Heidi:
Kia ora and welcome to Inside the FMA, a podcast by New Zealand’s Financial Markets Authority. Today I’m joined by Jocelyn McKernan from our Operational Resilience team to explore a critical obligation for all licensed financial institutions: ensuring they are operationally resilient. Welcome, Jocelyn.
Jocelyn:
Thanks, Heidi. It’s lovely to be here.
Heidi:
Before we dive into the details, can you tell us—what is operational resilience?
Jocelyn:
Operational resilience is the ability of an entity to continue delivering critical operations during a disruptive event. The financial services sector understands how vital resilience is—the ability to anticipate, withstand, and recover from adverse events is critical. This is especially important given rising threats, reliance on third parties, and the increasing digital delivery of financial services, all of which can make the sector vulnerable to disruption.
Heidi:
Financial institutions are required to comply with a set of standard conditions as part of their CoFI licence obligations. Is operational resilience part of that?
Jocelyn:
Absolutely. Operational resilience is a non-negotiable requirement. These standard conditions came into force through the Financial Markets Amendment Act in 2022 and the Financial Markets Conduct Act in 2013. They are compulsory obligations.
Heidi:
So what exactly are Standard Conditions 4 and 5 under CoFI, and why are they legally binding for all licensed financial service providers?
Jocelyn:
Standard Condition 4 covers outsourcing, and Standard Condition 5 covers business continuity and technology systems. Together, they form the foundation for operational resilience in the financial sector.
Condition 4 ensures that if a financial institution outsources any critical system, process, or service, it must be confident the provider can maintain the same standards as if the service were kept in-house.
Heidi:
So when outsourcing, due diligence must be really important. What steps should financial institutions take before outsourcing?
Jocelyn:
It’s crucial. Before signing any contract, institutions should conduct thorough due diligence. This includes reviewing public reports about the supplier, their complaints-handling processes, and any regulatory obligations in their home jurisdiction—because these may differ from New Zealand’s. The goal is to ensure the provider can deliver reliable service to the same standard as the institution itself.
Heidi:
Once outsourcing is in place, how should institutions monitor and manage the supplier?
Jocelyn:
Start with strong contracts that include provisions for termination and allow oversight. Regular risk-based reviews and monitoring visits are essential. Building a solid relationship with the supplier is also key.
Heidi:
What does Standard Condition 4 mean for consumer fairness?
Jocelyn:
It should support fair conduct. If something goes wrong with a third-party supplier, the customer is ultimately impacted. So these guardrails around outsourcing help protect consumers.
Heidi:
Now, Jocelyn, what is Standard Condition 5?
Jocelyn:
Standard Condition 5 covers business continuity and technology systems.
Heidi:
What is a Business Continuity Plan (BCP), and how should it be tailored under Standard Condition 5?
Jocelyn:
Under Condition 5, institutions must maintain a BCP that covers their ability to provide financial services—not just technology systems. Larger institutions should have comprehensive plans, including disaster recovery and data centre resilience. Smaller entities might have simpler plans, such as alternative office locations in case of natural disasters.
Heidi:
What does operational resilience mean under Standard Condition 5 for technology?
Jocelyn:
Institutions must maintain the confidentiality, integrity, and availability (CIA) of information and technology systems. Implementation should not negatively impact fair conduct programmes.
Heidi:
How should institutions test and update their BCP and technology?
Jocelyn:
BCPs should be tested regularly—at least annually—through exercises like crisis scenario testing. Plans must be updated whenever there’s a material change, such as switching a critical supplier or moving premises. Institutions should notify the FMA as soon as possible, and within 72 hours, if a critical technology system is materially impacted.
Heidi:
To summarise, how can financial institutions build compliance into their operations?
Jocelyn:
Compliance works best when integrated into governance and risk management frameworks. Board-led reviews, self-assessments, external reviews, and using FMA resources can help embed operational resilience into organisational culture—not just policies.
Heidi:
Thank you, Jocelyn. There’s a lot that goes into operational resilience, and it’s a great reminder that CoFI Standard Conditions 4 and 5 apply to all licensed financial institutions. Regular monitoring and keeping BCPs and outsourcing arrangements up to date are critical.
Jocelyn:
You’re welcome. And don’t forget—we have resources available on our Operational Resilience webpage at https://www.fma.govt.nz.
Heidi:
Make sure you check out those resources. See you next time!