Prudential practice guide

SPG 231 Outsourcing

  • Superannuation
  • Current
    1 July 2013
Prudential framework pillars
Risk Management
Operational Risk
Supporting

About this guide

Prudential Practice Guides (PPGs) provide guidance on APRA’s view of sound practice in particular areas. PPGs frequently discuss legal requirements from legislation, regulations or APRA’s prudential standards, but do not themselves create enforceable requirements.
Prudential Standard SPS 231 Outsourcing (SPS 231) sets out APRA’s requirements in relation to outsourcing. This PPG aims to assist an RSE licensee in complying with those requirements and, more generally, to outline prudent practices in relation to managing outsourcing arrangements.
For the purposes of this guide, and consistent with the application of SPS 231, ‘RSE licensee’ and registrable superannuation entity (RSE) have the meaning given in the Superannuation Industry (Supervision) Act 1993 (SIS Act).
Subject to the requirements of SPS 231, an RSE licensee has the flexibility to manage its outsourcing arrangements in the way most suited to achieving its business objectives. Not all practices outlined in this PPG will be relevant for every RSE licensee and some aspects may vary depending upon the size, business mix and complexity of the RSE licensee’s business operations.
Disclaimer and copyright
This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.
APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.
© Australian Prudential Regulation Authority (APRA)
This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0).
This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit www.creativecommons.org/licenses/by/3.0/au/.

Outsourcing

Outsourcing is part of the operations of many RSE licensees. To ensure the effective operation of such arrangements, there are various factors that an RSE licensee could generally consider so that outsourcing does not give rise to risks to the beneficiaries of the RSEs within its business operations.
For the purposes of SPS 231, outsourcing refers to all arrangements with any other party to perform, on a continuing basis, a business activity that is a function or responsibility of an RSE licensee pursuant to its duties under the governing rules and where the business activity has been delegated to that other party. It includes business activities that the RSE licensee performs in its capacity as trustee and does not include business activities that the RSE licensee performs in its capacity as a corporate entity. Where a business activity has been outsourced, the risks and responsibility of the business activity continue to be borne by the RSE licensee.
While SPS 231 only applies to arrangements to outsource material business activities, the practices outlined in this guide are matters that an RSE licensee could find beneficial when considering any outsourcing arrangement, material or otherwise.
[1] As defined in SPS 231.

Materiality

A material business activity is defined in SPS 231. APRA considers that when identifying a material business activity an RSE licensee would consider those business activities where it relies on the performance of the business activity and the degree of difficulty that may arise in the event of the business activity being suddenly terminated. APRA envisages that, where there may be a level of uncertainty as to whether a business activity is material, the RSE licensee would treat the business activity as material. As a guide, a non-exhaustive list of material business activities for RSE licensees would typically include administration (including arrangements to ensure the processing of contributions, rollovers and transfers complies with the superannuation data and payment regulations and standards), custody arrangements, investment management functions under a formal agreement or mandate (including implemented asset consulting), the internal audit function (as outlined in SPS 231), business continuity planning arrangements, product design, marketing and arrangements with fund promoters, and may include arrangements with financial planners, particularly where the advice relates only to a member’s interest in the RSE.
[2] Refer to s. 10(1) of the SIS Act for definitions of Superannuation data and payment standards.
It is APRA’s view that the investment of RSE assets into a unit trust, a pooled superannuation trust (PST), a managed investment scheme, a policy of life insurance or a similar arrangement would not typically be considered to be outsourcing for the purposes of SPS 231. This is because the RSE licensee is responsible for the selection and implementation of the investment arrangements, i.e. by deciding which vehicles to invest in, while the manager of the selected investment vehicle is responsible for the day-to-day operation of the investment vehicle. However, while such investment arrangements may not be considered to be outsourcing, APRA expects that an RSE licensee will have a sound understanding of any risks arising from the arrangement and that these risks will be thoroughly considered and managed within the RSE licensee’s risk management framework.
APRA does not envisage that a material business activity would ordinarily include contractor relationships — that is, relationships where there are numerous service providers in the marketplace, the agreement is short-term (i.e. less than 12 months) and the cost of switching between providers is low and switching is relatively easy. Examples of contractor relationships include utility services (e.g. mail and telephone services), legal services, advertising, recruitment and other personnel functions, printing services, travel and transportation services, repair and maintenance of fixed assets, purchase of goods, background investigation and information services, specialised training and software licensing arrangements.
Further, APRA does not expect that secondments would normally fall within the definition of outsourcing. In this context, a secondment is an arrangement whereby an RSE licensee maintains effective management control of a third-party resource that is normally physically located within the RSE licensee’s business operations. Typically, a secondment involves one company within a corporate group employing all personnel of the group and seconding these personnel to other entities within the group. Where there is doubt as to whether an arrangement is outsourcing or a secondment, APRA envisages that an RSE licensee would treat the activity as if it were outsourcing for the purposes of complying with SPS 231.
In APRA’s view, the use of advisory services or professional services, including an RSE actuary, will not generally constitute a material business activity and as such does not fall within the definition of outsourcing for the purposes of SPS 231. Even where the advisory or professional service is provided under an ongoing or regular arrangement, e.g. for review and amendment of trust deeds to comply with legislative changes, or actuarial services in respect of a defined benefit fund, the arrangement is unlikely to be considered outsourcing unless the service could reasonably be performed by an RSE licensee. However, APRA would expect that proposals for such arrangements would be adequately assessed and the arrangements adequately documented. It is APRA’s view that, where the advisory or professional service extends beyond the recognised advisory or professional role, e.g. additional consulting services, this may be considered to be outsourcing. For an RSE actuary, such additional services may include services additional to the specific duties of the RSE actuary such as advice on investment strategies, unit pricing/crediting rate policies, liquidity policies or the use of reserves. Where the additional services could be performed by an RSE licensee and are considered to be material, APRA envisages that the arrangement will then be treated as a material business activity.
[3] Refer to s. 10(1) of the SIS Act for the definition of RSE actuary.

Outsourcing policy

APRA expects that a sound outsourcing policy would address all aspects of outsourcing that may be contemplated by an RSE licensee. It would also clearly identify what business activities, functions or services are covered under the policy, including whether the policy deals with non-material as well as material business activities. It is APRA’s view that a sound outsourcing policy would address how the selection process and due diligence review will be conducted, how the RSE licensee will ensure the effectiveness of these processes, how the outsourcing arrangement will be conducted on an arm’s length basis, how any conflicts arising from the arrangement will be managed and, overall, how the arrangement is considered to be in the best interests of beneficiaries. APRA expects that the policy would identify any additional concerns that need to be considered and addressed in the context of some outsourcing arrangements, and may also specify the types of outsourcing arrangements that are not acceptable to the RSE licensee.
In APRA’s view, a sound outsourcing policy would clearly outline whether outsourcing to associated entities is permitted, and any restrictions and/or additional expectations in relation to such arrangements. Where associated entities are involved, the policy would be expected to cover additional concerns including the impact of group/related party expectations and how these other interests are managed when an RSE licensee is considering the best interests of beneficiaries.
An RSE licensee is required to have a conflicts management framework that identifies all potential and actual conflicts in the RSE licensee’s business operations and takes all reasonably practicable actions to ensure the conflicts are identified, and avoided or prudently managed. The framework must include a conflicts management policy. Where the conflicts management policy does not cover specific conflicts issues related to outsourcing, APRA expects that the outsourcing policy would do so. Conflicts related to outsourcing may arise in a range of different circumstances and, as a guide, may include conflicts arising from arrangements with associated entities and/or from arrangements where individuals may receive direct or indirect benefits as a result of the existing arrangements. Benefits received as a result of the arrangement may be financial or non-financial, and may include the right to a controlling interest or to a Board, committee or management position in respect of the RSE licensee or another entity including a service provider.

Factors to consider when entering into outsourcing arrangements

When an RSE licensee decides to enter into an outsourcing arrangement, there are a number of factors that may be appropriate for the Board of the RSE licensee (the Board) to consider in addition to those outlined in SPS 231.
In assessing options for outsourcing, an RSE licensee is required to consider how the adequacy of resources requirements will be met. The adequacy of resources requirements may be met by the RSE licensee itself and/or the outsourced service provider. APRA expects the RSE licensee to ensure its service provider is financially sound and has the required resources to undertake the outsourced functions on a continuing basis. In assessing financial soundness, the RSE licensee would be expected to consider the adequacy of the service provider’s capital, its insurance and/or guarantee arrangements and its ability to meet its liabilities on a continuing basis.
SPS 231 requires service level and performance requirements to be set out in the outsourcing agreement. This would normally include the content, frequency and format of the service being provided. The agreement would typically also state timelines for receipt and delivery of work and specify priorities. In addition, the agreement would normally contain performance benchmarks, including default benchmarks that, if not met, could result in penalties being applied or, in extreme cases, termination of the agreement. Typically, the agreed service levels would be specified in the service level agreements.
The outsourcing agreement would typically be sufficiently flexible to accommodate changes to existing processes and to accommodate new processes in the future to meet changing circumstances.
APRA envisages that the agreement would clearly set out the procedures in place to enable an RSE licensee to effectively monitor the performance of the service provider. This would typically include the extent to which an RSE licensee’s internal or external auditors can obtain sufficient information (including through on-site inspections or the appointment of an external party) to satisfy themselves as to the adequacy of the service provider’s risk management systems. Also, consideration would usually be given to including provisions allowing an annual review of the service provider’s internal control systems by an independent expert.
In addition, as SPS 231 requires that business continuity management (BCM) arrangements be included in the agreement, APRA envisages that the agreement would detail how these arrangements would ensure that acceptable service levels are maintained in the event of problems occurring with the service provider. APRA also expects that outsourcing agreements will enable an RSE licensee to request reporting or other documentary evidence on the outsourced service provider’s Business Continuity Plan. These requirements would, under the agreement, also apply to any subcontracting or outsourcing by the service provider.
With respect to default arrangements, the agreement would typically clearly specify what constitutes a default event, identify how it is to be rectified and specify any indemnity provisions.
SPS 231 requires that termination provisions be addressed in the agreement. As a guide, an agreement could set out possible reasons for termination and procedures to be followed in the event of termination, including notice periods, the rights and responsibilities of the respective parties and transition arrangements. Transition arrangements would normally address access to, and ownership of, documents, records, software and hardware. Termination clauses would typically also specify the time period over which the business activity would continue to be undertaken by the service provider, and its role in transitional arrangements if the activity is brought back in-house within the RSE licensee’s business operations or outsourced to another service provider.
APRA envisages that the agreement would set out explicit pricing arrangements, covering issues such as frequency of payment, invoicing and payment procedures.
SPS 231 requires that dispute resolution mechanisms be addressed in the agreement. These mechanisms, including conciliation and arbitration arrangements, would normally enable the continued operation of the outsourced activity while specific issues are being dealt with.
As required by SPS 231, the agreement must address liability and indemnity issues. It would typically specify the extent of liability for each party and, in particular, whether liability for negligence is limited. It would also specify any indemnities and provide details of any insurance arrangements. Also, consideration would usually be given to the extent of liability to both the RSE licensee and service provider in relation to subcontracting arrangements.
An RSE licensee could consider obtaining legal advice in assessing the agreement. This could include undertaking legal due diligence prior to the execution of the agreement to ensure that there are no legal impediments to APRA’s access to information and/or relevant persons employed by the RSE licensee or service provider for the purposes of prudential supervision of the RSE licensee’s activities.
When assessing options for outsourcing material business activities, it is good practice to establish an outsourcing team consisting of individuals from the relevant business area(s) and others with the necessary skills to assess the risks involved in outsourcing. They may include specialists in the relevant risk areas and external experts. This team would ensure that the outsourcing policy is followed at all times, including assessment of the initial tender and due diligence processes, evaluation of the outsourcing options, and making recommendations to senior management and the Board on the outsourcing proposal.
If an RSE licensee decides to renew an existing outsourcing agreement or to add an additional material service to an existing agreement, it is considered to be a new agreement and is therefore subject to the requirements of SPS 231, including the requirements for assessment of the outsourcing options. A range of selection processes may be appropriate and the same process does not have to be used each time. It is important that irrespective of the selection process used, an RSE licensee is able to demonstrate that the outsourcing arrangement is sound and the risks of the arrangement are well understood and well managed.

Subcontracting

SPS 231 requires an RSE licensee to address any subcontracting in the outsourcing agreement with a service provider. The agreement would typically include specific rules on, or limitations to, such arrangements (e.g. notification to the RSE licensee prior to entering into a subcontracting arrangement).
Whilst not required by SPS 231, APRA envisages that the same standards that apply to the service provider in respect of security and confidentiality of information, offshoring, compliance with relevant legislation and regulations, and APRA’s access to information, would equally apply to any subcontractors or outsourcing arrangements entered into by the primary service provider.

Custody agreements

A significant risk arising from a custody agreement is the risk of the custodian failing to adequately safeguard an RSE’s assets. To ensure the protection of beneficiaries’ interests, it is critical that each RSE’s assets are safely and accurately maintained, whether within Australia or across various jurisdictions. APRA expects that an RSE licensee would consider whether the custodian’s internal control framework ensures that an RSE’s assets are secure, that the custodian has appropriate procedures for the acceptance, execution and settlement of authorised transactions and that the assets are priced in accordance with the RSE licensee’s valuation policies.
In using a custodian, APRA expects an RSE licensee to have a full understanding of the assets covered under the custody agreement. Where assets may not be covered under a custody agreement (for example, arrangements may exclude bank accounts, real estate or derivatives), APRA expects the RSE licensee to ensure it has appropriate risk management processes around any assets held in a non-custodial environment.
APRA expects an RSE licensee to have a full understanding of the services provided under the custody agreement. These include the services that form the core custody arrangement and those that are additional services. Where additional services are provided, e.g. investment accounting and unit pricing services, APRA expects the RSE licensee to ensure the services are clearly outlined in the agreement. This enables the risks from the arrangements to be identified and properly considered and managed within the RSE licensee’s risk management framework. The provision of additional services may bring critical added risks, e.g. regarding the accuracy of the pricing of the assets and the risks associated with inaccuracy of unit pricing. 
[6] Refer to the Joint ASIC and APRA guide: Unit pricing guide to good practice for further guidance in this area.
APRA expects an RSE licensee to set the policy framework for the outsourced services and that this framework is consistent with the governing rules of its RSEs, disclosure material and any other relevant documentation and practices of the RSE licensee. The policy framework would typically include specific policies, at least at a high level, on relevant outsourced functions such as valuation and unit pricing. While it may be appropriate to utilise or adopt the custodian’s detailed policies where these are considered congruent with the RSE licensee’s policy framework, APRA expects this will only occur as part of a sound due diligence review of the service provider. The RSE licensee remains responsible for ensuring that the policies adopted are consistent with its policy framework and are appropriate for the relevant RSE.
APRA expects an RSE licensee would have a process to provide it with assurance that the custodian’s internal control framework is adequate and continues to operate effectively. This process would provide assurance that the services remain in line with the RSE licensee’s agreed performance standards and risk appetite and comply with relevant RSE licensee policies. APRA also expects an RSE licensee to ensure it receives and actively reviews regular external audit and other reporting from the custodian. If necessary, this would be supplemented by additional enquiry or expert/independent reviews to ensure it has sufficient assurance over the services provided.
APRA considers that a prudent RSE licensee will ensure that the custody agreement clearly addresses the use, and potential use, of sub-custodians. APRA envisages that the agreement will require that, prior to arranging for assets of an RSE to be held by a sub-custodian, the custodian will provide the RSE licensee with written notice of the identity of each sub-custodian with which the assets of an RSE are intended to be placed. Further, APRA envisages that the custodian will notify the RSE licensee in writing of any subsequent appointments of new or replacement sub-custodians at the earliest practicable time but, in any event, no later than 10 business days after the appointment has been made.

Offshoring

SPS 231 requires an RSE licensee to consult with APRA prior to entering into offshoring agreements. This includes where a service provider conducts part of an RSE licensee’s material business activity offshore (i.e. the physical location of this part of its work is outside Australia). This prior consultation is intended to provide an opportunity for APRA to review the RSE licensee’s assessment of offshoring risks, and the processes and controls introduced to mitigate them. This will allow APRA to provide feedback to an RSE licensee but APRA does not intend to approve individual offshoring arrangements.
An offshoring arrangement can give rise to a number of particular risks, including:
  • country risk — the risk that overseas economic, political and/or social events will have an impact upon the ability of an overseas service provider to continue to provide an outsourced service to an RSE licensee;
  • compliance (legal) risk — the risk that offshoring arrangements will have an impact upon an RSE licensee’s ability to comply with relevant Australian and foreign laws and regulations (including accounting practices);
  • contractual risk — the risk that an RSE licensee’s ability to enforce the offshoring agreement may be limited or completely negated;
  • access risk — the risk that the ability of an RSE licensee to obtain information and to retain records is partly or completely hindered. This risk also refers to the potential difficulties or inability of APRA to gain access to the service provider and the material business activity being conducted for prudential review purposes; and
  • counterparty risk — the risk arising from the obligor’s failure to meet the terms of any agreement with an RSE licensee or to otherwise perform as agreed.
Typically, these and other risks would be specifically addressed during the preparation of a business case, when conducting due diligence and during contract negotiations. These risks would also be considered when conducting the ongoing monitoring and control of that material business activity. Specific risk management expertise may be required when assessing, monitoring and controlling material business activities outsourced to service providers conducting the activities outside Australia.
An offshoring agreement would typically include the following additional provisions:
  • choice of law — typically, the agreement would specify the particular jurisdiction under which contractual disputes will be resolved. The due diligence process may include an examination of the relevant foreign legislation and regulations by a suitably qualified expert to ensure that contractual provisions are recognised by the foreign jurisdiction and are able to be enforced in the chosen jurisdiction; and
  • security and confidentiality of information — as a guide, contractual provisions in relation to data would be of the same standard as those required of a domestic service provider and in accordance with requirements under Australian legislation and regulations. The agreement would normally also ensure that all information forwarded to the service provider by an RSE licensee (as well as any information forwarded by the service provider to third parties in the course of providing that service, such as to a backup disaster recovery provider) remains the property of the RSE licensee.

Management and control of the outsourcing relationship

SPS 231 requires an RSE licensee to devote sufficient resources to managing and monitoring an outsourcing relationship.
APRA envisages that the monitoring framework of an RSE licensee would reflect the size and nature of the arrangements. Importantly, the RSE licensee could consider specifically assigning accountability for managing the outsourcing arrangement to an individual or team/committee. This would help to ensure a continued focus on the outsourcing arrangement.
APRA expects an RSE licensee to consider and take into account any actual or potential conflicts of interest between the RSE licensee and the service provider that may have impacted, or may impact, on the RSE licensee’s monitoring of the service provider.
As part of the monitoring framework, APRA envisages that an RSE licensee would regularly seek to satisfy itself that the data managed by the service provider is of high quality, is accurate and complete, and is consistent with the provisions of the agreement. An RSE licensee would typically seek such data quality assurance on a regular basis, including through the regular reporting provided by the service provider. Where appropriate, an RSE licensee may wish to consider being assisted in these reviews by a suitable expert such as an external data quality consultant, another suitable independent party, or the internal or external auditor.
To support the audit function, an RSE licensee would typically arrange for access to those records held by the service provider that are necessary for audit trail purposes.
To address the specific risks associated with offshoring arrangements, APRA would expect an RSE licensee to maintain copies of important documents related to the arrangement, written in English and held at the RSE licensee’s Australian office. Such documents would typically include:
  • a copy of the contractual agreement;
  • a copy of the due diligence assessment;
  • a copy of the service provider’s BCM documentation and details of the latest testing of BCM processes undertaken; and
  • copies of financial statements, reports and any other information the RSE licensee considers critical to the ongoing monitoring and control of the outsourcing arrangement with the service provider.
In addition, an RSE licensee could consider ongoing monitoring of the economic, social and political conditions within the host country to assess the ability of the service provider to continue to adequately perform the contracted service.