Prudential practice guide

CPG 231 Outsourcing

  • Cross-industry
  • Current: 1 October 2006

Prudential framework pillars
  • Risk Management
  • Operational Risk
  • Supporting

About this guide

Prudential Standard APS 231 Outsourcing, Prudential Standard GPS 231 Outsourcing and Prudential Standard LPS 231 Outsourcing (Prudential Standards) set out the Australian Prudential Regulation Authority’s (APRA's) requirements in relation to outsourcing. This prudential practice guide aims to assist regulated institutions in complying with those requirements and, more generally, to outline prudent practices in relation to managing outsourcing arrangements. For the purposes of this guide, ‘regulated institution’ refers to an authorised deposit-taking institution (ADI) or a general insurer or a life company (including a friendly society) regulated by APRA.
Subject to the requirements of the Prudential Standards, regulated institutions have the flexibility to manage their outsourcing arrangements in the way most suited to achieving their business objectives.
Not all the practices outlined in this prudential practice guide will be relevant for every regulated institution and some aspects may vary depending upon the size, complexity and risk profile of the institution.

Disclaimer and copyright
This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.
APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.
This prudential practice guide is copyright. You may use and reproduce this material in an unaltered form only for your personal non-commercial use or non-commercial use within your organisation. Apart from any use permitted under the Copyright Act 1968, all other rights are reserved. Requests for other types of use should be directed to APRA.

Outsourcing

Outsourcing is part of the operations of many financial institutions. To ensure the effective operation of such arrangements, there are various factors that APRA-regulated institutions could generally consider so that outsourcing does not give rise to risks to the beneficiaries of the financial institution.
While the Prudential Standards only apply to arrangements to outsource material business activities, the practices outlined in this guide are matters that regulated institutions could find beneficial when considering any outsourcing arrangement, material or otherwise.
[1] As defined in the Prudential Standards.

Materiality

A material business activity, for the purposes of the Prudential Standards, can typically include investment management functions, professional services (such as accounting and actuarial), a significant part of a regulated institution’s information technology functions supporting its core businesses, business continuity management (BCM) arrangements and business recovery facilities, loan processing, claims processing, marketing and research, custodial or administration arrangements, treasury or dealing operations (for authorised deposit-taking institutions (ADIs)), payment processing (for ADIs) and arrangements with agents, brokers and reinsurance brokers (for general insurers).
APRA does not envisage that a material business activity would ordinarily include contractor relationships — that is, relationships where there are numerous service providers in the marketplace, the agreement is short-term (i.e. less than 12 months) and the cost of switching between providers is low and switching is relatively easy. Examples of contractor relationships include utility services (e.g. mail and telephone services), legal services, advertising, recruitment and other personnel functions, printing services, travel and transportation services, repair and maintenance of fixed assets, purchase of goods, background investigation and information services, specialised training and software licensing arrangements.
Further, APRA does not expect that secondments would normally fall within the definition of outsourcing. In this context, a secondment is an arrangement whereby the regulated institution maintains effective management control of a third-party resource which is normally physically located within the regulated institution. Typically, a secondment involves one company within a corporate group employing all personnel of the group and seconding these personnel to other entities within the group. Where there is doubt as to whether an arrangement is outsourcing or a secondment, APRA envisages that the regulated institution would treat the activity as if it were outsourcing for the purposes of complying with the Prudential Standards.
In APRA’s view, the use of third-party approved actuaries (by general insurers) and third-party appointed actuaries (by life insurers) will not generally constitute a material business activity and as such does not fall within the definition of outsourcing for the purposes of the Prudential Standards. However, APRA would expect that proposals for such arrangements would be adequately assessed, and the arrangements adequately documented.

Factors to consider when entering into outsourcing arrangements

When a regulated institution decides to enter into an outsourcing agreement, there are a number of factors that may be appropriate for the Board to consider in addition to those outlined in the Prudential Standards.
The Prudential Standards require service level and performance requirements to be set out in the outsourcing agreement. This would normally include the content, frequency and format of the service being provided. The agreement would typically also state timelines for receipt and delivery of work and specify priorities. In addition, the agreement would normally contain performance benchmarks, including default benchmarks which, if not met, could result in penalties being applied or, in extreme cases, termination of the agreement. Typically, the agreed service levels would be specified in the service level agreements.
The Prudential Standards require a regulated institution to address any subcontracting or outsourcing agreement with a service provider. The agreement would typically include specific rules, or limitations to, such arrangements (for example, notification to the regulated institution prior to entering into a subcontracting arrangement).
Whilst not required by the Prudential Standards, APRA envisages that the same standards which apply to the service provider in respect of security and confidentiality of information, offshoring, compliance with relevant legislation and regulations, and APRA’s access to information, would equally apply to any subcontractors or outsourcing arrangements entered into by the primary service provider.
The outsourcing agreement would typically be sufficiently flexible to accommodate changes to existing processes and to accommodate new processes in the future to meet changing circumstances.
APRA envisages that the agreement would clearly set out the procedures in place to enable the regulated institution to effectively monitor the performance of the service provider. This would typically include the extent to which the regulated institution’s internal or external auditors can obtain sufficient information (including through on-site inspections or the appointment of an external party) to satisfy themselves as to the adequacy of the service provider’s risk management systems. Also, consideration would usually be given to including provisions allowing an annual review of the service provider’s internal control systems by an independent expert.
In addition, as the Prudential Standards require that BCM arrangements be included in the agreement, APRA envisages that the agreement would detail how these arrangements would ensure that acceptable service levels are maintained in the event of problems occurring with the service provider. This requirement would, under the agreement, also apply to any subcontracting or outsourcing by the service provider.
With respect to default arrangements, the agreement would typically clearly specify what constitutes a default event, identify how it is to be rectified and specify any indemnity provisions.
The Prudential Standards require that termination provisions be addressed in the agreement. As a guide, an agreement could set out possible reasons for termination and procedures to be followed in the event of termination, including notice periods, the rights and responsibilities of the respective parties and transition arrangements. Transition arrangements would normally address access to, and ownership of, documents, records, software and hardware. Termination clauses would typically also specify the time period over which the business activity would continue to be undertaken by the service provider, and its role in transitional arrangements if the activity is brought back in-house within the regulated institution or outsourced to another service provider.
APRA envisages that the agreement would set out explicit pricing arrangements, covering issues such as frequency of payment, invoicing and payment procedures.
The Prudential Standards require that dispute resolution mechanisms be addressed in the agreement. These mechanisms, including conciliation and arbitration arrangements, would normally enable the continued operation of the outsourced activity while specific issues are being dealt with.
As required by the Prudential Standards, the agreement must address liability and indemnity issues. It would typically specify the extent of liability for each party and, in particular, whether liability for negligence is limited. It would also specify any indemnities and provide details of any insurance arrangements. Also, consideration would usually be given to the extent of liability to both the regulated institution and service provider in relation to subcontracting arrangements.
Unless APRA has required a written, legally binding arrangement, an outsourcing arrangement between a regulated institution and its related body corporate may be in the form of a service level agreement.
[2] As defined in the Prudential Standards.
The regulated institution could consider obtaining legal advice in assessing the agreement. This could include undertaking legal due diligence prior to the execution of the agreement to ensure that there are no legal impediments to APRA’s access to information and/or relevant persons employed by the regulated institution or service provider for the purposes of prudential supervision of the regulated institution’s activities.
When assessing options for outsourcing material business activities, it is good practice to establish an outsourcing team consisting of individuals from the relevant business area(s) and others with the necessary skills to assess the risks involved in outsourcing. They may include specialists in the relevant risk areas and external experts. This team would ensure that the outsourcing policy is followed at all times, including assessment of the initial tender and due diligence processes, evaluation of the outsourcing options, and making recommendations to senior management and the Board on the outsourcing proposal.

Offshoring

The Prudential Standards require regulated institutions to consult with APRA prior to entering into offshoring agreements. This prior consultation is intended to provide an opportunity for APRA to review the institution’s assessment of offshoring risks, and the processes and controls introduced to mitigate them. This will allow APRA to provide feedback to regulated institutions, but APRA does not intend to approve individual offshoring arrangements.
For the purposes of the Prudential Standards, offshoring does not include the situation where an Australian entity has an overseas branch and that branch outsources within the host country or another country.
An ‘offshoring’ arrangement can give rise to a number of particular risks, including:
  • country risk — the risk that overseas economic, political and/or social events will have an impact upon the ability of an overseas service provider to continue to provide an outsourced service to the regulated institution;
  • compliance (legal) risk — the risk that offshoring arrangements will have an impact upon the regulated institution’s ability to comply with relevant Australian and foreign laws and regulations (including accounting practices);
  • contractual risk — the risk that the regulated institution’s ability to enforce the offshoring agreement may be limited or completely negated;
  • access risk — the risk that the ability of the regulated institution to obtain information and to retain records is partly or completely hindered. This risk also refers to the potential difficulties or inability of APRA to gain access to the service provider and the material business activity being conducted for prudential review purposes; and
  • counterparty risk — the risk arising from the obligor’s failure to meet the terms of any agreement with the regulated institution or to otherwise perform as agreed.
Typically, these and other risks would be specifically addressed during the preparation of a business case, when conducting due diligence and during contract negotiations. These risks would also be considered when conducting the ongoing monitoring and control of that material business activity. Specific risk management expertise may be required when assessing, monitoring and controlling material business activities outsourced to service providers conducting the activities outside Australia.
An offshoring agreement would typically include the following additional provisions:
  • choice of law — typically, the agreement would specify the particular jurisdiction under which contractual disputes will be resolved. The due diligence process may include an examination of the relevant foreign legislation and regulations by a suitably qualified expert to ensure that contractual provisions are recognised by the foreign jurisdiction and are able to be enforced in the chosen jurisdiction;
  • security and confidentiality of information — as a guide, contractual provisions in relation to data would be of the same standard as those required of a domestic service provider and in accordance with requirements under Australian legislation and regulations. The agreement would normally also ensure that all information forwarded to the service provider by the regulated institution (as well as any information forwarded by the service provider to third parties in the course of providing that service, such as to a back-up disaster recovery provider) remains the property of the regulated institution.

Management and control of the outsourcing relationship

The Prudential Standards require a regulated institution to devote sufficient resources to managing and monitoring an outsourcing relationship.
APRA envisages that the monitoring framework of a regulated institution would reflect the size and nature of the arrangements. Importantly, the regulated institution could consider specifically assigning accountability for managing the outsourcing arrangement to an individual or team/committee. This would help to ensure a continued focus on the outsourcing arrangement.
To support the audit function, the regulated institution would typically arrange for access to those records held by the service provider which are necessary for audit trail purposes.
To address the specific risks associated with offshoring arrangements, APRA would expect a regulated institution to maintain copies of important documents related to the arrangement, written in English and held at the regulated institution’s Australian office. Such documents would typically include:
  • a copy of the contractual agreement;
  • a copy of the due diligence assessment;
  • a copy of the service provider’s BCM documentation and details of the latest testing of BCM processes undertaken; and
  • copies of financial statements, reports and any other information the regulated institution considers critical to the ongoing monitoring and control of the outsourcing arrangement with the service provider.
In addition, the regulated institution could consider ongoing monitoring of the economic, social and political conditions within the host country to assess the ability of the service provider to continue to adequately perform the contracted service.