Browse Skills

OSFI B-10 — Third-Party Contracting

    Canada OSFI B-10 Third-party risk Contracting FRFI
    Get Started with This Skill

    Overview

    Draft standards for third-party written agreements (data security, audit rights, BCP) under OSFI B-10, including Annex 2 for high-risk/critical arrangements.

    Getting Started

    Add your source materials to the project workspace, then activate the OSFI B-10 — Third-Party Contracting skill. The agent will guide you through the process step by step.

    Example conversation

    You: We need standards for third-party contracts under B-10—data security, audit rights, and business continuity. We have several high-risk arrangements that should follow Annex 2.

    Agent: I’ll draft the contracting standards using the skill reference. I’ll document expectations for written agreements (clear responsibilities, legal review); data security and controls (confidentiality, integrity, availability, isolation, breach notification, liability); record-keeping and OSFI access; information and audit rights (FRFI and OSFI); and business continuity and disaster recovery (third-party measures, testing, FRFI BCP/DR). For high-risk and critical arrangements I’ll reference B-10 Annex 2 provisions. I’ll note that standardized or non-negotiable contracts are addressed in B-10 Section 3.

    Output excerpt

    Written agreements — Third-party arrangements are supported by a written contract or other agreement that sets out the rights and responsibilities of each party and has been reviewed by the FRFI’s legal counsel. For high-risk and critical arrangements, the FRFI includes the provisions set out in B-10 Annex 2. The agreement is structured to allow the FRFI to meet OSFI expectations under Guideline B-10.

    Data security and controls — Agreements set out each party’s responsibilities for the confidentiality, integrity, and availability of records and data; controls and monitoring over the third party’s use of the FRFI’s systems and information; scope of records and data to be protected; isolation of FRFI data from other clients; equivalent standard of protection; breach notification; and liability for losses from a security breach. Record-keeping complies with the FRFI Statutes; records are available to the FRFI and OSFI on request.

    Information and audit — The agreement specifies the type and frequency of information and reporting from the third party. The FRFI and OSFI have the right to evaluate risk management practices and to appoint auditors; the FRFI has access to relevant audit reports. Business continuity and disaster recovery: the third party outlines continuity measures, tests BCP/DR regularly, and notifies the FRFI of results; the FRFI’s BCP/DR addresses severe but plausible scenarios and ensures access to records for operations and OSFI.

    Extension and validation

    validate_third_party_contracting — Validates the contracting document for key contract/agreement elements (Annex 2 for high-risk/critical), data security and controls, audit rights (FRFI/OSFI), and business continuity/disaster recovery. Flags missing content or placeholders. Run after drafting or updating contracting standards or agreements.

    Ready to let your expertise drive the workflow?

    Stop wrestling with rigid templates and complex tooling. Write your process in markdown, let the agent handle the rest.

    Get Started