Understanding OSFI B-10 and B-13 For Financial Institutions
Written by: Gizem Toprak & Müzeyyen Gökçen Tapkan
What is OSFI?
The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada that is responsible for the supervision and regulation of banks, insurance companies, and trust and loan companies. OSFI reports to the Canadian Minister of Finance.
The Role of OSFI in Financial Regulation
Supervision of Financial Institutions
OSFI supervises financial institutions through regular reviews, risk assessments and ongoing monitoring. This allows OSFI to detect potential risks early and take corrective measures to reduce them. By maintaining strict oversight, OSFI increases confidence in the financial system by ensuring that financial institutions operate safely and comply with regulatory requirements.
Setting Regulatory Standards
OSFI sets regulatory standards to ensure the stability, efficiency and resilience of Canada’s financial sector. These standards cover a wide range of areas such as capital adequacy, corporate governance and risk management. By establishing clear and comprehensive guidelines, OSFI contributes to the overall stability of the financial system by helping financial institutions effectively manage their risks and maintain strong financial health.
Crisis Management
OSFI plays a critical role in crisis management by implementing contingency plans and coordinating with other regulatory agencies. OSFI’s crisis management framework includes early intervention measures and resolution strategies to address challenges faced by troubled financial institutions. This proactive approach helps reduce the impact of financial crises, protect the interests of depositors and policyholders, and maintain confidence in the financial system.
Enforcement
OSFI’s enforcement activities ensure that financial institutions comply with regulatory standards and operate within the legal framework. This involves investigating potential violations, imposing penalties, and taking corrective actions against non-compliant entities. Through diligent enforcement, OSFI upholds the integrity of the financial system, deters misconduct, and promotes a culture of accountability and transparency within the financial sector.
OSFI-B13: Cybersecurity and Technology Risk
OSFI B-13 is guidance intended to help Federally Regulated Financial Institutions (FRFIs) mitigate cybersecurity and technology risks. OSFI B-13 introduces new management requirements for the organizational structure of IT departments, encompassing all operational units and technology control owners. The guidance mandates that financial institutions develop a clear cybersecurity strategy that aligns with their overall organizational strategy. Additionally, it emphasizes the need to assess third-party vendor risk and to integrate cybersecurity practices into their project management and systems development lifecycles.
Key Highlights of OSFI-B13
Cyber Security
FRFIs are expected to maintain a secure technology posture that protects the confidentiality, integrity and availability of the FRFI’s technology assets.
Governance and Oversight
It requires FRFIs to manage technology and cyber risks through clear responsibilities and frameworks.
Technology Operations and Resilience
FRFI’s technology environment is expected to be maintained “up to date” and supported by sustainable technology operating processes.
OSFI-B10 and Third-Party Risk Management
OSFI B-10 expands the definition of third parties to include any person or entity that has a relationship with your financial institution, such as sponsors, spokespeople, or charities. This significantly impacts the way organizations identify, assess and mitigate third-party risks. It also addresses concentration risk and requires organizations to evaluate the risk of relying on a single vendor for multiple services, both before and during the engagement. This assessment helps determine appropriate risk mitigation levels. It also calls for standardization of contracts to clearly define and manage relationships with third parties.
Key Highlights of OSFI – B10
Third Parties
It calls for standardized contracts to reduce potential risks associated with third-party relationships.
Risk Assessment
Risk assessment ensures that organizations remain alert and can promptly resolve any issues that arise with third-party service providers.
Due Diligence
This includes assessing the regulatory compliance and overall risk profile of third-party service providers.
Third-Party Risk Management Framework (TPRMF)
Most federally regulated financial institutions (FRFIs) have policies addressing specific third-party areas, such as outsourcing and auditing, but often lack an integrated third-party risk management framework (TPRMF). The revised OSFI B-10 requires FRFIs to develop a TPRMF to assess, risk-rate, classify, and manage all third-party relationships across the enterprise. This framework should cover the entire lifecycle of third-party arrangements, from sourcing to exit. It should enable FRFIs to identify, assess, manage, mitigate, monitor and report third-party risks, including concentration risk, which is difficult to manage within a single environment.
How Similar Are OSFI B-13 and NIST CSF?
Scope
- OSFI B-13: Mandatory for Canadian financial institutions; highly specific to the financial sector.
- NIST CSF: Voluntary and intended for use by organizations in any sector globally.
Compliance
- OSFI B-13: Sets out mandatory requirements for compliance with Canadian financial regulations.
- NIST CSF: Provides guidelines and best practices without mandatory compliance requirements, although it can be adapted to meet regulatory needs.
Structure
- OSFI B-13: Prescriptive and detailed, with specific requirements for governance, risk assessment, incident response, and third-party management.
- NIST CSF: Structured around five core functions (Identify, Protect, Detect, Respond, Recover) and designed to be flexible and adaptable.
Strategy
- OSFI B-13: Requires alignment of cybersecurity strategy with the overall business strategy of financial institutions.
- NIST CSF: Encourages integration of cybersecurity into organizational risk management processes but is more flexible regarding how this is achieved.
Vendor and Third-Party Risk Management
- OSFI B-13: Specifically addresses the need for assessing and managing third-party vendor risks in detail.
- NIST CSF: Includes third-party risk management as part of its broader risk management guidelines but is less prescriptive.
Conclusion: Strengthening Financial Institutions Through Comprehensive Risk Management
In conclusion, OSFI’s B-10 and B-13 guidelines are critical frameworks for ensuring the safety, resilience, and compliance of Canadian financial institutions in today’s increasingly complex and interconnected digital landscape. By addressing both technology and third-party risks, these regulations empower financial institutions to take a proactive approach to risk management. While OSFI B-13 focuses heavily on cybersecurity and the integration of IT practices into broader business strategies, OSFI B-10 sharpens its lens on third-party relationships, urging financial institutions to establish robust frameworks for managing vendor risks. Together, these guidelines not only strengthen the operational integrity of financial institutions but also reinforce the confidence of stakeholders, ensuring the long-term stability of Canada’s financial system. As regulatory landscapes continue to evolve, financial institutions that align their practices with these standards will be better equipped to navigate risks and maintain resilience in the face of emerging challenges.
How Black Kite Can Help with AI
Black Kite’s UniQuE™ Parser, the industry’s first cyber-aware AI engine, enables organizations to automate the extraction and analysis of vendor contracts and security documentation, ensuring compliance with regulatory requirements while saving time and resources. You can quickly identify gaps, evaluate vendor alignment with OSFI guidelines, and gain a complete, centralized view of your third-party risk landscape. Learn more about automating compliance.