IT implications of final proposal for the BS11 outsourcing policy

The Final Policy Proposals for the regulation of outsourcing at registered banks were issued by the Reserve Bank on 2 February (a link to our previous news alert is here). Whilst some of the details remain to be determined, including importantly the extent of the “white list” of outsourcing activities, the final proposal makes it clear that a revised and more onerous outsourcing policy is here to stay.

Locally incorporated “large banks” (those whose liabilities exceed $10 billion) will be shifting their focus from debating the merits of the policy to how they will transition to the new regime. However, the consultation on the exposure draft of the outsourcing policy (due Q1 2017) will provide a final opportunity for large banks to shape the policy.

We look below at what some of the new requirements affecting IT services will be.

Requirement that large banks provide “basic banking services” during a crisis and the need for contract reviews

Under the proposed policy, a bank must be able to provide “basic banking services” to existing customers on the first value day after the day of failure (eg a bank or a supplier failure) and thereafter. One key requirement is that transaction accounts (or similar) must continue to be provided for transactional, everyday banking needs (including ATMs and at least two of the most commonly used channels for accessing such accounts).

Banks will need to review the contracts they have with the firms that supply their ATMs and those who replenish the cash. As an example, the policy requires that access to ATMs is provided in times of crisis. To meet this standard, large banks will need to assess:

  • what business continuity/disaster recovery (BC/DR) arrangements need to be put in place?
  • are the carve-outs from liability permitted under any force majeure clause too broad?

Given the prevalence of Internet banking as a transactional channel, it is likely that Internet banking (and possibly mobile applications) will fall within the scope of the policy. Banks will need to consider how arrangements would respond under crisis events and whether enhancement is required. This might include consideration of:

  • whether current service level agreements (SLAs) adequately replicate the restoration times required under the policy?
  • whether the associated limitation of liability regime is appropriately structured to ensure that suppliers are focussed on the aspects that are key from a regulatory perspective?
  • whether the bank has the necessary contractual arrangements with primary and possibly secondary suppliers that clearly enable the bank to activate alternative arrangements where necessary and in a practical way?

Given the importance of these channels to banking business, it would be surprising if existing arrangements were poor in this area. Nevertheless, the regulatory overlay increases the stakes and such arrangements should be reviewed.

Back-up capabilities and separation plans

A new requirement is that large banks have “back-up capabilities for functions outsourced to an overseas parent or related party”. In addition, the policy requires that large banks prepare and deliver to the Reserve Bank a separation plan.

This requirement will affect the big four New Zealand banks, who each have Australian parents. These banks will, to varying degrees, be leveraging group level systems and contracting arrangements.

A key requirement is that contingency arrangements owned and/or controlled by the local back must be in place, and could be deployed as the primary mechanism on an on-going and automated basis. The policy also requires that there must be no possibility that a transaction could be permanently lost and that the switch to back-up systems must take effect within 4 – 6 hours in certain circumstances. These requirements may suggest the need for a mirrored system on a “hot” standby basis in some cases. For others, it may be possible to back-up data in real-time and to activate a skeleton set of contingency systems as necessary. This will be a key area where increased costs for banks will arise.

Banks will clearly need to identify the critical aspects that will need to be replicated and how this can be achieved efficiently. This kind of analysis will not be a completely new concept to banks, who are likely to have, as a matter of good commercial governance, business continuity and disaster recovery plans. However, the separation plan is likely to be a much more detailed document (and require a much deeper analysis), will need to be evidenced to the Reserve Bank, and must be tested on an annual basis. Moreover, the need for direct interaction with back-end suppliers to the parent may well require an increase in the number of transTasman contingency or transitional services agreements.

Contractual requirements and pricing

The back-up capabilities provide a clear touchstone for the contents of SLAs, as does the section of the proposal that deals with the contractual terms that the Reserve Bank will require to be included in outsourcing agreements. Certain terms will simply be non-negotiable and this may have an impact on price.

One strategy for controlling costs that will be essential will be to ensure that robust Request for Proposal (RFP) processes are in place before banks commit to any particular supplier. The RFP should set out in detail the requirements, including the legal and contractual requirements (with the BS11-compliant draft contract already prepared and attached), that the supplier will be expected to adhere to. Running a competitive process will help ensure that any upward pressure on pricing is moderated. This would also be the time to include benchmarking provisions to ensure that the bank can maintain pricing no greater than market pricing over the life of the contract.

The white list

The white list of permitted forms of outsourcing is provided in draft. The Reserve Bank proposes that these be settled over the next few months. However, the white list is intended to be a “live” document that changes over time.

While the Reserve Bank included certain categories of software on its revised list, some submitters will be disappointed that cloud services do not appear. As the white list is a live document, this may be an area where banks can work with the Reserve Bank during the transition period to establish guidelines around use of cloud services in the way that regulators in other jurisdictions have done.

External reviews and future proofing

The Reserve Bank does not require a bank to obtain a statement of non-objection before it can go ahead with an outsourcing arrangement which is not on the white list (though use of a related party will need to be notified). However, the Reserve Bank can review an outsourcing arrangement at a later stage and require modification. Accordingly, a clause in the outsourcing contract requiring the supplier to make certain changes to its service in line with the regulator’s requirements will be necessary. The parties will also need to agree on how the pain of any increased cost or lost revenues will be apportioned between the parties and whether any associated termination and transition provisions will be necessary.

As a general consideration, having a well-documented procurement process and a comprehensive set of outsourcing contracts, drafted in line with good industry practice, will serve the dual purposes of ensuring that the bank (i) is aware of, and implements, the outsourcing requirements and (ii) can demonstrate to the regulator that it has implemented them.

Conclusion

Improvements to BC/DR planning and increased resilience in what is already a robust banking system comes at a very considerable cost. Large banks will be digesting the latest policy draft and will closely review the Exposure Draft of the revised policy (due Q1 2017). We expect large banks will be continuing to engage with their technology teams and suppliers to determine how to most efficiently implement the new requirements once they are issued. Suppliers should also start to anticipate how the changes will affect them.

Our team

Our team has deep experience within IT outsourcing and provides advice throughout the outsourcing lifecycle. We advise on RFP processes, negotiation of documentation, right through to dispute resolution. This is supplemented in the context of BS11 by our banking colleagues who have a deep knowledge of the regulatory framework.

In addition, as a member of the Minter Ellison Legal Group, we are well-placed to advise on transactions with an Australian dimension.

Please contact us if you would like to discuss how we can assist in this area.

Who can help