Let’s not give even more statutory powers to the Reserve Bank

This morning the Reserve Bank released a variety of material that followed on from the leak of OCR at the time of March MPS.    Slipped out quietly onto their website – in response to an OIA request from me – was what might best be called the second stage of the leak inquiry report.  It is a document written by Deloitte almost a month after the release of what the Governor has called the “summary report” that was released on 14 April, and in places it is clearly phrased to respond to criticisms made after the release of that report.  I’ll have more to say about that document another day, but would just note that I was touched by the solicitousness of the Bank in deleting my name from a report they were releasing to me, apparently so as to “protect the privacy of natural persons”.  Perhaps they thought I’d forgotten my involvement?

The Bank also put out a press release headed “New Reserve Bank procedures for policy releases”.   After the discontinuation, from 14 April, of pre-release MPS and FSR lock-ups for journalists and analysts, there was pushback, especially from journalists, seeking the reinstatement of media lock-ups, under new and improved security arrangements (as distinct from what Deloitte call the “very high trust” arrangements –  under  which journalists could simply email from the lock-ups whenever they liked –  which had been found sorely wanting).   The Governor had indicated that the Bank would consider the options, and apparently commissioned a “security review” to explore the feasibility of lock-ups with much tighter security.  That review was undertaken under the leadership of Deloitte, but from the text the Bank has released today it is clear that it had a high degree of Reserve Bank staff involvement.

At the end of the process, the Governor has come to the right conclusion.  Lock-ups are not being reinstated, whether for analysts or journalists.  That was an approach I recommended at a time when the Bank itself didn’t even believe there had been a leak.  I commended the Governor’s initial decision to terminate the lock-ups, and I commend him again today.  There is simply no need for such lock-ups, and to hold them inevitably exposes the Bank to unnecessary security risks and/or unnecessary costs.  The public might have been well-served by lock-ups in a pre-internet age –   when it was hard to get timely access to the released documents –  but with today’s technology, the text is open to everyone at much the same time, and the onus is on the Bank to write its documents in a way that clearly communicates the messages it wants to convey.

Of course, the Bank is not seriously committed to openness or competitive neutrality in the access to information.  I have heard that they are still running briefings for analysts after the release.  [UPDATE: A market economist tells me that although they had such a briefing in June, there won’t be any in future]  An overseas expert on central bank communications has recommended –  and I agree with him –  that if such briefings are to be held (and there may be a useful place for them) they should be webcast, so that everyone has access to the same information/interpretation, not just the invited few who find it worthwhile to come all the way to Wellington (recall that most trading in the NZD is done offshore, and most New Zealand government bonds are held offshore).

[UPDATE: On further reflection, I would argue that such a post-release briefing, provided it is made openly available, would be a sensible option and cannot really understand why the Bank has scrapped them.  At a minimum it is less bad (and less costly in time) than lots of analysts approaching the Bank individually, and getting answers that could be (a) inconsistent across analysts, and/or (b) could be influenced by how well the analyst in question gets on with – eg  doesn’t criticize too much – the Bank and its senior economic staff in particular.]

For the media, the Bank notes that

We will also be placing additional emphasis on other opportunities for media access, such as on-the-record media briefings which have been trialled successfully this year.

There may be a place for such briefings, but if they are on-the-record again there is a strong case for webcasting them –  or even quickly publishing a transcript –  again so that everyone has the same information on a timely basis.  And, of course, on-the-record briefings –  with an emphasis on what the Bank wants to tell the media –  are very different from the sort of on-the-record searching interviews that the Governor consistently refuses.

I noted the other day that the Bank is sheltering behind an old provision of the Reserve Bank Act which, they argue, imposes serious sanctions (including a large fine or a term of imprisonment) if they were to release submissions –  especially from banks –  on proposed changes in regulatory policy.  I argued that if they had any sort of commitment to open government they should be promoting a simple amendment to the Act, to ensure that such submissions were fully, and simply, within the ambit of the Official Information Act.  If the Bank won’t promote such a change, perhaps an MP with a commitment to open government might.

So when I read through the Deloitte security review document, I was struck by the number of times that report had encouraged the Bank to seek a change to the Reserve Bank Act, this time to provide criminal sanctions for the early unauthorized release of OCR or MPS (or FSR?) material.  I suspect the idea for such a change did not come from Deloitte, but from Bank management themselves – in particular from the Deputy Governor responsible for such things (and former Government Statistician) Geoff Bascand.  In previous material released on the OCR leak, Bascand was on record as noting that Reserve Bank material of this sort did not have the sort of protections the Statistics Act provided to Statistics New Zealand.

It is really important that when the coercive powers of the state are used to compel individuals and firms to provide information to state agencies that people can be confident that that information is held securely.  Severe punishment for the inappropriate release of private information supplied by other people is quite appropriate.  But in fact, both the Statistics Act and the Reserve Bank Act already provide such penalties –  under the Reserve Bank Act someone can be sent to prison for three months, or a company can face a half million dollar fine.

But the economic forecasts and policy views of a government official (the Governor in this case) are a quite different matter.  And in many respect, that sort of information is not so different than the private information a firm might hold about a proposed merger or acquisition, about its planned dividend, about a new investment project, or –  in the New Zealand case –  Fonterra’s expected dairy payout.  Perhaps I’m wrong, but I’m not aware that there are criminal sanctions that protect, say, government Budget documents, or any other release of planned policy or legislation by government ministers.

In all those cases, confidentiality is clearly important to the information holder.  But in each case there would appear to be civil procedures open to information holders to protect the confidentiality of their information.  Typically, some staff in the relevant organization would have access to such information, and early unauthorized release would typically be a grounds for disciplinary action or perhaps even dismissal.    But other parties might too –  government Budget documents are printed externally, as is the MPS.  Sometimes professional advisers –  eg lawyers –  will be involved. And in some cases, entities will choose to provide information under embargo, or even to hold a lock-up.  In each and every case, it is open to the owner/provider of the information to specify in contract the confidentiality obligations of any party receiving the information.   Remedies for breaches of those policies are the responsibility of the institution providing the information.  There is no obvious need for criminal sanctions to be introduced in the process.  I hope that the Reserve Bank thinks again, and decides not to seek amendments of the sort Deloitte (no doubt at the Bank’s prompting) has suggested.  There is simply nothing that special about the OCR information –  it is not private information involuntarily provided to a government agency, and nor is it (say) material relating to national security.

In conclusion, it is interesting that in all the material that has emerged in recent months there has been little or no mention of one of the greatest security risks the Bank –  quite unnecessarily  – faces.    In most countries, the OCR decision is made and released on the same day –  that will have been what happened at the RBA yesterday.  The Reserve Bank has considerably shortened the lags over recent years, but as their recent article on the monetary policy process decision illustrates, the OCR decision to be released next Thursday will be made by the Governor this Friday.  There is six whole days when the information about the decision is known within the Bank.  Even if the formal knowledge is kept to a relatively small group –  when I was involved it was 10 to 15 people – it is simply an unnecessary risk.  With the best will in the world,it is almost inevitable that one day some one will let something slip, and there will be a huge uproar.  In terms of tightening security, still the best reform the Bank could make would be to release the OCR decision on the day it is made.

 

Another example of the Reserve Bank’s approach to the OIA

Regular readers will recall the OCR leak at the time of the March MPS.  A month or so later, when the Reserve Bank reluctantly recognized that there had in fact been a leak, and that their systems needed to change to reduce future risks, they released what purported to be a report undertaken for them into the leak by Deloitte.

In fact, subsequent material released by the Bank in response to an OIA request confirmed that what had been released then was not the actual report but a short-form “public” version.  I’m not sure what they had to hide, but decided to ask for a copy of the full report, partly out of genuine interest in its contents (as I had been the subject of a significant portion of the short-form “report”) and partly on the principle that leak inquiry reports, paid for by taxpayers’ money, should be made public as a matter of course.  In particular, the public should not be misled into believing that they were being given a full report, when in fact they were being given only a convenient summary.  When the initial release was made on 14 April, there was no suggestion at all that what was being released was a summary report only.

Anyway, I lodged the request several weeks ago, and this afternoon received this response.  How it can take more than 20 working days to decide whether or not to release a single report (that they already claimed to have released), which they themselves commissioned, and which they must have expected to be requested, and which deals only with their lock-ups etc is beyond me.  It seems like just another excuse for delay, another opportunity to simply ignore the principles of the Official Information Act.

(UPDATE: A reader points out that the Bank has given itself almost twice as long to consider the release of a single easily accessible administrative document as it allows for citizens to make submissions on its own proposals for further far-reaching regulatory interventions around housing finance.)

22 July 2016

Dear Mr Reddell

RE: OIA REQUEST FOR FULL DELOITTE INQUIRY REPORT

On July 4 2016 you made a request under the Official Information Act for:

“…. a copy of the full Deloitte inquiry report (as distinct from the “summary” – Graeme’s description in the Board minutes – or “public” version that was released on 14 April”.

The Reserve Bank is extending the time limit for decisions on your request to 10 August 2016, as permitted under section 15A(1)(b) of the Act, because consultations necessary to make decisions on the request are such that a proper response to the request cannot reasonably be made within the original 20 working day time limit.

Under section 28(3) of the Official Information Act, you have the right to complain to the Ombudsman about the Reserve Bank’s decisions relating to your requests.

Yours sincerely

Naomi

Naomi Mitchell

External Communications Adviser | Reserve Bank of New Zealand (Auckland)

205-209 Queen St, Auckland 1010 | P O Box 5240, Auckland 1141

  1. +64 9 366 2643 | M. +64 27 294 3900 | F. +64 9 366 0517

www.rbnz.govt.nz

Three months on…

It is three months since, on the morning of the release of the last Monetary Policy Statement, a fortuitous set of circumstances brought to light a leak of the Reserve Bank’s OCR decision.  It hadn’t required any particular devious methods or technologies, and the suggestion –  including from the Reserve Bank’s own lawyer –  has been that it wasn’t the first time it had happened.  Whether that was so or not, the Reserve Bank’s systems were loose enough that it was only a matter of time before, accidentally or deliberately, a leak happened.  And ethics were loose enough at MediaWorks that the leak was apparently seen as acceptable conduct, despite the rules of the lock-up.  It took weeks for MediaWorks to own up, and even now there has been no proper accounting from them as to just what went on.

In an email yesterday about today’s Monetary Policy Statement, someone in the markets noted to me

Still waiting to read your full apology from RBNZ, I live in hope!!

It might be nice, but the words and (in)actions of Graeme Wheeler, and his associates Geoff Bascand, Mike Hannah, and Rod Carr, really speak for themselves.  How did we end up in a situation where these sorts of people govern our central bank?

But I’m still more disturbed about the secrecy with which the Reserve Bank has sought to cloak the whole affair –  telling us just as much as they want us to know.  Answers to a series of fairly straightforward OIA requests, about events that happened two to three months ago, have been kicked out to 1 July –  and such is the Reserve Bank’s track record on the OIA that I’m not optimistic we will get much even then.  Whatever the case for secrecy on some policy matters, a leak inquiry  –  especially one that confirmed an actual leak and prompted major system changes – seems like one of those things where the public should be able to expect a full and open accounting from a taxpayer funded public agency.

Instead, we have them stalling, seemingly averse to transparency and scrutiny.  Among the outstanding matters:

  • We haven’t seen the terms of reference for the leak inquiry
  • We haven’t seen the full Deloitte leak inquiry report, only a short-form public version.
  • We haven’t heard why no penalty was initially imposed on MediaWorks, only for the Governor to later change his mind and indefinitely ban them from Reserve Bank press conferences.
  • We haven’t heard why the Governor chose in his press statement to emphasise the cooperation of MediaWorks when even the short-form report makes clear that it took weeks for that company to own up, and then only when it had been approached by the inquiry team.
  • We have seen no acceptance from the Reserve Bank that its own systems had failed to keep pace with technological change, which left them open to a leak (the consequences of which could have been much more serious than they were).
  • We don’t know whether the Bank has made any serious efforts to find out whether MediaWorks staff had leaked previously, and if they did make the effort to seriously pursue the matter, what the answers were.
  • We don’t know how much involvement the Bank’s Board –  supposed to operate at arms-length from management to hold the Governor to account – had in the handling of the leak, and 14 April press statement.  The documents that have been released suggest, which shed a partial light on the matter, suggest that the answer was “too much”.
  • We haven’t seen the papers the Reserve Bank considered in reviewing the options regarding the future of lock-ups, press conferences etc.

I’m not sure what the Bank has to hide.  The answer may well be “not that much at all”.  If so, the obstructiveness and resistance to an open accounting for their handling of a serious breach is perhaps more just a reflection of an ingrained resistance to see themselves as a public body with all that means.  In particular, that they are subject to the Official Information Act as much as to any other law, and are a body from whom the public should reasonably expect a full and open accounting.  Mistakes happen, errors are made, system flaws come to light.  That is what happens with human beings and human institutions.  Embarrassing as they sometimes are, accidents  and errors will happen.  But how an institution – and a powerful individual – recognizes, accepts responsibility for, and responds to such mis-steps can tell us a lot.

As journalists and MPs gather today to scrutinize the Governor, perhaps they might like to reflect on some of this.

 

The OCR leak: some disclosures

Will I come to regret this post?  Probably not, but only time will tell.  It also may not be of wide general interest, but that is fine.

Regular readers will recall that I got caught up in the Reserve Bank’s OCR leak.  More specifically, gaping breaches in the Bank’s systems (a near-total reliance on trust) and an actual leak of the March OCR decision would not have come to their attention, and been addressed, if I had not passed on to them information that arrived unwanted in my email in-box on the morning of the release, which suggested the possibility of a leak.  Frankly, if anyone was the innocent party in the whole episode it was me.  I wasn’t the leaker, I wasn’t the major media organisation that failed to disclose the leak by its employees for several weeks, I didn’t even receive what information I had from the person who was the leaker, and I wasn’t the central bank that ran security systems that made such a leak astonishingly easy.

And so I was more than a little miffed to have the Governor of the Reserve Bank describe me and my conduct as irresponsible in his press release announcing the results of the inquiry –  an inquiry that would never have taken place if it had not been for my initiative in alerting the Bank to the issue.  What particularly irked me was that in the same statement the Governor (a) took no responsibility for the laxness of the Bank’s own systems, and (b) seemed to go out of his way to stress how helpful the media organisation, MediaWorks, had been.   It also puzzled me a little that there seemed to be no sanctions imposed by the Bank on the leakers – MediaWorks and its staff.

That prompted me to lodge a series of requests for information –  from the Bank itself, and from its Board (which is paid to operate at arms-length from the Bank to scrutinise the performance of the Governor and hold him to account).    The Bank has actually responded to one other OIA request in this area: the Taxpayers’ Union asked about the cost of the Deloitte inquiry, and was told a few weeks ago that the cost was $58952.28 (plus GST).  My OIA requests have been treated in a more typical Bank way –  not just extended for one month, but all the way out to 1 July, with talk of the possibility of charging.

However, I also sought from the Bank under the Privacy Act material relating to me that was held by the Bank and generated or obtained between the morning of the MPS release on 10 March and the day I lodged the request.  They didn’t respond in 20 working days, but it wasn’t that much after the initial deadline when I was sent a fairly large collection of material yesterday.  I had kept the request quite focused –  I wasn’t after copies of media reports, or out to embarrass junior people who were not involved in the leak investigation and might have been exchanging speculative emails.  All the material I obtained was comments from people directly involved, mostly people from the senior management group including the Governor.

I have tossed up about whether to release this material, and am doing so for two reasons.

The first is that I think it does shed useful light on how the Bank went about dealing with the information I provided to them, and the priors and presuppositions of key people involved.  It is only a partial view of course, and I hope in time the Official Information Act requests will provide some more clarity.  Unfortunately, the Bank has deliberately stalled the release of that information (which it can be onerous neither to collect/collate nor to review).

The second is more personal.  Various people wisely suggested that I separate my irritation at having been personally attacked by the Governor from the wider issues of how the Bank has dealt with the issues of the leak, MediaWorks involvement, lock-ups etc.   Some experienced former colleagues had even got in touch to suggest I must be misinterpreting things, and the Governor’s statement about irresponsibility couldn’t have been meant to include me.  And so I decided to write a private letter to the Governor, outlining my perspective on my involvement in the whole issue and, in light of those points, inviting him to explain, or reconsider, his public assertion that my conduct had been irresponsible.  If possible, dealing with such issues privately is generally likely to be more constructive.

It wasn’t long before I got a very terse response from the Governor confirming that he did indeed regard me as having behaved irresponsibly.  I didn’t do anything with that, other than to pass the message on to those optimistic former colleagues.

But then I received yesterday’s collection of documents.  Publishing them, together with my letter to the Governor and his reply, will enable people to form their own views.  I’m sure many will see what they want to see, and some of those inclined to support Graeme Wheeler more generally may agree with the views he, and his senior colleagues, expressed.   Anyone is entitled to his or her own view.

As for me, I have to live with my own conscience.  There would be nothing shameful in concluding that, with the benefit of hindsight, one might have done some things differently.  After all, the Governor himself –  who had much more time – has changed tack twice since the inquiry was released (from no penalties for MediaWorks to indefinite exclusion from press conferences, and from immediately discontinuing lock-ups to investigating the possibility of reinstating them).   I have asked myself some of the questions others have posed, but reading the material I received yesterday led me to conclude more strongly than previously that I had done the right thing –  not necessarily the things the Bank would have preferred, but those which best balanced the public interest and the protection of my own interests.

Here is the link to the material the Reserve Bank released.

OCR leak inquiry Privacy Act response from RB

My earlier posts on the leak and related issues are all here

And here is what I took from the newly-released material.

The first point I noted is that, with the exception of a brief email from John McDermott on the morning of the MPS release, in which he wrote to me “Thank you for letting me know”, no one (management or Board) seems to have considered, at any point in the subsequent six weeks, expressing appreciation to me for coming forward and passing on the information that I had.  One doesn’t try to do the right thing in the hope of being thanked for it, but it is a telling omission nonetheless.

The second point is that I was pleasantly surprised to learn that the Bank seemed to take the information seriously from the start.  By 11:30am on 10 March, Deputy Governor Geoff Bascand had asked the senior manager responsible for risk and audit to undertake an inquiry, noting (page 2) “we cannot be sure it is a leak as opposed to speculation but need to enquire into it with diligence and urgency on the assumption it is”.

That was fine, and he even noted that “in the first instance, he [Michael] is the messenger”.   But in the same email Bascand had already moved on to treating the information I had passed on as an “allegation”, and two of the three questions he expects answers to are about my conduct.

Somewhat surprisingly, in a world in which a “no surprises” policy is generally supposed to prevail between government agencies and the Minister’s office, it appears (page 4) that the Bank only decided to tell the Minister of Finance’s office about the possibility of a leak after I had made a brief mention of the information I received on my blog on the afternoon of the release (having advised the Bank some hours earlier that I was likely to mention it).  That looks like poor political management, but also tends to confirm the unease I felt at the time, that the issue might be hushed up if at all possible.

Geoff Bascand’s biases become increasingly apparent in one of the unguarded emails that requests like this throw up.  After they advised Bank staff of the situation late on 10 March, the head of HR emails Bascand with a brief expression of sympathy.  Bascand’s response is nothing at all about the possible vulnerability in the Bank’s own systems (he being the senior manager responsible for the Communications functions), the possibility of an actual leak, or anything of the sort, but is all about the messenger.

By this time, and perhaps reflecting his biases, it is becoming clear that Bascand has trouble with the meaning of the word “allegation”.  I have commented on this previously, but it is more stark in the light of the information in this release.  In his message to all Bank staff (page 5) late on the afternoon of 10 March the heading is “Allegation of leak information”, and in a five line email the word “allegation” is used twice.  Nowhere, by contrast, does he note something like “we have received information suggesting that information may have been leaked”.      To repeat, allegations are claims are that are made, something that (at least according to my Oxford dictionary) involves “to assert without proof”.

To repeat, at no time between 10 March and 14 April (the release of the short-form inquiry report) did I make any “allegations”.  All I did –  and the emails are in this batch, on page 1 –  was to pass on hard information that I had (an email) while stressing repeatedly that I had no idea whether it was the fruit of a leak, or something else.  At the time, as I’ve said before, I struggled to believe a leak was possible.

It took a while for the leak inquiry to get going.  I’ve covered previously the Bank’s approach to me to assist the inquiry –  an approach which was extremely professional and which carefully referred only to the “possibility of a leak”.  I talked to the Deloitte investigators a few days later.  I gave them a copy of the text of the email I had received, and we had an amicable conversation in which, inter alia, they indicated that the Bank was very grateful to me for having come forward.  At the time I took that at face value, and commented openly on my support for the process the Bank had put in place.  It is worth noting –  because it comes up later –  that the Deloitte investigators did not ask me who sent the email to me, and indicated that they would not expect that I would tell them.  I wrote a post following that meeting with the investigators, mentioning briefly the discussion we had had, but focusing mostly on structural changes that I thought were warranted (abandonment of lock-ups etc) regardless of whether or not there had been a leak on this occasion.

That post seemed to spark some media interest.  The documents contain an email to Mike Hannah (RB Head of Communications) from Hamish Rutherford of Fairfax (someone else who appears to have had trouble with the meaning of the word “allegations”) and over the next couple of days there was a flurry of media coverage, here and abroad, and some clarificatory posts from me (partly annoyed at the continued public use of the term “allegations” by media and Bank representatives).  That in turn sparked various emails among senior managers at the Bank.

Mike Hannah is the first (page 13).  Interestingly, he claims that he would have picked up and responded quickly to any email I had sent before 9am on 10 March.  If so, that is good to know now, although it wasn’t the impression I was under at the time.  But he also notes that the Bank would not necessarily have done anything differently: “we’d have watched the markets very carefully , and might have had to consider going early if we saw action”.  But as everyone recognises, there was nothing visible happening in markets.

Hannah also responds to my point that one reason I hadn’t contacted the Bank in the brief window before 9am was my unease about the Bank’s reaction if in fact it had not been cutting that morning.  He considers it a “flimsy” story, but in fact the tone of the senior management comments –  from him, Bascand and Wheeler – throughout these documents only confirms that was an entirely reasonable fear on my part.  One thing that is striking in these documents is the apparent total inability of such senior people to imagine themselves in someone else’s position with someone else’s (lack of) information. They knew there was a cut coming. I didn’t.

The Governor responded to Hannah (at 1:48 am –  perhaps he was travelling).  From the tone of his email he seems to regard the whole exercise as a “quest for publicity” by me, adding that “my sense is that he is digging himself into a hole” – I’m still not sure, from context, how.    He seems aggrieved (on which more later) that a former employee of the Bank would blog about the enquiry.  It is really quite a weird reaction: one might hope that the Governor would have been most concerned about getting to the bottom of the substantive issue, and would expect considerable public scrutiny at even the possibility that an OCR decision had been leaked.  Recall that by this point –  objections to the misuse of “allegations” apart –  I had been supportive –  in public and in private –  of the whole inquiry process the Bank had put in place.

The Governor forwarded that email to the chair of the Bank’s Board, Rod Carr.  Instead of keeping an appropriate distance from management, Carr weighs in suggesting that perhaps I was now feeling guilty, that my actions were not a “sign of good citizenship”, and that somehow advising them a few minutes earlier  –  see Hannah’s comments above –  might have protected “NZ’s reputation”.    To his credit, Carr does flag the possible need to abolish lock-ups.

A few days later, Mike Hannah reports to the Governor on his approaches to the attendees at the media lock-up.  Hannah remains reluctant to believe that any media person/body can be responsible –  even though I had told him by inference (on the first day) and told the Deloitte team directly a week earlier that the email I received had come from a person in a media organisation.    More generally, at this point, Hannah still seems reluctant to believe that there had been a leak at all –  perhaps understandably given that he ran the lock-ups –  noting of his conversations with journalists “it may all be humour, bluff, etc, but it may also reflect scepticism about Reddell’s credibility”.    Given Hannah’s reluctance to accept the possibilities, the Bank’s in-house counsel (one of the few to emerge creditably from these documents) had to go back to Deloitte (page 16/17) to confirm that I had in fact said the email came from a person in a media organisation.

The Deloitte report indicated that, finally, on 5 April, MediaWorks owned up to the fact that there had been a leak, and that their staff had been responsible.  Perhaps unsurprisingly, there is no email in the system from senior RB managers saying “gee, Michael’s information turned out to be about something real; just as well as he came forward”.

Instead, the documents skip forward to Sunday 10 April.  By then, the Bank had the draft Deloitte report and was providing comments on it, and drafting press releases.

Geoff Bascand had sent out an email expressing surprise that no (MediaWorks) names were named in the Deloitte report –  in particularly that the report did not name the person who had sent the email to me.  Hannah responds identifying his suppositions about who it was, and he indicated that his draft press releases included the name of the person he suspected.  He also noted that he  had “not yet included Reddell’s name” –  the operative word apparently being “yet”.  Reflecting the Bank’s cast of mind, he noted that this was “not to save him” but simply because he still wanted more information.  The next morning, Hannah emails senior colleagues indicating that the draft press release had been done by him and the Governor jointly.  He urges that the Bank needs to get Deloitte to ask MediaWorks for the name of the person who emailed me (even if just to confirm that they would not provide the information).

In response, Nick McBride points out that he would not expect MediaWorks would provide anything more, and urged that the Bank should avoid focusing on individuals, stressing “it is MediaWorks that is responsible”. He goes on to note that “there is also a strong basis for speculating that a journalist emailing from the lock-up was normal behaviour, for Mediaworks at least”.   Interesting, he notes that MediaWorks will be particularly reluctant “if it senses the Bank’s ‘no mercy’ approach and the lack of credit it is likely to get for its admission”.    Given that there were no sanctions imposed on MediaWorks in the 14 April announcement, and the statement went out of its way to praise the cooperation of MediaWorks, something must have changed between then and 14 April.

That same day  – Monday 11 April –  also saw an odd email exchange between the Bank and Deloitte.  The Bank asks for copies of all emails from MediaWorks, and in response is told that “the only other email correspondence that we had with MediaWorks was the email exchange about Mr Reddell’s phone number –  now attached for your reference” [although for some reason not included in the material the Bank released].  My phone number isn’t exactly a secret –  it is in the White Pages.  But that same exchange also confirms that what the Bank released on 14 April is not, despite the impression given in the Bank’s statement, the full Deloitte report at all.  Instead, it appears to be a “short form” “public version”.  Someone should probably request the full report.

The Governor himself was engaged in providing comments on the draft report.  His attitude is evident in the following exchange.  A manager in the audit area of the Bank advises senior management that he has asked that Deloitte delete the word “all” from a description of how I had “cooperated with all our inquiries”, since I had declined to name my source (despite never being asked to, either by the Bank or Deloitte).  Not content with that excision (which wouldn’t have bothered me) the Governor insists that they must delete “Mr Reddell cooperated with our enquiries”, noting “as he didn’t disclose everything that was necessary this therefore gives a misleading impression”.  The fact that the inquiry would never have occurred at all without my original initiative clearly escaped him.

The remaining emails relate to the period after the release of the (public version) of the inquiry report on 14 April.  There is the gratuitously nasty one from someone outside the Bank (page 25) but my interest is mostly in the stance of the Bank’s senior management and Board.

According to Mike Hannah, in an email to the Governor and Board chair, by now I am “obviously smarting from a well-aimed and deserved reprimand”, and am “irresponsible again” for suggesting that the lock-ups had had lax security.  Reading that did prompt me to wonder which senior manager oversaw the procedures for and administration of the lock-ups which had just been revealed to have been breached.

And then the ante starts getting raised further.  According to Geoff Bascand,

“nothing will satisfy Michael. He is a deeply aggrieved person.  Everything will be interpreted through his victim filter”.

I’m not sure where Bascand gets any of this from.  And a simple apology from the Governor for publically tarring me as “irresponsible” would satisfy me.  Bascand continues to seem to think I somehow regret leaving the Reserve Bank, when I had been quite clear for several years prior to doing so that I was keen to get out, and do as my mother had done for me, and be around for my growing children.    That had only become financially feasible by late 2014, and by then the (personally) optimal thing was to stick around long enough to collect a looming redundancy cheque, which is currently helping pay for house alterations.  As I said to John McDermott at the time, my only concern had been that the Bank might change its mind.

The Governor also weighs in (page 27) and we get here the fullest explanation of his view of my irresponsibility

I firmly believe Michaels behaviour was irresponsible in failing to inform the Bank immediately, in not informing Deloitte as to who contacted him and blogging continuously on the matter even when the investigation was underway. I believe the reasons he trotted out for his actions to Deloittes were extremely weak to say the least.

 

I also find all this rich from someone who worked in the Bank for a long time and I believe should have used much better judgement- also Michael has repeated denigrated the work of colleagues that he worked alongside for many years and I believe also he has been reckless in his criticism . I believe many of the points he makes are misplaced and can readily be countered by a competent economist.

Some of this was familiar ground (see his brief letter below), but much was not.  The suggestion that I  –  or presumably others  –  should not have written about the matter while his investigation was underway almost beggars belief.  His internal inquiry about a possible failure of internal process is not exactly on a par with a matter that might be sub judice because it is being dealt with in a court of law. This is a (potential and actual) systems breach in high profile powerful public agency.

Unfortunately, the Governor seems to have allowed his judgement on the specifics of the (possible) leak issue to have become clouded by his irritation at the scrutiny and challenges that I have posed to the Bank, and him in particular, over the previous year or so.   And the substance of his point seems wrong  – I have tried to be very careful, when being critical, to focus responsibility on the Governor (as the law does) and his senior managers, and not on the many able staff who work in the organisation.  I’m quite relaxed about the idea that the Governor will often disagree with my points of view   –  that is hardly surprising, and not really that different than it was when I was inside the organisation –  and, yes, reasonable people (including some other “competent economists”) will differ on many of these issues.  But none of that is, or should be, germane to the specific issue of the leak that (a) occurred on his watch, and (b) would not have come to light without my help.

Since I was interested in lowering the temperature on the personal aspects of this, I approached a friend of mine who is on the Board seeking some sense from him as to why the Governor’s stance towards me on this issue was reasonable.  Perhaps he was in an awkward position, but I was largely fobbed off with a “circle the wagons in defence of the Governor” attitude.  And so I wrote to the Governor, copied to the Board.

That letter is here.

Letter to Graeme Wheeler OCR leak press release

The Governor’s very brief response is here.

Graeme Wheeler Ltr to M Reddell April 2016

The final email in the set of documents that the Bank released is an email from the Governor to his senior colleagues and the Board chair, forwarding them a copy of the letter, with the terse observation “I find this letter quite extraordinary”.

Some readers will get to the end of all this and perhaps still think the issue at stake is that I should have got in touch with the Bank a little earlier than I did on 10 March.  A few commenters on earlier posts have argued that.

Contrary to the sense that pervades many of these emails among Reserve Bank senior managers and Board members, I owed the Reserve Bank nothing.   But I do feel some sense of residual loyalty to the organisation and so I did what I reasonably could, in a way that directly helped them uncover a serious leak (and subsequently amend their own procedures).    If anyone reading these emails thinks that, in my shoes, they’d have rushed to tell the Bank earlier, at risk of being scoffed at and ridiculed had the Bank not in fact been cutting that morning, well all I can say is that they have a thicker skin than I do.  Bascand and Wheeler would no doubt have been poised with some barbed turn of phrase about “there goes Michael again”, ready to tell others the story the next time I ran a post they disliked.

At one level, the attitudes in these emails don’t surprise me greatly –  although perhaps I’m a little  surprised that despite the OIA and the Privacy Act they wrote these things down.  And I’m a little relieved that none of them are from my own two previous bosses.  I don’t think they reflect well on the Bank, or its Board, but that is also something for others to judge.

Wheeler and Hannah on the OCR leak

I will offer some thoughts on the FSR itself tomorrow, but I had few quick reactions to the comments made at the press conference this morning about the MediaWorks OCR leak and related issues.

I had heard that the Reserve Bank had been considering backtracking on the discontinuation of lock-ups, and had in fact been consulting selected journalists on the conditions on which media lock-ups might be reinstated.  That was confirmed by the Governor this morning.

Frankly, they seem all over the place.  Less than a month ago, they announced the discontinuation of lock-ups.  I thought that was the right decision at the time (and had called for it earlier).  Presumably the Bank  had carefully considered the various options open to it then, and decided on balance that (a) consultation with affected parties was not required, and (b) that it was not appropriate to continue with lock-ups.  One wonders what has changed, apart perhaps from some aggrieved coverage from some members of the media.  As the Governor pointed out, lock-ups are very unusual internationally.  There might have been a case for them 20 or 30 years ago, when citizens and investors couldn’t just download the documents themselves, and were quite reliant on the media for initial reporting and interpretation.  That is no longer so, and the security risks are higher than they were (as the Governor rightly noted, they can’t simply go on relying on trust).  I would urge the Reserve Bank not to reverse itself again, but if they do reinstate lock-ups for a select few media representatives –  whether relying on pen and paper, or totally physically secure environments –  the costs of those privileged arrangements should be borne by the media organisations concerned.

The Governor was also asked why the exclusion of MediaWorks from Bank press conferences had been announced only last week, and not when the inquiry results were released on 14 April (a question I also raised last week).  The Bank simply avoided answering that question.  Simply telling us that this was the first press conference since 14 April told us nothing.  If there were penalties to be imposed on MediaWorks (and exclusion seems sensible) why not announce them when the inquiry report was released –  rather than use that opportunity to praise the helpfulness of MediaWorks legal team?.  What has changed?

Mike Hannah also confirmed that the Bank has no information on whether there had been previous breaches of security, whether by MediaWorks or other lock-up participants.  He stated not only that the Bank was not aware, but that it had not asked.  That seems simply extraordinary, at least as regards MediaWorks.  When MediaWorks approached the Bank and Deloitte on 5 April, surely a very early question –  from either party –  should have been “and has this happened before?” (along with “and who in the organization knew about it?”).  It is a shame media did not pursue the matter further, but we are left with the suspicion that the Reserve Bank really did not want to know too much about what had  gone on, and wanted the whole issue put behind it quickly.    That should not be the standard to which powerful autonomous public agencies operate.

A belated price for the OCR leak

More than three weeks after the Reserve Bank released the results of its OCR leak inquiry comes news that the Bank has finally taken some specific action against MediaWorks, the media group responsible for the leak.  We learn today –  although not via a open release from the Bank –  that representatives

“from Mediaworks news outlets are excluded from Reserve Bank media conferences until further notice”

In the Reserve Bank’s release on 14 April there was no hint of any specific sanctions for MediaWorks.  Instead, taking the opportunity to tar junior staff (and me), the Governor lauded MediaWorks management, noting that:

Deloitte was assisted in its investigation by Mediaworks’ legal team, who undertook an internal investigation, uncovered emails that confirmed the leak, and reported these to Deloitte.

The leak prompted the Reserve Bank (quite appropriately) to discontinue lock-ups for media and market analysts, but to the extent that was a penalty it was one imposed on all those who had previously participated (and was, perhaps, a greater burden on some of the more specialist entities).

Unfortunately for the Reserve Bank, it quickly became clear, upon reading the Deloitte report, that MediaWorks management must in fact not have been terribly helpful, at least until very late in the piece.

It is possible that MediaWorks senior management, including the former chief executive Mark Weldon, was not aware there was even an issue until 21 March.  The leak had occurred on 10 March, and although I drew attention to it that day (both directly to the Bank and, later, on a post here), it only got attention and coverage in the mainstream media on 21 March.    But at that point it got considerable coverage, and there is no way the senior management of a major media organization, with their own corporate Group Head of Communications, could not have been aware there had been a leak.  At that point, it would presumably have taken no more than an hour to have had the internal IT people check the emails of the MediaWorks staff in the lockup (even if they had no knowledge or suspicion of their own organization’s involvement, just to be on the safe side). That would have confirmed that MediaWorks was the organization responsible.

At that point, as the Deloitte team was (by their own account) only just turning their attention to media outlets as the possible source of the (then) possible leak, MediaWorks could have come forward and alerted the Reserve Bank to their responsibility.   That would have looked like full and early cooperation.  Even better, they could have pro-actively told the Bank, and Deloitte, how long this practice, of journalists emailing draft stories back to the office from the lock-up, had been going on.  There is no suggestion in the Deloitte report that what happened was just an accident (someone hit the wrong key on their laptop).

In fact, the Deloitte report makes it clear that MediaWorks did not approach either them or the Reserve Bank until 5 April, more than two weeks later, and then only when the Deloitte team sought meetings with each media person who had been in the lock-up.  At that point, presumably, the staff concerned and their managers left senior management with little option.

It isn’t really that clear why the Reserve Bank gave so much cover to MediaWorks in their 14 April statement.  A simple statement that MediaWorks had not approached the Reserve Bank until more than three weeks after the leak had occurred would have been considerably more appropriate than the positive statement on the role of the MediaWorks legal team. They were, no doubt, working largely to protect the interests of their own organization –  an organization which has been notably unforthcoming in answering questions about just really went on, who had sanctioned these breaches of the lock-up rules etc.

I suspect the answer to my question has something to do with the Reserve Bank’s desire to play down the whole episode.  Their systems were shown to have been very weak, and totally reliant on trust. It took no sophisticated signaling techniques for this leak to occur –  just clicking Send on an email.    Systems that might have reasonably robust 20 years ago –  when lock-ups were more useful, because ordinary readers couldn’t simply download the MPS at 9am and read for themselves what the Bank had to say –  simply hadn’t kept up.  The Bank has accepted no responsibility for that, or released any internal reviews it has undertaken as to how such vulnerabilities were allowed to arise.

But the inquiry also raised some questions about just how seriously the Reserve Bank itself had taken the issue in the first place.  Had they really taken seriously the possibility of a leak they could have taken action on 10 March.  I had suggested to them that morning that they focus on media outlets.  It wouldn’t have taken much effort for the Bank – Governor and Deputy Governors – to have rung the heads of each media organization in the lock-up  (I’m not sure how many that would be, but I’m assuming no more than 20) and asked them to (a) check emails of all of their staff who had been in the lock-up, and (b) arrange for signed statements to be prepared by all those in the lock-up swearing that they had not been responsible.  Had there in fact not been a leak (and the Reserve Bank couldn’t be sure then) it wouldn’t have cost much.  As it was, it surely would have identified the culprits within hours.    Instead, we learn that the Deloitte inquiry did not focus on media until after they met me on 18 March –  more than a week later –  and as late as 21 March the Bank was on record as talking only of “allegations” of a leak.

To be frank, given the Bank’s general attitude to me, and their unease about the issues I have been raising, and the questions I’ve been posing, I can understand why they might have been a little wary.  But the fact remains that, for all the Governor’s huffing and puffing about whether I told them what I knew at 8:30 or 9:08, they don’t seem to have done much with the information for several days at least.  And when they finally did discover the truth they appear to have been at pains to help protect MediaWorks’ corporate image.   There are still unanswered questions about whether MediaWorks was shown the draft Deloittle report, and whether it was given the chance to comment on the Reserve Bank’s press release in draft.

But this all brings us back to the question as to what has changed now (other than the CEO of MediaWorks).  Banning MediaWorks from Reserve Bank media conferences for a time seems like a reasonable sanction, but why wasn’t it done three weeks ago?  Since the Governor never acknowledges mistakes, and rarely makes himself available for interviews, perhaps we’ll never know. Then again, perhaps someone will ask at the FSR press conference next week.  They might also ask what “until further notice” means.  What are the conditions that MediaWorks has to meet?  Such an indefinite suspension seems unwise, and could give rise to speculation that the suspension might be lifted if MediaWorks outlets were seen to be covering the Bank in a not-unfavourable light.  Better, probably, to have banned them for three or six months, and then put the matter behind them.  And if the conditions for lifting the suspension don’t relate to the tone of the coverage of the Reserve Bank, do they relate to getting fuller and more complete answers from the new management about just what had been going on?  That might not be an unreasonable stance to have taken, but the Bank should be upfront about it.  As it is, we were left with the impression on 14 April that the matter was over as far as the Bank was concerned.

There is still a series of questions outstanding for both the Reserve Bank and MediaWorks.  Those for the Reserve Bank concern me most, because the Bank is a powerful public sector organization, which really should be much more upfront with the public when things go wrong (as inevitably occasionally they will).  I hope that some light will be shed on some of those questions when a series of Official Information Act and Privacy Act requests I have lodged with the Bank (and its Board) are answered.  Those answers are due in a couple of weeks, and I suspect that the Reserve Bank will delay responding just as long as it possibly can.

UPDATE: The question of why the Reserve Bank provided such cover to MediaWorks is deepened if this piece by John Drinnan is accurate.

The report talks about workers, but I understand senior news staff received the leak. I spoke to a Bank spokesman at the time the Bank stopped lockups, and it was unhappy about the way it was dealt with.

If the Bank was really unhappy, why imply otherwise, commending the assistance of MediaWorks?

 

The Treasury on lock-ups

I just received from The Treasury the response to my OIA request about Budget (and similar) lock-ups.  Not quite as fast a response as that from Statistics New Zealand, which I commented on last week, but well within the 20 working days, and thus most welcome.

No doubt they will put the response on their website in due course, but here is the document.

Treasury OIA response on lock-ups

As I’ve noted from the start, I’m less bothered about pre-release lock-ups for Budgets than for OCR announcements or the release of key macroeconomic data.  Most of the time, most of what is in the Budget is not that market-sensitive –  and what is headline-grabbing has often been well-foreshadowed by Ministers and their staff.  And Budgets often have a large range of complex material, straddling numerous portfolios areas.  When new initiatives are announced often the details can be tricky, and important. But I don’t think Treasury can be complacent about these lock-ups –  there is sometimes material there that is market-sensitive.  Advance news about the bond programme would, at times, be very valuable.  There is a difficult balancing act, since Budgets are a mix of political management and  other, perhaps market sensitive, material.

Like the Reserve Bank in the past, and SNZ still, the Treasury seems to rely mostly on trust for the security of the lock-ups.   Attendees are not even required to surrender phones or mobile devices, just required not to transmit with them.  Apparently “compliance is monitored throughout”, but presumably by wandering around. I imagine the Reserve Bank staff did that in their lock-ups.

I had asked about any reviews undertaken in light of the Reserve Bank’s experience.  As is already known, after “discussions” the Secretary to the Treasury has decided to go ahead with this year’s lock-up.  There is no suggestion that those discussions included any effort to identify whether leaks had occurred in the past, along the lines of what happened at the Reserve Bank.  The Deloitte report gave no suggestion that the MediaWorks breach was accidental, and there are even suggestions afoot that the journalist involved may have been under management instructions to send draft stories from the lock-up (see John Drinnan’s comment at the end of this post).   If a story was deliberately sent from the OCR lock-ups, might the same practice have occurred, with the same people, at previous Budget/HYEFU lock-ups?  I don’t know, but then neither –  it would appear – does The Treasury.

Treasury is probably quite safe this year, since everyone (no doubt including MediaWorks) will be hyper-sensitive to the Reserve Bank experience.   But weak systems create a high risk that there will eventually be breaches.