Give info under embargo? Then make the rules ultra tight

The main lesson one could take away from the now-confirmed leak of the Reserve Bank of New Zealand's rate cut decision is that any embargo rules must be kept ultra tight and be reviewed regularly along with advances in technology.

Reading the report on the results of an independent investigation made me sad. The report, quite surprisingly, reveals severe weaknesses in the RBNZ's arrangements for the handling of sensitive and potentially market-moving information. No wonder that the RBNZ was left with no option but to discontinue embargoed lock-ups ahead of major announcements.

Summary of the main findings:

How was the investigation carried out?

... we initially took a broad investigation approach and considered that the alleged leak could have come from any number of sources: RBNZ personnel, the media lockup, the external analysts lockup or other third parties such as the Minister of Finance’s office or anyone else that might have overheard any conversations.

The Finance Minister asked

There has been a long established protocol that the Minister of Finance is informed of the decision by the Governor of RBNZ on the morning of the release. We spoke with the Minister of Finance on 24 March 2016 to ascertain where he was when the Governor phoned him on 10 March 2016. We were satisfied from this conversation that the Minister of Finance was, at the time of the call, in a private area and that it was very unlikely that the OCR decision was overhead by any third party. Therefore, we did not progress this further.

How did the word get out?

This one was classic: One of the journalists in the lockup emailed a draft story to their newsroom, and a colleague who overheard the newsroom conversation about the story subject emailed the news to blogger Michael Reddell who later alerted the RBNZ.

The journalist in the lockup emailed a draft story (without RBNZ approval) from within the lockup room to their Mediaworks colleagues shortly before 8am on 10 March 2016 using a data card and a laptop computer.

The email was sent to Mr Reddell by another Mediaworks’ employee who was not one of the original recipients of the journalist’s story sent from the lockup. Mediaworks established from the individual that they had allegedly overheard the discussion taking place between Mediaworks’ colleagues about the rate drop and then the employee sent the email to Mr Reddell at 8:04am.

Main takeaway

The RBNZ lockup arrangements were apparently so weak that the journalist was able to report the news to the office, something that should have been identified as a key risk and prevented at all costs, for instance by removing any means of online communications, such as mobile phones and data cards, from the journalists (until, say, 5-10 minutes ahead of the release time). It is quite likely that it had actually been an established practice for one or more journalists send their draft story from within the lockup to their editors.

As Reddell writes on his blog, the investigation unfortunately did not address - what apparently was very poor - lockup management:

It is unfortunate that the Deloitte report does not look into (and probably was not asked to) how it was the Reserve Bank’s systems for managing lock-ups for incredibly sensitive information were as insecure as they proved to be.

When systems are weak, sooner or later they will result in a breach, by accident or deliberately. It is also unfortunate that the Governor’s press release does not address this issue.

Nevertheless, the report's findings provide a resounding reminder for the Czech National Bank and the few other central banks that allow access to embargoed information: These potentially credibility-damaging leaks could easily occur unless the procedures are made, and importantly kept, ultra tight.