2022-05-11

Final Outsourcing Policy Decisions for Registered Banks

The Reserve Bank of New Zealand issued final policy decisions revising the outsourcing framework for registered banks to mitigate operational risks while maintaining business flexibility. The updated policy introduces a formal definition of outsourcing, mandates robust backup capabilities for functions outsourced to overseas parents, and requires banks to maintain separation plans and a comprehensive compendium of arrangements. Additionally, the framework clarifies basic banking services, establishes a streamlined engagement process for non-objection applications, and sets a five-year transition path for compliance with the new requirements.


New Zealand

Reserve Bank of New Zealand


Final policy decisions on the revised policy proposals for the review of the outsourcing policy for registered banks February 2017

I. Introduction and background

  1. This paper outlines the final policy decisions for the revised outsourcing policy for registered banks. The development of the policy followed a stocktake of banks’ understanding of the existing outsourcing policy in 2014. An analysis on submission feedback from both rounds of consultation can be found in the Summary of Submissions. The Regulatory Impact Statement provides an analysis of the options the Reserve Bank considered when reviewing the outsourcing policy.
  2. There have been two rounds of consultation on the outsourcing policy (2015 and 2016), along with numerous meetings with banks and other affected stakeholders.
  3. The Reserve Bank recognises that outsourcing by banks can have a positive impact on banks’ cost efficiencies and exposures to certain risks, and can allow banks to access specialist expertise that would otherwise not be available, or would be expensive to maintain internally. However, failure of outsourcing arrangements has the potential to disrupt the provision of banking services in business-as-usual situations and could increase the likelihood of a banking failure. There is also a clear risk that outsourcing arrangements may impede attempts to manage a failed bank, with the potential to increase costs through limiting the flexibility and the range of potential exit options available.
  4. In developing its decisions on the outsourcing policy, the Reserve Bank has sought to mitigate the risks of outsourcing while providing banks with flexibility as to how they meet the outcomes of the policy so as to take account of their differing business models. Therefore, the outsourcing policy decisions have sought to ensure that banks can outsource functions so long as they are able to meet the outcomes of the policy.

II. Final policy decisions following the 2016 consultation paper

  5. Following submission feedback on both rounds of consultation the Reserve Bank has made the following final policy decisions. These decisions have been significantly shaped by the submissions and other feedback we have received. The Reserve Bank would like to thank stakeholders for their engagement throughout the development of this policy.

I. Definition of Outsourcing

  6. The current outsourcing policy (BS11) does not have a definition of outsourcing and relies on section 78(1)(fb) of the Reserve Bank of New Zealand Act 1989 (the Act). The 2015 consultation paper proposed to adopt a formal definition for outsourcing in order to focus the range of issues that would potentially be relevant for the policy. Having considered a number of options for the definition, the Reserve Bank consulted on and will be adopting the following: “Outsourcing is defined in this policy as a registered bank’s use of a third party (either an affiliated entity within a corporate group or an entity that is external to the corporate group) to perform activities on a continuing basis that could be undertaken by the registered bank, now or in the future.”
  7. The definition is a modified version of the definition in the Basel Committee’s report on Outsourcing in Financial Services.

II. Outcomes

  8. In the 2015 consultation paper, it was noted that banks have had variable application of the existing outsourcing policy, and it was felt that the wording for the “outcomes” could be tightened to provide more clarity. For example, some banks seemed to have focused on business continuity involving a natural disaster or technology failure, and not how to continue to operate under a stress event occasioned by a complete supplier or bank failure. It is also unclear whether banks had robust alternative arrangements in place on an on-going basis. Both of these considerations are particularly relevant to ensure the viability of Open Bank Resolution (OBR).
  9. Consistent with the current BS11, the following outcomes will be adopted (revisions are italic):
     a) The bank is able to continue to meet its daily settlement and other time-critical obligations, before the start of the value day after the day of failure and thereafter, so as to avoid disruption and damage to the rest of the financial system;
     b) The bank is able to monitor and manage its financial market positions, including credit and market risk positions, before the start of the value day after the day of failure and thereafter, thereby limiting further damage to the bank’s balance sheet;
     c) The bank has at hand the systems and balance sheet data necessary for the New Zealand authorities to have available a range of options for managing the failed bank, on the first value day after the day of failure and thereafter;
     d) The bank is able to provide basic banking services to existing customers, including, but not limited to, liquidity (both access to deposits and to credit lines as defined in basic banking services) and account activity reporting, on the first value day after the day of failure and thereafter;
     e) Where a bank is part of an overseas banking group, the bank is able to meet outcomes (a) – (d) as a stand-alone entity in the event of separation from its parent, every day thereafter.
  10. The Reserve Bank proposes to keep the existing wordings on outcome (a) but clarify in the policy what would be included in “other time critical obligations” to ensure that the policy is forward looking and there are no unintended gaps. Further feedback on the wording will be sought as part of the exposure draft consultation.

III: Definition of Basic Banking Services

  11. Both the current BS11 and the 2015 consultation paper did not include a definition of the basic banking services that banks were expected to provide to existing customers. Feedback from submitters suggested that such a definition would provide more clarity to banks.

  12. This feedback was taken on board, and in the second consultation, the following definition was proposed: “The key retail and business services that bank customers typically rely on, where the disruption or sudden discontinuation of the function would be likely to have a material negative impact on a significant number of third parties that rely on such services and lead to contagion effects, including significant adverse effects on market confidence”.
  13. For the purpose of the proposed policy, the Reserve Bank has also developed the following list of basic services that a bank would be expected to provide to existing customers upon separation from their parent bank. These cover both existing and new arrangements to those existing customers:
     • Transactions accounts or similar products used by individuals and businesses for their transactional, everyday banking needs. A bank must be able to continue to provide ATM services, given the importance of cash in times of a crisis, e.g. a major earthquake. In addition, customers should be able to access their accounts through at least two of the most commonly used channels.
     • Savings accounts and term deposit accounts, which are usually held by individuals and entities who also engage in transactional banking. These deposits are either on-call or mature on a regular basis and are an integral part of individuals and businesses’ common banking needs.
     • Lending services to individuals and businesses, such as credit cards, overdraft facilities, revolving credit facilities, existing mortgage commitments (including pre-approvals) and mortgage facilities.
     • Account activity reporting for the relevant accounts individuals and businesses hold.
     • Payment, clearing and settlement services, such as credit card/merchant acquiring services and agency arrangements (including financial market infrastructure (FMI) access for smaller banks).
  14. One submitter also suggested that institutional customers for whom the bank provides bespoke services should be excluded from the definition of basic banking services, given the low number of customers and high cost of providing the systems to manage these customers. It was also noted that institutional customers generally have multiple banking relationships and can more readily substitute the services they receive from one bank to another.
  15. This submitter has suggested the following definition of institutional customer: “A large business or public or quasi-public enterprise, operating on a trans-Tasman or global basis – either multi-banked or able to source funding from multiple domestic or off-shore markets.”

  16. Given the high costs of maintaining bespoke services for institutional customers who are able to substitute services reasonably easily, the Reserve Bank considers that the bespoke services provided to these customers should be excluded from the definition of basic banking services. However, banks will be required to move these customers onto the platforms used for banking services in the event of a separation from their parent (although banks can continue to use the bespoke systems for institutional customers if they would like to).
  17. However, if banks plan to not provide bespoke services to institutional customers post a separation, they will be required to specifically disclose this to those affected customers in advance. Banks will also need to have the capability to shift institutional customers to basic banking services platforms, and will need to manage and wind down any existing arrangements.

IV: Backup capabilities for functions outsourced to an overseas parent or related party

  18. While the requirement for back-up capability is a part of the existing outsourcing policy, the Reserve Bank has not articulated the expectations for these arrangements. Where a bank outsources a function to its overseas parent or a related party it will be required to have a robust back-up arrangement for these outsourced functions. Based on submission feedback from the consultations the Reserve Bank has defined this as follows (changes have been highlighted):
     • There is no capability to permanently lose transactions. The timeframe on what is meant by “permanently” would be consulted as part of the Exposure Draft.
     • The switch over would be expected to be delivered within 4 – 6 hours and a bank must be able to meet its obligations under OBR including settlement – for functions related to outcomes (a), and (b) (plus (e) to the extent that it is applicable).
     • The switch over would be delivered before 9am the day the bank is due to reopen (i.e. the value day after being placed into statutory management) – outcomes (c) and (d) (plus (e) to the extent that it is applicable).
     • The contingency arrangement is sustainable, in that it could be deployed as the primary mechanism, on an on-going and fully automated basis, to deliver the outsourced function with minimal impact and disruptions to both the bank’s customers and the bank’s own business operation.
     • Testing is conducted on an annual basis in a live simulation environment that mirrors the live environment to ensure that the back-up arrangement will work as intended. Separate to this, banks are required to ensure that changes made to the live environment will also be made in the simulation environment.
     • External review is conducted at least every three years to ensure the arrangement remains robust. However, an annual external review is required during the five-year transitional period.

     • The bank must have direct ownership and/or control over the standby system. This does not necessarily mean that the system needs to be located in New Zealand, but that the NZ locally incorporated bank should have the legal and practical ability to control the standby system (i.e. that they own the system [or have a direct relationship with the third party provider for that system] and the data that is required to use it). This backup arrangement cannot be provided by a parent or a related party of the parent.
  19. While the back-up capability requirements have certain timeframes set around them to ensure that a bank will be able to reopen at 9am the day after being placed into statutory management, it is important for banks to recognise that these timeframes do not affect the timeframes for OBR and banks must ensure that they can meet the requirements of that policy.
  20. The Reserve Bank will also consider alternative arrangements to the back-up capability requirements where a New Zealand bank has an arrangement with a related party that is not the parent bank or a related party of the parent bank. In considering these arrangements, the Reserve Bank will look at matters such as:
     a) whether the New Zealand bank has legal and practical control over the arrangement;
     b) whether the parent, another related party, or any overseas authorities may be able to frustrate the arrangement;
     c) the relationship between the New Zealand bank and the related party;
     d) what functions or activities the related party will be undertaking on behalf of the New Zealand bank; and
     e) whether the related party will also be providing services to any other related parties.
  21. For arrangements with independent third parties banks will be able to rely on the robust DR/BCP requirements provided by the independent service provider.

V: The White List

  22. In the 2015 and 2016 consultation papers it was proposed to include in the outsourcing policy a list of functions that would generally not be considered as relevant to the policy. This would help to clarify the arrangements that would be relevant for the purposes of the policy. This has been an approach that a number of jurisdictions have adopted.
  23. In the follow-up engagements with banks, refining the white list has been one of the strong focuses, and these were reflected in the feedback received in this round of consultation.

  24. Of particular importance is the treatment of software. Banks have suggested that a number of categories of software be added to the white list to minimise their interactions with the Reserve Bank. The two most important categories are software licensed in perpetuity (i.e. there are no termination rights from the service provider) and licensed software that is hosted on the NZ banks’ systems and where there is no reliance on a third party for support or maintenance. These categories of software are different from licensed off-the-shelf software where the provider could have termination rights in a crisis event.
  25. The Reserve Bank is in the process of finalising the white list based on the useful feedback; we have included a proposed white list of functions in appendix one. The Reserve Bank plans to seek clarification from the banks on a few suggested categories as part of our consultation on the Exposure Draft. The updated white list is expected to be consulted on, along with the Exposure Draft, later in Q1 2017.
  26. Some submitters have suggested functions that the Reserve Bank considers would never be expected to be included in the definition of outsourcing, such as catering services and corporate uniforms. Having weighed up the options at this stage the Reserve Bank does not anticipate including such functions on the white list. However, this can be readdressed with submitters when the exposure draft is released.

VI: Engagement Process

  27. BS11 currently presumes that outsourcing of a core function will be permitted where the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes. However, BS11 does not contain a specific process for how banks should engage with the Reserve Bank on these matters.
  28. The lack of a more explicit engagement process has given rise to variability in the way in which banks engage with the Reserve Bank on their outsourcing arrangements. This prompted the Reserve Bank to propose a more explicit engagement process between banks and the Reserve Bank in the 2015 consultation. Specifically, it was proposed that banks file a short form application for non-objection on all outsourcing arrangements that are not on the “white list”. The Reserve Bank would then have 20 working days to assess the application and either provide a notice of non-objection or inform the bank that a full application is required. The short form application would contain fairly high-level information on the proposed outsourcing arrangement.
  29. Having listened to feedback and weighed up the options the engagement process has been revised as follows. This should further reduce compliance costs for banks, while still meeting the objectives of the outsourcing policy:
     • Require banks to only submit applications to the Reserve Bank that are with or contracted through their parent or a related party;
     • For all arrangements with an independent party banks must ensure that they fully comply with the outsourcing policy requirements, but they will not require Reserve Bank non-objection before entering into an arrangement; and
     • On the external review (as noted in the previous section):
        o For the first five years, banks obtain a yearly external review to ensure that the bank is complying with the outsourcing policy and is meeting the agreed deadlines for compliance; and

        o After the first five years banks will then be required to have a three-yearly external review (where the terms of the review are set by the Reserve Bank).
  30. It is important to note that any non-compliant arrangements must be amended ex-post.

VII: Contractual Terms

  31. In the 2015 consultation paper it was proposed that a number of matters be included in an outsourced arrangement, to ensure that outsourcing arrangements are robust and that functions outsourced to independent third parties, and arrangements made through the parent or a related party, will remain available following a failure. These matters include:
     a) a contractual provision to ensure continuing access on normal commercial terms to services when the bank enters statutory management;
     b) parallel rights for arrangements made through the parent or a related party to ensure continuing access to the services where the bank is separated from its parent; and
     c) the ability for the Reserve Bank to have access to documentation and information related to the outsourcing arrangement.
  32. A list of further contractual terms, such as service levels and performance requirements and business continuity management were also included as expectations for robust outsourcing arrangements.
  33. Feedback was generally positive and no change was proposed in the 2016 consultation, except to note that the Reserve Bank will be consulting on a BCP policy in due course and these contractual terms may be moved to another Banking Supervision Handbook document as a part of that review. However, just recently questions have been raised around the contractual terms. The Reserve Bank will work with banks to address this as part of the exposure draft.

VIII: The Compendium

  34. Both consultation papers proposed that banks maintain a compendium of their outsourced functions, though who these were maintained with, and how the condition of registration would work differed between the consultations.
  35. We note that the COR is drafted in such a way that it focuses on the bank having “appropriate process in place to maintain a compendium”. If the bank has a robust process in place but mistakenly does not update the compendium within the timeframe required by the COR, then this would not necessarily be a breach of the COR. However, if the bank were to repeatedly fail to update its compendium then it would likely show that the process in place is not adequate and may be a breach of the COR. We would clarify this further in the Exposure Draft.
  36. Submitters also sought a longer period for updating the compendium, noting that five working days was too short. The Reserve Bank considered this timeframe and tends to agree that it may be too short. It will now be extended from “five working days” to “twenty working days”.

  37. Banks have also suggested that an internal audit of the compendium each quarter is too frequent. Some have suggested that the requirement should be annual, while others have suggested that it be done away with completely.
  38. Having weighed up the submissions the Reserve Bank proposes that an annual internal audit review should provide us with sufficient comfort, given that the Reserve Bank should have more oversight of the arrangements banks are entering into. The COR would therefore be amended as follows:

     That the registered bank has appropriate processes in place to maintain a compendium of its outsourcing arrangements in a form that is available to be sent to the Reserve Bank on request, and that include, in particular –
     a) Arrangements for the compendium to be updated within 20 working days of an outsourcing arrangement being effective; and
     b) Annual review of the compendium by the bank’s internal audit function to ensure it is up to date.

IX. Separation Plan

  39. Both consultation papers proposed that an explicit requirement for a separation plan be included in the policy. The purpose of this was to describe the processes a bank would have to undertake in the event that the parent fails, or that the NZ bank is separated from its parent. It was noted that the separation plan should not assume that the bank goes into wind-down in the event of separation. Rather, the plan should assume that the bank continues to operate on a business-as-usual basis in order to meet the outcomes of the policy and provide basic banking services at a minimum.
  40. More specifically, it was proposed that the separation plan should set out how the bank will, from the day of being placed into statutory management and, if necessary, indefinitely thereafter:
     a) execute its clearing, settlement and payment obligations;
     b) monitor and manage its financial risk positions;
     c) manage the operational responsibilities for the separation;
     d) ensure parallel rights for the New Zealand bank are available for functions outsourced through the parent or a related party;
     e) set out robust alternative arrangements for systems that are owned or controlled by the parent or a related party;
     f) set out how the back-up capability will be switched over, including the timeframes for doing so; and
     g) set out how the bank will meet the outcomes of the outsourcing policy.
  41. It was also proposed that the separation plan should set out the timeframes in which all processes have to be completed and which staff positions are responsible for taking these actions, including a clear chain of command and a communications plan.

  42. The Reserve Bank also noted that the separation plan would be required to be tested on an annual basis (i.e. every 12 months, not once within a calendar year).
  43. The Reserve Bank is not proposing to make any changes to this policy requirement.

X. Transition path to compliance

  44. The 2015 consultation paper proposed a two and a half year transition path to compliance for banks, made up of a 6 month planning period and two further years to reach compliance with the revised policy.
  45. Following submission feedback that suggested a longer transition path, the 2016 consultation paper proposed a five year transition path to compliance. The Reserve Bank considered that five years would be sufficient on the basis that most contracts for outsourcing arrangements roll over on a two to three yearly period, so extending the transition path to five years should provide a sufficient period for banks to comply with the revised policy.
  46. The Reserve Bank proposes to retain the five year transition period for compliance with the revised policy.

XI. Threshold

  47. Outsourcing currently applies to all locally incorporated banks whose NZ liabilities, net of amounts due to related parties, exceed NZ$10 billion. At the time the threshold was set it focused on “systemically important banks” given that they presented the greatest risk of causing significant damage to the financial system if they failed.
  48. Since the introduction of BS11 in 2006, the Bank has implemented the OBR Policy, a tool that manages bank failures. The threshold for the OBR policy is set at any locally incorporated bank with retail funding over NZ$1 billion. This is a lower threshold than BS11, reflecting the fact that smaller institutions would likely benefit from pre-positioning on the grounds that a more orderly resolution of a failure event may be preferable even in scenarios in which systemic concerns may be limited.
  49. When reviewing BS11, the Reserve Bank considered there was a case for reviewing the threshold for the outsourcing policy given the relationship between outsourcing and the continuation of essential bank services during times of financial distress. With this in mind, the 2015 consultation paper sought feedback on the following two options:
     • Retaining the existing threshold of NZ$10 billion in liabilities, net of amounts owed to related parties; or
     • Aligning the outsourcing threshold with the threshold for OBR pre-positioning, being NZ$1 billion in retail funding.
  50. On balance, the Reserve Bank concluded in the second consultation paper that it would retain the existing threshold for BS11, to maintain the focus on systemically important banks only. The Reserve Bank also agreed that there was a case to strengthen BCP requirements for all banks. The Reserve Bank plans to consult on a BCP policy for all banks in due course, which would likely also cover the contractual terms (discussed earlier) as they were expected to apply to all banks.

III. Next steps

  51. Later in Q1 2017 the Reserve Bank intends to release an exposure draft on the revised outsourcing policy for consultation on the drafting and workability of the policy.
  52. Following submissions the Reserve Bank will review and release a final policy. It is anticipated that this will be released in Q2 2017.

Appendix one: Options for the revised white list

  1. Telecommunication services, equipment and public utilities (including predictive dialler and automated voice recording services);
  2. Discrete advisory services (e.g. legal opinions, certain client-related investment advisory services that do not result directly in investment decisions);
  3. Share, domestic note and bond registry and management services;
  4. Securities trading agent/provider;
  5. Sales, promotional and direct marketing products and activities;
  6. Sponsorship, brand or promotional arrangements;
  7. Fleet leasing services;
  8. Rental property leases;
  9. Temporary help and temporary contract personnel;
  10. Generic or specialised recruitment and training services, and other incidental human resources related to these activities;
  11. Repair, support and maintenance of fixed assets (whether owned or leased);
  12. Security system, premises access and guarding services;
  13. Market information and data services (e.g. Moody’s, Bloomberg, Standard and Poor’s, Fitch, Reuters or equivalent), including market research and analysis services;
  14. Title search and security/collateral registration services;
  15. Real estate appraisal and valuation services;
  16. Reference and background check services;
  17. Debt collection;
  18. Production of plastic cards and cheques;
  19. Custodial services;
  20. Sales and distribution arrangements such as mortgage brokers, financial planners and other commission-based arrangements;
  21. Certain categories of software (as defined below):
     a. Proprietary software or software licensed in perpetuity with no termination rights that is hosted on the New Zealand bank’s systems, and there is no reliance on a third party for support or maintenance (other than for routine standard support offering from the software vendor);
     b. Licensed software (term or subscription) that is hosted on the New Zealand bank’s systems, is licensed to the New Zealand bank directly, there is no reliance on a third party for support or maintenance (other than for routine standard support offering from the software vendor), the provider does not have termination rights in a crisis event, and either:
        i. could be transitioned to an alternate provider; or
        ii. has escrow arrangements for source code.
     c. Licensed software that is licensed directly to the New Zealand bank to the extent it exclusively relates to one or more white listed functions;
     d. Support or maintenance of either proprietary or licensed software that is licensed to the New Zealand bank directly to the extent it exclusively relates to one or more white listed functions.
  22. Fraud and forensic detection and monitoring services;
  23. Agency and trustee arrangements for:
     a. treasury programmes; and
     b. syndicated loan facilities.
  24. Wealth and insurance functions;
  25. Data mining, customer surveying and rewards programmes for marketing purposes;
  26. Data matching services, including personal information matching, valuation data and credit reporting;
  27. Internet and network security services, including penetration testing;
  28. Sanctions filtering systems;
  29. Annual renewals or rollovers of a contract with an independent third party which confirms the commercial terms only;
  30. Variations to contracts with independent third parties where only the commercial terms are being varied.