Your browser is not supported

Our website does not support the browser you are using. For a better browsing experience update to a compatible browser like the latest browsers from Chrome, Firefox and Safari.

Registered Bank Category Period of breach Date registered bank become aware  Status
Westpac New Zealand Limited Condition of Registration – Outsourcing January 2021 – October 2022 January 2021 Closed 

Westpac New Zealand Limited’s (WNZL) Condition of Registration 22 requires WNZL to comply with the Reserve Bank of New Zealand document “Outsourcing Policy” (BS11) dated September 2022 (Outsourcing Policy).

The objectives of this policy are to ensure that an outsourcing arrangement entered into by a bank does not compromise that bank’s ability to–

a. be effectively– 

i. administered under statutory management; and 
 
ii. operated for the purposes of continuing to provide and circulate liquidity to the financial system and the wider economy; and
 
b. facilitate the carrying on of basic banking services by any new owner of all or part of the bank; and
 
c. address the impact that the failure of a service or function provider may have on the bank’s ability to carry on all or part of the business of the bank.
 

Compendium Requirements

WNZL is required to maintain a BS11 compendium, which is a formal centralised record of all outsourcing arrangements that complies with the requirements of the Outsourcing Policy.  The purpose of the BS11 compendium is to enable the Reserve Bank and a statutory manager to understand what services and functions have been outsourced by a bank.
 
From January 2021 to 11 October 2022 WNZL identified, and has remediated, a significant number of instances of non-compliance with BS11 compendium requirements. Assessed against the materiality factors outlined in the Guidance on reporting by banks of breaches of regulatory requirements, published in January 2021, individually these are not considered material.  However, when assessing breaches for materiality the Reserve Bank undertakes a holistic assessment of the findings and has concluded that the number of instances of non-compliance with the Outsourcing Policy do collectively constitute a material breach of Condition of Registration 22. 

Outsourcing arrangements without required risk mitigants in place

WNZL entered into outsourcing arrangements without the required risk mitigants in place for the adequate support of six key software or hardware environments. The risk mitigants required when outsourcing to an independent third party include the Prescribed Contractual Terms being included in the contract with the third party, assessment of the third party’s  Business Continuity Planning/Disaster Recovery procedures as being adequate and appropriate, and entry of the arrangement into the bank’s BS11 compendium.

Specifically:  

  1. From April 2020 to May 2021, WNZL did not have the required risk mitigants in place to ensure adequate support services were available for database applications that are used to store and retrieve data for critical frontline applications. 
  2. From April 2018 to May 2021, WNZL did not have the required risk mitigants in place to ensure that adequate support services were available for software used to ensure high availability of key WNZL server infrastructure.
  3. For periods ranging from July 2015, February 2017 and February 2019, WNZL  had outsourcing arrangements without the required risk mitigants in place to ensure adequate support services were available for certain payment systems operated by WNZL, which support some of WNZL’s payment processing services. Remediation activities, including the move to a new hardware environment, are underway.
  4. For periods ranging from September 2017 and July 2019 to July 2021, WNZL did not have the required risk mitigants in place to ensure adequate support services were available for two instances of software used to automate key business processes for WNZL.
 
The relevant software and hardware environments ensure high availability of key frontline applications for its retail and business customers. The failure to have the required risk mitigants in place to support these software and hardware environments was non-compliant with the Outsourcing Policy and therefore with WNZL’s Condition of Registration 22.

Despite not having adequate support contracts in place, WNZL either continued to receive support or could have acquired support on a non-contractual basis. WNZL also had internal teams in place to provide support in the event of issues arising with the software and hardware.

However, if a critical problem had arisen with the software without the required risk mitigants in place, this could have increased the risk that WNZL may not have been able to access support to restore the relevant services within WNZL’s recovery time objectives. This would, in turn, have impacted WNZL’s ability to provide certain services to business and retail customers who use these services or business applications. This may have also impacted WNZL's ability to be administered under statutory management or to address the impact of a service or function provider failure until these situations were remediated.

WNZL has remediated all, except one of the above non-compliances. With respect to item 3 WNZL will complete that work by moving to a new hardware environment in November 2023.