Understanding OSFI Guideline B-10 third-party risk management and how Halbarad helps

OSFI Guideline B-10 is Canada's prudential third-party risk management guideline for federally regulated financial institutions. The important shift is that B-10 is not just an outsourcing guideline. It covers risks from third-party arrangements more broadly, including arrangements that may affect operations, technology, data, strategy, reputation, resilience, or financial soundness.

Official sources

OSFI states that Guideline B-10 sets expectations for managing risks associated with third-party arrangements. It applies to all federally regulated financial institutions, including foreign bank branches and foreign insurance company branches to the extent consistent with applicable Canadian requirements and legal obligations.

What B-10 is trying to do

OSFI wants FRFIs to understand and manage the risk that comes from relying on outside parties. That includes classic outsourcing, but also technology providers, cloud providers, consultants, data providers, affiliates, utilities, and other arrangements that can affect the institution.

B-10 is principles-based and risk-based. It does not require the same process for every third party. Instead, it expects the institution to know which arrangements matter most and to apply stronger oversight where the arrangement is more critical, more complex, more sensitive, or harder to exit.

What B-10 covers

B-10 covers the full third-party risk management program:

  • governance and accountability for third-party risk;
  • a third-party risk management framework;
  • risk appetite and risk-based controls;
  • identification and assessment of third-party arrangements;
  • due diligence before and during the relationship;
  • written agreements and contractual protections;
  • ongoing monitoring and issue management;
  • subcontracting and downstream dependency visibility;
  • concentration risk and systemic dependency risk;
  • business continuity, exit, and transition;
  • reporting and independent review.

What this means for FRFIs

An FRFI should be able to show more than a vendor list. It should have a third-party inventory that shows the arrangement, service, owner, risk rating, criticality, data access, geographic exposure, contract, subcontractors, evidence, monitoring status, issues, and exit posture.

The institution should also be able to explain why an arrangement was classified as high or low risk, what diligence was performed, what contractual protections exist, how the provider is monitored, and what would happen if the provider failed or had to be replaced.

Evidence teams should maintain

  • Third-party risk management framework, policy, governance records, and risk appetite materials.
  • Third-party inventory with risk, criticality, owner, contract, data, technology, and subcontractor fields.

  • Due diligence and risk assessment records.
  • Contract review evidence and executed agreements.
  • Monitoring plans, control evidence, issues, incident records, and remediation.
  • Concentration-risk analysis and dependency mapping.
  • Business continuity, exit, and transition plans for higher-risk arrangements.
  • Management reporting and independent review results.

Common gaps

  • The institution treats B-10 as an outsourcing refresh instead of a broader third-party risk framework.
  • Risk ratings are not tied to clear criteria, making it hard to explain why one provider receives deeper oversight than another.

  • Subcontractors and fourth parties are not tracked consistently.
  • Concentration risk is discussed at a high level but not connected to real provider, service, geography, and technology dependencies.
  • Exit plans do not identify replacement options, transition timing, data movement, and operational impact.

How Halbarad helps

Halbarad helps FRFIs turn B-10 into a governed third-party record. Instead of scattering information across procurement files, security questionnaires, legal folders, and spreadsheets, teams can build a shared view of the arrangement and its risk.

Halbarad can help teams:

  • maintain a B-10-aligned third-party inventory;
  • classify arrangements by risk, criticality, data, service, owner, and dependency;
  • collect diligence and monitoring evidence through structured workflows;
  • discover subcontractors, fourth parties, fifth parties, and concentration exposure;
  • monitor provider incidents, outages, advisories, status-page changes, trust-center changes, and material-change signals;

  • manage residual risk, issues, remediation, approvals, reporting, and audit trail.

Halbarad helps operationalize and evidence the B-10 program. It does not replace OSFI guidance, legal review, or institution-specific supervisory interpretation.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.