How OSFI wants P&C insurers to manage their third-party risks

Canada’s financial solvency regulator has published its final revised guideline for managing risks associated with third-party contracts and arrangements, having addressed industry concerns about scope, prescription and the timing of implementation.

Guideline B-10: Third-Party Risk Management sets out enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs).

“[FRFIs] have long leveraged third-party arrangements to drive innovation, introduce efficiency, and manage shifting operational needs,” Peter Routledge, superintendent of financial institutions, said of the new guideline. “As the utilization of third-party arrangements has expanded, so too have the attendant risks. Our updated Guideline B-10 will ensure financial institutions mitigate risks related to these arrangements.”

Examples of third-party arrangements include, among others:

• brokers (e.g., insurance, mortgage, deposit brokers).
• relationships involving the provision of goods and services or the storage, use, or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services).
• use of independent professional consultants.
• utilities (e.g., power sources, telecommunications).
• financial market infrastructures (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures).
• services provided by parent holding companies, affiliates and subsidiaries, or through joint ventures and partnerships.

Canada’s P&C insurance industry professionals expressed concern during a previous consultation process that the scope of the draft guideline was too broad and possibly onerous to apply to certain third-party arrangements. The Office of the Superintendent of Financial Institutions (OSFI) responded by introducing the element of ‘criticality’ to its final published guideline.

“OSFI expects FRFIs to understand all its third-party arrangements and apply risk management activities appropriate to the level of risk and criticality of each arrangement,” the regulator wrote in its summary of industry concerns. “Higher-risk and more critical arrangements should be subject to more intensive risk management.

“To that end, OSFI has added a section to the guideline clarifying its expectation that FRFIs should apply the guideline in a manner proportionate to the level of risk and criticality of each third-party arrangement and to the size, nature, scope, complexity, and risk profile of the institution.

“OSFI has also clarified that where a third party is subject to government regulation or supervision, the FRFI may take this into consideration as part of its risk assessment.”

The industry also felt an initial draft guideline was too prescriptive in places. OSFI clarified in the updated guideline that the emphasis was on a risk-based — i.e., principles-based — approach to managing third-party arrangements.

As the OSFI put it in an April 24 letter to federally regulated property and casualty insurance companies, the final guideline:

“…reflects a principles-based approach with increased emphasis on a risk-based approach to managing third-party arrangements, reflecting [OSFI’s] expectation [of] FRFIs to understand a broad scope of third-party arrangements, but apply the guideline in a manner…proportionate to the level of risk and criticality of each arrangement, and to the size, nature, scope, complexity, and risk profile of the FRFI.”

The six principles in OSFI’s final version of the B-10 Guideline said FRFIs:

• are ultimately accountable for managing the risks arising from all types of third-party arrangements.
• should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies and processes for identifying, managing, mitigating, monitoring and reporting on risks related to the use of third parties.
• should identify and assess the risks of a third-party arrangement before entering the arrangement, and periodically thereafter. Risk assessments should be proportionate to the criticality of an arrangement. Specifically, the FRFI should conduct risk assessments to decide on third-party selection; (re)assess the risk and criticality of the arrangement; and plan for adequate risk mitigation and oversight.
• should undertake due diligence prior to entering contracts or other arrangements with a third party, and on an ongoing basis proportionate to the level of risk and criticality of the arrangement.
• are responsible for identifying, monitoring and managing risk arising from subcontracting arrangements undertaken by its third parties.
• should enter into written arrangements that set out the rights and responsibilities of each party.

Finally, OSFI responded to the P&C insurance industry’s request to have a long runway before final implementation.

“The guideline will come into effect May 1, 2024, roughly one year after its publication, to provide FRFIs sufficient time to self-assess and build third-party risk management programs that comply with the new requirements,” OSFI said in its letter to insurers. “Third-party arrangements commencing on or after May 1, 2024, would be expected to comply with all applicable sections of the guideline.”

Feature image courtesy of iStock.com/Aliaksei Brouka