Federal banking regulators revised their guidance for financial institutions to manage the risks that arise from their outsourcing arrangements.
The Office of the Superintendent of Financial Institutions (OSFI) published final guidance for risk management in connection with third-party relationships, which firms are increasingly relying on to drive innovation, enhance service and efficiency.
However, the regulator is concerned that these arrangements can create risks that threaten financial firms’ “operational and financial resilience.”
The guidance sets OSFI’s expectations for financial firms to manage their outsourcing risks, stressing that firms can’t outsource their compliance responsibilities and that firms retain “accountability for business activities, functions and services outsourced to a third party.”
“OSFI expects [firms] to manage these risks by adhering to this updated guideline, which emphasizes governance and risk management programs and includes six new, clear expected outcomes associated with effective third-party risk management,” the regulator said in a release.
The new guidance, which follows an industry consultation carried out last year, will take effect on May 1, 2024. The transition period is intended to give financial firms time to review their outsourcing arrangements and to ensure that those arrangements comply with the new guidance.
“Federally-regulated financial institutions have long leveraged third-party arrangements to drive innovation, introduce efficiency, and manage shifting operational needs. As the utilization of third-party arrangements has expanded, so too have the attendant risks,” said Peter Routledge, superintendent at OSFI, in a release.
The regulator’s revised guidance aims to “ensure financial institutions mitigate risks related to these arrangements,” Routledge added.