NZ: Deposit Takers (Governance) Standard
| | |
|---|---|
| Regulator | RBNZ |
| Jurisdiction | NZ |
| Status | Draft — not yet in force |
| Applicability | Platform |
RBNZ's governance standard under the Deposit Takers Act 2023, phasing in progressively. It sets
minimum requirements for board composition, committee structure, fit and proper assessment of
directors and senior managers, conflicts of interest management, and accountability of senior
managers. It replaces governance conditions previously embedded in individual bank registration
conditions.
DRAFT — Tranche 2 exposure draft. Consultation closed May 2026. Policy decisions pending. Standard takes effect 1 December 2028. Current governance obligations derive from individual bank registration conditions and RBNZ supervisory expectations; these remain operative until the DTA Governance Standard takes effect.
The standard applies to all locally-incorporated deposit takers (G1, G2, G3) with proportionate expectations. G3 entities face principles-based requirements with proportionality guidance reducing the detailed requirements appropriate for larger institutions.
Compliance register
This register maps every material obligation under the standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates) is
overlaid at runtime.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — board governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Board composition and committees
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Majority independent directors: Board must comprise a majority of independent non-executive directors | 🏛 Institutional | GOV-001 | Institutional governance and legal process; board composition is not a platform control. | |
| Board Risk Committee — required with independent chair: Establish a Board Risk Committee with an independent chair | 🏛 Institutional | GOV-001 | MOD-150 (CALC) — RAF dashboard and board risk report data provided to Board Risk Committee; committee governance is institutional. | |
| Board Audit Committee — required with independent chair: Establish a Board Audit Committee with an independent chair | 🏛 Institutional | GOV-001 | MOD-151 (LOG) — all risk cases, decisions, and resolutions are available to the internal_audit role; MOD-151 (GATE) — whistleblower cases delivered directly to Board Audit Committee role. Committee governance is institutional. | |
| Annual board attestation to RBNZ: Board attests annually to RBNZ on governance compliance | 🏛 Institutional | GOV-001, GOV-006 | MOD-150 provides risk management data inputs; MOD-151 provides risk case audit evidence. Board attestation is institutional. | |
Fit and proper assessment
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Fit and proper — directors and senior managers: Assess all directors and senior managers for fitness and propriety prior to appointment | 🏛 Institutional | GOV-004 | Fit and proper vetting is a human governance and regulatory process. The platform's audit trail (MOD-047, MOD-048) evidences ongoing conduct but does not execute the vetting process. | |
| Director registration with RBNZ: All directors must be registered with RBNZ | 🏛 Institutional | GOV-004 | Registration is a regulatory administration process; not a platform function. | |
Three lines of defence and internal audit
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Three lines of defence — documented framework: Maintain a documented three lines of defence model with defined mandates | 🏛 Institutional | GOV-003 | MOD-150 (CALC) — risk register, RAF dashboard, and scenario data provide the operational risk layer (second line evidence); MOD-151 (LOG) — case records and resolution evidence available to internal audit. Framework design and governance are institutional. | |
| Internal audit — independent function: Maintain an independent internal audit function with access to all records | 📊 Evidenced | GOV-006 | MOD-076 (LOG) — platform-level system events, errors, and performance anomalies captured in the observability store and available for internal audit review; MOD-151 (LOG) — all risk cases and decisions available to the internal_audit role; no case can be deleted | |
Risk Appetite Framework (RAF) and whistleblower programme
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| RAF — board-approved with reporting to board: Document and maintain a board-approved Risk Appetite Framework with regular reporting | 📊 Evidenced | GOV-002 | MOD-150 (CALC) — RAF dashboard continuously computed from SD06 outputs; RAF threshold breach auto-alerts CRO and Board Risk Committee chair; board risk report data provided as an evidence input. Board approval of RAF is institutional. | |
| Whistleblower programme: Maintain a whistleblower programme with protected disclosure channels and board-level oversight | 🤖 Automated | GOV-001 | MOD-151 (GATE) — whistleblower submissions received through an isolated intake channel with no management routing; cases delivered directly to the Board Audit Committee role; identity protection enforced at the data layer — no bypass path exists | |
Conflicts of interest
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Conflicts of interest — documented policy and disclosure: Maintain a documented conflicts of interest policy; material conflicts disclosed to board and RBNZ | 🏛 Institutional | GOV-001 | Conflicts disclosure and management are institutional governance and legal processes; not a platform control. | |
The following obligations under the standard are the responsibility of the institution, not the platform.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Board composition maintenance and independence assessment | Company Secretary / Board | Not a platform function |
| Fit and proper vetting and registration of directors/senior managers | Chief People Officer / Company Secretary | MOD-047, MOD-048 provide ongoing conduct evidence |
| Annual RBNZ attestation on governance compliance | Board | MOD-150 and MOD-151 provide evidence inputs |
| Regulatory examination responses on governance matters | Company Secretary / Chief Risk Officer | MOD-151 provides risk case audit evidence; MOD-047/MOD-048 provide audit logs |
| Conflicts of interest disclosure and management | Company Secretary | Not a platform function |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Board composition and committees | 4 | 0 | 0 | 4 | 0 |
| Fit and proper | 2 | 0 | 0 | 2 | 0 |
| Three lines and internal audit | 2 | 0 | 1 | 1 | 0 |
| RAF and whistleblower | 2 | 1 | 1 | 0 | 0 |
| Conflicts of interest | 1 | 0 | 0 | 1 | 0 |
| Total | 11 | 1 (9%) | 2 (18%) | 8 (73%) | 0 |
Governance obligations are predominantly institutional by nature. Platform controls provide
the data and evidence layer (MOD-150 RAF dashboard, MOD-151 risk case console) but board
governance, composition, and attestation are not platform-deliverable obligations.
| Policy | Title |
|---|---|
| GOV-001 | Board Charter |
| GOV-002 | Risk Appetite Statement Policy |
| GOV-003 | Three Lines of Defence Policy |
| GOV-004 | Fit & Proper Policy |
| GOV-006 | Internal Audit Policy |
See D08 Governance & Accountability for the full risk domain.
Compiled 2026-05-22 from source/entities/regulations/nz-dta-governance.yaml