Draft consultation paper on the review of the outsourcing policy for registered banks

Consultation paper: Review of the outsourcing policy for registered banks The Reserve Bank invites submissions on this consultation paper by 4 December 2015 Submissions and enquiries about the consultation should be addressed to: Victoria Learmonth Prudential Supervision Department PO Box 2498 Wellington 6140 Email: Victoria.Learmonth@rbnz.govt.nz Please note that a summary of submissions may be published. If you think any part of your submission should properly be withheld on the grounds of commercial sensitivity, or for any other reason, you should indicate this clearly. 26 August 2015

2 Introduction

1. This paper discusses the Reserve Bank of New Zealand’s (Reserve Bank) proposed revision to the outsourcing by banks registered under the Reserve Bank of New Zealand Act 1989 (the RBNZ Act). The review follows a stocktake of Large Banks’1 compliance with the existing outsourcing policy.
2. The Reserve Bank requests that all submissions be filled in using the template in appendix four and sent in electronic form. A Word version of the appendix is available. Background
3. The Bank first consulted on an outsourcing policy in October 2004, with the final version of the policy (BS11) being released in January 2006. The original policy development noted the growth of outsourcing in the banking sector globally, and highlighted the particular risks developing in New Zealand as a result of the high proportion of the system being owned by off-shore parent banks, meaning that the extent of outsourcing was much greater than in most other countries.
4. The current outsourcing policy adopts an outcomes-focused approach that sets out a range of outcomes that banks need to be able to deliver on an on-going basis. It currently applies to any locally incorporated bank whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion (Large Bank).
5. Section 68 of the Reserve Bank of New Zealand Act 1989 (the Act) requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: a. Promoting the maintenance of a sound and efficient financial system; or b. Avoiding significant damage to the financial system that could result from the failure of a registered bank.
6. BS11 pursues both these purposes by requiring that a Large Bank’s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank. The current outcomes focus on the provision of liquidity to the financial system.
7. The development of BS11 took place against the backdrop of a number of other material policy developments, including the local incorporation policy and the consideration of the Basel II IRB approach. Significant work had been undertaken on the development of Bank Creditor Recapitalisation (BCR) (the forerunner to the Open Bank Resolution policy (OBR2 )). The outsourcing policy and the local incorporation policy were both linked to a desire to strengthen the Reserve Bank’s ability to respond 1 A locally incorporated bank whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion. 2 While the paper specifically refers to OBR, the application of the policy is relevant for crisis management options in general.

3 to a failure. However, the outsourcing policy is not just focused on the ability to manage failure, but also about standard outsourcing concerns, including ensuring that outsourcing arrangements are robust in limiting the potential impact on the bank or the wider financial system from supplier failure or where the supplier fails to provide an adequate service. 8. OBR pre-positioning was implemented on 1 July 2013 and applies to all locally￾incorporated registered banks whose retail deposits are in excess of $1 billion. OBR is a mechanism for providing bank customers continued access to liquidity and banking services after bank failure. Pre-positioning means having the IT, payments, resource and process functionality in place ahead of a crisis, such that should a bank enter into statutory management, access channels can be closed, a portion of customer funds can be frozen, and access channels can be reopened for business by no later than 9am the next business day enabling customers to have access to the available or good portion of their funds. 9. In recognition that it is good practice to carry out periodic reviews to ensure that prudential policies remain appropriate, the Reserve Bank is undertaking a review of the current outsourcing policy. This process follows a stocktake of Large Banks’ outsourcing activities conducted in 2014. In conducting the review, the Reserve Bank is undertaking a full review of the existing policy, including whether the current scope of the policy remains appropriate, whether the definition of 'core function' should be retained, and what legal and practical controls banks should have over their outsourced functions. The Reserve Bank will also consider whether there should be a definition of “outsourcing”, whether the threshold for Large Banks and the framework for the policy remain fit for purpose, and whether the process for engagement between banks and the Reserve Bank should be changed. 10. The Reserve Bank wishes to stress that the intention of the policy review and the proposed policy amendments and clarifications is not to stop banks from entering into outsourcing arrangements, but to manage any wider risks that may arise from outsourcing particular functions. Outsourcing can not only bring about cost reductions, but can also provide efficiency gains both through the use of pooled buying power, as well as allowing banks to focus on their core business. Problem definition What issues are we concerned about? 11. The basis for any prudential intervention ultimately stems from section 68 of the Act, and the case for an outsourcing policy is no different. Section 68 of the Act requires that the Bank exercise its powers for the purposes of: a. Promoting the maintenance of a sound and efficient financial system; or b. Avoiding significant damage to the financial system that could result from the failure of a registered bank.

4 12. Outsourcing arrangements are relevant under the first leg of section 68 as they have the potential to affect the soundness of the system both through the potential to cause disruption by interrupting the provision of services, and through the potential to increase the risk of bank failure. However, there is a trade-off inherent within the first leg of section 68 between soundness and efficiency, and this is also reflected in the underlying tensions around outsourcing arrangements. It is important to remain conscious that outsourcing also opens up access to external cost savings and expertise that cannot be supported in-house, which can provide potential soundness and efficiency benefits for the system. 13. Indeed, there are a number of benefits associated with outsourcing. Most of them fall within the general category of efficiency improvements but they might also include quality enhancements. For example, it may be the case that an external provider, whether a third party or a parent company, can combine certain services across a number of entities and thereby provide those services at a lower cost than the individual bank located in New Zealand could. Not only would this produce cost savings for the New Zealand located bank, but it might also allow internal resources to be used more efficiently and avoid the need to invest in and maintain expensive infrastructure. Another benefit often associated with outsourcing is that it allows a company to focus on its core business, while drawing on the resources of an external provider whose core business it is to provide those outsourced functions. 14. In addition to these efficiency benefits, the external party might also be able to provide those services faster and to a higher standard, thus improving the quality of the service. An external party may also have access to newer technologies, which may also improve the quality of the service provided. 15. The Reserve Bank is very conscious of these benefits that New Zealand-based banks get from their outsourcing arrangements, including the benefits from being part of a larger foreign-owned banking group. In making the decision to outsource a particular function, however, a bank is likely to consider the costs and benefits that affect it directly, but not the impact the decision has on the wider financial system or the effectiveness and efficacy of resolution options 16. The importance of outsourcing is probably more clear-cut with respect to the second leg of section 68, which focuses on the costs of a failure once it occurs. Here there is a clear risk associated with outsourcing in that arrangements may frustrate attempts to manage the failure of a registered bank, with potential to increase costs both directly and through limiting flexibility and the range of exit options available. Is intervention by the Bank necessary? 17. For the Bank to have a justifiable case for supervisory intervention, it is not enough simply to identify potential areas of concern. There must also be a plausible argument that there is market failure. For a market failure to occur there needs to be a demonstrable risk that the incentives on individual institutions do not align with the broader public good. This is particularly relevant in the case of outsourcing, where it is

5 generally in the bank’s own self-interest to mitigate the risks of outsourcing arrangements. 18. At a high level, it is true to say that both banks and the Reserve Bank have to balance soundness and efficiency concerns when assessing the appropriate levels of outsourcing. However, the respective assessments have the potential to diverge given that banks will generally only take account of the potential impact on their own business, while the Reserve Bank has a broader systemic focus. 19. Under business-as-usual conditions for the banks, we can expect them to face strong incentives to adopt arrangements that are robust in limiting the potential impact on their profits or solvency from supplier failure or failure of the supplier to provide adequate service. However, there may still be a potential case for intervention under those circumstances for a number of reasons. First, the banks may not take sufficient account of the broader economic costs of service disruption (i.e. the economic cost may exceed reputational risk or direct cost to the bank). Second, there may be particular issues around concentration risk associated with a single supplier to many banks. In this scenario, economic costs could be substantial, but the direct cost on individual institutions may be limited as all or many banks would be affected, limiting the impact of reputational damage at the bank level. 20. These factors suggest that there is a potential market failure in managing outsourcing risks during business as usual operations. 21. A more obvious potential issue arises with respect to the impact of outsourcing arrangements during the failure of a bank. In this scenario, bank owners and managers have no incentive to ensure arrangements are robust at the point of failure as they are no longer in control of the institution following the failure. 22. In 2014 the Bank undertook a stocktake of Large Banks’ compliance with the outsourcing policy. The stocktake found that the banks’ interpretation and application of the outsourcing policy varied, and that there were interpretational differences as to what functions should be defined as “core”, what continuity planning in the event of the failure of the parent bank, and the effectiveness and sustainability of manual work￾arounds. 23. The stocktake also highlighted that, while the practical and legal controls in place are useful for an event involving a natural disaster or technology failure, it is not clear how banks would continue to operate under a stress event occasioned by a complete supplier failure or a bank failure. Additionally, there are a number of industry-wide issues such as consistency of treatment of common functions and / or common suppliers. High level problem definition 24. Having regard to the issues set out above, the potential problems arising from banks’ use of outsourcing broadly fall under three headings relating to threats to the section 68 objectives. These problems arise if banks outsource functions, but are not

6 adequately mitigating the risks that may arise from their arrangements, because the incentives on them are wrong (from a public policy perspective). The three broad problems are that: a. The outsourcing may increase the risk of a bank (or banks) failing, where that failure may cause significant damage to the system; b. The outsourcing may increase the risk that there will be problems resolving a bank if it fails resulting in significant damage to the financial system; and c. In the absence of any failure, the outsourcing may create issues that may undermine the maintenance of a sound and efficient financial system. 25. Paragraph (a) relates to concerns around vulnerability of banks to disruption in a crucial outsourced function that may increase the probability of the bank failing. This may arise through the failure of the service provider resulting in a material disruption to services, or through service provider error. Even if services are not disrupted, errors may expose banks to added reputational risk, loss of confidence or compensation claims. Extensive outsourcing can therefore lead to increased operational risk. 26. To be a problem, the potential damage would need to satisfy one of two conditions. First, the functions that are disrupted, or the costs incurred, would need to be sufficiently serious to threaten the bank’s survival to the extent that the soundness of the system was at risk. This feeds through into a consideration of what is material. Secondly, the failure itself would need to be sufficiently damaging to satisfy us that the ‘significant damage’ threshold in section 68(b) would be relevant. 27. Paragraph (b) relates to concerns that outsourcing arrangements may result in increased risk of problems for a bank in resolution. In particular, complex outsourcing arrangements may make it harder for a statutory manager to ensure continuity of outsourced functions, whether those are customer facing or internal (risk management). 28. Where a function is carried out by the parent, there may be an unwillingness on the part of the parent to continue providing the service following separation, or the parent may simply be unable to continue supplying the service. Also, where there are contracts with third parties that are in place at the group level, separation may leave the NZ subsidiary with no legal relationship with the third party service provider. 29. Whilst the OBR implementation process required contracts to be reviewed and amended to ensure services would continue under a statutory management, the reach of the OBR policy only extends to the functionality required under OBR. The key issue here is that OBR focuses on overnight processes and making unfrozen funds available to customers, and does not, itself, ensure that the business of the bank can continue. As a result, outsourcing of functions that materially impact on the ability of the statutory manager to continue operating the bank can make it harder for us to realise the full benefits of the OBR policy.

7 30. The focus of the outsourcing policy should be on maintaining functionality. This is consistent with the section 68 objectives. However, while we have a particular focus on outsourcing arrangements with or through the parent, we are also concerned about outsourcing arrangements in general. 31. Paragraph (c) refers to circumstances where disruption emanating from an outsourcing arrangement may undermine the maintenance of a sound and efficient financial system even in the absence of any failure of either banks or service providers. This may occur, for example, in circumstances where there is prolonged disruption to the payments system caused by a technology failure. This issue is also relevant when considering the concentration risk associated with a single supplier to many banks. Q1: Do you agree with the analysis of the problem? Do you agree that the issues identified in paragraph 21 appropriately identify the potential problems with the banks’ use of outsourcing? Issues and potential options Current objectives and outcomes 32. As discussed above, section 68 of the Act requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: a. promoting the maintenance of a sound and efficient financial system; or b. avoiding significant damage to the financial system that could result from the failure of a registered bank. 33. The way in which BS11 pursues these purposes is outlined in paragraph 5. 34. As discussed above, the stocktake of banks’ compliance with the outsourcing policy found variable application of the policy. The Current condition of registration for Large Banks states: “that the registered bank has legal and practical ability to control and execute any business, and any functions relating to any business, of the bank that are carried on by a person other than the bank, sufficient to achieve, under normal business conditions and in the event of stress or failure of the bank or of a service provider to the bank, the following outcomes: a. That the bank’s clearing and settlement obligations due on a day can be met on that day; b. That the bank’s financial risk positions on a day can be identified on that day; c. That the bank’s financial risk positions can be monitored and managed on the day following any failure and on subsequent days; and

8 d. That the bank’s existing customers can be given access to payments facilities on the day following any failure and on subsequent days. 35. The policy then provides a definition of the term legal and practical ability to control and sets out the Reserve Bank’s views on risk tolerance around the ability to meet the definition and execute outsourced functions. It does not identify any functions or processes that cannot be outsourced under any circumstances, and does not set explicit requirements for banks to engage with the Reserve Bank on any outsourcing proposals. Instead it requires banks to “satisfy” the Reserve Bank that the arrangements are adequate. 36. Banks currently outsource certain functions to the parent, but also to third parties via their parent banks. Both options create additional risks by increasing the potential for resolution to be frustrated. Where the function is carried out by the parent, there may be an unwillingness to continue supplying the service following separation, or the parent may be simply unable to continue supplying the service. Similarly, where contracts with third parties are in place at group level, separation may leave the subsidiary with no legal relationship with its service provider. Proposed revision to the objectives of the outsourcing policy 37. The outsourcing policy is outcomes-focused and provides banks with flexibility to satisfy the requirements in a cost-effective manner. At a high level, we consider that this remains broadly appropriate. However, the policy leaves a significant degree of responsibility on banks to manage their own compliance with the policy, and on supervisors to interpret the requirements. 38. The Reserve Bank’s prudential framework also places important emphasis on authorities having robust tools and processes in place to manage the failure of a registered bank and to mitigate the costs associated with any failure. Now that OBR is a live policy option, it is appropriate to reassess the outsourcing policy to ensure that the functions that it delivers are consistent with our objectives under the OBR policy, and that it does not unnecessarily constrain competition, innovation and efficiency. 39. In order to ensure consistency with the OBR policy the objectives of the outsourcing policy would need to ensure that the outsourcing did not compromise the ability of a bank to: a. Be effectively administered under statutory management for the purposes of maintaining the bank’s ability to continue to provide and circulate liquidity to the financial system and the wider economy; and b. Be in a position to enable any new owner of all or part of the bank to carry on the basic business of the bank. c. Address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank.

9 40. Objective (a) concerns how the bank will continue to provide and circulate liquidity to the financial system and economy if it were placed into statutory management. Particular outsourcing arrangements may make it harder for a statutory manager to ensure the continuity of functions that have been outsourced. 41. Objective (b) concerns the interest in a bank’s ability to carry on basic business following its transfer to new owners. This comes from a desire to maintain a range of viable exit strategies for authorities when seeking an exit from statutory management. 42. Objective (c) focuses on the bank’s ability to carry on business following the failure of a service provider. In assessing this objective, banks are expected to consider matters such as: a. The ability of the bank to bring the function back in-house or find a work-around; b. The impact on the ability of the bank to provide undertake basic banking functions; and c. The ability of the bank to meet regulatory and legal obligations. 43. However, these objectives should also be weighed against the efficiency, cost and risk-reduction advantages that outsourcing may provide. Q2: Without an outsourcing policy how would you propose that a failure is managed? Q3: Do you agree that the current outcomes-focus should be retained? Q4: Do you agree that changing the objectives to focus more on resolution is right? Proposed revision to the required outcomes from outsourcing policy 44. Given that the outsourcing policy operates as part of a package with OBR, it needs to support the objectives of OBR and the outcomes required need to support a statutory manager to ensure that there are a range of exit options available, including the ability for the bank to continue its operations in some form. 45. As noted earlier in the paper, in 2014 the Bank undertook a stocktake of Large Banks’ compliance with the outsourcing policy. The stocktake found that the banks’ interpretations of what functions should be defined as “core” for the purposes of the policy varied. 46. The stocktake also highlighted that Large Banks tended to focus on business continuity involving a natural disaster or technology failure so, while the practical and legal controls in place are useful for these types of events, it is not clear how banks would continue to operate under a stress event occasioned by a complete supplier failure or a bank failure. 47. In order to ensure that the objectives of OBR can be fully realised, it is important that banks have robust alternative arrangements that are able to be undertaken on an on-

10 going basis in order to manage a complete supplier failure or a separation from their parent. 48. We propose to retain the focus on outcomes to enable flexibility to meet our required outcomes in a way that suits the particular circumstances and business model of the bank. This will continue the focus on not unduly constraining financial system efficiency while still maintaining our focus on soundness. Functions that meet the outcomes proposed below would be considered relevant for the purposes of the policy and must be continued without material interruption to avoid significant damage to the financial system. 49. We have considered what functions a statutory manager of a failed bank would need to restore and propose that, in order to support OBR, that the bank should be operated in such a way that: a. The bank is able to continue to meet its daily settlement and other time-critical obligations, so as to avoid disruption and damage to the rest of the financial system; b. The bank is able to understand the bank’s credit and market risk positions, thereby limiting further damage to the bank’s balance sheet; c. The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available on the day of the failure a range of options for managing the failed bank; d. The bank is able to provide basic services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting; and e. The bank is able to operate on this basis as a stand-alone entity in the event of separation from its parent every day thereafter. 50. When assessing the ability to undertake these outcomes, banks should ensure that they can do so indefinitely, or as long as is necessary, as it may take some time to resolve a bank. Q5: Do you agree that the current outcomes are appropriate? Do you agree that the outcomes should also include a resolution-focused requirement? Please explain. Separation plan 51. We also propose to explicitly require banks to have a robust separation plan in place as part of the policy. The purpose of the separation plan is to describe the processes a bank would have to undertake in the event that the parent fails, or that the NZ bank is separated from its parent. The separation plan will assist in helping to bolster OBR by

11 requiring banks to set out how they will separate their operations from their parent, as well as the timeframes in which these processes will be undertaken. 52. We see the separation plan as a key strategic document for the Board and senior management of the bank in assisting to manage the separation of the parent and the subsidiary in a failure event. Therefore, banks will be required to get Reserve Bank agreement to their separation plans before they can be finalised. However, the Reserve Bank expects that any draft separation plan that is submitted to the Reserve Bank must have been approved by senior management and the Board before its submission. 53. In preparing its separation plan, banks will be required to prepare for an abrupt loss of access to functions provided by the parent and related parties for an indefinite period. While banks may have contractual arrangements in place for parents and related parties to provide transition services in the event of separation, these contracts should not be relied upon for the purposes of the separation plan. However, banks may continue to rely on contractual arrangements that are in substance unaffected by the separation. 54. The separation plan should not assume that the bank goes into wind-down in the event of separation. Rather, the plan should assume that the bank continues to operate on a business-as-usual basis for the services that it provides. 55. The separation plan should set out how the bank will, from the day of being placed into statutory management and, if necessary, indefinitely thereafter: a. execute its clearing, settlement and payment obligations; b. monitor and manage its financial risk positions; c. manage the operational responsibilities for the separation; d. ensure parallel rights for the New Zealand bank are available for functions outsourced through the parent or a related party; and e. set out robust alternative arrangements for systems that are owned or controlled by the parent or a related party. 56. The separation plan should also set out the timeframes in which all processes have to be completed and which staff members are responsible for taking these actions. This should include a clear chain of command and a communications plan. 57. The bank would also be required to undertake a process to test its ability to respond to a parental failure or separation event. We propose that this testing should be undertaken annually, and the duration of the annual testing should be set out in the separation plan. Q6: Do you agree that the matters identified above are the appropriate matters for inclusion in a separation plan? Are there any matters that have not been identified above, but should be included?

12 Proposed inclusion of a definition of outsourcing 58. Currently BS11 does not contain a definition of outsourcing, although this is fairly common practice internationally. Instead, the current policy defines outsourcing arrangements to include any arrangements that fall within the meaning of section 78(fb) of the Reserve Bank of New Zealand Act 1989 (the Act). 59. In order to focus the range of issues that would potentially be relevant for the policy we propose to adopt a formal definition of outsourcing. Having considered a number of options we propose to adopt a modified version of the definition in the Basel Committee’s report on Outsourcing in Financial Services. The proposed definition is as follows: 60. All functions not captured by the list below in paragraph 62 will be subject to the outsourcing policy and must meet the requirements. Q7: Does the proposed definition appropriately define outsourcing? If not, please provide an alternative definition that, in your opinion, better captures what is meant by the term outsourcing. Functions that are generally not considered relevant for the outsourcing policy 61. A number of the jurisdictions we have reviewed have also developed a list of activities that would not be classified as outsourcing for the purposes of their policy. We believe adopting this approach will assist to clarify the arrangements that are relevant for the purposes of the policy. It will also assist in interpreting the use of the word “could” in the proposed definition above. 62. Below are a number of functions that we consider should not be classified as outsourcing for the purposes of the policy: • Telecommunication services and public utilities; • Postal services; • Specialised training; • Discrete advisory services (e.g. legal opinions, certain investment advisory services that do not result directly in investment decisions); • Independent audit reviews; • Market information services (e.g. Moody’s, Bloomberg, Standard and Poor’s); • Independent consulting; • Services that the registered bank is not legally able to provide; • Printing services for marketing materials; • Repair and maintenance of fixed assets; • Supply and service of leased telecommunication equipment; “Outsourcing is defined in this policy as a registered bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that could be undertaken by the registered bank, now or in the future.”

13 • Travel agency and transportation services; • Temporary help and contract personnel; • Fleet leasing services; • Specialised recruitment; and • Conference organising. Q8: Are there any other functions that should be excluded from the outsourcing policy, but are not captured in the list above? Prohibition on outsourcing certain functions 63. Given the objectives of the policy focus on the ability of the bank to provide liquidity, the ability of the bank to provide basic banking services, and whether the outsourcing of a particular function may frustrate resolution options, we have considered whether it is appropriate to prohibit certain functions from being outsourced, given their importance to achieving the objectives of the outsourcing policy. Below we have identified three examples of functions that may be appropriate to prohibit banks from outsourcing. 64. The first example considers the ability of a bank to calculate its financial position. We propose that: 65. The basis for this proposal is due to the fact that a number of banks are reliant on their parent for undertaking these calculations. While there are BCP work-arounds, many of these are more focused on disaster recovery (DR) rather than parental separation and may not be a sustainable option in the intermediate term. Now that OBR is a live policy option it is worth considering whether banks should have the ability to undertake these calculations in-house. 66. However, we are aware that some banks are reliant on third party software for managing their data. We consider that it may still be appropriate to allow a bank to have its data managed by independent third parties using their technology platforms where the contract for those services meets the requirements set out in paragraph 81. 67. This proposal still allows for the New Zealand bank to provide a copy of its data to its related parties in order for the banking group to complete its financial position calculations. A bank must be able to calculate its financial position, including the ability to balance its general ledger, at the end of each business day. To undertake this requirement, a bank must be able to exclusively rely on data that it has direct ownership of, and control over. Where a bank is part of a larger banking group, the ownership and control of data used to calculate the New Zealand bank’s financial position must reside with the New Zealand bank.

14 68. The second example considers the use of SWIFT gateway and licences. We propose that: 69. Some banks are reliant on their parent’s SWIFT gateway licence for the processing of transactions. While banks operate DR capability, in a separation scenario there is an issue about whether this capability would be workable for the intermediate term. We consider it would be more appropriate for New Zealand banks to have their own SWIFT licence. However, banks can use independent third parties for this function. 70. The third example considers regulatory reporting. We propose that: 71. Like the first proposal, a number of banks are reliant on their parent or related parties to undertake their regulatory reporting calculations. As OBR is now a live option it is important that banks are able to determine their regulatory reporting requirements without being reliant on their parent or a related party. Q9: Do you agree that there are functions that are so integral to carrying on the business of a bank that they should not be outsourced? Do you agree that these examples are appropriate? Are there any other functions or systems that should not be outsourced? Process for engagement with the Reserve Bank 72. BS11 currently presumes that a core function (as described in the policy) will not be outsourced unless the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes. However, BS11 does not contain a specific process for how banks should engage with the Reserve Bank on these matters. 73. The lack of a more explicit engagement process has given rise to variability in the way in which banks engage with the Reserve Bank on their outsourcing arrangements. 74. Therefore, we consider that: A bank should have its own SWIFT gateway and licence for the processing of transactions. A bank should be able to undertake its regulatory reporting using its own data. To undertake this requirement, a bank must be able to exclusively rely on data that it has direct ownership of, and control over. Where a bank is part of a larger banking group, the ownership and control of data used to calculate the New Zealand bank’s regulatory reporting position must reside with the New Zealand bank.

15 a. Maintaining a formal record of all outsourced arrangements would assist in the management of a failure of a registered bank; and b. A more explicit framework for determining the necessary process of engagement between banks and the Reserve Bank would assist in ensuring greater consistency in the management of potential outsourcing arrangements for functions. Compendium 75. If a bank were to fail and be placed into statutory management it is imperative that the authorities and the appointed statutory manager understand what functions and processes have been outsourced by the bank. This information will need to be provided rapidly as some outsourcing arrangements may relate to time-critical functions. 76. At a minimum the Reserve Bank believes that establishing a formal record of all outsourced functions with each bank is an important step to assist in managing the failure of a bank. For this purpose, the Reserve Bank proposes a compendium of outsourcing arrangements with each bank which includes key specific information. This compendium would not be made public but the requirement to have a compendium would form part of a bank’s conditions of registration, similar to the compendiums banks have with the Reserve Bank for prepositioning for OBR and internal models. 77. The information to be included in the compendium would be relatively basic, factual information and should assist with failure resolution, as well as assist banks with their risk management of these functions. 78. The compendium should: a. Be a key accountability document and should be embedded in board compliance; b. Include information on the name and location(s) of the service provider and the value and expiry or renewal date of the contract; c. Include an overview of the function or system that has been outsourced; and d. Be updated and form part of the oversight and governance reviews undertaken by the board and senior management. 79. The compendium will be required to be maintained with the Reserve Bank. Any new outsourcing arrangements or changes to service providers would require updating the compendium but not the conditions of registration. A draft of the compendium is outlined in appendix two. 80. Banks will also be required to update the compendium and to inform the Reserve Bank when functions that were outsourced are subsequently brought back in-house.

16 Q10: Do you think an outsourcing arrangement compendium would be useful as a reference record between the Reserve Bank and a bank? Q11: Are there any other matters not addressed above that should be included in the compendium? Q12: What are the costs to you of establishing and maintaining an outsourcing arrangement compendium that forms part of your conditions of registration? Contractual provisions 81. Given the importance of ensuring that outsourcing arrangements are robust and that functions outsourced to independent third parties, and arrangements made through the parent or a related party, will remain available following a failure we propose to require certain terms and conditions that an agreement must contain. These matters are: a. a contractual provision to ensure continuing access on normal commercial terms to services when the bank enters statutory management; b. parallel rights for arrangements made through the parent or a related party to ensure continuing access to the services where the bank is separated from its parent; and c. the ability for the Reserve Bank to have access to documentation and information related to the outsourcing arrangement. 82. Further contractual provisions that the Reserve Bank would expect to see included in robust outsourcing arrangements are identified in appendix one. Q13: Do you agree that all contracts for outsourcing arrangements should be required to include the terms outlined in paragraph 81? Options for engagement with the Reserve Bank 83. As discussed earlier in the paper, at present there is no formal engagement process that banks are required to follow when engaging with the Reserve Bank on outsourcing proposals. This has led to variable outcomes across the industry. Therefore, we consider that a more prescriptive approach would be appropriate. 84. The Reserve Bank has identified two options for how banks should engage with the Reserve Bank when proposing to outsource functions. Given that arrangements with the parent or related party have the potential to frustrate resolution options, we consider that it may be appropriate to differentiate between the engagement of these arrangements and arrangements with independent third parties. All arrangements with the parent or a related party will be relevant for the separation plan and the separation plan will need to be updated and agreed when any new outsourcing arrangement is identified. 85. In considering the options for engagement the Bank considered a number of approaches for engagement, including notification after the arrangement is entered into. However, these options were ruled out on the basis that they did not sufficiently

17 deal with the issues identified in the problem definition, in particular around the Reserve Bank’s ability to manage a bank in distress. As noted earlier, the outsourcing policy is focused on maintaining functionality and once outsourcing arrangements are entered into it can be difficult to unwind them. For these reasons we consider that banks should be required to seek Reserve Bank non-objection before entering into an outsourcing arrangement. 86. Regardless of which of the following options for engagement is chosen, the bank would be required to update its compendium of outsourced arrangements that is held with the Reserve Bank, as discussed above. Option one – Reserve Bank non-objection for all outsourcing arrangements 87. Under this option banks must seek non-objection on all outsourcing proposals. The bank would be required to prepare a detailed template submission for the Reserve Bank to consider the proposed outsourcing arrangement and to assess whether the proposal is appropriate. 88. A bank must be able to demonstrate to the Reserve Bank that, in assessing the options for outsourcing a function it has: a. considered all risks associated with outsourcing the function and determined that it does not expose itself to undue risks than if the bank were to undertake the function itself; b. demonstrate that the risks arising from the outsourcing proposal are appropriately managed; c. developed realistic contingency plans that would enable the outsourced function to be provided by an alternative service provider or brought in-house if required. These contingency plans should be tested by the bank if the outsourcing proposal is approved; d. undertaken a due diligence review of the chosen service provider, including the ability of the service provider to conduct the function on an on-going basis; e. involved the Board, Board committee, or senior manager with delegated authority from the Board, in approving the agreement; f. considered all the matters outlined in paragraph 81 that should be included in the outsourcing agreement itself. This should be independently validated by the bank’s internal audit process; g. implemented procedures for the on-going review to identify risks that may not have been identified at the time of entering into the agreement; h. set out how the proposal impacts the separation plan; i. that the bank has the ability to cancel the contract;

18 j. provided analysis of impacts in circumstances where the proposal interacts with other outsourced functions; k. considered how it would work with other banks where there is a common supplier; l. the required monitoring procedures to ensure that the related party is performing effectively and how potential inadequate performance would be addressed; and m. addressed the renewal process for outsourcing agreements and how the renewal will be conducted. 89. Where the service is undertaken by the parent or a related party, including any subcontracting, the bank must have regard to, and demonstrate to the Reserve Bank’s satisfaction, the following: a. that the terms of the contract are made as if it were on an arm’s-length basis; b. that the bank has significant oversight of the outsourced function on an on-going basis; c. that the bank’s management retains the ability to direct the service provider; and d. whether the bank is able to perform the function in-house. 90. The Reserve Bank may require that modifications to proposed outsourcing arrangements be made. Option two: filing a document outlining key information on proposed outsourcing arrangement with the Reserve Bank before entering into an arrangement 91. Under this option banks would be required to fill out a prescribed template outlining the key information on any proposed outsourcing arrangement as outlined below. This would be completed before entering into the arrangement. 92. The template (outlined in appendix three) would outline key information for the arrangement, including: a. information on the name and location(s) of the service provider and the value and expiry or renewal date of the contract; b. if the arrangements is with or through a related party, how the requirements under the separation plan have been considered; c. the function or system that is proposed to be outsourced; d. a summary of the substitutable arrangements; e. how the bank has considered the implications of the failure of the service provider, or the failure of a related party providing the function; and

19 f. information on the proposed internal control and risk management requirements of the outsourcing arrangement. 93. The arrangements would still be required to include the contractual terms identified in paragraph 81. 94. The Reserve Bank will then consider whether the arrangement will require non￾objection before it is entered into. If it does require non-objection then the process outlined below in paragraphs 87 - 90 must be followed by the bank. 95. If the Reserve Bank assesses the information and decides it does not require a full non-objection process then the bank will be notified and the bank may enter into the arrangement. The bank will then be required to notify the Reserve Bank within 20 working days of entering into the arrangement. The compendium would be updated at this time. Preferred option – option two 96. On balance we consider that option two would achieve the desired policy outcome. This option strikes a balance between ensuring that the Reserve Bank has oversight of the outsourcing arrangements that banks are entering into where those arrangements have the potential to affect the objectives of the policy, while allowing for banks to enter into arrangements that have little impact on the objectives. This option will also assist in expediting the Reserve Bank’s non-objection. 97. We consider that option two is better than option one as it provides for a faster process in the assessment outsourcing proposals. We think that most proposals will not require a full application as proposed under option one, therefore providing more efficiency in the assessment process. Q14: Do you agree that option two is the most appropriate option for the assessment of outsourcing arrangements? Please explain. Option for assessing proposals on outsourcing arrangements 98. At present banks can submit outsourcing proposals for the consideration of the Reserve Bank at any time. In order to minimise the time taken for the Reserve Bank to assess outsourcing proposals we could require standardised applications. For applications using prescribed templates (as outlined in option two) we expect that the Reserve Bank would advise the bank within 20 working days whether it required a full application, or whether more time is required to assess the application. 99. For full applications (as outlined in option one) the Reserve Bank would endeavour to get back to banks as soon as is practicable, though the time it will take to make a decision will depend on the complexity of the proposal, volume of requests from banks and other workloads. Assessment criteria

20 100. In assessing applications the Reserve Bank’s consideration will include, but is not limited to, the following factors: a. Who the intended service provider is and where they are located; b. Whether the service provider is the parent of the registered bank, or a related party of the parent; c. Whether any other functions have been outsourced to the same service provider; d. What impact a disruption in service may have on the bank’s operations; and e. The robustness of substitutable arrangements. Q15: Do you agree that the approach outlined above is an appropriate way to manage the assessment of outsourcing proposals? If not, please explain. Q16: Do you agree that having standardised applications would assist in reducing the time taken to assess outsourcing proposals? Q17: How many requests per annum do you expect to file in a business-as-usual state? How many requests do you expect to file at the outset of the policy? Threshold 101. Outsourcing currently applies to all locally incorporated banks whose NZ liabilities, net of amounts due to related parties, exceeds NZ$10 billion. At the time the threshold was set it focused on “systemically important banks” given that they presented the greatest risk of causing significant damage to the financial system if they failed. 102. Since the introduction of the outsourcing policy, the Bank has implemented the OBR policy as a tool to manage bank failures. The threshold for the OBR policy is set lower than the outsourcing policy, applying to any locally incorporated bank with retail funding over NZ$1 billion. This threshold reflects the fact that smaller institutions would likely benefit from pre-positioning on the grounds that a more orderly resolution of a failure event is preferable even in scenarios in which systemic concerns may be limited. 103. Given the relationship between outsourcing and the continuation of essential bank services during times of financial distress there is a case for reconsidering the threshold for outsourcing policy capture. This consideration is two-fold. First, whilst smaller institutions may not have been regarded as systemically important when the outsourcing policy was introduced, it acknowledges that there may some circumstances where a bank has a strong position in specific markets, or where it is stronger in a particular geographical region and may require the ability to carry on basic banking services under a statutory manager. In such cases, it is unlikely that all the existing customers of the bank would be able to immediately develop a relationship with another bank in the event of a failure of their existing bank.

21 104. Second, it provides a statutory manager with more exit options should a smaller bank fail. Whilst there may not be immediate, direct systemic concerns as a result of using OBR simply to carry out an orderly wind down of a smaller institution, there may be circumstances where the on-going operation of the institution following an OBR event is expected to minimise the losses incurred by the creditors of the failed institution. Enabling the pursuit of such a response is consistent with promoting the maintenance of a sound and efficient financial system and avoiding significant damage to the financial system from the failure of a bank. At this stage we believe that any cost impacts would be limited. Option one – status quo 105. Under this option the threshold for outsourcing policy capture would remain unchanged at NZ$10 billion in liabilities, net of amounts owed to related parties. This approach would continue to focus on systemically important banks, being those banks that present the greatest risk of causing significant damage to the financial system if they were to fail. The existing threshold covers the five largest banks3 . 106. Under the OBR policy, banks are required to be able to provide access to any unfrozen funds at 9am the next business day after a failure, and to provide access to any frozen funds that may be unfrozen at a later date. This functionality ensures that customers have access to liquidity throughout the resolutions process. However, it does not require the bank to be capable of conducting broader on-going business. As a result, the options for resolving smaller institutions may be limited to controlled wind down. Option two – align the outsourcing threshold with the OBR pre-positioning threshold 107. Under this option the threshold for outsourcing capture would be based on retail deposits above NZ $1 billion. This threshold would align with the threshold for OBR pre-positioning, and would extend the boundary of the outsourcing policy to include five further banks4 . 108. This approach would require that all banks captured by the OBR policy were capable of continuing to provide basic banking services, beyond simply providing access to unfrozen funds, and would ensure that authorities and the statutory manager retain access to the full suite of potential exit options in an OBR event. Q18: Do you think that that the threshold for the outsourcing policy should be aligned with the threshold for OBR pre-positioning, given the inter-linkages of the two policies? Would your bank impacted by an alignment? If so, provide detailed comments. 3 ANZ, ASB, BNZ, Kiwibank and WNZL. 4 Co-Op, Heartland, Rabo NZ, SBS and TSB.

22 Transition to compliance 109. Given the proposals contained in this consultation document may require banks to amend their current operations and potentially repatriate function we will consider a transitional path to compliance. 110. We believe that for some banks this could be a fairly lengthy process, given contracts that may be in place, as well as the need to reassess current operations and to prepare a separation plan and a compendium. 111. We believe a period of 6 months from the finalisation of the new policy for banks to develop a plan for how they propose to come to compliance with the new policy would be appropriate. Following that, banks would be provided with a further period of 2 years to amend their operations to ensure compliance with the final policy. Q19: Do you agree that 6 months is an appropriate amount of time for banks to provide the Reserve Bank with a plan for how it will come to compliance with the revised outsourcing policy, noting that its form has not yet been finalised? Q20: Do you agree that 2 years would provide a sufficient timeframe to reach compliance with the policy? Q21: How much do you think transitioning to compliance will cost and how could those costs be reduced by an appropriate transitional path? Timeline and next steps 112. The consultation period for these proposals will run until 4 December 2015. Following that, the Reserve Bank expects to release a summary of submissions and to consult on a draft of a revised BS11. 113. The Reserve Bank requests that all submissions be filled in using the template in appendix four and sent in electronic form. A Word version of the appendix is available.

23 Appendix one – contractual terms

1. Outlined below are contractual terms that the Reserve Bank would expect to see included in robust outsourcing arrangements: a. the scope of the arrangement and services to be supplied; b. commencement and end dates; c. escrow arrangements; d. review provisions; e. pricing and fee structure; f. service levels and performance requirements; g. the form in which data is to be kept and clear provisions identifying ownership and control of data; h. reporting requirements, including content and frequency of reporting; i. audit and monitoring procedures; j. business continuity management around how the service provider will deal with a failure of the service it is providing; k. confidentiality, privacy and security of information; l. default arrangements and termination provisions; m. dispute resolution arrangements; n. liability and indemnity; o. sub-contracting; and p. insurance.

24 Appendix two – compendium of outsourcing arrangements Related outcome Business function owner Function/system being outsourced Name of service provider Location of service provider Parent company / related party of the parent company

25 Appendix three – template for engagement with Reserve Bank – option two

1. Description of the function proposed to be outsourced
2. Description of the service/system proposed to be outsourced, including: a. Name of the service provider b. Location(s) of the service provider c. Duration of the arrangement d. Expected timeframe for implementation of the arrangement e. If the supplier is the parent company or a related party of the parent company whether the service/system is proposed to be outsourced by that party f. What other functions have been outsourced to the service provider
3. Impact of disruption In the event that the supplier becomes unable to deliver the required service/system, either on a temporary or permanent basis, provide a high-level description of the potential impact on the bank’s business operations
4. Controls Describe any control measures that would help the supplier deliver the required service/system in accordance with the requirements of the bank
5. Substitutability Is the service substitutable, i.e. are there other ways/mechanisms to provide a similar service to customers? Please provide an explanation. In the event that the supplier becomes unable to deliver the agreed service/system, what alternative arrangements are available and for how long can they be deployed, i.e. are they available on a permanent or temporary basis?
6. Date of internal sign-off and level, i.e. Board, Board delegate, etc (name and position) The proposal is required to have received internal sign-off in line with the bank’s internal processes before Reserve Bank non-objection is sought
7. If the proposed arrangement is with the parent company or a related party of the parent company, outline how the separation plan has been considered
8. Outline why you think the proposal is compliant with the outsourcing policy
9. Does the proposal contain the required contractual arrangements outlined in the policy?

26 Appendix four – submission table Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8 Q9 Q10 Q11 Q12 Q13 Q14 Q15 Q16 Q17 Q18 Q19 Q20 Q21