Office of the Superintendent of Financial Institutions (OSFI) Canada

About the OSFI

The Office of the Superintendent of Financial Institutions (OSFI) is an independent agency of the Government of Canada responsible for the prudential regulation and supervision of federally regulated financial institutions and pension plans in Canada.

In its oversight role, OSFI published the B-10 Guidelines for Outsourcing of Business Activities, Functions, and Processes. The guidelines establish "prudent practices, procedures, or standards" that federally regulated financial institutions are expected to follow when evaluating and managing the risk of outsourcing business activities to a service provider. A subsequent OSFI memorandum, New technology-based outsourcing requirements, reminded these institutions that the B-10 Guidelines remain current and that material outsourcing arrangements must meet OSFI's expectations.

In addition, the use of cloud services by financial institutions must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), and in some instances, provincial data privacy laws.

Microsoft and OSFI

To help guide financial institutions in Canada that are considering outsourcing business functions to the cloud, Microsoft has published Navigating your way to the cloud: A compliance checklist for financial institutions in Canada. By reviewing and completing the checklist, financial organizations can document how Microsoft business cloud services address the applicable regulatory requirements before adopting them.

When Canadian financial institutions outsource business activities, they must comply with the B-10 Guidelines for Outsourcing of Business Activities, Functions, and Processes published by the Office of the Superintendent of Financial Institutions (OSFI), as well as Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Microsoft checklist helps Canadian financial firms conduct due-diligence assessments of Microsoft business cloud services and includes:

  • An overview of the regulatory landscape for context.
  • A checklist that sets forth the issues to be addressed and maps Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 services against those regulatory obligations. The checklist can be used to measure compliance against the regulatory framework, to provide an internal structure for documenting compliance, and to help customers conduct their own risk assessments of Microsoft business cloud services.

Microsoft in-scope cloud services

How to implement

Frequently asked questions

Is regulatory approval required?

No. There is no requirement for prior notification, consultation, or approval. The use of public cloud computing is permitted, subject always to compliance with OSFI requirements.

The OSFI B-10 Guidelines indicate that OSFI expects a financial institution to design a risk management program that applies to all of its outsourcing arrangements, with risk mitigation commensurate with the associated risks. However, only material outsourcing arrangements must be documented in a written contract that addresses the safeguards identified in the guidelines; assessing whether an arrangement is material remains the institution's own responsibility. Part 2 of the Microsoft checklist (page 53) maps these safeguards against the sections of the Microsoft contractual documents where each is addressed.

Are there any mandatory terms that must be included in the contract with the cloud services provider?

Yes, but only if the outsourcing arrangement is material (under the B-10 Guidelines) or if it involves any transfer of personal information to the cloud service provider (under PIPEDA and, where applicable, provincial privacy laws).

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template on the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources