Reserve Bank of New Zealand Outsourcing Policy BS11

Ref #2267614 Outsourcing Policy Financial Stability Department Document BS11 Issued: January 2006

2 Ref #2267614 BS11 January 2006

A. Introduction

1. This document sets out the Reserve Bank of New Zealand’s (Reserve Bank’s) policy with regard to outsourcing, including an explanation of the term “legal and practical ability to control and execute”.
2. Section 74 of the Reserve Bank of New Zealand Act (the Act) permits the Reserve Bank to impose conditions of registration that relate to, among other things, the matters referred to in sections 78(1)(f) and 78(1)(fb) of the Act. These matters are, respectively: (f) internal controls and accounting systems or proposed internal controls and accounting systems (fb) arrangements for any business, or functions relating to any business, of the applicant or registered bank to be carried on by any person other than the applicant or the registered bank.
3. For the purposes of the outsourcing policy, outsourcing arrangements are those specified by section 78(1)(fb) of the Act.
4. Banks whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion (Large Banks) are normally subject to a condition of registration relating to outsourcing arrangements. That condition is: that the registered bank has legal and practical ability to control and execute any business, and any functions relating to any business, of the bank that are carried on by a person other than the bank, sufficient to achieve, under normal business conditions and in the event of stress or failure of the bank or of a service provider to the bank, the following outcomes: (a) that the bank’s clearing and settlement obligations due on a day can be met on that day; (b) that the bank’s financial risk positions on a day can be identified on that day; (c) that the bank’s financial risk positions can be monitored and managed on the day following any failure and on subsequent days; and (d) that the bank’s existing customers can be given access to payments facilities on the day following any failure and on subsequent days. For the purposes of this condition of registration, the term “legal and practical ability to control and execute” is explained in the January 2006

3 Ref #2267614 BS11 January 2006

Reserve Bank of New Zealand document entitled “Outsourcing Policy – Financial Stability Department Document BS11”. 5. In addition, Large Banks are generally subject to a condition of registration regarding accountability: (a) that the business and affairs of the bank are managed by, or under the direction or supervision of, the board of the bank; (b) that the employment contract of the chief executive officer of the bank or person in an equivalent position (together “CEO”) is with the bank, and the terms and conditions of the CEO’s employment agreement are determined by, and any decisions relating to the employment or termination of employment of the CEO are made by, the board of the bank; and (c) that all staff employed by the bank have their remuneration determined by (or under the delegated authority of) the board or the CEO of the bank and are accountable (directly or indirectly) to the CEO of the bank. 6. Although the Reserve Bank will generally seek to impose standard conditions of registration regarding outsourcing arrangements uniformly on all Large Banks, the Reserve Bank may impose a non-standard condition of registration on a bank where special circumstances apply. 7. The rest of this document: • explains the objectives of the outsourcing policy (section B); • explains the term “legal and practical ability to control and execute” and discusses risks to a bank’s legal and practical ability to control and execute an outsourced function (section C); and • provides guidance on tolerance of risks to a bank’s legal and practical ability to control and execute an outsourced function (Section D). B. Objectives of the outsourcing policy 8. This section explains the objectives of the outsourcing policy. 9. Section 68 of the Act requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: (a) promoting the maintenance of a sound and efficient financial system; or (b) avoiding significant damage to the financial system that could result from the failure of a registered bank.

4 Ref #2267614 BS11 January 2006

10. The outsourcing policy pursues both these purposes by requiring that a Large Bank’s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank.
11. The outsourcing policy is outcomes-focused. The outcomes required by the Reserve Bank are specified in the condition of registration set out in paragraph 4.
12. The outsourcing policy is framed in terms of the continuity of functions needed to achieve required outcomes. The continuity of bank functions is itself dependent on the availability of supporting systems, staff and data. The outsourcing policy allows flexibility for a Large Bank to configure its systems, staff and data in ways that take account of the bank’s business circumstances and strategy, provided the required outcomes are met.
13. Functions needed to achieve the outcomes specified in the condition of registration set out in paragraph 4 are the most time-critical, “core” bank functions. These must be continued under normal business conditions in order to maintain the soundness and efficiency of the financial system. In the event of a failure of a bank or of a service provider to a bank, these functions must also be continued without material interruption, in order to avoid significant damage to the financial system.
14. In particular, requirements (a) and (b) in the condition of registration set out in paragraph 4 must be achieved before the start of the value day after the day of the failure, and requirements (c) and (d) must be achieved on the value day after the day of the failure, in order to prevent the failure from causing a sharp and disruptive contraction in financial system liquidity or prolonged disruption to the transaction￾processing activities of the bank.
15. Directors or a statutory manager of the bank must have the legal and practical ability to control and execute any outsourced functions to ensure that the bank’s core functions would be available within these timeframes.
16. Table 1 summarises the required availability for core functions in the event of a failure of the bank or of a service provider to the bank.

5 Ref #2267614 BS11 January 2006

Table 1 Required outcome Required availability of functions needed to achieve outcome, in the event of a failure of the bank or of a service provider to the bank (a) the bank’s clearing and settlement obligations due on a day can be met on that day; (b) the bank’s financial risk positions on a day can be identified on that day; Before the start of the value day after the day of failure (and thereafter) (c) the bank’s financial risk positions can be monitored and managed on the day following any failure and on subsequent days (d) the bank’s existing customers can be given access to payments facilities on the day following any failure and on subsequent days First value day after the day of failure (and thereafter) 17. The condition of registration set out in paragraph 5 does not prevent directors of a Large Bank from delegating management responsibilities to non-employees of the bank. However, the bank will need to satisfy the Reserve Bank that the achievement of the required outcomes would not be undermined by the proposed delegation. In particular, the Reserve Bank will focus on whether any divided accountability of a non-employee to which a power has been delegated would undermine the achievement of the required outcomes. Any such delegations must not diminish the role of the board of a Large Bank in overseeing and supervising the affairs of the bank. 18. Notwithstanding section 128(3) of the Companies Act, a Large Bank’s constitution must not contain any modifications, exceptions or limitations which would affect the bank’s ability to meet the condition of registration set out in paragraph 5. C. “Legal and practical ability to control and execute” 19. This section explains the term “legal and practical ability to control and execute” and discusses risks to a bank’s legal and practical ability to control and execute an outsourced function. The various risks discussed here will not necessarily constitute all relevant risks in all cases. 20. Legal ability to control and execute a function refers to the ability to invoke statutory, contractual or other rights as needed to ensure that the function continues to be provided.

6 Ref #2267614 BS11 January 2006

21. Practical ability to control and execute a function refers to the ability to secure continued provision of the function within the timeframes set out in the previous section, taking into account any delays associated with the enforcement of legal rights. Practical ability to control a function depends heavily on the availability and responsiveness of personnel with the technical and business knowledge needed to control and execute the function, as well as physical access to and control of the required systems and data. Risks to legal ability to control and execute an outsourced function
22. Legal risks to outsourcing can arise when the contractual terms and conditions (service levels etc.) of the outsourcing arrangement are not sufficiently clear and complete to ensure continued service provision under circumstances of stress of either the service provider or of the bank itself.
23. If the service provider is in another jurisdiction, a risk exists that proceedings to require the provider to perform may have to be brought in that other jurisdiction’s court and under that jurisdiction’s laws. If so, the bank might have less ability to ensure continued performance than if the provider were resident in New Zealand, and if proceedings were handled by the New Zealand courts and under New Zealand law.
24. If the provider (or the provider’s ultimate parent) is regulated by a regulator other than the Reserve Bank, there may be a risk that the duties and powers of that regulator cause it to intervene in such a way as to interfere with the provider’s performance. Risks to practical ability to control and execute an outsourced function
25. Compared to an arrangement where a provider performs a function in New Zealand, performance of a function offshore complicates the logistics of ensuring timely performance – for example, due to time zone differences, differences in statutory holidays, the extra time needed to access essential staff and systems, etc.
26. If the provider is also performing functions for other entities in a way in which the functions are operationally mingled, there may be a risk of competition for the provider’s resources, impeding the performance of functions for the bank. D. Tolerances for risk to legal and practical ability to control and execute outsourced functions
27. This section provides guidance on tolerance for risks to a bank’s legal and practical ability to control and execute outsourced functions.
28. Consistent with the policy’s focus on outcomes, a Large Bank will have flexibility to pursue outsourcing strategies tailored to its particular circumstances and operational preferences, provided that the bank satisfies the Reserve Bank that the required outcomes are met. The Reserve Bank recognises the many ways in which outsourcing arrangements can be configured and the associated risks mitigated.

7 Ref #2267614 BS11 January 2006

29. In general, the Reserve Bank’s tolerance for risk will be lower for the more time￾critical functions described in Section B. Tolerance for risk will also be lower the more material the function is to the achievement of the required outcomes, and the lower the substitutability of the function by other bank functions.
30. In this context, a function would be substitutable if there are alternative means (whose control and execution is subject to less risk) by which a bank could achieve the required outcomes (within the specified timeframes) in the absence of the function. These alternative means could consist of alternative delivery channels, “workarounds”, substitute staff, or operational backups.
31. The Reserve Bank’s presumption is that a core function as described in section B will not be outsourced, unless the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes, or is substitutable by other functions that are not outsourced. Similarly, the Reserve Bank’s presumption is that a power to manage bank business relating to a core function will not be delegated to a person who is not employed solely by the bank, unless the bank can satisfy the Reserve Bank that the power is not material to the achievement of the required outcomes, or that the required outcomes can still be achieved in the event that access to the person is unavailable for some reason. This presumption regarding delegations applies to “matrix management” and any other management arrangements involving persons who are not employed solely by the bank.
32. For some core functions, an outsourcing arrangement with an independent party might be acceptable, provided that the arrangement featured strong mitigants to the risks to the bank’s legal and practical ability to control and execute the function. Such mitigants might include contractual mechanisms which mimic to the extent possible the substance of an in-house arrangement (e.g. with rights for the bank to “step in” in the event of technical or financial failure of the provider, BCP and regular testing requirements on the provider, explicit exclusion of statutory management of the bank from the definition of default events for the purposes of the contract, requirements that the provision of service be conducted from a location within or close to New Zealand, etc.).
33. Greater risk to the bank’s legal and practical ability to control and execute the non￾core functions could be tolerated, and consequently a wider range of outsourcing arrangements could be acceptable, where a bank has established a credible internal process to manage the risks to its business associated with any outsourcing arrangements. In general, the Reserve Bank would expect that any products (beyond those that provide core transactional functions) that are widely used and depended upon by customers would be subject to the most intense risk management. Other relevant issues for a bank to consider in managing outsourcing risks for non-core functions would include: • the ability of customers to find substitutes (e.g. other banks) for products supported by the function, or to use a workaround if the products suddenly became unavailable; • the extent of inconvenience to customers; and • the number of customers affected.

8 Ref #2267614 BS11 January 2006

34. The provision of bank functions, whether by outsourcing arrangement or otherwise, generally requires supporting systems (hardware, software, networking, data centre buildings, etc.), staffing and data. Systems, staffing and data may themselves be provided either in-house or under outsourcing arrangements. A function might be substantially produced in-house while still drawing on inputs that are supplied by outside providers. Conversely, if important parts of the production process are outsourced, where they might instead be provided in-house, the Reserve Bank may view the arrangements for the function as substantially outsourced even if some elements of the function are maintained in-house.
35. In this regard the Reserve Bank will generally focus on the arrangements for control of the people and data supporting the function, rather than for the systems supporting the function. The practical ability to control and execute a function depends vitally on the ready availability of skilled and knowledgeable staff and the relevant data. For core functions, the Reserve Bank’s presumption is that the relevant staff and data would be maintained in-house, whereas it might be acceptable for certain systems to be outsourced if the Reserve Bank were satisfied that the systems would not be needed in the aftermath of a failure, or that backups or workarounds could take their place.
36. A Large Bank would be expected to manage and document any outsourcing arrangement for the provision of a function (or for supporting systems, staff or data) according to commercially reasonable “arms length” practice, whether the service provider is a related party or not. In general, the Reserve Bank would expect documentation to be clear on the rights and obligations of each party to the contract and on service levels and pricing, to a level commensurate with the function’s time￾criticality, materiality and substitutability.
37. A Large Bank will need to satisfy itself in the first instance that any risks to the required outcomes are tolerable. The bank will need to satisfy the Reserve Bank also that its arrangements or any proposed arrangements are adequate, especially where a core function is involved. The Reserve Bank may seek further information about any arrangement or proposed arrangement, or require a review by a person approved by the Reserve Bank. If the Reserve Bank is not satisfied that an arrangement or proposed arrangement is adequate, it will have to be modified to reduce the risks, or the function brought back or maintained in-house.