Recently, the Office of the Superintendent of Financial Institutions (OSFI) released a memorandum reminding federally-regulated financial institutions (FRFIs) that OSFI’s revised Guideline B-10 “Outsourcing of Business Activities, Functions and Processes” applies to new technology-based outsourcing arrangements, including cloud computing.
In the short memorandum, OSFI:
- acknowledged that these new technology-based services may offer opportunities and benefits for FRFIs but cautioned FRFIs that they need to consider and manage the risks associated with the unique features of these services (including issues surrounding location of records.)
- reminded FRFIs that the expectations in the Guideline apply to these services.
The Guideline sets out OSFI’s expectations for FRFIs that outsource any of their business activities to a service provider. Although OSFI takes the view that FRFIs should have the flexibility to configure their operations in the way most suited to achieving their corporate objectives, the Guideline operates on the premise that FRFIs retain ultimate accountability for all outsourced activities.
Under the Guideline, material outsourcing arrangements are expected to comply with specified requirements around (among other things):
- confidentiality, security and separation of property
- contingency planning
- location of records
- access and audit rights
- subcontracting by the service provider
- monitoring the arrangement and the service provider