Summary of Submissions for Outsourcing Policy Review for Registered Banks

Summary of submissions on the Consultation Paper: Revised policy proposals for the review of the outsourcing policy for registered banks February 2017

2 PART ONE: BACKGROUND

1. The Reserve Bank’s outsourcing policy (BS11) was introduced in 2006. The current outsourcing policy adopts an outcomes-focused approach that sets out a range of outcomes that banks need to be able to deliver on an on-going basis. It currently applies to any locally incorporated bank whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion (a “Large Bank”). In 2014 the Reserve Bank undertook a stocktake of banks’ outsourcing arrangements, which found that banks had inconsistent interpretation and application of the existing policy. Importance of an effective outsourcing policy and the need for a review
2. Section 68 of the Reserve Bank of New Zealand Act 1989 (the Act) requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: a. promoting the maintenance of a sound and efficient financial system; or b. avoiding significant damage to the financial system that could result from the failure of a registered bank.
3. BS11 pursues both these purposes by requiring that a Large Bank’s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions, or circumstances of stress, or of failure of the bank or of a service provider to the bank. The current outcomes focus on the provision of liquidity to the financial system.
4. The development of BS11 took place against the backdrop of a number of other material policy developments, including the local incorporation policy and the consideration of the Basel II IRB approach. Significant work had also been undertaking on the development of Bank Creditor Recapitalisation (BCR) (the forerunner to the Open Bank Resolution Policy (OBR)1). The outsourcing policy and the local incorporation policy were both linked to a desire to strengthen the Reserve Bank’s ability to respond to a failure. However, the outsourcing policy is not just focused on the ability to manage failure, but also about standard outsourcing concerns, including ensuring that outsourcing arrangements are robust in limiting the potential impact on a bank or the wider financial system from a supplier failure or where a supplier fails to provide an adequate service.
5. OBR pre-positioning was implemented on 1 July 2013 and applies to all locally￾incorporated registered banks whose retail deposits are in excess of $1 billion. OBR is a mechanism for providing bank customers with continued access to liquidity and banking services after bank failure. Pre-positioning means having the IT, payments, resource and process functionality in place ahead of a crisis, such that should a bank enter into statutory management, access channels can be closed, a portion of customer funds can be frozen, and access channels can be reopened for business by no later than 9 a.m. the next business day, enabling customers to have access to the available or a portion of their funds.
6. While banks will clearly want to manage risks from outsourcing, they will be focused on their own business, whereas the Reserve Bank has a broader systemic focus. Under 1 While the paper specifically refers to OBR, the application of the policy is relevant for crisis management options in general.

3 business-as-usual conditions banks have strong incentives to adopt arrangements that are robust in limiting the potential impact on their profits or from supplier failure, but may not make allowances for the broader systemic costs of service disruption. 7. Furthermore, where a function is carried out by a parent, there may be situations where, after a separation, those services are no longer available. This could be because the parent’s focus has changed and it does not see itself as a service provider to a former subsidiary, due to an unwillingness on the part of the parent, or simply because the parent is unable to continue to provide the service. Regulatory coordination may support the continued provision of services during normal times, but it might not work well when there is banking distress and there can be elevated risks to the financial system. Also, regulators and national authorities may face different incentives during times of stress. Also, where there are contracts with independent third parties that are in place at the group level, separation may leave the New Zealand subsidiary with no legal relationship with the third party service provider. 8. Whilst the OBR implementation process requires contracts to be reviewed and amended to ensure services would continue under statutory management, the reach of the OBR policy only extends to the functionality directly required under OBR. OBR is focused on overnight processes and making unfrozen funds available to customers but it does not itself ensure that the bank can continue in business indefinitely. As a result, outsourcing of functions that materially impact on the ability of the statutory manager to continue operating the bank can make it harder to realise the full benefits of the OBR policy. 9. Outsourcing arrangements with independent third parties have less potential to be undermined by a separation, so long as the New Zealand subsidiary has a direct contractual arrangement (or parallel rights under a contract through the parent) with the service provider and these services continue to be provided following the failure of the bank or its parent bank. The incentives on the independent third party should be that the service continues to be provided so long as the bank keeps paying for the services as contractually agreed. 10. An outsourcing policy is important for financial stability, especially for dealing with a crisis and a bank failure. The current outsourcing policy already tries to achieve this. The review of the outsourcing policy was undertaken for a number of reasons, including the fact that it has been ten years since the policy was introduced and it is good practice to review policies; the inconsistent interpretation and application across the sector; and the implementation of the OBR policy.

4 Consultation history 11. The Reserve Bank released the first consultation document on a revised outsourcing policy for registered banks in August 20152, following an internal stocktake of the outsourcing policy, which highlighted a need for enhanced clarity for both requirements of the policy, and greater consistency in its application across the banking sector. The timing of the first consultation reflected stakeholders’ desire to be involved early in the policy development process and included a number of proposals to update the existing policy. These included: a) The proposed problem definition. b) The proposed revised objectives and outcomes. c) The definition of outsourcing. d) An explicit requirement for a separation plan for subsidiaries of foreign owned￾banking groups. e) A list of functions that are not relevant for the outsourcing policy. f) A compendium of outsourcing functions. g) A list of functions that cannot be outsourced. h) A clearer process for obtaining non objection from the Reserve Bank for outsourcing proposals. i) A possible lowering of the threshold used for deciding to which banks the outsourcing policy should apply to that used for OBR. j) A transitional path of two and a half years. 12. Sixteen submissions were received 3 . Most submitters were either supportive or reasonably comfortable with proposals a) – f). On the last four proposals g) – j), non￾bank submitters were supportive whereas bank submitters were less so. Bank submitters suggested that an explicit materiality test and a definition for basic banking services should be included. 13. The Reserve Bank engaged with submitters both before and after the first consultation closed through bilateral meetings and industry fourms. The Reserve Bank has had over 70 meetings with stakeholders on the outsourcing policy. For the proposals that banks have found the most problematic, the Reserve Bank has subsequently revised them, with a view to reducing their compliance impact while not compromising the policy objectives. The Reserve Bank has also made further adjustments to other proposals that submitters commented on. As a consequence, the Reserve Bank released a second consultation in May 2016, with the following proposals: 2 http://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/banks/consultations/consultation-review￾outsourcing-policy-registered-banks.pdf?la=en 3 The submitters were: Asia Cloud Computing Association, ANZ NZ, ASB, BNZ, Co-operative Bank, FIRST Union, Heartland Bank, IBM, ICBC NZ, Microsoft, NZBA, Rabobank NZ, Salesforce, SBS, TSB and Westpac NZ.

5 • Instead of prohibiting some functions from being outsourced to a parent or related party, the policy would instead require banks that outsource certain key functions to have robust backup capabilities. • The existing threshold for compliance with the full outsourcing policy would be retained, i.e. only for locally incorporated banks whose New Zealand liabilities exceed $10 billion, net of amounts due to related parties. It is also proposed that a new, separate, requirement that all locally incorporated banks would be subject to business continuity preparation (BCP) requirements and contractual terms, would be introduced in due course. • Instead of including an explicit materiality test, a more extensive “white list” would be developed, where certain activities and functions would not be captured by the definition of outsourcing. This list builds on the proposed list of functions that are not relevant for the outsourcing policy to include feedback from submitters. It is also proposed that the “white list” will be reviewed periodically to ensure it remains appropriate. Banks will also be able to make suggestions for additional activities and functions to be added to the white list. • The transitional path would be increased to five years. • A proposed definition of basic banking services would be included. 14. The Reserve Bank also clarified the proposed engagement process further in the second consultation paper, which was released in May 2016. 15. Eleven submissions4 were received in the second round of formal consultation, including a joint submission by four Australian-owned banks. The Reserve Bank continued to engage in ongoing discussions with submitters both before and after the second consultation, and would like to thank the industry for the generally constructive feedback received throughout this process. Further refinements have been made to the overall proposal, which reflect the comments that have been provided by stakeholders. 16. The remainder of the paper is structured as follows: • Part two provides a detailed problem definition; • Part three outlines the objectives of the policy; • Part four provides a summary of submissions on all key features of the proposal; • Part five outlines the policy changes during the two rounds of consultation; and • Part six outlines the other related matters and the next steps. 4 The submitters were: Asia Cloud Computing Association, ANZ NZ, ASB, BNZ, Joint Australian-owned banks, Kiwibank, Microsoft, NZBA, Rabobank NZ, Salesforce, and Westpac NZ.

6 PART TWO: PROBLEM DEFINITION 17. The first consultation paper laid out the problem definition with a further, more detailed, explanation of the interaction of the outsourcing and OBR policies in the second consultation paper. However, as noted in these papers, the outsourcing policy is not just focused on the ability to manage failure, but also on standard outsourcing concerns, including ensuring that outsourcing arrangements are robust in limiting the potential impact on the bank or the wider financial system from supplier failure or where the supplier fails to provide an adequate service. 18. At a high level both banks and the Reserve Bank have to balance soundness and efficiency concerns when assessing the appropriate levels of outsourcing. Under business-as-usual conditions banks have strong incentives to adopt arrangements that are robust in limiting the potential impact on their profits or solvency from supplier failure. However, the broad economic costs may exceed the reputational risk or direct cost to the individual bank. There may also be particular concerns around concentration risk associated with a single supplier to many banks. In this scenario, economic costs could be substantial, but the direct cost for individual banks may be limited as all or many of them would be affected, limiting the impact of reputational damage at the bank level. 19. There are externalities related to outsourcing by New Zealand banks that are best described in three categories: • costs to third parties arising from outsourcing arrangements frustrating the orderly resolution of a bank; • costs to third parties arising from outsourcing arrangements increasing the probability of a bank failing; and • costs to third parties arising from service disruption under BAU conditions. 20. The potential for negative externalities is particularly relevant with respect to the second leg of section 68, which focuses on the costs of a banking failure once it occurs. Here there is a clear risk associated with outsourcing arrangements potentially interfering with attempts to manage the failure of a registered bank including the application of OBR or take over by a competitor. 21. A more obvious potential issue arises with respect to the impact of outsourcing arrangements during the failure of a bank. In this scenario, bank owners and managers have limited incentive to ensure arrangements are robust at the point of failure as they will no longer be in control of the institution following the failure. 22. Furthermore, where a function is carried out by a parent, there may be situations where, after a separation, those services are no longer available. This could be because the parent’s focus has changed and it does not see itself as a service provider to a former subsidiary, due to an unwillingness on the part of the parent, or simply because the parent is unable to continue to provide the service, for example, if the parent’s resources are stretched and the parent’s regulator requires it to focus on itself and not on the services it provides to a former subsidiary. Also, where there are contracts with independent third parties that are in place at the group level, separation may leave the New Zealand subsidiary with no legal relationship with the third party service provider. 23. Whilst the OBR implementation process requires contracts to be reviewed and amended to ensure services would continue under statutory management, the reach of the OBR

7 policy only extends to the functionality required under OBR. OBR is focused on overnight processes and making unfrozen funds available to customers but does not itself ensure that the bank can continue in business indefinitely. As a result, outsourcing of functions that impact on the ability of the statutory manager to continue operating the bank can make it harder to realise the full benefits of the OBR policy. 24. Outsourcing arrangements with independent third parties have less potential to be undermined by a separation, so long as the New Zealand subsidiary has a direct contractual arrangement (or parallel rights under a contract through the parent) with the service provider and these services continue to be provided following the failure of the bank or its parent bank. The incentives on the independent third party should be that the service continues to be provided so long as the bank keeps paying for the services as contractually agreed, however the Reserve Bank is mandating the inclusion of certain contractual provisions to ensure this is the case, rather than simply relying on commercial incentives. 25. There are also concerns around vulnerability of banks to disruption of a crucial outsourced function that may increase the probability of the bank failing. This may arise through the failure of the service provider resulting in a material disruption to services, or through service provider error. Even if services are not disrupted, errors may expose banks to added reputational risk, loss of confidence or compensation claims. Extensive outsourcing can therefore lead to increased operational risk. 26. Also, a single supplier to several banks may increase concentration risk, or the failure of a service provider to one bank could have implications for that bank to provide liquidity to the financial system, thus leading to wider systemic disruption. Repeated outsourcing disruptions could also turn short term efficiency gains into long term efficiency costs, although banks should have a direct interest in addressing this latter risk. 27. A large part of the outsourcing policy review involves clarifying the existing policy requirements given the variable compliance and misunderstanding of the current outsourcing policy that was identified as part of the outsourcing stocktake. For example, some banks had not properly understood the outcomes the policy was seeking to achieve and what services would be required. Some banks also did not properly understand the expectations for back-up capability. Interaction of outsourcing and OBR 28. The key objectives of resolution policy are to reduce wider impacts from a failure and to maintain critical functionality in the event of a bank failure or failures, and to do so in a manner that avoids recourse to taxpayers by imposing losses on shareholders and creditors, while protecting wherever possible the rightful interests of creditors. 29. The link between OBR and outsourcing arises due to the potential need to keep the bank operating at least with basic services whilst authorities identify a final resolution. As a number of banks operating in NZ are part of foreign groups it is important that the Reserve Bank has confidence that the local subsidiary will be able to deliver those services in the event that a bank separates from its parent.

8 30. OBR is not a default solution for all instances of bank distress and/or failure. The OBR policy is intended to provide an alternative to liquidation or Government support to help address some of the costs that arise. As such, the intention is that the policy enhances decision making in a crisis. 31. The cost benefit analysis that underpinned the introduction of the OBR policy focused on its role as an additional option, and the impact that this may have on long run decision making. The positive benefit of OBR is therefore tied to it being an effective and available option in circumstances where liquidation or bailout is not preferable. In 2012 the net expected present value of OBR was calculated to be in the order of $1.3 billion. 32. An ineffective outsourcing policy risks undermining the ability of OBR to deliver the assumed positive impact in a number of ways: • Failure to ensure that banks can operate effectively under statutory management. • Failure to provide certainty about availability of reopening and on-going functionality. 33. The existing outsourcing policy has been interpreted by some as focusing on the provision of liquidity in the short term. Submission feedback 34. Submitters broadly agreed with the problem definition, including the high-level problems identified, that outsourcing can create efficiency and quality benefits for banks, though these need to be balanced against the impact outsourcing may have on the soundness of the financial system. However, a number of submitters made comments in the following areas: a. Focus on resolution: Submitters who commented on this area noted that they thought the inclusion of a resolution focus in the proposed outsourcing policy was inconsistent with other regulators. However, the Reserve Bank considers that a focus on resolution is appropriate, not only because New Zealand’s financial system is very heavily foreign-owned, but also because operational continuity is increasingly seen as important, For example, in November the FSB released a consultation document Guidance on Arrangements to Support Operational Continuity in Resolution which notes that operational continuity is a key aspect of resolution planning for individual firms and a lack of arrangements for operational continuity is likely to impair firms’ resolvability. b. Some submitters also noted that they did not agree that the outsourcing policy should be aligned with OBR. Other submitters had the opposite view, noting that an outsourcing policy is required that supports OBR and reduces the impact that a bank failure would have on the NZ financial system. c. Section 68A of the RBNZ Act: Submitters who commented on this noted that they thought a number of concerns about outsourcing arrangements could be dealt with by enhancing the trans-Tasman cooperation section in the RBNZ Act and the corresponding Australian legislation. This is considered later in this paper.

9 a. Risks of outsourcing to parents/related parties: Submitters who commented on this noted that they thought parents or related parties would be willing to continue to provide services in the event of a separation. They consider that the overseas regulator would not choose to require the parent or related party to discontinue services and that they expect the Australian and NZ regulators to work together to manage the failure. b. Single or limited suppliers: Submitters who commented in this area seem to have misinterpreted the proposal and thought that the Reserve Bank may be proposing to dictate what third party suppliers banks could outsource functions to. This issue was intended to be raised as a risk magnifier for the Bank to be aware of, but it was not intended to prohibit or control the use of particular suppliers. c. Outcomes-focus: Overall, submitters were happy that the revised outsourcing policy will retain an outcomes-focus. However, submitters were quite mixed on whether the Reserve Bank should provide more definitions in the policy. d. Balance of soundness and efficiency: In meetings with banks the Reserve Bank had good discussions on the recognition of the efficiency benefits that outsourcing arrangements can create, and also noted that in some areas an outsourced arrangement can be more robust than one provided in-house. Some submitters felt that the problem definition was too heavily focused on soundness and did not recognise the efficiency benefits that outsourcing arrangements provided to banks. The Reserve Bank acknowledges that the policy proposals focus on risk, but both consultation papers also fully recognise the efficiency and quality benefits that outsourcing can provide. PART THREE: POLICY OBJECTIVES 35. In the 2015 consultation paper, it was proposed that the objectives of the outsourcing policy would require a bank to ensure the outsourcing would not compromise the ability of the bank to: a) Be effectively administered under statutory management for the purposes of maintaining the bank’s ability to continue to provide and circulate liquidity to the financial system and the wider economy; b) Be in a position to enable any new owner of all or part of the bank to carry on the basic business of the bank; and c) Address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank. 36. These objectives support the overarching purposes of section 68 of the RBNZ Act by minimising wider damage that the failure of a bank, or a service provider, may have on the financial system and are consistent with the objectives of the current outsourcing policy. 37. On the first consultation paper, submitters were overall supportive of the retention of an outsourcing policy and that our assessment of banks’ focus and drivers regarding outsourcing was fair. As noted above, submitters were supportive of retaining the outcomes-focus to give the flexibility to satisfy the policy in the most appropriate way for their business model.

10 38. However, some submitters noted that instead of including some of our proposals in the outsourcing policy the Reserve Bank could instead look to enhance the OBR policy to manage outsourcing arrangements. Some submitters noted that the outcomes in the outsourcing policy should not be linked to resolution. 39. A small number of submitters also noted that a Regulatory Impact Statement (RIS) was not included in the consultation paper. The Reserve Bank advised banks that it was still in the early stages of our policy thinking, and that a RIS would not have been appropriate at that stage given the undeveloped policy areas, for example a definition of what is included as a basic banking service was not included in the first consultation paper. The early consultation sought to elicit cost information and other data for the RIS. 40. One bank said that the Reserve Bank should be able to rely on the existing trans￾Tasman co-operation legislation rather than proposing changes to the policy. Another bank suggested minor clarifications to the trans-Tasman legislation. However, as noted above, the 2006 outsourcing policy already considered the existing legislation in setting the policy framework. The consultation on the existing outsourcing policy noted that, in times of stress, particularly where the parent bank (being used as a service provider) and the New Zealand subsidiary are both in statutory management, the obligations and duties of the parent bank’s statutory manager may be in direct conflict with the best interests of the New Zealand bank. 41. On the second consultation paper, a number of bank submitters proposed that the outsourcing policy review be put on hold and that a joint resolution framework be developed with Australia. The proposal on the joint resolution suggested that the governments agree to a joint recapitalisation of the Australian parent bank, either by using a burden sharing agreement or by bailing-in New Zealand creditors and using those funds to bail out the parent. PART FOUR: HIGH LEVEL SUMMARY OF SUBMISSIONS 42. As noted in Part One, the Reserve Bank has had two rounds of public consultation since 2015, and received 165 and 116 submissions respectively by the end of each round. One of the submissions on the 2016 consultation was a joint submission by the four Australian-owned banks. The Reserve Bank has also been holding bilateral and industry meetings with stakeholders, both to clarify the proposal and to receive feedback, throughout the consultation periods. Submission feedback has shaped the final proposal, which is outlined in more detail in Part Five. 43. Instead of providing a summary of submissions question-by-question, the first part has been structured to provide a summary of feedback on each key feature of the outsourcing proposal, followed by the Reserve Bank’s response. The second part focuses on the joint submission from the four Australian banks. 5 The submitters were: Asia Cloud Computing Association, ANZ NZ, ASB, BNZ, Co-operative Bank, FIRST Union, Heartland Bank, IBM, ICBC NZ, Microsoft, NZBA, Rabobank NZ, Salesforce, SBS, TSB and Westpac NZ. 6 The submitters were: Asia Cloud Computing Association, ANZ NZ, ASB, BNZ, Joint Australian-owned banks, Kiwibank, Microsoft, NZBA, Rabobank NZ, Salesforce, and Westpac NZ.

11 Key features of the outsourcing policy – feedback and Reserve Bank response I. Definition of Outsourcing 44. Current BS11 does not have a formal definition of outsourcing but refers to section 78(1)(fb) of the Act. In the 2015 consultation, it was proposed to adopt a formal definition for outsourcing in order to focus the range of issues that would potentially be relevant for the policy. Having considered a number of options, the following definition was proposed: “Outsourcing is defined in this policy as a registered bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that could be undertaken by the registered bank, now or in the future.” 45. The proposed definition is a slightly modified version of the definition in the Basel Committee’s 2005 report on Outsourcing in Financial Services. 46. There was strong support for the introduction of a definition of outsourcing. However, there were mixed views on whether the proposed definition appropriately defines outsourcing. Those that were supportive noted that it was consistent with globally accepted definition used by most regulators, and provide a consistent approach across jurisdictions for use by both regulated entities and outsourced providers. Those that did not support it noted that it was too broad, and suggested that a materiality threshold be included to exclude immaterial outsourcing arrangements. 47. The Reserve Bank has intentionally adopted a wide definition of outsourcing, and notes that the proposed definition is appropriately aligned with that used by authorities in a number of jurisdictions. As discussed in the next section, the Reserve Bank is of the view that an expanded “white list” would serve as a practical mechanism to exclude immaterial outsourcing arrangements by banks from the outsourcing policy. 48. As a result, no further change was proposed in the 2016 consultation and the Reserve bank decided to finalise the definition of outsourcing as originally proposed. II. Outcomes 49. In the 2015 consultation paper, it was noted that banks have had variable application of the existing outsourcing policy, and it was felt that the wording for the “outcomes” could be tightened to provide more clarity. For example, some banks seemed to focus on business continuity involving a natural disaster or technology failure, and not how to continue to operate under a stress event occasioned by a complete supplier or bank failure. It is also unclear whether banks have robust alternative arrangements in place that can continue to operate indefinitely. Both of these considerations are particularly relevant to ensure the viability of OBR. 50. Having considered the functions that a statutory manager of a failed bank would need to restore, the 2015 consultation proposed to retain the outcomes-focus in the outsourcing policy, but would revise the existing outcomes as follows: a) The bank is able to continue to meet its daily settlement and other time-critical obligations, so as to avoid disruption and damage to the rest of the financial system;

12 b) The bank is able to understand the bank’s credit and market risk positions, thereby limiting further damage to the bank’s balance sheet; c) The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available on the day of the failure a range of options for managing the failed bank; d) The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting; and e) The bank is able to operate on this basis as a stand-alone entity in the event of separation from its parent, every day thereafter. 51. It was also emphasised that banks should ensure they can achieve these outcomes indefinitely, or as long as is necessary, as it may take some time to resolve a bank. 52. Submitters were generally supportive of retaining the outcomes-focus to give flexibility to banks as to how they satisfy the policy in a way that is most appropriate for their business model. There was also acknowledgement of the importance that outsourced activities be managed robustly during a bank failure scenario. Submitters asked for more clarity on the wording of the outcomes, and to the extent relevant, that they be aligned with the separation plan requirements. The Reserve Bank also notes that there needs to be a clear reference to the timeframe for achieving the required outcomes. 53. Following stakeholder feedback the Reserve Bank proposed to slightly revise the outcomes in the 2016 consultation paper as follows (revisions are bold): a) The bank is able to continue to meet its daily settlement and other time-critical obligations, before the start of the value day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system; b) The bank is able to monitor and manage its financial market positions, including credit and market risk positions, before the start of the value day after the day of failure and thereafter, thereby limiting further damage to the bank’s balance sheet; c) The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available a range of options for managing the failed bank, on the first value day after the day of failure and thereafter; d) The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting, on the first value day after the day of failure and thereafter; e) Where a bank is part of an overseas banking group, the bank is able to meet outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent, and every day thereafter. 54. Submitters generally accepted the proposed outcomes, though made further drafting suggestions, such as the removal of “other time critical obligations” in outcomes (a), and the removal of “both access to deposits and to credit lines” in outcome (d). 55. After considering the feedback, the Reserve Bank decided to keep the existing wordings on outcome (a) but clarify in the policy what would be included in “other time critical

13 obligations”, to ensure that the policy is forward looking and there are no unintended gaps. The Reserve Bank expects to seek feedback on the wording when the exposure draft is published for consultation. 56. The Reserve Bank also proposes to keep the existing wording on outcome (d), which emphasises to banks that they must continue to provide both credit and access to deposits. To minimise any potential misinterpretation, this will cross-reference to the definition of basic banking services, so outcome (d) would read as follows: 57. “The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines as defined in basic banking services) and account activity reporting, first value day after the day of failure and thereafter”. III: Definition of Basic Banking Services 58. Both the current BS11 and the 2015 proposed policy did not include a definition of the basic banking services that banks were expected to provide to existing customers. We sought feedback from submitters on what services should be captured by the definition. The definition is intended to limit disruption to the financial system in the event of a bank failure. 59. This feedback was taken on board and in the 2016 consultation paper the following definition was proposed: “The key retail and business services that bank customers typically rely on, where the disruption or sudden discontinuation of the function would be likely to have a material negative impact on a significant number of third parties that rely on such services and lead to contagion effects, including significant adverse effects on market confidence” 60. The Reserve Bank also developed a list of minimum services that a bank would be expected to provide to existing customers upon separation from their parent bank, which covers both existing and new arrangements to those existing customers: • Transactions accounts or similar products used by individuals and businesses for their transactional, every day banking needs. A bank must be able to continue to provide ATM services, given the importance of cash in times of a crisis, e.g. a major earthquake. In addition, customers should be able to access their accounts through at least two of the most commonly used channels. • Savings accounts and term deposits accounts, which are usually held by individuals and entities who also engage in transactional banking. These deposits are either on-call or mature on a regular basis and are an integral part of individuals and businesses’ common banking needs. • Lending services to individuals and businesses, such as credit cards, overdraft facilities, revolving credit facilities, existing mortgage commitments (including pre￾approvals) and mortgage facilities. • Account activity reporting for the relevant accounts individuals and businesses hold.

14 • Payment, clearing and settlement services, such as credit card/merchant acquiring services and agency arrangements (including financial market infrastructure (FMI) access for smaller banks). • Foreign currency transactional, savings and term deposit accounts. 61. In addition, the Reserve Bank sought feedback on whether new trade finance and letters of credit arrangements should be included as in the definition of basic banking services. 62. All submitters were supportive of most of the proposed definition of basic banking services. However, for new trade finance and letters of credit, most submitters said that these should not be captured within the definition given that post a separation, they expect to have a smaller operation, and existing customers that rely on such services would also be able to get these services from another bank. 63. On foreign currency transactional, savings and term deposit accounts, some banks have submitted that they do not have a large pool of customers that rely on these services, so they should be excluded from the definition of basic banking services. Banks have noted that these are currently pre-positioned for OBR. 64. On balance, it was concluded that trade finance, letters of credit and foreign currency transactional, savings and term deposit accounts will be excluded from the proposed definition of basic banking services. This will mean that banks will have to manage existing arrangements, but they would not be required to offer new arrangements. The other services in the proposed list of basic banking services, as well as the definition of basic banking services, will remain unchanged. 65. One submitter also suggested that institutional customers should be explicitly excluded from the definition of basic banking services, given the low number of customers and high cost of providing systems to manage these customers. It was also noted that institutional customers generally have multiple banking relationships and can more readily substitute the services they receive from one bank to another. 66. This submitter suggested the following definition for institutional customer: “A large business or public or quasi-public enterprise, operating on a trans-Tasman or global basis – either multi-banked or able to source funding from multiple domestic or off-shore markets”. 67. Given the high costs of maintaining bespoke services for institutional customers who are able to substitute services reasonably easily, the Reserve Bank agrees that they could be excluded from the definition of basic banking services. However, the Reserve Bank considers that these customers will still require basic banking services from their bank. Therefore, instead of excluding these customers from the definition of basic banking services, the policy will instead require banks to move these customers to the platforms used for basic banking services in the event of a separation from their parent (although banks can continue to use the bespoke systems for institutional customers if they would like to). This will minimise disruption to these customers, but also ensure that banks will not be required to have back-up capability for the more bespoke systems currently used to manage these customers.

15 68. If banks plan to not provide bespoke services to institutional customers post a separation, they will be required to specifically disclose this to those affected customers in advance. They will also need to have the capability to shift institutional customers to normal platform, and offer basic banking services at a minimum. Banks will also need to manage and wind down any existing arrangements. 69. Given that a proposed definition of institutional customer was not included in the consultation paper, this will be included as part of the exposure draft for the revised BS11. IV: Backup capabilities for certain functions 70. In the first consultation, it was proposed that banks would be prohibited from outsourcing certain functions to a related party (such as a foreign parent bank), due to the importance of these functions in achieving the objectives of outsourcing. Examples given included functions related to a bank’s ability to calculate its financial position, SWIFT gateway and licence for the processing of transactions, and regulatory reporting. 71. There was general acknowledgement that those three examples were integral functions of a bank. However, there were diverging views between banks and non-bank submitters as to whether these three examples represent functions that should not be outsourced. 72. Non-bank submitters generally supported the proposal that certain functions, such as those related to core management activities and risk acceptance. Those that did not support prohibition suggested that having the right contractual and practical control, and robust testing, would be sufficient. In particular, there were concerns around the costs of establishing duplicate systems, instead of banks being able to leverage off systems of their parents. 73. The Reserve Bank has held extensive discussions with banks subsequently on this proposal. As a result, the Reserve Bank came to the view that there might not need to be an outright prohibition of certain functions, if appropriate and robust backup capability is available, where the banks would have legal and practical control over the back-up capability, and where it is a sustainable arrangement in the event of a separation from their parent. The existing BS11 already has requirement for back-up capability, although it does not explicitly state the requirements for such arrangements. 74. A revised proposal was therefore put forward in the 2016 consultation paper where banks would need to have robust and sustainable back-up arrangements for their core functions, should they decide to outsource them to a parent or related party. Feedback was sought on the requirements for the back-up capability, which was based on advice from banks and on advice from technology experts. The proposals were that: • There is no capability to lose transactions. • The switch over would take no longer than 60 minutes. • The contingency arrangement is sustainable, in that it could be deployed as the primary mechanism, on an on-going and fully automated basis, to deliver the outsourced function with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation (for example, a quick switch over and no transactions are lost).

16 • Testing is conducted on a monthly basis where the backup arrangement involves swap over between primary and secondary systems. While this could increase operational risk, regular testing is an important component of a robust alternative arrangement, to ensure it is fully operational and functional. • External audit is conducted at least every two years to ensure the arrangement remains robust and sustainable. • The bank must have direct ownership and/or control over the standby system. This does not necessarily mean that the system needs to be located in New Zealand, but that the NZ locally incorporated bank should have the legal and practical ability to control the standby system (i.e. that they own the system [or have a direct relationship with the third party provider for that system] and the data that is required to use it). This backup arrangement cannot be provided by a related party if the system is outsourced. 75. Submitters generally welcomed this change (from prohibition to back-up functionality), although some raised issues with the policy. Banks have raised issues with the 60 minute timeframe in particular, and the monthly testing. Banks have suggested some refinement on the proposals, including the timeframes for switching over, the environment for conducting testing on the back-up, and the external audit requirement. In follow-up discussions with banks, the Reserve Bank focused on how quickly back-up capability has to be up and running, and how that would affect banks’ cost estimates. There was also an emphasis of linking the requirements more closely with the timeframe of each outcome. 76. Based on these discussions, the Reserve Bank has decided that, in relation to each requirement of the robust back-up arrangement (changes have been highlighted): • There is no capability to permanently lose transactions. The timeframe on what is meant by “permanently” would be consulted as part of the exposure draft. • The switch over would be expected to be delivered within 4 – 6 hours and a bank must be able to meet its obligations under OBR including settlement, but no later than 9am the following morning – for functions related to outcomes (a)7 , and (b) 8 (plus (e)9 to the extent that it is applicable). • The switch over would be delivered before 9am the day the bank is due to reopen (i.e. the value day after being placed into statutory management) – outcomes (c)10 and (d)11 (plus (e) to the extent that it is applicable). 7 The bank is able to continue to meet its daily settlement and other time-critical obligations, before the start of the value day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system 8 The bank is able to monitor and manage its financial market positions, including credit and market risk positions, before the start of the value day after the day of failure and thereafter, thereby limiting further damage to the bank’s balance sheet 9 Where a bank is part of an overseas banking group, the bank is able to meet outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent every day thereafter 10 The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to a range of options for managing the failed bank, on the first value day after the day of failure and thereafter 11 The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting, on the first value day after the day of failure and thereafter

17 • The contingency arrangement is sustainable, in that it could be deployed as the primary mechanism, on an on-going and fully automated basis, to deliver the outsourced function with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation (for example, a quick switch over and transactions are not permanently lost). • Testing is conducted on annual basis in a simulation environment that mirrors the live environment to ensure that the back-up arrangement will work as intended. Separate to this, banks are required to ensure that changes made to the live environment will also be made in the simulation environment. • External review is conducted at least every three years to ensure the arrangement remains robust. However, annual external review is required during the five￾year transitional period. • The bank must have direct ownership and/or control over the standby system. This does not necessarily mean that the system needs to be located in New Zealand, but that the NZ locally incorporated bank should have the legal and practical ability to control the standby system (i.e. that they own the system [or have a direct relationship with the third party provider for that system] and the data that is required to use it). This backup arrangement cannot be provided by a related party if the system is outsourced. 77. While the back-up capability requirements have certain timeframes set around them to ensure that a bank will be able to reopen at 9am the day after being placed into statutory management, it is important for banks to recognise that these timeframes do not affect the timeframes for OBR and banks must ensure that they can meet the requirements of that policy. 78. However, the Reserve Bank will consider alternative arrangements to the back-up capability requirements where a New Zealand bank has an arrangement with a related party that is not the parent bank or a related party of the parent bank. In considering these arrangements, the Reserve Bank will look at matters such as: a) whether the New Zealand bank has legal and practical control over the arrangement; b) whether the parent, another related party, or any overseas authorities may be able to frustrate the arrangement; c) the relationship between the New Zealand bank and the related party; d) what functions or activities the related party will be undertaking on behalf of the New Zealand bank; and e) whether the related party will also be providing services to any other related parties. V: The White List 79. In the 2015 consultation, it was proposed to include in the outsourcing policy a list of functions that would generally not be considered as relevant, which should clarify the arrangements that would be relevant for the purposes of the policy. This has been an approach that a number of jurisdictions that were reviewed have adopted.

18 80. That list included sixteen functions, including telecommunication services and public utilities, postal services, discrete advisory services, travel agency and transportation services, and conference organising. A list of what was proposed during the first consultation period was included in the consultation paper. 81. Submitters showed a broad level of support, although some continued to prefer a materiality test to complement a broad definition. There were some concerns around having to engage with the Reserve Bank on immaterial outsourcing activities and how that would add significantly to compliance costs, delay the establishment of outsourcing arrangements and lead to inefficiency. Some also noted that the Reserve Bank might not have sufficient resources to deal with the volume of banks’ outsourcing requests. 82. Whether or not to include a materiality test was carefully considered both before the 2015 consultation, and again after receiving the first round of submissions. The Reserve Bank has also reviewed the types of materiality tests that many other regulators have. Our view remains that an assessment based on similar materiality tests would be overly subjective and prone to different interpretations. 83. The Reserve Bank therefore favours the use of an extensive “white list”, which would essentially serve as an implicit materiality list in excluding functions that are not relevant, and help prioritise banks and the Reserve Bank’s resources to the types of outsourced functions that might be of concern. In the 2016 consultation paper, an updated proposed “white list” was consulted on which added over twenty functions based on feedback from submitters (see the 2016 consultation paper). 84. While some submitters still noted their preference for an explicit materiality test, most seem to have accepted that a white list could be used to exclude functions that were not relevant for the outsourcing policy. In the follow-up engagements with banks, refining the white list has been one of the strong focuses, reflected in the feedback received in this round of consultation. 85. Of particular importance is the treatment of software. Banks have suggested that a number of categories of software be added to the white list to minimise their interactions with the Reserve Bank. The two most important categories are software licensed in perpetuity (i.e. there is no termination rights from the service provider) and licensed software that is hosted on the NZ banks’ systems and where there is no reliance on a third party for support or maintenance. These software are different from licensed off￾the-shelf software where the provider could have termination rights in a crisis event. 86. A number of banks also noted that payment switching and card scheme services should not be considered as outsourcing. Our view is if a bank is a direct participant or a member of a financial market infrastructure (such as CLS, ESAS or SBI), then that would not be considered as outsourcing. If a bank relies on another entity to meet its obligations as a direct participant, then that would be considered as outsourcing. For services such as switching, it would be common to expect an acquiring bank to have switching capabilities – while NZ acquiring banks currently use Paymark or EFTPOS NZ to switch card transactions, the Reserve Bank has tended to consider switching an outsourced function for acquiring banks. As such, switching services will not be added to the white list at this stage.

19 87. The Reserve Bank is in the process of finalising the white list based on the useful feedback, however the Reserve Bank has included some functions in appendix two. As part of that process the Reserve Bank also plans to seek clarification from the banks on a few suggested categories in the new year. The updated white list is expected to be consulted on along with the exposure draft later in Q1 2017. VI: Engagement Process 88. BS11 currently presumes that a core function will not be outsourced unless the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes. However, BS11 does not contain a specific process for how banks should engage with the Reserve Bank on these matters. 89. The lack of a more explicit engagement process has given rise to variability in the way in which banks engage with the Reserve Bank on their outsourcing arrangements. This prompted the Reserve Bank to propose a more explicit engagement process between banks and the Reserve Bank in the 2015 consultation. Specifically, it was proposed that banks file a short form application for non-objection on all outsourcing arrangements that are not on the “white list”. The Reserve Bank would then have 20 working days to assess the application and either provide a notice of non-objection or inform the bank that a full application is required. The short form application would contain fairly high-level information on the proposed outsourcing arrangement. 90. While some submitters proposed that ex-post notification be adopted, the Reserve Bank was concerned about the inconsistencies in the interpretation and did not think this would be appropriate. No change to the engagement process was proposed in the second consultation. 91. Submissions received in the second round raised concerns about the work involved in assessing outsourcing applications, noting that this could become quite onerous. Banks are also required to engage with the Reserve Bank on their transitional path to compliance, including agreeing timeframes for when they will become compliant with particular parts of the policy. 92. Having weighed up the options the Reserve Bank has decided on the following revisions to the engagement process, which should significantly reduce compliance costs for banks, while still meeting the objectives of the outsourcing policy: • Require banks to only submit applications to the Reserve Bank that are with or contracted through their parent or a related party; • For all arrangements with an independent party, banks must ensure that they comply with the policy requirements, but they will not require Reserve Bank non￾objection before entering into an arrangement; and • On the external review (as noted in the previous section): i. Banks obtain a yearly external review to ensure that the bank is complying with the outsourcing policy and (for the first five years) is meeting the agreed deadlines for compliance; and ii. After the first five years banks will then be required to have a three-yearly external review (where the terms of the review are set by the Reserve Bank).

20 93. It is important to note that any non-compliant arrangements must be amended ex-post. VII: Contractual Terms 94. In the 2015 consultation paper it was proposed that a number of matters were included in an outsourced arrangement, to ensure that outsourcing arrangements are robust and that functions outsourced to independent third parties, and arrangements made through the parent or a related party, will remain available following a failure. These matters include: a) a contractual provision to ensure continuing access on normal commercial terms to services when the bank enters statutory management; b) parallel rights for arrangements made through the parent or a related party to ensure continuing access to the services where the bank is separated from its parent; and c) the ability for the Reserve Bank to have access to documentation and information related to the outsourcing arrangement. 95. A list of further contractual terms, such as service levels and performance requirements and business continuity management were also included for comments. 96. It should be noted that While BS11 captures only Large Banks these contractual terms will be required to be included in all locally incorporated banks’ outsourcing arrangements. 97. Feedback was generally positive and no change was proposed in the 2016 consultation, except to note that the Reserve Bank will be consulting on a BCP policy in due course and these contractual terms may be moved to another Banking Supervision Handbook document as a part of that review. However, just recently the Reserve Bank has had some questions around the contractual terms. The Reserve Bank will work with banks to address this as part of the exposure draft. VIII: The Compendium 98. In the 2015 consultation, the Reserve Bank proposed a requirement that banks maintain a formal record of all outsourced arrangement – i.e. a compendium – to assist in the management of a failure of a bank, as part of the broader new engagement process. The compendium would be required to form part of a bank’s conditions of registration (COR), be updated and form part of the oversight and governance reviews undertaken by the board and senior management, and be maintained with the Reserve Bank. It was proposed that any new outsourcing arrangements or changes to service providers would require updating the compendium but not the conditions of registration. 99. In general, submitters supported the introduction of a compendium, although some disagreed that it would be a COR. To address banks’ concerns around breaches of COR, in the second consultation, it was proposed that the compendium be required to be updated within 5 working days of an outsourcing arrangements being entered into, and that the focus of the condition of registration would be that the bank must have a process to ensure that this requirement is met. Directors will have to attest to banks having appropriate processes in place to meet these requirements. We also proposed the following COR:

21 That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular – a) arrangements for the compendium to be updated within 5 working days of an outsourcing arrangement being entered into; and b) quarterly review of the compendium by the bank’s internal audit function to ensure it is up to date. 100. Instead of requiring the compendium be maintained with the Reserve Bank, it was proposed that banks be required to maintain the compendium in a form that is able to be set to the Reserve Bank on request. Banks would also be expected to send the compendium prior to discussions on operational risk with its supervisor. 101. In the second round of consultation, submitters were still concerned about the COR relating to the updating of the compendium. This appears to be in part due to a misunderstanding of how the COR is intended to work. 102. We note that the COR is drafted in such a way that it focuses on the bank having “appropriate process in place to maintain a compendium”. If the bank has a robust process in place but mistakenly does not update the compendium within the timeframe required by the COR, then this would not necessarily be a breach of the COR. However, if the bank were to repeatedly fail to update its compendium then it would likely show that the process in place is not adequate and may be a breach of the COR. We would clarify this further in the exposure draft. 103. On the five working day timeframe, banks have also noted that it was too short and the wording of “being entered into” is not clear enough as they may not always be notified within the timeframe that a service provider has also signed a contract, thus meaning they may unwittingly be in breach of the requirements. 104. The Reserve Bank has considered this timeframe and tends to agree that it may be too short. It will be extended from “five working days” to “twenty working days”. The Reserve Bank has also slightly amended the proposed wording of the COR to clarify with banks when the contract must be added to the compendium to minimise the likelihood of minor breaches. 105. Banks have also suggested that an internal audit of the compendium each quarter is too frequent. Some have suggested that the requirement should be annual, while others have suggested that it be done away with completely. 106. Having weighed up the submissions the Reserve Bank has decided that an annual internal audit review should provide sufficient comfort, given that there will be more oversight of the arrangements banks are entering in to. The COR would therefore be amended to: That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular – a) arrangements for the compendium to be updated within 20 working days of an outsourcing arrangement being effective; and

22 b) annual review of the compendium by the bank’s internal audit function to ensure it is up to date. 107. The meaning of “effective” will be consulted on in the exposure draft to ensure a consistent understanding across industry. IX. Separation Plan 108. In the 2015 consultation, the Reserve Bank sought feedback on a requirement that banks captured by the outsourcing policy prepare a separation plan - the purpose of which was to describe the processes a bank would have to undertake in the event that the parent fails, or that the NZ bank is separated from its parent. It was noted that the separation plan should not assume that the bank goes into wind-down in the event of separation. Rather, the plan should assume that the bank continues to operate on a business-as-usual basis, meeting the outcomes of the policy and providing basic banking at a minimum. 109. More specifically, it was proposed that the separation plan should set out how the bank will, from the day of being placed into statutory management and, if necessary, indefinitely thereafter: a) execute its clearing, settlement and payment obligations; b) monitor and manage its financial risk positions; c) manage the operational responsibilities for the separation; d) ensure parallel rights for the New Zealand bank are available for functions outsourced through the parent or a related party; e) set out robust alternative arrangements for systems that are owned or controlled by the parent or a related party; f) set out how the back-up capability will be switched over, including the timeframes; and g) set out how the bank will meet the outcomes of the outsourcing policy. 110. It was also proposed that the separation plan should set out the timeframes in which all processes have to be completed and which staff members are responsible for taking these actions, including a clear chain of command and a communications plan. 111. Most submissions received were supportive of the proposal, although some queried its design and the function it was envisaged to cover. The 2016 consultation sought to provide further clarifications on that requirement, by stressing the need for Board and senior management approval, given the key strategic role the separation plan would play in assisting to manage the separation of the parent and the subsidiary in a failure event. Banks will be required to seek Reserve Bank non-objection to their separation plan before it can be finalised.

23 112. While some submitters suggested that the separation plan should only cover basic banking services, the Reserve Bank has noted the importance of the separation plan in achieving other outcomes of the outsourcing policy, and continued to believe that it should cover all outcomes required to be achieved for the outsourcing policy. The Reserve Bank has therefore clarified that the separation plan would be required to set out how the bank would, from the day of being placed into statutory management and, if necessary, indefinitely thereafter: a) meet the required outcomes of the outsourcing policy; b) manage the operational responsibilities for the separation; c) ensure that the contractual obligations (discussed in the next section) are included in all functions that are outsourced through the parent or a related party; and d) set out how the alternative arrangements for backup arrangements would be operationalised following a separation. 113. Some submitters also sought clarification as to what was envisaged by “operational responsibilities”. This was clarified in the 2016 consultation paper, where it noted that for this requirement the Reserve Bank expects banks to prepare: a) a list of the functions or services that each bank would be required to maintain post a separation from its parent; b) which position title is responsible for each service or function; c) a description of how the separation of the function will take place; and d) the time in which the separation can be undertaken. 114. The Reserve Bank also notes that the separation plan would be required to be tested on an annual basis (i.e. every 12 months, not once within a calendar year). 115. The Reserve Bank is now in the process of reviewing several draft separation plans that have been received, and plan to provide feedback to banks in due course. X. Transition path to compliance 116. The 2015 consultation paper proposed a two and a half year transition path to compliance for banks, made up of a 6 month planning period and two further years to reach compliance with the revised policy. 117. Following submission feedback that suggested a longer transition path, the 2016 consultation paper proposed a five year transitional path to compliance. The Reserve Bank considers that five years would be sufficient on the basis that most contracts for outsourcing arrangements roll over on a two to three yearly period, so extending the transitional path to five years should provide a sufficient period for banks to comply with the revised policy. 118. Submitters welcomed the extension of the transition period, nothing that this would reduce costs and assist in managing the transition for a number of arrangements. 119. They have, however, requested that the Bank retain some flexibility in the ability to extend the transition path to compliance for banks where the arrangement may be

24 particularly complex and where limited specialist resources may be required. The Reserve Bank considers that it can retain this type of flexibility, but that it should only be used on an exceptional basis and the bank must have demonstrated that they have been working towards compliance with the revised policy. XI. Threshold 120. Outsourcing currently applies to all locally incorporated banks whose NZ liabilities, net of amounts due to related parties, exceeds NZ$10 billion. At the time the threshold was set it focused on “systemically important banks” given that they presented the greatest risk of causing significant damage to the financial system if they failed. 121. Since the introduction of BS11 in 2006, the Bank has implemented the OBR Policy, a tool that manages bank failures. The threshold for the OBR policy is set at any locally incorporated bank with retail funding over NZ$1 billion. This is a lower threshold than BS11, reflecting the fact that smaller institutions would likely benefit from pre-positioning on the grounds that a more orderly resolution of a failure event may be preferable even in scenarios in which systemic concerns may be more limited. 122. When reviewing BS11, the Reserve Bank considered there was a case for reviewing the threshold for the outsourcing policy given the relationship between outsourcing and the continuation of essential bank services during times of financial distress. With this in mind, the 2015 consultation paper sought feedback on the following two options: • retaining the existing threshold of NZ$10 billion in liabilities, net of amounts owed to related parties; or • aligning the outsourcing threshold with the threshold for OBR pre-positioning, being NZ $1 billion in retail funding. 123. There were diverging views on the two options. Supporters of lowering the threshold noted that this would recognise that a smaller banks’ failure could equally impact on the soundness of the banking sector, and that it would create a more level playing field and a more consistent and secure outcome for customers. Those against lowering the threshold noted that were concerned that it would result in placing undue compliance costs on smaller banks. In turn, they suggested that an alternative may be to strengthen the requirements under OBR for smaller banks. 124. On balance, the Reserve Bank concluded in the second consultation paper that it would retain the existing threshold for BS11, to maintain the focus on systemically important banks only. The Reserve Bank also agreed that there was a case to strengthen BCP requirements for all banks. The Reserve Bank plans to consult on a BCP policy for all banks in due course, which would likely also cover the contractual terms (discussed later) as they were expected to apply to all banks. General comment section 125. The Reserve Bank notes that the joint submission of the Australian-owned banks reflected to varying degrees the comments made by those banks in their individual submissions. The joint submission argued that the outsourcing policy ought to be flexible, that there should be a separate policy focused on resolution, and that the outsourcing policy development should be halted to allow for the IMF’s FSAP recommendations to be considered.

25 126. The joint submission further argued that the Reserve Bank should have a coordinated approach with Australia which focuses on a Single Point of Entry (SPE) resolution strategy that keeps the group intact, as well as a Multiple Point of Entry (MPE) resolution strategy where “separation of the New Zealand subsidiaries could be considered”. 127. The Reserve Bank notes that our outsourcing policy has always been outcomes-focused and that is less prescriptive around how banks must meet the policy than similar policies of other regulators. For example, the Reserve Bank’s outsourcing policy does not distinguish between arrangements with providers based on their location. There is no New Zealand preference as to where a provider or functionality may reside. This seems to have been misunderstood by some respondents who erroneously assumed that back￾up arrangements would have to be located onshore. This is not the case and the focus is on the legal and practical control that the New Zealand bank has over the back-up arrangement. 128. The Reserve Bank was somewhat surprised by the envisaged detail of the SPE and MPE proposal and believes that it might be based on a misunderstanding of the OBR process. The SPE/MPE proposal was also separately made by a consultancy report submitted by one of the banks. That document seems to advocate using the bail in of New Zealand creditors as per OBR to bail out the Australian parent bank via a SPE joint Australian/New Zealand recapitalisation. It is not clear to the Reserve Bank why a bail in of a bank’s New Zealand creditors would be used for a SPE recapitalisation at parent level which gives no guarantee that the funds would flow through to the New Zealand subsidiary and seems to ignore the depositor preference that exists in Australia. 129. The IMF’s FSAP review will provide important feedback on New Zealand’s broad financial regulatory framework, but the review does not specifically address the outsourcing policy. Submitters’ arguments to pause the outsourcing review subject to completion of the FSAP were not seen as relevant. 12 Trans-Tasman Legislation 130. The joint Australian-owned banks submission and some other individual submissions also suggested that the Reserve Bank should consider changes to the trans-Tasman cooperation provisions with the the Act, the (Australian) Banking Act and the Australian Prudential Regulatory Authority Act. In particular, it was proposed to expand the existing trans-Tasman co-operation section. 131. The Reserve Bank notes that amendments have already been made to these three Acts in 2006 to provide a level of assurance that respective regulators would not, to the extent practicable, take action that is likely to have a detrimental effect on financial system stability in either jurisdiction. “Action” specifically includes interference with any outsourcing arrangement. This work was undertaken by the Reserve Bank of New Zealand, New Zealand Treasury and Australian Treasury. 132. The Reserve Bank has carefully reviewed these amendments in light of the feedback, including seeking legal advice and engaging with external parties, and found that the trans-Tasman framework is advanced by international standards, especially for two separate sovereign nations. 133. However, the legislative provisions leave gaps: 12 http://www.rbnz.govt.nz/-/media/ReserveBank/Files/Publications/Bulletins/2016/2016apr79-7.pdf

26 • The first is that the provisions relate to actions by APRA not those of the Australian parent banks themselves. The provisions do not replace the need for a New Zealand bank to have robust back-up arrangements in the scenario that its Australian parent can simply no longer provide critical services or is unwilling to do so. • In a crisis, authorities may have to take action before they can consult with their counterparts because any delay could cause further damage to the financial system. • The interests of Australian and New Zealand authorities may diverge in times of crisis. An action that is beneficial for one jurisdiction may have adverse impacts of the other.13 • A legislation solution could be unwound in the future at which point it may be significantly more costly to re-introduce an outsourcing policy than to revise the existing policy now (because of possible increased integration across banking groups). 134. Finally, an outsourcing policy should not necessarily focus on the trans-Tasman dimension. While at present all major overseas-owned banks in New Zealand have Australian parents, this has not always been the case and it should not be assumed it will continue to be so. It is important for a country, such as New Zealand, where the financial system is largely foreign-owned, to have a robust outsourcing policy that aims at minimising the disruption caused by interrupted provision of services or failure of its parent. 135. The Reserve Bank notes that without the existing legislation the outsourcing policy would be a lot more stringent. 136. The Reserve Bank also notes that extensive discussions have been held with New Zealand and Australian agencies on this proposal. Master Service Agreement (MSA) 137. During the second round of consultation, some submitters have suggested that strengthening the contracts between the parent banks and their subsidiaries could provide sufficient comfort to ensure that outsourced services would continue in a separation. 13 The 2004 consultation preceding the original outsourcing policy stated: “In an extreme case, the stress affecting one or both parties may be so severe that one or both parties in statutory management. In the case of a service provider being in statutory management, the directors’ legal ability to control systems such that the bank can be operated in a stand-alone basis will need to be robust to the actions of the provider’s statutory manager, whose obligations and duties may directly conflict with the best interests of the New Zealand bank (especially if the service provider is itself a financial institution)”.

27 138. The Reserve Bank has reviewed the MSAs that have been received as part of the 2014 outsourcing stocktake, and have some concerns about particular provisions in them. In particular, the current MSAs contain provisions that neither parent nor the subsidiary will be liable to the other for the failure or delay in the performance of their obligations if this is due to a Force Majeure Event. A Force Majeure Event generally includes a restriction of, requirement of or failure to act by a government or quasi-government entity. This means that currently a parent can withhold a service to a subsidiary that is captured under the MSA if an Australian Minister or APRA direct them not to provide the service. 139. While the Reserve Bank would not necessarily expect APRA or an Australian Minister to ask for non-performance in a failure, a failure might reveal differences of opinion, including different priorities. For example, if the parent is in difficulty and has significant issues to deal with, it might not be in its immediate interest, or it might not have the resources to devote to the continuation of services to its formal subsidiary. 140. The Reserve Bank has concluded that there are therefore areas where the current MSAs could be strengthened, to better ensure that services would continue to be provided in a separation. This would include potential removal of certain provisions under the Force Majeure Event. The Reserve Bank would also likely need to see a more formal process in place for how services would continue to be provided in the event of a separation. 141. However, while MSAs should be amended, if the services were not provided the contract would need to be enforced in court. Any form of court action would likely take time to resolve, by which stage damage to the New Zealand bank could have already been realised. 142. Therefore, strengthened MSAs could not fully substitute for the outsourcing policy, where the most critical functions back up functionality would still be required to ensure that the bank can meet its obligations under OBR and reopen at 9am on the day after being placed into statutory management. As a result, the Reserve Bank’s view is that MSAs should be strengthened where possible, but banks will continue to subject to the outsourcing policy, and specifically the requirement that the bank has to be able, where required, to reopen at 9 a.m. as a standalone entity. Costs 143. The Regulatory Impact Statement (RIS) prepared by the Reserve Bank includes a qualitative assessment of the pros and cons of the proposed revisions to the outsourcing policy as well as a quantitative analysis of its costs and benefits. Naturally, the quantitative analysis has had to rely on a number of assumptions and was limited to the items that could be quantified and monetised. Although appropriate sensitivity analysis was carried out, the estimated net benefit should be seen as indicative only. 144. Due to the strong support the outsourcing policy provides to the OBR policy, the net benefit of the outsourcing policy has been calculated jointly with that of the OBR policy. In practical terms this meant adding a cost item to the OBR cost benefit analysis the Reserve Bank undertook in 2012. It should be noted that the Reserve Bank also updated some of the parameter assumptions of 2012, including the discount rate which, following Treasury guidance has been lowered to 6 percent from a previous 10 percent.

28 145. A key input into the CBA has been the cost estimates supplied by banks. The Reserve Bank stressed the importance of reliable and detailed cost estimates from the beginning of the policy consultation process. Banks submitted high-level cost estimates in the first round of consultation that ranged from $10 million to $400 million in upfront (capital) costs and up to $60 million on-going (annual) costs. The estimates were useful input for helping Reserve Bank consider how to reduce compliance costs for the proposals. However, the following are reasons why Reserve Bank believed the true compliance costs would likely be lower than what some banks stated: • Some banks included the costs of in-house functions which were not included in the list of prohibited functions in the August 2015 proposals. The rationale was that if some currently outsourced services are required to be brought back in￾house under a new BS11, then it is more cost effective for them to also bring back other outsourced functions not captured by the prohibition. In the Reserve Bank’s view, such additional costs are due to business decisions previously taken that may not always have been aligned with the policy intentions of the current outsourcing policy and that they are therefore not regulatory compliance costs. • Some banks also appeared to have assumed that some functions would be brought in-house and did not consider potentially more efficient third-party solutions. • At least some of the cost estimates appeared to be gross cost estimates rather than costs net of benefits. For example, some banks, when they considered the policy would require them to in-house functions currently provided by their parent, did not account for the reduced fees they would then pay to their parent.14 To the extent that there are currently marginal costs to the parent for providing these services to subsidiaries reductions in fees should be included in net cost estimates. • Most cost estimates were at a high level and could probably be reduced following a more granular assessment of the requirements. • The estimates appeared to include the costs of arrangements that are already captured under the current BS11 or OBR policies. 146. Most banks revised their cost estimates in the second round of consultation. While there was some more detailed breakdown of cost estimates, most remained at a high level, with one bank in discussions with the Reserve Bank describing theirs as “orders of magnitude” that included some conservative assumptions because IT projects tend to have cost overruns. Estimates of upfront costs now ranged from $10 million to $300 million and estimates of on-going costs from $12.75 million to $52 million. 147. One bank submitted a more granular breakdown of its costs, making theirs the most constructive cost estimate. The two banks that sent in the most high-level estimates were also the two with the highest cost estimates. 14 All cross-border transactions between associated parties for services are for tax, and other regulatory compliance, purposes on an arm-lengths basis.

29 148. Most cost estimates made it difficult for the Reserve Bank to determine what functionality or systems the suggested costs related to. This complicated the Reserve Bank’s analysis because it was often not possible to tell what proportion of the cost estimates related to true incremental costs of the proposed changes to BS11. The issues with the cost estimates the Reserve Bank received in the first round consultation therefore remained largely unaddressed. 149. The Reserve Bank had its judgements on banks’ cost estimates verified by external IT and banking consultants. The consultants equally struggled to obtain a better understanding of banks’ cost estimates given their high level nature. However, similar to the Reserve Bank’s observations, the consultants confirmed that the majority of banks’ cost estimates seemed to be due to a misinterpretation of the existing BS11 and were therefore not new, incremental compliance costs. The consultants also observed that banks’ estimates were overly focused on technical solutions and did not consider more efficient business solutions that may exist. An example of such a business solution may be a restructuring of arrangements with a parent so that the New Zealand subsidiary has full legal and practical control of the service. 150. As mentioned, one bank did provide a fuller breakdown of their cost estimates that set out what individual systems would be affected alongside the associated upfront costs. This allowed the Reserve Bank to look at each of these system changes individually and determine whether or not they represented costs that are incremental to the policy proposals or something that the bank should have already been doing. 151. A large fraction of the costs the representative bank included were for functions it would not be required to provide under the new policy. Additionally, the bank attributed some of its cost estimate for complying with the revised BS11 to systems and functions it had previously begun work on for compliance with the existing BS11 policy (and to the best of the Reserve Bank’s knowledge this work started before the review of BS11 began). 152. Eliminating those costs that relate to systems not required to be amended due to the policy proposals leads to a significantly lower cost estimate for this bank. In doing so, the Reserve Bank made conservative assumptions. If it was not clear whether a system was covered by the policy or a cost was new, the Reserve Bank erred on the side of caution and included those costs. 153. This approach led to that particular bank’s upfront cost estimate being reduced by 65 per cent. The bank did not provide a breakdown of its total on-going costs but the Reserve Bank thought it would be reasonable to scale the estimate of on-going costs by the same factor, i.e. a reduction of 65 per cent.15 154. To the extent that the Reserve Bank was able to carry out similar analysis on other banks’ cost estimates the results indicated that it would be reasonable to apply similar reductions. Similar to the representative bank, other banks appear to have included costs for functionality outside the scope of the revised policy or for functionality that the bank itself stated was for meeting existing BS11 obligations. 15 The scaling factor is 0.3541

30 155. Given that the bank that provided the better breakdown is fairly representative of the sector, its incremental compliance costs were taken as representative for the other affected banks, too. Hence they were multiplied by five. Using this kind of extrapolation gives a net present value figure of $550 million for the costs to industry as a whole.16 There is significant conservatism built into this approach since two of the five banks’ cost estimates were significantly below those of the other three banks. 156. One could argue that when extrapolating the revised cost figures of the representative bank to the other banks one might want to scale them for differences in size (e.g. if a bank has say a balance sheet higher or lower than the size of our representative bank, one should scale the estimate accordingly). It was found that this would not materially change the overall estimate. It should also be noted that much of the outsourcing policy costs are likely to be of a fixed nature and may not vary greatly by balance sheet. 157. The Reserve Bank further assumed that the upfront costs for banks would be evenly spread over the five-year transition period and used a discount rate of 0.0617 (as per Treasury guidelines). Furthermore, and again to err on the side of caution, it was assumed that banks would incur the full on-going costs immediately (which is conservative). 158. This industry cost estimate of $550 million in net present value terms compares with an estimate of costs by banks of around $870 million calculated under the second approach. This consists of approximately $670 million in upfront costs and a $200 million allowance for on-going costs. Due to the lack of reliability and detail on the two widely differing on-going cost estimates that were submitted, the Reserve Bank had to make an assumption to reflect a compliance cost figure in NPV terms. The Reserve Bank’s reasons for questioning the reliability or accuracy of some of these high-level cost estimates are stated above. Nevertheless, the Reserve Bank acknowledges that banks view the revised outsourcing policy as having significant cost implications. The sensitivity analysis around the Reserve Bank’s central net benefit scenario includes a high end estimate of costs based on banks’ estimates taken at face value. 159. Arguably, the Reserve Bank should have revised the $870 million figure downwards to account for the inclusion of out of scope systems/functionality in banks’ cost estimates. However, it was decided to make as few adjustments to the numbers as possible given the inconsistency in the level of granularity of banks’ estimates and to calculate a conservative upper band of the range of cost estimates. 160. The Reserve Bank’s central scenario based on an industry cost estimate of $550m produces a net benefit from OBR and outsourcing of $2.2 bn. 161. The higher cost figure reduces this net benefit to $1.9 bn. Both figures are higher than the 2012 OBR net benefit, which is mainly due to the change in the discount rate from 10 to 6 per cent. As stated above, these figures should be interpreted with caution. However, they provide an indication of the size of the net benefit expressed in monetary terms. Further information is available in the accompanying Regulatory Impact Statement. 16 To calculate the net present value of costs the following formula was used: 𝑁𝑁𝑁𝑁𝑁𝑁 𝑝𝑝𝑝𝑝 𝑣𝑣𝑣𝑣𝑣𝑣𝑣𝑣 𝑜𝑜𝑜𝑜 𝑐𝑐 = $550 𝑚𝑚𝑚𝑚 𝑚𝑚 = 5�1 5 𝑟𝑟 𝑐𝑐 1.06𝑡𝑡 𝑡𝑡=4 𝑡𝑡=0

• 5 𝑟𝑟 𝑜𝑜 𝑜𝑜𝑜𝑜 𝑜𝑜 𝑐𝑐 0.06 17 Treasury’s suggested default discount rate as of October 2016. Source: http://www.treasury.govt.nz/publications/guidance/planning/costbenefitanalysis/currentdiscountrates, accessed 24 November 2016.

31 162. Finally, the Reserve Bank considers that affected banks are in a position to absorb the sizeable investment without material adverse consequences for their profitability or ability to innovate. The Reserve Bank concludes that the impact on the competitive landscape will be limited. The central cost figure equates to around 2.8 percent of these banks’ cumulative profits over the last five years. Furthermore, there is no indication that those banks that are already better placed to comply with the revised policy by being more operationally independent are less profitable. PART FIVE: POLICY EVOLUTION AND IMPORTANCE OF STAKEHOLDER FEEDBACK 163. This section covers the evolution and importance of stakeholder feedback on the policy proposals for the outsourcing policy. Throughout the lengthy consultation period the Bank has had numerous discussions with stakeholders. These discussions have shaped our policy thinking considerably. 164. The changes listed below are based on direct feedback from banks and provide lower cost alternatives to the original proposals, but still allow the objectives of the outsourcing policy to be met. The changes are as follows: • We had originally proposed that certain critical functions could not be outsourced to a parent or a related party. Following stakeholder feedback the policy will instead be requiring that the New Zealand bank have robust back-up functionality for functions that are outsourced to a parent or a related party. This was a part of the 2006 outsourcing policy, but our expectations of what was expected from back￾up capability were not explicitly stated; • We had originally proposed that all back-up capability must be able to be up and running from 60 minutes after a separation. Following stakeholder feedback the Reserve Bank has extended this to 4 hours, or 9am the next business day, depending on which outcome is affected; • The policy proposals had originally proposed to have monthly testing on back-up capability. Following stakeholder feedback the Reserve Bank will be amending this to annual testing; • An option of lowering the threshold outsourcing to align with OBR given the interaction of the two policies was included. Stakeholder feedback was mixed on this, however it was decided on balance to maintain the existing threshold; • The Reserve Bank had proposed to include new trade finance, letters of credit and foreign currency transactional, savings and term deposit accounts from the definition of basic banking services. It was decided not to include these services in the definition; • One submitter asked for institutional customers to be excluded from the definition of basic banking services on the basis that they either have, or are able to get, services from other banks. Having weighed this up the Reserve Bank decided to exclude the bespoke services used by those customers from the definition of basic banking services, meaning that these customers would have access to the same services as other customers, but not anything more;

32 • The consultation originally proposed a limited white list of functions that are not relevant for the outsourcing policy. Having considered submission feedback it was decided that the policy will have an extended white list, including certain categories of software; • The policy had proposed to require banks to seek Reserve Bank non-objection on all outsourcing proposals that were not on the white list. Following submission feedback the policy will now require notification for arrangements that are with or through the parent or a related party; • Originally banks would have been required to submit their compendiums whenever a new function is added to them. Following feedback the policy will instead require that banks send in an updated compendium of outsourced arrangements before meetings with the Reserve Bank on operational risk (which are generally conducted annually); • Instead of making a condition of registration for updating the compendium within a required time, the policy will now set the condition of registration against the process for updating the compendium; • The transitional path to compliance with the requirements of the updated policy was originally proposed to be conducted over a two and a half year period. Following feedback this was extended to five years, which will provide better alignment with when contracts normally rollover so the renegotiation is not done outside of normal business practices. 165. As a result, key features of the final policy proposal for the outsourcing policy is summarised in Appendix One (as compared to the existing BS11 policy). PART SIX: NEXT STEPS 166. The Reserve Bank has concluded its consultations on the outsourcing policy. The Reserve Bank again thanks all submitters and stakeholders for their constructive comments during the two rounds of consultations, which have helped improve the policy decisions. 167. The Reserve Bank intends to release an exposure draft of the revised outsourcing policy later in Q1 2017 for consultation on the drafting and workability of the policy. Following that it is anticipated that the revised policy will be in place in Q2 2017.

33 Appendix One: Key Features of Final Policy Proposal (as compared to current BS11) Final proposal for the outsourcing policy Existing Outsourcing policy 1 Threshold Large banks - NZ$10 billion in liabilities, net of amounts owed to related parties Large banks - NZ$10 billion in liabilities, net of amounts owed to related parties 2 Definition of outsourcing A registered bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that could be undertaken by the registered bank, now or in the future No explicit definition for outsourcing, although para A3 refers to outsourcing arrangements as those specified in section 78(1)(fb) in the RBNZ Act, i.e. “arrangements for any business, or functions relating to any business, of the applicant or registered bank to be carried on by any person other than the applicant or the registered bank. 3 Objectives The outsourcing policy would require a bank to ensure the outsourcing would not compromise the ability of the bank to: a. Be effectively administered under statutory management for the purposes of maintaining the bank’s ability to continue to provide and circulate liquidity to the financial system and the wider economy; b. Be in a position to enable any new owner of all or part of the bank to carry on the basic business of the bank; and c. Address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank. Not explicitly stated. However - In para B10, it states that “the outsourcing policy … requiring that a Large Bank’s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank. Para B13 also states that “…the most time-critical, “core” bank functions…must be continued under normal business conditions in order to maintain the soundness and efficiency of the financial system. In the event of a failure of a bank or of a service provider to a bank, these functions must also be continued without material interruption, in order to avoid significant damage to the financial system”. 4 Outcomes a) The bank is able to continue to meet its daily settlement and other time-critical obligations, before the start of the value day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system; b) The bank is able to monitor and manage its financial market positions, including credit and market risk positions, before the start That the bank has legal and practical ability to control and execute any business, and any functions relating to any business, of the bank that are carried on by a person other than the bank, sufficient to achieve, under normal conditions and in the event of stress or failure of the bank or of a service provider to the bank, the following: a) that the bank’s clearing and settlement obligations due on a day can be met on that

34 of the value day after the day of failure and thereafter, thereby limiting further damage to the bank’s balance sheet; c) The bank has at hand the systems and balance sheet data necessary for the New Zealand authority to have available on the day of the failure a range of options for managing the failed bank, on the first value day after the day of failure and thereafter; d) The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines as defined in “basic banking services”) and account activity reporting, on the first value day after the day of failure and thereafter; e) Where a bank is part of an overseas banking group, the bank is able to meet outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent every day thereafter day (before the start of the value day after the day of failure and thereafter) b) that the bank’s financial risk positions on a day can be identified on that day (before the start of the value day after the day of failure and thereafter); c) that the bank’s financial risk positions can be monitored and managed on the day following any failure and on subsequent days (first value day after the day of failure and thereafter); d) that the bank’s existing customers can be given access to payments facilities on the day following any failure and on subsequent days (first value day after the day of failure and thereafter) 5 White list – functions not relevant for the outsourcing policy See the 2016 consultation paper. An extended white list will be consulted on when the exposure draft is expected to be released in Q1 2017. No white list 6 Definition of basic banking services The key retail and business services that bank customers typically rely on, where the disruption or sudden discontinuation of the function would be likely to have a material negative impact on a significant number of third parties that rely on such services and lead to contagion effects, including significant adverse effects on market confidence Services captured by the definition include: • Transactions accounts or similar products used by individuals and businesses for their transactional, every day banking needs. A bank must be able to continue to provide ATM services, given the importance of cash in times of a crisis, e.g. a major earthquake. In addition, customers should be able to access their accounts through at least two of the most commonly used channels. No definition of basic banking services except outcome (d) refers to “the bank’s existing customers can be given access to payments facilities on the day following any failure and on subsequent days”.

35 • Savings accounts and term deposits accounts, which are usually held by individuals and entities who also engage in transactional banking. These deposits are either on-call or mature on a regular basis and are an integral part of individuals and businesses’ common banking needs. • Lending services to individuals and businesses, such as credit cards, overdraft facilities, revolving credit facilities, existing mortgage commitments (including pre￾approvals) and mortgage facilities. • Account activity reporting for the relevant accounts individuals and businesses hold. • Payment, clearing and settlement services, such as credit card/merchant acquiring services and agency arrangements (including financial market infrastructure (FMI) access for smaller banks). The bespoke systems used by institutional customers, once clearly defined, are also likely to be excluded from this definition. 7 Back-up capability Banks would need to have robust and sustainable back-up arrangements for their core functions, should they decide to outsource them to a parent or related party. The requirements are: • There is no capability to permanently lose transactions. The timeframe on what is meant by “permanently” would be consulted as part of the exposure draft. • The switch over would be delivered within 4 hours – for functions related to outcomes (a), and (c) (plus (e) to the extent that it is applicable). • The switch over would be delivered by 9am the day the bank is due to reopen (i.e. the day after being placed into statutory management) – outcomes (b) and (d) (plus (e) to the extent that it is applicable). • The contingency arrangement is sustainable, in that it could be deployed as the primary mechanism, on an on-going and fully automated basis, to deliver the No specific requirement, except in para D31 it states that “the Reserve Bank’s presumption is that a core function … will not be outsourced, unless the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes, or is substitutable by other functions that are not outsourced. Para D32 states that “for some core functions, an outsourcing arrangement with an independent party might be acceptable, provided that the arrangement featured strong mitigants to the risks to the bank’s legal and practical ability to control and execute the function. Such mitigants might include contractual mechanisms which mimic to the extent possible the substance of an in-house arrangements (e.g. with rights for the bank to “step in” in the event of technical or financial failure of the provider, BCP and regular testing requirements on the provider, explicit exclusion of statutory management of the bank from the definition of default events for the purposes of the contract, requirements that the provision of service be conducted from a location within or close to New Zealand, etc).

36 outsourced function with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation (for example, a quick switch over and transactions are lost). • Testing is conducted on annual basis in a live simulation environment that mirrors the live environment to ensure that the back-up arrangement would work as intended. Separate to this, banks are required to ensure that changes made to the live environment will also be made in the simulation environment. • External review is conducted at least every three years to ensure the arrangement remains robust. However, annual external audit is required during the five-year transitional period. • The bank must have direct ownership and control over the standby system. This does not necessarily mean that the system needs to be located in New Zealand, but that the NZ locally incorporated bank should have the legal and practical ability to control the standby system (i.e. that they own the system (or have a direct relationship with the third party provider for that system) and the data that is required to use it). This backup arrangement cannot be provided by a related party if the system is outsourced. Para D35 states that “for core functions, the Reserve Bank’s presumption is that the relevant staff and data would be maintained in-house, whereas it might be acceptable for certain systems to be outsourced if the Reserve Bank were satisfied that the systems would not be needed in the aftermath of a failure, 8 Engagement Process A more explicit engagement process where • Banks are required to submit short form applications to the Reserve Bank that are with or contracted through their parent or a related party; • For all arrangements with an independent party banks must ensure that they comply with the policy requirements, but they will not require Reserve Bank non-objection before entering into an arrangement; and • On the external review: i. Banks obtain a yearly external review to ensure that the bank is complying with the outsourcing policy and (for the first No explicit engagement process is specified in the existing policy, except that regarding “core functions”, “banks can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes, or is substitutable by other functions that are not outsourced” (para D31).

37 five years) is meeting the agreed deadlines for compliance; and ii. After the first five years banks will then be required to have a three-yearly external review (where the terms of the review are set by the Reserve Bank). 9 Compendium A new condition of registration for banks: That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular a) Arrangements for the compendium to be updated within 20 working days of an outsourcing arrangement being entered into; and b) Annual review of the compendium by the bank’s internal audit function to ensure it is up to date. No requirement for compendium 10 Separation Plans Banks are required to prepare a separation plan that set out how the bank would, from the day of being placed into statutory management and, if necessary, indefinitely thereafter: a) Meet the required outcomes of the outsourcing policy; b) Manage the operational responsibilities for the separation; c) Ensure that the contractual obligations (discussed in the next section) are included in all functions that are outsourced through the parent or a related party; and d) Set out how the alternative arrangements for backup arrangements would be operationalised following a separation The current policy assumes that a bank can operate independently from its parent which would assume a plan for operating separately, however it was not an explicit requirement. 11 Contractual Terms A number of matters such as the following are required to be included in outsourcing arrangements to both third and related parties: • a contractual provision to ensure continuing access on normal commercial terms to services when the bank enters statutory management; Para D36 states that “a Large Bank would be expected to manage and document any outsourcing arrangement for the provision of a function (or for supporting systems, staff or data) according to commercially reasonable “arm’s length” practice, whether the service provider is a related party or not. In general, the Reserve Bank would expect documentation to be clear on the rights and obligations of each party to the contract and on service levels and pricing, to a level

38 • parallel rights for arrangements made through the parent or a related party to ensure continuing access to the services where the bank is separated from its parent; and • the ability for the Reserve Bank to have access to documentation and information related to the outsourcing arrangement. commensurate with the function’s time-criticality, materiality and substitutability. Para D32 states that “for some core functions, an outsourcing arrangement with an independent party might be acceptable, provided that the arrangement featured strong mitigants to the risks to the bank’s legal and practical ability to control and execute the function. Such mitigants might include contractual mechanisms which mimic to the extent possible the substance of an in-house arrangements (e.g. with rights for the bank to “step in” in the event of technical or financial failure of the provider, BCP and regular testing requirements on the provider, explicit exclusion of statutory management of the bank from the definition of default events for the purposes of the contract, requirements that the provision of service be conducted from a location within or close to New Zealand, etc).

39 Appendix two: Options for the revised white list – will be part of the exposure draft consultation

1. Telecommunication services, equipment and public utilities (including predictive diallerand automated voice recording services);
2. Discrete advisory services (e.g. legal opinions, certain client-related investment advisory services that do not result directly in investment decisions);
3. Share, domestic note and bond registry and management services;
4. Securities trading agent/provider;
5. Sales, promotional and direct marketing products and activities;
6. Sponsorship, brand or promotional arrangements;
7. Fleet leasing services;
8. Rental property leases;
9. Temporary help and temporary contract personnel;
10. Generic or specialised recruitment and training services, and other incidental human resources related to these activities;
11. Repair, support and maintenance of fixed assets (whether owned or leased);
12. Security system, premises access and guarding services;
13. Market information and data services (e.g. Moody’s, Bloomberg, Standard and Poor’s, Fitch, Reuters or equivalent), including market research and analysis services;
14. Title search and security/collateral registration services;
15. Real estate appraisal and valuation services;
16. Reference and background check services;
17. Debt collection;
18. Production of plastic cards and cheques;
19. Custodial services;
20. Sales and distribution arrangements such as mortgage brokers, financial planners andother commission-based arrangements;
21. Certain categories of software (as defined below): a. Proprietary software or software licensed in perpetuity with no termination rights that is hosted on the New Zealand bank’s systems, and there is no reliance on a third party for support or maintenance (other than for routine standard support

40 offering from the software vendor); b. Licensed software (term or subscription) that is hosted on the New Zealand bank’s systems, is licensed to the New Zealand bank directly, there is no reliance on a third party for support or maintenance (other than for routine standard support offering from the software vendor), the provider does not have termination rights in a crisis event, and either: i. could be transitioned to an alternate provider; or ii. has escrow arrangements for source code. c. Licensed software that is licensed directly to the New Zealand bank to the extent it exclusively relates to one or more white listed functions; d. Support or maintenance of either proprietary or licenced software that is licensed to the New Zealand bank directly to the extent it exclusively relates to one or more white listed functions. 22. Fraud and forensic detection and monitoring services; 23. Agency and trustee arrangements for: a. treasury programmes; and b. syndicated loan facilities. 24. Wealth and insurance functions 25. Data mining, customer surveying and rewards programmes for marketing purposes; 26. Data matching services, including personal information matching, valuation data and credit reporting; 27. Internet and network security services, including penetration testing; 28. Sanctions filtering systems; 29. Annual renewals or rollovers of a contract with an independent third party which confirms the commercial terms only; 30. Variations to contracts with independent third parties where only the commercial terms only are being varied.