The Autorité des marchés financiers (AMF, Quebec’s securities authority) recently published a draft Third-Party Risk Management Guideline for consultation (AMF Guideline). This new framework updates the Outsourcing Risk Management Guideline, published in 2009, in response to evolving outsourcing practices, particularly in the technology sector. 
The AMF Guideline applies to authorized insurers, financial services cooperatives, authorized trust companies and authorized deposit institutions overseen by the AMF. Federally regulated financial institutions, such as banks and insurance companies regulated by the Office of the Superintendent of Financial Institutions (OSFI), remain subject to Guideline B-10 – Outsourcing of Business Activities, Functions and Processes (OSFI Guideline). It should be noted that some entities may be subject to both regimes simultaneously.

The main objective of the new AMF Guideline is to promote sound and prudent management of third-party risk, while strengthening the operational resilience of financial institutions. 

Influenced by the principles laid down by international organizations such as the Basel Committee on Banking Supervision, the International Association of Insurance Supervisors and the Financial Stability Board, the AMF Guideline is consistent with other guidelines issued by the AMF.

In this update, we summarize the key elements of the AMF Guideline and provide a comparative analysis with the requirements of the OSFI Guideline, to better identify the convergences and distinctions between the two regulatory systems.

Scope and requirements of the AMF Guideline

The AMF Guideline covers a wide range of agreements with third parties, including outsourcing agreements, mandates entrusted to independent consultants, intra-group agreements, distribution agreements and various contractual relationships with suppliers of products and services, including those relating to data management. However, client agreements and employment contracts are expressly excluded from its scope.

Its application must be adapted to the specific characteristics of each financial institution, taking into account the institution’s size, the nature of its activities and its risk profile. The third-party risks to be managed may be general (such as financial and operational risks) or specific (such as risks tied to the concentration of third parties or their use of subcontractors).

The AMF expects senior management to define a clear strategy and appetite for third-party risk, and to implement a management framework covering the entire life cycle of agreements. The board of directors is ultimately responsible for this management and must approve the strategy and appetite for risk.

Each financial institution is required to assess the criticality of its agreements with third parties, and to analyze the risks involved according to formalized criteria, throughout the life of the agreement. This assessment must take into account:

  • The financial or strategic importance of the agreement
  • The nature and complexity of the product or service
  • The criticality of the process in question
  • The institution’s tolerance for disruption
  • The nature and sensitivity of the data or information shared

The criticality of an agreement and associated level of risk must inform the management measures put in place to meet the AMF Guideline’s requirements.

Furthermore, agreements with third parties should include certain essential clauses relating to:

  • The right to audit
  • The right to assess the third party’s risk management practices
  • Procedures governing information transmission and reporting frequency
  • Processes for reporting events that could jeopardize the performance of the agreement

The AMF also suggests criteria for assessing third parties and recommends including specific contractual provisions to mitigate risks.

Special considerations apply to business continuity, fair treatment of customers and cloud service providers. Lastly, each institution should maintain an up-to-date register of its agreements with third parties.

Convergences and distinctions between the AMF Guideline and OSFI Guideline

The AMF Guideline and the OSFI Guideline have a number of similar requirements and application principles, as they are both grounded in guidance issued by international bodies.

For example, the notion of criticality is a central element in both guidelines, serving to modulate the intensity of risk management measures according to the strategic or operational importance of each agreement.

For cloud services, both guidelines address the issues of portability and interoperability, to ensure hosted data can be migrated to other technological environments securely and efficiently. They also recommend adopting a multi-cloud strategy for greater resilience.

Lastly, both guidelines set out key contractual provisions to be incorporated into third-party agreements, such as the right to audit, event reporting mechanisms and compliance requirements. There is, however, one notable distinction: the AMF Guideline incorporates specific expectations for the fair treatment of customers, an element absent from the OSFI Guideline.

Next steps and public consultation

The financial institutions to which the AMF Guideline applies will have to adapt their governance frameworks, review their existing agreements with third parties and set up a centralized register to carefully track and document these agreements. In addition, service providers can expect to be subject to enhanced due diligence by the financial institutions with which they collaborate, particularly when agreements are deemed critical or risky.

Interested parties have until December 19, 2025, to submit their comments to the AMF as part of this public consultation.