New Zealand Bankers Association Submission on RBNZ Consultation Paper Regarding Bank Breach Reporting

NEW ZEALAND BANKERS ASSOCIATION Level 15, 80 The Terrace, PO Box 3043, Wellington 6140, New Zealand TELEPHONE +64 4 802 3358 EMAIL nzba@nzba.org.nz WEB www.nzba.org.nz Submission to the Reserve Bank of New Zealand on the Consultation paper: Public and private reporting by banks of breaches of regulatory requirements, with consideration of materiality 14 December 2018

2 About NZBA

1. NZBA works on behalf of the New Zealand banking industry in conjunction with its member banks. NZBA develops and promotes policy outcomes that contribute to a strong and stable banking system that benefits New Zealanders and the New Zealand economy.
2. The following seventeen registered banks in New Zealand are members of NZBA:  ANZ Bank New Zealand Limited  ASB Bank Limited  Bank of China (NZ) Limited  Bank of New Zealand  MUFG Bank, Ltd  China Construction Bank  Citibank, N.A.  The Co-operative Bank Limited  Heartland Bank Limited  The Hongkong and Shanghai Banking Corporation Limited  Industrial and Commercial Bank of China (New Zealand) Limited  JPMorgan Chase Bank, N.A.  Kiwibank Limited  Rabobank New Zealand Limited  SBS Bank  TSB Bank Limited  Westpac New Zealand Limited Background
3. NZBA welcomes the opportunity to provide feedback to the Reserve Bank of New Zealand (RBNZ) on its consultation paper Public and private reporting by banks of breaches of regulatory requirements, with consideration of materiality (Consultation Paper). NZBA commends the work that has gone into developing the Consultation Paper.
4. If you would like to discuss any aspect of the submission further, please contact:

3 Introduction 5. NZBA supports the work undertaken by RBNZ to address concerns of the banks and their directors regarding the effectiveness of the current breach1 reporting regime. Overall, NZBA agrees with RBNZ that there are good grounds for introducing a materiality threshold in relation to bank disclosures, and broadly supports Option 2, subject to the specific comments in this submission. 6. NZBA also acknowledges RBNZ’s recently proposed amendments to the Conditions of Registration (CoRs) in relation to capital requirements, which will remove some of the current difficulties in disclosing potential minor or trivial breaches that have no bearing on a bank's prudential soundness. NZBA attaches as Schedule 1 some further comments on the framing of the CoRs to reduce the scope for minor or trivial breaches to arise. Specific responses to Consultation Paper Proposed changes to reporting and publishing of breaches (i) Section 93 Notice 7. Based on discussions with members, we consider that the current informal notification approach with RBNZ is working well and facilitates open and early dialogue about potential or actual issues, as well as creating an opportunity to build trust between individual supervisors and their banks. 8. Notwithstanding the above, NZBA acknowledges the desire by RBNZ to impose a formal reporting requirement on every registered bank under s 93 of the Reserve Bank of New Zealand Act 1989 (Act) with respect to breaches of CoRs and was well-signalled in potential policy decisions following the Regulatory Stocktake in 2015. 9. NZBA is comfortable that the proposed mechanism for breach reporting via the s 93 notice as specified in Appendix 1 of the Consultation Paper is appropriate, provided it is amended so that it only applies to material breaches of CoRs and s 80 notice requirements. NZBA and its members consider that the current approach to notifying RBNZ of breaches of Orders in Council (OiC) made under s 81 of the Act operates well. NZBA's preference is for OiCs to be left to operate in parallel with the proposed s 93 notice for CoRs and s 80 notices. 10. NZBA's proposed wording for the materiality threshold of the s 93 notice is set out in Appendix 1 to this submission and aligns with the wording used in the analogous Financial Markets Conduct Act 2013 (FMCA) section. 11. The rationale for this materiality amendment is set out below. (a) The inclusion of a materiality threshold is consistent with breach reporting requirements specified in s 412(2) of the FMCA, which we understand has been used as the basis for the inclusion of the “likely to” wording in the proposed s 93 notice.

1 For the purposes of this submission, unless specified otherwise, a “breach” refers to situations where a bank has become aware of information that leads it to form a belief (or reasonably ought to have led it to form a belief) that it has breached, may have breached, or is likely to breach i) a condition of registration imposed under Section 74; ii) a notice issued under section 80; or iii) an Order in Council (OiC) made under section 81.

4 (b) Given the potential for criminal liability to be imposed for a s 93 breach, banks will therefore be very risk averse in both reporting and verifying the contents of reports, substantially increasing the compliance burden. This may also have the unintended consequence of banks delaying the more informal, very early discussions in relation to potential breaches until they have all relevant information, in case this puts them in breach of the s 93 notice requirements. (c) Without a materiality threshold, banks are liable for potential criminal sanctions for failing to notify insignificant breaches. While banks will maintain processes designed to ensure that all breaches, regardless of materiality, are identified and can be notified and disclosed, imposing the risk of criminal sanctions for insignificant breaches is inconsistent with the purpose of the power given to RBNZ under s 93. It is also inconsistent with underlying rationale given by RBNZ for the consultation, namely to recognise the importance of focusing on materiality in breach reporting and disclosure. 12. NZBA acknowledges that RBNZ has raised concerns during the consultation process that by restricting the notice to material breaches only, banks might no longer discuss what they have deemed to be immaterial breaches with RBNZ. We understand the main concern is that if banks and their directors form a view that a particular matter is not material, the breach may remain invisible to RBNZ. This is particularly relevant for potentially borderline material breaches where RBNZ may have a different view than bank directors of whether the breach is material. 13. Although we consider the current process whereby banks engage in early dialogue with RBNZ is working well, RBNZ should first consider mechanisms other than a s 93 notice to provide it with additional assurances that the current process of early discussion of all breaches, including minor or trivial ones, will continue, such as: (a) amending BS1 to expand the section setting out RBNZ's policy on breaches of CoRs and s 80 requirements to include its expectations of banks to report all breaches in a timely manner and advising that banks that don't could be served with a s 93 notice requiring them to disclose all breaches; or (b) publishing a separate policy setting out its expectations around engagement on non-material breaches including open and early dialogue between banks and itself in accordance with the Relationship Charter expectations of honest communications in a timely manner. (ii) Section 93 definitions 14. NZBA notes that notification of a breach by a bank to RBNZ under the section 93 notice is triggered where the bank becomes “aware” of the information. There are a number of ways this could be interpreted. However, the NZBA suggests that the most likely interpretation is that banks will be taken to be "aware" once senior managers (as defined in FMCA) have "actual knowledge of the facts which give rise to the need for disclosure". This is the test used in a recent Australian case when determining accessory liability.2

2 Gore v Australian Securities and Investments Commission [2017] FCAFC 13.

5 (iii) Publication 15. NZBA supports RBNZ’s proposal that material “actual” breaches of: (a) a condition of registration imposed under s 74; or (b) a notice issued s section 80; are published on RBNZ’s website, in order to facilitate more timely disclosure and provide a central repository for users of bank breach disclosure information. 16. However, we differ from RBNZ with respect to the determination of the wording for publication of the breach on the website. NZBA considers that banks should retain the responsibility for the content of disclosure notices with respect to breaches to the public via RBNZ’s website, in the same way as they are currently responsible for the content of their Disclosure Statement. NZBA strongly submits that a change to this responsibility would undermine the core pillar of self-discipline and ownership and accountability of the breach itself. 17. In practice, banks will liaise with RBNZ with respect to the final wording (in the same way as currently) but ultimately it should be up to banks to explain their material breaches to the public. As discussed at [59]-[63] of the Consultation Paper, the need for congruence between s 93 disclosure and Disclosure Statement requirements would mean RBNZ was in effect dictating the language directors will ultimately insert into their Disclosure Statements. This, in NZBA's opinion is inconsistent with RBNZ's philosophy on the importance of self-discipline. 18. That does not preclude RBNZ from including in the notification template guidance on the aspects of a breach they consider should be included in the disclosure wording. Also, in order to facilitate the timely notification of actual breaches to RBNZ, we propose that banks have up to 10 working days to provide RBNZ with the proposed wording for the website, following notification of the actual breach via the template to RBNZ. Mark-ups to the notification template which reflect these matters are included in Appendix 2 to this submission. 19. NZBA is comfortable with a central repository of confirmed breaches of the last five years being publicly available if it includes only material breaches. 20. In addition, NZBA notes that the proposal does not address the remediation of breaches. Users of the website may not be aware that published breaches, which would remain on the website for five years, have been remedied. NZBA recommends that banks should be able to annotate the disclose register website entries with information about remediation of the breach and consideration needs to be given to a mechanism to implement this. NZBA has made amendments to the draft RBNZ webpage accordingly – see Appendix 3 below. Proposed changes to materiality (i) Materiality thresholds 21. In terms of assessing materiality, NZBA understands why RBNZ cannot set prescriptive standards but we believe some guidance would be helpful. Ideally, there would be a further round of consultation specifically on factors affecting materiality. We set out a high-level summary of our initial position below.

6 22. NZBA agrees with the following factors for assessing materiality set out in [56] of the Consultation Paper: (a) The impact of the breach on the bank's ability to carry on business in a prudent manner. (c) The value to users of disclosure information or the general public of knowing about the breach. (d) How long the breach lasted (if already remedied), or is expected to continue. 23. In NZBA's opinion, the rest of the matters set out in [56] (b), (e), and (f) go more towards assessing the appropriate consequence for a breach, as opposed to assessing the materiality of the breach itself. NZBA believes that [56] (g) "the opinion of the banks' directors on whether the breach is material" is circular and not necessary given the other factors. 24. NZBA's position is that the criteria for assessing materiality should be directly linked to the purpose of disclosure, namely to enable market discipline. The pillar of market discipline relies on users of disclosure, being depositors and potential investors, monitoring the financial soundness of banks because they are taking a credit risk on the bank, and therefore have a financial interest in doing so. There is a consensus that the market requires "clear, concise and effective communication". This is the approach of the Financial Markets Authority (FMA) and is equally applicable to depositors and potential investors in banks. NZBA considers that what is (or would be deemed) material to depositors and potential investors should be the standard against which disclosure requirements are measured. We attach as Schedule 2 a discussion on the broader purpose of disclosure. 25. NZBA also believes that materiality should be considered both in the context of the specific breach, and also in the broader context of the purpose of CoRs and disclosure. Accordingly, NZBA suggests the following criteria should be added to the proposed materiality guidance: (a) Whether the breach is an isolated incident, or part of a recurring pattern of breaches in relation to a matter that is of the same nature. (b) The impact the breach had/has on potential investors and depositors of the bank. (c) The extent to which the breach or likely breach indicates that the bank’s arrangements to ensure compliance with the CoRs are inadequate. (d) Any matter which could have a significant adverse impact on the bank’s reputation. (e) Any matter in respect of the bank which could result in serious financial consequences to the NZ financial system or to other banks. (f) Reference to accounting standards, listing obligations and other relevant regulators' breach reporting guidelines. (g) The nature of the underlying CoR breached (whether it is narrow and objective, or a broader subjective requirement).

7 (ii) Judgement as to materiality 26. Banks and their boards should form a view as to whether breaches of CoRs and s 80 requirements are material or not, taking into account the published guidance described above, and disclose accordingly. This approach aligns with the principles of self-discipline and market discipline. 27. For non-material/trivial breaches (which banks will continue to report informally) RBNZ will be able to form its own opinion. We expect that only in the rarest of cases would the parties fail to reach an agreed position. In the very unlikely event that RBNZ and a bank cannot agree, RBNZ as the enforcement agency can formally pursue the matter if it wishes to. 28. This approach is also consistent with directors’ duties in relation to market disclosures generally. For example, NZX does not pre-approve market disclosures. Rather, directors’ judgment is relied on in making market disclosures. As discussed above at 16, banks would prefer a similar system of notifying RBNZ of breaches, and drafting the public disclosure notice themselves as the content of the notice will often be fact-specific. RBNZ can always take disciplinary steps if a bank fails to disclose adequately, and retains a residual discretion to take the view that a breach was material, even if the bank has reached the opposite view. This disconnect can be tested by RBNZ suggesting that the bank has not complied with its Disclosure Statement OiC obligations or by bringing enforcement action. (iii) Practical impact on directors' time 29. NZBA does not anticipate that the proposal as currently drafted will materially lessen the obligations and timing requirements for directors. It is likely that directors will spend more time than they do now considering breach notifications. That is because of the proposed requirement to report all actual and potential breaches formally, regardless of their materiality, and the risk of criminal liability for the bank for a s 93 breach. 30. Under option 2, directors will still be required to oversee the reporting of all breaches of CoRs and s 80 requirements. This will be followed by a secondary process of drafting the publication notice. Boards treat the internal consideration of breaches, as well as their public disclosure, as equally important. (iv) Amendments to director attestations 31. NZBA supports the recommended change to directors’ attestations and believes it is consistent with a philosophy of clear, concise and effective disclosure. 32. However, the attestation as currently drafted ("materially complied with all CoRs") appears to relate to aggregate compliance in a material respect with all CoRs, rather than material compliance with each CoR. RBNZ may like to consider whether its intent would be better reflected by amending the attestation wording to "materially complied with each CoR". (v) Timeframe of changes 33. NZBA members generally support option (a) at [92] of the Consultation Paper, conditional on the materiality threshold being included because it is preferable to have formal reporting and disclosures aligned. However, this may be challenging

8 because it will require a quick turnaround, and banks may need more time for implementation if the outcome is that all breaches are reported via s 93. 34. Under this option, consistent with our submission at paragraph [28], banks (rather than RBNZ) would retrospectively determine whether any of the previously disclosed breaches in the financial year prior to the implementation of the website breach reporting are material (and therefore include these in subsequent Disclosure Statements for that year). (vi) Further discussion of specific basis point tolerance thresholds 35. In response to Question 10 of the Consultation Paper, NZBA supports the provision of explicit thresholds for important numbers, with a tiered response for different scaled errors, and agrees this is of secondary importance to a) revision of the CoRs and b) in the alternative, a materiality threshold for breach notification and disclosure. (vii) Specific amendments to Appendices 36. NZBA attaches as Appendix 1, 2 and 3 to this submission marked-up copies of the Consultation Paper's Appendices and annexures with comments.

9 Schedule 1 – Further comments on Conditions of Registration 37. We note that RBNZ has identified a number of broad examples of CoRs which lend themselves to being breached in a minor or trivial way. Since the Consultation Paper was published RBNZ has proposed amendments to one of the most problematic, namely "complies[ng] with all requirements" set out in BS2B. These amendments go some way towards removing the current difficulties in disclosing potential minor or trivial breaches by focusing banks' attention on the most crucial requirements for registration and prudential soundness for banks subject to both BS2A and BS2B. 38. We would welcome further revisions to other CoRs identified by RBNZ in the Consultation Paper (eg increasing flexibility with respect to 50% of board of directors counting as independent, as suggested) and also to others that have the potential to lead to minor, technical breaches. We highlight in particular those that reference single RBNZ policies within The Banking Supervision Handbook (including BS13 and BS11). 39. Notwithstanding RBNZ's comments on the Outsourcing Policy condition (BS11) there is, in NZBA's opinion, also a risk of uncertainty regarding how minor breaches of the policy should be dealt with given the condition requires compliance with all of the policy, which runs to 27 pages. 40. RBNZ should review the standard CoRs with a view to identifying those where a materiality threshold could be introduced, without compromising the purpose of the relevant conditions, as a matter of priority. To do so would be consistent with RBNZ's comments in relation to the BS11 condition that "the policy is intended to ensure that no single minor event should cause a breach of policy". Furthermore, there are already conditions that include some materiality thresholds (eg on non￾financial activities and offshore activities) and so to introduce materiality into other conditions is consistent with this established approach.

10 Schedule 2 – The purpose of disclosure

1. As noted previously, NZBA believes that the current regime of publicly disclosing all breaches only serves to confuse potential investors and depositors. In practice, banks are disclosing minor technical breaches in public disclosure documents. That then leaves the media and public with the task of differentiating whether the breach is trivial or minor or not. This is particularly difficult to do without a high level of expertise in New Zealand's prudential regulation and how it differs from disclosure required under other domestic and international regimes.
2. The starting point should be an analysis of why New Zealand bank disclosure needs to be more detailed than what is required under other regimes and, in particular, from the disclosure required by New Zealand's conduct regulation or other prudential regulators in countries with similar legal systems. Analogous New Zealand disclosure regimes
3. A high-level analysis of the FMCA regime and the new NZX Listing Rules (dated 1 January 2019) reveals that the New Zealand regime of prudential regulation has set the disclosure threshold for banks at such a level that issues are being disclosed which are so minor that there would be no analogous disclosure requirements on banks if they were listed on New Zealand's equity markets. In effect, disclosure to depositors is much more detailed than would be required for shareholders. It is difficult to see a justification for this unless RBNZ believes that moral hazard can be avoided if all information it has is also reported to the market (something which seems inconsistent with the current approach of other regulators).
4. A core tenet of the FMA's approach to market discipline is that disclosure should be clear, concise and effective. This is to benefit the market and prevent investors from being saturated with information and consequently disengaging. A requirement to disclose trivial breaches is inconsistent with this.
5. Accordingly, NZBA believes that only material breaches should be disclosed (if non￾material breaches can't be eliminated) and agrees non-material breaches should not be put on a disclosure register because to do so is consistent with an approach of clear, concise and effective disclosure.
6. By way of an example, the FMCA requires certain financial market services to be licensed by the FMA, including managers of managed investment schemes, independent trustees of restricted scheme, DIMS providers and regulated derivatives issuers (together licensees). Licensees must report to the FMA if "they have, or may have, contravened, or are likely to contravene, a licence obligation in a material respect". Accordingly, NZBA notes that the FMCA imposes a materiality threshold before disclosure is required.
7. Failure to comply with an obligation to report to the FMA gives rise to civil liability, including a pecuniary penalty not exceeding $200,000 in the case of an individual or $600,000 in any other case. A report provided by a licensee pursuant to this obligation is not admissible as evidence against it in a criminal proceeding, unless it is a proceeding concerning the falsity of the report.
8. We believe RBNZ should look to align its approach with the FMCA.

11 Appendix 1 – Suggested changes to proposed section 93 notice [Date and address] Dear [CEO name to add] New breach reporting requirements As you will be aware, the requirement for registered banks to prepare off-quarter disclosure statements was removed from 31 March 2018. A consequence of this change is that any breaches of conditions of registration by a registered bank are now only published in disclosure statements on a six monthly basis. To compensate for this change, and to formalise existing arrangements around the private reporting of breaches to the Reserve Bank, we are issuing all registered banks with a notice under section 93 of the Reserve Bank of New Zealand Act 1989 requiring them to provide information on any breaches of prudential requirements, and certain related matters. This letter therefore gives you notice under section 93 of the Reserve Bank of New Zealand Act 1989 of the requirement to provide information on these matters. Notice under Section 93 Reserve Bank of New Zealand Act 1989 If [bank name to add] becomes aware of information that leads it to form a belief (or reasonably ought to have led it to form a belief) that it has breached, may have breached, or is likely to breach a specified requirement in a material respect [Drafting note: This is the language used in section 412(2) of the FMCA] at any time from [1 April 2019] onwards, [bank name to add] must provide the Reserve Bank with a completed version of the template contained in the Annex to this letter as soon as practicable. For these purposes, “specified requirement” means a requirement set out in any of the following instruments made under the Reserve Bank of New Zealand Act 1989:  A condition of registration imposed under Section 74; or  A notice issued under section 80.; or  An Order in Council made under section 81. [Drafting note: See our submission at paragraph [9]] Under the Reserve Bank of New Zealand Act information collected pursuant to this notice is confidential to the Reserve Bank and may only be disclosed outside the Reserve Bank in the circumstances listed in section 105 of the Act. Section 105(2)(d) of the Act permits the Reserve Bank to disclose this information for the purposes of, or in connection with, the exercise of powers under the Act. The Reserve Bank may publish confirmed breaches of prudential requirements on its website under section 105(2)(d). If you have any further questions regarding this request, please contact [name and contact details to add]. Yours sincerely [name to add] Senior Manager Supervision

NEW ZEALAND BANKERS ASSOCIATION Level 15, 80 The Terrace, PO Box 3043, Wellington 6140, New Zealand TELEPHONE +64 4 802 3358 EMAIL nzba@nzba.org.nz WEB www.nzba.org.nz Appendix 2 – Annex to s 93 notice, suggested changes to template for notifying RBNZ Bank Contact Details Type of breach Nature of breach Category of breach Date of actual or potential breach Date bank became aware of breach Bank directors when the breach occurred View on materiality Remediation plan Name, position and contact details of the person completing the form Identify type of breach – has occurred / may have occurred / will likely occur [Drafting note: Proposed addition.] CoR or credit rating? Nature and impact of the breach. Note: where possible, please include information on the scale of the breach, e.g. dollar amount involved, number of customers affected. How was the breach identified?

• Capital
• Liquidity
• Loan to Value restrictions
• Governance
• Credit ratings
• Outsourcing
• Connected exposures
• Open bank resolution
• Other Date or date range of when the breach occurred / may have occurred / will likely occur Date the bank became aware of the breach [Drafting note: See discussion of meaning of "aware" above at 14.] Directors of the registered bank during the period that the breach of prudential requirement/s occurred [Drafting note: Delete as information available elsewhere and may span a period where directors change.] Whether or not, in the opinion of the directors, the breach was material. [Drafting note: Not required for s 93 notice which must be material.] Remediation actions already undertaken by the registered bank and / or proposed actions to rectify the breach. Note: The bank may wish to leave this section blank if the bank has not yet formed a remediation plan.

2 Appendix 3 – Suggested changes to draft RBNZ webpage [NZBA recommends that this be completed by the bank within 10 working days of providing the above notice to RBNZ.] Bank Nature of breach Category of breach Date the breach occurred Date bank became aware of the breach Date the breach was confirmed by RBNZ Bank directors when the breach occurred Additional Information CoR breach or credit rating breach? What is the nature and impact of the breach? How was the breach identified? [Drafting note: We query whether this is of assistance to the public]

• Capital
• Liquidity
• Loan to Value restrictions
• Governance
• Credit ratings
• Outsourcing
• Connected exposures
• Open bank resolution
• Other Date or date range of when the breach occurred Date the bank became aware of the breach [Drafting note: See discussion of meaning of "aware" above at 14] Date that RBNZ confirmed that the bank has breached its prudential requirement/s [Drafting note: Delete as not relevant] Directors of the registered bank during the period that the breach of prudential requirement/s occurred [Drafting note: Delete as information available elsewhere and may span a period where directors change] Any public action taken by RBNZ in response to the bank’s breach [to be filled out by RBNZ] Describe steps taken to remedy breach [Drafting note: Necessary to be able to amend this later as this notice will be published on the website for 5 years]