OSFI Guideline B-10 – third-party risk management
The Canadian counterpart to the U.S. OCC Third-Party Risk Management Guidance, governing how FRFIs identify, assess, and manage risks from third-party arrangements.
OSFI Guideline B-10 is the Office of the Superintendent of Financial Institutions guideline on third-party risk management for federally regulated financial institutions (FRFIs) in Canada. The current version was published in April 2023 and took effect on 2024-05-01, replacing the 2009 outsourcing version of B-10. It is the Canadian counterpart to the U.S. OCC (interagency) third-party risk management guidance and applies to all FRFIs: banks, trust and loan companies, life insurers, and federally regulated property and casualty insurers. Provincially regulated institutions are outside its scope.
Scope
B-10 applies to FRFIs: domestic banks, foreign bank branches and subsidiaries, federal credit unions, trust and loan companies, life insurance companies, and federally regulated property and casualty insurers. It does not directly apply to fintechs. But fintechs that serve FRFIs are squarely in scope as third parties – their security posture, contractual terms, and operational evidence become an extension of the FRFI's own third-party risk-management program.
From 2009 to 2023
The 2009 guideline focused narrowly on outsourcing of material business functions. The 2023 update broadens the lens. It covers all third-party arrangements, including cloud, software-as-a-service, fintech partnerships, payment processors, data aggregators, and intra-group arrangements. It elevates expectations around concentration risk, sub-contracting transparency, and operational resilience. It requires a written third-party risk-management framework approved by senior management.
Materiality
An arrangement is material if its disruption or failure would have a significant impact on the FRFI's financial condition, operational resilience, reputation, or compliance posture. The 2023 guideline frames this as an assessment of each arrangement's risk and criticality rather than a single materiality test, but the practical effect is the same: the FRFI makes the determination under its own framework, must justify and document it, and must refresh it as the arrangement or the third party's risk profile changes. Arrangements judged material (high-risk or critical) draw enhanced expectations across the lifecycle, including OSFI notification.
Lifecycle expectations
B-10 structures expectations around the third-party lifecycle:
- Planning and risk assessment – before engaging a third party, identify the risks the arrangement introduces and how those risks fit the FRFI's risk appetite.
- Due diligence and selection – proportional to risk; covers financial, operational, security, compliance, and concentration considerations.
- Contracting – includes audit rights, sub-contracting controls and transparency, data protection, exit assistance, incident notification, performance and SLA terms, and OSFI access where applicable.
- Ongoing oversight and monitoring – cadence proportional to risk; performance metrics, incident reporting, and review of changes in the third party's risk profile.
- Business continuity and exit – tested plans for material arrangements; documented exit strategy and assistance terms.
- Termination – orderly wind-down with continuity of operations and proper handling of data.
Cloud, fintech, and intra-group arrangements
B-10 explicitly addresses cloud, fintech, and intra-group arrangements with their own treatment. For cloud, expectations include documentation of the shared-responsibility model (which controls the provider operates and which remain the FRFI's), data location and residency, and a demonstrated ability to exit or migrate. For fintech, expectations include particular attention to concentration risk and sub-contracting transparency, since a small provider often depends on its own chain of sub-processors. For intra-group arrangements, the guideline is explicit that the third-party-risk standard applies even when the third party is a related entity; a shared-services affiliate is assessed, contracted, and monitored like any other provider.
OSFI notification
FRFIs are expected to notify OSFI of material third-party arrangements, of material changes to those arrangements, and of significant risks or incidents arising from them. Incidents at a third party that affect the FRFI fall under the same reporting regime as the FRFI's own technology and cyber incidents (OSFI Guideline B-13 and OSFI's Technology and Cyber Security Incident Reporting Advisory), so the third-party program and the incident-response process need a shared timeline and a shared source of evidence. Both sit within OSFI's broader operational-resilience supervision.
What an OSFI evidence pack looks like
- Third-party inventory with risk ratings, materiality determinations, and current diligence packets
- Contracts with the required clauses
- Ongoing-monitoring artifacts proportional to risk – SOC reports, security questionnaires, performance metrics, incident logs
- Tested business-continuity and exit plans for material arrangements
- Concentration analysis across third parties
- Board and senior-management reporting on the program
- Findings and remediation tracking
How FinQub supports B-10
FinQub gives FRFIs a single substrate for the operational side of B-10. Every vendor call, decision, and data transformation routes through the orchestration layer and lands in a hash-chained audit trail tagged by vendor and by framework. Sub-processor inventories, vendor-incident chronologies, and the operational evidence behind contractual SLAs are queryable on demand rather than periodically reassembled through vendor surveys.
For fintechs serving FRFIs, the same trail produces the diligence pack the FRFI's vendor-management team asks for: SOC mapping, sub-processor list, incident log, performance metrics, and the operational-resilience evidence the FRFI itself owes OSFI upstream.
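The hash-chained, vendor- and framework-tagged audit trail described above is a general technique, and the following added example shows what it looks like in working code. This is illustration code, not FinQub's implementation: the entry layout, the tag values (such as "OSFI-B-10"), the vendor names and every sample event are constructed assumptions. It shows how each entry commits to its predecessor, how a verifier locates the first altered entry, why re-hashing an edited entry still breaks the next link, and how evidence-pack queries (a vendor's incident chronology, everything tagged to one framework) are answered from the trail.

```python
"""Hash-chained, vendor- and framework-tagged audit trail.

Added illustration of the evidence model the page describes; not FinQub's
code. Entry layout, tag names and all sample events are constructed.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Iterator

GENESIS = "0" * 64  # prev_hash of the first entry (assumed convention)


def canonical(obj) -> bytes:
    # Sorted keys and fixed separators: the same record always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    seq: int
    ts: str            # ISO-8601 timestamp supplied by the caller
    vendor: str        # vendor identifier (assumed naming scheme)
    frameworks: list   # framework tags, e.g. ["OSFI-B-10"] (assumed values)
    kind: str          # vendor_call | decision | sla_metric | incident
    payload: dict
    prev_hash: str
    hash: str = ""

    def digest(self) -> str:
        # Covers every field except the hash itself, including prev_hash,
        # so editing any field or re-ordering entries breaks the chain.
        body = asdict(self)
        body.pop("hash")
        return hashlib.sha256(canonical(body)).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def append(self, ts: str, vendor: str, frameworks: list, kind: str, payload: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        e = Entry(len(self.entries), ts, vendor, sorted(frameworks), kind, payload, prev)
        e.hash = e.digest()
        self.entries.append(e)
        return e

    def verify(self) -> tuple[bool, int]:
        """Walk the chain; return (True, -1) or (False, seq of first bad entry)."""
        expected_prev = GENESIS
        for e in self.entries:
            if e.prev_hash != expected_prev or e.hash != e.digest():
                return False, e.seq
            expected_prev = e.hash
        return True, -1

    def query(self, vendor=None, framework=None, kind=None) -> Iterator[Entry]:
        # Evidence-pack queries: filter by vendor, framework tag and event kind.
        for e in self.entries:
            if vendor is not None and e.vendor != vendor:
                continue
            if framework is not None and framework not in e.frameworks:
                continue
            if kind is not None and e.kind != kind:
                continue
            yield e


def build_sample_trail() -> AuditTrail:
    """Constructed sample events; vendors, timestamps and values are made up."""
    t = AuditTrail()
    t.append("2024-06-03T10:00:00Z", "payments-processor-a", ["OSFI-B-10"],
             "vendor_call", {"endpoint": "/settle", "status": 200, "latency_ms": 142})
    t.append("2024-06-03T10:05:00Z", "payments-processor-a", ["OSFI-B-10"],
             "sla_metric", {"metric": "availability", "value": 99.95, "target": 99.9})
    t.append("2024-06-04T02:17:00Z", "payments-processor-a", ["OSFI-B-10", "OSFI-B-13"],
             "incident", {"ref": "INC-0001", "severity": "high",
                          "summary": "settlement API timeouts"})
    t.append("2024-06-05T09:30:00Z", "cloud-provider-x", ["OSFI-B-10"],
             "decision", {"subprocessor_added": "dr-site-ca", "approved_by": "vendor-risk"})
    return t


def tamper_in_place(trail: AuditTrail, seq: int) -> tuple[bool, int]:
    """Edit one entry's payload without touching hashes; verify() flags that entry."""
    bad = copy.deepcopy(trail)
    bad.entries[seq].payload["tampered"] = True
    return bad.verify()


def tamper_and_rehash(trail: AuditTrail, seq: int) -> tuple[bool, int]:
    """Edit and recompute that entry's hash; the next entry's prev_hash then fails."""
    bad = copy.deepcopy(trail)
    bad.entries[seq].payload["tampered"] = True
    bad.entries[seq].hash = bad.entries[seq].digest()
    return bad.verify()


def incident_chronology(trail: AuditTrail, vendor: str) -> list[tuple[str, str]]:
    """(timestamp, summary) for one vendor's incidents, in chain order."""
    return [(e.ts, e.payload["summary"]) for e in trail.query(vendor=vendor, kind="incident")]
```

One caveat the code makes visible: tamper_and_rehash is caught only because a later entry still points at the old hash. Editing and re-hashing the last entry, or truncating the tail, passes verify() on its own, so a production trail also needs the current head hash anchored somewhere the writer cannot alter (a signed checkpoint, a write-once store, or a periodic copy held by the reviewing party) and compared against it.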