2022-06-20

Reserve Bank of New Zealand White List for BS11 Outsourcing Policy

The Reserve Bank of New Zealand issued this document to define specific services and functions that are exempt from the strict outsourcing requirements of Prudential Supervision Policy BS11. The white list categorizes low-risk activities across sectors such as financial markets, human resources, IT software, and general procurement, allowing banks to outsource these functions without triggering full outsourcing compliance. Banks must ensure that any service directly relevant to BS11 outcomes is not allocated to this list and must reassess contracts upon renewal to maintain compliance.


New Zealand

Reserve Bank of New Zealand


Ref #X598778 v1.4

White list for the Purposes of BS11: Outsourcing Policy Prudential Supervision Department 20 June 2022

Prudential Supervision Department Document for the Purposes of BS11

Document version history

September 2017 Issued
October 2018 Issued
April 2019 Issued
August 2019 Issued
October 2019 Issued
March 2020 Issued
December 2020 Issued
May 2021 Issued
June 2021 Issued
February 2022 Issued
June 2022 Issued

Note

A bank must first determine that a service or function is not directly relevant to BS11 outcomes before assessing if the service or function can be allocated to a White list item category. For the avoidance of doubt, if the bank determines that a service or function is directly relevant to BS11 outcomes then the service or function cannot be allocated to a White list item category. White list 8.1 is specifically excluded from the consideration determined in this cover note. This cover note is effective from 1 July 2019, with no immediate requirement to re-assess services or functions that have already been allocated to a White list category. All contracts must be reassessed when the contract comes due for renewal and must be compliant with the cover statement by the end of the transition period. Any proposed exception to this must be agreed with the Reserve Bank on a bilateral basis. [1]

Note

Functions approved for inclusion on the White List are identified numerically in this document. For the purposes of readability and ease of use only, the Reserve Bank has grouped functions with similar processes or objectives into categories. The existence of a category does not confer a wider scope of approved White listed functions than those that are specifically listed under that category heading.

[1] Updated 20 March 2020

All of the material set out in this document forms part of the requirements referred to in the conditions, except material that is identified as guidance by being included in a shaded box like this.

Section One: Financial markets activities

1.1 Share, domestic note and bond registry and management services. [Historic ref.: 3 | Last updated: Sep-17]

1.2 Arrangements with securities trading agent/providers in circumstances where these services are only being offered by a large bank to its own clients and are separate from and not otherwise being used for the management of the large bank’s own financial and risk positions. Also, there are appropriate controls in place to ensure the separation is maintained. [Historic ref.: 4 | Last updated: Oct-19]

1.3 deleted [Historic ref.: 17 | Last updated: Sep-17, Deleted Jan-22]

1.4 deleted [Historic ref.: - | Last updated: Deleted Feb-22]
(a) deleted [Historic ref.: 20(a) | Last updated: Sep-17]
(b) deleted [Historic ref.: 20(b) | Last updated: Sep-17]

Section Two: Global reporting, AML, other similar monitoring

2.1 Fraud and forensic detection and monitoring services. [Historic ref.: 19 | Last updated: Sep-17]

2.2 deleted [Historic ref.: 24 | Last updated: Sep-17, Deleted Feb-22]

2.3 Foreign Account Tax Compliance Act compliance requirements. [Historic ref.: 35 | Last updated: Sep-17]

2.4 Common Reporting Standards (also informally referred to as the Global Account Tax Compliance Act) compliance requirements. [Historic ref.: 41 | Last updated: Feb-18]

2.5 Software or applications (that are compliant with AML rules) for biometric authentication, digital verification and image capture for on boarding of customers to new services. [Historic ref.: 43 | Last updated: Feb-18]

2.6 Functions related solely to meeting regulatory requirements for the parent bank’s home regulator and not related to any New Zealand regulatory requirements. [Historic ref.: New | Last updated: Oct-19, Amended Feb-22]

2.7 Anti-Bribery & Corruption functions and services (including assessment, advice, procedures, tools, systems, monitoring and reporting), including those contributing to meeting best practice requirements (based on individual bank practices, applicable local/group policies and global standards). [Historic ref.: New | Last updated: Sep-18]

2.8 deleted [Historic ref.: New | Last updated: Dec-18, Deleted Feb-22]

2.9 Functions for the management and governance of business processes and policy relating to gifts, entertainment and conflict of interest. [Historic ref.: New | Last updated: Mar-19]

2.10 Sustainability, environmental and corporate social responsibility functions and supporting tools that are not undertaken to meet legal or regulatory obligations and that the bank is not otherwise compelled to comply with, excluding any functions or services that relates to the provision of basic banking services. [Historic ref.: New | Last updated: May-19]

Section Three: Sales & product origination

3.1 Sales, promotional and direct marketing products and activities. [Historic ref.: 5 | Last updated: Sep-17]

3.2 Title search and security/collateral registration services. [Historic ref.: 13 | Last updated: Sep-17]

3.3 Sales and distribution arrangements such as mortgage brokers, financial planners and other commission-based arrangements, including related reconciliation activities. [Historic ref.: 18 | Last updated: Feb-18]

3.4 Wealth and insurance functions. [Historic ref.: 21 | Last updated: Sep-17]

3.5 Real estate appraisal and valuation services. [Historic ref.: 30 | Last updated: Sep-17]

3.6 Customer sales generation tools that have no bearing on credit assessment, risk grade assessment, or financial, credit or liquidity position identification. [Historic ref.: 37 | Last updated: Sep-17]

3.7 deleted [Historic ref.: New | Last updated: Jul-18, Deleted Feb-22]

3.8 deleted [Historic ref.: New | Last updated: Jul-18, Deleted Feb-22]

3.9 Capture of customer pre-orders (an intention to transact with pre-determined transaction requirements) for Financial Market Products (e.g. commodities, fixed income and foreign exchange transactions) to be filled at a time in future and not executed if pre-determined conditions are not met. It is independent of the deal booking and risk systems. Prior to execution, both the bank and the customer can cancel the pre-order at any time. [Historic ref.: New | Last updated: Sep-18]

3.10 deleted [Historic ref.: New | Last updated: Oct-18, Deleted Feb-22]

3.11 Content design, authoring, editing, publishing and uploading software and services (including fonts) used for the purposes of manually creating, editing, publishing and uploading content and designs such as videos, images, wireframes, documents and slideshows, both for internal and external use. For the avoidance of doubt, a bank must still retain the capability to publish essential communications via its channels e.g. notices to its website. [Historic ref.: New | Last updated: Feb-22]

Section Four: Ongoing client/customer activity and recoveries

4.1 Debt collection: the function of contracting debt recovery services to a specialised third party debt collection company. [Historic ref.: 15 | Last updated: Sep-17]

4.2 Merchant currency conversion services for international cardholders. [Historic ref.: 38 | Last updated: Sep-17]

4.3 Push notification alerts opted in by customers that are triggered by customer activity, but not related to basic banking services. [Historic ref.: New | Last updated: Sep-18]

4.4 deleted [Historic ref.: New | Last updated: Oct-18, Deleted Feb-22]

4.5 deleted [Historic ref.: New | Last updated: Oct-18, Deleted Feb-22]

4.6 Customer financial insights tools, software and applications, which allow customers to make better informed financial decisions (based on the information derived from their own accounts and spending habits) excluding payment or transfer functionality. [Historic ref.: New | Last updated: Dec-18]

4.7 deleted [Historic ref.: New | Last updated: Dec-18, Deleted Feb-22]

4.8 Systems and tools that provide the capability to present third party information and banking information to customers on a dashboard, including where data is sourced directly from third party applications via data feeds. [Historic ref.: New | Last updated: Mar-19]

4.9 Arrangements to use ATMs provided by another bank or alternative ATM operator. [Historic ref.: New | Last updated: April-19, Amended Feb-22]

Section Five: Human resources

5.1 Temporary help and temporary contract personnel. [Historic ref.: 9 | Last updated: Sep-17]

5.2 Generic or specialised recruitment and training services, and other incidental human resources related to these activities. [Historic ref.: 10 | Last updated: Sep-17]

5.3 Reference and background check services. [Historic ref.: 14 | Last updated: Sep-17]

5.4 Workplace health and safety incident and hazard recording, reporting and management systems. [Historic ref.: 32 | Last updated: Sep-17]

5.5 Human Resources management and reporting (including the systems, applications and personnel necessary for this function) related to: [Last updated: Mar-19]
(a) recruitment; [Historic ref.: 34 | Last updated: Feb-18]
(b) learning and development; [Historic ref.: 34 | Last updated: Sep-17]
(c) determination of remuneration; [Historic ref.: 34 | Last updated: Sep-17]
(d) performance management; [Historic ref.: 34 | Last updated: Sep-17]
(e) career transition services; and [Historic ref.: 34 | Last updated: Feb-18]
(f) workforce planning and analytics which does not relate to day to day staffing. [Historic ref.: 34 | Last updated: Feb-18]

5.6 deleted [Historic ref.: New | Last updated: Jul-18, Deleted Feb-22]

Section Six: Specialist services, consultancy and advice

6.1 Discrete advisory services (including, legal opinions, tax advice, business strategy, professional support relating to information technology and communications, certain client-related investment advisory services that do not result directly in investment decisions). [Historic ref.: 2 | Last updated: Sep-17]

6.2 deleted [Historic ref.: 31 | Last updated: Sep-17, Deleted Feb-22]

6.3 Project management applications and systems. [Historic ref.: 33 | Last updated: Sep-17]

6.4 deleted [Historic ref.: New | Last updated: Jul-18, Deleted Feb-22]

6.5 Payments NZ’s managing of the registration of service providers with the card schemes. [Historic ref.: New | Last updated: Feb-19]

6.6 Translation of customer queries/requests and bank responses or updates in relation to queries/requests. The translation service is provided solely to support customer experience and is not provided to a significant number of customers. The service provider may have read-access to bank systems solely for the purpose of facilitating translation, but the service provider may not have system access / functionality to fulfil the customer query/request. [Historic ref.: New | Last updated: Feb-19]

Section Seven: Data & documents – supply, management, analysis

7.1 Data masking and encryption services, data mining, and rewards programmes for marketing purposes. [Historic ref.: 22 | Last updated: Feb-18, Amended Feb-22]

7.2 Customer, staff and stakeholder surveying, market research and analysis services. [Historic ref.: 28 | Last updated: Sep-17, Amended Feb-22]

7.3 Data matching services, including personal information matching. [Historic ref.: 29 | Last updated: Sep-17, Amended Feb-22]

7.4 Physical and electronic document storage and archiving systems and services. [Historic ref.: 36 | Last updated: Sep-17, Amended Feb-22]

7.5 Internal application management tool that manages bank staff who are using hand held devices for accessing corporate emails and corporate Sharepoint sites, including identifying and accessing control; compliance with information security requirements; and protection of bank’s data and information. The relevant devices are those that are not a staff member’s primary hand held IT device / computer. [Historic ref.: New | Last updated: Mar-19]

7.6 Expense management systems used to manage expenses incurred by bank staff using a bank issued credit card in the bank’s name or personal funds. [Historic ref.: New | Last updated: Sep-18]

7.7 Digital signature services for digitally executing documents. [Historic ref.: New | Last updated: Nov-18]

7.8 Preparation and maintenance of group and related party policies and strategic documents to ensure consistency across the group that boards of the NZ banks then adopt (and sometimes vary), maintain and execute. [Historic ref.: New | Last updated: Dec-18]

7.9 Expense management system used by customers for coding, tracking and reconciliation of the client’s staff corporate card expenditure. [Historic ref.: New | Last updated: Feb-19]

7.10 Knowledge management systems that are used internally only (and are not customer facing) to provide a single point of access to reference information where the system is not the sole, primary, or business-as-usual repository for that information. The information cannot be identifiable customer data or documentation (e.g. it could be highly aggregated customer data such as information used to analyse market share). [Historic ref.: New | Last updated: Feb-19]

7.11 Data analytics and reporting tools, which:
(a) are not the primary method to generate, capture, or store the data;
(b) are not used to monitor, manage, or influence decisions relating to the bank’s financial positions, including credit, liquidity, market risk and operational risk positions; and
(c) can be replaced or wound down with no material impact on decision making.
Data analytics and reporting tools include those used for: data discovery; collection; consolidation; storage; analytics and insights; behaviour modelling; and graphical data display / visualisation. [Historic ref.: New | Last updated: May-19]

Section Eight: IT – software packages

8.1 [Historic ref.: 25 | Last updated: May-19, Amended Jun-22]
(a) Software licensed to the bank whether on a perpetual basis or otherwise including for the avoidance of doubt, software/firmware that is installed on (or is pre-installed as a part of) equipment used by the bank, where:
i. the independent third party has no practical ability to intentionally disrupt or terminate the outsourcing arrangement; and
ii. the terms of the software licence contain no right for the licensor to terminate the licence due to the appointment of a Statutory Manager (or equivalent in the contract jurisdiction) or the occurrence of an insolvency event; and
iii. there is no reliance on the licensor to run, operate or maintain the software (other than for Routine Standard Support [1] offerings from the software licensor).
(b) Routine Standard Support [1] of software of the type set out in item 8.1(a) or of equipment owned or leased by the bank which is provided by the vendor or licensor of that software or equipment.
(c) Arrangements for the purchase of third party software licences from a software vendor who is only a reseller of third party software licenses and, as part of the arrangement, plays no other role in the licensing or support of the software.
(d) Software subject to a licence approved by the Open Source Initiative (https://opensource.org/licenses).
(e) Standard, non-customised “off-the-shelf” software that is available free of charge and downloaded into the bank’s environment (rather than being software as a service).

[1] Routine Standard Support means support services (typically including the provision of patches, updates and advice and in the case of equipment, break/fix or repair services) routinely offered by a software licensor or equipment vendor to all licensees or owners of a particular product.

8.2 Licensed software that is licensed directly to the New Zealand bank to the extent it exclusively relates to one or more white listed functions. [Historic ref.: 26 | Last updated: Sep-17]

8.3 Software or applications for the secure distribution and arrangement of board and committee documents and information and for the facilitation of voting. [Historic ref.: 42 | Last updated: Feb-18]

8.4 The capability to display maps on a bank’s website or other digital holdings, including software applications related to location-aware map display, taking data from other sources and overlaying it on top of maps, and tools for managing or improving the way that these maps are created and/or displayed. [Historic ref.: New | Last updated: Nov-18]

8.5 IT asset management software used to collate information from other sources, including via scanning agents and discovery tools located on a bank’s systems. The information is used internally to assist in managing the bank’s IT assets by providing a combined view of hardware, software and virtual assets. [Historic ref.: New | Last updated: Feb-19]

8.6 Tools / software to manage organisational structure, to build / develop organisational charts and / or to enable and facilitate people change initiatives, including automation and modelling capability in operating model alignment, organisation design, and selection & transition. [Historic ref.: New | Last updated: Feb-19, Amended Feb-22]

8.7 Tools / Software used for Information Communication Technology (ICT) data consolidation from multiple bank systems, analysis for presentation, monitoring and reporting. [Historic ref.: New | Last updated: Feb-19]

8.8 A bank’s website search engine capabilities and tools (being tools for undertaking information searches on a bank’s main website). [Historic ref.: New | Last updated: Feb-19]

8.9 Links to system operational status tools (including software applications relating to system status updates and IT outage notification pages). [Historic ref.: New | Last updated: Feb-19]

8.10 Systems for internal staff communication for the purpose of collaboration but excludes systems that (1) are the primary staff email system; (2) contain a record of customer instructions, formal business decisions, or bank or customer transactions; or (3) are the sole (or primary) means of communicating formal business decisions. [Historic ref.: New | Last updated: Mar-19]

8.11 Software for vendor invoice consolidation to process through Accounts Payable. [Historic ref.: New | Last updated: Mar-19]

8.12 Automated configuration management tools for compliance and remediation of software configurations in line with corporate IT standards & configurations. [Historic ref.: New | Last updated: Mar-19]

8.13 Electronic invoicing (“e-invoicing”) service / system which allows the direct exchange of invoices between a bank’s customer’s finance systems with its own customers’ finance systems. [Historic ref.: New | Last updated: Apr-19]

8.14 Workflow management and reporting tools. [Historic ref.: New | Last updated: Apr-19]

8.15 IT tools that support the management and storage of software development artefacts such as executable files, compiled libraries and source codes. [Historic ref.: New | Last updated: May-19]

8.16 Systems for supporting platforms which streamline the email communication process of connecting buyers and sellers of SME businesses [Historic ref.: New | Last updated: May-19]

8.17 Software that automates tax code mapping and / or tax calculations for the purpose of generating financial statements and / or tax returns in relation to the New Zealand bank and its subsidiaries, where:
(a) the software is not the sole source or repository of tax information, and
(b) the mapping and / or calculations could be completed manually by staff of the New Zealand bank if required, and
(c) the workaround would not impact the bank’s ability to comply with tax filing timeframes.
[Historic ref.: New | Last updated: May-19, Amended Feb-22]

8.18 Applications that provide bank-wide communication tool for sharing incident alerts internally, where the tool is not the primary system used to record incidents and where the tool is not the only system available to alert staff to incidents [Historic ref.: New | Last updated: May-19]

8.19 Software package and services to assess code libraries for security vulnerabilities and licensing risk as part of a secure software development lifecycle, where the bank has a documented alternative manual process. [Historic ref.: New | Last updated: July-19]

8.20 deleted [Last updated: Deleted Jun-22]

Section Nine: IT – hardware, other services & support

9.1 Internet, network and mainframe security services, including penetration testing and PKI certificate management, and their associated monitoring and reporting functions. [Historic ref.: 23 | Last updated: May-19]

9.2 Support or maintenance of either proprietary or licensed software that is licensed to the New Zealand bank directly to the extent it exclusively relates to one or more white list functions. [Historic ref.: 27 | Last updated: Sep-17]

9.3 deleted [Historic ref.: 45 | Last updated: Feb-18, Deleted Feb-22]

9.4 Pre-production, development, testing and viability assessment activities for systems, applications, products or services (prior to being released into full production/go-live). [Historic ref.: 46 | Last updated: Feb-18, Amended Dec-20]

9.4(a) Proof of concept or pilot services implemented into a restricted production environment, where access is limited to a closed user group for a defined period of time of no more than a year without prior approval from the Reserve Bank, for testing and viability purposes prior to public/market launch as an approved banking product or service. For clarity, the service or function must be fully compliant with the BS11 policy before its public / market launch and / or release in a full production environment. [Historic ref.: New | Last updated: Dec-20]

9.5 Third Level Support of Open Source Software. [Historic ref.: New | Last updated: Jan-19]

9.6 Identity and Access Management processes that involves user access review, role change and employment termination processing only. [Historic ref.: New | Last updated: Feb-19]

9.7 Service to provide remarketing, disposal or destruction of used computer equipment and peripherals. [Historic ref.: New | Last updated: Mar-19, Amended Feb-22]

Section Ten: Production of physical items

10.1 Production, personalisation and distribution of plastic cards (subject to contingency arrangements to meet 3 months’ non-personalised proprietary debit / EFTPOS card issuance on the failure of the service) and printing of cheques - including distribution of related remittance notices. [Historic ref.: 16 | Last updated: Jun-19, Amended Dec-20]

10.2 Printing and scanning, but not the electronic preparation of, customer bank statements and other operational documentation and forms. This includes the data encryption functions used exclusively for the printing and scanning of those documents. [Historic ref.: 39 | Last updated: Oct-19]

Section Eleven: Provision of services

11.1 deleted [Historic ref.: 1 | Last updated: Sep-17, Deleted Feb-22]

11.2 deleted [Historic ref.: 6 | Last updated: Sep-17, Deleted Feb-22]

11.3 deleted [Historic ref.: 7 | Last updated: Sep-17, Deleted Feb-22]

11.4 Rental property leases, and lease and rental portfolio management and reporting applications. [Historic ref.: 8 | Last updated: Sep-17]

11.5 Installation, repair, support and / or maintenance of fixed assets (whether owned or leased). [Historic ref.: 11 | Last updated: Sep-17, Amended Feb-22]

11.6 Security system, premises access and guarding services. [Historic ref.: 12 | Last updated: Sep-17]

11.7 The provision of the following items of general procurement: [Historic ref.: - | Last updated: -]
(a) deleted [Historic ref.: 40(a) | Last updated: Sep-17, Deleted Feb-22]
(b) deleted [Historic ref.: 40(b) | Last updated: Sep-17, Deleted Feb-22]
(c) deleted [Historic ref.: 40(c) | Last updated: Sep-17, Deleted Feb-22]
(d) travel, transport and vehicle management services; [Historic ref.: 40(d) | Last updated: Feb-18]
(e) conference organising; [Historic ref.: New | Last updated: Jul-18]
(f) hotel and other accommodation booking services; [Historic ref.: New | Last updated: Jul-18]
(g) meeting facilities; and [Historic ref.: New | Last updated: Jul-18]
(h) cleaning services. [Historic ref.: New | Last updated: Jul-18]
(i) deleted [Historic ref.: New | Last updated: Jul-18, Deleted Feb-22]

11.8 Distribution and low level testing arrangements for devices (excluding staff primary system access devices) and other bank issued items (excluding device management and support, and switching and processing of transactions). [Historic ref.: New | Last updated: Feb-19, Amended Feb-22]