OSFI’s third-party guidance to include insurer-broker contracts

Canada’s solvency regulator is preparing guidance that legal experts say will shift the scope of the regulator’s concerns about outsourcing data and technology to a much broader inquiry about insurers’ arrangements with third parties generally — including with broker partners.

“The new guidance specifically refers to brokers,” said Stuart Carruthers, partner of Stikeman Elliott LLP, at the NICC Conference of Canada held in Halifax in mid-September. “The old guidelines specifically excluded brokers. So, the distribution for agents and brokers was not outsourcing.

“One of the things the industry is thinking about and commenting on is, ‘Do we now have to go back and look at all of our broker agreements and see whether they comply with any guidance?”

The Office of the Superintendent of Financial Institutions’ (OSFI) look at how insurers are managing their relationships with third parties also includes contracts with reinsurance. Legal experts see this as an expansion of OSFI’s recent guidance on reinsurance, which also regulates the nature of insurers’ relationships with their reinsurers.

“Reinsurance relationships are already subject to separate OSFI guidelines and that’s already gone through a long process over the past five years,” Carruthers commented. “OSFI is also thinking the guidance should apply to operational considerations with your reinsurance partners, whether that’s cyber, business continuity and so on.”

In April 2022, OSFI began consultations on revised Draft Guideline B-10 – Third-Party Risk Management, which sets out enhanced third-party risk management expectations for federally regulated financial institutions (FRFIs).

“The financial industry has long made use of third-party arrangements to introduce efficiency, drive innovation, manage shifting operational needs, and improve service,” OSFI noted in its communications introducing the Draft B-10 Guideline. “Increasingly, FRFIs are relying on an expanded third-party ecosystem to execute on and deliver more of their critical activities. This increases the likelihood that these arrangements could impact a FRFI’s operational and financial resilience.”

OSFI noted the Draft B-10 guideline on third-party risk emerged from OSFI’s 2019 Third-Party Risk Study, feedback from OSFI’s 2020 Technology Risk Discussion Paper, and industry’s response to OSFI’s draft Technology and Cyber Risk Management Guideline (Guideline B-13).

“In response to consultation feedback, OSFI modified its approach to expectations on technology and cyber risk in third-party arrangements,” OSFI noted on its website.

“OSFI’s perception is that there was an increased reliance on third parties, including a rise of third parties that went beyond what was considered outsourcing for the purposes of the current…guidelines,” said NICC panellist Koker Christensen, a partner at Fasken. “So, outsourcing under the current B-10 [guidelines] was defined as getting a third party to do something that the financial institution could do itself. Some things were in, some things were out, based on the definition of outsourcing.

“Now, the focus is on third-party maintenance. And that’s defined very broadly to basically any arrangement with a third party. So, there are things that are now in scope of the B-10 [guidelines] that weren’t in scope before. For example, corporate relationships are now in scope, whereas they weren’t before.

“I think what it means in practice is that institutions are going to have to…assess their current practices, policies, policies and procedures against these new expectations. I think that means you’re going to have to do additional due diligence, including with respect to the third parties were maybe not in scope of the prior approach because of the definition of outsourcing. And I think it’s going to, in some cases, have implications for agreements with third parties.”