As part of their CoFI licence obligations, financial institutions have a legal obligation to comply with a set of standard conditions. Two of these - Standard Condition 4 and Standard Condition 5 - are critical to operational resilience.
Standard Condition 4 relates to outsourcing.
If a financial institution outsources any system or process essential to providing services, it must ensure the provider can deliver to a standard that allows the financial institution to meet all its market services licensee obligations, including fair treatment of customers.
Standard Condition 5 is focused on business continuity and technology systems.
This means maintaining a business continuity plan tailored to the financial institution's scale and scope. For any critical technology systems, where disruption would materially affect service provision or other obligations, the financial institution must ensure operational resilience by preserving confidentiality, integrity and availability of information and systems.
A financial institution's business continuity plan and technology systems must be established, implemented and maintained in a way that supports compliance with their fair conduct programme.
Any event that materially impacts the operational resilience of its technology systems must be notified to the FMA as soon as possible, and in any case, no later than 72 hours after discovering the event.
