
Deloitte report on RBNZ's bank director attestation regime calls for APRA-style prescriptive prudential standard on risk management

By Gareth Vaughan

A review of the Reserve Bank's bank director attestation regime, through which bank directors sign off on the accuracy of bank financial information, calls for a more prescriptive approach to oversight of bank risk management. has obtained a copy of a report on the attestation regime, done by Deloitte at the behest of the Reserve Bank (RBNZ), almost a year after first asking the RBNZ for a copy. (See more at the bottom of this article on how and why we got the report.)

The Deloitte report, produced in August 2017, came after the International Monetary Fund (IMF) urged the RBNZ to more rigorously test director attestations in its 2017 Financial Sector Assessment Program (FSAP) report on New Zealand.

The bank disclosure regime the RBNZ oversees is supported by a requirement for bank directors to attest to, i.e. sign off on, the accuracy of information contained in bank general disclosure statements. The RBNZ approach to supervision relies on three pillars: self, market and regulatory discipline. The IMF pointed out that the self-discipline pillar relies on directors' attestations that banks have adequate risk management systems in place.

Directors are responsible and accountable for the integrity of bank reporting, the RBNZ says, and there are no specific rules around how a bank must meet the attestation requirements, with the RBNZ accepting the attestations without auditing the process. Thus the director attestation regime is a key plank of NZ bank oversight, arguably outsourcing regulation to the regulated.

'Largely effective'

Deloitte says the review implicitly challenged and tested the assumption that, given its positive 20-year track record, the attestation regime will continue to serve NZ well for the foreseeable future. It notes the regime was compared with the majority of bank supervisory regimes overseas, which make extensive use of comprehensive onsite bank inspections, something the RBNZ does not do.

Deloitte concluded that the regime is "largely effective" on the following graduated scale: ineffective, somewhat effective, largely effective, fully effective.

"Our concerns are that while the regime appears to have been effective since its inception, including through periods of significant market disruption, this is no guarantee of future effectiveness and there are some areas in which its operational resilience could in future be challenged," Deloitte says.

These areas include a reliance on high-quality directors, especially those with banking experience; poor culture, with culture not currently captured explicitly in any Reserve Bank requirement or guidance and not being assessed; and the extent of verification used as a basis for determining banks' compliance with regulations and guidelines.

"There is a case for more verification short of extensive on-site audits by the Reserve Bank's own staff and practical examples suggested as to how this might be achieved e.g. periodic thematic reviews across all banks focused on particular areas of concern/interest. Such reviews could also serve to surface 'best practices' for wider sharing across the sector," says Deloitte.

Deloitte recommends the RBNZ set out its expectations of banks in relation to risk management along the lines of the Australian Prudential Regulation Authority's Prudential Standard CPS 220. This would "raise the bar" for the non-Australian owned banks, present a level playing field, and bring together in one place the RBNZ's expectations for integrated risk management, which is essential to the effective design and operation of any attestation regime.

Concerns over cyber risk

"While already a requirement for the Australian owned 'majors' under [APRA's] CPS 220, this is an opportunity for the Reserve Bank to ensure that the smaller banks benefit from equivalent guidance while at the same time addressing the IMF's concerns regarding the need for strengthening regulatory discipline and issuing enforceable supervisory standards on key risks," Deloitte says.

The report says interviewees suggested a range of risks the directors' attestation regime is not well suited to identifying or dealing with. These include cyber risk, conduct risk, progressive risk appetite creep and complacency. Deloitte recommends the RBNZ should continue to explicitly challenge, on an ongoing basis, the directors' attestation regime as a prudential regulation tool. This includes identifying and forming its own view on where residual vulnerabilities lie, and whether any further mitigating measures need to be taken given the RBNZ's full suite of regulatory tools.

The 1%

Directors from ANZ, ASB, BNZ, Westpac, Kiwibank, Rabobank, The Cooperative Bank, SBS Bank, Heartland Bank, Bank of China and Bank of Baroda were interviewed by Deloitte. According to the report, 99% of respondents said they had never signed a collective board attestation while holding reservations of their own.

"Only 1% of directors disagreed with the statement 'I have never had cause to withhold my support for any final attestation by our board.' One director commented that this situation occurred only once in his nine-year tenure, while another director commented that he/she has withheld support in the past until certain matters were clarified to his/her satisfaction."

The report says Deloitte's survey and interviews showed all directors, both independent and not independent, were well aware of their responsibilities in attesting.

Deloitte points out that interpretations of some regulations vary quite widely between different banks, and notes interviewees' suggestions for a more prescriptive approach from the RBNZ to its outsourcing policy and its open bank resolution policy.

Other recommendations from Deloitte include that the RBNZ issue guidance in areas of "definitional clarity", including banks' conditions of registration. The RBNZ is also encouraged to be more active in assessing weaknesses on bank boards and within senior management, and to require these be addressed beyond "just attempting to use moral suasion." Deloitte also says the RBNZ should review the effectiveness of its "no objection" approach to director appointments.

"The Reserve Bank's current approach to the 'fit and proper person' test for a new director, or designated senior bank officer, is to confirm 'no objection' when he/she is first nominated, but not to monitor or re-assess whether the director continues to satisfy the test, 'set and forget.' The Reserve Bank may wish to consider periodic re-validation at, say, intervals of no longer than three-years."

Deloitte also suggests the RBNZ could set policy requirements on how many boards an individual could be on in addition to their bank board.

Open culture touted but little evidence of how this is achieved

In terms of culture, Deloitte says most directors were quick to say they believed there was an open culture within their bank, and that bad news would flow upwards. But few were able to point to a systematic and regular process or methodology through which this was achieved.

"Culture is not currently mentioned or captured in any Reserve Bank requirement or guidance, nor is it formally assessed. This stands out in contrast with the significant focus on the topic not only by other regulators but by the industry at large and the vast majority of directors we interviewed. Given the fundamental premise and basis of the New Zealand prudential regulatory regime and its reliance on strong governance in the first instance, its omission is the more conspicuous," Deloitte says.

It's worth noting here that the Deloitte report was completed before the RBNZ and Financial Markets Authority (FMA) review of banks' conduct and culture got underway.

In a cover letter sent to with the Deloitte report RBNZ spokesman Angus Barclay addresses several of the issues raised in the report. 

He notes Deloitte refers to varying degrees of clarity, and potential misalignment, between each bank’s stated director attestation goals including type of assurance, whether ‘reasonable’ or ‘limited,’ and the approaches followed to provide that assurance.

"Deloitte recommended that the Reserve Bank clarify its expectation that ‘reasonable assurance’ applies as well as generally accepted assurance standards. The Reserve Bank has been discussing the benefits of moving to 'positive assurance' frameworks with those banks that currently use 'negative assurance' frameworks. The supervisory approach will be considered as part of the second phase of the review of the Reserve Bank Act. Any potential policy changes will be considered in due course and undergo a public consultation and full impact analysis," says Barclay.

"Deloitte stated that while ‘end-to-end’ views of the directors’ attestation process are evident among the larger banks, this is not so with the smaller banks. Moreover, even with the larger banks a ‘comprehensive’ and holistic approach to attestation was still in its early stages of development. Deloitte said the Reserve Bank could set out its expectations of banks in relation to risk management via a standard equivalent in substance to APRA’s CPS 220, and in relation to directors’ attestations as a comprehensive and integrated risk and control system beyond process. Reserve Bank supervisors are in regular contact with banks and communicate expectations in relation to risk management. Subject to other priorities and resource constraints, the issuance of further guidance will be considered in the latter part of 2019."

RBNZ 'actively encourages' boards to get regular independent performance assessments 

Barclay says the RBNZ "actively encourages" bank boards to get regular independent performance assessments. A review of BS10, the RBNZ's document covering the suitability of bank directors and senior managers, is on the Reserve Bank’s "medium to longer term to-do list."

The RBNZ is also reviewing its Banking Supervision Handbook. This review, due to conclude at the end of 2019, will improve the clarity of the RBNZ’s prudential requirements, says Barclay.

"The Reserve Bank is also actively working on the potential introduction of a materiality threshold for disclosing any breaches of its requirements. A public consultation on this topic closed in December and policy options are in the process of being finalised," he adds.

"Subject to other priorities, the Reserve Bank will proactively assess weaknesses on boards as part of its supervisory engagement with banks. Potential policy developments may be considered in due course as time and resources allow," Barclay says.

Additionally he says the RBNZ gained a better understanding of banks’ culture as a result of the conduct and culture review. Insights from this will inform supervisory assessments of banks’ own vulnerabilities.

"The Reserve Bank will engage with institutions on how to rectify any vulnerabilities it identifies. Further policy work may be considered."

How we got the Deloitte report

The RBNZ released the Deloitte report to almost a year after I first asked it to release the review of its bank director attestation regime.

When RBNZ Deputy Governor Geoff Bascand said in a speech in early March last year that a thematic review of the attestation process by Deloitte, on behalf of the RBNZ, had determined the attestation regime to be "largely effective," I asked if I could see a copy of the full report. The RBNZ declined my request. A subsequent request made under the Official Information Act was also declined, as detailed here.

Subsequently I complained to the Office of the Ombudsman. This was after the RBNZ demanded greater accountability from bank boards in its report on bank conduct and culture, done with the FMA. If the RBNZ was doing this it should also deliver greater accountability itself and publicly release the review of its director attestation regime, I argued here. Because the attestation regime is such a key plank of the RBNZ's overall regulatory regime and there's scant public detail available on it, it remains opaque to the public, including household depositors who have loaned $174.2 billion to banks, I argued.

Last week a RBNZ spokesman got in touch to say the RBNZ had now decided to release the Deloitte report. However, a Deloitte assessment on each of the 11 banks whose directors participated in the review is covered in a separate companion report that was not released to

"It would appear that in light of this Office’s notification, the Reserve Bank has reconsidered its decision in this instance and under the relevant provisions of the Reserve Bank of New Zealand Act, namely, it appears section 105(2)(b) of that Act, it has decided to release the information to you. That is a decision only the Reserve Bank can make," Office of the Ombudsman investigator Sarah Quigan says.

*This article was first published in our email for paying subscribers early on Monday morning. See here for more details and how to subscribe.


A report by the same entity that would benefit from requirements for further independent reports. I wonder how they dealt with that conflict of interest.

And of course they would argue for systems and processes.... it means they can be audited and therefore gain further revenue. Again, a conflict.

Finally, the demand for more guidance, rules, and frameworks, a further dumbing down of the that just like in accounting, it’s no longer around personal judgement and expertise, but around following the rules..... why? Because it’s easier to be defended when challenged..... I followed the rules your honour.... not I applied my mind and actually thought about it, and was wrong. It’s all about personal risk reduction. And of course, if you have rules, you can get clever lawyers to create ways around the rules.

It’s always going to be around culture, and then ethical behaviour not process. Of course the big banks have more process, because the link between the board and front line is disjointed, and can be overridden by Australia. In smaller banks, it can be more informal... it’s shorter, and there is less risk of alternative facts being created because there is only one set of masters.

One size does not fit all. Guidance and rules are not better. Just because something is not auditable doesn’t make it inappropriate.

Culture and integrity are not easily auditable or subject to reviews. That doesn’t mean they don’t exist and are not working.

A process that is reviewed doesn’t mean that culture and integrity exists either.

Be careful of applying solutions that work for the reviewers and the reviewed. They need to work for society to generate outcomes, not audits.


Firstly well done Gareth for chasing the RBNZ on releasing this. The entire framework relies on Directors being liable for the accuracy of reporting and disclosures and it highlights that the RBNZ is not clear in regards to what it expects of its directors.

The APRA attestations are an interesting model because the Australian directors are very aware that the regulator will challenge them on the accuracy of certain claims and data. This results in directors challenging executive management, who in anticipation run their own challenge process with their reports to ensure the accuracy of what is presented.

It's a shame the RBNZ have chosen not to release the results at an individual bank level. However, I think that would leave more questions for the RBNZ to answer as to why they have chosen not to prosecute directors where their oversight and governance was found to be wanting.