NZ: Deposit Takers (Risk Management) Standard
| | |
|---|---|
| Regulator | RBNZ |
| Jurisdiction | NZ |
| Status | Draft — not yet in force |
| Applicability | Platform |
DRAFT — exposure draft expected as part of Tranche 2. Standard takes effect 1 December 2028.
The DTA Risk Management Standard is a non-core standard under the Deposit Takers Act 2023. It
sets minimum requirements for the risk management frameworks of deposit takers, including the
identification, measurement, monitoring, and control of material risks. The standard replaces
elements of BS14 (Corporate Governance) and the former risk management programme requirements.
This register covers proposed obligations based on available policy guidance and exposure drafts.
Controls are contingent on the final standard. Mark any pre-emptive compliance work as contingent
until the standard is finalised.
Compliance register
This register maps every material obligation under the draft standard to the platform control or
institutional process that is expected to satisfy it.
Scope legend
| Symbol | Meaning |
|---|---|
| 🤖 Automated | Platform enforces or performs the obligation. Primary control mode is GATE, AUTO, CALC, or ALERT. Human action is not required in the normal case. |
| 📊 Evidenced | Platform captures the evidence trail automatically. Human compliance decision sits on top. Primary control mode is LOG. |
| 🏛 Institutional | Obligation is met by a process entirely outside the platform — board governance, committee governance, HR, legal. Platform may generate evidence inputs but does not own the process. |
| N/A | Obligation does not apply to this deployment configuration. |
Build legend
| Symbol | Meaning |
|---|---|
| ✅ | Module built and deployed |
| 🔨 | Module planned — not yet built (build_status: Not started) |
| ❌ | Uncontrolled gap — no module attributed |
Enterprise Risk Management Framework (ERMF)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Establish and maintain a documented ERMF approved by the board | 🏛 Institutional | GOV-002, GOV-003 | MOD-150 (AUTO) — risk events from all system domains are auto-classified against the risk taxonomy and written to the operational risk register continuously; the platform operationalises the ERMF but the ERMF document and board approval are institutional. | — |
| Identify and assess all material risks including credit, market, liquidity, operational, conduct, and reputational risk | 🤖 Automated | GOV-002 | MOD-150 (AUTO) — technology and operational risk events auto-classified; MOD-150 (CALC) — RAF dashboard aggregates all material risk metrics; MOD-032 (CALC) — liquidity risk; MOD-033 (CALC) — capital and credit risk; MOD-035 (CALC) — IRRBB/market risk | 🔨 |
| Maintain three lines of defence: risk-taking business units, independent risk oversight, and internal audit | 🏛 Institutional | GOV-003 | MOD-150 provides the risk register and RAF dashboard for the second line; MOD-151 (LOG) provides case records for internal audit. Framework design and mandate assignment are institutional. | — |
| Review and update the ERMF at least annually or following material changes | 🏛 Institutional | GOV-002 | MOD-150 provides risk event data and RAF trending as inputs for annual ERMF review; review execution is institutional. | — |
Risk Appetite Statement (RAS)
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Set and document a board-approved RAS covering all material risk types | 🏛 Institutional | GOV-002 | MOD-150 (CALC) — RAF dashboard continuously computed from SD06 outputs; RAF threshold breach auto-alerts CRO and Board Risk Committee chair. RAF threshold values are configured in the platform based on the board-approved RAS; board approval of the RAS is institutional. | — |
| Report material risk exposures and limit breaches to the board and RBNZ on prescribed schedules | 📊 Evidenced | GOV-002 | MOD-150 (CALC) — RAF dashboard and board risk report data computed continuously; breach alerts auto-escalated to CRO and Board Risk Committee chair; RBNZ reporting schedules are managed institutionally | 🔨 |
Stress testing and scenario analysis
| Obligation | Scope | Policy | Platform controls | Build |
|---|---|---|---|---|
| Conduct and document an internal capital and liquidity adequacy assessment (ICLAAP or equivalent) | 📊 Evidenced | GOV-002 | MOD-034 (CALC) — stress test section populated from the scenario engine; no manually assembled spreadsheet; MOD-033 provides live capital ratios and MOD-032 provides liquidity ratios as ICLAAP base data | 🔨 |
| Stress testing programme — severe but plausible scenarios across all material risk types | 🤖 Automated | GOV-002 | MOD-034 (CALC) — stress test outputs documented and auditable; scenario inputs, model version, and results all logged; scenarios cover capital, liquidity, credit, and IRRBB dimensions | 🔨 |
| Scenario analysis — including macroeconomic and idiosyncratic scenarios | 📊 Evidenced | GOV-002 | MOD-034 (CALC) — scenario inputs are configurable; macroeconomic scenario design is institutional (ALCO/board); platform executes configured scenarios and documents outputs | 🔨 |
The following obligations under the standard are the responsibility of the institution, not the platform.
| Obligation | Owner | Platform evidence input |
|---|---|---|
| Board approval of ERMF and RAS | Board / Chief Risk Officer | MOD-150 provides RAF dashboard data inputs; board approval is institutional |
| Three lines of defence framework design and mandate assignment | Chief Risk Officer / Chief Internal Auditor | MOD-150 and MOD-151 provide the risk register and audit evidence; framework design is institutional |
| Annual ERMF and RAS review | Chief Risk Officer | MOD-150 provides risk event data and RAF trending as evidence inputs |
| ALCO and Board Risk Committee governance of risk exposures | ALCO / Board Risk Committee | MOD-150 provides all risk metrics and RAF alerts; committee governance is institutional |
| RBNZ reporting — risk management returns | Chief Risk Officer / Chief Financial Officer | MOD-150 provides the data; return preparation and submission are institutional |
Coverage summary
| Area | Total obligations | Platform automated 🤖 | Platform evidenced 📊 | Institutional 🏛 | N/A |
|---|---|---|---|---|---|
| ERMF | 4 | 1 | 0 | 3 | 0 |
| Risk Appetite Statement | 2 | 0 | 1 | 1 | 0 |
| Stress testing and scenario analysis | 3 | 1 | 2 | 0 | 0 |
| Total | 9 | 2 (22%) | 3 (33%) | 4 (45%) | 0 |
Platform controls (MOD-034, MOD-150, MOD-032, MOD-033, MOD-035) provide the quantitative
infrastructure for the ERMF, but the framework document, RAS board approval, and committee
governance are institutional obligations by their nature.
| Policy | Title |
|---|---|
| GOV-002 | Risk Appetite Statement Policy |
| GOV-003 | Three Lines of Defence Policy |
See D08 Governance & Accountability for the full risk domain.
Official documentation
Policies referencing this standard
- DT-005 — Model Risk Management Policy
- DT-013 — Model Validation & Audit Policy
Compiled 2026-05-22 from source/entities/regulations/nz-dta-risk-management.yaml