utility directional drillingJuly 7, 2022

modern rectangular side table

<< <>/Font<>/XObject<>/Pattern<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 540 732] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj Principle 1: The FRFI is ultimately accountable for all business activities, functions, and services outsourced to third parties and for managing the risks related to third-party arrangements. provide the FRFI with sufficient and timely information to comply with its reporting requirements under OSFIs Principle 2: The FRFI should establish a third-party risk management framework (TPRMF) that sets out clear accountabilities, responsibilities, policies, and processes for identifying, managing, mitigating, monitoring, and reporting on risks relating to the use of third parties. This practice guide is a useful tool to become better informed on risks related to third-party provider management. /FirstChar 32 0000032720 00000 n Concentration risk is the risk of loss or harm to the FRFI or to the broader financial system arising from reliance on a small number of and/or geographically concentrated third-party providers or subcontractors. When considering arrangements with third parties based outside of Canada (or Canadian third parties with material subcontractors located outside of Canada), the FRFI should pay particular attention to the legal requirements of relevant jurisdictions, as well as the potential political, legal, security, economic, environmental, social, and other risks that may impede the ability of the third party to provide services. endstream The agreement should also specify whether and how the third party has the right to use the FRFIs assets (e.g., data, hardware and software, system documentation or intellectual property), including authorized users, and the FRFIs right of access to those assets. An outsourced activity, function or service is one that is, or could be, undertaken by the FRFI itself and is a type of third-party arrangement. This is formembers only. (TGl%XUG&:SR62$Yt7"RB0AQr!cT\HR1%HQ,mAFt8#5KI I"EX&IzKYBVt&:H#]"I}R&0!jRRxC"}W$$5LuDaCHa#iHudi=,)u }*yS0R)ku4LtH:(QP$g#I,5!AFZ$>}X>S;Myng|_5oVyys. 190 0 obj To ensure that remediation actions are sufficient, the FRFI should request that the third party perform root cause analysis and share the results for any incidents, commensurate with the severity/potential impact of the incident on the FRFI. We are continually searching for innovative products and services to enhance our members' ability to meet their rising stakeholder demands. Draft Guideline B-15 /Length 18023 Principle 6: The FRFI should enter into written arrangements that set out the rights and responsibilities of each party. aggregate reporting to Senior Management on third-party risk exposure and trends to inform the FRFIs current and emerging risk profile, including an inventory of third-party providers delineated by level of risk and criticality of the provider. , Technology and Cyber Security Incident Reporting Advisory; significant organizational/operational changes. Please enable scripts and reload this page. FRFIs should implement the expectations in this Guideline proportionate to their size, the nature, scope, and complexity of their operations, and their risk profile. Pricing: The agreement should set out the basis for calculating fees relating to the services being provided. ,)yP`6mMz)N|K;57gQbHSbQ,3;$Ux#4=.tZ"152Vx:bt47 s[s3A}}s%3=i(IJ$j{&a s'(*1 ]Id)_psDb$*@Yri[Kgd'KZ|~\.8)0Ll{X5i4Z[-V6.&G[3C hP!'PPkb_1>0aH] w15(.zl03Kp f| 6cv6)D;G l>O$>{!n2D'OZ pY6Q8l&+0 CjF Bank Act, The TPRMF should reflect the FRFIs risk appetite and be consistent with its operational or enterprise risk management frameworks. /Group << /CS /DeviceRGB /S /Transparency /Type /Group >> ?o7 Prior to entering a third-party arrangement, the FRFI should identify and understand risk factors related to the third partys subcontracting practices, including, at minimum: level of subcontracting, including whether there are material subcontractors; geographic locations of subcontractors and any associated political, security, economic, environmental, social, and other risks; ability of subcontractors to provide services in alignment with the performance standards and controls outlined in the third-party contract, including through disruption; and. endobj Electronic Records must be capable of being reproduced in intelligible written form within a reasonable period of time. 2 0 obj stream Defining a third-party risk audit coverage approach. Corporate Governance Guideline for OSFIs expectations of FRFI Boards of Directors in regard to business strategy, risk appetite and operational, business, risk and crisis management policies. 0000003616 00000 n The FRFI should monitor its third-party arrangement(s) to ensure that the service is being delivered in accordance with the terms of the agreement, and that the third party remains financially sound. R1x|g)yfvB]y^@ Insurance Companies Act, and ss. All rights reserved. any other relevant financial and non-financial risks associated with the use of the third party. Roles and Responsibilities: The agreement should clearly establish the roles and responsibilities of the FRFI and the third party and any material subcontractors of the third party, including for managing technology and cyber risks and controls. 0000005943 00000 n notification requirements if there is a breach of security. Default and termination: The agreement should specify what constitutes a default, or right to terminate, identify remedies, and allow for opportunities to cure defaults or terminate the agreement. pl \nux#HTW.w_>,cC]!CI KkGCi %ns70T(h&`0%i,`Q)6(%Nf`Isg0OJ>lHp4@7Ukz 5C;7}?p&u 7R:cA4iGSmfEl! gO/M]!yi;3]LDBBC)!p7,:f?Hw5NznlFIgu);)Lr}@dnv8/>bT,+\IqbK?xaK'rBj6o[(NicA[fG9#Hi LM#i 09Y%Z~hlCKK,LV^\[yoK "3Ca o%.ojOa` y_n*;21'.$T%tINe9RuBvF8ducOgop&r# _Z[ 2 0 obj 0000015850 00000 n >> Any data and records should be returned to the FRFI in a format that allows the FRFI to sustain business operations without unreasonable expense. 3 0 obj <>/ExtGState<>/XObject<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 595.08 840.84] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> %PDF-1.7 0 The liquidator to conduct an effective liquidation of the FRFIs assets. 189 0 obj Oct 15, 2018. The FRFI should develop cloud-specific requirements to ensure that cloud adoption occurs in a planned and strategic manner. b XmO%# Nha0 Trust and Loan Companies Act. % Principle 8: The FRFIs third-party arrangements should allow the FRFI timely access to accurate and comprehensive information to assist it in overseeing third-party performance and risks. The agreement should also require the third party to notify the FRFI in the event of significant changes in insurance coverage. The FRFIs risk management program is dynamic and actively captures and appropriately manages a range of third-party relationships and interactions. 899 0 obj <>stream Unless it is reasonable to conclude that the results of the service will not be subject to audit procedures during an audit of the FRFIs financial statements, the FRFI should not obtain the following services from its external auditor: Any internal audit service related to the internal accounting controls, financial systems, or financial statements of the FRFI. 0000008649 00000 n The Ownership and access: The agreement should identify and establish ownership of all assets (intellectual and physical) related to third-party arrangements, including assets generated or purchased pursuant to the arrangement. OSFI expects the FRFI to assess its third-party arrangements regularly, with higher-risk and more critical arrangements subjected to more frequent and rigorous assessment. Jn}UjH i. %PDF-1.7 % The FRFI should conduct such assessments: prior to entering into the third-party arrangement (see Section 2.2.2); regularly throughout the lifecycle of the arrangement at a frequency and scope proportionate to the level of risk and criticality; and. << 0000002508 00000 n Outlining key roles, responsibilities, and risks in managing third-party providers. RNYu1LP=9"PXPP'Ybw0, ;0Ml 1@RFQZN;T2=T]}$_v^Aff. +tU"+E2!iXNU}/!:K}#XSP18ixWq5qAJgna\8ne~k`3u'w** %pdj]WD!S^U6$Iksr%RH*f&ovT Q(^SJ+iuZy/~Fw2k7jL:J Technology and Cyber Security Incident Reporting Advisory. Risks posed by third parties are identified and assessed. Principle 10: The FRFI should monitor its third-party arrangements to verify the third partys ability to continue to meet its obligations and effectively manage risks. Prudent risk management: The agreement should include any additional provisions necessary for the FRFI to prudently manage its risks in compliance with this Guideline. endobj The FRFI should conduct due diligence proportionate to the level of risk and criticality of each third-party arrangement: as part of the contract renewal process; and. However, the FRFI retains accountability for all its business activities, functions, and services outsourced through third-party arrangements, for data exchanged with the third party or data to which the third party has access, and for managing risks arising from third-party arrangements. /FontName /ACHMLF+Calibri-Bold endstream endobj startxref endobj /AvgWidth 536 The criticality of the third-party arrangement is an important input into the assessment of both: the third-party arrangements level of risk; and. The FRFIs senior management should also be satisfied that third-party arrangements are in alignment with the FRFIs risk appetite and managed proportionate to the level of risk and criticality. A critical third-party arrangement is one where the third party performs a function or service that is integral to the FRFIs provision of a significant operation, function, or service. Data and records should be subject to the same standard of protection at the third party as they would be at the FRFI. Developing a structure for scoping, planning, and executing third-party risk audits. Among the mitigating actions and controls that the FRFI may consider are the development of redundancies, workarounds, business continuity measures, and other resiliency mechanisms. Third-party risk scenarios could include, but would not be limited to: operational disruption at the third party due to people, inadequate or failed processes and systems, or from external events (e.g., cyber incidents); insolvency of or operational disruption at a material subcontractorFootnote 6; political, geographic, legal, environmental, or other risks impeding the third party or its material subcontractors from providing services according to its arrangement with the FRFI; risks arising from interconnections between multiple third parties and multiple FRFIs; corruption of FRFI data or FRFI data breaches;Footnote 7 and. <>/Metadata 285 0 R/ViewerPreferences 286 0 R>> Such documented plans should: encompass both planned and unplanned exits, such as a providers default, non-performance or prolonged disruption, and establish triggers for invoking exit/contingency plans; establish a set of activities to perform when exiting because of stressed circumstances, such as following the failure or insolvency of the service provider (a playbook for stressed exit); establish a set of activities to perform when exiting through a planned and managed exit due to commercial, performance, or strategic reasons (a playbook for non-stressed exit); take into account contractual provisions impacting exit, such as notification requirements and provisions obliging the third party to provide services over a prescribed period of time following notification of termination; contain sufficient detail (e.g., alternative options or providers, supported by timelines, costs, resourcing, revenue impacts, and interim workarounds) as to allow rapid execution; address severe but plausible scenarios and set out documented plans for each scenario; and. This Guideline should be read in conjunction with applicable legislation and relevant OSFI guidance, including but not limited to, Guideline E-21 on Operational Risk Management, Guideline B-13 on Technology and Cyber Risk Management, and the Corporate Governance Guideline. 732 0 obj <>stream The FRFI and OSFI should also be able to access audit reports in respect of the service being performed for the FRFI. Prior to obtaining management consulting services from its external auditor, the FRFI should assure itself that its external auditor would be in compliance with the relevant auditor independence standards of the Canadian accounting profession, as well as any other applicable auditor independence requirements, in respect of such services to be performed by the external auditor. The third-party agreement should specify the type and frequency of information to be reported to the FRFI by the third party. Bank Act, ss. Please see Sections 2.3.2.1 and 2.3.2.2 of this Guideline. endobj FlEh]3c#%MO ? Such risk assessments should, at minimum: determine whether the arrangement aligns with the FRFIs risk appetite for third-party risk and other relevant risks; establish the level of risk and criticality; and. The FRFI should establish a TPRMF that provides an enterprise-wide view of its exposures to third parties. 239(3.1) of the Technology and Cyber Risk Management for OSFIs expectations on FRFI technology and cyber risk management. )-08='!cQB?$7yIvrwL^]V|$RxB99|=WVWi?J'>$I~T#KR7tli[ktF6\)fv7If@Z>l 0000009957 00000 n 618 The FRFI should also perform its own root cause analysis, as appropriate. /Encoding /WinAnsiEncoding 0000011553 00000 n OSFI will communicate any subsequent changes to the planned publication schedules of these final guidelines at a later date. ,A g^pJF|LF/]08RyD!=4nPX&V( Lg CLY_(VR.Zb>v'^bG Fi7Q={SCN)K1k70=R*@;! The FRFI should establish processes to confirm regularly that the residual risk of their third-party arrangements, individually and in aggregate, remains within the FRFIs risk appetite. 0000001764 00000 n The FRFI should ensure that its written agreements with third parties contain adequate provisions to enable the FRFI to comply with its reporting requirements under OSFIs 1 0 obj endobj 262(1) of the <> 0 Insurance Companies Act, and ss. 1.J@8Xv0al8 {_R1p^Yy@) N`x9d>8Yb g nbhg8'0VEVmp[v. 4239 0 obj <> endobj Principle 5: The FRFI should assess, manage, and monitor the risks of subcontracting arrangements entered by third parties, including the impact of these arrangements on concentration risk. This should include reports that allow the FRFI to assess whether performance measures are being met and any other information required for the FRFIs monitoring program, including risk measures (see Section 2.4). Principle 7: Throughout the duration of the third-party arrangement, the FRFI and third party should establish and maintain appropriate measures to protect the confidentiality, integrity and availability of records and data. /Contents 196 0 R Footnote 16. % Third-Party Arrangements with the External Auditor, 4. 3 0 obj Technology and Cyber Security Incident Reporting Advisory; Strength of the third partys information security programs including their alignment with the FRFIs programs; The third partys capacity to provide critical services through disruption by examining its business continuity and disaster recovery plans, including the quality of such plans and the frequency and results of testing; The third partys reliance on, and capacity to, manage subcontractors; Impact of the third-party arrangement, including its subcontractors, on concentration risk; Geographic location of the third partys and its material subcontractors operations; Ability and ease of substituting the third party with another third party and impact of such substitution on the FRFIs operations; Portability of applications/services provided by a third party to another third party or the FRFI; Third partys business objectives, human resource policies, service philosophies, business culture, and their alignment with those of the FRFI; and. Trust and Loan Companies Act. o x|\. For this purpose, actuarial services relate to the determination of an amount to be recorded in the financial statements of the FRFI or work normally undertaken by its appointed actuary. >> They should also augment existing FRFI controls and standards, notably in the areas of data protection, key management, and container management. In those circumstances, the FRFI must provide OSFI with immediate, direct, complete and ongoing access to the Records that are stored outside Canada.Footnote 11. 0000004416 00000 n 8 0 obj <> 858 42 /FontBBox [ -519 -250 1263 750 ] In cases where data is being exchanged between the FRFI and a third party or where the third party has access to FRFI systems, data corruption and breaches may occur at the third party, the FRFI location or while the data is in transit. <> Outcome: Risks posed by third parties are identified and assessed. Foreign bank branches refers to foreign banks authorized to carry on business in Canada on a branch basis under Part XII.1 of the 192 0 obj To facilitate this outcome, the FRFI should establish and report metrics and associated thresholds to alert senior management when a threshold is being approached as well as triggers for invoking the FRFIs escalation process. NIST 500-291, version 2: NIST Cloud Computing Standards Roadmap defined portability the ability for data to be moved from one cloud system to another or for applications to be ported and run on different cloud systems at an acceptable cost. 6 0 obj Assessment criteria should also be reviewed periodically to ensure that they remain current for the risk landscape. 244(1) of the /Parent 183 0 R As applicable, joint design and testing of business continuity plans and disaster recovery plans should be considered between the third party and the FRFI, commensurate with the criticality of the service. Appropriately engaging and assessing third-party risk management activities across the business, oversight, and control functions. Such provisions could include, among other things, requirements to promptly notify the FRFI of technology and cybersecurity incidents (at the third party or the subcontractor) including providing information on each incident in line with the Advisory. 0000000016 00000 n 1 0 obj Office of the Superintendent of Financial Institutions. ;)*Rs/H7' N0\|N-?#Y96`m-sJJ36 LP btTFy7M>@ 2 0 obj Third-party provider, subcontractor and geographic concentration have the potential to increase overall risk to FRFIs and the financial services industry by: Criticality is the degree of impact of the third-party arrangement on the FRFIs risk profile, operations, strategy and/or financial condition. /CropBox [ 0 0 594.96 842.04 ] The FRFI should have contingency plans for its critical third-party arrangements. Monitoring should also cover regular oversight of current and emerging risks and risk acceptancesFootnote 13 and compliance of the third-party arrangement with the FRFIs risk policies and procedures and OSFIs expectations. 0000033338 00000 n The Office of the Superintendent of Financial Institutions (OSFI) expects that FRFIs practice effective risk management and retain ultimate accountability for all their business activities, functions, and services, whether they are performed in-house or through a third-party arrangement. 0000033640 00000 n To that end, FRFIs are required to provide to OSFI, upon request, information related to their business and strategic arrangements with third parties, risk management, and control environments, to support supervisory monitoring and review work.Footnote 1 OSFI expects to be promptly notified of substantive issues affecting the soundness of the FRFI due to a third-party arrangement. 0000002712 00000 n Technology and Cyber Risk Management and. The FRFI should establish exit plans proportionate to the level of risk and criticality of individual third-party arrangements to ensure continuity of the FRFIs operations through normal and stressed times. This does not prohibit the external auditor from providing a non-recurring service to evaluate a discrete item or program, if the service is not, in substance, the outsourcing of an internal audit function. Regulatory compliance: The agreement should enable the FRFI to comply with all applicable legislative and regulatory requirements, including, but not limited to, location of records and privacy of client information. Security of records and data: The agreements should govern the confidentiality, integrity, security, and availability of records and data. h[mo7%7 !-W)R+-?yF\3|*SY5Tg\X+@mICr%#I}!hXq RXS\%6"I`fY|*G%\kdM!XM+gr"d%+6$,HdR s"e-JdbW,%VFBXK,Q)I$:kH%^-FtHuRk The FRFI should also have clearly defined internal processes for effectively managing and escalating third-party incidents and for subsequently tracking remediation. 3(f' YtUZ'd. The agreement should also specify whether the third party must continue providing the service during a dispute and the resolution period, as well as the jurisdiction, governing law(s), and rules under which the dispute will be settled. 0000007432 00000 n However, there are potential risks that can arise from third-party arrangements that can threaten the FRFIs operational and financial resilience. Refer to Guideline B-13 - Please see s. 238 of the This Guideline applies to all FRFIs, excluding foreign bank branches and foreign insurance company branches.Footnote 2. 195 0 R >> /XObject << /X0 197 0 R /X1 198 0 R /X2 199 0 R /X3 200 0 R >> >> Q]IG [p'O= %|KKwgU@Z{J4Yx %PDF-1.4 $ke` The agreement should include requirements and procedures for the third party to report events in a timely manner to the FRFI that may have the potential to materially affect the risks and delivery of the service. 0000006666 00000 n The TPRMF should be developed to span the lifecycle of a third-party arrangement, from sourcing and due diligence of a third-party provider to potential exit from the third-party arrangement. The FRFI should ensure that the third party has the capacity to monitor and manage risks arising from the use of subcontractors, including, where feasible, through audit rights and/or access to independent audit reports. The TPRMF should set out how the FRFI will identify and assess; manage and mitigate; and monitor and report on third-party risk. the FRFIs overall operational and financial resilience. For clarity, the third-party risk management expectations set out in this Guideline are not intended to replace or substitute for, but rather to serve in addition to, appropriate counterparty credit risk and market risk management activities applied in respect of financial market infrastructures. Throughout the process, concentration should be considered within the FRFIs business functions/units and legal entities, and across the FRFIs entire organization. third-party arrangement is any business or strategic arrangement between the FRFI(s) and an entity(ies) or individuals, by contract or otherwise (e.g., another form of agreement or the conduct of the parties). <> The FRFI Statutes require FRFIs to keep copies of the Records at its head office, or at such other place in Canada as the directors of the FRFI think fit. Third-Party Risk Management and Bank Act, s. 261 of the Such arrangements include, among other things: outsourced activities, functions, and services;Footnote 3. brokers (e.g., mortgage, insurance, deposit brokers); utilities (e.g., power sources, telecommunications); financial market infrastructuresFootnote 4 (e.g., payments systems, clearing and settlement systems, other FRFIs in cases where the FRFI does not have direct access to financial market infrastructures); services provided by parent holding companies, affiliates, and subsidiaries, or through joint ventures and partnerships; and, other relationships involving the provision of services or the storage, use or exchange of data (such as cloud service providers, managed service providers, technology companies that deliver financial services).Footnote 5. Third-party risk is the risk to the FRFIs operational and financial resilience or reputation due to a third party failing to provide goods and services, protect data or systems, or otherwise carry out activities in accordance with the arrangement. Outcome: Risks posed by third parties are managed and mitigated within the FRFIs Risk Appetite Framework. Annex 1 of this Guideline. Foreign insurance company branches refers to foreign entities that are authorized to insure in Canada risks on a branch basis under Part XIII of the %PDF-1.5 % trailer contractual provisions allowing the FRFI to commission or conduct an audit of the subcontractor. reducing the market power of FRFIs vis--vis the third party to negotiate favorable arrangements. These requirements should be accompanied by robust cloud governance to provide proper oversight and monitoring of compliance with the FRFIs risk management practices and alignment to the broader technology strategy. Principle 11: Both the FRFI and its third-party should have documented processes in place to effectively identify, investigate, escalate, track, and remediate incidents to ensure ongoing operational and financial resilience and maintain risk levels within the FRFIs risk appetite. The agreement should not contain any terms that inhibit OSFI, or any other resolution authority or financial compensation scheme, from carrying out their mandate in times of stress or resolution. Please see ss. be reviewed regularly, and more frequently in the event of material changes to the third-party arrangements. Appropriate notice should be required for termination of the service and, where applicable, the FRFIs assets should be returned in a timely fashion. jsJc=8#Ap5EVyt =*J\UQP`kG5-;`Slwr=eITvHxEgza4w~>9ip- pbe[[>S^F}3LUQ!La^IVxn0OGdthZn; pWb]@fb"?L^`V+X^]_oUcN~+wBMuIn&Lo ugC=uWZ3]sPO=~i7ZU) Cuk>?&^`qmOwMo_ mpxx'e8}6:{k]_4OmvZ=Y'B).k9i15rhL Q0+oDz8!%+J6_rJ>(aN6)S!sPdu)-E-#ui.VGSV>X;;Y)ls-bN|[>,eh+1:OAz+D>m{{Kg3-k }aCg0_1kribZ~.7i_,Vl(nttCn7HZZZFli Wtt 0Qvj -@=@ZzXX00Y0000 #O!aZ%LXpa`|Xp'4{^yC9=qAL Draft Revised Guideline B-10 Third party performance is continually monitored and assessed, and risks and incidents are proactively addressed. Consistent with Guideline E-15 (Appointed Actuary: Legal Requirements, Qualifications and Peer Review), the FRFI may use an actuary working in the company's external auditor firm for the external review of the appointed actuary's work and reports. 3 0 obj IAlNQn@-KB}i Use of subcontractors:The agreement should establish parameters on the use of subcontractors and require the third party to notify the FRFI of any subcontracting of services so that the FRFI may conduct due diligence, as well as assess and manage the risk of the subcontractors and any potential impacts from a change in service. /BaseFont /ACHMLF+Calibri-Bold Risks across the full vendor life cycle are considered, including the appropriate sourcing, ongoing management, and termination of vendors. endobj %%EOF Insurance Companies Act, and s. 243 of the The FRFIs criteria to assess the risks of third-party arrangements should be comprehensive and focus on higher-risk arrangements, while maintaining oversight of other arrangements in accordance with the FRFIs risk-based approach. 858 0 obj <> endobj 0000005171 00000 n Please see ss. However, FRFIs may often receive, or use, products or services from providers, such as utilities, internet providers, financial market infrastructures, and others, under pre-defined terms and conditions in standard contracts with a limited ability to tailor contract terms. Standardized Contracts/Special Arrangements, 3.2.. stream Principle 9: The FRFIs agreement with the third party should encompass the ability to deliver operations through a disruption, including the maintenance, testing, and activation of business continuity and disaster recovery plans. In accordance with supervisory information requirements set out in theBank Act, the The processes established should clearly define accountabilities at all levels of the FRFI and triggers for escalation within the FRFI. 0000002425 00000 n N}Y,$. Please refer to OSFIs 244(3.1) of the 0000024917 00000 n Outcome: Third-party performance is continually monitored and assessed, and risks and incidents are proactively addressed. Where necessary, the FRFI should establish more granular descriptions of the roles, responsibilities, and procedures that apply to each party when managing the configuration of products and systems. 0000009260 00000 n hb```b``rAX,=!9E5Ud9fQN@pJnO~M]oY\]ME=>W\. The preference is always to have the arrangement documented in a contract; however, OSFI recognizes that there may be situations where obtaining a contract is challenging. As part of an effective third-party risk management program, the FRFI should ensure that its third parties have clearly defined and documented processes for identifying, investigating, escalating, remediating and notifying the FRFI in a timely manner of incidentsincluding subcontractor incidentsthat could directly or indirectly impact the third partys ability to deliver the contracted goods and/or services. Among other ways, the FRFI might achieve this by: contractual provisions prohibiting the use of subcontractors for certain functions; requiring that the FRFI be informed, in writing and on a timely basis, when a subcontractor is retained, or substituted, to carry out some of the functions contracted for the third party to perform; reserving a right of the FRFI to refuse a subcontractor; and.