OSFI Guideline B-10 — Third-Party Risk Management
OSFI Guideline B-10 — Third-Party Risk Management
OSFI Guideline B-10 — Third-Party Risk Management — 100% covered.
3 requirements · 3 enforced · 0 designed · 0 advisory · 0 deferred.
Source: Office of the Superintendent of Financial Institutions, Guideline B-10 Third-Party Risk Management (effective 1 May 2024). Risk-based, principles-based management of third-party arrangements: a central record of third-party arrangements, risk assessment proportionate to criticality, and ongoing monitoring of third-party performance and concentration risk.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Third-party arrangement register | 1 | 1 | 0 | 0 | 0 | 100% |
| Risk assessment by criticality | 1 | 1 | 0 | 0 | 0 | 100% |
| Ongoing monitoring + concentration risk | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
osfi-b-10.register |
Third-party arrangement register: maintain a central record of third-party arrangements with sufficient detail to manage their risks | enforced | audit_events: kye.risk.authority_register.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/51-NO-SPOF.md |
osfi-b-10.risk-assessment |
Risk assessment by criticality: assess and manage third-party risk proportionate to the criticality and risk of each arrangement | enforced | audit_events: kye.assurance.risk_assessment.v1, kye.purpose.admissibility.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/12-PURPOSE-PERMISSION.md |
osfi-b-10.monitoring |
Ongoing monitoring + concentration risk: monitor third-party performance and assess concentration risk arising from reliance on a small number of providers | enforced | audit_events: kye.resilience.signal.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/51-NO-SPOF.md |