties.

The topic was raised during the Insurance Bureau of Canada’s Financial Affairs Symposium. 

“[Guideline B-10] is important because of how we’re all becoming much more reliant on third parties to manage our software, to manage our infrastructure, to manage how our businesses operate,” said Bryan Lillycrop, vice president financial reporting at Definity and chair of IBC’s Finance Standing Committee. “There’s an understandable risk that it creates, but the effort to comply with that is very significant. 

“We’re all having to think about how [to] put in place the necessary checks and balances and evaluations that the guideline is asking [us] to do, and so it’s hard to find that balance point.” 

Getting ready for that will be challenge some companies, Lillycrop said. “But I think we’re all kind of working our way towards that and looking at what others are doing to be ready to comply with it.” 

Darrell Leadbetter, senior director, insurance and pension supervision at OSFI, said the guideline is really about understanding third-party risks. 

“You may use a third party to help you review, but do you understand the risks? And are you taking steps to manage what your biggest exposures are?” Leadbetter posed. 

“We’re not necessarily [asking] that you will manage everything; we don’t really care about your landscaping third-party, as an example. But if you are outsourcing to an MGA, and that MGA has the pen [on] underwriting or claims, then we expect that you have processes involved to understand that.” 

Examples of third-party arrangements include, among others: 

• Brokers (e.g., insurance, mortgage, deposit brokers). 
• Relationships involving the provision of goods and services, or the storage, use or exchange of data (such as cloud service providers, managed service providers or technology companies that deliver financial services). 
• Use of independent professional consultants. 
• Utilities (e.g., power sources, telecommunications). 
• Financial market infrastructures (e.g., payments systems, clearing and settlement systems, etc.). 
• Services provided by parent holding companies, affiliates and subsidiaries, or through joint ventures and partnerships. 

Feature image by iStock.com/Aliaksei Brouka