Outsourcing Policy. Financial Stability Department Document BS11. Issued: January 2006. Ref #2267614



Similar documents
U & D COAL LIMITED A.C.N BOARD CHARTER

Guidance on Arrangements to Support Operational Continuity in Resolution. Consultative Document

The Audit of Best Value and Community Planning The City of Edinburgh Council. Best Value audit 2016

Business Continuity Management

Statement of Guidance

Consultation paper: Revised policy proposals for the review of the outsourcing policy for registered banks

Managing Outsourcing Arrangements

Statement of Principles

GUIDE TO DIRECTORS DUTIES UNDER THE BVI BUSINESS COMPANIES ACT 2004

Advisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities

GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

INSURANCE LAWS AMENDMENT BILL

Statement of Guidance: Outsourcing All Regulated Entities

JNCC Committee Papers - September 2003

Code of Practice - Risk Management Including With Regard To Debtors

Performance Bond. Business):

Resource Management Services. 1. Introduction. 1.1 Background and Rationale for the Council s Involvement

Central bank corporate governance, financial management, and transparency

Model Template for 165(d) Tailored Resolution Plan

Dispute Resolution Service Policy

Consolidated Financial Statements

SUPERVISION GUIDELINE

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Statement of responsibilities of auditors and audited small bodies

COMMISSION REGULATION (EU)

GUIDANCE NOTE ON OUTSOURCING

He also has a duty not to diminish such assets as remain, so he is unlikely to enter into unprofitable contracts.

Performance Audit of the San Diego Convention Center s Information Technology Infrastructure JULY 2012

Act amending Banking Act (ZBan-1L) Article 1

Securing safe, clean drinking water for all

S TATUTORY INSTRUMENTS No. COMPANIES AUDITORS. Draft. Made *** Laid before Parliament *** Coming into force - - ***

Prudential Practice Guide

SaaS Terms & Conditions

Corporate Risk Management Policy

GUIDE TO SUMMARY WINDING UP OF A JERSEY COMPANY

Stockland "North Lakes Hot Lot" promotion Terms and Conditions

Ohio Supercomputer Center

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

CONTACT(S) Riana Wiesner +44(0) Jana Streckenbach +44(0)

Prudential Practice Guide

National Check Payments Certification. Fraud, Risk, and Risk Mitigation Part II. Copyright 2015 by the Electronic Check Clearing House Organization

THE PAYMENT AND SETTLEMENT SYSTEMS (AMENDMENT) BILL, 2014

Nauru Utilities Corporation Act 2011

Statement of responsibilities of auditors and audited bodies: Local authorities, NHS bodies and small authorities.

fdsfdsfdsfdsfsdfdsfsdfdsfsdfsd Square Box Systems Technical Support Agreement

FINAL NOTICE. (1) imposes on Bank of Beirut (UK) Ltd ( Bank of Beirut ) a financial penalty of 2,100,000; and

GENERAL TERMS AND CONDITIONS OF SUPPLY OF MONT.EL APPARECCHIATURE ELETTROELETTRONICHE S.R.L. PRODUCTS

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

Policy Statement PS20/15 Strengthening individual accountability in banking: UK branches of non EEA banks. August 2015

Policy Statement PS25/15 Contractual stays in financial contracts governed by third-country law. November 2015

OUTSOURCING POLICY

Criteria and Risk-Management Standards for Prominent Payment Systems

CONTENT OF THE AUDIT LAW

Outsourcing. FSA Regulated firms (including offshore outsourcing) Contents. March 2004

Clearing and Settlement Procedures. New Zealand Clearing Limited. Clearing and Settlement Procedures

RESEARCH COUNCIL HOMEWORKING GUIDANCE

Business Continuity Policy & Plans

South West Lincolnshire NHS Clinical Commissioning Group Business Continuity Policy

VOLUME 7A, CHAPTER 60: HEALTH PROFESSIONS SCHOLARSHIP PROGRAM FOR ACTIVE SERVICE SUMMARY OF MAJOR CHANGES. All changes are denoted by blue font.

DRAFT ONLY FOR DISCUSSION PURPOSES

Virginia Commonwealth University School of Medicine Information Security Standard

Statutes in translation Please note that this translations are not official translations. The translation is furnished for information purposes only

The APRA Supervision Blueprint

Unofficial Consolidation

Terms of Reference - Board Risk Committee

Cyprus International Trusts

Governance and the role of Boards

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

Financial Services Guidance Note Outsourcing

WOODWARD INC. DIRECTOR GUIDELINES

CHAPTER 5 THE GOVERNMENT OF THE HONG KONG SPECIAL ADMINISTRATIVE REGION COMPANIES REGISTRY TRADING FUND. Companies Registry

ELECTRICITY SUPPLY/ TRADE LICENSE KORLEA INVEST A.S

Submission to the Health Select Committee on the Substance Addiction (Compulsory Assessment and Treatment) Bill

ROYAL COLLEGE OF CHIROPRACTORS (RCC) PHD STUDENTSHIP GRANTS TERMS & CONDITIONS OF AWARD

Financial Planning Report

BANKING ORDINANCE. Authorization of Virtual Banks. A Guideline issued by the Monetary Authority under Section 16(10)

Model Commercial Paper Dealer Agreement Guidance Notes

AIRBUS GROUP BINDING CORPORATE RULES

CHAPTER E12 - ENVIRONMENTAL IMPACT ASSESSMENT ACT

OVERSIGHT STANDARDS FOR EURO RETAIL PAYMENT SYSTEMS

Corporate Governance in New Zealand Principles and Guidelines

Complaints and Compensation Policy

Private Health Insurance Administration Council (PHIAC) Cost Recovery Impact Statement. 16 June 2009 Increase in the Council Administration Levy

NCR Corporation Board of Directors Corporate Governance Guidelines Revised January 20, 2016

Delay, Disruption and Acceleration Costs

POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Technical support terms and conditions

ICT Digital Transformation Programme

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Terms and Conditions of Use and Sale as at 1 st January 2009

Standard conditions of the Electricity Distribution Licence

TERMS OF SERVICE TELEPORT REQUEST RECEIVERS

HSBC FINANCE CORPORATION CHARTER OF THE RISK COMMITTEE

ST HELENA TELECOMMUNICATIONS ORDINANCE, CAP 106 LICENCE TO OPERATE BROADCASTING STATIONS AND TO BROADCAST SERVICES (TELEVISION BROADCASTING LICENCE)

Objective and key requirements of this Prudential Standard

WORKPLACE INJURY MANAGEMENT AND WORKERS COMPENSATION (MEDICAL EXAMINATIONS AND REPORTS FEES) ORDER

Software Support Terms and Conditions INFORMATION SYSTEMS CORPORATION

Human Resources and Data Protection

Transcription:

Outsourcing Policy Financial Stability Department Document Issued:

2 A. Introduction 1. This document sets out the Reserve Bank of New Zealand s (Reserve Bank s) policy with regard to outsourcing, including an explanation of the term legal and practical ability to control and execute. 2. Section 74 of the Reserve Bank of New Zealand Act (the Act) permits the Reserve Bank to impose conditions of registration that relate to, among other things, the matters referred to in sections 78(1)(f) and 78(1)(fb) of the Act. These matters are, respectively: (f) (fb) internal controls and accounting systems or proposed internal controls and accounting systems arrangements for any business, or functions relating to any business, of the applicant or registered bank to be carried on by any person other than the applicant or the registered bank. 3. For the purposes of the outsourcing policy, outsourcing arrangements are those specified by section 78(1)(fb) of the Act. 4. Banks whose New Zealand liabilities, net of amounts due to related parties, exceed $10 billion (Large Banks) are normally subject to a condition of registration relating to outsourcing arrangements. That condition is: that the registered bank has legal and practical ability to control and execute any business, and any functions relating to any business, of the bank that are carried on by a person other than the bank, sufficient to achieve, under normal business conditions and in the event of stress or failure of the bank or of a service provider to the bank, the following outcomes: (a) (b) (c) (d) that the bank s clearing and settlement obligations due on a day can be met on that day; that the bank s financial risk positions on a day can be identified on that day; that the bank s financial risk positions can be monitored and managed on the day following any failure and on subsequent days; and that the bank s existing customers can be given access to payments facilities on the day following any failure and on subsequent days. For the purposes of this condition of registration, the term legal and practical ability to control and execute is explained in the

3 Reserve Bank of New Zealand document entitled Outsourcing Policy Financial Stability Department Document. 5. In addition, Large Banks are generally subject to a condition of registration regarding accountability: (a) (b) (c) that the business and affairs of the bank are managed by, or under the direction or supervision of, the board of the bank; that the employment contract of the chief executive officer of the bank or person in an equivalent position (together CEO ) is with the bank, and the terms and conditions of the CEO s employment agreement are determined by, and any decisions relating to the employment or termination of employment of the CEO are made by, the board of the bank; and that all staff employed by the bank have their remuneration determined by (or under the delegated authority of) the board or the CEO of the bank and are accountable (directly or indirectly) to the CEO of the bank. 6. Although the Reserve Bank will generally seek to impose standard conditions of registration regarding outsourcing arrangements uniformly on all Large Banks, the Reserve Bank may impose a non-standard condition of registration on a bank where special circumstances apply. 7. The rest of this document: explains the objectives of the outsourcing policy (section B); explains the term legal and practical ability to control and execute and discusses risks to a bank s legal and practical ability to control and execute an outsourced function (section C); and provides guidance on tolerance of risks to a bank s legal and practical ability to control and execute an outsourced function (Section D). B. Objectives of the outsourcing policy 8. This section explains the objectives of the outsourcing policy. 9. Section 68 of the Act requires the Reserve Bank to exercise its banking supervision and registration powers for the purposes of: (a) (b) promoting the maintenance of a sound and efficient financial system; or avoiding significant damage to the financial system that could result from the failure of a registered bank.

4 10. The outsourcing policy pursues both these purposes by requiring that a Large Bank s outsourcing arrangements do not create risk that the operation and management of the bank might be interrupted for a material length of time. In particular, any outsourcing arrangements for bank functions must not create risk to the bank s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank. 11. The outsourcing policy is outcomes-focused. The outcomes required by the Reserve Bank are specified in the condition of registration set out in paragraph 4. 12. The outsourcing policy is framed in terms of the continuity of functions needed to achieve required outcomes. The continuity of bank functions is itself dependent on the availability of supporting systems, staff and data. The outsourcing policy allows flexibility for a Large Bank to configure its systems, staff and data in ways that take account of the bank s business circumstances and strategy, provided the required outcomes are met. 13. Functions needed to achieve the outcomes specified in the condition of registration set out in paragraph 4 are the most time-critical, core bank functions. These must be continued under normal business conditions in order to maintain the soundness and efficiency of the financial system. In the event of a failure of a bank or of a service provider to a bank, these functions must also be continued without material interruption, in order to avoid significant damage to the financial system. 14. In particular, requirements (a) and (b) in the condition of registration set out in paragraph 4 must be achieved before the start of the value day after the day of the failure, and requirements (c) and (d) must be achieved on the value day after the day of the failure, in order to prevent the failure from causing a sharp and disruptive contraction in financial system liquidity or prolonged disruption to the transactionprocessing activities of the bank. 15. Directors or a statutory manager of the bank must have the legal and practical ability to control and execute any outsourced functions to ensure that the bank s core functions would be available within these timeframes. 16. Table 1 summarises the required availability for core functions in the event of a failure of the bank or of a service provider to the bank.

5 Table 1 Required outcome Required availability of functions needed to achieve outcome, in the event of a failure of the bank or of a service provider to the bank (a) (b) the bank s clearing and settlement obligations due on a day can be met on that day; the bank s financial risk positions on a day can be identified on that day; Before the start of the value day after the day of failure (and thereafter) (c) (d) the bank s financial risk positions can be monitored and managed on the day following any failure and on subsequent days the bank s existing customers can be given access to payments facilities on the day following any failure and on subsequent days First value day after the day of failure (and thereafter) 17. The condition of registration set out in paragraph 5 does not prevent directors of a Large Bank from delegating management responsibilities to non-employees of the bank. However, the bank will need to satisfy the Reserve Bank that the achievement of the required outcomes would not be undermined by the proposed delegation. In particular, the Reserve Bank will focus on whether any divided accountability of a non-employee to which a power has been delegated would undermine the achievement of the required outcomes. Any such delegations must not diminish the role of the board of a Large Bank in overseeing and supervising the affairs of the bank. 18. Notwithstanding section 128(3) of the Companies Act, a Large Bank s constitution must not contain any modifications, exceptions or limitations which would affect the bank s ability to meet the condition of registration set out in paragraph 5. C. Legal and practical ability to control and execute 19. This section explains the term legal and practical ability to control and execute and discusses risks to a bank s legal and practical ability to control and execute an outsourced function. The various risks discussed here will not necessarily constitute all relevant risks in all cases. 20. Legal ability to control and execute a function refers to the ability to invoke statutory, contractual or other rights as needed to ensure that the function continues to be provided.

6 21. Practical ability to control and execute a function refers to the ability to secure continued provision of the function within the timeframes set out in the previous section, taking into account any delays associated with the enforcement of legal rights. Practical ability to control a function depends heavily on the availability and responsiveness of personnel with the technical and business knowledge needed to control and execute the function, as well as physical access to and control of the required systems and data. Risks to legal ability to control and execute an outsourced function 22. Legal risks to outsourcing can arise when the contractual terms and conditions (service levels etc.) of the outsourcing arrangement are not sufficiently clear and complete to ensure continued service provision under circumstances of stress of either the service provider or of the bank itself. 23. If the service provider is in another jurisdiction, a risk exists that proceedings to require the provider to perform may have to be brought in that other jurisdiction s court and under that jurisdiction s laws. If so, the bank might have less ability to ensure continued performance than if the provider were resident in New Zealand, and if proceedings were handled by the New Zealand courts and under New Zealand law. 24. If the provider (or the provider s ultimate parent) is regulated by a regulator other than the Reserve Bank, there may be a risk that the duties and powers of that regulator cause it to intervene in such a way as to interfere with the provider s performance. Risks to practical ability to control and execute an outsourced function 25. Compared to an arrangement where a provider performs a function in New Zealand, performance of a function offshore complicates the logistics of ensuring timely performance for example, due to time zone differences, differences in statutory holidays, the extra time needed to access essential staff and systems, etc. 26. If the provider is also performing functions for other entities in a way in which the functions are operationally mingled, there may be a risk of competition for the provider s resources, impeding the performance of functions for the bank. D. Tolerances for risk to legal and practical ability to control and execute outsourced functions 27. This section provides guidance on tolerance for risks to a bank s legal and practical ability to control and execute outsourced functions. 28. Consistent with the policy s focus on outcomes, a Large Bank will have flexibility to pursue outsourcing strategies tailored to its particular circumstances and operational preferences, provided that the bank satisfies the Reserve Bank that the required outcomes are met. The Reserve Bank recognises the many ways in which outsourcing arrangements can be configured and the associated risks mitigated.

7 29. In general, the Reserve Bank s tolerance for risk will be lower for the more timecritical functions described in Section B. Tolerance for risk will also be lower the more material the function is to the achievement of the required outcomes, and the lower the substitutability of the function by other bank functions. 30. In this context, a function would be substitutable if there are alternative means (whose control and execution is subject to less risk) by which a bank could achieve the required outcomes (within the specified timeframes) in the absence of the function. These alternative means could consist of alternative delivery channels, workarounds, substitute staff, or operational backups. 31. The Reserve Bank s presumption is that a core function as described in section B will not be outsourced, unless the bank can satisfy the Reserve Bank that the function is not material to the achievement of the required outcomes, or is substitutable by other functions that are not outsourced. Similarly, the Reserve Bank s presumption is that a power to manage bank business relating to a core function will not be delegated to a person who is not employed solely by the bank, unless the bank can satisfy the Reserve Bank that the power is not material to the achievement of the required outcomes, or that the required outcomes can still be achieved in the event that access to the person is unavailable for some reason. This presumption regarding delegations applies to matrix management and any other management arrangements involving persons who are not employed solely by the bank. 32. For some core functions, an outsourcing arrangement with an independent party might be acceptable, provided that the arrangement featured strong mitigants to the risks to the bank s legal and practical ability to control and execute the function. Such mitigants might include contractual mechanisms which mimic to the extent possible the substance of an in-house arrangement (e.g. with rights for the bank to step in in the event of technical or financial failure of the provider, BCP and regular testing requirements on the provider, explicit exclusion of statutory management of the bank from the definition of default events for the purposes of the contract, requirements that the provision of service be conducted from a location within or close to New Zealand, etc.). 33. Greater risk to the bank s legal and practical ability to control and execute the noncore functions could be tolerated, and consequently a wider range of outsourcing arrangements could be acceptable, where a bank has established a credible internal process to manage the risks to its business associated with any outsourcing arrangements. In general, the Reserve Bank would expect that any products (beyond those that provide core transactional functions) that are widely used and depended upon by customers would be subject to the most intense risk management. Other relevant issues for a bank to consider in managing outsourcing risks for non-core functions would include: the ability of customers to find substitutes (e.g. other banks) for products supported by the function, or to use a workaround if the products suddenly became unavailable; the extent of inconvenience to customers; and the number of customers affected.

8 34. The provision of bank functions, whether by outsourcing arrangement or otherwise, generally requires supporting systems (hardware, software, networking, data centre buildings, etc.), staffing and data. Systems, staffing and data may themselves be provided either in-house or under outsourcing arrangements. A function might be substantially produced in-house while still drawing on inputs that are supplied by outside providers. Conversely, if important parts of the production process are outsourced, where they might instead be provided in-house, the Reserve Bank may view the arrangements for the function as substantially outsourced even if some elements of the function are maintained in-house. 35. In this regard the Reserve Bank will generally focus on the arrangements for control of the people and data supporting the function, rather than for the systems supporting the function. The practical ability to control and execute a function depends vitally on the ready availability of skilled and knowledgeable staff and the relevant data. For core functions, the Reserve Bank s presumption is that the relevant staff and data would be maintained in-house, whereas it might be acceptable for certain systems to be outsourced if the Reserve Bank were satisfied that the systems would not be needed in the aftermath of a failure, or that backups or workarounds could take their place. 36. A Large Bank would be expected to manage and document any outsourcing arrangement for the provision of a function (or for supporting systems, staff or data) according to commercially reasonable arms length practice, whether the service provider is a related party or not. In general, the Reserve Bank would expect documentation to be clear on the rights and obligations of each party to the contract and on service levels and pricing, to a level commensurate with the function s timecriticality, materiality and substitutability. 37. A Large Bank will need to satisfy itself in the first instance that any risks to the required outcomes are tolerable. The bank will need to satisfy the Reserve Bank also that its arrangements or any proposed arrangements are adequate, especially where a core function is involved. The Reserve Bank may seek further information about any arrangement or proposed arrangement, or require a review by a person approved by the Reserve Bank. If the Reserve Bank is not satisfied that an arrangement or proposed arrangement is adequate, it will have to be modified to reduce the risks, or the function brought back or maintained in-house.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information