Outsourcing tasks, not risk

By Kate McCaffery | December 10, 2008 | Last updated on December 10, 2008

New OSFI guidelines related to outsourcing appear, at a glance, to be privacy- and risk management-related. They are, but a closer look shows that Draft Guideline B-10 is practically a how-to business manual for managing outsourced business activities, functions and processes.

Fortunately for many in the industry, the guideline issued by the Office of the Superintendent of Financial Institutions Canada (OSFI) only affects federally regulated entities — banks, trust or insurance companies and some holding companies, those already governed by existing privacy legislation. These institutions are invited to provide comments to OSFI by January 16, 2009, through their industry associations.

Organizations that provide services, though — information systems management, document or application processing, policy, management or loan administration, investment management, research, back office administration and more — plus those who are acquired in any consolidation moves, might also become aware of the guideline’s presence at some point.

That said, Robert Hanna, assistant superintendent of OSFI’s regulation sector, says in an open letter to companies that guidelines issued at the end of 2003, which removed the need for federally regulated companies to get approval before making certain outsourcing arrangements, are generally seen to be working well and that no substantive changes have been made. “The revisions to Guideline B-10 primarily reflect the repeal of this approval requirement… [They are] designed to clarify OSFI’s expectations.”

Even if the guideline does not in any way apply to your business, the document might be interesting reading for those who manage similar arrangements, even if those arrangements are being made on a much smaller scale.

Although financial institutions outsource business activities, functions and processes for valid reasons, the paper notes that outsourcing can increase an institution’s dependence on third parties, which may increase its risk profile. “This Guideline sets out OSFI’s expectations,” write the report’s authors. “These expectations should be considered prudent practices.”

Indeed, the document points out that companies are expected to consider the impact both company and subsidiary arrangements will have on consolidated operations, lays out extensive and detailed instructions for creating outsourcing agreements and even discusses the obligations independent auditors have: “Prior to obtaining non-audit services from its external auditor, the FRE should assure itself that the auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession.” It goes on to say entities should not outsource internal audit services or actuarial services to their external auditor unless it is reasonable to conclude the results of such service will not be subject to audit processes.

The draft guideline also discusses board member or key person responsibilities and how to create an outsourcing risk philosophy (an actual requirement under the guideline). It includes a nearly step-by-step due diligence process, and it spells out ways to evaluate material risk. The document includes a list of specific questions companies can use to assess the materiality, relevance or potential business impact different outsourcing arrangements can have.

An interesting provision for those who must comply with the guideline is the suggestion that “significant changes in the volume or the nature of business [being] conducted should cause the FRE to reassess an outsourcing arrangement’s materiality,” an important consideration given the current market environment.

Finally, the guideline discusses details that should be included in an outsourcing contract: “The agreement is expected to specify the scope of the relationship… Performance measures should be established.”

Among these, OSFI says agreements should specify the type and frequency of information the company receives from the service provider, and provisions should allow the company to assess whether performance measures are being met. OSFI expects agreements to incorporate a protocol for resolving disputes, specify what constitutes a default [of service], identify remedies and allow for opportunities to fix problems or terminate the agreement. Further, it says identification and ownership of all physical or intellectual assets should be clearly established and business continuity and contingency plans should address reasonably foreseeable situations where the service provider fails.

Other contract items addressed include audit rights, subcontracting arrangements, confidentiality, pricing, location of records (federal legislation dictates that certain records maintained by those conducting business in Canada need to reside in Canada), monitoring and oversight, and more general business practices like maintaining a centralized list of agreements. (The guideline includes a template readers can download for this purpose.)

It even goes so far as to say that “OSFI expects material outsourcing arrangements to be documented by a written contract that addresses all elements of the arrangement and has been reviewed by [the company’s] legal counsel.”

Overall, representatives from the Canadian Bankers Association (CBA) say their preliminary sense is that the guideline is a relatively technical revision of existing guidelines. The association does, however, plan to review the document and discuss its implications with members.

“It’s important to keep in mind that there are strict privacy laws in Canada that govern how banks and other companies protect the information of their customers, both here and abroad,” says Maura Drew-Lytle, the CBA’s director of media relations and communications. “Before outsourcing any functions that deal with personal information, the banks must ensure that these companies will protect that information, as the bank is required to do under Canadian law.”

Despite the rather prescriptive-sounding nature of the document, ultimately the guideline lays the assumption of risk and responsibility squarely at the feet of those contracting service providers, regardless of who is actually carrying on certain aspects of the business:

“Federally regulated entities have the flexibility to configure their operations in the way most suited to achieving their corporate objectives,” say the report’s authors. That said, they add, “this guideline operates on the premise that FREs retain ultimate accountability for all outsourced activities.”

