RBNZ Banking Supervision Handbook: BS11 Outsourcing Policy

| | |
|---|---|
| Regulator | Reserve Bank of NZ |
| Jurisdiction | NZ |
| Status | live |
| Applicability | Platform |

BS11 is the RBNZ Banking Supervision Handbook standard governing outsourcing arrangements for
registered banks. It applies to banks with net external liabilities exceeding NZD 10 billion
(Group 1 banks and the largest Group 2 banks). Its purpose is to ensure that outsourcing
arrangements do not impair the RBNZ's ability to carry out its supervisory functions or to
resolve a failed bank using statutory resolution powers including Open Bank Resolution (OBR).
Key requirements include: registering all material outsourcing arrangements with the RBNZ before
entry; ensuring contracts include RBNZ access rights and do not restrict resolution powers;
maintaining the ability to perform or transfer outsourced functions within a reasonable timeframe;
and maintaining an up-to-date outsourcing register.
BS11 is being superseded by the DTA Outsourcing Standard, which takes
effect 1 December 2028. Until that date, banks within scope must maintain full compliance with
BS11.
Compliance register
This register maps every material obligation under BS11 to the platform control or institutional
process that satisfies it. It is the static traceability layer for the Totara compliance report —
dynamic data (module build status, test evidence, control test dates) is overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — board governance, legal, procurement. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |

Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |

Material outsourcing identification and registration

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| BS11 §4 | Identify all material outsourcing arrangements and determine whether BS11 applies | 🏛 Institutional | OPS-005 | Platform uses AWS (infrastructure), Neon (database), Snowflake (data platform), and third-party providers (eIDV, card bureau, BPAY/NPP). All are material arrangements. MOD-150 (AUTO) — critical third-party health monitoring provides the ongoing oversight evidence base. | 🔨 |
| BS11 §5 | Register all material outsourcing arrangements with the RBNZ before entry into the arrangement | 🏛 Institutional | OPS-005 | RBNZ registration is an institutional process. MOD-150 (AUTO) — the third-party register maintained by MOD-150 provides the inventory of material arrangements supporting the RBNZ register. | 🔨 |
| BS11 §6 | Notify RBNZ before materially amending or terminating a registered outsourcing arrangement | 🏛 Institutional | OPS-005 | Notification is an institutional process. MOD-150 (AUTO) — contract and SLA monitoring detects changes to provider terms; expiry alerts provide advance notice of contract changes. | 🔨 |

Contract requirements

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| BS11 §7 | Ensure outsourcing contracts include RBNZ access rights — allow RBNZ to inspect information relating to the outsourced function | 🏛 Institutional | OPS-005 | Contract terms are negotiated institutionally. MOD-150 (LOG) — third-party register records contract reference and RBNZ access clause status for each provider. | 🔨 |
| BS11 §7 | Ensure outsourcing contracts do not restrict the RBNZ's ability to exercise resolution powers | 🏛 Institutional | OPS-005 | Contract terms are negotiated institutionally (Legal / Company Secretary). No platform control — this is a legal/procurement obligation. | — |
| BS11 §7 | Ensure outsourcing contracts include continuity and exit provisions enabling service transfer within a reasonable timeframe | 🏛 Institutional | OPS-005 | Contract terms are negotiated institutionally. MOD-150 (AUTO) — service continuity monitoring identifies degradation that would trigger exit planning. | 🔨 |

Operational continuity

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| BS11 §8 | Maintain the ability to perform or transfer outsourced functions within a reasonable timeframe if a provider fails | 🏛 Institutional | OPS-005 | The platform is designed as cloud-native on AWS with portable data in Neon (PostgreSQL) and Snowflake. MOD-150 (AUTO) — third-party SLA monitoring and incident creation; no manual dependency. Business continuity plans for provider failure are institutional. | 🔨 |
| BS11 §8 | Test outsourcing continuity arrangements on a regular schedule agreed with the RBNZ | 🏛 Institutional | OPS-005 | Testing programme design and execution is institutional (Technology / Operations). MOD-150 provides the ongoing health evidence used in test preparation and results documentation. | 🔨 |
| BS11 §9 | Assess outsourcing risks as part of the bank's enterprise risk management framework | 📊 Evidenced | OPS-005 | MOD-150 (AUTO) — technology and third-party risk events auto-classified against the risk taxonomy and written to the operational risk register continuously; risk assessment decisions are made institutionally. | 🔨 |

Outsourcing register and reporting

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| BS11 §10 | Maintain an up-to-date outsourcing register and provide it to the RBNZ on request | 📊 Evidenced | OPS-005 | MOD-150 (AUTO) — third-party service register maintained continuously with provider details, contract status, SLA thresholds, and health status; register is always current and exportable for RBNZ submission. | 🔨 |
| BS11 §10 | Report on material outsourcing arrangements in the bank's annual disclosure statement | 🏛 Institutional | OPS-005 | Disclosure statement is institutional. MOD-150 (AUTO) provides the register data; disclosure narrative preparation and sign-off is institutional. | 🔨 |


| Obligation | Owner | Platform evidence input |
|---|---|---|
| RBNZ pre-notification for each new material outsourcing arrangement | CEO / Legal | MOD-150 outsourcing register provides the arrangement details |
| Contract negotiation — RBNZ access rights, resolution non-restriction, and exit clauses | Legal / Procurement | MOD-150 records contract reference and clause status |
| Outsourcing risk assessment and board sign-off | CRO / Board | MOD-150 provides the risk event and health monitoring evidence base |
| Annual review of outsourcing arrangements and register | CRO / COO | MOD-150 provides the current inventory and SLA compliance record |
| Business continuity planning for critical provider failure | COO / CTO | MOD-150 health monitoring provides the early warning inputs |

Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Identification and registration | 3 | 0 | 0 | 3 | 0 |
| Contract requirements | 3 | 0 | 0 | 2 | 1 |
| Operational continuity | 3 | 0 | 2 | 1 | 0 |
| Register and reporting | 2 | 0 | 2 | 0 | 0 |
| Total | 11 | 0 (0%) | 4 (36%) | 6 (55%) | 1 (9%) |

BS11 is primarily an institutional obligation — the platform provides the evidence base and
operational risk monitoring, but outsourcing governance decisions are made by the board and
management. All attributed modules are currently build_status: Not started.
The DTA Outsourcing Standard (effective 1 December 2028) supersedes BS11 — see
nz-dta-outsourcing for the forward obligation register.

| Policy | Title |
|---|---|
| OPS-005 | Third-Party & Critical Service Provider Policy |

See D09 Operational Resilience for the full risk domain.
Official documentation
Policies referencing this standard
(None yet)
Compiled 2026-05-22 from source/entities/regulations/nz-bs11.yaml