2022-05-11

BS11: Outsourcing Policy for Registered Banks

The Reserve Bank of New Zealand issued this policy to regulate outsourcing arrangements by registered banks, ensuring financial system stability and the continuity of basic banking services. It mandates that large banks maintain robust back-up capabilities for functions outsourced to overseas related parties, including strict timeframes for switching to backups and annual testing. Banks must obtain non-objection from the Reserve Bank for most outsourcing contracts, while specific functions are exempted via a white list or pre-approved list.


New Zealand

Reserve Bank of New Zealand


6881264

BS11: OUTSOURCING POLICY FOR REGISTERED BANKS

All of the material set out in this document forms part of the requirements referred to in those conditions, except material that is identified as guidance by being included in a shaded box like this.

Prudential Supervision Department
Document BS11

Document version history
January 2006: First issue date
March 2017: Revised

1 Introduction

1.1 Purpose of this document

(1) This document sets out the Reserve Bank of New Zealand’s (Reserve Bank’s) policy for outsourcing by registered banks.

1.2 Legal powers

(1) The Reserve Bank has powers under Part 5 of the Reserve Bank of New Zealand Act 1989 (the Act) to register banks and undertake prudential supervision of registered banks.

(2) Section 68 of the Act requires the powers under Part 5 of the Act to be exercised for the purposes of:
  (a) promoting the maintenance of a sound and efficient financial system; or
  (b) avoiding significant damage to the financial system that could result from the failure of a registered bank.

(3) Section 68A of the Act requires that the Reserve Bank, when exercising its Part 5 powers, must support Australian authorities in pursuit of Australian financial stability and where reasonably practicable avoid actions that are likely to have a detrimental effect on financial stability in Australia. Actions that are likely to have a detrimental effect on financial stability in Australia include action that prevents or interferes with an outsourcing arrangement.

(4) Section 74 of the Act permits the Reserve Bank to impose upon registered banks conditions of registration that relate to, among other things, the matters referred to in sections 78(e), 78(1)(f) and 78(1)(fb) of the Act. These matters are, respectively:
  (e) separation of the business or proposed business from other business and from other interest of any person owning or controlling the applicant or registered bank;
  (f) internal controls and accounting systems or proposed internal controls and accounting systems;
  (fb) arrangements for any business, or functions relating to any business, of the applicant or registered bank to be carried on by any person other than the applicant or the registered bank.

(5) Section 74 and the respective conditions of registration made under it (see Appendix I) provide the legal basis for the outsourcing policy described in this document.

2 Definitions and explanations for the policy

2.1 Definitions

(1) In this policy:

(a) Act means the Reserve Bank of New Zealand Act 1989.

(b) Annual means a period of 12 months, commencing on the day after the day on which the relevant obligation was last performed.

(c) Bank or banks means a person registered under Part 5 of the Act.

(d) Basic banking services means the key retail and business services that:
  i. bank customers typically rely on for transactions and economic life, and
  ii. where the disruption or sudden discontinuation of the service would be reasonably likely to have a material negative impact on a significant number of third parties that rely on such services, and
  iii. that if disrupted or discontinued could reasonably be expected to lead to contagion effects, including significant adverse effects on market confidence.
  iv. At a minimum banks must be able to provide the following basic banking services to customers:

  1. Transaction or similar accounts used by individuals and businesses for their transactional needs. A bank must be able to continue to provide Automatic Teller Machine (ATM) services. In addition customers should be able to access their account through at least two other of the most commonly used channels.
  2. Savings accounts and term deposits provided to customers as a store of value.
  3. Credit services to individuals and businesses, including credit cards, overdraft and revolving credit facilities, secured lending and home loan facilities (including pre-approvals).
  4. Account activity reporting for relevant accounts held by individuals and businesses.
  5. Payment and securities clearing and settlement services, including credit card/merchant acquiring services and agency arrangements with correspondent banks.

Guidance: The definition of basic banking services makes no distinction between customer types. I.e. there is no difference among consumer, small-to-medium business, or institutional customers under the definition.

(e) Business day means a working day as defined in the Interpretation Act 1999;

(f) Compendium means a formal and centralised record of all the functions a bank has outsourced.

(g) Day of failure is the calendar day that the bank:
  i. is given a direction under the Act;
  ii. becomes subject to statutory management;
  iii. becomes separated from its parent or its banking group; or
  iv. a disruption of an outsourcing arrangement occurs.

(h) Disruption of an outsourcing arrangement means a situation in which a bank’s outsourcing arrangement fails to comply with the requirements of this policy for a period of longer than 6 hours.

(i) Effective means the point an outsourcing contract has been signed by both the bank and service provider.

(j) Large Bank means a registered bank, incorporated as a company in New Zealand, whose net liabilities exceed $10 billion.

(k) Legal ability to control and execute a service or function means the bank’s ability to invoke statutory, contractual or other rights to ensure that the relevant function or service continues to be provided.

(l) Net liabilities means the total liabilities of the banking group, net of amounts to related parties.

(m) Outsourcing means the use, now and in the future, by a registered bank of a third party (either a related party within the corporate group or third party that is external to the corporate group) to perform services on a regular or continuing basis that could be undertaken by the registered bank, and does not include any services on the White List.

(n) Overseas party means a company, or other person, that is incorporated, formed, or established in a jurisdiction other than New Zealand, whether or not that company or person has a primary place of business in New Zealand and whether or not it carries on business in New Zealand.

(o) Parallel rights means:
  i. step-in rights allowing the bank continuing access to the service in question should the bank be separated from its parent or the wider banking group; or
  ii. a separate contract for the service in question which comes into force should the bank be separated from its parent or the wider banking group.

(p) Parent means a person that is a holding company of a registered bank.

(q) Person includes a corporation sole, a body corporate, and an unincorporated body.

(r) Practical ability to control and execute a service or function means the bank’s ability to secure continued provision of the service or function within the timeframes set out in the policy, taking into account any delays associated with the enforcement of legal rights. Practical ability to control a function depends heavily on the availability and responsiveness of personnel with the technical and business knowledge needed to control and execute the function, as well as physical access to and control of the required systems and data.

(s) Related party means:
  i. a person that directly or indirectly controls the management of the registered bank; or
  ii. a person that has direct or indirect qualifying interest in 20% or more of the voting or non-voting securities issued by the registered bank; or
  iii. a person that is directly or indirectly controlled by that registered bank; or
  iv. a person for which that registered bank has a direct or indirect qualifying interest in 20% or more of the voting or non-voting securities issued by that person;
  v. there is another person to whom both the person in question and the registered bank are related parties; or
  vi. a person in which a parent of the registered bank has a direct or indirect interest in 20% of the voting securities of that person, or which the parent controls the management of.

(t) Thereafter means an indefinite period or until such time as the bank puts an equally robust alternative arrangement in place.

(u) Time critical obligations means any obligation that is relevant to meeting the outcomes of the policy, including ensuring that payments can be made to critical service providers.

Guidance: Critical service providers will be agreed with the Reserve Bank on a bank by bank basis.

3 Application of the policy

3.1 Application of the outsourcing policy

(1) All Large Banks will ordinarily be subject to conditions of registration requiring them to comply with this policy.

(2) The Reserve Bank may require under conditions of registration other registered banks to comply with parts or all of this policy.

(3) The standard conditions of registration for banks subject to the outsourcing policy are set out in Appendix I of this policy.

3.2 Policy objectives and outcomes

(1) The objectives of this policy are to ensure that outsourcing arrangements made by a bank do not compromise the bank’s ability to:
  (a) be effectively administered under the statutory management for the purposes of continuing to provide and circulate liquidity to the financial system and the wider economy;
  (b) facilitate the carrying on of basic banking services by any new owner of all or part of the bank; and

  (c) address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank.

(2) For these objectives to be achieved the following outcomes are required of banks:
  (a) It must continue to meet its daily settlement and other time-critical obligations, before the start of the business day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system;
  (b) It must monitor and manage its financial positions, including credit and market risk positions, before the start of the business day after the day of failure and thereafter, limiting further financial losses;
  (c) It must make available the systems and financial data necessary for the New Zealand authorities to have available a range of options for managing the failed bank, on the first business day after the day of failure and thereafter;
  (d) It must provide basic banking services to existing customers including, but not limited to, liquidity (both access to deposits and to credit lines as defined in basic banking services) and account activity reporting, on the first business day after the day of failure and thereafter;
  (e) Where a bank is part of an overseas banking group, it must achieve outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent, on the day of failure and thereafter.

Guidance: The intention of this policy is to ensure that any outsourcing arrangements that banks put in place cannot frustrate the objectives of the policy.

4 Back-up capabilities for functions outsourced to an overseas parent or related party

4.1 Back-up capabilities for functions outsourced to an overseas related party

(1) Where a bank has an outsourcing arrangement with an overseas related party the bank must have robust back-up capability for that arrangement. This back-up capability must enable the following requirements to be met:

• There is no possibility of permanently losing transactions. In order for a bank to meet this requirement all disrupted transactions must be processed within 48 hours of the failure or disruption of the outsourcing arrangement.

• The switch over from the outsourced arrangement to its back-up must be delivered within 6 hours of the failure for functions related to outcomes (a), (c) and (if applicable) (e). The bank must also meet its obligations for a bank’s conditions of registration relating to BS17 – Open Bank Resolution Pre-positioning Requirements Policy (or other applicable requirements under other conditions of registration).

• The switch over from the outsourced arrangements to its back-up must be delivered before 9:00 am on the business day after the day on which the statutory manager is appointed to the bank for functions related to outcomes (b), (d) and (if applicable) (e).

• The back-up arrangement must be sustainable, in that it could be equally substituted for the outsourcing arrangement on an on-going and fully automated basis, to deliver the outsourced service with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation.

• Testing must be conducted on an annual basis in a testing environment that simulates the live environment. This testing must be done to ensure that the back-up arrangement will work as intended. Separate to this testing, a bank is required to ensure that changes made to the live environment will also be made in the back-up environment.

• External review is conducted at least every three years to ensure the arrangement remains robust. However, an annual external review is required during the five-year transitional period.

• The bank must have direct ownership and/or legal and practical control over the back-up system. This does not mean that the system has to be located in New Zealand, but requires that the bank should have the legal and practical ability to control the back-up system (i.e. that they own the system (or have a direct relationship with the third party provider for that system) and the data that is required to use it). This backup arrangement cannot be provided by a parent or a related party of the parent.

4.2 Timeframes in this policy do not affect bank’s obligations under other conditions of registration

(1) While the back-up capability requirement has certain timeframes set around it to ensure that a bank will be able to reopen at 9am the day after being placed into statutory management, it is important for banks to recognise that these timeframes do not affect the timeframes for a bank’s conditions of registration relating to BS17 – Open Bank Resolution Pre-positioning Requirements Policy (or other applicable requirements under other conditions of registration) and banks must ensure that they can meet the requirements of these as well as the outsourcing policy requirements.

4.1 Alternative arrangements

(1) The Reserve Bank may also consider alternative arrangements to the back-up capability requirements where a New Zealand bank has an arrangement with a related party that is under the control of the New Zealand bank. In considering these arrangements, the Reserve Bank will look at matters such as:
  a) whether the New Zealand bank has legal and practical control over the arrangement;
  b) whether the parent, another related party, or any overseas authorities may be able to frustrate the arrangement;
  c) the relationship between the New Zealand bank and the related party;

  d) what functions or activities the related party will be undertaking on behalf of the New Zealand bank; and
  e) whether the related party will also be providing services to any other related parties.

Guidance: For arrangements with independent third parties banks will be able to rely on the robust disaster recovery/business continuity preparation requirements provided by the independent service provider.

5 Engagement process

5.1 Non-objection required for outsourcing arrangements with or through their related party

(1) All outsourcing arrangements with or contracted through a parent or a related party must receive non-objection from the Reserve Bank before being entered into.

(2) Subsection (1) is subject to the exceptions set out in sections (6) and (7).

(3) The white list of functions and services can be found in the document “White list functions and services for BS11: Outsourcing Policy for Registered Banks”.

(4) The Reserve Bank will also maintain a list of functions that are pre-approved for the purposes of the policy. For functions and services that are on this list banks will not require Reserve Bank non-objection before entering into an arrangement and the requirements of paragraphs (5) and (6) below will not apply.

(5) The list of pre-approved functions and services can be found in the document “Pre-approved functions and services for BS11: Outsourcing Policy for Registered Banks”.

(6) Any application must demonstrate that in assessing the options for outsourcing a function, the bank:
  (a) has considered all risks associated with outsourcing the function and determined that it does not expose itself to undue risks more than if the bank were to undertake the function itself;
  (b) has shown that the risks arising from the outsourcing proposal are appropriately managed;
  (c) has developed realistic contingency plans that would enable the outsourced function to be provided by an alternative service provider or brought in-house if required, and shown that regular testing of the contingency plans can be undertaken;
  (d) has undertaken a due diligence review of the chosen service provider, including the ability of the service provider to conduct the function on an on-going basis;
  (e) has received agreement from the Board, Board committee, or senior manager with delegated authority from the Board on the arrangement prior to the application for non-objection;

  (f) has considered all the matters outlined in 9.1-9.2 that should be included in the outsourcing agreement itself. This should be independently validated by the bank’s internal audit process;
  (g) has implemented procedures for on-going review to identify risks that may not have been identified at the time of entering into the agreement;
  (h) has set out how the proposal impacts the separation plan;
  (i) has the ability to cancel the contract;
  (j) has provided analysis of impacts in circumstances where the proposal interacts with other outsourced functions;
  (k) has considered how it would address concentration risk should the supplier be widely used across the industry;
  (l) has the required monitoring procedures to ensure that the related party is performing effectively and how potential inadequate performance would be addressed; and
  (m) has addressed the renewal process for outsourcing agreements and how the renewal will be conducted.

(7) Additionally, where the outsourced function or service is proposed to be undertaken by the parent or a related party, including any subcontracting by the service provider, the bank must have regard to, and demonstrate to the Reserve Bank’s satisfaction, the following:
  (p) that the terms of the contract are made as if it were on an arm’s-length basis;
  (q) that the bank has significant oversight of the outsourced function on an on-going basis;
  (r) that the bank’s management retains the ability to direct the service provider; and
  (s) that the bank is able to perform the function in-house.

(8) To obtain non-objection, banks must first submit an application as set out in Appendix II.

Guidance: On receiving an application for an outsourcing arrangement from a bank, the Reserve Bank will endeavour, within twenty working days, to either:
  (a) issue its non-objection to the outsourcing arrangement;
  (b) request more information; or
  (c) decline the application.

(9) If, after receiving an application, the Reserve Bank requires more information (5.1 (8)(c)), once the information is received, the request for non-objection will be considered as a new request and 5.1 (8) will be re-applied.

(10) The Reserve Bank may require that modifications to proposed outsourcing arrangements be made before an arrangement is entered into or decline the application should it reasonably consider it is not possible for the proposed arrangement to comply with the outsourcing policy.

(11) When the Reserve Bank requires an application to be supplemented with additional information, such information will likely correspond to one of the matters listed above in 5.1(6)-5.1(7).

Guidance: The short form application will contain fairly high-level information on the proposed outsourcing arrangement. We anticipate that, in combination with the extended white list, the majority of outsourcing applications will be able to be considered under the short form application. It would only be for more complex arrangements, particularly those with the parent or related parties, that we anticipate requiring a full application.

(12) It is the responsibility of the bank to ensure the outsourcing arrangement in question is compliant, and that it remains compliant. A notice of non-objection does not guarantee that the outsourcing arrangement complies with the Reserve Bank’s outsourcing policy.

Guidance: Any notice of non-objection from the Reserve Bank to an outsourcing arrangement is made on the basis of information a bank provides to the Reserve Bank. A notice of non-objection does not constitute a safe-harbour. It is the bank’s responsibility to ensure an outsourcing arrangement is compliant with the policy and continues to be so.

6 List of pre-approved functions and services

6.1 Purpose of the list of pre-approved functions and services

(1) A bank must ensure that all outsourcing arrangements that it enters into are compliant with the policy.

(2) However, the Reserve Bank will maintain a list of functions that are pre-approved for the purposes of this policy. The functions and services on this list do not require Reserve Bank non-objection before a bank can enter into the arrangement.

Guidance: Banks can propose to add functions or services to the list of pre-approved functions or services, though the final decision will be made by the Reserve Bank. If a function or service was to be removed from the list of pre-approved functions or services then the Reserve Bank would undertake consultation with banks.

(3) It is the responsibility of the bank to ensure that the arrangement is compliant with the policy.

7 White list of functions and services that are not subject to the policy

7.1 Purpose of the white list of functions and services that are not subject to the policy

(1) The Reserve Bank will maintain a list of functions and services that if carried out by a third party are not regarded as Outsourcing for the purposes of this policy.

Guidance: Banks can propose to add functions or services to the list of functions or services that are not relevant for the policy, though the final decision will be made by the Reserve Bank. If a function or service was to be removed from the white list then the Reserve Bank would undertake consultation with banks if the function or service is captured by the policy as an outsourcing arrangement.

8 Compendium

8.1 Purpose of a compendium

(1) The purpose of the compendium is to help New Zealand authorities and a statutory manager understand what functions and processes have been outsourced by a bank. This information must be readily accessible as some outsourcing arrangements may relate to time-critical obligations.

8.2 Information to be kept in compendiums

(1) The information to be included in a compendium must include:
  (a) the legal name, physical address, and address for service of the entity providing the outsourced arrangements; and
  (b) the total value of the outsourcing contract, including both the upfront costs and the on-going expenses; and
  (c) the expiry of, and any renewal date, of that contract; and
  (d) the arrangements in place for the termination of the contract (refer section 9); and
  (e) an overview of the function or system that has been outsourced.

8.3 Banks must maintain compendiums

(1) The compendium should:
  (a) be a key accountability document embedded in board compliance; and
  (b) be kept up to date; and
  (c) form part of the oversight and governance reviews undertaken by the board and senior management.

8.4 Compendiums must be up to date

(1) Banks must have appropriate processes in place to maintain a compendium such that information on new outsourcing arrangements, as detailed in 8.2, is entered into the compendium within twenty working days of the outsourcing arrangement being effective.

8.5 Compendium to be reviewed annually

(1) A bank’s compendium should be reviewed at least annually to ensure it is up to date.

(2) Reviews of the compendium must be conducted by either the bank’s own internal audit function or an external auditor.

8.6 Banks must be able to provide their compendium to the Reserve Bank

(1) The compendium must be kept in a printed and electronic form that can be sent to the Reserve Bank on request.

Guidance: The Reserve Bank will likely ask for a copy of a bank’s compendium at least once a year as part of normal supervisory practice. Outside of this annual request the Reserve Bank will likely only ask for a copy of a bank’s compendium in special circumstances.

9 Contractual terms

9.1 Outsourced functions to remain available following a failure

(1) For outsourcing arrangements with third parties the bank must address the following matters:

  (a) a contractual provision to ensure continuing access on arms-length commercial terms to services when the bank enters statutory management;

Guidance: arms-length commercial terms includes that the bank continues to pay for the service under the existing contract with the third party.

  (b) a contractual provision providing the Reserve Bank the ability to have access to documentation and information related to the outsourcing arrangement.

Guidance: the Reserve Bank only expects that third party providers be contractually required to provide access to documentation and information about a relevant outsourcing arrangement, when such documentation and information belongs to or is accessible to the third party itself.

Guidance: Further contractual terms the Reserve Bank would expect, but does not require, to see included in robust outsourcing arrangements:
  a) the scope of the arrangement and services to be supplied;
  b) commencement and end dates;
  c) escrow arrangements;
  d) review provisions;
  e) pricing and fee structure;
  f) service levels and performance requirements;
  g) the form in which the data is to be kept and clear provisions identifying ownership and control of data;
  h) reporting requirements, including content and frequency of reporting;
  i) audit and monitoring processes;
  j) business continuity management around how the service provider will deal with a failure of the service it is providing;
  k) confidentiality, privacy and security of arrangements;
  l) default arrangements and termination provisions;
  m) dispute resolution arrangements;
  n) liability and indemnity;
  o) sub-contracting; and
  p) insurance.

9.2 Outsourcing through a related party

(1) In addition to the requirements in 9.1, a bank must have parallel rights for outsourcing arrangements that are made through a parent or related party. This is to ensure that the New Zealand bank has continuing access to the services if the bank is separated from its parent or the wider banking group.

10 Separation plan

10.1 Requirement to have a separation plan

(1) A bank must have a separation plan.

(2) A bank is exempt from the requirement to have a separation plan when:
  i) the bank is not subject to the outsourcing policy; or
  ii) the bank is subject to the outsourcing policy but it is not a member of a foreign-owned banking group.

10.2 Purpose and content of separation plans

(1) A separation plan must describe the processes a New Zealand bank would undertake to operate services in-house that were provided previously by a member of its banking group in the event it is subject to the appointment of a statutory manager following either its own failure or its parent failing, or in the event it is otherwise separated from the foreign-owned banking group. Specifically, the objective of the plan should be that the bank continues to operate on a business-as-usual basis and must set out how the bank will, from the day of being subject to statutory management or separated from its foreign banking group and, if necessary, indefinitely thereafter:
  (a) execute its clearing, settlement and payment obligations;
  (b) monitor and manage its financial risk positions;
  (c) manage the operational responsibilities for the separation;
  (d) ensure parallel rights for the New Zealand bank are available for functions outsourced through the parent or a related party;
  (e) set out robust alternative arrangements for operating systems that are owned or controlled by a related party;
  (f) set out how the back-up capability will be activated, including the timeframes for doing so; and
  (g) set out how the bank will meet the outcomes of the outsourcing policy.

(2) The separation plan must also set out how the processes to deliver the outcomes (a)-(e) referred to in 3.2(2) will be completed from the point of separation from its parent to the point the outcomes are attained on a standalone basis. The plan should include:
  a. which staff positions are responsible for taking these actions, including a clear chain of command and a communications plan;
  b. the relevant timeframes under which the separation and transition will be undertaken; and
  c. the technology and other resource needs.

(3) In preparing its separation plan, a bank must prepare for an abrupt loss of access to functions provided by the parent and related parties for an indefinite period. While a bank may have contractual arrangements in place for parents and related parties to provide transition services in the event of separation, these contracts should not be relied upon for the purposes of the separation plan. However, banks may continue to rely on contractual arrangements that are in substance unaffected by the separation.

(4) The Reserve Bank may issue additional guidance to banks on how to produce separation plans which sufficiently detail how the outcomes (a)-(e), referred to in 3.2(2) would be achieved.

10.3 Separation plans to require Reserve Bank non-objection

(1) Banks required to have a separation plan must receive Reserve Bank non-objection to their specific separation plan before it can be finalised.

(2) A bank may only submit a draft separation plan for Reserve Bank non-objection after it has been approved by the senior management and board of the bank.

(3) The Reserve Bank may require changes to the separation plan before it issues a non-objection. The outcomes (a)-(e) referred to in 3.2(2) will inform any decision by the Reserve Bank to require changes to a separation plan before issuing a non-objection.

(4) It is the responsibility of the bank to ensure the separation plan is compliant. A notice of non-objection does not guarantee that the separation plan complies with the Reserve Bank’s outsourcing policy.

Guidance: Any notice of non-objection from the Reserve Bank to a bank’s separation plan is made on the basis of information a bank provides to the Reserve Bank. A notice of non-objection does not constitute a safe-harbour. It is the bank’s responsibility to ensure a separation plan is compliant with the policy and continues to be so.

(5) A bank must report all changes to its separation plan to the Reserve Bank. If the Reserve Bank considers a change to be sufficiently material the bank will be required to seek Reserve Bank non-objection to the revised plan.

(6) The Reserve Bank may review a bank’s separation plans at any time and may decide to require the bank to make changes to its separation plan. In such a case, the bank must submit a draft of a revised separation plan as per the process in 10.3(2)-10.3(3).

10.4 Separation plans to be tested annually

(1) A bank required to have a separation plan must test that the plan works as intended on at least an annual basis.

(2) The results from the separation plan test are required to be reported back to the bank’s supervisor within [4] weeks of completion of the test.

(3) If a bank identifies any impediments during the test it must advise the Reserve Bank within 24 hours of the impediment being identified.

(4) Separation plans must be included within scope of the external reviews of a bank’s compliance with the outsourcing review as set out in 11.3-11.4 and 12.1-12.2.

11 Path to compliance and external review

11.1 Arrangements entered into before the revised outsourcing policy was in place

(1) All of a bank’s outsourcing arrangements must be compliant with this policy no later than [five years after the revised CoRs are put in place].

11.2 Planning for compliance

(1) The five year transition period is inclusive of any time a bank takes in planning its path to compliance and reaching an agreement with the Reserve Bank on such a plan.

Guidance: Banks are expected to have reached agreement with their supervisor on their plan to compliance within 6 months from the date of the new outsourcing policy becoming a condition of registration.

11.3 External review over the first five years

(1) During the five year transitional path a bank must obtain an annual independent external review to assess whether the bank is meeting the agreed timeframes for the path to compliance with the policy (refer 11.2).

11.4 Terms of appointment for the external review

(1) The Reserve Bank must approve the person nominated by a bank to carry out an independent external review and their terms of appointment. The bank will pay for the review.

(2) The external review will review that a bank is meeting the timeframes agreed to with the Reserve Bank. It will also review arrangements that have been amended in line with the process outlined in this document.

Guidance: Where a bank is not meeting the agreed timeframe for compliance the Reserve Bank will likely take supervisory action.

12 Three-yearly external review following the transition path to compliance

12.1 Three-yearly review

(1) After a bank is required to fully comply with its conditions of registration under this policy the bank will have its compliance with this policy externally reviewed no later than once every three years since the last review was undertaken.

12.2 Terms of appointment for the external review

(1) A bank must obtain the Reserve Bank’s approval of its independent reviewer and the terms of reference of the review.

(2) The external review will be paid for by the bank.

(3) The external review will review the bank and its arrangements to ensure that they are compliant with the policy.

12.3 Action following non-compliance

(1) If any outsourcing arrangement entered into by a bank fails to comply with the requirements of this policy, the Reserve Bank will require the bank to amend the terms of the arrangement to achieve compliance and may, if necessary, take enforcement action against the bank to ensure compliance.

Appendix I: Conditions of registration

I.1 Conditions of registration

(1) Locally incorporated banks whose net liabilities exceed $10 billion are ordinarily subject to a condition of registration relating to outsourcing arrangements. That condition is:
(a) That the registered bank has the legal and practical ability to comply with the Reserve Bank of New Zealand document “Outsourcing Policy for Registered Banks” (BS11) dated [xx] 2017.

(2) In addition, banks subject to the condition of registration in I.1(a) are generally subject to a condition of registration regarding accountability:
(a) That the business and affairs of the bank are managed by, or under the direction or supervision of, the board of the bank;
(b) That the employment contract of the chief executive officer of the bank or person in an equivalent position (together “CEO”) is with the bank, and the terms and conditions of the CEO’s employment agreement are determined by, and any decisions relating to the employment or termination of employment of the CEO are made by, the board of the bank; and
(c) That all staff employed by the bank have their remuneration determined by (or under the delegated authority of) the board or the CEO of the bank and are accountable (directly or indirectly) to the CEO of the bank.

(3) Furthermore, banks subject to the condition of registration in I.1(a) will also generally be subject to a condition of registration regarding their compendium of outsourced arrangements. This condition of registration will be: That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular –
(a) Arrangements for the compendium to be updated within 20 working days of an outsourcing arrangement being effective; and
(b) An annual review of the compendium is to be completed by the bank’s internal audit function to ensure that it is up to date.

Guidance: The condition of registration relating to the compendium is intended to focus on the process that a bank uses for managing the updating of its compendium. On this basis, not meeting the timeframe for four or fewer arrangements within a 12 month period is unlikely to be a breach of this condition of registration. However, any more than that would likely mean that a bank’s processes are not sufficiently robust and would likely be a breach of the condition of registration.

(4) Banks subject to the condition of registration in I.1(a) that are also part of a foreign-owned banking group will also generally be subject to a condition of registration requiring them to have a separation plan. This condition of registration will be:
(a) That the bank has a separation plan that is up-to-date and that meets the requirements set out for separation plans in the Reserve Bank of New Zealand document “Outsourcing policy for registered banks” (BS11) dated [XX] 2017.

(2) Although the Reserve Bank will generally seek to impose standard conditions of registration regarding outsourcing arrangements uniformly on all banks subject to the outsourcing policy, the Reserve Bank may impose a non-standard condition of registration on a bank where special circumstances apply.

Appendix II – application template for engagement with Reserve Bank

  1. Description of the function proposed to be outsourced
  2. Description of the service/system proposed to be outsourced, including:
     a. Name of the service provider
     b. Location(s) of the service provider
     c. Duration of the arrangement
     d. Expected timeframe for implementation of the arrangement
     e. If the supplier is the parent or a related party of the parent, whether the service/system is proposed to be outsourced by that party
     f. What other functions have been outsourced to the service provider
  3. Impact of disruption: In the event that the supplier becomes unable to deliver the required service/system, either on a temporary or permanent basis, provide a high-level description of the potential impact on the bank’s business operations.
  4. Controls: Describe any control measures that would help the supplier deliver the required service/system in accordance with the requirements of the bank.
  5. Substitutability: Is the service substitutable, i.e. are there other ways/mechanisms to provide a similar service to customers? Please provide an explanation. In the event that the supplier becomes unable to deliver the agreed service/system, what alternative arrangements are available and for how long can they be deployed, i.e. are they available on a permanent or temporary basis?
  6. Date of internal sign-off and level, i.e. Board, Board delegate, etc. (name and position). The proposal is required to have received internal sign-off in line with the bank’s internal processes before Reserve Bank non-objection is sought.
  7. If the proposed arrangement is with the parent or a related party of the parent, outline how the separation plan has been considered
  8. Outline why you think the proposal is compliant with the outsourcing policy
  9. Does the proposal contain the required contractual arrangements outlined in the policy?