AWS for Industries

OSFI Guideline B-10 and how AWS supports our financial services customers with compliance

In April 2023, the Office of the Superintendent of Financial Institutions released its revised Guideline B-10 on Third-Party Risk Management (“Guideline” or “B-10”). The Guideline is effective as of May 1, 2024. It applies to all federally regulated financial institutions (FRFIs).

This marks the first time since 2009 that OSFI has updated B-10. Broadly, the rationale for the Guideline’s revision is based on OSFI’s observation that FRFIs are increasingly reliant on third-party providers for the provision of services. The updates to the Guideline are focused on supporting the operations and financial resilience of FRFIs by setting expectations for sound management of third-party risks.

What’s changed?

Key elements of the revised guideline include an expanded list of third-party risks; a principles-based approach with an emphasis on the assessed risk and criticality of the third-party arrangement; the management of subcontractor risk; and management of concentration risk both within the FRFI and systemically.

The Guideline also includes several expectations that are relevant to an FRFI’s use of AWS as a third-party service provider, including expectations specific to cloud adoption. Besides suggesting certain contractual provisions, B-10 sets expectations that FRFIs:

  • Develop cloud-specific requirements to ensure that cloud adoption occurs in a planned and strategic manner;
  • Establish robust cloud governance to provide proper oversight and monitoring of compliance with the FRFI’s risk management practices and alignment to the broader technology strategy;
  • Plan “appropriate exit strategies” for cloud arrangements deemed high-risk or critical;
  • Consider portability – or mitigants in the absence of portability – when entering an arrangement with a cloud service provider and as part of the design and implementation process in cloud adoption; and
  • Consider strategies to build resilience and mitigate cloud service provider concentration risk.

AWS welcomes OSFI’s continued emphasis on a principles- and risk-based approach to third-party arrangements. Advanced technologies, such as cloud computing, have significant benefits for the financial sector, including increased security, flexibility, rapid scalability, and reliability. It is important that implementing the requirements does not introduce barriers to how financial institutions choose to use technologies that can improve their operational resilience and provide innovative services to their customers.

We’re here to help!

AWS has a dedicated team of Financial Services Industry (FSI) specialists to help our customers achieve compliance with regulatory requirements such as B-10. Our team comprises former regulators, lawyers, compliance officers, information security experts, audit professionals, and technology specialists with deep industry expertise. We work with regulators and customers around the world throughout the regulatory lifecycle, from consultation on draft policies to advising our customers on the implementation of final regulations.

Many of these resources are available to our customers free of charge. AWS also has a number of publicly available resources to assist FRFIs in their compliance with B-10. We recommend our whitepapers on “AWS’s Approach to Operational Resilience in the Financial Sector and Beyond” and “Unpicking Vendor Lock-In” as well as our blog post “Proven Practices for Developing a Multicloud Strategy.”

In addition, we encourage you to visit AWS Compliance Programs. AWS has obtained certifications and third-party attestations for a variety of industry-specific and general workloads and has developed Compliance Programs to make these resources available to customers. Customers can take advantage of AWS Compliance Programs to help satisfy their regulatory requirements.

Over the coming months, we will also update our AWS User Guide for Federally Regulated Financial Institutions in Canada to reflect the revisions to B-10. This guide summarizes regulatory requirements and guidance applicable to the use of AWS cloud services and additional resources to assist customers in designing and architecting their AWS environment to meet their security and regulatory objectives.

Contact your AWS account team or contact us here.

Heather Kay

Heather Kay is the head of Canadian Financial Services Public Policy at AWS. She is also the co-lead for Financial Stability Board (FSB) engagement. Heather has broad experience gained through a career in the public and private sectors, with deep subject-matter expertise in public policy, financial regulation, and risk management. Prior to joining AWS, Heather led the strategic policy team at the Financial Services Regulatory Authority of Ontario. She also has experience overseeing major Canadian financial institutions, as a former supervisor at the Office of the Superintendent of Financial Institutions. As a management consultant with Deloitte Canada, Heather worked with financial sector customers to develop and implement leading risk management and compliance functions.

Dan MacKay

Dan is the Financial Services Compliance Specialist for AWS Canada. He advises financial services customers on best practices and practical solutions for cloud-related governance, risk, and compliance. Dan specializes in helping AWS customers navigate financial services and privacy regulations applicable to the use of cloud technology in Canada with a focus on third-party risk management and operational resilience.