Feedback Statement on Outsourcing Exposure Draft BS11

September 2017 Feedback Statement: Consultation on the exposure draft for the revised outsourcing policy (BS11) 1 Background

1. The Reserve Bank of New Zealand (the ‘Reserve Bank’) first introduced an outsourcing policy (BS11) in 2006. Following a full review of the policy beginning in 2014, the Reserve Bank published final policy decisions for a revised policy in February 2017 alongside a regulatory impact statement and summary of submissions received to two public consultations.
2. Following the release of final policy decisions but before release of the revised policy document, an exposure draft of the wording for the revised BS11 was released for public consultation in March 2017. The purpose of this consultation was for stakeholders to be able to report back on any instance where they believed the wording of the exposure draft was unclear, could be interpreted in more than one way, or did not reflect the substance of what was set out in the final policy decisions document. The Reserve Bank was not seeking feedback on any of the policy decisions made.
3. The Reserve Bank has now published the final wording for the revised BS11. The revised policy becomes effective from 1 October 2017. This document summarises feedback to the consultation on the exposure draft.
4. Five sets of submissions were received in total. The submitters were: • the five Large Banks jointly (ANZ Bank New Zealand, ASB Bank, Bank of New Zealand, Kiwibank and Westpac New Zealand)1 ; • New Zealand Bankers Association (NZBA); • Amazon Web Services; • KPMG; and • MinterEllisonRuddWatts
5. Since the closure of the exposure draft consultation, the Reserve Bank has received additional bilateral feedback from banks on the policy drafting. This was 1 The Large Banks jointly provided three separate submissions.

2 as part of private consultations the Reserve Bank is required to undertake with banks before making changes to their conditions of registration. Issues raised in this final stage of consultation were technical and minor and in some cases were reflected in earlier submissions on the exposure draft. 2 Submission feedback 5. Key messages from submitters and the Reserve Bank’s responses are summarised below. The appendix to this document contains a more extensive summary of feedback received and the Reserve Bank’s responses. 6. The Reserve Bank acknowledges the work behind an extensive redraft of the policy wording provided as part of the Large Banks’ submissions. The Reserve Bank focused on the substance of the re-draft and it provided many ideas for the Reserve Bank on how to more clearly set out the policy requirements. As detailed below many of these suggestions have been at least partly adopted. However, in some areas the Reserve Bank developed ideas from the re-draft further and in other places the Reserve Bank did not adopt suggested changes. This has led the final wording of the revised Policy to be different in form to both the exposure draft and the banks’ re-draft.. In substance, the Reserve Bank considers the final wording to be clear and consistent with its policy decisions published in February. Application of the policy 7. Two submitters expressed a concern that the wording in the exposure draft left open the potential for the Reserve Bank to apply the policy to banks under the threshold of Large Bank. The Reserve Bank has made some changes to the wording, of section A1.3 of the revised BS11 to address this concern, the policy will apply to all current Large Banks and it may also apply in cases where a bank becomes a Large Bank or a bank which was previously a Large Bank no longer meets that definition. Concept of simulated live environment 8. One submitter noted that ‘simulated live environment’ used in the context of how banks need to annually test any back-up arrangement was unclear and could lead to differing interpretations. The Reserve Bank agrees with this view and has added additional text to clarify what is meant by ‘simulated live environment’ See section B2.8 of the revised BS11 for the final wording. Cloud services 9. One submitter suggested providing extensive additional guidance on cloud computing. The Reserve Bank has not accepted these changes as it does not believe the policy wording (purposefully or inadvertently) places additional requirements on cloud computing. The Reserve Bank does not believe, at least

3 in a prudential sense, that cloud computing poses a different set of risks to other outsourcing arrangements. Clarification around outsourcing to a third party and other arrangements 10. Submitters requested that the revised BS11 document be clearer on the Reserve Bank’s expectations when a bank enters into an outsourcing arrangement with a third party. It was noted that the exposure draft explicitly states cases where certain requirements apply (e.g. outsourcing to the parent or other related party) but it would be helpful for the Reserve Bank to clearly state all the parallel cases where such requirements do not apply. The Reserve Bank agrees and has added additional text so that the requirements specific to every sort of outsourcing arrangement is set out in the final policy wording. Concept of ‘controlled entity’ 11. One submitter introduced the concept of ‘controlled entity’ in their re-draft of the exposure draft. They believe that outsourcing to related parties that are under a bank’s control, and moreover could be placed under control of a statutory manager appointed to administer the bank, should not be considered any different to outsourcing to a third party. That is, a bank should be able to rely on the ‘controlled entity’s’ own robust back-ups and disaster recovery systems rather than have to build an additional back-up. 12. The Reserve Bank agrees with the general suggestion. However, we believe it is simpler to replace ‘controlled entity’ with ‘subsidiary’ as defined the Reserve Bank of New Zealand Act 1989 (the ‘Act’) and that could be placed into statutory management when a bank is also placed into statutory management. Separation of ‘Initial Financial Position Function’ and ‘Critical Functions’ 13. One submitter proposed creating the concepts of ‘Initial Financial Position Function’ and ‘Critical Functions’. ‘Critical functions’ means the provision of basic banking services, monitoring of the bank’s financial position, and meeting of daily domestic settlement obligations. The definition tries to capture all the functions a bank would need to provide on day one and thereafter post a separation or failure event. ‘Initial Financial Position Function’ is a definition by banks designed to capture functions and systems that would be needed on day zero of a failure. The submitter suggested this distinction because in a failure/separation they envisage the following: • start of day zero – the bank receives its financial position from its parent. • from failure/separation until close of business – the bank’s treasury department uses manual systems (e.g. spread sheets) and its staff to keep track of intraday position (and therefore know its financial position throughout the day).

4 • overnight and before start of business of day one – the bank boots up back-up systems which it will on an on-going basis and feeds its calculated financial position at the end of day zero into these systems. 14. The Reserve Bank has not adopted these concepts and the associated changes to the exposure draft. The Reserve Bank’s assessment is that the wording of the exposure draft and the finalised wording of BS11 would allow a bank to have this sort of arrangement in place. However, if a bank adopted this approach it would still need to convince the Reserve Bank that the exact processes it puts in place are robust. Timelines for back-up arrangements 15. One submitter suggested the removing the 6 hour deadline saying it is redundant giving other obligations on the bank (must be able to report its financial position on the day of failure/separation, meet domestic settlement obligations, re-open the next business day to provide basic banking services to all existing customers). The Reserve Bank had decided to keep this requirement as a ‘back￾stop’ but agrees that other obligations may mean a bank needs to have back-up systems in place before six hours in the event of separation or failure. Engagement process and concept of ‘directly relevant’ 16. One submitter suggested replacing the single application form the Reserve Bank placed at the end of its exposure draft with several case specific forms. The Reserve Bank has adopted this suggestion and there will be four different application forms. There is a separate form for providing evidence: • why an outsourcing arrangement should be placed on the White List; • why an outsourcing arrangement should be placed on the List of Pre￾approved Functions and Services; • That an outsourcing arrangement is through or with a subsidiary of the bank that can be placed under control of a statutory manager appointed to administer the bank; and • that a robust-back up or alternative arrangement is in place for outsourcing to a parent or other related party (which is not a subsidiary of the bank). 17. These application forms sit outside the final wording of BS11 and are available here on the Reserve Bank website. 18. The submitter also proposed creating a concept of ‘directly relevant’. This is designed to allow them to apply to the Reserve Bank to enter into an outsourcing arrangement but not have to apply any of the policy requirements even if the

5 Reserve Bank does not think the arrangement ought to be captured on the white list. 19. The Reserve Bank has not accepted this suggestion as it is not aware of any concrete examples of cases where the Reserve Bank could allow a bank to enter into an outsourcing arrangement where the policy requirements do not apply and it would not be appropriate to amend the white list to capture such arrangements. Concept of ‘general procurement’ 20. One submitter asked that the Reserve Bank introduce a concept of general procurement of services and then scope this out of the definition of outsourcing. The Reserve Bank believes such a concept would be difficult to define precisely and believes it would be better to list specific procurement items on the White List. 3 Conclusion 21. This concludes the formal, public consultation process. The Reserve Bank appreciates the constructive feedback it has received from key stakeholders as part of the two formal public policy consultations and the exposure draft consultation. The Revised BS11 will take effect from 1 October 2017. The Reserve bank will work will affected banks to help them establish paths to compliance.

6 Appendix: Key proposals by submitters on the exposure draft and Reserve Bank responses General proposals Proposed change Accepted? Comment Concept of ‘directly relevant’ Not accepted A submitter suggested a category of outsourcing arrangements for situations when the Reserve Bank is not prepared to add the associated category to the white list but agrees, in this particular instance, the arrangement should not be subject to any policy requirements (e.g. minimal contractual terms, entry onto the compendium). The Reserve Bank is unaware of any concrete examples of such arrangements and therefore does not think the concept would be useful. Concepts of ‘Controlled entity’, ‘other related party’ etc. Accepted The Reserve Bank agrees it is useful to separate out related parties of the bank which are the bank’s subsidiaries and could be subject to control of a statutory manager appointed to administer the bank. If a bank outsources to such a subsidiary we agree it should be able to rely on the ‘subsidiary’s’ own BCP/DR back-ups. The term ‘subsidiary’ was used instead of ‘controlled entity’ as this concept already exists under the Reserve Bank of New Zealand Act 1989 (the ‘Act’). Concepts of ‘existing outsourcing arrangements’ and ‘in-progress arrangement’ Accepted When the policy comes into force all new outsourcing arrangements entered into will need to be compliant. A submitter noted concerns about banks having to re-negotiate arrangements that are substantially complete when the policy comes into force but might not begin until shortly after. We agree with this concern. The submitter provided two definitions for separating out arrangements that are substantially complete when the policy comes into force from those which are not. A substantially complete or ‘in-progress’ outsourcing arrangement would be one where: 1) the bank’s own internal supplier risk acceptance and approval processes have commenced; 2) the Reserve Bank’s non-objection to the proposed outsourcing arrangement has been sought (if applicable); and 3) a draft contract or statement of work is already under negotiation with the outsourcing arrangement provider. The submitter also suggested that any ‘in-progress arrangement’ not yet completed three months after the policy comes into force would need to be made compliant. The Reserve Bank agrees these are useful concepts and has adopted them in the final policy wording. All outsourcing arrangements of a bank will need to be compliant with the policy 5 years after the policy comes into force. Revised definition of ‘failure event’ Not accepted The Reserve Bank did not accept a submitter’s revised definition of ‘failure event’ due to other related proposals also not being accepted and due to the Reserve Bank’s belief that the exposure draft was simpler. One amendment to the definition of ‘failure event’ was made to make it clear that a ‘direction’ means one issued under s 113 of the Act and relating to a condition of registration regarding outsourcing. Separation of ‘Initial Financial Position Function’ and ‘Critical Functions’ Not accepted The general approach suggested by one submitter (on day zero of a separation/failure they rely on manual systems and personnel to keep track of the financial position and other information for the statutory manager and then overnight robust back-up arrangements are booted for going forward) is achievable under the existing (and final) policy wording . Any bank which prepares for a separation or failure event in the way described above will still need to convince the Reserve Bank that the exact systems the bank puts in place will be robust and meet the outcomes of the policy. Cloud computing Not accepted One submitter asked suggested the policy would inadvertently prevent outsourcing arrangements and requested the policy wording provide guidance specifically on cloud computing. The Reserve Bank does not agree with this proposition. Cloud computing will not be treated any different to any other form of outsourcing arrangement. ‘Required risk mitigants’ Accepted Submitters have requested new categories of outsourcing arrangements to make it explicitly clear when certain requirements do not apply. Such situations were previously implied only. The Reserve Bank agrees with this proposal. Concept of ‘general procurement ‘ Not accepted The Reserve Bank believes such a concept would be difficult to define precisely and believes that existing alternative of banks making submissions for additional items on the white list is preferable. Other proposals by section Proposed change Accepted? Comment Moving policy objectives to section 1 of the document. Accepted This does not alter the policy. It makes sense for the purpose of the document and objectives to be side-by side. Legal powers section Accepted Proposed editorial changes were accepted.

7 Definitions Partially accepted The Reserve Bank has accepted new proposed definitions or changes to existing definitions where we believe they improve the clarity or the policy or make the policy at least as clear as the original exposure draft. Examples include a definition of an in-progress outsourcing arrangement. Some changes could not be accepted as they appear to change the policy. One example is the proposed definition of related party as this was a narrower definition than what appeared in the exposure draft. The exposure draft definition was largely based on the definition of associated person in the Act. Other changes have been partially adopted. For example, one submitter suggested that ‘general procurement’ be defined as: goods or services used by a bank which are operational in nature, not unique to the operation of a bank and are utilised by business generally. This definition will not be included in the policy but wording to cover ‘general procurement’ will be added to the white list, albeit with a tighter definition. Application of the policy Accepted Two submitters were concerned the wording of the exposure draft suggests the possibility the policy could be applied to smaller banks. The Reserve Bank has revised the wording to clarify that it would only potentially apply to smaller banks that were crossing the Large Bank threshold in either direction. Outcomes of BS11 Not accepted Some editorial changes accepted but ‘required outcomes’ have not been turned into a defined term as was suggested by one submitter. Risk mitigation requirements for outsourcing arrangements Partially accepted The Reserve Bank has adopted submitters’ suggestions that the final wording in being more explicit about what requirements apply for each and every possible type of outsourcing arrangement. The Reserve Bank has also provided more explanation of what is mean t by a ‘simulated life environment’. Engagement process Partially accepted The Reserve Bank has accepted some of a submitter’s suggestions around the engagement process as they make the document clearer. The Reserve Bank agrees with the proposal to have several specific forms for banks to request non-objection rather than one general form. Contractual terms Not accepted The Reserve Bank has added wording into the final policy document to make it clear that parallel rights are not required when a bank has an alternative arrangement/back-up capability. For readability, the Reserve Bank believes it is best to not absorb this section into the list of defined terms. The compendium Partially accepted The total value of a contract is relevant for the statutory manager and the Reserve Banks. Such information will be protected under section 105 of the RBNZ Act. Therefore, The Reserve bank believes it should be captured on the compendium. The Reserve Bank agrees with submitters’ suggestion that banks may have the option to use the external reviewer instead of their external or internal audit functions. Banks suggested that the requirement to have a fully compliant compendium come into force two years after the new conditions of registration are first applied. Previously, the policy was silent on when exactly a bank would need to have a compliant compendium. We agree this change is helpful. Description of the List of Pre-approved functions and services Partially accepted The Reserve Bank agrees with the proposal that it should consult with banks before removing an item from the whitelist (or before narrowing an item’s definition). However, the Reserve Bank does not believe it should be required to consult needed for adding items (or expanding definitions). Proposed wording changes which would have placed obligations on the Reserve Bank were not accepted. Description of the White list Partially accepted The Reserve Bank agrees with the proposal that it should consult with banks before removing an item from the whitelist (or before narrowing an item’s definition). However, the Reserve Bank does not believe it should be required to consult needed for adding items (or expanding definitions). Proposed wording changes which would have placed obligations on the Reserve Bank were not accepted. Alternative arrangements Not accepted The proposed wording changes to this section did not improve the clarity of the policy. Also the wording “the bank believes that the … arrangement is not capable of being frustrated …” is problematic as it is subjective and cannot provide certainty that the arrangement will work as intended. Separation plan Partially accepted Proposed changes to this section which were not accepted by the Reserve Bank are largely due to corresponding changes elsewhere in the document not being picked up.

8 Conditions of registration Not accepted Proposed wording changes which would have placed obligations of the Reserve Bank have not been accepted. This means the conditions of registration can refer to the final wording of BS11 as a whole and the Reserve Bank has not needed to pick up proposed wording changes to the new conditions of registration. The Reserve Bank has set out in the conditions of registration when specific parts of the policy will apply if it differs from the end of the five year transition period. E.g. banks will need to have a fully compliant compendium 2 years after the date the new conditions of registration first come into effect. The conditions of registration relating to the 2006 policy will remain in place and capture any outsourcing arrangement which has not been altered up till the end of the transition period. Changes to the List of Pre-approved functions and services Accepted The Reserve Bank agrees with most of the proposed changes. Changes to the white list Accepted The Reserve Bank agrees with most of the proposed changes.