Third-Party & Critical Service Provider Policy

| Field | Value |
|---|---|
| Code | OPS-005 |
| Domain | Operational Resilience |
| Owner | Chief Risk Officer |
| Status | Draft |
| Applicability | Platform |
| Jurisdiction | NZ + AU |
| Business domain | BD08 |
| Review date | 2027-03-25 |

Regulations: CPS 230 Operational Risk Management · DTA Outsourcing Standard
Purpose
This policy governs the management of third-party service providers and critical service dependencies. It defines obligations for provider assessment, contract requirements, concentration risk management, exit planning, and ongoing performance monitoring in accordance with APRA CPS 230 and RBNZ BS11 outsourcing requirements.
Scope
All third-party providers of services material to the banking platform, including cloud infrastructure providers, technology vendors, payment scheme operators, data providers, and any other outsourced functions that could impair the platform's ability to operate if unavailable.
Provider classification
All service providers SHALL be classified by criticality:
- Critical: Failure or disruption would directly impair payment processing, customer access, ledger integrity, or regulatory reporting.
- Important: Failure would cause material customer or operational impact but the platform could operate in a degraded mode.
- Standard: Failure would have limited operational impact.
Critical providers are subject to the full requirements of this policy. Important providers are subject to all requirements except exit testing frequency. Standard providers are subject to assessment and contract requirements only.
Assessment and onboarding
No critical or important service provider SHALL be onboarded without a documented risk assessment covering: service description and dependencies, data residency and sovereignty, resilience and availability commitments, information security standards, regulatory compliance status, and financial soundness.
Critical provider assessments SHALL be reviewed by the CTO and Chief Risk Officer before contract execution.
Contract requirements
Contracts with critical providers SHALL include: defined SLAs with financial remedies, data ownership and portability obligations, audit and inspection rights, notification obligations for material incidents, regulatory access provisions, and exit and termination provisions consistent with the exit plan.
Concentration risk
The platform SHALL monitor service provider concentration risk. Reliance on a single provider for more than one critical function SHALL be documented and assessed. Where concentration risk is assessed as material, a mitigation plan SHALL be documented and approved by the Board Risk Committee.
Exit planning
Every critical provider SHALL have a documented exit plan. The exit plan SHALL cover: triggering events, exit timeline, data migration approach, alternative provider options, and customer impact. Exit plans SHALL be tested at least every two years through a desktop exercise or, where feasible, a live test.
Performance monitoring
Critical and important providers SHALL be subject to ongoing performance monitoring against contracted SLAs. Material SLA breaches SHALL be escalated to the Head of Technology Operations and recorded in the provider management register.
An annual formal review of all critical and important providers SHALL be conducted covering: performance against SLA, financial health, regulatory status, and changes to the risk assessment.
Board reporting
The critical provider register and any material concentration or performance issues SHALL be reported to the Board Risk Committee annually.
Satisfying modules

| Module | Name | Mode | Description |
|---|---|---|---|
| MOD-150 | Risk management platform | AUTO | All designated critical third parties (Neon, Snowflake, AWS, BPAY, NPP, eIDV providers, card bureau) are continuously health-monitored; an SLA breach auto-creates an incident. |
Compiled 2026-05-22 from source/entities/policies/OPS-005.yaml