NZ: Deposit Takers (Outsourcing) Standard
| Attribute | Value |
|---|---|
| Regulator | RBNZ |
| Jurisdiction | NZ |
| Status | Draft — not yet in force |
| Applicability | Platform |
DRAFT — under RBNZ consultation. Expected finalisation 2027.

The DTA Outsourcing Standard is issued under the Deposit Takers Act 2023, replacing BS11. It requires deposit takers to identify material outsourcing arrangements, conduct structured due diligence before entering or renewing any material arrangement, include mandatory contractual protections (audit rights, data return on exit, sub-outsourcing restrictions, business continuity obligations), notify RBNZ for significant outsourcing, and maintain documented exit plans for critical service providers.

The standard aligns with APRA CPS 230 in intent. Key material outsourcing arrangements for Totara Bank include: Neon (managed Postgres), Snowflake (data platform), AWS (cloud infrastructure), BPAY/NPP/Swift (payment networks), card bureau, and eIDV providers. ADR-035, ADR-028, and ADR-023 are designed to satisfy the anticipated data sovereignty and exit strategy requirements. The standard takes effect 1 December 2028.
Compliance register
This register maps every material obligation under the Standard to the platform control or
institutional process that satisfies it. It is the static traceability layer for the Totara
compliance report — dynamic data (module build status, test evidence, control test dates)
is overlaid at runtime.
Scope legend

| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — board governance, legal, procurement. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend

| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Material outsourcing register and monitoring

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| OUT-1 | Maintain a board-approved register of all material outsourcing arrangements | 🏛 Institutional | DT-008, OPS-005 | Register ownership sits with the Chief Operating Officer and is board-approved annually. MOD-150 (AUTO) — all designated critical third parties are continuously health-monitored; contract expiry dates trigger review reminders that feed the register review cycle. | — |
| OUT-2 | Monitor vendor SLA compliance continuously and auto-escalate SLA breaches | 🤖 Automated | OPS-005 | MOD-150 (AUTO) — all designated critical third-party services (Neon, Snowflake, AWS, BPAY, NPP, eIDV providers, card bureau) are continuously health-monitored; an SLA breach auto-creates an incident in MOD-150. | 🔨 |
| OUT-3 | Annual risk assessment of each material outsourcing arrangement | 🏛 Institutional | DT-008 | Annual review is owned by the Chief Technology Officer / Chief Operating Officer. MOD-150 (AUTO) — SLA history, incident data, and vendor health metrics provide the quantitative inputs for the annual review. | — |
Contractual requirements

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| OUT-4 | RBNZ audit rights — contracts must permit RBNZ to audit service providers | 🏛 Institutional | DT-008 | Contractual obligation owned by Legal / Chief Operating Officer. No platform control — this is a contract negotiation and legal sign-off process. | — |
| OUT-5 | Data return on exit — contracts must require the service provider to return data in a usable format on termination | 🏛 Institutional | DT-006, DT-008 | Data return obligations are embedded in provider contracts. ADR-035 (Snowflake) and ADR-028 (document storage) document the technical feasibility of data extraction at exit; execution is institutional. | — |
| OUT-6 | Sub-outsourcing restrictions — material sub-outsourcing requires approval | 🏛 Institutional | DT-008 | Sub-outsourcing approval is a contractual and governance obligation owned by the Chief Operating Officer. MOD-150 provides awareness of sub-outsourcing events where provider disclosures trigger review reminders. | — |
| OUT-7 | Business continuity — contracts must include provider BCM obligations and testing | 🏛 Institutional | OPS-001, DT-008 | BCP obligations are embedded in provider contracts. MOD-150 (AUTO) — vendor health monitoring provides early warning of provider-side disruption. BCM testing with providers is scheduled institutionally. | — |
RBNZ notification and exit plans

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| OUT-8 | Notify RBNZ before entering a significant outsourcing arrangement | 🏛 Institutional | DT-008 | RBNZ notification is a Chief Operating Officer / Chief Risk Officer obligation managed through the regulatory engagement process. No platform control. | — |
| OUT-9 | Maintain documented exit plans for each critical service provider | 🏛 Institutional | DT-008, DT-006 | Exit plans are owned by the Chief Technology Officer. ADR-023 (cloud region), ADR-035 (Snowflake), and ADR-028 (document storage) document the technical exit feasibility; executable exit plan authorship is institutional. | — |
Change management feed

| Ref | Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|---|
| OUT-10 | Maintain an audit trail of outsourcing arrangement changes (new, renewed, terminated) | 📊 Evidenced | DT-007, OPS-001 | MOD-150 (LOG) — CI/CD pipeline deployment events auto-create change records; contract expiry reminders and SLA breach incidents are logged as operational records available for regulatory examination. | 🔨 |

| Obligation | Owner | Platform evidence input |
|---|---|---|
| Material outsourcing register — board approval | Board / Chief Operating Officer | MOD-150 vendor monitoring data provides operational inputs; register governance is institutional |
| Due diligence before entering / renewing material outsourcing | Chief Operating Officer / Legal | MOD-150 SLA history and vendor health metrics inform due diligence; execution is institutional |
| RBNZ notification for significant outsourcing | Chief Operating Officer / Chief Risk Officer | No platform control — institutional regulatory engagement process |
| Exit plan execution for critical providers | Chief Technology Officer | MOD-150 provides early warning; exit plan execution is institutional |
| NZ customer data sovereignty — data remains accessible within NZ | Chief Technology Officer | ADR-023 region selection and ADR-035 Snowflake data residency implement the technical controls; sovereignty assurance is board-attested |
Coverage summary

| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| Register and monitoring | 3 | 1 | 0 | 2 | 0 |
| Contractual requirements | 4 | 0 | 0 | 4 | 0 |
| Notification and exit plans | 2 | 0 | 0 | 2 | 0 |
| Change management | 1 | 0 | 1 | 0 | 0 |
| Total | 10 | 1 (10%) | 1 (10%) | 8 (80%) | 0 (0%) |
The outsourcing standard is predominantly an institutional obligation. The platform's primary contribution is continuous vendor health monitoring (MOD-150) and the change audit trail. All attributed modules are currently build_status: Not started.
| Policy | Title |
|---|---|
| DT-008 | Third-Party & Outsourcing Risk Policy |
| DT-003 | Technology Risk Management Policy |
| DT-006 | Cloud & Infrastructure Policy |
| DT-007 | Change and release management |
| DT-010 | Environments and deployment standards |
| OPS-001 | Business Continuity Policy |
| OPS-005 | Third-Party & Critical Service Provider Policy |
Policies referencing this standard
- DT-001 — Information Security Policy
- DT-003 — Technology Risk Management Policy
- DT-006 — Cloud & Infrastructure Policy
- DT-007 — Change and release management
- DT-008 — Third-Party & Outsourcing Risk Policy
- DT-010 — Environments and deployment standards
- OPS-001 — Business Continuity Policy
- OPS-005 — Third-Party & Critical Service Provider Policy
Compiled 2026-05-22 from source/entities/regulations/nz-dta-outsourcing.yaml