OSFI Guideline B-10 (2023)

Effective Date: November 2025


Summary

In 2023, the Canadian Office of the Superintendent of Financial Institutions (OSFI) adopted amendments to Guideline B-10: Third-Party Risk Management. These changes are applicable to vendors who provide services to regulated financial institutions, specifically concerning the vendors' use of subcontractors.

FundApps position: Taken together, FundApps’ subcontractor management, Sub-processor oversight, Change of Control provisions, and ISO/SOC 2-aligned security practices fully satisfy the subcontractor governance obligations set out in Annex 2 of OSFI Guideline B-10. No additional contractual terms are required to meet OSFI expectations.


Overview of Guideline B-10

Federally regulated financial institutions (FRFIs) must effectively manage the risks associated with outsourcing business activities to external parties, as required by OSFI.

Key Requirements:

  • Accountability: FRFIs retain full accountability for all outsourced activities.

  • Supervisory Authority: OSFI's supervisory powers remain unchanged, even when activities are outsourced.

  • Documentation: Written agreements with third parties must meet the expectations set out in OSFI's risk-management guideline.

  • Reporting: FRFIs are required to provide OSFI with requested information and promptly report any substantive issues that could impact critical operations.


Key 2023 Amendments

For arrangements deemed high-risk and critical, OSFI mandates that FRFIs incorporate the provisions outlined in Annex 2 of this Guideline into their written agreements. These agreements must, as a minimum requirement, clearly define the respective rights and responsibilities of the parties involved, establish specific roles related to technology, set clear limits for the engagement of subcontractors, and require the third party to inform the FRFI of any use of subcontracting. Additionally, the FRFI must retain the authority to perform due diligence to evaluate the implications of any proposed change in service.

Specifically, Annex 2 of the 2023 amendments states:

“Use of subcontractors: The agreement should establish parameters on the use of subcontractors and require the third-party to notify the Federally regulated financial institutions (FRFI) of any subcontracting of services. The FRFI should have the ability to conduct due diligence, in order to evaluate the impacts from the change in service.”


How This Applies To FundApps

FundApps’ subcontractor and Sub-processor governance framework fully aligns with the subcontractor-related requirements set out in the 2023 amendments to OSFI Guideline B-10, including the expectations in Annex 2 regarding notification, parameters, and due-diligence rights. As such, no additional contractual terms are required for FundApps to meet OSFI expectations.

1. Subcontractor/Sub-processor Accountability

Per Section 15.4 of our General Terms, FundApps may utilize subcontractors to fulfil any of its obligations under the Agreement, while remaining fully accountable for all their actions and omissions. A current list of our Subcontractors is available here. Given the nature of our services, many of these subcontractors also function as Sub-processors, as defined in our Privacy Policy and Section 4 of Schedule C of the General Terms.

FundApps is contractually required to:

  • Maintain full responsibility for all Sub-processors;

  • Keep an updated list of Sub-processors and provide at least 30 days’ notice prior to the addition of a new Sub-processor; and

  • Provide clients a 30-day objection window for valid data-protection concerns, with either party able to terminate on 30 days’ notice if concerns cannot be resolved. A lack of objection within this period constitutes approval.

2. Security, Certifications, and Due Diligence

FundApps performs comprehensive due diligence on all new subcontractors and Sub-processors prior to onboarding, including assessments of technical, organizational, and security controls in line with our internal Third Party Risk Management framework. This process is reinforced by our ISO 27001 certification and SOC 2 Type II accreditation, both of which require documented, audited procedures for supplier assessment, monitoring, and risk management.

Additionally, FundApps complies with security and assurance requirements under Clause 3.1 of the General Terms, including:

  • Procurement and maintenance of an SSL certificate;

  • Provision of SOC 2 Type II Report and ISO 27001 certificate for the Software; and

  • Ensuring that AWS, our hosting provider and one of our subcontractors, maintains ISO 27001 certification or its equivalent.

FundApps also undergoes annual due-diligence questionnaires (DDQs) from clients’ compliance teams, further validating the robustness and transparency of our subcontractor oversight practices.

3. Change of Control (CoC) Governance

The remaining Subcontractors listed are FundApps Affiliates. Under Section 15.5 of the General Terms, FundApps may assign or transfer the Agreement or its rights to:

(a) an Affiliate for purposes of providing services, with FundApps remaining fully accountable for the Affiliate’s actions; or

(b) an acquirer of all or a majority of FundApps’ equity interests, assets, or business related to this Agreement (“Change of Control”), with prior written notice to the client.

In the event of a Change of Control, the client may terminate the Agreement on 30 days’ notice only if they provide reasonable evidence that the Change of Control would have a materially adverse effect.

This provision ensures clients maintain OSFI-aligned oversight of material changes in service delivery while FundApps retains accountability for any Affiliate or acquirer acting under the Agreement.

4. Regulatory Alignment Beyond OSFI

Our subcontractor oversight and due-diligence practices are also aligned with the requirements under the EU Digital Operational Resilience Act (DORA), providing a comprehensive and harmonized approach to third-party risk management across multiple regulatory frameworks.
