Let’s not give even more statutory powers to the Reserve Bank

This morning the Reserve Bank released a variety of material that followed on from the leak of OCR at the time of March MPS.    Slipped out quietly onto their website – in response to an OIA request from me – was what might best be called the second stage of the leak inquiry report.  It is a document written by Deloitte almost a month after the release of what the Governor has called the “summary report” that was released on 14 April, and in places it is clearly phrased to respond to criticisms made after the release of that report.  I’ll have more to say about that document another day, but would just note that I was touched by the solicitousness of the Bank in deleting my name from a report they were releasing to me, apparently so as to “protect the privacy of natural persons”.  Perhaps they thought I’d forgotten my involvement?

The Bank also put out a press release headed “New Reserve Bank procedures for policy releases”.   After the discontinuation, from 14 April, of pre-release MPS and FSR lock-ups for journalists and analysts, there was pushback, especially from journalists, seeking the reinstatement of media lock-ups, under new and improved security arrangements (as distinct from what Deloitte call the “very high trust” arrangements –  under  which journalists could simply email from the lock-ups whenever they liked –  which had been found sorely wanting).   The Governor had indicated that the Bank would consider the options, and apparently commissioned a “security review” to explore the feasibility of lock-ups with much tighter security.  That review was undertaken under the leadership of Deloitte, but from the text the Bank has released today it is clear that it had a high degree of Reserve Bank staff involvement.

At the end of the process, the Governor has come to the right conclusion.  Lock-ups are not being reinstated, whether for analysts or journalists.  That was an approach I recommended at a time when the Bank itself didn’t even believe there had been a leak.  I commended the Governor’s initial decision to terminate the lock-ups, and I commend him again today.  There is simply no need for such lock-ups, and to hold them inevitably exposes the Bank to unnecessary security risks and/or unnecessary costs.  The public might have been well-served by lock-ups in a pre-internet age –   when it was hard to get timely access to the released documents –  but with today’s technology, the text is open to everyone at much the same time, and the onus is on the Bank to write its documents in a way that clearly communicates the messages it wants to convey.

Of course, the Bank is not seriously committed to openness or competitive neutrality in the access to information.  I have heard that they are still running briefings for analysts after the release.  [UPDATE: A market economist tells me that although they had such a briefing in June, there won’t be any in future]  An overseas expert on central bank communications has recommended –  and I agree with him –  that if such briefings are to be held (and there may be a useful place for them) they should be webcast, so that everyone has access to the same information/interpretation, not just the invited few who find it worthwhile to come all the way to Wellington (recall that most trading in the NZD is done offshore, and most New Zealand government bonds are held offshore).

[UPDATE: On further reflection, I would argue that such a post-release briefing, provided it is made openly available, would be a sensible option and cannot really understand why the Bank has scrapped them.  At a minimum it is less bad (and less costly in time) than lots of analysts approaching the Bank individually, and getting answers that could be (a) inconsistent across analysts, and/or (b) could be influenced by how well the analyst in question gets on with – eg  doesn’t criticize too much – the Bank and its senior economic staff in particular.]

For the media, the Bank notes that

We will also be placing additional emphasis on other opportunities for media access, such as on-the-record media briefings which have been trialled successfully this year.

There may be a place for such briefings, but if they are on-the-record again there is a strong case for webcasting them –  or even quickly publishing a transcript –  again so that everyone has the same information on a timely basis.  And, of course, on-the-record briefings –  with an emphasis on what the Bank wants to tell the media –  are very different from the sort of on-the-record searching interviews that the Governor consistently refuses.

I noted the other day that the Bank is sheltering behind an old provision of the Reserve Bank Act which, they argue, imposes serious sanctions (including a large fine or a term of imprisonment) if they were to release submissions –  especially from banks –  on proposed changes in regulatory policy.  I argued that if they had any sort of commitment to open government they should be promoting a simple amendment to the Act, to ensure that such submissions were fully, and simply, within the ambit of the Official Information Act.  If the Bank won’t promote such a change, perhaps an MP with a commitment to open government might.

So when I read through the Deloitte security review document, I was struck by the number of times that report had encouraged the Bank to seek a change to the Reserve Bank Act, this time to provide criminal sanctions for the early unauthorized release of OCR or MPS (or FSR?) material.  I suspect the idea for such a change did not come from Deloitte, but from Bank management themselves – in particular from the Deputy Governor responsible for such things (and former Government Statistician) Geoff Bascand.  In previous material released on the OCR leak, Bascand was on record as noting that Reserve Bank material of this sort did not have the sort of protections the Statistics Act provided to Statistics New Zealand.

It is really important that when the coercive powers of the state are used to compel individuals and firms to provide information to state agencies that people can be confident that that information is held securely.  Severe punishment for the inappropriate release of private information supplied by other people is quite appropriate.  But in fact, both the Statistics Act and the Reserve Bank Act already provide such penalties –  under the Reserve Bank Act someone can be sent to prison for three months, or a company can face a half million dollar fine.

But the economic forecasts and policy views of a government official (the Governor in this case) are a quite different matter.  And in many respect, that sort of information is not so different than the private information a firm might hold about a proposed merger or acquisition, about its planned dividend, about a new investment project, or –  in the New Zealand case –  Fonterra’s expected dairy payout.  Perhaps I’m wrong, but I’m not aware that there are criminal sanctions that protect, say, government Budget documents, or any other release of planned policy or legislation by government ministers.

In all those cases, confidentiality is clearly important to the information holder.  But in each case there would appear to be civil procedures open to information holders to protect the confidentiality of their information.  Typically, some staff in the relevant organization would have access to such information, and early unauthorized release would typically be a grounds for disciplinary action or perhaps even dismissal.    But other parties might too –  government Budget documents are printed externally, as is the MPS.  Sometimes professional advisers –  eg lawyers –  will be involved. And in some cases, entities will choose to provide information under embargo, or even to hold a lock-up.  In each and every case, it is open to the owner/provider of the information to specify in contract the confidentiality obligations of any party receiving the information.   Remedies for breaches of those policies are the responsibility of the institution providing the information.  There is no obvious need for criminal sanctions to be introduced in the process.  I hope that the Reserve Bank thinks again, and decides not to seek amendments of the sort Deloitte (no doubt at the Bank’s prompting) has suggested.  There is simply nothing that special about the OCR information –  it is not private information involuntarily provided to a government agency, and nor is it (say) material relating to national security.

In conclusion, it is interesting that in all the material that has emerged in recent months there has been little or no mention of one of the greatest security risks the Bank –  quite unnecessarily  – faces.    In most countries, the OCR decision is made and released on the same day –  that will have been what happened at the RBA yesterday.  The Reserve Bank has considerably shortened the lags over recent years, but as their recent article on the monetary policy process decision illustrates, the OCR decision to be released next Thursday will be made by the Governor this Friday.  There is six whole days when the information about the decision is known within the Bank.  Even if the formal knowledge is kept to a relatively small group –  when I was involved it was 10 to 15 people – it is simply an unnecessary risk.  With the best will in the world,it is almost inevitable that one day some one will let something slip, and there will be a huge uproar.  In terms of tightening security, still the best reform the Bank could make would be to release the OCR decision on the day it is made.


Another example of the Reserve Bank’s approach to the OIA

Regular readers will recall the OCR leak at the time of the March MPS.  A month or so later, when the Reserve Bank reluctantly recognized that there had in fact been a leak, and that their systems needed to change to reduce future risks, they released what purported to be a report undertaken for them into the leak by Deloitte.

In fact, subsequent material released by the Bank in response to an OIA request confirmed that what had been released then was not the actual report but a short-form “public” version.  I’m not sure what they had to hide, but decided to ask for a copy of the full report, partly out of genuine interest in its contents (as I had been the subject of a significant portion of the short-form “report”) and partly on the principle that leak inquiry reports, paid for by taxpayers’ money, should be made public as a matter of course.  In particular, the public should not be misled into believing that they were being given a full report, when in fact they were being given only a convenient summary.  When the initial release was made on 14 April, there was no suggestion at all that what was being released was a summary report only.

Anyway, I lodged the request several weeks ago, and this afternoon received this response.  How it can take more than 20 working days to decide whether or not to release a single report (that they already claimed to have released), which they themselves commissioned, and which they must have expected to be requested, and which deals only with their lock-ups etc is beyond me.  It seems like just another excuse for delay, another opportunity to simply ignore the principles of the Official Information Act.

(UPDATE: A reader points out that the Bank has given itself almost twice as long to consider the release of a single easily accessible administrative document as it allows for citizens to make submissions on its own proposals for further far-reaching regulatory interventions around housing finance.)

22 July 2016

Dear Mr Reddell


On July 4 2016 you made a request under the Official Information Act for:

“…. a copy of the full Deloitte inquiry report (as distinct from the “summary” – Graeme’s description in the Board minutes – or “public” version that was released on 14 April”.

The Reserve Bank is extending the time limit for decisions on your request to 10 August 2016, as permitted under section 15A(1)(b) of the Act, because consultations necessary to make decisions on the request are such that a proper response to the request cannot reasonably be made within the original 20 working day time limit.

Under section 28(3) of the Official Information Act, you have the right to complain to the Ombudsman about the Reserve Bank’s decisions relating to your requests.

Yours sincerely


Naomi Mitchell

External Communications Adviser | Reserve Bank of New Zealand (Auckland)

205-209 Queen St, Auckland 1010 | P O Box 5240, Auckland 1141

  1. +64 9 366 2643 | M. +64 27 294 3900 | F. +64 9 366 0517


Three months on…

It is three months since, on the morning of the release of the last Monetary Policy Statement, a fortuitous set of circumstances brought to light a leak of the Reserve Bank’s OCR decision.  It hadn’t required any particular devious methods or technologies, and the suggestion –  including from the Reserve Bank’s own lawyer –  has been that it wasn’t the first time it had happened.  Whether that was so or not, the Reserve Bank’s systems were loose enough that it was only a matter of time before, accidentally or deliberately, a leak happened.  And ethics were loose enough at MediaWorks that the leak was apparently seen as acceptable conduct, despite the rules of the lock-up.  It took weeks for MediaWorks to own up, and even now there has been no proper accounting from them as to just what went on.

In an email yesterday about today’s Monetary Policy Statement, someone in the markets noted to me

Still waiting to read your full apology from RBNZ, I live in hope!!

It might be nice, but the words and (in)actions of Graeme Wheeler, and his associates Geoff Bascand, Mike Hannah, and Rod Carr, really speak for themselves.  How did we end up in a situation where these sorts of people govern our central bank?

But I’m still more disturbed about the secrecy with which the Reserve Bank has sought to cloak the whole affair –  telling us just as much as they want us to know.  Answers to a series of fairly straightforward OIA requests, about events that happened two to three months ago, have been kicked out to 1 July –  and such is the Reserve Bank’s track record on the OIA that I’m not optimistic we will get much even then.  Whatever the case for secrecy on some policy matters, a leak inquiry  –  especially one that confirmed an actual leak and prompted major system changes – seems like one of those things where the public should be able to expect a full and open accounting from a taxpayer funded public agency.

Instead, we have them stalling, seemingly averse to transparency and scrutiny.  Among the outstanding matters:

  • We haven’t seen the terms of reference for the leak inquiry
  • We haven’t seen the full Deloitte leak inquiry report, only a short-form public version.
  • We haven’t heard why no penalty was initially imposed on MediaWorks, only for the Governor to later change his mind and indefinitely ban them from Reserve Bank press conferences.
  • We haven’t heard why the Governor chose in his press statement to emphasise the cooperation of MediaWorks when even the short-form report makes clear that it took weeks for that company to own up, and then only when it had been approached by the inquiry team.
  • We have seen no acceptance from the Reserve Bank that its own systems had failed to keep pace with technological change, which left them open to a leak (the consequences of which could have been much more serious than they were).
  • We don’t know whether the Bank has made any serious efforts to find out whether MediaWorks staff had leaked previously, and if they did make the effort to seriously pursue the matter, what the answers were.
  • We don’t know how much involvement the Bank’s Board –  supposed to operate at arms-length from management to hold the Governor to account – had in the handling of the leak, and 14 April press statement.  The documents that have been released suggest, which shed a partial light on the matter, suggest that the answer was “too much”.
  • We haven’t seen the papers the Reserve Bank considered in reviewing the options regarding the future of lock-ups, press conferences etc.

I’m not sure what the Bank has to hide.  The answer may well be “not that much at all”.  If so, the obstructiveness and resistance to an open accounting for their handling of a serious breach is perhaps more just a reflection of an ingrained resistance to see themselves as a public body with all that means.  In particular, that they are subject to the Official Information Act as much as to any other law, and are a body from whom the public should reasonably expect a full and open accounting.  Mistakes happen, errors are made, system flaws come to light.  That is what happens with human beings and human institutions.  Embarrassing as they sometimes are, accidents  and errors will happen.  But how an institution – and a powerful individual – recognizes, accepts responsibility for, and responds to such mis-steps can tell us a lot.

As journalists and MPs gather today to scrutinize the Governor, perhaps they might like to reflect on some of this.


The OCR leak: some disclosures

Will I come to regret this post?  Probably not, but only time will tell.  It also may not be of wide general interest, but that is fine.

Regular readers will recall that I got caught up in the Reserve Bank’s OCR leak.  More specifically, gaping breaches in the Bank’s systems (a near-total reliance on trust) and an actual leak of the March OCR decision would not have come to their attention, and been addressed, if I had not passed on to them information that arrived unwanted in my email in-box on the morning of the release, which suggested the possibility of a leak.  Frankly, if anyone was the innocent party in the whole episode it was me.  I wasn’t the leaker, I wasn’t the major media organisation that failed to disclose the leak by its employees for several weeks, I didn’t even receive what information I had from the person who was the leaker, and I wasn’t the central bank that ran security systems that made such a leak astonishingly easy.

And so I was more than a little miffed to have the Governor of the Reserve Bank describe me and my conduct as irresponsible in his press release announcing the results of the inquiry –  an inquiry that would never have taken place if it had not been for my initiative in alerting the Bank to the issue.  What particularly irked me was that in the same statement the Governor (a) took no responsibility for the laxness of the Bank’s own systems, and (b) seemed to go out of his way to stress how helpful the media organisation, MediaWorks, had been.   It also puzzled me a little that there seemed to be no sanctions imposed by the Bank on the leakers – MediaWorks and its staff.

That prompted me to lodge a series of requests for information –  from the Bank itself, and from its Board (which is paid to operate at arms-length from the Bank to scrutinise the performance of the Governor and hold him to account).    The Bank has actually responded to one other OIA request in this area: the Taxpayers’ Union asked about the cost of the Deloitte inquiry, and was told a few weeks ago that the cost was $58952.28 (plus GST).  My OIA requests have been treated in a more typical Bank way –  not just extended for one month, but all the way out to 1 July, with talk of the possibility of charging.

However, I also sought from the Bank under the Privacy Act material relating to me that was held by the Bank and generated or obtained between the morning of the MPS release on 10 March and the day I lodged the request.  They didn’t respond in 20 working days, but it wasn’t that much after the initial deadline when I was sent a fairly large collection of material yesterday.  I had kept the request quite focused –  I wasn’t after copies of media reports, or out to embarrass junior people who were not involved in the leak investigation and might have been exchanging speculative emails.  All the material I obtained was comments from people directly involved, mostly people from the senior management group including the Governor.

I have tossed up about whether to release this material, and am doing so for two reasons.

The first is that I think it does shed useful light on how the Bank went about dealing with the information I provided to them, and the priors and presuppositions of key people involved.  It is only a partial view of course, and I hope in time the Official Information Act requests will provide some more clarity.  Unfortunately, the Bank has deliberately stalled the release of that information (which it can be onerous neither to collect/collate nor to review).

The second is more personal.  Various people wisely suggested that I separate my irritation at having been personally attacked by the Governor from the wider issues of how the Bank has dealt with the issues of the leak, MediaWorks involvement, lock-ups etc.   Some experienced former colleagues had even got in touch to suggest I must be misinterpreting things, and the Governor’s statement about irresponsibility couldn’t have been meant to include me.  And so I decided to write a private letter to the Governor, outlining my perspective on my involvement in the whole issue and, in light of those points, inviting him to explain, or reconsider, his public assertion that my conduct had been irresponsible.  If possible, dealing with such issues privately is generally likely to be more constructive.

It wasn’t long before I got a very terse response from the Governor confirming that he did indeed regard me as having behaved irresponsibly.  I didn’t do anything with that, other than to pass the message on to those optimistic former colleagues.

But then I received yesterday’s collection of documents.  Publishing them, together with my letter to the Governor and his reply, will enable people to form their own views.  I’m sure many will see what they want to see, and some of those inclined to support Graeme Wheeler more generally may agree with the views he, and his senior colleagues, expressed.   Anyone is entitled to his or her own view.

As for me, I have to live with my own conscience.  There would be nothing shameful in concluding that, with the benefit of hindsight, one might have done some things differently.  After all, the Governor himself –  who had much more time – has changed tack twice since the inquiry was released (from no penalties for MediaWorks to indefinite exclusion from press conferences, and from immediately discontinuing lock-ups to investigating the possibility of reinstating them).   I have asked myself some of the questions others have posed, but reading the material I received yesterday led me to conclude more strongly than previously that I had done the right thing –  not necessarily the things the Bank would have preferred, but those which best balanced the public interest and the protection of my own interests.

Here is the link to the material the Reserve Bank released.

OCR leak inquiry Privacy Act response from RB

My earlier posts on the leak and related issues are all here

And here is what I took from the newly-released material.

The first point I noted is that, with the exception of a brief email from John McDermott on the morning of the MPS release, in which he wrote to me “Thank you for letting me know”, no one (management or Board) seems to have considered, at any point in the subsequent six weeks, expressing appreciation to me for coming forward and passing on the information that I had.  One doesn’t try to do the right thing in the hope of being thanked for it, but it is a telling omission nonetheless.

The second point is that I was pleasantly surprised to learn that the Bank seemed to take the information seriously from the start.  By 11:30am on 10 March, Deputy Governor Geoff Bascand had asked the senior manager responsible for risk and audit to undertake an inquiry, noting (page 2) “we cannot be sure it is a leak as opposed to speculation but need to enquire into it with diligence and urgency on the assumption it is”.

That was fine, and he even noted that “in the first instance, he [Michael] is the messenger”.   But in the same email Bascand had already moved on to treating the information I had passed on as an “allegation”, and two of the three questions he expects answers to are about my conduct.

Somewhat surprisingly, in a world in which a “no surprises” policy is generally supposed to prevail between government agencies and the Minister’s office, it appears (page 4) that the Bank only decided to tell the Minister of Finance’s office about the possibility of a leak after I had made a brief mention of the information I received on my blog on the afternoon of the release (having advised the Bank some hours earlier that I was likely to mention it).  That looks like poor political management, but also tends to confirm the unease I felt at the time, that the issue might be hushed up if at all possible.

Geoff Bascand’s biases become increasingly apparent in one of the unguarded emails that requests like this throw up.  After they advised Bank staff of the situation late on 10 March, the head of HR emails Bascand with a brief expression of sympathy.  Bascand’s response is nothing at all about the possible vulnerability in the Bank’s own systems (he being the senior manager responsible for the Communications functions), the possibility of an actual leak, or anything of the sort, but is all about the messenger.

By this time, and perhaps reflecting his biases, it is becoming clear that Bascand has trouble with the meaning of the word “allegation”.  I have commented on this previously, but it is more stark in the light of the information in this release.  In his message to all Bank staff (page 5) late on the afternoon of 10 March the heading is “Allegation of leak information”, and in a five line email the word “allegation” is used twice.  Nowhere, by contrast, does he note something like “we have received information suggesting that information may have been leaked”.      To repeat, allegations are claims are that are made, something that (at least according to my Oxford dictionary) involves “to assert without proof”.

To repeat, at no time between 10 March and 14 April (the release of the short-form inquiry report) did I make any “allegations”.  All I did –  and the emails are in this batch, on page 1 –  was to pass on hard information that I had (an email) while stressing repeatedly that I had no idea whether it was the fruit of a leak, or something else.  At the time, as I’ve said before, I struggled to believe a leak was possible.

It took a while for the leak inquiry to get going.  I’ve covered previously the Bank’s approach to me to assist the inquiry –  an approach which was extremely professional and which carefully referred only to the “possibility of a leak”.  I talked to the Deloitte investigators a few days later.  I gave them a copy of the text of the email I had received, and we had an amicable conversation in which, inter alia, they indicated that the Bank was very grateful to me for having come forward.  At the time I took that at face value, and commented openly on my support for the process the Bank had put in place.  It is worth noting –  because it comes up later –  that the Deloitte investigators did not ask me who sent the email to me, and indicated that they would not expect that I would tell them.  I wrote a post following that meeting with the investigators, mentioning briefly the discussion we had had, but focusing mostly on structural changes that I thought were warranted (abandonment of lock-ups etc) regardless of whether or not there had been a leak on this occasion.

That post seemed to spark some media interest.  The documents contain an email to Mike Hannah (RB Head of Communications) from Hamish Rutherford of Fairfax (someone else who appears to have had trouble with the meaning of the word “allegations”) and over the next couple of days there was a flurry of media coverage, here and abroad, and some clarificatory posts from me (partly annoyed at the continued public use of the term “allegations” by media and Bank representatives).  That in turn sparked various emails among senior managers at the Bank.

Mike Hannah is the first (page 13).  Interestingly, he claims that he would have picked up and responded quickly to any email I had sent before 9am on 10 March.  If so, that is good to know now, although it wasn’t the impression I was under at the time.  But he also notes that the Bank would not necessarily have done anything differently: “we’d have watched the markets very carefully , and might have had to consider going early if we saw action”.  But as everyone recognises, there was nothing visible happening in markets.

Hannah also responds to my point that one reason I hadn’t contacted the Bank in the brief window before 9am was my unease about the Bank’s reaction if in fact it had not been cutting that morning.  He considers it a “flimsy” story, but in fact the tone of the senior management comments –  from him, Bascand and Wheeler – throughout these documents only confirms that was an entirely reasonable fear on my part.  One thing that is striking in these documents is the apparent total inability of such senior people to imagine themselves in someone else’s position with someone else’s (lack of) information. They knew there was a cut coming. I didn’t.

The Governor responded to Hannah (at 1:48 am –  perhaps he was travelling).  From the tone of his email he seems to regard the whole exercise as a “quest for publicity” by me, adding that “my sense is that he is digging himself into a hole” – I’m still not sure, from context, how.    He seems aggrieved (on which more later) that a former employee of the Bank would blog about the enquiry.  It is really quite a weird reaction: one might hope that the Governor would have been most concerned about getting to the bottom of the substantive issue, and would expect considerable public scrutiny at even the possibility that an OCR decision had been leaked.  Recall that by this point –  objections to the misuse of “allegations” apart –  I had been supportive –  in public and in private –  of the whole inquiry process the Bank had put in place.

The Governor forwarded that email to the chair of the Bank’s Board, Rod Carr.  Instead of keeping an appropriate distance from management, Carr weighs in suggesting that perhaps I was now feeling guilty, that my actions were not a “sign of good citizenship”, and that somehow advising them a few minutes earlier  –  see Hannah’s comments above –  might have protected “NZ’s reputation”.    To his credit, Carr does flag the possible need to abolish lock-ups.

A few days later, Mike Hannah reports to the Governor on his approaches to the attendees at the media lock-up.  Hannah remains reluctant to believe that any media person/body can be responsible –  even though I had told him by inference (on the first day) and told the Deloitte team directly a week earlier that the email I received had come from a person in a media organisation.    More generally, at this point, Hannah still seems reluctant to believe that there had been a leak at all –  perhaps understandably given that he ran the lock-ups –  noting of his conversations with journalists “it may all be humour, bluff, etc, but it may also reflect scepticism about Reddell’s credibility”.    Given Hannah’s reluctance to accept the possibilities, the Bank’s in-house counsel (one of the few to emerge creditably from these documents) had to go back to Deloitte (page 16/17) to confirm that I had in fact said the email came from a person in a media organisation.

The Deloitte report indicated that, finally, on 5 April, MediaWorks owned up to the fact that there had been a leak, and that their staff had been responsible.  Perhaps unsurprisingly, there is no email in the system from senior RB managers saying “gee, Michael’s information turned out to be about something real; just as well as he came forward”.

Instead, the documents skip forward to Sunday 10 April.  By then, the Bank had the draft Deloitte report and was providing comments on it, and drafting press releases.

Geoff Bascand had sent out an email expressing surprise that no (MediaWorks) names were named in the Deloitte report –  in particularly that the report did not name the person who had sent the email to me.  Hannah responds identifying his suppositions about who it was, and he indicated that his draft press releases included the name of the person he suspected.  He also noted that he  had “not yet included Reddell’s name” –  the operative word apparently being “yet”.  Reflecting the Bank’s cast of mind, he noted that this was “not to save him” but simply because he still wanted more information.  The next morning, Hannah emails senior colleagues indicating that the draft press release had been done by him and the Governor jointly.  He urges that the Bank needs to get Deloitte to ask MediaWorks for the name of the person who emailed me (even if just to confirm that they would not provide the information).

In response, Nick McBride points out that he would not expect MediaWorks would provide anything more, and urged that the Bank should avoid focusing on individuals, stressing “it is MediaWorks that is responsible”. He goes on to note that “there is also a strong basis for speculating that a journalist emailing from the lock-up was normal behaviour, for Mediaworks at least”.   Interesting, he notes that MediaWorks will be particularly reluctant “if it senses the Bank’s ‘no mercy’ approach and the lack of credit it is likely to get for its admission”.    Given that there were no sanctions imposed on MediaWorks in the 14 April announcement, and the statement went out of its way to praise the cooperation of MediaWorks, something must have changed between then and 14 April.

That same day  – Monday 11 April –  also saw an odd email exchange between the Bank and Deloitte.  The Bank asks for copies of all emails from MediaWorks, and in response is told that “the only other email correspondence that we had with MediaWorks was the email exchange about Mr Reddell’s phone number –  now attached for your reference” [although for some reason not included in the material the Bank released].  My phone number isn’t exactly a secret –  it is in the White Pages.  But that same exchange also confirms that what the Bank released on 14 April is not, despite the impression given in the Bank’s statement, the full Deloitte report at all.  Instead, it appears to be a “short form” “public version”.  Someone should probably request the full report.

The Governor himself was engaged in providing comments on the draft report.  His attitude is evident in the following exchange.  A manager in the audit area of the Bank advises senior management that he has asked that Deloitte delete the word “all” from a description of how I had “cooperated with all our inquiries”, since I had declined to name my source (despite never being asked to, either by the Bank or Deloitte).  Not content with that excision (which wouldn’t have bothered me) the Governor insists that they must delete “Mr Reddell cooperated with our enquiries”, noting “as he didn’t disclose everything that was necessary this therefore gives a misleading impression”.  The fact that the inquiry would never have occurred at all without my original initiative clearly escaped him.

The remaining emails relate to the period after the release of the (public version) of the inquiry report on 14 April.  There is the gratuitously nasty one from someone outside the Bank (page 25) but my interest is mostly in the stance of the Bank’s senior management and Board.

According to Mike Hannah, in an email to the Governor and Board chair, by now I am “obviously smarting from a well-aimed and deserved reprimand”, and am “irresponsible again” for suggesting that the lock-ups had had lax security.  Reading that did prompt me to wonder which senior manager oversaw the procedures for and administration of the lock-ups which had just been revealed to have been breached.

And then the ante starts getting raised further.  According to Geoff Bascand,

“nothing will satisfy Michael. He is a deeply aggrieved person.  Everything will be interpreted through his victim filter”.

I’m not sure where Bascand gets any of this from.  And a simple apology from the Governor for publically tarring me as “irresponsible” would satisfy me.  Bascand continues to seem to think I somehow regret leaving the Reserve Bank, when I had been quite clear for several years prior to doing so that I was keen to get out, and do as my mother had done for me, and be around for my growing children.    That had only become financially feasible by late 2014, and by then the (personally) optimal thing was to stick around long enough to collect a looming redundancy cheque, which is currently helping pay for house alterations.  As I said to John McDermott at the time, my only concern had been that the Bank might change its mind.

The Governor also weighs in (page 27) and we get here the fullest explanation of his view of my irresponsibility

I firmly believe Michaels behaviour was irresponsible in failing to inform the Bank immediately, in not informing Deloitte as to who contacted him and blogging continuously on the matter even when the investigation was underway. I believe the reasons he trotted out for his actions to Deloittes were extremely weak to say the least.


I also find all this rich from someone who worked in the Bank for a long time and I believe should have used much better judgement- also Michael has repeated denigrated the work of colleagues that he worked alongside for many years and I believe also he has been reckless in his criticism . I believe many of the points he makes are misplaced and can readily be countered by a competent economist.

Some of this was familiar ground (see his brief letter below), but much was not.  The suggestion that I  –  or presumably others  –  should not have written about the matter while his investigation was underway almost beggars belief.  His internal inquiry about a possible failure of internal process is not exactly on a par with a matter that might be sub judice because it is being dealt with in a court of law. This is a (potential and actual) systems breach in high profile powerful public agency.

Unfortunately, the Governor seems to have allowed his judgement on the specifics of the (possible) leak issue to have become clouded by his irritation at the scrutiny and challenges that I have posed to the Bank, and him in particular, over the previous year or so.   And the substance of his point seems wrong  – I have tried to be very careful, when being critical, to focus responsibility on the Governor (as the law does) and his senior managers, and not on the many able staff who work in the organisation.  I’m quite relaxed about the idea that the Governor will often disagree with my points of view   –  that is hardly surprising, and not really that different than it was when I was inside the organisation –  and, yes, reasonable people (including some other “competent economists”) will differ on many of these issues.  But none of that is, or should be, germane to the specific issue of the leak that (a) occurred on his watch, and (b) would not have come to light without my help.

Since I was interested in lowering the temperature on the personal aspects of this, I approached a friend of mine who is on the Board seeking some sense from him as to why the Governor’s stance towards me on this issue was reasonable.  Perhaps he was in an awkward position, but I was largely fobbed off with a “circle the wagons in defence of the Governor” attitude.  And so I wrote to the Governor, copied to the Board.

That letter is here.

Letter to Graeme Wheeler OCR leak press release

The Governor’s very brief response is here.

Graeme Wheeler Ltr to M Reddell April 2016

The final email in the set of documents that the Bank released is an email from the Governor to his senior colleagues and the Board chair, forwarding them a copy of the letter, with the terse observation “I find this letter quite extraordinary”.

Some readers will get to the end of all this and perhaps still think the issue at stake is that I should have got in touch with the Bank a little earlier than I did on 10 March.  A few commenters on earlier posts have argued that.

Contrary to the sense that pervades many of these emails among Reserve Bank senior managers and Board members, I owed the Reserve Bank nothing.   But I do feel some sense of residual loyalty to the organisation and so I did what I reasonably could, in a way that directly helped them uncover a serious leak (and subsequently amend their own procedures).    If anyone reading these emails thinks that, in my shoes, they’d have rushed to tell the Bank earlier, at risk of being scoffed at and ridiculed had the Bank not in fact been cutting that morning, well all I can say is that they have a thicker skin than I do.  Bascand and Wheeler would no doubt have been poised with some barbed turn of phrase about “there goes Michael again”, ready to tell others the story the next time I ran a post they disliked.

At one level, the attitudes in these emails don’t surprise me greatly –  although perhaps I’m a little  surprised that despite the OIA and the Privacy Act they wrote these things down.  And I’m a little relieved that none of them are from my own two previous bosses.  I don’t think they reflect well on the Bank, or its Board, but that is also something for others to judge.

Wheeler and Hannah on the OCR leak

I will offer some thoughts on the FSR itself tomorrow, but I had few quick reactions to the comments made at the press conference this morning about the MediaWorks OCR leak and related issues.

I had heard that the Reserve Bank had been considering backtracking on the discontinuation of lock-ups, and had in fact been consulting selected journalists on the conditions on which media lock-ups might be reinstated.  That was confirmed by the Governor this morning.

Frankly, they seem all over the place.  Less than a month ago, they announced the discontinuation of lock-ups.  I thought that was the right decision at the time (and had called for it earlier).  Presumably the Bank  had carefully considered the various options open to it then, and decided on balance that (a) consultation with affected parties was not required, and (b) that it was not appropriate to continue with lock-ups.  One wonders what has changed, apart perhaps from some aggrieved coverage from some members of the media.  As the Governor pointed out, lock-ups are very unusual internationally.  There might have been a case for them 20 or 30 years ago, when citizens and investors couldn’t just download the documents themselves, and were quite reliant on the media for initial reporting and interpretation.  That is no longer so, and the security risks are higher than they were (as the Governor rightly noted, they can’t simply go on relying on trust).  I would urge the Reserve Bank not to reverse itself again, but if they do reinstate lock-ups for a select few media representatives –  whether relying on pen and paper, or totally physically secure environments –  the costs of those privileged arrangements should be borne by the media organisations concerned.

The Governor was also asked why the exclusion of MediaWorks from Bank press conferences had been announced only last week, and not when the inquiry results were released on 14 April (a question I also raised last week).  The Bank simply avoided answering that question.  Simply telling us that this was the first press conference since 14 April told us nothing.  If there were penalties to be imposed on MediaWorks (and exclusion seems sensible) why not announce them when the inquiry report was released –  rather than use that opportunity to praise the helpfulness of MediaWorks legal team?.  What has changed?

Mike Hannah also confirmed that the Bank has no information on whether there had been previous breaches of security, whether by MediaWorks or other lock-up participants.  He stated not only that the Bank was not aware, but that it had not asked.  That seems simply extraordinary, at least as regards MediaWorks.  When MediaWorks approached the Bank and Deloitte on 5 April, surely a very early question –  from either party –  should have been “and has this happened before?” (along with “and who in the organization knew about it?”).  It is a shame media did not pursue the matter further, but we are left with the suspicion that the Reserve Bank really did not want to know too much about what had  gone on, and wanted the whole issue put behind it quickly.    That should not be the standard to which powerful autonomous public agencies operate.

A belated price for the OCR leak

More than three weeks after the Reserve Bank released the results of its OCR leak inquiry comes news that the Bank has finally taken some specific action against MediaWorks, the media group responsible for the leak.  We learn today –  although not via a open release from the Bank –  that representatives

“from Mediaworks news outlets are excluded from Reserve Bank media conferences until further notice”

In the Reserve Bank’s release on 14 April there was no hint of any specific sanctions for MediaWorks.  Instead, taking the opportunity to tar junior staff (and me), the Governor lauded MediaWorks management, noting that:

Deloitte was assisted in its investigation by Mediaworks’ legal team, who undertook an internal investigation, uncovered emails that confirmed the leak, and reported these to Deloitte.

The leak prompted the Reserve Bank (quite appropriately) to discontinue lock-ups for media and market analysts, but to the extent that was a penalty it was one imposed on all those who had previously participated (and was, perhaps, a greater burden on some of the more specialist entities).

Unfortunately for the Reserve Bank, it quickly became clear, upon reading the Deloitte report, that MediaWorks management must in fact not have been terribly helpful, at least until very late in the piece.

It is possible that MediaWorks senior management, including the former chief executive Mark Weldon, was not aware there was even an issue until 21 March.  The leak had occurred on 10 March, and although I drew attention to it that day (both directly to the Bank and, later, on a post here), it only got attention and coverage in the mainstream media on 21 March.    But at that point it got considerable coverage, and there is no way the senior management of a major media organization, with their own corporate Group Head of Communications, could not have been aware there had been a leak.  At that point, it would presumably have taken no more than an hour to have had the internal IT people check the emails of the MediaWorks staff in the lockup (even if they had no knowledge or suspicion of their own organization’s involvement, just to be on the safe side). That would have confirmed that MediaWorks was the organization responsible.

At that point, as the Deloitte team was (by their own account) only just turning their attention to media outlets as the possible source of the (then) possible leak, MediaWorks could have come forward and alerted the Reserve Bank to their responsibility.   That would have looked like full and early cooperation.  Even better, they could have pro-actively told the Bank, and Deloitte, how long this practice, of journalists emailing draft stories back to the office from the lock-up, had been going on.  There is no suggestion in the Deloitte report that what happened was just an accident (someone hit the wrong key on their laptop).

In fact, the Deloitte report makes it clear that MediaWorks did not approach either them or the Reserve Bank until 5 April, more than two weeks later, and then only when the Deloitte team sought meetings with each media person who had been in the lock-up.  At that point, presumably, the staff concerned and their managers left senior management with little option.

It isn’t really that clear why the Reserve Bank gave so much cover to MediaWorks in their 14 April statement.  A simple statement that MediaWorks had not approached the Reserve Bank until more than three weeks after the leak had occurred would have been considerably more appropriate than the positive statement on the role of the MediaWorks legal team. They were, no doubt, working largely to protect the interests of their own organization –  an organization which has been notably unforthcoming in answering questions about just really went on, who had sanctioned these breaches of the lock-up rules etc.

I suspect the answer to my question has something to do with the Reserve Bank’s desire to play down the whole episode.  Their systems were shown to have been very weak, and totally reliant on trust. It took no sophisticated signaling techniques for this leak to occur –  just clicking Send on an email.    Systems that might have reasonably robust 20 years ago –  when lock-ups were more useful, because ordinary readers couldn’t simply download the MPS at 9am and read for themselves what the Bank had to say –  simply hadn’t kept up.  The Bank has accepted no responsibility for that, or released any internal reviews it has undertaken as to how such vulnerabilities were allowed to arise.

But the inquiry also raised some questions about just how seriously the Reserve Bank itself had taken the issue in the first place.  Had they really taken seriously the possibility of a leak they could have taken action on 10 March.  I had suggested to them that morning that they focus on media outlets.  It wouldn’t have taken much effort for the Bank – Governor and Deputy Governors – to have rung the heads of each media organization in the lock-up  (I’m not sure how many that would be, but I’m assuming no more than 20) and asked them to (a) check emails of all of their staff who had been in the lock-up, and (b) arrange for signed statements to be prepared by all those in the lock-up swearing that they had not been responsible.  Had there in fact not been a leak (and the Reserve Bank couldn’t be sure then) it wouldn’t have cost much.  As it was, it surely would have identified the culprits within hours.    Instead, we learn that the Deloitte inquiry did not focus on media until after they met me on 18 March –  more than a week later –  and as late as 21 March the Bank was on record as talking only of “allegations” of a leak.

To be frank, given the Bank’s general attitude to me, and their unease about the issues I have been raising, and the questions I’ve been posing, I can understand why they might have been a little wary.  But the fact remains that, for all the Governor’s huffing and puffing about whether I told them what I knew at 8:30 or 9:08, they don’t seem to have done much with the information for several days at least.  And when they finally did discover the truth they appear to have been at pains to help protect MediaWorks’ corporate image.   There are still unanswered questions about whether MediaWorks was shown the draft Deloittle report, and whether it was given the chance to comment on the Reserve Bank’s press release in draft.

But this all brings us back to the question as to what has changed now (other than the CEO of MediaWorks).  Banning MediaWorks from Reserve Bank media conferences for a time seems like a reasonable sanction, but why wasn’t it done three weeks ago?  Since the Governor never acknowledges mistakes, and rarely makes himself available for interviews, perhaps we’ll never know. Then again, perhaps someone will ask at the FSR press conference next week.  They might also ask what “until further notice” means.  What are the conditions that MediaWorks has to meet?  Such an indefinite suspension seems unwise, and could give rise to speculation that the suspension might be lifted if MediaWorks outlets were seen to be covering the Bank in a not-unfavourable light.  Better, probably, to have banned them for three or six months, and then put the matter behind them.  And if the conditions for lifting the suspension don’t relate to the tone of the coverage of the Reserve Bank, do they relate to getting fuller and more complete answers from the new management about just what had been going on?  That might not be an unreasonable stance to have taken, but the Bank should be upfront about it.  As it is, we were left with the impression on 14 April that the matter was over as far as the Bank was concerned.

There is still a series of questions outstanding for both the Reserve Bank and MediaWorks.  Those for the Reserve Bank concern me most, because the Bank is a powerful public sector organization, which really should be much more upfront with the public when things go wrong (as inevitably occasionally they will).  I hope that some light will be shed on some of those questions when a series of Official Information Act and Privacy Act requests I have lodged with the Bank (and its Board) are answered.  Those answers are due in a couple of weeks, and I suspect that the Reserve Bank will delay responding just as long as it possibly can.

UPDATE: The question of why the Reserve Bank provided such cover to MediaWorks is deepened if this piece by John Drinnan is accurate.

The report talks about workers, but I understand senior news staff received the leak. I spoke to a Bank spokesman at the time the Bank stopped lockups, and it was unhappy about the way it was dealt with.

If the Bank was really unhappy, why imply otherwise, commending the assistance of MediaWorks?


The Treasury on lock-ups

I just received from The Treasury the response to my OIA request about Budget (and similar) lock-ups.  Not quite as fast a response as that from Statistics New Zealand, which I commented on last week, but well within the 20 working days, and thus most welcome.

No doubt they will put the response on their website in due course, but here is the document.

Treasury OIA response on lock-ups

As I’ve noted from the start, I’m less bothered about pre-release lock-ups for Budgets than for OCR announcements or the release of key macroeconomic data.  Most of the time, most of what is in the Budget is not that market-sensitive –  and what is headline-grabbing has often been well-foreshadowed by Ministers and their staff.  And Budgets often have a large range of complex material, straddling numerous portfolios areas.  When new initiatives are announced often the details can be tricky, and important. But I don’t think Treasury can be complacent about these lock-ups –  there is sometimes material there that is market-sensitive.  Advance news about the bond programme would, at times, be very valuable.  There is a difficult balancing act, since Budgets are a mix of political management and  other, perhaps market sensitive, material.

Like the Reserve Bank in the past, and SNZ still, the Treasury seems to rely mostly on trust for the security of the lock-ups.   Attendees are not even required to surrender phones or mobile devices, just required not to transmit with them.  Apparently “compliance is monitored throughout”, but presumably by wandering around. I imagine the Reserve Bank staff did that in their lock-ups.

I had asked about any reviews undertaken in light of the Reserve Bank’s experience.  As is already known, after “discussions” the Secretary to the Treasury has decided to go ahead with this year’s lock-up.  There is no suggestion that those discussions included any effort to identify whether leaks had occurred in the past, along the lines of what happened at the Reserve Bank.  The Deloitte report gave no suggestion that the MediaWorks breach was accidental, and there are even suggestions afoot that the journalist involved may have been under management instructions to send draft stories from the lock-up (see John Drinnan’s comment at the end of this post).   If a story was deliberately sent from the OCR lock-ups, might the same practice have occurred, with the same people, at previous Budget/HYEFU lock-ups?  I don’t know, but then neither –  it would appear – does The Treasury.

Treasury is probably quite safe this year, since everyone (no doubt including MediaWorks) will be hyper-sensitive to the Reserve Bank experience.   But weak systems create a high risk that there will eventually be breaches.


Questions about the OCR leak, the inquiry etc

Questions about the handling of the OCR leak issue aren’t going away.  Last Saturday, I posted some thoughts on some issues that the Reserve Bank and MediaWorks should be asked about, flowing from a careful rereading of the relevant documents.

Since then there has been a variety of articles –  especially focused on MediaWorks – in the mainstream media.   Jenny Ruth had a piece on the NBR website “Were there other MediaWorks leaks from Reserve Bank lockups”.  Hamish Rutherford has a substantial and useful piece in the Dominion-Post this morning “MediaWorks Owes an Explanation” (although I have considerably more readers than he reports) and John Drinnan’s media column in the Herald today is largely devoted to media aspects of the leak and its aftermath.

It is perhaps understandable that the mainstream media has focused mainly on the media dimensions –  many of them are grumpy at losing the opportunities previously afforded by the lockups (although others quietly acknowledge that the lockups were really products of a different technological age and probably had to go).  I don’t have much sympathy on that count, having called a month ago for the lockups to be scrapped.  But I do share the surprise that there has been no evident specific  sanctions meted out to MediaWorks, the chief culprits in the whole affair.  Various people have suggested that MediaWorks should have been banned from lock-ups, rather than ending the practice altogether.  Ending lock-ups was the right thing to do, but it is still surprising that there appear to be no other concrete consequences for MediaWorks’ flagrant breach of the rules (not reported to the Bank for weeks).   Then again, what other sanctions were available?  One might have been to deprive MediaWorks of, say, opportunities for any interviews with the Governor. But since he doesn’t give interviews, I guess that option wasn’t available.

There are questions for MediaWorks, but in the end they are a private company and have to make their own judgements about what to tell us.  It is disappointing that they have not been more open.  I’m not so much bothered about them not naming the person who sent the email from the lock-up, but about things like:

  • had these sorts of leaks happened before by MediaWorks staff?
  • why did it take more than three weeks for MediaWorks to acknowledge that its employees were responsible (including more than two weeks after the issue had extensive media coverage).

But, as I say, MediaWorks is a private organization.  The Reserve Bank, by contrast, is a powerful public body.  We should expect an open and transparent approach by public institutions when bad stuff happens, and the Bank is subject not just to the Official Information Act, but also to parliamentary scrutiny.  I think there is a range of questions to which the public deserves answers from the Bank:

  • Did the Bank, or Deloitte, ask MediaWorks whether these sorts of breaches had occurred before.  If not, why not.  If so, what was the response?
  • Why does the inquiry report not address issues around “the process for transmitting the Governor’s OCR decision to see if any improvements are needed”, even though the Bank had told me the Deloitte inquiry would cover such matters?
  • Was MediaWorks given a chance to comment on the draft inquiry report, or the draft of the Reserve Bank news release of 14 April?
  • Why does the Reserve Bank press release go out of its way to stress the cooperation of MediaWorks, when MediaWorks did not report the breach until more than three weeks after it occurred?
  • Why does the news release not accept any responsibility for the Bank having run lock-ups with such lax security procedures that a breach of this sort could happen so easily?
  • Have any Reserve Bank officials been disciplined or reprimanded for failing to update security procedures to reflect the advances of technology?

In support of seeking answers to these, and other, questions, I have lodged an Official Information Act request with the Reserve Bank.  It requests the following information:

Terms of reference

  • Copies of the terms of reference for the Deloitte inquiry, including the TOR as at 15 March 2015 (the date of Nick McBride’s approach to me), and any subsequent variants, (formal or informal).
  • Copies of any advice to or from the Board regarding the terms of reference

MediaWorks’ 5 April advice

  • Copies of the initial MediaWorks advice to the Reserve Bank and Deloitte on 5 April (date as per the inquiry report).  In the event that the advice was oral, please provide copies of any filenotes or other records of conversations with MediaWorks.
  • Copies of any follow-up requests for further information made to MediaWorks or its representatives by the Reserve Bank or the Deloitte inquiry team.

The Deloitte inquiry report

  • Names of any person or organisation, beyond the Reserve Bank’s staff or Deloitte, invited to comment on the draft report.
  • Copies of any advice provided to the Reserve Bank by non-executive members of the Reserve Bank Board on the draft report.

The Reserve Bank’s 14 April news release

  • Copies of all drafts of the 14 April news release
  • Names of any persons or organisation beyond the Reserve Bank’s staff or Deloitte, invited to comment on the draft news release.
  • The time at which MediaWorks was given a copy of (a) the draft, and (b) the final news release.
  • Copies of any comments made to the Bank by (a) MediaWorks and/or (b) non-executive Board members on the draft news release.

Internal Reserve Bank committees

  • Copies of the relevant sections of the minutes of any meetings of (a) the Governing Committee, and (b) the Senior Management Group at which the (possible/actual) OCR leak, and/or the Reserve Bank’s response to it, were discussed.

I remain more than a little aggrieved, having brought the issue to light in the first place, at having my conduct described by the Governor as “irresponsible”, but I have addressed those issues in a separate letter to Governor.




The OCR leak – some more thoughts

I was re-reading the documents released on the OCR leak.  There are three of them: the Deloitte report, the Reserve Bank’s press release, and the MediaWorks press release.  The latter document doesn’t seem to be on the web (and certainly not with the company’s 2016 press releases), but someone did send me a copy.  This is the text

Mark Weldon, Group CEO, MediaWorks said:

“MediaWorks unreservedly apologises to the Reserve Bank for this incident. Once MediaWorks was aware a leak had taken place, it conducted its own investigation to determine whether the leak had come from within MediaWorks and self-reported that to the Reserve Bank.”

Regarding the specifics of the matter, Richard Sutherland, Acting Chief News Officer, said:

“The leak was caused by a failure within News to follow proper process and changes have already been made as a result. We are addressing the breach with those concerned and new policies and training will be implemented moving forward.”

I also compared the Deloitte report with what the Bank’s legal counsel, Nick McBride, told me about the scope of the enquiry – which they had already commissioned by then – when they asked for my assistance.  I included the whole email in yesterday’s post, but this was the bit I had in mind today

The Bank has appointed investigators from Deloitte to try and find out whether there was a breach in security and, if so, how it occurred. They will also review the process for transmitting the Governor’s OCR decision to see if any improvements are needed.

A number of things struck me:

  • We have not seen the terms of reference for the Deloitte inquiry.  They are referred to in passing in the report, but are not attached.  That seems strange.
  • The substance of the report is less than three pages of text.  A full page of that is devoted to me.  I don’t have too many problems with it, but I understood it was normal public sector practice when inquiries are done to give those affected by the inquiry an opportunity to see, and comment on, the report in draft before it was published.  That didn’t happen for me (but there must have been coordination with MediaWorks –  did they see the report before it was released?).  Had the draft report been shown to me, I would have requested some wording changes.
  • Despite the comment in McBride’s email that the investigation would “review the process for transmitting the Governor’s OCR decision to see if any improvements are needed”, there is nothing at all on that topic in the published report.  I had offered some comments, in passing, on that matter when I met with the investigation team.  Were the terms of reference changed at a later date?  If so, why?
  • The MediaWorks statement says that “once MediaWorks was aware a leak had taken place, it conducted its own investigation to determine whether the leak had come from within MediaWorks and self-reported that to the Reserve Bank”.  But that seems inconsistent with the Deloitte report, which says that the source was identified only after “communication that we initiated with the journalists”.  The inquiry report says it only focused on the media after my meeting with the inquiry on 18 March, and I wrote about the leak possibility for the second time that day (and I know various MediaWorks employees read my blog), and the mainstream media gave a lot of coverage to the story on 21 March.  So news of the possible leak was widespread by then at the latest.  And yet MediaWorks only self-reported the information about the leaker “to RBNZ and to us [Deloittes] on 5 April 2016”, more than two weeks later.  It doesn’t take two weeks for an organization to track something like this down internally – MediaWorks knew which of its employees had been in the lockup.   It seems more probable that MediaWorks acted only after the inquiry team requested a meeting with the staff who had been in the lockup.
  • It is striking that the Deloitte report makes no attempt to assess whether what the MediaWorks person in the lock-up did on 10 March (file a draft story back to their office well before the embargo lifted) had been done before.  And the MediaWorks statement also does not address that issue.  There are various stories on the media grapevine that it was, in fact, established practice.  And while I have no way of knowing whether that is so, it is not inconsistent with the fact that the person who sent me the information presumably didn’t see anything extraordinary about doing so.   There is no suggestion in the report or statement(s) that the transmission from the lock-up was somehow accidental (inadvertently hit the wrong button, or somesuch), and if it wasn’t accidental perhaps it was customary.    It is unfortunate that the Reserve Bank’s inquiry does not appear to have attempted to assess whether that was the case, or even just note the possibility.
  • The Reserve Bank’s own statement seems very supportive of the MediaWorks hierarchy, even though (a) people in that organization knew what had happened from the start, (b) must have known it was against the rules, even before I started to draw attention to the issue, and (c) the timing suggests that the management action (and formal internal investigation) was all rather belated, occurring when their people realise they would be interviewed by the inquiry and would have to provide an accurate factual account of what happened.

There seem to be quite a few more questions that should be asked of both the Reserve Bank and the MediaWorks management.

In passing, I would note that I have read and heard many dismissive comments in the last few days from other media people about MediaWorks, and their coverage of economics and monetary policy issues.  I don’t watch their TV channel, and am not a commercial radio listener.  Nonetheless, I had actually been quite impressed that Radio Live had been keen to run interviews with some one like me on such diverse topics as the OCR, US monetary policy, Kiwibank, the real exchange rate and economic performance, immigration policy and so on.  As I say, I don’t listen to commercial radio (my wife kept saying “but no one I know listens to Radio Live”), so I’m not sure how representative those sorts of interviews are. But my experience had been a wholly positive one –  intelligent interviewers, aiming at popular market no doubt, asking sensible well-researched questions, and not obviously pursuing “gotcha” moments (but then why would they with a middle-aged rather serious economist, talking mostly about rather geeky issues?).

Someone has, however, drawn to my attention an NBR story in which Rob Hosking reports  that

“Mr Reddell did not at the time ask how they knew of the decision an hour before it was announced-  an omission which has apparently caused some resentment within Mediaworks who feel he should have warned them about this”.

Yeah right.  The MediaWorks people knew very well that the information was not supposed to be outside the lock-up.  What was I supposed to do –  assuming I had believed it was the fruit of a real leak which, as I noted yesterday, I had no particular basis for doing (25 years of MPSs having gone by without one) ? I genuinely didn’t know what to make of it.   I suppose I could have said “you do know you aren’t supposed to have that information, assuming it is true, don’t you?”  But the sender, and the people that person apparently overheard, already knew that. The 9am release time is no secret.  It was no worse sending it on to me than it was for them to have had the information, in breach of their express commitments to the Reserve Bank, in the first place.  I had no ongoing or formal relationship with MediaWorks (I generally talk to any media –  or anyone else –  who asks), and I reported the matter to the Reserve Bank because if there had in fact been a leak, it was their information and systems that had been compromised.  The guilty people were hardly likely to own-up unprompted.

The OCR leak: again/still

I’m heartily sick of the Reserve Bank leak story and hope that this is the last occasion I write about it.  But there were a few further points I wanted to make, partly in response to the coverage in the last 24 hours.

I would also add that despite several commenters on various stories having correctly noted that the longstanding system vulnerabilities mean that there may have been previous leaks over the years from people in the Reserve Bank’s media or analyst lock-ups, I’m not sure it would a wise use of time or resources now (or perhaps even possible) to attempt to prove it one way or the other.  But that is a matter for the Reserve Bank.

Much of the media commentary has been about the abolition of the Reserve Bank’s lock-ups.  The many good trustworthy people pay the price of one peripheral player cheating.  Worse, it will apparently be harder to get good reporting and consumers of news will suffer.  And, from some of the economists, a concern that financial markets might be more volatile for the “first few minutes” after the release while economists and traders try to digest what the Bank is saying.   I plead for some perspective.

All of this commentary loses sight of the simple point which I have made previously, and which the Reserve Bank statement yesterday also makes.  Other countries don’t do it the way we were.  No country that I’m aware of had provided advance lock-ups for economists and analysts for official interest rate announcements.  And the handful that do provide some tightly-controlled advance notice for a select group of journalists give them only a few minutes advance notification, not two hours.  Other countries’ central banks don’t provide their staff to provide private briefings to media or analysts in advance of release, in doing so providing different information to those inside those lock-ups than is available to those outside.     What the Reserve Bank wants to say  in its releases should be carefully drafted and refined, and then put in the official documents, and left to speak for itself.  Sometimes press conferences can be useful, but they should be viewable (as the Reserve Bank’s are) by everyone, not only by the select few.  If anything, under the new arrangements, the press conferences may even allow better scrutiny and more searching questioning of the Governor, since future press conferences will occur an hour after the release (rather than a few minutes after as has been the case until now).  That will allow journalists to talk to economists, politicians, sector group leaders etc before they pose their questions to the Governor.

It is worth remembering, again as I’ve pointed out previously, that half of each year’s OCR announcements have always taken place without benefit of lengthy explanatory lock-ups (or press conference).  The full scale lock-ups have been used for Monetary Policy Statements, but not for the other intervening OCR reviews.  I’m not sure there is any evidence that the market reaction to those one page statements has been any more difficult or volatile than for the MPS releases.

Nonetheless, I think there are still some aspects of the new regime that will require some bedding down, and perhaps later refinement.    I’ve long thought it was a mistake to release OCR announcements at exactly the same time as MPSs. A better model, in my view, would be to release the OCR decision as soon as it is made (further reducing another aspect of risk in the system) and then to release an MPS a few days later, as background analysis (looking forward, and providing ex post assessments).  In such a model, the MPS would be much less market sensitive (the main market-moving news is in the OCR announcement itself). For such a background document, there might be less harm (but less interest) in a lock-up to explore the technical detail of the forecasts.

More immediately, the Reserve Bank should consider adopting the idea proposed by former Czech central bank head of communications Marek Petrus (discussed on his Lombard Rates blog, and here on mine) that the Bank should host an analysts briefing later in the day of the MPS release.  In such a briefing,  analysts could ask questions of the Bank (in person or by phone –  akin to conference calls investment banks run), and the Bank  might also be able to use the occasion to resolve  openly any misinterpretations that had arisen over the day.  But the critical aspect of the arrangement is that the briefing would be webcast (as the press conferences are) so that everyone has the same information, whether in Wellington, Auckland, Singapore, or New York, whether economist or not.  A concern about the new system the Bank announced yesterday is that it will resolve one problem and open another.  The analysts lock-up (and the later economists’ lunch) has always had problems in that they sometimes provided information to attendees that wasn’t available to everyone else.  In the new world there is a risk that there will be high rewards for those – especially the Wellington-based – who, searching for nuance, secure coffee discussions with the Chief Economist or the Manager, Forecasting.

Somewhat surprisingly, even the Prime Minister has weighed in, calling for the Reserve Bank to reconsider, noting that Budget lock-ups had worked well.  I’m not sure whether The Treasury uses more robust systems to reduce the risk of leaks (perhaps they will be reviewing them in light of the Bank’s experience?), but even if they aren’t the case for a lock-up for Budget material is much stronger than for MPS.  First, there is typically a wide range of material across huge number of portfolio areas.  Second, often new initiatives are being announced, with technically complex details.  And third, not much about the Budget is typically very market-sensitive, especially as the Beehive typically provides strong hints (or more) on the juicy stuff in advance of Budget day.  By contrast, OCR announcements and MPS releases are really just the same old stuff over again (new data, new rate, but the same basic framework), but the bottom line is highly market sensitive, and there is no pre-briefing of selected journalists.

Changing tack, I have been a little surprised at how little of the media coverage has focused on the Reserve Bank’s weak systems.  Perhaps that is understandable: the media has the strongest interest in the story as it affects them (changes in lock-up arrangements), and the Reserve Bank is a powerful institution and most of them want to remain on good terms with the Bank (even while complaining quietly).  But what happened in this episode involved two things:

  • A MediaWorks staffer who breached his own express or implied commitments to the Reserve Bank (not to communicate the information before the embargo lifted)
  • A central bank that ran lock-ups that, it turns out, used no technological protections, and relied totally on trust to protect extremely sensitive information.

I was trying to explain the story to my children last night.  I told them that I had no reason to distrust the people who live on my street, but that nonetheless I would irresponsible if we went out and left the doors wide open, simply relying on trust that nothing bad would happen.   Most of the time, nothing bad would happen.  But if and when it did, people (including the insurance company) might reasonably talk of contributory negligence.

Managing highly sensitive information is not incidental to what the Reserve Bank does, but integral.  And yet they unnecessarily sit on the OCR decisions for six days, running risks of (inadvertent) release by someone inside the institution.  And they tell the Minister of Finance –  when he and his advisers will have their own agendas –  more than hour before the announcement.  And –  the focus of this episode –  they have dozens of people from the financial media and financial institution economists in lock-ups which were secured by no more than trust.    I don’t think I had realized until last night quite how bad the situation was.  On entering the lock-ups participants have to hand in their phones, but all continue to have access to their laptops with active internet connections throughout the lock-ups.  There was, apparently, no effort ever made to secure either individual laptops or the rooms where the lock-ups were held (to physically prevent transmission until the embargo is lifted).    In an earlier post, I touched on hypothetical risks –  the analysts lock-up used to be held in a room easily overseen from neighbouring apartments – but all the time anyone in the lock-ups could simply have emailed the news to anyone they chose.  It is staggeringly lax.  Mike Hannah, Head of Communications was quoted in yesterday’s press release on the new arrangements, but these previous lock-ups were his responsibility.  What were he, and his boss Deputy Governor, Geoff Bascand, doing in allowing such incredibly lax security?  They left the door wide open, and eventually (at least) one person walked through it.

As I noted yesterday, it is surprising that the Governor’s press release took no responsibility for any of this, and offered no apology for it.   I hope the Bank’s Board (and its audit or risk committee) is asking some hard questions.

Finally, I remain irked at being accused by the Governor of being “irresponsible”, for not passing on to the Bank the email I received (from someone not in the lock up) as soon as I received it.   As I have already noted, I had no relationship of trust with the Bank, owed them nothing, and in passing on the information at all –  acting with a sense of public responsibility, and a concern for the best interests of an organization I had worked for for decades –  I have probably jeopardised my future relationship with MediaWorks.  I am also irked that yesterday was the first time I had heard the Bank suggest that I was somehow to blame.  It has the feel of a line made up after the event, to distract attention from the real story: the Bank’s weak systems, and a security breach by a journalist who the Bank had allowed to participate in its lock-up.


Let me explain.  And if the detail is painstaking, feel free to stop here. This is for the record as much as anything.


As I have said previously, I received an email from a MediaWorks employee at 8:04am on the morning of 10 March.  It is reproduced in the Deloitte report.  It read.

We have just heard that the Reserve Bank is cutting by 25 basis points
I didn’t see the email straightaway  –  it is the sort of time my kids are getting ready to leave for school.  I saw it about 10 minutes after it arrived, and emailed back to the sender at 8:14
if true, that is very encouraging –  at last.  I  have thought it a bit more likely than the market pricing, but…one never quite knows
As I have noted all along, I had no way of knowing (until yesterday) if this was real information, or just the sender talking things up.     The tone of this email is not one suggesting I instantly believed there had been a genuine leak.
Various people have asked why the person sent the email to me in particular.  It had already been arranged that I was going to provide some on-air commentary on Radio Live later that morning on the OCR announcement.
I’ve gone through this stuff before, but in the following minutes various things went through my head.  I flicked onto the ANZ and Westpac exchange rate chart pages, half expecting, half fearing, to see a sudden movement in the exchange rate.  If there had been a genuine leak it seemed unlikely that I was going to be the only one to know, and in all my years at the Reserve Bank –  including running the Financial Markets Department –  our greatest fear had been market participants being able to profit from early access to such information.
At some point I thought about contacting the Reserve Bank.  That wouldn’t have been as easy as it sounds.  I’m not exactly persona grata at the Reserve Bank, I knew that key people would most likely actually be in the lockups, and I didn’t have their cellphone numbers.  Graeme Wheeler wasn’t in lock-ups, but he was hardly going to take my call.   I could have sent an email, but who was likely to be rushing to open emails from me in that dead half hour when their attentions were on the media and market lock-ups.   And, as I have noted previously, I didn’t know if the information was the result of a real leak.  If I’d passed it on to the Bank before 9am, and it turned out they weren’t cutting, what I could expect from them was not a “hey, thanks Michael, even though there clearly wasn’t a leak on this occasion, but we really appreciate you pro-actively coming forward” but more like “there he goes again, always willing to believe the worst, constantly undermining us”.   And so, since the market hadn’t moved, I kept the email myself for the remaining few minutes and as soon as I’d read and digested the key bits of the statement (my own priority), I sent this email through to John McDermott (Assistant Governor, and my former boss) and Mike Hannah, Head of Communications at 9:08am
Mike, John
For what it is worth, I received an email an hour ago from someone telling me that they had just heard that the Bank was going to cut by 25bps this morning.  I have no idea whether it was a well-sourced “leak” or just speculation, but I have no reason to doubt the person who told me, who in turn (as far as I’m aware) has no reason to pass on simple speculation.
As I’ve noted previously, there are no allegations in this email, simply information  –  information which I didn’t know what to make of, but which now at least seemed to warrant investigation.
I didn’t hear from them for a while (both were at the press conference).  Reflecting on it a bit further, at 9:47 I sent this follow-up
Just for the avoidance of doubt, the email did not come from anyone inside the Bank (or inside govt).
At 10:03 am I had this email from John McDermott, cc’ed to Mike Hannah

Hmm. Serious but this is very little information to go on. What time exactly did you get the email?


A couple of minutes later I responded


And at 10:08 I sent this to Mike and John

and i’d be checking the media lock-up
At 10:29am I had this response from  McDermott

Thank you for letting me know. I am disappointed that somebody knew and thought it a good idea to spread the leak. Somebody with a decent character would have instead informed the Bank. You should let them know that for them to tell you puts you in a difficult place.

I had not noticed until now that McDermott even then apparently assumed there was a leak (“I am disappointed that somebody knew”).

And I responded at 10:37

No difficulty for me –  not as if I trade fx markets (or would ever use such information if I did). I did check the exch rate charts at the time, and had I seen any sudden move would have passed on the information before 9am.   I may mention the issue in my post on the MPS later in the day.
I did make mention of the issue some hours later in the my post on the MPS.   I noted, somewhat agnostically
And finally, as I have noted to them, the Reserve Bank might want look to the security of its systems.  I had an email out of the blue at around 8 this morning-  most definitely not from someone in the Bank –  telling me that the sender had just heard that the OCR was to be cut by 25 basis points.  I have no way of knowing if it was the fruit of a leak, or just inspired speculation, and was relieved to see the foreign exchange markets weren’t moving, but it wasn’t a good look.
And left it at that.
The next I heard was an email from Nick McBride, the Bank’s in-house lawyer, on 15 March


I think I saw you in Thorndon New World today when I was buying my lunch. Anyway, I am emailing you following your email to John McDermott and Mike Hannah at 9:08am Thursday 10 March alerting them to the possibility of a leak of the OCR decision. The Bank has appointed investigators from Deloitte to try and find out whether there was a breach in security and, if so, how it occurred. They will also review the process for transmitting the Governor’s OCR decision to see if any improvements are needed. I’m sure we both agree that it is the public interest to ensure the integrity of the process and tighten it as necessary.

As you are the person who has information that may indicate vulnerability in the process we would be grateful if the Deloitte investigators could talk to you about your email to John and Mike. We would suggest the meeting to discuss this take place at a convenient time for you at the Deloittes office here in Wellington (Level 16, 10 Brandon Street), ideally this week. If you could let me know the days and times you are available that would be appreciated. Deloitte should be able to fit in with you.

The lead from Deloitte is Ian Tuke and I have copied him on this email.

Thank you very much in advance for your cooperation. Feel free to contact me if you have any queries.


I thought this was a thoroughly professional approach, was relieved to hear about the inquiry, and we set up a time to meet.  There was no suggestion in Nick’s email, or in any of the earlier comments from McDermott, that I had done anything inappropriate.

A couple of days later I had a meeting with the Deloittes people conducting the inquiry.  I don’t have word for word what the senior guy said, but it was along the lines that the Bank had been very appreciative of me coming forward.  We had a good discussion, I gave them the original MediaWorks email (sender redacted) and I came away pretty content with how the Bank seemed to be handling the issue.

On 21 March, the following Monday, the media appeared to finally take some interest in the possibility of the leak.  Hamish Rutherford wrote a story on Stuff, in which he had sought comment from the Reserve Bank.   This is where I started to get a little annoyed with the Bank

The Reserve Bank has confirmed that following an allegation, it had launched an investigation.

“We are aware of an allegation that information may have been leaked ahead of the OCR announcement on 10 March,” a spokesman of the bank said.

While we have no evidence at this stage that any information was leaked, we take the integrity and security of market-sensitive information very seriously and have initiated an external investigation into the allegation.”

Note the repeated use of the word “allegation” –  a word, or idea, which had not appeared at all in Nick McBride’s email above (which simply talked of investigating the “possibility of a leak”).  As I have said repeatedly, I made no allegation: I passed on information, which appeared to raise some questions, and left it to the Reserve Bank to make what, if anything, it could of that information.

And then I heard nothing more of the matter until yesterday afternoon’s release.

The Bank has also taken to running the line that if only I had told them earlier, they would have avoided risks by bringing forward the release of the MPS (perhaps from 9am to 8:45am).  I’ve already touched yesterday on the implausibility of the idea that this would have solved their problems.  Graeme Wheeler should engage it a bit of introspection and ask himself just what his reaction would have been if somehow I had got hold of him or his advisers by 8:30 and told them what I in fact told them just after 9am.   After all, what I was passing was only hearsay (a solid report of what someone else had heard) at that point –  I didn’t know there had been a real leak, and so the Bank couldn’t be sure either.  And, frankly, the messenger would have mattered –  and I daresay Graeme would have been less inclined to react positively to hearing it from me, than from one of his admirers.  In reality, they would have debated the matter among themselves –  after it had taken perhaps five minutes to get the key people in the same room –  been not sure what to make of it, especially after checking the exchange rate screens.  Probably they would have waited it out til 9am.  Partly because if they hadn’t, and had released at 8:45, it would have created mayhem –  the markets moving suddenly with people still away from desks and screens, and the Bank could only have said something like “we received information, from a source we aren’t sure we trust, which suggested that there might have been a leak”.  I’m not sure how that would have made their position, then or now, any better.   Those who lost money would have been even more vociferous than usual (and understandably so).

In  conclusion to what has been a long post, I am sufficiently riled by the gratuitous attack that I am considering raising the matter with the Reserve Bank Board.  Are such ad hominem attacks on someone public-spiritedly providing (possibly at some cost to myself) information that enabled the Reserve Bank to (a) identify an actual leak, and (b) identify serious weaknesses in their systems, the sort of behaviour they expect or tolerate from their employee the Governor? I sincerely hope not.