📞 +1 437-996-2283 ✉ purchase@maxicom.ca
Free 2-Hour Quote — Canada
NIST 800-88 · IEEE 2883-2022 · PIPEDA-aligned data destruction · per-job Certificate of Destruction · CAD settlement · 2-hour quote SLA
OSFI B-13 · FSM-N21

OSFI B-13 & asset disposal: what FSM-N21 expects from your ITAD vendor.

OSFI Notice FSM-N21 (Technology Risk Management) and FSM-N22 (Cyber Hygiene) took effect 1 May 2024. Neither explicitly names 'asset disposal.' But both apply to IT you're retiring, especially servers and storage that held customer data. This explainer walks through what the notices actually require, how disposal fits in, and what vendor-selection evidence an OSFI examiner will ask to see.

The framework

FSM-N21 and FSM-N22: what they say about disposal

OSFI Notice FSM-N21 (Technology Risk Management) requires federally regulated financial institutions (banks, insurers, trust and loan companies) to implement a 'sound' TRM framework. That framework includes policy, governance, system design, operational control, incident response, and, buried in the operational-control section, safe decommissioning of IT assets.

FSM-N22 (Cyber Hygiene) is narrower: it mandates specific cyber practices, including 'secure decommissioning' of devices that held sensitive data. Between the two, the expectation is clear: you can't just hand a retired server to a recycler and hope they delete the data. You need a documented process, vendor competence evidence, and per-disposal proof.

OSFI doesn't tell you to use NIST 800-88 by name. But when examiners ask 'how do you ensure data is actually deleted?' and you answer 'we follow industry standards,' they will ask 'which standard?' Your answer should be NIST SP 800-88 (Guidelines for Media Sanitization) or IEEE 2883-2022 (Standard for Sanitizing Storage). Anything else will require justification and scrutiny.

OSFI Examination Scope

What an examiner will ask about your asset-disposal vendor

During a Technology Risk Management examination, OSFI will request your IT asset-disposal SOW, vendor agreement, and sample Certificates of Destruction. Here's what they're checking.

  • Vendor due diligence · Did you evaluate the vendor's competence before engaging? Insurance, references, sample process documentation.
  • SLA and escalation · If disposal takes longer than promised or something goes wrong (device lost in transit), how does the vendor recover? Written SLA with remedies.
  • Destruction method · Per the SOW, what method is used? Wipe? Shred? In NIST 800-88 terms, is it Clear, Purge, or Destroy, and why that level for your media types and data classification? How is the method chosen per asset?
  • Per-job certification · Do you get a Certificate of Destruction per job, or a blanket annual 'we comply'? OSFI wants per-job proof.
  • Witness and sign-off · Is data destruction witnessed? Who signs off? OSFI wants to see operator names, dates, signatures on every certificate.
  • Residual disposition · After data is gone, what happens to the device shell? Remarket? Recycle? Where does the metal go? Is that documented?
OSFI-defensible evidence pack

Documentation you need on file per disposal job

When OSFI auditors ask to see your disposal track record, here's what you pull from your filing cabinet.

  • Vendor Master Service Agreement (MSA): scope, insurance minimum, NDA, termination clause, and escalation path for disputes.
  • SOW or RFQ response: device list, per-device method (wipe/purge/destroy), timeline, pricing, and serial-number requirements.
  • Pre-pickup form: date of request, asset list with serials, confirmation the vendor received it and scheduled pickup.
  • Pickup proof: photos of sealed box, dated, signed by two parties (your site, vendor driver).
  • Transit log: pickup datetime, estimated delivery datetime, GPS tracking (if applicable), driver contact.
  • Destruction Certificate: per device or per batch, method used, date destroyed, operator name, witness name, signatures, completion timestamp.
  • Post-destruction photos or tool output: facility floor, shred machine, batch-shred evidence (if shredder); or the wipe tool's completion report showing the technique used and the verification result (if wipe). A screenshot of a progress bar is not verification.
  • Residual disposition: record of where the device shell / metals / circuit boards went (remarket company name, date handed over; or downstream recycler name / receipt).
Vendor qualification

Red flags in a vendor contract to watch for

Not all ITAD vendors are equal in OSFI eyes. Here are contract terms that will get pushback if auditors see them.

  • 'Certified to industry standards' with no detail · Vague. Require the vendor to name the standard (NIST 800-88) and provide evidence (documented procedure, training certs for operators).
  • Annual compliance statement instead of per-job certificates · OSFI will want per-job proof. An annual 'we comply' is not enough.
  • No insurance or indemnity clause · If the vendor loses your box in transit or fails to destroy the data, who pays for the breach? Get a minimum of CAD 2M coverage and an indemnity in writing.
  • No witness requirement on destruction · OSFI examiners will ask: who watched the data actually get destroyed? Get witness sign-off, including witness name and date, on every certificate.
  • Bulk 'good faith' certification over per-serial accountability · Avoid 'we destroyed all the devices we received from you' without serial-number proof. Require per-device or per-batch ID on every certificate.
Key points

FSM-N21/N22 disposal checklist

Document your vendor selection

Before signing the SOW, get the vendor's procedure document, insurance certificate, and three client references. OSFI will ask.

Use a method that aligns with NIST 800-88

Specify Clear, Purge, or Destroy per device type in your SOW. Don't default to shred for everything or wipe for everything. The right level depends on the media type, the data classification, and whether the device leaves your control: a multi-pass overwrite reaches Purge on a magnetic disk but is at best Clear on an SSD, and degaussing does nothing to flash media.

Insist on per-job Certificates

Not templates. Each Certificate should list actual serial numbers, actual destruction date, actual operator and witness names.

Keep the pack for 3+ years

OSFI can request audit trails going back several years. Store Certificates, photos, and chain-of-custody logs in a secure filing system.

Align disposal to your data-classification policy

Your security policy should say what sensitivity each device holds. Disposal method should follow from that classification.
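The following script is an added example, not Maxicom's tooling and not anything the page itself supplies. It puts the two preceding checklist points (per-job certificates that name real serials, operators and witnesses; disposal method derived from data classification) into a check you can run on the evidence pack before an examiner does: it reconciles the vendor's certificate lines against the asset list you sent, requires the witness to differ from the operator, rejects destruction timestamps that precede pickup, and compares the sanitization level each certified technique actually reaches (per NIST SP 800-88) with the level your policy demands. The CSV column names, the policy table, the technique table and all sample rows are assumptions or constructed data; substitute your own.

```python
"""Reconcile an ITAD evidence pack against the asset list and a NIST SP 800-88
sanitization policy. Added example, not Maxicom's tooling and not something
the page supplies; column names, the policy table and all sample rows are
assumptions/constructed data."""
import csv
import io
from datetime import datetime

RANK = {"clear": 1, "purge": 2, "destroy": 3}

# Sanitization category each technique reaches on each media type.
# ASSUMPTION: a trimmed rendering of SP 800-88 Rev. 1 Appendix A; extend for
# tape, optical, mobile, etc. Note the flash asymmetry: overwriting an SSD is
# at best Clear, and degaussing flash does nothing, so it is absent below.
TECHNIQUE_LEVEL = {
    "hdd": {"overwrite": "clear", "ata_secure_erase": "purge",
            "degauss": "purge", "shred": "destroy"},
    "ssd": {"overwrite": "clear", "block_erase": "purge",
            "nvme_sanitize": "purge", "crypto_erase": "purge",
            "shred": "destroy"},
}


def required_level(classification: str, disposition: str) -> str:
    """Minimum category the policy demands for a device.
    ASSUMPTION: a conservative reading of the 800-88 decision flow (media
    leaving your control needs at least Purge); substitute your own policy."""
    leaves_control = disposition in ("remarket", "recycle")
    if classification == "high":
        return "destroy" if leaves_control else "purge"
    return "purge" if leaves_control else "clear"


def achieved_level(media: str, method: str):
    """Category the certified technique reaches on that media, or None when
    the technique is not a recognised sanitization step for it."""
    return TECHNIQUE_LEVEL.get(media, {}).get(method)


def reconcile(asset_csv: str, cert_csv: str, pickup_at: str):
    """Return sorted (serial, finding_code, detail) tuples for everything an
    examiner would flag when comparing the certificates to the asset list."""
    assets = {r["serial"]: r for r in csv.DictReader(io.StringIO(asset_csv))}
    pickup = datetime.fromisoformat(pickup_at)
    findings, certified = [], set()
    for c in csv.DictReader(io.StringIO(cert_csv)):
        serial = c["serial"]
        certified.add(serial)
        # Witness and sign-off: the witness must be someone other than the operator.
        if c["operator"].strip() == c["witness"].strip():
            findings.append((serial, "WITNESS_IS_OPERATOR", c["operator"]))
        # Chain of custody: nothing can be destroyed before it was picked up.
        if datetime.fromisoformat(c["destroyed_at"]) < pickup:
            findings.append((serial, "BEFORE_PICKUP", c["destroyed_at"]))
        asset = assets.get(serial)
        if asset is None:
            findings.append((serial, "UNLISTED_SERIAL", c["method"]))
            continue
        # Cryptographic erase only counts as Purge if the vendor attests the
        # key was destroyed and the drive was encrypted before data landed on it.
        if c["method"] == "crypto_erase" and c["ce_attested"].upper() != "Y":
            findings.append((serial, "CE_NOT_ATTESTED", "key destruction not attested"))
            continue
        need = required_level(asset["classification"], asset["disposition"])
        got = achieved_level(asset["media"], c["method"])
        if got is None:
            findings.append((serial, "UNKNOWN_TECHNIQUE", f"{c['method']} on {asset['media']}"))
        elif RANK[got] < RANK[need]:
            findings.append((serial, "LEVEL_BELOW_POLICY", f"{c['method']} reaches {got}, policy needs {need}"))
    # Per-serial accountability: every asset handed over must be certified.
    for serial in assets:
        if serial not in certified:
            findings.append((serial, "MISSING_CERT", "no certificate line covers this serial"))
    return sorted(findings)


# Constructed sample data (not real devices or a real job).
ASSET_LIST = """serial,media,classification,disposition
SN-HDD-0001,hdd,moderate,recycle
SN-SSD-0002,ssd,high,remarket
SN-SSD-0003,ssd,low,remarket
SN-HDD-0004,hdd,high,recycle
SN-HDD-0005,hdd,low,reuse_internal
SN-SSD-0006,ssd,moderate,reuse_internal
"""
CERTIFICATES = """serial,method,ce_attested,operator,witness,destroyed_at
SN-HDD-0001,ata_secure_erase,,A. Operator,B. Witness,2024-06-12T14:05:00
SN-SSD-0002,shred,,A. Operator,B. Witness,2024-06-12T14:20:00
SN-SSD-0003,crypto_erase,N,A. Operator,B. Witness,2024-06-12T14:30:00
SN-HDD-0004,degauss,,A. Operator,A. Operator,2024-06-12T14:40:00
SN-SSD-0006,degauss,,A. Operator,B. Witness,2024-06-12T14:50:00
SN-XXX-9999,overwrite,,A. Operator,B. Witness,2024-06-11T09:00:00
"""
PICKUP_AT = "2024-06-12T08:00:00"

if __name__ == "__main__":
    for serial, code, detail in reconcile(ASSET_LIST, CERTIFICATES, PICKUP_AT):
        print(f"{serial:12} {code:20} {detail}")
```

Run against the constructed job, the two clean lines (SN-HDD-0001, SN-SSD-0002) produce nothing and the rest produce exactly the findings an examiner would raise: a serial you shipped that no certificate covers, a certified serial you never shipped (with a destruction time before the truck arrived), a degaussed SSD, a degaussed high-classification disk that policy said to shred, a self-witnessed line, and a cryptographic erase with no key-destruction attestation. Feed it the real CSVs from the SOW and the vendor's certificate export, and keep the output in the evidence pack alongside them.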

Test the vendor before the big job

Ask the vendor to handle a small pilot (20–50 units) first. Review the documentation. If satisfied, scale up.

FAQs · 3 questions

Maxicom Canada — frequently asked

Does FSM-N21 require us to use a specific certified vendor, or can we self-certify?

FSM-N21 doesn't prescribe a vendor list. But OSFI examiners will ask: how did you pick this vendor? You need evidence the vendor is competent. For an in-house team, you need training records, documented procedures, and evidence you're following NIST 800-88. For an outsourced vendor, you need the vendor's documented procedure, insurance, and references. Either way, per-job certification (not annual blanket statements) is expected.

Can we destroy data using our own in-house tools instead of an external vendor?

Yes, if you can demonstrate the same rigor. Document your wipe tool and the sanitization level it reaches on each media type: an overwrite tool such as DBAN or Eraser is at best a Clear and does not sanitize SSDs, so for Purge on flash media use the drive's own sanitize command (ATA Secure Erase or SANITIZE via hdparm, NVMe Sanitize via nvme-cli) and keep the tool's completion report. Record your operators' training and per-device wipe logs with serial numbers, timestamps, verification results, and operator sign-off. Get a peer (not the wipe operator) to witness. OSFI will treat a well-documented in-house procedure the same as an external vendor contract, as long as you have the same level of evidence.

If a device is encrypted at rest, do we still need to wipe or shred it?

Encryption at rest doesn't remove the data; it keeps the data unreadable only as long as the key stays secret. NIST SP 800-88 accepts cryptographic erase (destroying the media encryption key) as a Purge technique, but only under conditions: the drive was encrypted before any sensitive data was written, the key is strong, and every copy of the key, including escrowed and backed-up copies, is sanitized. If you can't show all three, fall back to another purge technique (the drive's sanitize command) or destroy the media. For OSFI purposes, a documented purge is far more defensible than 'it's encrypted so we'll donate it.' If you want to remarket encrypted devices, purge first, then hand them over, and have the purge (method, verification result, date) recorded on the Certificate.

Last reviewed · Maxicom Canada Editorial & Compliance Team


Get started — it takes 2 minutes

Get a written CAD quote within 2 hours.

No obligation. PIPEDA-aligned destruction documentation, NIST 800-88 + IEEE 2883-2022 standards, per-job Certificate of Destruction, settlement on uplift. Three ways to reach us.

1 Send asset list. CSV / spreadsheet with serials, makes, models.
2 Get CAD quote within 2 working hours, per-line residuals.
3 Locked uplift + NIST 800-88 destruction + CAD settlement.
📞 +1 437-996-2283 · Mon-Fri 09:00-18:00 ET · 📧 purchase@maxicom.ca