Meeting OSFI Third-Party Risk Guideline B-10: A Comprehensive Guide
Feb 20, 2026

In today's interconnected financial landscape, third-party relationships are more critical, and more complex, than ever. The Office of the Superintendent of Financial Institutions (OSFI) in Canada introduced Guideline B-10 to set out clear expectations on how federally regulated financial institutions (FRFIs) should manage the risks of third-party arrangements. Meeting OSFI's B-10 requirements is essential for maintaining trust, ensuring operational resilience, and protecting customer data. This article explores practical strategies for achieving compliance with OSFI Guideline B-10 while improving vendor risk management practices.
Understanding OSFI Guideline B-10
Guideline B-10 sets OSFI's expectations for managing the risks associated with third-party arrangements. The guideline was revised in April 2023 (effective May 1, 2024), replacing the earlier outsourcing-focused version with a broader, principles-based scope that covers any third-party arrangement, not only traditional outsourcing. It emphasizes that while an activity may be performed by a third party, accountability for it, and the risk it carries, remain with the financial institution. Institutions must adopt a comprehensive due diligence, monitoring, and governance framework to oversee third-party relationships throughout their lifecycle.
Key Objectives of B-10:
Protect customer information and confidentiality.
Ensure continuity and quality of critical services.
Maintain operational resilience.
Uphold regulatory accountability and oversight.
Compliance requires integrating these objectives into procurement, contract management, and ongoing vendor oversight processes.
Building a Third-Party Risk Management Framework
A strong Third-Party Risk Management (TPRM) framework is the cornerstone of B-10 compliance. Financial institutions should establish formal policies and procedures covering the full lifecycle—planning, due diligence, contracting, monitoring, and exit strategies.
Core Components of a Compliant Framework:
Governance and Accountability: Define roles and responsibilities, including board oversight and senior management accountability for third-party arrangements.
Risk Assessment: Classify third parties based on criticality and risk exposure, including financial, operational, cybersecurity, reputational, and legal risks.
Due Diligence: Conduct thorough assessments before onboarding vendors, including financial stability, data protection controls, regulatory compliance, and service capabilities.
Conducting Robust Due Diligence
Due diligence under B-10 goes beyond checking basic credentials. Institutions must evaluate vendors’ ability to meet performance, security, and compliance expectations.
Due Diligence Best Practices:
Review third-party security certifications and attestation reports (e.g., ISO 27001, SOC 2), reading the scope, the control exceptions, and the reporting period rather than accepting the certificate alone; a clean opinion on an out-of-scope system says nothing about the service you are buying.
Assess data handling processes and incident response mechanisms.
Examine financial health and service scalability.
Verify compliance with privacy and industry regulations.
For critical or high-risk vendors, on-site assessments or independent audits may be required.
Strengthening Contractual Controls
Contracts form the legal foundation of third-party oversight. Under B-10, contracts must clearly outline performance expectations, risk controls, and exit clauses.
Essential Contract Provisions:
Data Security and Confidentiality: Requirements for secure data handling, encryption, and breach notification timelines.
Service Level Agreements (SLAs): Performance metrics, reporting obligations, and penalties for failure.
Audit and Access Rights: The right to audit vendor operations and review compliance reports.
Termination and Exit Strategy: Clear procedures for transitioning services or terminating the relationship with minimal disruption.
Including contingency plans in contracts helps ensure that institutions can maintain continuity of operations if a vendor fails.
Continuous Monitoring and Oversight
Meeting B-10 requirements doesn’t end with contract signing. Ongoing monitoring is essential to ensure third parties continue to meet regulatory and performance expectations.
Ongoing Monitoring Activities:
Regular performance reviews against SLAs.
Risk reassessments and compliance checks at least annually, and more frequently for critical or high-risk vendors or after a material change in the arrangement.
Review of incident reports, breach notifications, and remediation actions.
Monitoring of subcontractors and fourth-party risks.
Establishing communication channels with vendors helps identify emerging risks early and maintain transparency.
Managing Fourth-Party and Concentration Risks
OSFI B-10 highlights the importance of understanding dependencies beyond direct vendors. This includes subcontractors (fourth parties) and concentration risk when multiple services rely on a single provider.
Mitigation Strategies:
Require transparency of subcontracting arrangements.
Track critical service dependencies.
Diversify vendor portfolios to prevent over-reliance.
Institutions must be prepared to address cascading failures that could arise from hidden dependencies.
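The dependency tracking described in this section is, at bottom, a graph problem: services depend on vendors, vendors depend on subcontractors, and a single fourth party can sit underneath several critical services without appearing in any direct contract. The following is an added example (not from the article or from any OSFI material) showing how an institution might model that inventory and query it for cascading impact, concentration, and hidden fourth parties. All service names, vendor names and criticality tiers are constructed sample data.

```python
"""Dependency-graph analysis for fourth-party and concentration risk.

Added example, not part of the original article or of OSFI's guideline text.
Every service, vendor and subcontractor name below is hypothetical sample data.
"""
from collections import defaultdict, deque

# Constructed inventory: institution services -> direct (contracted) vendors.
SERVICES = {
    "online_banking": {"criticality": "critical", "vendors": ["CloudHostCo", "AuthProvider"]},
    "payments":       {"criticality": "critical", "vendors": ["PayGateway"]},
    "marketing_crm":  {"criticality": "low",      "vendors": ["CRMVendor"]},
    "statements":     {"criticality": "high",     "vendors": ["PrintMail"]},
}

# Constructed subcontracting disclosures: vendor -> its own providers (fourth parties).
# Note that CRMVendor is itself hosted on CloudHostCo, and three vendors share RegionDC.
SUBCONTRACTORS = {
    "CloudHostCo": ["RegionDC"],
    "AuthProvider": ["RegionDC", "SMSRelay"],
    "PayGateway": ["RegionDC"],
    "CRMVendor": ["CloudHostCo"],
    "PrintMail": [],
}


def build_graph(services, subcontractors):
    """Return a mapping node -> set of nodes it directly depends on."""
    deps = defaultdict(set)
    for svc, info in services.items():
        deps[svc].update(info["vendors"])
    for vendor, subs in subcontractors.items():
        deps[vendor].update(subs)
    return deps


def transitive_providers(deps, node):
    """All direct and indirect providers of `node`, found by breadth-first search.

    The `seen` set makes this safe on cyclic disclosures (vendor A subcontracts
    to B, B subcontracts back to A), which do occur in real inventories.
    """
    seen, queue = set(), deque([node])
    while queue:
        current = queue.popleft()
        for provider in deps.get(current, ()):
            if provider not in seen:
                seen.add(provider)
                queue.append(provider)
    return seen


def impacted_services(services, deps, failed_provider):
    """Services, of any tier, that would be disrupted if `failed_provider` went down."""
    return sorted(s for s in services if failed_provider in transitive_providers(deps, s))


def concentration_report(services, deps, tiers=("critical", "high")):
    """Providers (direct or fourth-party) that two or more critical/high services rely on."""
    supported = defaultdict(list)
    for svc, info in services.items():
        if info["criticality"] in tiers:
            for provider in transitive_providers(deps, svc):
                supported[provider].append(svc)
    return {p: sorted(svcs) for p, svcs in supported.items() if len(svcs) >= 2}


def hidden_fourth_parties(services, deps):
    """Providers that critical services depend on but that hold no direct contract."""
    direct = {v for info in services.values() for v in info["vendors"]}
    hidden = set()
    for svc, info in services.items():
        if info["criticality"] == "critical":
            hidden |= transitive_providers(deps, svc) - direct
    return sorted(hidden)


if __name__ == "__main__":
    graph = build_graph(SERVICES, SUBCONTRACTORS)
    print("If RegionDC fails:", impacted_services(SERVICES, graph, "RegionDC"))
    print("Concentration:", concentration_report(SERVICES, graph))
    print("Hidden fourth parties:", hidden_fourth_parties(SERVICES, graph))
```

In the sample data the only direct contracts are with the five vendors, yet the concentration query surfaces RegionDC, a fourth party, as the single point of failure beneath both critical services. That is exactly the dependency an SLA review of each direct vendor in isolation would miss, and it is why the subcontracting transparency clause in the previous section matters: without the vendors' disclosures, the second half of the graph cannot be built.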
Incident Management and Business Continuity
Under B-10, financial institutions must ensure third parties have strong incident response and business continuity plans. Institutions must remain capable of managing disruptions without exposing customers to harm.
Key Expectations:
Joint incident response coordination.
Business continuity testing and contingency planning.
Communication protocols for incident updates.
These measures help maintain operational resilience and customer trust even during disruptions.
Governance and Board Oversight
OSFI expects boards and senior management to maintain oversight of third-party arrangements. Institutions should provide regular reporting on vendor risks, performance, and incidents.
Reporting Practices:
Quarterly risk dashboards.
Summary of critical vendor performance and risk trends.
Regulatory compliance updates.
Strong governance ensures accountability and alignment with institutional strategy.
Leveraging Technology for Compliance
Modern TPRM platforms help automate and streamline compliance with B-10. Features such as centralized vendor repositories, automated risk assessments, and real-time monitoring enable institutions to scale oversight efficiently.
Benefits of TPRM Technology:
Enhanced visibility into vendor risk.
Automated due diligence workflows.
Streamlined documentation and audit readiness.
Implementing such tooling can reduce manual error and supports evidence-based reporting, provided the vendor inventory it holds is kept complete and current; an automated assessment of an incomplete inventory gives false assurance.
Meeting OSFI’s Third-Party Risk Guideline B-10 requires more than ticking a compliance checklist—it demands a proactive, integrated approach to risk management. By building strong governance, conducting thorough due diligence, enforcing contractual safeguards, and implementing continuous monitoring, financial institutions can protect their operations and uphold regulatory expectations. Investing in a robust TPRM framework not only ensures compliance but also strengthens resilience in an evolving risk landscape.
With strategic planning and the right tools, financial institutions can turn regulatory compliance into a competitive advantage that instils confidence among regulators, partners, and customers alike.