Westpac New Zealand Limited’s (WNZL) Condition of Registration 22 requires WNZL to comply with the Reserve Bank of New Zealand document “Outsourcing Policy” (BS11) dated September 2022 (Outsourcing Policy).
The objectives of this policy are to ensure that an outsourcing arrangement entered into by a bank does not compromise that bank’s ability to–
a. be effectively–
Compendium Requirements
Outsourcing arrangements without required risk mitigants in place
WNZL entered into outsourcing arrangements without the required risk mitigants in place for the adequate support of six key software or hardware environments. The risk mitigants required when outsourcing to an independent third party include the Prescribed Contractual Terms being included in the contract with the third party, assessment of the third party’s Business Continuity Planning/Disaster Recovery procedures as being adequate and appropriate, and entry of the arrangement into the bank’s BS11 compendium.
Specifically:
- From April 2020 to May 2021, WNZL did not have the required risk mitigants in place to ensure adequate support services were available for database applications that are used to store and retrieve data for critical frontline applications.
- From April 2018 to May 2021, WNZL did not have the required risk mitigants in place to ensure that adequate support services were available for software used to ensure high availability of key WNZL server infrastructure.
- For periods ranging from July 2015, February 2017 and February 2019, WNZL had outsourcing arrangements without the required risk mitigants in place to ensure adequate support services were available for certain payment systems operated by WNZL, which support some of WNZL’s payment processing services. Remediation activities, including the move to a new hardware environment, are underway.
- For periods ranging from September 2017 and July 2019 to July 2021, WNZL did not have the required risk mitigants in place to ensure adequate support services were available for two instances of software used to automate key business processes for WNZL.
Despite not having adequate support contracts in place, WNZL either continued to receive support or could have acquired support on a non-contractual basis. WNZL also had internal teams in place to provide support in the event of issues arising with the software and hardware.
However, if a critical problem had arisen with the software without the required risk mitigants in place, this could have increased the risk that WNZL may not have been able to access support to restore the relevant services within WNZL’s recovery time objectives. This would, in turn, have impacted WNZL’s ability to provide certain services to business and retail customers who use these services or business applications. This may have also impacted WNZL's ability to be administered under statutory management or to address the impact of a service or function provider failure until these situations were remediated.
WNZL has remediated all, except one of the above non-compliances. With respect to item 3 WNZL will complete that work by moving to a new hardware environment in November 2023.