PowerPoint Presentation on OSFI Guideline B-10 · OSFI Guideline B-10 Section 4 • Rather, notwithstanding the use of the term ... materiality criteria, risk management program and

Adam D. VereshackMcCarthy Tétrault

Federated PressMarch 29, 2004

www.mccarthy.cawww.mccarthy.ca

OSFI Guideline BOSFI Guideline B--1010

Revised OSFI Guideline Revised OSFI Guideline BB--10 on Outsourcing 10 on Outsourcing

McCarthy Tétrault LLPMcCarthy Tétrault LLP2


Background Background

• Released on December 15, 2003. • Sets out OSFI’s expectations for federally regulated

entities (“FREs”) which outsource any of their business activities.



Section 1Section 1

Section 1– Introduction• OSFI’s expectations should be considered prudent

practices applied according to the nature of the outsourcing and the circumstances of the FRE.

• In other words, all provisions are not to be viewed as mandatory in all cases.



Section 1Section 1

• OSFI expects the FRE to use sound judgment in connection with both the outsourcing arrangement and the circumstances of the application of these provisions.



Section 1Section 1

• OSFI clarifies that: “its specific expectations may vary, depending on the nature of the outsourcing being contemplated and the relationship between the FRE and the service provider.

• OSFI directly references the Supervisory Framework, (Included in Materials) which it will use in applying its risk-based approach to assessing an FRE’s safety and soundness on a consolidated basis.



Section 1Section 1

• Guideline E-3, Processing Information Outside Canada will be revoked on December 14, 2004 and replaced by the requirements of Section 8 of the Guideline.



Section 2Section 2

Section 2 – Transition Period• The FRE is expected to comply by December 15,

2004 with: Section 4 (Application of the Guideline) Section 5 (Accountability and Control) Section 6 (Materiality Assessment)Section 7.3.1 (Centralized List of all Material Outsourcing Arrangements)



Section 2Section 2

• All Arrangements prior to December 15, 2004 are expected to comply with the sections on the next page at the “first opportunity” after December 15, 2004.

• “First opportunity” means at the time the outsourcing contract or SOW, is substantially amended, renewed or extended.



Section 2Section 2

» Section 7.1 (Due Diligence Process)» Section 7.2 (Policies and Procedures to Manage

Risks Associated with Material Outsourcing) [This includes Contract Provisions]

» Section 7.3.2 (Monitoring the Outsourcing Arrangement)

» Section 7.3.3 (Monitoring the Service Provider)



Section 2Section 2

• All arrangements signed on or after December 15, 2004, are expected to comply with all applicable Sections of the Guideline.



Section 3Section 3

Section 3 – Definitions• What Constitutes Outsourcing

An agreement between an FRE and a service provider whereby the service provider performs a business activity that is, or could be, undertaken by the FRESeveral examples are listed in Annex 1 (Michael will talk about these next.)



Section 3Section 3

• Entities Subject to the GuidelineSchedule I or II BankTrust and Loan Companies Cooperative Credit AssociationsInsurance Companies Bank Holding Companies

(Cont’d)



Section 3Section 3

• Entities Subject to the GuidelineInsurance Holding CompaniesCanadian branch of a foreign bank approved to operate in CanadaCanadian branch of a foreign insurance company approved to operate in Canada



Section 3Section 3

• FRE Group (Sec. 3.2.1)• The FRE group of a Bank, Trust Company or

Insurance Company, etc. includes the FRE and any of the following:

The entity that controls the FRE if that entity is also an FREA subsidiary of the FREA subsidiary of the entity that controls the FRE

(Cont’d)



Section 3Section 3

• RFIP Group• Branches or subsidiaries in Canada with a regulated

foreign or provincial parent.



Section 3Section 3

• RFIP GroupFor Bank, Trust Company or Insurance Company -the entity that controls the FRE if that entity is regulated by a foreign or provincial financial regulatory bodyFor Foreign Bank - the Canadian branch, head office, and any other branches or agenciesFor Foreign Insurance Company - the Canadian branch, head office, and any other branches or agencies



Section 4Section 4

Section 4 – Application of Guideline• Applies to all outsourcing arrangements of an FREs or

FRE Groups• Prior Guideline referred to “material” outsourcing

arrangements• The Guideline also now expressly states that:

“OSFI expects the FRE to ensure that its subsidiaries and branches follow the guideline when entering into material outsourcing arrangements.”



Section 4Section 4

• Degrees of materiality recognized. • However, the Guideline states that:

“The robustness of an FRE’s management of outsourcing risks should be commensurate with the materiality of the arrangement.”

• Those outsourcings which are deemed to be “material” must follow the full risk management program set out in Section 7.



Section 4Section 4

• The Guideline is much clearer in acknowledging that where the material outsourcing arrangement is between an FRE and a member of an FRE Group, reduced expectations may be applied, in a manner consistent with Sections 4.1 and 4.2 respectively.”



Section 4Section 4

• The Guideline then states that outsourcing arrangements deemed clearly immaterial are not expected to follow the risk management program outlined in this Guideline.”

• However, materiality is not relevant for outsourcing arrangements performed out of Canada.

• In this case, all FRE outsourcing arrangements involving the out-of-Canada processing of specified information or data are subject to the Guideline.



Section 4Section 4

• FRE Intra-group Outsourcing Arrangements• Section 4.1 sets out the minimum expectations of

OSFI when a member of an FRE Group enters into a material outsourcing arrangement with another entity that is a member of the same FRE Group.

» the scope of the arrangement, the services to be supplied, the nature of the relationship between the FRE and the service provider

(Cont’d)



Section 4Section 4

» procedures governing the subcontracting of services

» a business continuity plan» a process for monitoring and oversight» legislative requirements relating to location of

records and the processing of data outside of Canada



Section 4Section 4

• In order to simplify matters, the Guideline now provides that:

A parent FRE may address these expectations within enterprise-wide processes or plans, so long as any specific risks to each subsidiary are dealt with, and the board of directors, principal officer or chief agent are able to fulfill their accountabilitiesA parent FRE may establish the program and develop and maintain the reporting on behalf of its FRE subsidiaries.



Section 4Section 4

• Supervisory Framework• Guideline makes it clear that: “consistent with the

risk-based Supervisory Framework, OSFI may have additional expectations depending on the outsourcing risks.



Section 4Section 4

• Material RFIP Intra-group Outsourcing Arrangements

• Section 4.2 sets out minimum expectations when a Canadian branch or a Canadian subsidiary enters into a material outsourcing arrangement with another a member of its RFIP group (which will usually be a foreign parent or a foreign affiliate):

A due diligence process that addresses the qualitative aspects of the arrangement, particularly those pertaining to the unique operational requirements of the FRE

(Cont’d)



Section 4Section 4

An outsourcing agreement that details, among other things, the scope of the arrangement, the services to be supplied, the nature of the relationship between the FRE and the service provider and that addresses the items set out in Section 7.2.1 (Contract Requirements) as appropriate

(Cont’d)



Section 4Section 4

Procedures governing the subcontracting of servicesA business continuity planA process for monitoring and oversightLegislative requirements relating to location of records and the processing of data outside of Canada



Section 4Section 4

• OSFI states that consistent with the risk-based Supervisory Framework, OSFI may have additional expectations for RFIP Group arrangements, depending on the outsourcing risks.

• Apparent is OSFI’s clear policy change to require more information and a more stringent due diligence process when the FRE is a Canadian branch of a foreign entity which is outsourcing to its foreign parent or affiliate than when a Canadian FRE is outsourcing to a Canadian parent or an affiliate.



Section 4Section 4

Canadian branches of foreign entities.• One problem that appeared to have been introduced

into the Guideline is the requirement that if a Canadian branch of a foreign entity enters into an outsourcing arrangement with its head office, there is a need for an outsourcing agreement.

• The problem is that a branch cannot enter into an agreement with its foreign head office as they are the same legal entity.



Section 4Section 4

• I spoke with one of the drafters of the Guideline at OSFI and was told that the term “outsourcing agreement” as used here and in Section 7 is not meant to be a formal agreement when dealing with outsourcing arrangements between a Canadian branch FRE and its foreign head office.



Section 4Section 4

• Rather, notwithstanding the use of the term “agreement” here and in Section 7, OSFI will be satisfied if the arrangements are documented in writing between the Canadian branch and the foreign head office.

• Believe that this document will be adequate if it covers those items set out in the last paragraph on page 10 of the Current Guideline which reads:



Section 4Section 4

“In cases such as this, all that OSFI expects is that such arrangements be documented in writing in sufficient detail to permit OSFI to understand the parties’ intentions relating to service levels and performance standards, audit rights and monitoring procedures, contingency planning, defaults and termination, and pricing.”



Section 4Section 4

• Outsourcing Arrangements with the External Auditor• Beyond the Scope of this Presentation



Section 5Section 5

• Section 5 – Accountability and Control• FRE Board of Directors Responsibilities

The Current Guideline states that the Board should have the ultimate, but not operational, responsibility for an FRE’s risk-management policies and practices The Guideline has modified this to allow a committee of the Board to assume these responsibilities



Section 5Section 5

While both the Current Guideline and the Guideline list those responsibilities, this list has been considerably shortened in Section 5.1 of the Guideline Others have not been removed Rather, they have been transferred to the management of the FRE and enlarged in scope



Section 5Section 5

• The Guideline now only lists two responsibilities of the Board or a committee of the Board:

Approve or reaffirm the policies that apply to outsourcing arrangements (e.g., risk philosophy, materiality criteria, risk management program and approval limits)Review a list of all the FRE’s material outsourcing arrangements and other relevant reports



Section 5Section 5

• This changes must be viewed as a clear recognition by OSFI that it is not appropriate to leave operational responsibilities with the Board and that the development of risk management policies and practices are more properly handled by senior management.



Section 5Section 5

• FRE Management Responsibilities• Section 5.2 of the Guideline deals in detail with the

development of outsourcing policies. • It is primarily a reorganization of comparable

provisions that were dealt with in various areas of the Current Guideline into a concise statement of specific requirements that the management of an FRE must consider in developing outsourcing policies and procedures.



Section 5Section 5

• Without repeating the details of the Guideline, the following are the main points that should be dealt with:

An outsourcing risk philosophyA materiality assessmentAn outsourcing risk management programAppropriate approval levels for outsourcing arrangements



Section 5Section 5

• Responsibilities of the Chief Agent or Principal Officer

• Section 5.3 of the Guideline moves this responsibility from the foreign Board to the chief agent or principal officer in Canada.

• This is a clear policy change to reflect proposed changes to Guideline E-4 (Role of the Canadian Chief Agent and Record Keeping Requirements).



Section 5Section 5

• The Guideline states that: “These changes are anticipated to clarify that, more generally, OSFI expects the chief agent or principal officer to take on the corporate governance role normally assumed by the board of directors and senior management.”



Section 5Section 5

• Newly added to the Guideline is the statement that: “The chief agent or principal officer remains accountable for the business in Canada, regardless of whether a particular business activity takes place in Canada or has been outsourced.”



Section 5Section 5

• The Guideline states that: “OSFI expects the chief agent or principal officer to ensure that the branch has risk management policies for outsourcing and that the expectations set out in Section 5.2 of this Guideline are met.”



Section 5Section 5

• In particular, the chief agent or principal officer would be expected to:

Ensure that materiality assessment criteria are developed and appliedEnsure that the risk management program is appliedWithin a reasonable time, advise OSFI about any events that are likely to have a significant negative impact on the delivery of the service provided for by a material outsourcing arrangement



Section 6Section 6

Section 6 – Materiality Assessment for Outsourcing Arrangements

• For the most part, Section 6 of the Guideline is a restatement of its counterpart in the Current Guideline.

• Some differences. • Perhaps the most significant philosophical change can

be seen in the opening paragraph.



Section 6Section 6

• The Current Guideline states that: “Only those arrangements identified as “material” pursuant to the assessment are subject to the guideline’s provisions for material outsourcing arrangements.”



Section 6Section 6

• However, the Guideline takes a different approach and states that:

“In general, OSFI expects that an FRE will design a risk management program that applies to all its outsourcing arrangements, except those that are clearly immaterial, and that the risk mitigants employed under this program will be appropriate to the particular outsourcing arrangement.”



Section 6Section 6

• The next significant change is that the Guideline moves away from the mathematical two-step approach for determining materiality thresholds and weighting factors and providing examples such as those in Appendix B to the Current Guideline.

• Rather, OSFI provides more guidance to FREs in helping them assess materiality.



Section 6Section 6

• What follows are some specific examples of how OSFI achieves this.

Materiality will depend on the extent to which it has the potential to have an important influence on a significant line of business of the consolidated operations of the FRE or the Canadian operations of a foreign branch or subsidiaryAssessment of the materiality is often subjective and depends on the circumstances faced by an individual FRE



Section 6Section 6

• Sample questions that an FRE might consider in assessing materiality are set out in Annex 2. (Included in the Materials)

• Significant changes in the volume or the nature of business conducted should cause the FRE to reassess an outsourcing arrangement’s materiality.



Section 7Section 7

Section 7 – Risk Management Program for Material Outsourcing Arrangements

• The Guideline contains an entirely new paragraph which highlights OSFI’s general expectations on the risk management program to be developed by FREs.

“A FRE should design a risk management program that applies to the entire FRE Group.”

(Cont’d)



Section 7Section 7

“The risk mitigants employed should be commensurate with the FRE’s assessment of the risks associated with the particular outsourcing arrangement.”



Section 7Section 7

• Due Diligence Process• Section 7.1 first requires the FRE to conduct internal

due diligence to determine the nature and scope of the business activity to be outsourced, its relationship to the rest of the FRE’s activities, and how the activity is managed.



Section 7Section 7

• Requires the FRE to undertake due diligence that addresses all relevant aspects of the service provider, including qualitative (i.e., operational) and quantitative (i.e., financial) factors and provides specifics in Annex 3. (Included in the Materials)



Section 7Section 7

• One possible problem with Annex 3 is that it is so comprehensive that it might well be viewed by a service provider as being unnecessarily wide and intrusive.

• OSFI’s decision to include in the due diligence on the service provider items such as “business reputation,” “complaints,” “potential litigation” and “business culture” may be viewed by service providers as excessive.



Section 7Section 7

• However, the Guideline does state that due diligence “may include” these factors.

• Further, the Guideline has been amended by adding the word “relevant”.

• Hopefully, this will allow the FRE and the service provider room to reach agreement on what is truly relevant in the circumstances.



Section 7Section 7

• Contracts for Services• The Guideline starts out by stating that:

“OSFI expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement and has been reviewed by the FRE’s legal counsel.”

• Following these general principles, Section 7.2, of the Guideline details approximately 50 provisions which OSFI expects should be dealt with in any outsourcing contract.



Section 7Section 7

• In the Guideline, OSFI states that: “Some of the items below may not be applicable in all circumstances; however, FREs are expected to address all issues relevant to managing the risks associated with each outsourcing arrangement to the extent feasible and reasonable given the circumstances, and having regard to the interests of the FRE.”



Section 7Section 7

• The point is that OSFI expects the FRE to use judgment and prudence in applying these contractual guidelines rather than viewing them as a list of mandatory requirements for every outsourcing agreement.



Section 7Section 7

• Outsourcing in Foreign Jurisdictions• The Guideline introduces a new concept into its

outsourcing requirements. • In addition to Section 8 of the Guideline which is

substantially similar to Guideline E-3 - Data Processing Outside Canada, Section 7.2.4 expands OSFI’s concern with outsourcing in foreign jurisdictions to any outsourcing.



Section 7Section 7

• This provision states that: “when the material outsourcing arrangement results in services being provided in a foreign jurisdiction, the FRE’s risk management program should be enhanced to address any additional concerns linked to the economic and political backdrop, technological sophistication, and the legal and regulatory risk profile of the foreign jurisdiction(s).”



Section 7Section 7

• Monitoring and Oversight of Material Outsourcing Agreements

• Section 7.3.1 adds a new requirement to this issue: “The FRE must maintain a centralized list of all its material outsourcing arrangements that includes the name of the service provider and location where the service is provided, expiry or renewal date of the agreement and value of the agreement.”



Section 7Section 7

• Further, the Guideline requires that: “The list should be updated continually and should form part of the documentation delivered to the FRE board of directors or the chief agent or principal officer” of a Canadian branch.

• Finally, the Guideline states that OSFI should have access to the list at any time - without prior notice and at any time on business days or non-business days.



Section 7Section 7

• Monitoring the Service Provider• Section 7.3.3 provides for more formal and detailed

annual reviews of the service provider.• The review could include an assessment of the service

provider’s circumstances including its financial strength, prospects (except in cases involving the parent or home office of a Canadian subsidiary or branch), and technical competence.



Section 8Section 8

Section 8 – Data Processing in Foreign Jurisdictions• Guideline E-3 – Data Processing Outside Canada is

to be revoked on December 15, 2004.• Following that date, data processing outside Canada

will be approved pursuant to Deemed Approval Instruction Document No. 10 - Processing Information Outside Canada. (Included in Materials)



Section 8Section 8

• Despite this change, there are virtually no substantive changes in the information or other materials required to be provided to OSFI in order for an FRE to receive the Exemption Order to process data outside of Canada.

Documents

PowerPoint Presentation on OSFI Guideline B-10 · OSFI Guideline B-10 Section 4 • Rather, notwithstanding the use of the term ... materiality criteria, risk management program and