Minter Ellison Rudd Watts Response to Reserve Bank Outsourcing Exposure Draft

s9(2)(a) privacy s9(2)(a) privacy

18217958:1 Plain 1 Schedule 1: Table of comments Reference Comment 2.1(1)(d) “provided by banks” should be inserted after “key retail and business services.” 2.1(1)(d)(iii) Reference to “contagion” is superfluous. Delete the words “contagion effect, including” and “that” 2.1(1)(d)(iv)(1) Delete “or similar.” 2.1(1)(d)(iv)(1) Delete “as a store of value.” 2.1(1)(m) Outsourcing definition should be amended to “the use, now and in the future, by a registered bank of a third party (either a related party within the corporate group or third party that is external to the corporate group) to perform services, that relate to the policy objectives in section 3.2(1) or the outcomes listed in section 3.2(2), on a regular or continuing basis that could be undertaken by the registered bank, and does not include any services on the White List.” This definition makes it clear functions unrelated to the policy objectives and outcomes, but not on the white list, are not captured by the policy. 2.1(1)(s)(ii) “qualifying” should be deleted. 2.1(1)(s)(v) This limb is very broad. For example, are banks which jointly own industry service providers intended to be related parties by reason of their common shareholding? 3.2(2)(e) Section 3.2(2)(e) of the Exposure Draft currently provides “Where a bank is part of an overseas banking group, it must achieve outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent, on the day of failure and thereafter.” This should be amended to “Where a bank is part of an overseas banking group, it must achieve outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent, on the first business day after the day of failure and thereafter.” The suggested amendment is to align the Exposure Draft with the Final Policy Decisions. 4.1(1) first bullet point. “the bank becoming aware of” should be inserted before “the failure or disruption of the outsourcing arrangement.” 4.1(1) second bullet point. “outcomes (a), (b) and (if applicable) (e)” should be amended to “the outcomes listed in section 3.2(2)(a), (b) and (if applicable) (e).” 4.1 Alternative arrangements “4.1 Alternative arrangements” should be amended to “4.3 Alternative arrangements.” 5.1(1) For clarity, the fact that arrangements entered into with non-related parties will not require non-objection should be stated. 5.1(2) “sections (6) and (7)” should read “sections 6 and 7” to avoid confusion.

18217958:1 Plain 2 5.1(1) Should begin “Subject to subsection (4) below, all outsourcing…” 5.1(4) “paragraphs (5) and (6)” should be replaced with “subsection (6).” 5.1(6)(i) 5.1(6)(i) should be amended to “has considered any ability to cancel the contract.” 5.1(7)(p) “5.1(7)(p)” should be replaced with “5.1(7)(a).” 5.1(7)(s) 5.1(7)(s) should be deleted. Requiring the bank to be able to perform the function in-house when the outsourced function is proposed to be undertaken by the parent or a related party is a change from the Final Policy Decisions which are predicated on back up capability being the primary requirement. Guidance box after 5.1(11) “particularly those with the parent or related parties” should be deleted given section 5 only applies to outsourcing arrangements with or through the parent or related parties. 6.1(2) Should read “The Reserve Bank will maintain a list of functions that are pre￾approved for the purposes of this policy. The functions and services on this list do not require Reserve Bank non-objection before a bank enters into the arrangement with or contracted through a parent or a related party” to track the language of 5.1(1). 6.1(3) For clarity, 6.1(3) should read “It is the responsibility of the bank to ensure that an arrangement on the pre-approved list is compliant with the policy” given the general obligation already exists at 6.1(1). 10.2(1) “processes a New Zealand bank would undertake to operate services in-house that were provided previously” should be amended to “processes a New Zealand bank would undertake to operate in-house or by a third party that were provided previously.” Otherwise, this is again inconsistent with the acceptability of back up capabilities. 10.4(3) This 24-hour requirement is too onerous. The impediments should be reported on, as well as mitigating steps taken, in the four-week report. If there is a requirement for advising the Reserve Bank within a shorter timeframe of impediments identified, then there should be some form of materiality threshold. 11.3(1) This subsection should also reference 10.4. Pre-approved functions and services 1(c) 1(c) captures “licensed software that is licensed directly to the New Zealand bank to the extent it exclusively relates to one or more white listed functions.” This should be captured by the white list rather than the pre-approved list, as it was in the Final Policy Decisions.