Final consultation paper on the outsourcing policy for registered banks

Consultation paper: Revised policy proposals for the review of the outsourcing policy for registered banks The Reserve Bank invites submissions on this consultation paper by 12 August 2016. Submissions and enquiries about the consultation should be addressed to: Victoria Learmonth Prudential Supervision Department PO Box 2498 Wellington 6140 Email: Victoria.Learmonth@rbnz.govt.nz Please note that a summary of submissions may be published. If you think any part of your submission should properly be withheld on the grounds of commercial sensitivity, or for any other reason, you should indicate this clearly. 23 May 2016

2 Part one: introduction

1. The Reserve Bank’s outsourcing policy (BS11) was introduced in 2006. The current outsourcing policy adopts an outcomes-focused approach that sets out a range of outcomes that banks need to be able to deliver on an on-going basis. It currently applies to any locally incorporated bank whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion (a “Large Bank”). In 2014 the Reserve Bank undertook a stocktake of banks’ outsourcing arrangements, which found that banks had inconsistent interpretation and application of the existing policy. Following that, the consultation paper Review of the outsourcing policy for registered banks1 was released in August last year.
2. This paper provides a high level summary of the submissions received on the consultation paper, which closed on 4 December 2015. It discusses the Reserve Bank’s responses to the comments made by stakeholders, including those from the submission process and subsequent bilateral discussions. It also sets out further options on a number of aspects that the Reserve Bank would like to receive feedback on before finalising the outsourcing policy. The Reserve Bank has made a number of policy proposals that particularly address key elements of the policy that have been the focus of stakeholder feedback.
3. Before and during the consultation period, the Reserve Bank has emphasised that the proposed outsourcing policy seeks to provide a better alignment with the Open Bank Resolution (OBR) policy, as well as to clarify a number of aspects of the existing outsourcing policy.
4. In developing the policy considerations, the Reserve Bank balances the valuable role outsourcing plays in the operation of a bank and the importance for the bank to have in place a comprehensive and robust risk management framework to manage its own, and wider, systemic risks. There are benefits to banks from outsourcing certain functions in order to, for example, take advantage of new technologies and innovation and make use of specialist expert entities. It is recognised that, being in a small country, New Zealand banks do not necessarily always have ready access to such specialist resources. The efficiency benefits were discussed in the 2015 consultation and reflected in the proposals. For example, in the 2015 proposal the Reserve Bank has not specified that service providers have to be based in New Zealand. The development of the current outsourcing policy
5. Section 68 of the Reserve Bank of New Zealand Act 1989 (the Act) requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: a. Promoting the maintenance of a sound and efficient financial system; or b. Avoiding significant damage to the financial system that could result from the failure of a registered bank.
6. BS11 pursues both these purposes by requiring that a Large Bank’s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements 1 http://rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/banks/consultations/consultation-review￾outsourcing-policy-registered-banks.pdf?la=en

3 for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank. The current outcomes focus on the provision of liquidity to the financial system. 7. The development of BS11 took place against the backdrop of a number of other material policy developments, including the local incorporation policy and the consideration of the Basel II IRB approach. Significant work had been undertaken on the development of Bank Creditor Recapitalisation (BCR) (the forerunner to the OBR2 ). The outsourcing policy and the local incorporation policy were both linked to a desire to strengthen the Reserve Bank’s ability to respond to a failure. However, the outsourcing policy is not just focused on the ability to manage failure, but also about standard outsourcing concerns, including ensuring that outsourcing arrangements are robust in limiting the potential impact on the bank or the wider financial system from supplier failure or where the supplier fails to provide an adequate service. 8. OBR pre-positioning was implemented on 1 July 2013 and applies to all locally￾incorporated registered banks whose retail deposits are in excess of $1 billion. OBR is a mechanism for providing bank customers continued access to liquidity and banking services after bank failure. Pre-positioning means having the IT, payments, resource and process functionality in place ahead of a crisis, such that should a bank enter into statutory management, access channels can be closed, a portion of customer funds can be frozen, and access channels can be reopened for business by no later than 9am the next business day, enabling customers to have access to the available or good portion of their funds. 9. However, banks may only take account of the potential risks of outsourcing arrangements on their own business, whereas the Reserve Bank has a broader systemic focus. Under business-as-usual conditions banks have strong incentives to adopt arrangements that are robust in limiting the potential impact on their profits or solvency from supplier failure. Though, banks may not take account of the broader systemic costs of service disruption. 10. Furthermore, where a function is carried out by a parent, there may be situations where, after a separation, those services are no longer available. This could be because the parent’s focus has changed and it does not see itself as a service provider to a former subsidiary, due to an unwillingness on the part of the parent, or simply because the parent is unable to continue to provide the service. Also, where there are contracts with independent third parties that are in place at the group level, separation may leave the New Zealand subsidiary with no legal relationship with the third party service provider. 11. Whilst the OBR implementation process requires contracts to be reviewed and amended to ensure services would continue under statutory management, the reach of the OBR policy only extends to the functionality required under OBR. OBR is focused on overnight processes and making unfrozen funds available to customers but it does not itself ensure that the bank can continue in business indefinitely. As a result, outsourcing of functions that materially impact on the ability of the statutory manager to 2 While the paper specifically refers to OBR, the application of the policy is relevant for crisis management options in general.

4 continue operating the bank can make it harder to realise the full benefits of the OBR policy. 12. Outsourcing arrangements with independent third parties have less potential to be undermined by a separation, so long as the New Zealand subsidiary has a direct contractual arrangement (or parallel rights under a contract through the parent) with the service provider and these services continue to be provided following the failure of the bank or its parent bank. The incentives on the independent third party should be that the service continues to be provided so long as the bank keeps paying for the services as contractually agreed. Revised policy proposals 13. Having considered the submission feedback and assessed the policy options against the objectives of the outsourcing policy, the Reserve Bank has made a number of amendments to the policy options outlined in the 2015 consultation paper. We consider that the revisions to these options will achieve the objectives of the outsourcing policy while reducing the impact on a bank’s operations, and allow for technological development. 14. The policy options outlined in the paper include options where changes have been made to the proposals included in the 2015 consultation paper, and where the policy option remains unchanged. The policy options set out in this paper are as follows: a. Maintaining the existing threshold for the outsourcing policy (i.e. not to align the threshold with OBR); b. Retaining the problem definition, and expanding on the interaction of OBR and outsourcing; c. Slight revisions to the proposed outcomes of the outsourcing policy; d. A proposed definition of basic banking services; e. An extended list of functions that are not captured by the definition of outsourcing, based on feedback from submitters; f. Instead of an explicit prohibition on outsourcing certain functions we propose that robust back-up capability for outsourced functions that are critical to the bank’s operations may be appropriate; g. Retaining the proposal for a separation plan but provide more information on what is required for it; h. Retaining the proposed engagement process; i. Revisions to the requirement to maintain a compendium; j. Retaining the proposed contractual terms; and k. An extension of the transitional path to compliance to 5 years.

5 Structure of the paper 15. The rest of the paper is structured as follows: Part Two provides a high level summary of the submissions received, and the Reserve Bank’s responses; Part Three provides a detailed outline of the proposed outsourcing policy for banks that are above the $10 billion threshold, including further consultation on a number of aspects, and an extended transitional path to compliance; Part Four outlines the others matters and the next steps in the outsourcing review. Timeline and next steps 16. The consultation period for these proposals will run until 12 August 2016. Following the release of the consultation paper the Reserve Bank expects to hold bilateral meetings and industry workshops with stakeholders. 17. Following that, the Reserve Bank expects to release a summary of submissions and a regulatory impact statement. A final version of the outsourcing policy is anticipated to be released by the end of the year. 18. The Reserve Bank requests that all submissions be filled in using the template in appendix four and sent in electronic form. A Word version of the appendix is available.

6 Part two: high level summary of first round of submissions 19. The Reserve Bank received sixteen submissions3 on its 2015 consultation paper. During the consultation period, and following the submissions, the Reserve Bank has also held discussions with a number of submitters. In addition, we have held bilateral meetings with affected parties and a number of stakeholders, including internationally active service providers. We have also held discussions with other regulators. The Reserve Bank would like to thank all submitters for the constructive inputs provided, which have helped it to refine the outsourcing policy proposals. 20. Overall, submitters welcomed the review of the outsourcing policy and being involved early in the policy development process. Generally speaking, most submitters were either supportive and/or reasonably comfortable with the following: • The proposed problem definition; • The proposed revised objectives and outcomes; • The definition of outsourcing; • The compendium of outsourced functions; • The separation plan; and • The proposal to have a list of excluded functions. 21. On other matters, non-bank submitters remained very supportive whereas bank submitters were more critical. These included: • Lowering the threshold of outsourcing policy to align with the OBR threshold; • Prohibiting certain functions to be outsourced; • Not to include a materiality threshold; and • The two and a half year transitional path. 22. A number of banks provided cost estimates, and some have indicated that the cost implication of the proposals was high. The cost estimates ranged from $10 million to $400 million. 23. The proposals in the 2015 consultation paper had a lot of support from internationally active service providers, who noted that our proposals were standard practice in other comparable jurisdictions. 24. Submitters requested introducing a clear definition of basic banking services, given this concept has important implications for a number of aspects of the proposed outsourcing policy. Three submitters provided suggestions on what they thought should be captured. Our proposed definition comes from the feedback we received as well as consideration of bank services prepositioned for OBR policy. 25. A few submitters suggested alternative approaches to the outsourcing policy, such as a Memorandum of Understanding or a legislative solution with Australia. This is discussed briefly in Part Four. 26. Regarding some of the proposals that banks have found the most problematic, the Reserve Bank has revisited them with a view to reducing their impact while not compromising the policy objectives. For example, after careful consideration the Reserve Bank’s view is the existing threshold for full outsourcing policy should be 3 The submitters were: Asia Cloud Computing Association, ANZ NZ, ASB, BNZ, Co-operative Bank, FIRST Union, Heartland Bank, IBM, ICBC NZ, Microsoft, NZBA, Rabobank NZ, Salesforce, SBS, TSB and Westpac NZ.

7 retained, i.e. only for locally incorporated banks whose New Zealand liabilities exceed $10 billion, net of amounts due to related parties. We propose introducing a new requirement, either into the outsourcing policy or within another Banking Supervision Handbook document, such that all locally incorporated banks would be subject to business continuity preparation (BCP) requirements to ensure continuity of services, as well as the contractual terms set out in this paper. This will be consulted on in due course. 27. On other matters that submitters made comments on, the Reserve Bank proposes that: • Instead of prohibiting activities from being outsourced to a parent or related party, the policy would instead require banks that outsource certain key functions have robust backup for capabilities in place. • Instead of including an explicit materiality test, a more extensive “white list” is developed, where certain activities and functions would not be captured by the definition of outsourcing. This list has been expanded based on feedback from submitters, and will be reviewed periodically to ensure it remains appropriate. • The transitional path will be increased to five years, including the planning phase. 28. More details on each aspect of the proposed outsourcing policy are given in the next section.

8 Part three: proposed outsourcing policy for locally incorporated banks with net liabilities (excluding amounts owed to related parties) in excess of NZ $10 billion Threshold 29. The August 2015 consultation paper included two options for the threshold for the outsourcing policy: a. The existing threshold of NZ$10 billion in liabilities, net of amounts owed to related parties; or b. Aligning the outsourcing threshold with the threshold for OBR pre-positioning, being NZ $1 billion in retail funding. 30. The current threshold for outsourcing is based on the proposition that “systemically important” banks present the greatest risk of causing significant damage to the financial system should they fail. 31. Since the introduction of the outsourcing policy, the Bank has implemented the OBR policy as a tool to manage bank failures. The threshold for the OBR policy is set lower than the outsourcing policy, applying to any locally incorporated bank with retail funding over NZ$1 billion. This threshold reflects the fact that smaller institutions would likely benefit from pre-positioning on the grounds that a more orderly resolution of a failure event may be preferable even in scenarios in which systemic concerns may be limited. 32. Given the relationship between outsourcing and the continuation of essential bank services during times of financial distress, the Reserve Bank considered that there was a case for reconsidering the threshold for the outsourcing policy. 33. Submissions were mixed on the options. Those who supported the proposal noted that this would recognise that a smaller banks’ failure could equally impact on the soundness of the banking sector, and that it would create a more level playing field and a more consistent and secure outcome for customers. Other submitters noted that the proposal may place undue compliance costs on smaller banks and that an alternative may be to strengthen the requirements under OBR for smaller banks. 34. Having weighed up the options, the Reserve Bank has decided to retain the existing threshold for outsourcing. However, as part of the review submitters have suggested the inclusion of BCP requirements. In light of this feedback we will, in due course, release a consultation paper outlining policy options for BCP requirements. We anticipate co-locating the contractual term requirements of the outsourcing policy with these BCP requirements once finalised, though the Reserve Bank has yet to decide where to locate these BCP and contractual term requirements in it Banking Supervision Handbook. 35. Retaining the existing threshold continues the focus on systemically important banks, being those banks that present the greatest risk of causing significant damage to the financial system if they were to fail. The existing threshold covers the five largest banks4 . We consider that the BCP requirements (to be consulted on in due course) and contractual terms set out in this consultation paper will provide additional 4 ANZ, ASB, BNZ, Kiwibank and WNZL.

9 assurance that all banks have robust contractual arrangements, while keeping compliance costs with the requirements to a minimum. Problem definition 36. As noted earlier in this paper, the majority of submitters were comfortable with the problem definition. That is: a. The outsourcing may increase the risk of a bank (or banks) failing, where that failure may cause significant damage to the system; b. The outsourcing may increase the risk that there will be problems resolving a bank if it fails resulting in significant damage to the financial system; and c. In the absence of any failure, the outsourcing may create issues that may undermine the maintenance of a sound and efficient financial system. 37. We note that some submitters questioned the focus on resolution. We consider a focus on resolution is appropriate due to the interaction with OBR and the particular challenges with New Zealand’s financial system being very heavily foreign-owned brings. In addition, operational continuity is becoming increasingly important in the international arena. For example, in November 2015 the FSB released a consultation document Guidance on Arrangements to Support Operational Continuity in Resolution5 which notes that operational continuity is a key aspect of resolution planning for individual firms and a lack of arrangements for operational continuity is likely to impair firms’ resolvability. This complements an earlier FSB paper Recovery and Resolution Planning for Systemically Important Financial Institutions: guidance on identification of critical functions and critical shared services6 which focuses on how to identify and analyse a bank’s critical functions that are provided by third parties to assist the resolution strategy, including planning actions required to help maintain continuity of the critical functions and avoid serious disruption to the bank’s value and to the financial stability of that country. 38. Some submitters also felt that the problem definition was too heavily focused on soundness and did not sufficiently recognise the efficiency benefits that outsourcing arrangements provide to banks. In our meetings with submitters, we had good discussions on the recognition of the efficiency benefits that outsourcing arrangements can create, and also noted that in some areas an outsourced arrangement could be more robust than one provided in house and reduce risks. We also agree that in many cases banks themselves are incentivised to put in place robust risk management programmes to minimise the risks from supplier failures. We do, however, stress that the outsourcing policy proposals focus on risk and the potential market failure when, under some circumstances, incentives on individual institutions do not fully align with the broader public good. While banks are incentivised to have robust arrangements in place that limit the potential impact on their profit and solvency, they may not take sufficient account of the broader economic costs and systemic impact of the services disruption. We note that one key finding from the 2014 Outsourcing Stocktake was that banks have differing interpretations of the current existing policy, leading to a varied degree of application across the sector, which highlights a need to clarify the policy. 5 http://www.fsb.org/wp-content/uploads/Guidance-on-Arrangements-to-Support-Operational-Continuity-in-Resolution.pdf 6 http://www.fsb.org/wp-content/uploads/r_130716a.pdf

10 39. Some submitters also commented that outsourcing to parents/related parties was no riskier as they consider that the parent or related parties would be willing to continue provide services in the event of a separation. In our view, where the function is carried out by the parent or a related party there may be circumstances where that party may be unable to continue providing the service, especially post separation. 40. In considering the problem definition, it is worth noting that the outsourcing we refer to does not cover all outsourcing that banks have. A large number of functions that banks currently outsource would fall into the “white list”, which would not be caught under the revised outsourcing policy. This list has also been expanded to take into account feedback received, and will be reviewed periodically. 41. We do not propose to make any changes to the problem definition as consulted in 2015. Objectives and outcomes 42. In the 2015 consultation paper, it was proposed that the revised objectives of the outsourcing policy would require a bank to ensure the outsourcing would not compromise the ability of the bank to: a. Be effectively administered under statutory management for the purposes of maintaining the bank’s ability to continue to provide and circulate liquidity to the financial system and the wider economy; b. Be in a position to enable any new owner of all or part of the bank to carry on the basic business of the bank; and c. Address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank. 43. Accordingly, it was proposed that the revised outcomes were that the bank should be operated in such a way that: a. The bank is able to continue to meet its daily settlement and other time-critical obligations, so as to avoid disruption and damage to the rest of the financial system; b. The bank is able to understand the bank’s credit and market risk positions, thereby limiting further damage to the bank’s balance sheet; c. The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available on the day of the failure a range of options for managing the failed bank; d. The bank is able to provide basic services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting; and e. The bank is able to operate on this basis as a standalone entity in the event of separation from its parents every day thereafter. 44. Overall submitters were supportive of the retention of an outsourcing policy and that our assessment of banks’ focus and drivers regarding outsourcing was fair. Submitters were also supportive of retaining the outcomes-focus to give the flexibility to banks as

11 to how they satisfy the policy in a way that is most appropriate for their business model. 45. There was also acknowledgement that outsourced activities would be an important consideration during a bank failure scenario, as it is critical that outsourced activities be managed robustly during such a process. However, some submitters noted that the outcomes in the outsourcing policy should not be linked to resolution. In this regard, we note that the proposed outsourcing policy is designed for both business-as-usual and crisis scenarios, and the shift to more focus on resolution reflects the linkage between the outsourcing policy and OBR, and aligned with international trends. 46. Some submitters commented that the wording of the required outcomes need clarification, and to the extent relevant, be aligned with the proposal for a separation plan. 47. We also noted that there should be clear reference to the timeframe of the required outcomes. Consistent with the current BS11, we therefore propose to amend outcomes (a) to (d) as per following: a. The bank is able to continue to meet its daily settlement and other time-critical obligations, before the start of the value day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system; b. The bank is able to monitor and manage its financial market positions, including credit and market risk positions, before the start of the value day after the day of failure and thereafter, thereby limiting further damage to the bank’s balance sheet; c. The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available on the day of the failure a range of options for managing the failed bank, first value day after the day of failure and thereafter; d. The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines) and account activity reporting, first value day after the day of failure and thereafter. 48. Some submitters commented that the required outcome (e) did not apply to all banks that were subject to the outsourcing policy. We have therefore provided further clarification and outcome (e) will now state: e. Where a bank is part of an overseas banking group, the bank is able to meet outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent every day thereafter. 49. A small number of submitters also noted that a regulatory impact statement (RIS) was not included in our consultation paper. As noted above, we advised banks that we were still in the early stages of our policy thinking, and that a RIS would have not been appropriate at this stage. The consultation feedback will inform the RIS and is being developed alongside the policy. Q1: Do you agree that the modifications to outcomes (a) to (e) provide clarification?

12 Interaction with OBR 50. Some submitters sought more information on the interaction between OBR and outsourcing. The next few paragraphs provide this information. 51. The key objectives of resolution policy are to reduce wider impacts from a failure and to maintain critical functionality in the event of a bank failure or failures, and to do so in a manner that avoids recourse to taxpayers by imposing losses on shareholders and creditors, while protecting wherever possible the rightful interests of creditors. 52. The link between OBR and outsourcing policy arises due to the potential need to keep the bank operating at least with basic services whilst authorities identify a final resolution. The nature of the business undertaken during this period will be case specific and will depend on the type of institution that has failed, and the particular circumstances of the time. However, it is more likely that we would need a larger failed bank to operate more services under a statutory management than a small bank due to its more central role in the economy. As a number of banks operating in NZ are parts of foreign groups, it is important that we have confidence that the local subsidiary will be able to deliver those services in the event that a bank separates from its parent. 53. OBR is not a default solution for all instances of bank distress and/or failure. The OBR policy is intended to provide an alternative to liquidation or Government support to help address some of the costs that arise. As such, the intention is that the policy enhances decision making in a crisis. 54. The cost benefit analysis that underpinned the introduction of the OBR policy focused on its role as an additional option, and the impact that this may have on long run decision making. The positive benefit of OBR is therefore tied to it being an effective and available option in circumstances where liquidation is not preferable. Putting aside cases where using OBR as a controlled wind down is the desired outcome, these circumstances will generally arise where the closure of the institution raises systemic concerns, and therefore points towards a desire for the institution to maintain on-going operations in some form. 55. An ineffective outsourcing policy risks undermining the ability of OBR to deliver the assumed positive impact in a number of ways: • Failure to ensure that banks can operate effectively under statutory management. • Failure to provide certainty about availability of on-going functionality. 56. The existing outsourcing policy has been interpreted by some as focusing on the provision of liquidity in the short term, offering no assurance around other aspects of on-going operations, and therefore leaves the interaction between bank and regulator on outsourcing proposals at the discretion of the banks offering little clarity around the extent of outsourced functionality. Definition of basic banking services 57. The proposed policy, as consulted on in August 2015, did not include a definition of the basic banking services banks would be expected to provide to existing customers. We note that the definition of basic banking services would be relevant for a number of aspects of the proposed outsourcing policy as it would feed into:

13 • The proposed objectives b and c (paragraph 39 of the 2015 consultation document), that the outsourcing does not compromise the ability of a bank to: o Be in a position to enable any new owner of all or part of the bank to carry on the basic business of the bank; o Address the impact that the failure of a service provider may have on the bank’s ability to carry on all or part of the business of the bank. • Proposed required outcome (paragraph 49 (d) of the 2015 consultation document) states that “the bank is able to provide basic services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines), and account activity reporting”; and • The separation plan, in which banks are required to assume that the bank continues to operate on a business-as-usual basis for the services that it provides. 58. In their submissions, a number of submitters suggested that a definition of basic banking services should be provided. We received three suggestions on what should be included in the definition of basic banking services. 59. Accordingly we propose that basic banking services be defined as: “The key retail and business services that bank customers typically rely on, where the disruption or sudden discontinuation of the function would be likely to have a material negative impact on a significant number of third parties that rely on such services and lead to contagion effects, including significant adverse effects on market confidence”. 60. In determining whether a banking service would be classified as basic banking services, banks need to assess how critical the provision of the service is to its end users, taking into consideration the following: • What elements of the customers’ operations would be affected; • The knock-on effects of this disruption to other customers, suppliers, counterparty, etc.; • Speed at which disruption would have an impact; • The speed, costs and hurdles of substitution; and • The expected willingness and ability of other banks to provide the services of a failing bank. 61. For the purposes of the proposed outsourcing policy we have developed a list of services that we consider would constitute basic banking services. Given the different ways that banks arrange their businesses, we have chosen to focus on the types of services offered and not the types of products when it comes to specifying what constitutes basic banking services. This list has also been developed to be consistent with what is prepositioned for the OBR policy. Accordingly, we consider the following list of services fall under the definition of basic banking services:

14 • Transactions accounts or similar products used by individuals and businesses for their transactional, every day banking needs. A bank must be able to continue to provide ATM services, given the importance of cash in times of a crisis, e.g. a major earthquake. In addition, customers should be able to access their accounts through at least two of the most commonly used channels. • Savings accounts and term deposits accounts, which are usually held by individuals and entities who also engage in transactional banking. These deposits are either on-call or mature on a regular basis and are an integral part of individuals and businesses’ common banking needs. • Lending services to individuals and businesses, such as credit cards, overdraft facilities, revolving credit facilities, existing mortgage commitments (including pre-approvals) and mortgage facilities. • Account activity reporting for the relevant accounts individuals and businesses hold. • Payments, clearings and settlement services, such as credit card/merchant acquiring services and agency arrangements (including financial market infrastructure (FMI) access for smaller banks). • Foreign currency transactional, savings and term deposit accounts. 62. In addition to the above list of basic banking services, we are considering whether certain other services, such as trade finance and letters of credit, should also be included as basic banking services. These services are important to importers and exporters and may be difficult for a customer to substitute from a different bank. 63. We would welcome feedback on whether we have included the right services. In providing your feedback, it would be useful to include the monthly value/volume of trade finance and letters of credit to assist our analysis as to how much reliance customers currently have on these services. 64. Over time, technological or demographic changes may mean that the list of basic banking services requires updating. Banks will have to consider new services as they emerge to determine whether they would fall into the category of basic banking services, based on the above definition and the criteria outlined in paragraph 60. The Reserve Bank would also continue to monitor the list of basic banking services and update it as necessary. Any such updates would involve consultation with affected parties. Q2: Have we included the right services and scope? Are there any other services that should be included in the proposed list of basic banking services, such as trade finance and letters of credit? If appropriate, please provide the value/volume information on these services that are currently outstanding for your bank.

15 The definition of outsourcing 65. The proposed outsourcing definition in the first consultation document was: “Outsourcing is defined in this policy as a registered bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that could be undertaken by the registered bank, now or in the future.” 66. There was strong support for the introduction of a definition of outsourcing. There were, however, mixed views on whether the proposed definition appropriately defines outsourcing. Those that did not support the proposed definition noted that it was too broad and there was no materiality threshold, meaning many insignificant and irrelevant outsourcing activities may be inadvertently caught. On the other hand, those supporting it said that it reflects the globally accepted definition used by most regulators, is providing a consistent approach across jurisdictions for use by regulated entities and outsourced providers alike. 67. Our intention has been to have a wide definition of outsourcing, and we consider that the proposed definition is appropriately aligned with that used by authorities in a number of jurisdictions. After careful consideration our view remains that there is no need to introduce an explicit materiality test, as an extensive “white list” would essentially serve as a mechanism through which immaterial outsourcing arrangements by banks would be excluded from the outsourcing policy. This is discussed in more details in the next section. 68. We therefore propose to keep the definition of outsourcing the same as consulted on last year. Functions that are generally not captured by the outsourcing policy (“white list”) 69. In the 2015 consultation paper, we proposed a list of functions that would not be considered relevant for the outsourcing policy. This received a broad level of support from submitters, although some submitters continued to prefer a materiality test to complement a broad definition of outsourcing, noting that having to engage with the Reserve Bank on immaterial outsourcing activities would add significantly to compliance costs, delay their establishment of outsourcing arrangements and lead to inefficiency. There was also a concern that the Reserve Bank might not have sufficient resources to deal with the volume of banks’ outsourcing requests. These banks suggested that a materiality test should be added to the outsourcing policy. 70. We have carefully considered the inclusion of an explicit materiality test both before the finalisation of the 2015 consultation document and during the analysis of submissions received. We agree with stakeholders’ comments that having some sort of materiality test would not be inconsistent with our problem definition. However, after reviewing the types of materiality tests that many other regulators have, our view remains that an assessment based on similar tests would be overly subjective and likely lead to a wide range of interpretations. We therefore consider that having an up￾to-date and extensive “white list” would essentially serve the same purpose, as it would exclude functions that are not relevant for the our regulatory purposes, and prioritise both banks and the Reserve Bank’s resources to the types of outsourced functions that might be of concern. 71. For relevant yet insignificant outsourcing, banks would only have to record them in the compendium and submit a short form template for new or amended arrangements. We

16 do not think such requirements would be particularly onerous, given that banks generally already keep a repository for all their outsourced functions, and both the compendium and the short form template only require basic information. 72. Having said that, we did review the proposed list of excluded functions based on feedback received. As a result we are proposing the following “white list”, made up of those already included in the current list, as well as those taken from submitters. Original list of services to be included on the “white list” with modifications underlined or deleted • Telecommunication services and public utilities; • Postal and courier services; • Specialised training; • Discrete advisory services (e.g. legal opinions, certain investment advisory services that do not result directly in investment decisions); • Independent audit reviews; • Market information services (e.g. Moody’s, Bloomberg, Standard and Poor’s); • Independent consulting; • Services that the registered bank is not legally able to provide; • Printing services for marketing materials; • Repair and maintenance of fixed assets; • Supply and service of leased telecommunication equipment for phone line and internet; • Travel agency and transportation services; • Temporary help and contract personnel; • Fleet leasing services; • Specialised recruitment; and • Conference organising. Proposed additional services to be included on the “white list” • Production of plastic credit cards; • Sales and distribution arrangements such as mortgage brokers, financial planners and other commission-based arrangements; • Reinsurance contracts; • General office products and consumables; • Corporate uniforms; • Furniture, fittings and furnishing; • Commercial and office building construction services; • Interior finishing and furnishing and remodelling services; • Rental property leases; • Recruitment services; • Reference and background check services; • Title search and security/collateral registration services; • Real estate appraisal and valuation services; • Sponsorship, brand or promotional arrangements; • Debt collection;

17 • Predictive dialler and automated voice recording services; • Catering services; • Accommodation services; • Meeting facilities; • General business utility services; • Security system, premises access and guarding services; • Share, domestic note and bond registry and management services; • Sales, promotional and direct marketing activities; and • Property and facility maintenance services. 73. We note that some of the above functions should never be expected to be included in the definition of outsourcing (e.g. corporate uniforms), but for completeness we have included them. 74. We also note that the white list might need to be subject to regular reviews to reflect, for example, technological advances. Prohibited functions and the appropriateness and robustness of back-up capability 75. Our 2015 proposal suggests that some functions were so integral to carrying on the business of a bank that they should not be allowed to be outsourced to a related party, such as a foreign parent bank. We provided three examples: general ledger, SWIFT gateway and licence, and regulatory reporting. This proposal was provided as we considered that outsourcing of some functions could adversely affect the provision of liquidity and inhibit the ability of the bank to provide basic banking services in a crisis, and may therefore frustrate some resolution options. 76. Many submitters agreed that the three examples were integral functions of a bank. There were mixed views from banks and non-banks as to whether these examples represent functions that should not be outsourced. A number of banks have argued that instead of prohibition, having the right contractual and practical measures, including robust testing and demonstrated control, would be sufficient. In particular, they noted that a prohibition on these functions would likely require them to develop duplicate systems at the group level, which could be very expensive and inefficient, meaning that they were not able to utilise group expertise and may stifle innovation. There was a concern that the list of prohibited functions would also become outdated quickly as technology advances or banks change how they run their businesses. 77. On the other hand, non-bank submitters generally agreed that certain functions that relate to core management activities, decision-making and risk acceptance should not be outsourced at all. 78. There also seems to be some misunderstanding about our proposal on data (residing in NZ) and whether banks could continue to use agency arrangements for SWIFT transactions. 79. We would like to clarify that the three functions that we identified in the 2015 consultation paper were examples of functions that were considered integral to the required outcomes. There may be others where the Reserve Bank would have similar Q3: Are there any other services that should be included in the above lists, but have not yet been captured?

18 concerns if they were outsourced. Moreover, these functions could differ from bank to bank. 80. We recognise submitters’ concerns on the potential compliance costs on establishing new arrangements on those functions, and additional functions that would need to be re-established due to their connections with those functions. We also note that a list of prohibited functions may become outdated over time. During our subsequent meetings with a number of submitters some explained in more detail their existing back-up arrangements and how, if needed, those could be improved to meet the proposed required outcomes. 81. As a result of the discussions with affected banks, we have come to the view that there might not need to be an outright prohibition of certain functions from outsourcing and that there are circumstances where appropriate standby capability by the subsidiary could be a viable alternative for this to work. An appropriately robust standby arrangement should achieve the objective of NZ banks being able to operate independently from their parent or related parties. Consistent with the current BS11, we would continue to require banks to demonstrate they have legal and practical ability to control and execute an outsourced function. 82. For the outsourcing objectives to be achieved, functions that are related to required outcomes would need to be robust and sustainable. In addition to the current outsourcing arrangements on these functions being robust and sustainable, banks would need to have robust and sustainable back-up arrangements for these functions. For banks that do outsource such functions, for example the General Ledger, they would need to ensure that the back-up or standby arrangements meet the following requirements: • There is no capability to lose transactions; • The switch over would take no longer than 60 minutes; • The contingency arrangement is sustainable, in that it could be deployed as the primary mechanism, on an on-going and fully automated basis, to deliver the outsourced function with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation (for example, a quick switch over and no transactions are lost); • Testing is conducted on a monthly basis where the backup arrangement involves swap over between primary and secondary systems. While this could increase operational risk, regular testing is an important component of a robust alternative arrangement, to ensure it is fully operational and functional; • External audit is conducted at least every two years to ensure the arrangement remains robust and sustainable; and • The bank must have direct ownership and control over the standby system. This does not necessarily mean that the system needs to be located in New Zealand, but that the NZ locally incorporated bank should have the legal and practical ability to control the standby system (i.e. that they own the system (or have a direct relationship with the third party provider for that system) and the data that is required to use it). This backup arrangement cannot be provided by a related party if the system is outsourced.

19 83. We decided not to use terms such as “hot” or “warm” standby due to the lack of a consistent definition. Instead, the standby would need to have mechanisms in place to minimise data loss. 84. Again, using the example of SWIFT capability, to meet the requirement of robust standby arrangements would require banks to have its own backup SWIFT infrastructure (which is more than just SWIFT gateway and licence and refers to a bank’s ability to send, process and receive messages). Banks would need to have direct control and ownership over this backup infrastructure, so that if the primary SWIFT infrastructure is unavailable, they would be able to use the alternative arrangement say, within half an hour. We note that other existing contingency arrangements such as 3LC via NZClear are not currently designed to be enduring solutions and could only be used on a more ad hoc basis. 85. Some banks have agency arrangements for their SWIFT capability, using independent third party banks. As noted in the 2015 consultation paper, we confirm that banks are able to continue to rely on those agency arrangements. 86. Overall, we consider that the objectives of the outsourcing policy would still be met of requiring robust backups that banks directly own and control. As a result, we propose that instead of having a list of prohibited functions, functions that are integral to meeting the proposed required outcomes would require robust backups. These functions might differ amongst banks and we would like to discuss and identify such functions with banks during the next phase of bilateral engagement. 87. The general ledger and SWIFT capability is not an exhaustive list of what functions the Reserve Bank may require robust back-up arrangements for. Other functions that require equally robust back-up functionality will likely be identified during the implementation phase with banks. It is also conceivable that there are functions where a standby arrangement is not feasible or would expose the bank to too much risk in terms of it being able to operate on a standalone basis. In some instances, a bank may be required not to outsource that particular function. Though it is likely that arrangements with third party providers would be acceptable. 88. We recognise that this proposal would have smaller cost implications for banks. However, we note that robust back-up arrangements would be an appropriate option compared to having an outright prohibition. Q4: Do you agree that having robust back-up arrangements would be able to meet the objectives of the outsourcing policy? Q5: Does your bank already have back-up capability for all key systems? Q6: If yes, would your arrangements meet the requirements outlined above? If not, what would the costs be of upgrading your systems? Q7: If your bank does not have back-up capability for the general ledger and/or SWIFT capability what would the cost be to develop this capability? Q8: Are there any features that are not on the list above that should be added?

20 Separation plan 89. The 2015 consultation paper included an explicit requirement for banks to have a robust separation plan in place. The purpose of the separation plan is to describe the processes a bank would have to undertake in the event that the parent fails, or that the NZ bank is separated from its parent. 90. Overall, submitters were supportive of the proposal to prepare a separation plan, though some had comments about its design and the functions it is envisaged to cover. We have attempted to clarify the coverage and design elements below. 91. Some submitters considered that the Board should not have to sign off the separation plan as it is an operational document. However, the Reserve Bank considers the separation plan to be a key strategic document for the Board and senior management of the bank in assisting to manage the separation of the parent and the subsidiary in a failure event. Banks will be required to seek Reserve Bank agreement to their separation plan before it can be finalised. However, the Reserve Bank will require that any draft separation plan submitted to us for consideration has been approved by senior management and the Board of the bank before the Reserve Bank’s agreement is sought. 92. The separation plan will assist OBR by requiring banks to set out how they will separate their operations from their parent, as well as the timeframes in which these processes will be undertaken. It is intended to be an operational document that forms part of the outsourcing policy requirements (amongst other requirements such as robust back-ups, the compendium and engagement with the Reserve Bank), and would only be applicable to banks that are foreign-owned. 93. Given the separation plan’s importance in ensuring continuation of bank services and functions, the plan should assume a continuation of bank operations on a business as usual basis for the services and functions required to be met under the outcomes of the outsourcing policy (refer paragraphs 47 and 48). It is important that the separation plan not assume that the bank goes into wind-down in the event of a separation, as bank crisis resolution options including OBR contemplate a number of scenarios. 94. The separation plan will be required to set out how the bank will, from the day of being placed into statutory management and, if necessary, indefinitely thereafter: a. Meet the required outcomes of the outsourcing policy; b. Manage the operational responsibilities for the separation; c. Ensure that the contractual obligations set out in paragraph 112 are included in all functions that are outsourced through the parent or a related party; and d. Set out how the alternative arrangements for the example list of functions in paragraphs 82 and 84 will be operationalised following a separation. 95. Some submitters thought that the separation plan should only cover basic banking services. However, given the importance of the separation plan in achieving other outcomes of the outsourcing policy, we consider that it should cover all outcomes required to be achieved for the outsourcing policy.

21 96. Some submitters sought clarification as to what was envisaged by “operational responsibilities” mentioned above. For this requirement the Reserve Bank expects banks to prepare: a. a list of the functions or services that each bank would be required to maintain post a separation from its parent; b. which position title is responsible for each service or function; c. a description of how the separation of the function will take place; and d. the time in which the separation can be undertaken. 97. The separation plan will be required to be tested on an annual basis. For clarity we consider that annual basis means every 12 months, not once within a calendar year. Engagement process 98. The current outsourcing policy does not have a formal engagement process and instead requires banks to satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes, or is substitutable by other functions that are not outsourced. This lack of prescription has contributed to an inconsistent approach being taken across the sector. 99. The consultation paper proposed that banks file a short form application for non￾objection on all outsourcing arrangements that are not on the “white list”. The Reserve Bank then has 20 working days to assess the application and either provide a notice of non-objection or inform the bank that a full application is required. 100. The short form application will contain fairly high-level information on the proposed outsourcing arrangement. We anticipate that, in combination with the extended white list, the majority of outsourcing applications will be able to be considered under the short form application. It would only be for more complex arrangements, particularly those with the parent or related parties, that we anticipate requiring a full application. 101. Some submitters considered that ex-post notification would be more appropriate for the outsourcing policy, while others considered that ex-ante notification was appropriate and in line with other regulators. 102. We considered ex-post notification but, due to the inconsistencies in the interpretation of the policy, we do not consider that this is an appropriate option. 103. Based on the above we consider that no changes to the proposed engagement process should be made. 104. The template for the short form application can be found under appendix three. Q9: How many outsourcing proposals do you anticipate filing annually? Please note that this engagement process would not capture existing outsourcing arrangements that are covered by the transitional path to compliance, it would only cover new outsourcing proposals.

22 Compendium 105. The 2015 consultation paper proposed that banks be required to maintain a compendium of all outsourced arrangements. The compendium is intended to ensure that authorities have rapid access to understand what functions and processes have been outsourced by the bank. We note that most banks already maintain an internal register of outsourced functions, though the information contained on each register is likely to differ across banks. 106. In general, submitters supported the idea of a compendium. However, some submitters objected to the compendium being a condition of registration. While banks are concerned about matters that may cause them to breach their conditions of registration, the compendium will be a key document for understanding outsourcing arrangements, and the requirement to maintain a compendium will ensure that banks have an up to date list of outsourcing arrangements. 107. To deal with bank’s concerns around breaches of conditions of registration, and to ensure that the frequency of submissions of the compendium, we propose that the compendium be required to be updated within 5 working days of an outsourcing arrangement being entered into, and that the bank must have a process to ensure that this requirement is met. Directors will have to attest to banks having appropriate processes in place to meet these requirements. Accordingly, we propose to include the following condition of registration: That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular – a) Arrangements for the compendium to be updated within 5 working days of an outsourcing arrangement being entered into; and b) Quarterly review of the compendium by the bank’s internal audit function to ensure it is up to date. 108. The processes referred to in paragraph 107 include that the compendium be reviewed by the bank’s internal audit function quarterly to ensure that it is up to date. 109. Banks will be required to maintain the compendium in a form that is able to be sent to the Reserve Bank upon request. However, banks will be expected to send the compendium prior to discussions on operational risk with its supervisor. The template for the compendium is set out in appendix two. Contractual terms 110. The 2015 consultation paper proposed the inclusion of three contractual terms in all outsourcing arrangements (i.e. those arrangements captured by the to-be revised BS11). While BS11 captures only Large Banks we reiterate that these contractual terms will be required to be included in all locally incorporated banks’ outsourcing arrangements. Q10: Please provide comment on whether the draft condition of registration would work as envisaged?

23 111. These contractual terms reflect the importance of ensuring that outsourcing arrangements are robust and that functions outsourced to independent third parties, and arrangements made through the parent or a related party, will remain available following a failure or separation. 112. The contractual terms required to be included in all outsourcing arrangements are: a. That there will be continuing access on normal commercial terms to services when the bank enters statutory management; b. Parallel rights for arrangements made through a parent or related party to ensure continuing access to the services where the bank is separated from its parent; and c. The ability for the Reserve Bank to have access to documentation and information related to the outsourcing arrangement. 113. Some submitters noted that paragraph (b) should not be included as not all outsourcing arrangements are made through a parent or related party. For clarification, this term is not required to be included in contracts where the arrangement is made directly with an independent third party. 114. Contractual terms that the Reserve Bank would expect to see included (but not require) in robust outsourcing arrangements are identified in appendix one. 115. All banks subject to the outsourcing policy will be subject to an additional condition of registration regarding the inclusion of the contractual terms in all outsourcing arrangements. Although, as noted earlier in the paper, the Reserve Bank will be consulting on a BCP requirements policy in due course and these contractual terms may be moved to another Banking Supervision Handbook document as a part of that review. On the transitional path 116. Last year’s consultation paper proposed that banks have six months to plan for compliance with the new policy, with a further two years to become compliant with the new policy. 117. While some submitters have submitted that a six month planning phase would be appropriate, others have suggested a longer time frame of twelve months. These submitters also noted that due to the complexity of the proposed policy, such as the need for banks to bring back in house some of the functions that have been outsourced, the two year timeframe is insufficient to become compliant. Instead, they proposed timeframes ranging from five to twenty years. 118. As discussed earlier in the paper, we have now made some revisions to the original proposal, reflecting stakeholders’ feedback about the complexity of some of these arrangements and the ability to strike the right balance between risks and efficiency. We expect that, for example, the move from prohibiting certain functions to requiring robust back-ups would significantly mitigate banks’ concerns and as a result, have less cost implications and would take a shorter time to become compliant.

24 119. Nevertheless, we do recognise that it would have less impact on banks if the compliant phase also takes into account issues such as the normal technology cycles. Given the potential complexities with complying with the new policy, we recommend that it would be appropriate to extend the transitional period for compliance, to a period of five years, including the bank’s planning time. It should be noted, however, that while the transitional period has been extended, we would also require that during the transitional period there is no back-sliding with the current outsourcing arrangements banks already have in place. Q11: Do you agree that the revisions to the proposed policy would reduce the potential complexities of complying with the new policy? Q12: Do you agree with the new proposed transitional period? Q13: Please provide your estimate of the costs and benefits of the revised policy options, taking account of the extended transitional path to compliance.

25 Part four: Other matters, legal and practical control, and next steps Other matters 120. Some submitters felt that an amendment to the Australian Prudential Regulatory Authority Act and the Australian Banking Act should alleviate the Reserve Bank’s concerns. The changes proposed relate to what these submitters see as an expansion of the existing trans-Tasman co-operation section, put in place in 2006. There are corresponding requirements in the Reserve Bank of New Zealand Act. The Reserve Bank will watch developments in this area. 121. Some submitters felt that our proposals were going too far when compared with other regulators, however the large proportion of foreign ownership of NZ’s financial system brings challenges. As part of this review we compared our proposals with those of other regulators and found that, in practice, our proposals were not more onerous than other regulators. For example, some regulators required detailed information on outsourcing proposals, including costs and whether the bank has undertaken due diligence reports on the service provider. Some regulators also require the use of on￾shore service providers. Legal and practical ability to control and execute outsourced functions 122. Some submitters asked for clarity as to whether our legal and practical ability to control and execute functions would be included in the revised outsourcing policy. We note that, consistent with our current outsourcing policy, banks will be expected to maintain legal and practical ability to control and execute any business, and any functions relating to any business, of the bank that are carried on by a person other than the bank, sufficient to achieve, under normal business conditions and in the event of stress or failure of the bank or of a service provider to the bank any outsourcing arrangements captured by this policy. 123. We propose to retain the existing wording in the current outsourcing policy around legal and practical control (section C), as well as the tolerances for legal and practical ability to control and execute outsourced functions (section D). Timeline and next steps 124. The consultation period for these proposals will run until 12 August 2016. Following the release of the consultation paper the Reserve Bank expects to hold bilateral meetings and industry workshops with stakeholders. 125. Following that, the Reserve Bank expects to release a summary of submissions and a regulatory impact statement. A final version of the outsourcing policy is anticipated to be released by the end of the year. 126. The Reserve Bank requests that all submissions be filled in using the template in appendix four and sent in electronic form. A Word version of the appendix is available.

26 Appendix one – contractual terms

1. Outlined below are contractual terms that the Reserve Bank would expect to see included in robust outsourcing arrangements: c. the scope of the arrangement and services to be supplied; d. commencement and end dates; e. default arrangements and termination provisions; f. the form in which data is to be kept and clear provisions identifying ownership and control of data; g. business continuity management around how the service provider will deal with a failure of the service it is providing; h. service levels and performance requirements; i. escrow arrangements; j. review provisions; k. pricing and fee structure; l. reporting requirements, including content and frequency of reporting; m. audit and monitoring procedures; n. confidentiality, privacy and security of information; o. dispute resolution arrangements; p. liability and indemnity; q. sub-contracting; and r. insurance.

27 Appendix two – compendium of outsourcing arrangements Related outcome Business function owner Function/system being outsourced Name of service provider Location of service provider Parent company / related party of the parent company

28 Appendix three – short form template for engagement with Reserve Bank

1. Description of the function proposed to be outsourced
2. Description of the service/system proposed to be outsourced, including: a. Name of the service provider b. Location(s) of the service provider c. Duration of the arrangement d. Expected timeframe for implementation of the arrangement e. If the supplier is the parent company or a related party of the parent company whether the service/system is proposed to be outsourced by that party f. What other functions have been outsourced to the service provider
3. Impact of disruption In the event that the supplier becomes unable to deliver the required service/system, either on a temporary or permanent basis, provide a high-level description of the potential impact on the bank’s business operations
4. Controls Describe any control measures that would help the supplier deliver the required service/system in accordance with the requirements of the bank
5. Substitutability Is the service substitutable, i.e. are there other ways/mechanisms to provide a similar service to customers? Please provide an explanation. In the event that the supplier becomes unable to deliver the agreed service/system, what alternative arrangements are available and for how long can they be deployed, i.e. are they available on a permanent or temporary basis?
6. Date of internal sign-off and level, i.e. Board, Board delegate, etc. (name and position) The proposal is required to have received internal sign-off in line with the bank’s internal processes before Reserve Bank non-objection is sought
7. If the proposed arrangement is with the parent company or a related party of the parent company, outline how the separation plan has been considered
8. Outline why you think the proposal is compliant with the outsourcing policy
9. Does the proposal contain the required contractual arrangements outlined in the policy?

29 Appendix four – submission table Q1 Q2 Q3 Q4 Q5 Q6 Q7 Q8 Q9 Q10 Q11 Q12 Q13