Sector: Financial
Jurisdiction: Federal — Canada
In force: May 1, 2024 (revised)

OSFI B-10

OSFI Guideline B-10 — Third-Party Risk Management

Canada's federal financial institution technology risk framework

Overview

OSFI Guideline B-10 sets expectations for federally regulated financial institutions (FRFIs) on managing risks related to third-party arrangements — including technology vendors, cloud providers, and outsourced services. The 2024 revision significantly expanded scope to cover all third-party arrangements with a material risk, not just outsourcing.

Authority
Office of the Superintendent of Financial Institutions (OSFI)
Jurisdiction
Federal — Canada
Effective date
May 1, 2024 (revised)
Applicability

Who must comply with OSFI B-10?

Federally regulated financial institutions — banks, insurance companies, trust companies, credit unions regulated federally, and other OSFI-regulated entities. Mortgage investment corporations and smaller FRFIs have proportional requirements.

Compliance scope
Your organization collects personal information
You operate in the applicable jurisdiction
Commercial activities are involved
You use or disclose personal data


Requirements

Key obligations under OSFI B-10

Third-Party Risk Management Framework

Maintain a documented TPRM framework governing the full lifecycle of third-party arrangements — from selection through exit.

Concentration Risk

Identify and manage concentration risk when multiple critical functions depend on a single third party or geographic region.

Sub-contractor Oversight

Know your vendors' vendors — FRFIs must assess material sub-contractors used by their third parties.

Data & Technology Risk

Assess data security, residency, and access controls for all third-party arrangements involving customer or institutional data.

Exit Plans

Maintain viable exit plans for critical third-party arrangements — you must be able to transition or recover if a vendor fails.

Board Accountability

Senior management and the board must approve the TPRM framework and receive regular risk reporting — it's not just an IT function.

Enforcement

Penalties & enforcement

Maximum penalty
Administrative monetary penalties; supervisory directives
Enforced by: Office of the Superintendent of Financial Institutions
Notable case

OSFI issued a supervisory letter to several major banks following cloud concentration risk assessments (2023)

How Canuckt keeps you penalty-free:
Third-party vendor inventory tool that maps OSFI B-10 criticality tiers to all your SaaS and technology providers
TPRM questionnaire templates aligned with OSFI B-10 expectations for critical, important, and standard vendors
Sub-contractor chain mapping to identify and document your vendors' material subcontractors
OSFI board reporting templates showing your TPRM posture and concentration risk exposure

Run a free OSFI B-10 gap assessment

Answer 47 questions, get a scored gap report, and see exactly what you need to do to comply with OSFI B-10 — in under 3 hours. Free forever.
