Canada's federally regulated financial institutions (FRFIs) face a fixed deadline: full adherence to the Office of the Superintendent of Financial Institutions (OSFI)'s Guideline E-21, covering operational risk management and resilience, is required by 1 September 2026.
E-21 is the new expectation. It sits on top of Guideline B-10, the third-party risk management guideline that has been in force since May 2024. The two are connected: an institution cannot demonstrate E-21 resilience if its B-10 third-party foundations are not already operational.
In practice, an examiner wants to see three things.
1. That third-party relationships are governed, meaning someone senior owns the risk and escalation is documented, not just written into a policy.
2. That vendors are tiered by the risk they pose rather than what they cost.
3. That the institution has tested how it would keep running if a critical third party failed.
This article defines each in plain terms, explains what B-10 and E-21 ask of FRFIs, and shows where a vendor management platform carries the load.

What is the risk of doing nothing?
OSFI's guidelines are expectations with consequences. If an institution cannot show it meets them, OSFI can order remediation, place conditions or restrictions on how it operates, and mark down its supervisory rating.
There is a financial cost too. OSFI can impose monetary penalties, and since September 2025 it has said it will use them more readily, and for smaller breaches than before. Failing to comply with a condition it sets, or withholding information it asks for at examination, is penalised in its own right.
Two things cannot be faked. A programme thrown together before an examination shows it, because the evidence trail only starts when the notice arrives. And a vendor no one is monitoring can fail quietly until customers feel the outage. The deadline is the visible pressure. The unmanaged failure does the damage.
Why is data residency a critical consideration for Canadian FRFIs?
B-10 requires FRFIs to understand where their vendor, contract, and risk data is geographically stored, who can access it, and under what legal jurisdiction, including data held in external systems by the vendors that provide third-party risk management services to the institution.
The risk is specific: data stored on infrastructure subject to a foreign jurisdiction, particularly US-hosted or US-owned platforms subject to the CLOUD Act, may under certain conditions be accessible to foreign law enforcement without the FRFI's consent, creating a conflict with Canadian privacy law and OSFI's expectation of data control. When you choose a third-party risk platform, three things shape your data residency risk:
- Where the data is hosted. This sets the country your data physically sits in.
- The provider's country of incorporation and ownership. This sets which governments and regulators can legally compel the provider to hand the data over, wherever it happens to be stored.
- Independent security certification, such as ISO 27001. This gives outside assurance that the provider's information security controls are sound.
What do B-10's six outcomes require of FRFIs?
B-10 sets out six expected outcomes for FRFIs, some harder to achieve than others. Here is what each one asks of the institution.

- Governance and accountability. The board maintains oversight of the third-party risk management framework, with clear accountability assigned. You likely do not need a new governance structure: most institutions extend the enterprise risk governance they already have, then decide who owns third-party risk and how escalation is documented.
- Risk identification and assessment. Every third-party relationship is identified, and the risk each one poses is assessed against the institution's risk appetite at a frequency that reflects how relationships change. This is the foundation that tiering, monitoring, and contract design all depend on.
- Contract and relationship management. Contracts contain the provisions B-10 needs: audit rights, incident notification, data handling, and termination terms that do not leave you exposed. Contracts predating B-10 must be reviewed and remediated, and new ones must meet the standard at origination.
- Ongoing monitoring. Continuous rather than periodic activity, covered in detail below.
- Technology and cyber risk transparency. Also continuous, and closely tied to OSFI's Guideline B-13. Like monitoring, this is where programmes most often degrade after the initial build.
- Independent assessment. Independent assurance over the programme, not a self-assessment. OSFI will test whether the independence is real: an internal audit function reporting into the same governance it assesses does not satisfy this.
How does Gatekeeper support your B-10 programme?
A platform supports a compliance programme; it does not replace the institution's judgement. Gatekeeper handles the inventory, tiering, contract, and monitoring work directly, shares the governance and cyber-transparency work, and leaves independent assessment and board oversight where B-10 requires them to sit, with you.

| Requirement area | Support level | What Gatekeeper does |
|---|---|---|
| Third-party inventory | Direct support | Every third-party relationship sits in one central repository on a single data model, with defined processes that keep the inventory current rather than static. |
| Risk tiering | Direct support | Vendors are tiered by operational impact and data sensitivity. Tiers are reviewed on a schedule and reclassified when triggering events such as contract expansion, a change in data access, or an incident occur. |
| Contract provisions | Direct support | Audit rights, incident notification, data handling, and termination provisions are enforced at origination through playbooks. Legacy contracts can be searched and reviewed to find and close the gaps that predate B-10. |
| Ongoing monitoring | Direct support | Monitoring depth follows each vendor's tier, with certificate and attestation tracking, risk intelligence feeds, vendor self-reporting through the portal, and a documented, retrievable audit trail. |
| Governance and accountability | Shared | Configurable workflows assign ownership, route approvals, and record escalation paths on a complete audit trail. Board-level oversight of the framework stays with the institution. |
| Technology and cyber transparency | Shared | Vendor security attestations, certificates, and assessment records are tracked against each relationship. Interpreting them against your own cyber risk appetite stays with your team. |
| Data residency | Shared | Gatekeeper keeps your vendor, contract, and risk data in one place, so you can show where it is stored and whose laws apply. Deciding whether any foreign-law exposure is acceptable stays with you. |
| Operational resilience and recovery (E-21) | Shared | Critical third-party dependencies are identified and documented, with the audit trail that supports recovery planning. Defining return-to-service targets, testing recovery scenarios, and assessing concentration risk remain with the institution. |
| Independent assessment | Your responsibility | Gatekeeper provides the complete, retrievable evidence trail an assessor relies on. The assessment itself must be carried out independently of the platform and of the governance structure it reviews. |
Direct support means Gatekeeper performs the work. Shared means Gatekeeper supports it but part of the task stays with your team. Your responsibility means the platform supplies the evidence but cannot perform the task itself.
Gatekeeper is built around the programme architecture B-10 describes: a single third-party inventory, risk tiering, contract control, and the continuous, documented monitoring an OSFI examination relies on. If this article has surfaced gaps in your current programme, Gatekeeper's vendor management software can help you close them before the deadline.
What is the third-party inventory problem, and how should FRFIs approach it?
None of B-10's outcomes can be met without an accurate, complete, and current picture of the institution's third-party relationships. The data most likely exists, but may not be centralised. That fragmentation is where compliance programmes stall: institutions try to perfect their data before building governance around it.
The more productive approach is to build governance around the inventory as it stands, however incomplete. Establish a central repository and a policy that requires each function to contribute its third-party data to it. Define the process for keeping the repository current, and treat it as the backbone of a wider vendor management process rather than a one-off data clean-up. Improve the inventory continuously, including a review of existing contracts that may predate B-10 and lack the audit rights, notification obligations, or termination provisions the guidelines require.
A purpose-built vendor management platform provides the central repository this approach requires: one that captures vendor relationships, contract obligations, and risk data in a single model rather than across disconnected systems.

How should FRFIs structure risk tiering to satisfy OSFI examination?
B-10 requires that third-party risks be managed within the institution's risk appetite framework. The mechanism that makes this workable is risk tiering: a structured way of classifying third parties so that due diligence, monitoring, and contractual requirements are proportionate to the risk each relationship represents.
Tiering frameworks that fail under examination generally do so for one of two reasons. They use too many tiers. A three-tier model of low, medium, and high is sufficient to drive proportionate due diligence and monitoring decisions; additional tiers add administrative burden without improving outcomes. Or they define tiers by contract value, which represents commercial significance rather than operational risk.
A vendor that processes sensitive customer data under a low-value contract cannot be considered low-risk. A cloud provider supporting customer-facing digital banking services, for instance, may present significantly greater operational risk than a higher-value facilities management provider.
What OSFI will scrutinise is whether the criteria are consistently applied and defensible, and whether the due diligence and monitoring activity connected to each tier is proportionate. A three-tier model anchored to operational impact and data sensitivity satisfies these tests. Two tiers are sometimes sufficient for smaller institutions with limited third-party populations.
The tier assigned to a vendor must be changeable to reflect the ongoing nature of the relationship. A vendor that starts at a low tier can move to a higher one as the relationship deepens or the services expand. Risk tiers should be reviewed at least annually for ongoing relevance, with events such as contract expansion, changes in data access, or incidents driving reclassification as needed. Vendor management best practices increasingly treat risk tier as a dynamic attribute, reviewed on a schedule and revised as relationships change.

What does OSFI require for ongoing third-party monitoring?
Monitoring third-party relationships serves two purposes. The first is operational: determining whether vendors are delivering what was contracted, whether service levels are being met, and whether the quality of the relationship remains sufficient for the institution's needs.
The second is regulatory: providing the evidence that risks are identified as they evolve or disappear, and that the institution's understanding of its current risk exposure is current rather than historical.
Where monitoring identifies performance deterioration, relationship breakdown, or emerging risk, the consequences of not acting are proportionate to the degree of failure. Operationally, undetected deterioration can compound until an event, whether a missed service level, a complaint, or a more serious incident, makes it visible. From a regulatory standpoint, the absence of monitoring activity, or monitoring that cannot be evidenced, is itself a material gap, independent of whether any vendor has actually failed to perform.
The frequency and depth of monitoring should reflect the tier assigned to each vendor:
- High-tier vendors, typically those with access to sensitive data, critical systems, or significant operational responsibilities, generally warrant more frequent formal reviews, regular executive engagement, and continuous automated monitoring of cyber and operational indicators where available. Many institutions run quarterly reviews for this tier, though the cadence should reflect the nature of the risk.
- Medium-tier vendors generally suit annual formal reviews with event-driven interim reviews.
- Low-tier vendors require periodic, lower-intensity monitoring.
Tracking vendor performance systematically, not just at contract renewal, is what separates a monitoring programme that satisfies an examiner from one that merely satisfies an internal checklist.
Monitoring should also extend beyond the vendor's own performance to include visibility into their material third-party dependencies. Contractual disclosure requirements, and periodic confirmation that subcontracting arrangements have not changed, are what maintain that visibility.
Effective monitoring is bi-directional. The institution monitors vendor performance and risk from its own vantage point, but vendors should also carry a contractual obligation to self-report material incidents, breaches, or changes in their risk profile within defined timeframes. The monitoring framework should include a process for receiving, recording, assessing, and acting on those notifications.
As the third-party population grows, manual monitoring becomes unsustainable. Automation and risk-based prioritisation are essential at scale. Records of monitoring activity must be documented and readily available, because evidence of continuous oversight is what an OSFI examiner looks for. An otherwise well-designed monitoring programme that leaves no audit trail cannot provide that evidence.
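To make the tiering rules in the section above and the tier-driven monitoring cadence just described concrete, here is a small Python model added to this article; it is not Gatekeeper's code and not anything OSFI prescribes. The 1-to-3 scoring scales for operational impact and data sensitivity, the 730-day low-tier interval, the event names used as reclassification triggers, and the three sample vendors are all constructed assumptions. It shows the three points an examiner would test: contract value is not a tiering input, review cadence follows tier, and every reclassification and review leaves an audit entry.

```python
"""Added example (not Gatekeeper's or OSFI's code): vendor risk tiering by
operational impact and data sensitivity, review cadence by tier, event-driven
reclassification and an append-only audit trail. Scales, intervals, event
names and sample vendors are assumptions constructed for this illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Tier(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Formal review cadence per tier, in days. Quarterly for high and annual for
# medium follow the text above; the low-tier interval is an assumed value.
REVIEW_INTERVAL_DAYS = {Tier.HIGH: 90, Tier.MEDIUM: 365, Tier.LOW: 730}

# Events the text names as triggers for reclassification (assumed identifiers).
RECLASSIFY_TRIGGERS = {"contract_expansion", "data_access_change", "incident"}


def classify(operational_impact: int, data_sensitivity: int) -> Tier:
    """Tier is the worse of operational impact and data sensitivity, each on an
    assumed 1..3 scale. Contract value is deliberately not an input."""
    for score in (operational_impact, data_sensitivity):
        if score not in (1, 2, 3):
            raise ValueError(f"score must be 1, 2 or 3, got {score!r}")
    return Tier(max(operational_impact, data_sensitivity))


@dataclass
class Vendor:
    name: str
    operational_impact: int
    data_sensitivity: int
    contract_value_cad: float          # kept for commercial reporting only
    last_review: date
    tier: Tier = field(init=False)
    audit_trail: list = field(default_factory=list)  # append-only (when, what)

    def __post_init__(self):
        self.tier = classify(self.operational_impact, self.data_sensitivity)
        self.audit_trail.append((self.last_review, f"tiered {self.tier.name} at onboarding"))


def record_event(vendor: Vendor, event: str, when: date,
                 new_impact: Optional[int] = None,
                 new_sensitivity: Optional[int] = None) -> Tier:
    """Log an event against the vendor; re-tier only for triggering events."""
    vendor.audit_trail.append((when, f"event: {event}"))
    if event not in RECLASSIFY_TRIGGERS:
        return vendor.tier
    if new_impact is not None:
        vendor.operational_impact = new_impact
    if new_sensitivity is not None:
        vendor.data_sensitivity = new_sensitivity
    old, new = vendor.tier, classify(vendor.operational_impact, vendor.data_sensitivity)
    vendor.tier = new
    note = f"re-tiered {old.name} -> {new.name}" if new != old else f"tier {old.name} confirmed"
    vendor.audit_trail.append((when, f"{note} after {event}"))
    return new


def complete_review(vendor: Vendor, when: date, finding: str) -> None:
    """A formal review resets the cadence clock and leaves evidence behind."""
    vendor.last_review = when
    vendor.audit_trail.append((when, f"formal review: {finding}"))


def next_review_due(vendor: Vendor) -> date:
    return vendor.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[vendor.tier])


def overdue_reviews(vendors, as_of: date) -> list:
    """Vendors whose scheduled review is past due: the gap an examiner would see."""
    return sorted(v.name for v in vendors if next_review_due(v) < as_of)


def demo() -> dict:
    """Constructed sample population; returns the values the walkthrough shows."""
    facilities = Vendor("Facilities Co", 1, 1, 2_500_000.0, date(2025, 6, 1))
    cards = Vendor("Card Data Processor", 2, 3, 40_000.0, date(2025, 6, 1))
    cloud = Vendor("Digital Banking Cloud", 3, 3, 900_000.0, date(2025, 6, 1))
    vendors = [facilities, cards, cloud]
    tiers_at_onboarding = {v.name: v.tier.name for v in vendors}
    overdue_before = overdue_reviews(vendors, date(2025, 10, 1))
    complete_review(cloud, date(2025, 9, 15), "SLA met; security attestation current")
    overdue_after = overdue_reviews(vendors, date(2025, 10, 1))
    # The low-value facilities provider is granted access to customer records:
    # a triggering event that must move it up, whatever the contract is worth.
    record_event(facilities, "data_access_change", date(2025, 10, 2), new_sensitivity=3)
    record_event(cards, "price_change", date(2025, 10, 3))  # logged, not a trigger
    return {
        "tiers_at_onboarding": tiers_at_onboarding,
        "overdue_before_review": overdue_before,
        "overdue_after_review": overdue_after,
        "facilities_tier_now": facilities.tier.name,
        "cards_tier_now": cards.tier.name,
        "facilities_trail": [what for _, what in facilities.audit_trail],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sample shows the two failure patterns the text warns about being designed out: the highest-value contract lands in the low tier until its data access changes, and a high-tier vendor drops off the overdue list only when a formal review is actually recorded, not because a policy says reviews happen quarterly.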
What does E-21 require for third-party recovery planning?
E-21 requires FRFIs to hold documented recovery plans that account for third-party failure. A credible plan goes beyond naming critical dependencies. It needs a defined return-to-service target for each critical third-party relationship, documented alternative sourcing or manual workarounds where they exist, and tested scenarios that confirm the plan works. A workaround only counts if it has been rehearsed.
The concentration risk dimension is particularly demanding: where many FRFIs rely on the same provider for the same critical service, that provider's failure is a sector-wide outage rather than an isolated one, and recovery plans need to reflect that reality rather than assume the service can simply be replaced.
Recovery planning is the part of E-21 that sits outside a vendor management platform. The plans, the return-to-service targets, and the scenario testing are the institution's to build. Rather than start from a blank page, work from established sources: OSFI's own Guideline E-21 sets out the expectations, and recognised business continuity standards such as ISO 22301 provide a tested structure for recovery and impact-tolerance planning.
How should FRFIs prepare for the 1 September 2026 deadline?
A programme is examination-ready only when the institution can readily evidence that its third-party relationships are governed, risks are workably tiered, and resilience has been demonstrably tested. Documentation alone does not meet the bar.
Institutions that struggle at examination tend to have governance that exists as policy rather than practice, risk tiering that was set at launch and never revisited as the third-party population changed, and monitoring that can show a set of completed reviews but cannot demonstrate continuous activity. These are programme design failures that documentation cannot conceal.
With full E-21 adherence required by 1 September 2026, institutions should prioritise the foundations regardless of their current state of readiness: a centralised third-party inventory, a workable tiering model, and monitoring that generates a continuous, documented record. An examiner gives more credit for a programme that is genuinely operational in part than one that is complete on paper but cannot show it has actually been run.
The path to E-21 adherence runs through the same foundations for every FRFI: inventory, tiering, monitoring, and the evidence that each is being actively maintained. A vendor management programme structured around those foundations produces the continuous, documented record OSFI examiners expect to see.
Frequently asked questions
When is the OSFI E-21 deadline?
OSFI expects full adherence to Guideline E-21 by 1 September 2026. Compliance checks began on 1 September 2025, and scenario testing across all critical operations must be complete by 1 September 2027. Because E-21's third-party resilience expectations build on the third-party risk foundations set out in Guideline B-10, institutions should treat the 2026 date as the point by which both guidelines need to be operational, not just documented.
Does OSFI B-10 apply to all third-party relationships or only critical ones?
B-10 applies to all third-party arrangements, but the depth of due diligence, monitoring, and contractual requirements is proportionate to the risk each relationship represents. Every arrangement must be identified and assessed; the intensity of ongoing oversight scales with the tier assigned to each vendor based on operational impact and data sensitivity. A vendor management platform such as Gatekeeper keeps that full inventory in one place and applies monitoring depth by tier.
Does B-10 cover subcontractors and fourth parties?
Yes. FRFIs must assess the risks posed by their vendors' subcontractors, with oversight tailored to criticality, and contracts should require transparency over subcontractor use. The practical mechanism is contractual: disclosure requirements at origination and periodic confirmation that subcontracting arrangements have not materially changed. Holding those obligations and confirmations against each vendor record is part of keeping the third-party inventory current.
Which Canadian financial institutions are subject to B-10 and E-21?
Both guidelines apply to federally regulated financial institutions (FRFIs), a category that includes banks, federal credit unions, insurance companies, and trust and loan companies regulated by OSFI, including the Canadian branches of foreign banks and insurers. Provincially regulated institutions answer to their provincial regulator, whose requirements vary by jurisdiction and may differ from OSFI's framework in scope and timing.
Can an FRFI use a non-Canadian vendor under B-10?
B-10 does not prohibit non-Canadian vendors, but FRFIs must understand and manage the data residency risks that non-Canadian hosting introduces. Where a vendor's infrastructure or corporate ownership is subject to a foreign jurisdiction, the institution must assess whether its own data governance obligations can still be met and document that assessment as part of its third-party risk programme. Keeping vendor, contract, and risk data in one place makes it possible to show where data sits and whose laws apply.
What is the minimum viable risk tiering model under B-10?
B-10 does not mandate a specific tiering structure, but a three-tier model (low, medium, and high) is generally sufficient to drive proportionate due diligence and monitoring. Tiers should be defined by operational impact and data sensitivity, not contract value. OSFI examiners will assess whether the criteria are defensible, consistently applied, and connected to proportionate monitoring activity.
What happens if an FRFI is not examination-ready by the E-21 deadline?
OSFI can require remediation, impose conditions or restrictions on how the institution operates, and reflect the gap in its supervisory rating. It can also levy administrative monetary penalties, and in September 2025 it signalled it would use them more promptly and at lower thresholds than before. A programme assembled after an examination notice is identifiable as such, because evidence gaps and inconsistencies between policy and practice cannot be remedied by documentation alone. Institutions should treat September 2026 as an operational milestone, not a filing deadline.
How does Gatekeeper help with OSFI B-10 and E-21?
Gatekeeper gives FRFIs a single repository for every third-party relationship, risk tiering by operational impact and data sensitivity, contract provisions enforced at origination, and continuous monitoring with a documented audit trail. That covers the operational core of B-10 and supplies the evidence an E-21 examination relies on. Recovery planning, independent assessment, and board oversight remain the institution's responsibility.