On October 9, 2025, Québec’s financial services regulator, the Autorité des marchés financiers (AMF), released a draft guideline on Third-Party Risk Management for public consultation (the Guideline). Once finalized, it will replace the Outsourcing Risk Management Guideline, initially enacted in 2009 (the 2009 Guideline).
The Guideline is intended to apply to any insurers, trust companies, deposit institutions, and financial services cooperatives authorized in Québec (financial institutions).
Federally regulated financial institutions subject to oversight by the Office of the Superintendent of Financial Institutions (OSFI) also fall within the scope of the Guideline if they meet one of the categories mentioned above. This could be the case, for instance, for insurers and trust corporations doing business in Québec and holding an authorization issued by the AMF for that purpose.
The Guideline introduces several distinctions from OSFI’s Guideline B-10. For instance, it requires financial institutions to maintain a centralized register of all third-party arrangements and sets out specific obligations to ensure the fair treatment of customers throughout the entire third-party relationship lifecycle.
This article highlights key aspects of the Guideline, focusing on governance, fair treatment of customers, the use of cloud services, and the contractual provisions that financial institutions must include in arrangements with critical or high-risk third parties.
Scope and governance requirements
While the 2009 Guideline focused narrowly on material outsourcing arrangements, the new Guideline aims to broadly capture third-party risk, defined as “risks a financial institution and/or its clients are exposed to when doing business with a third party,” and as such includes “all the risks associated with third-party arrangements.”
The Guideline establishes specific expectations for boards of directors and senior management regarding the management of third-party risk.
In particular, it specifies that the board of directors holds ultimate responsibility for an institution’s third-party risk strategy and oversight. As such, it states that it is part of a board’s responsibilities to:
- Approve the financial institution's strategy regarding the use of third parties, noting that such a strategy should be aligned with the financial institution’s risk appetite and tolerance for disruptions.
- Approve the financial institution’s risk appetite related to third parties and its tolerance levels in this regard.
- Ensure that senior management develops and operationalizes a framework for managing third-party risk.
- Approve the above framework.
- Ensure that senior management produces periodic reports on mitigating third-party risk.
- Ensure that third-party risk management is integrated across the entire institution.
The Guideline also explicitly lists several related responsibilities that senior management should have. These include:
- Defining the institution's strategy regarding the use of third parties.
- Defining the appetite and tolerance levels for third-party risk within the institution.
- Developing and operationalizing a third-party risk management framework that covers the entire lifecycle of arrangements, with clearly defined roles and responsibilities of stakeholders.
- Producing the periodic reporting on third-party risk management.
- Communicating the strategy and third-party risk management framework to all internal and external stakeholders.
- Ensuring adequate expertise, training programs, and awareness of third-party risk management within the institution.
- Promoting sound third-party risk management practices.
Third-party risk appetite and risk management framework
The Guideline notes that financial institutions should establish a comprehensive risk appetite framework for third-party risk, which should incorporate both quantitative and qualitative assessment metrics. In establishing this framework, financial institutions should consider concentration and outsourcing risk, as well as the potential impact of third-party disruptions on operational resilience.
In addition, the financial institution’s risk appetite and tolerance levels should be regularly reviewed to reflect the evolution of third-party risk and the financial institution’s strategy in this regard.
Third-party risk management framework
Financial institutions are expected to implement a comprehensive third-party risk framework considering the entire lifecycle of third-party arrangements. This framework should be aligned with the financial institution’s overall operational risk and business strategy, and must:
- Define roles and responsibilities for managing third-party risks;
- Include policies, processes, and controls for identifying, assessing, mitigating, and reporting third-party risks; and
- Be regularly updated to reflect internal and external changes, and evolving best practices.
Fair treatment of clients
The Guideline also underscores the importance of ensuring fair treatment of the financial institution’s clients throughout the third-party relationship lifecycle, by requiring financial institutions to:
- Assess the potential impacts of the arrangement on clients during risk identification;
- Ensure that the third party’s practices are consistent with the institution’s culture regarding the fair treatment of clients;
- Embed expectations regarding the fair treatment of clients, along with reporting rights, into contracts; and
- Monitor clients’ experience with the third party and review indicators of the fair treatment of clients on an ongoing basis, particularly when third parties interact directly with clients.
Cloud service providers
The Guideline includes specific requirements applicable to arrangements involving cloud service providers, noting that financial institutions’ risk management framework should include specific elements regarding cloud services, as well as ensure that these elements are based on generally recognized best practices. In particular, the Guideline notes that arrangements with cloud service providers should include provisions aimed at favouring interoperability and cloud portability while attenuating related risks, such as concentration risk, by considering multi-cloud strategies to mitigate dependency on a single provider.
Implementation of a centralized register of third-party arrangements
The AMF also intends to require financial institutions to maintain an up-to-date, centralized register of all third-party arrangements on an ongoing basis. The Guideline specifies that this register should include, at minimum, the following information regarding each arrangement:
- Its owner, its level of criticality, and its risk level;
- The process or processes related to the arrangement within the institution, as well as their level of criticality;
- The products or services related to the arrangement;
- Information on the third party’s subcontractors;
- The nature of data shared with the third party (including sensitive or personal information); and
- The location from which the services will be performed.
The AMF expects institutions to use the information recorded in the register for risk management purposes, including to highlight dependencies and interconnections between arrangements.
Mandatory provisions for critical arrangements
Similar to OSFI’s Guideline B-10, the AMF’s Guideline lists a series of contractual provisions that should, at a minimum, be included in critical or high-risk arrangements. While many of these provisions echo those found in OSFI Guideline B-10, the AMF’s approach differs in several aspects.
For example, the AMF places particular emphasis on the fair treatment of clients, indicating that arrangements should include rights allowing the financial institution to monitor and evaluate the third party’s performance in this regard, where applicable. The Guideline also notes that arrangements should include a mechanism for handling complaints.
The financial institution’s right to information is more detailed under the AMF’s Guideline. For instance, it explicitly states that arrangements must provide for the financial institution’s right to timely and comprehensive access to appropriate information regarding the third party and the arrangement, including:
- In the event of a major or repeated operational incident at the third party or a subcontractor;
- In the case of a new arrangement with a subcontractor, or any change to such arrangement;
- In response to a change in ownership of the third party;
- Following an important organizational or operational change at the third party; or
- In the event of any non-compliance with regulatory requirements or litigation.
Practical implications and next steps
The public consultation is open until December 19, 2025.
Once the Guideline is finalized, financial institutions will need to update their risk management frameworks to comply with it and ensure its requirements are fully implemented in their operations. This will likely involve creating and maintaining a centralized register of third-party arrangements, incorporating the contractual provisions required by the Guideline (which differ from those in OSFI’s Guideline B-10), and implementing the measures mandated by the AMF to ensure the fair treatment of clients in connection with third-party arrangements.
BLG can assist
For further guidance on the Guideline or assistance with its implementation, including the development of internal policies, governance frameworks, or third-party risk management best practices, we invite you to contact the authors or any of the key contacts listed below.