Superannuation (prudential standard) determination No. 3 of 2012

Prudential Standard SPS 231 Outsourcing

Superannuation Industry (Supervision) Act 1993

 

I, Ross Jones, delegate of APRA, under subsection 34C(1) of the Superannuation Industry (Supervision) Act 1993 (the Act), DETERMINE Prudential Standard SPS 231 Outsourcing in the form set out in the Schedule, which applies to all RSE licensees.

 

This instrument commences upon registration on the Federal Register of Legislative Instruments. 

 

Dated: 15 November 2012

 

[signed]

 

 

Ross Jones

Deputy Chair

 

 

 

Interpretation

In this instrument:

APRA means the Australian Prudential Regulation Authority.


Federal Register of Legislative Instruments means the Register kept under the Legislative Instruments Act 2003.

RSE licensee has the meaning given in section 10(1) of the Act.


 

Note 1 It is a condition imposed on all RSE licences that the RSE licensee and, if the RSE licensee is a group of individuals, each of the members of the group, must comply with the RSE licensee law [section 29E(1)(a)]. RSE licensee law includes the prudential standards [section 10(1)]. APRA may direct an RSE licensee to comply with a specified condition of its RSE licence by a specified time if APRA has reasonable grounds to believe that the RSE licensee has breached the condition [section 29EB]. A failure to comply with a direction may lead to cancellation of the RSE licence [section 29G] and may be an offence attracting a penalty of 60 penalty units [section 29JB].


Schedule

 

Prudential Standard SPS 231 Outsourcing comprises the 9 pages commencing on the following page.

 

Prudential Standard SPS 231

Outsourcing

Objectives and key requirements of this Prudential Standard

This Prudential Standard requires that all outsourcing arrangements involving material business activities entered into by an RSE licensee be subject to appropriate due diligence, approval and ongoing monitoring. All risks arising from outsourcing material business activities must be appropriately managed to ensure that the RSE licensee is able to meet its obligations to its beneficiaries.

The ultimate responsibility for the outsourcing policy of an RSE licensee rests with its Board of directors.

The key requirements of this Prudential Standard are that an RSE licensee must:

 

 

 

 

 

  1. This Prudential Standard is made under section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS Act).

2.             This Prudential Standard applies to all registrable superannuation entity (RSE) licensees (RSE licensees) under the SIS Act.[1]

3.             All RSE licensees must comply with this Prudential Standard in its entirety, unless otherwise expressly indicated.

4.             Nothing in this Prudential Standard prevents an RSE licensee from adopting and applying a group policy used by a connected entity or a related body corporate within the group[2], provided that the policy has been approved by the Board of the RSE licensee (the Board) and meets the requirements of this Prudential Standard.[3]

5.             Subject to paragraph 35, this Prudential Standard commences on 1 July 2013.

6.             Outsourcing involves an RSE licensee entering into an arrangement with any other party to perform, on a continuing basis, a business activity that currently is, or could be, undertaken by the RSE licensee itself.

7.             For the purposes of this Prudential Standard, offshoring means the outsourcing by an RSE licensee of a material business activity to a service provider[4] where the outsourced activity is to be conducted outside Australia. Offshoring includes arrangements where the service provider is incorporated in Australia, but the physical location of the outsourced activity is outside Australia. Offshoring does not include arrangements where the physical location of an outsourced activity is within Australia but the service provider is not incorporated in Australia.

8.             This Prudential Standard only applies to the outsourcing of a material business activity as defined in this Prudential Standard.

9.             A material business activity is one that has the potential, if disrupted, to have a significant impact on an RSE licensee’s business operations[5], its ability to manage risks effectively, the interests, or reasonable expectations, of beneficiaries[6] or the financial position of the RSE licensee, any of its RSEs or its connected entities, having regard to such factors as:

(a)          the financial and operational impact and impact on reputation of a failure of the service provider to perform over a given period of time;

(b)          the cost of the outsourcing arrangement as a share of total costs;

(c)          the degree of difficulty, including the time taken, in finding an alternative service provider or bringing the business activity in-house;

(d)          the ability of the RSE licensee to meet regulatory requirements if there are problems with the service provider;

(e)          potential losses to beneficiaries and other affected parties in the event of a service provider failure; and

(f)           affiliation or other relationship between the RSE licensee and the service provider.

10.         For the purposes of this Prudential Standard, the internal audit function is a material business activity.

11.         An RSE licensee must identify, assess, manage, mitigate and report on risks associated with outsourcing to meet its obligations to beneficiaries and protect the financial position of the RSE licensee, any of its RSEs or its connected entities.

12.         An RSE licensee must have procedures to ensure that all its relevant business units are made aware of, and have processes and controls for monitoring compliance with, the outsourcing policy.

13.         The Board is ultimately responsible for any outsourcing of a material business activity undertaken by an RSE licensee. Although outsourcing may result in the service provider having day-to-day managerial responsibility for a business activity, the RSE licensee is responsible for complying with all prudential requirements[7] and all other non-delegable legal obligations that relate to the outsourced business activity.

14.         The Board must ensure that the RSE licensee’s outsourcing risks and controls are taken into account as part of its overall risk management framework and when completing a risk management declaration required to be provided to APRA.[8]

15.         The Board must approve the RSE licensee’s outsourcing policy, which must set out its approach to outsourcing of material business activities, including a detailed framework for managing all such outsourcing arrangements.

16.         An RSE licensee’s outsourcing policy must set out specific requirements in relation to outsourcing to associated entities.[9] The RSE licensee must also identify and address the risks arising from the arrangement and be able to demonstrate that the arrangement is conducted on an arms length basis and in the best interests of beneficiaries.

17.         An RSE licensee’s outsourcing policy must set out the RSE licensee’s approach to conflicts that may arise through outsourcing, including how all risks arising from such a conflict will be identified, monitored, managed and mitigated.[10]

18.         An RSE licensee’s outsourcing policy must set out specific requirements in relation to outsourcing to service providers conducting the material business activity outside Australia.

19.         An RSE licensee must be able to demonstrate to APRA that, in assessing the options for outsourcing a material business activity and entering into an outsourcing agreement, it has:

(a)          prepared a business case for outsourcing the material business activity;

(b)          undertaken a tender or other selection process for selecting the service provider;

(c)          undertaken a due diligence review of the chosen service provider, including the ability of the service provider to conduct the business activity on an ongoing basis;

(d)          taken into account the changes to the risk profile of the business activity that arise from outsourcing the activity and how this changed risk profile is addressed within the RSE licensee’s risk management framework;

(e)          considered how and to what extent outsourcing of the material business activity will assist the RSE licensee in meeting the adequacy of resources requirements, and how these requirements will be monitored on an ongoing basis[11];

(f)           involved the Board, Board committee or senior manager with delegated authority from the Board, in approving the agreement;

(g)          considered all the matters outlined in paragraph 21, that must, at a minimum, be included in the outsourcing agreement itself;

(h)          established procedures for monitoring performance under the outsourcing agreement on a continuing basis;

(i)            addressed the renewal process for outsourcing agreements and how the renewal will be conducted;

(j)            developed contingency plans that would enable the outsourced business activity to be provided by an alternative service provider or brought in-house if required[12]; and

(k)          determined that its conduct in relation to the outsourcing agreement is in the best interests of beneficiaries.

20.         Each outsourcing arrangement must be contained in a documented legally binding agreement. The agreement must be signed by all parties to it before the outsourcing arrangement commences.

21.         At a minimum, the agreement must address the following matters:

(a)          the scope of the arrangement and services to be supplied;

(b)          commencement and end dates;

(c)          review provisions;

(d)          pricing and fee structure;

(e)          service levels and performance requirements;

(f)           the form in which the data is to be kept and clear provisions identifying ownership and control of the data;

(g)          reporting requirements, including content and frequency of reporting;

(h)          audit and monitoring procedures;

(i)            business continuity management;

(j)            confidentiality, privacy and security of information;

(k)          default arrangements and termination provisions;

(l)            dispute resolution arrangements;

(m)        liability and indemnity;

(n)          sub-contracting;

(o)          insurance; and

(p)          to the extent applicable, offshoring arrangements (including through sub-contracting).

22.         An RSE licensee that outsources a material business activity must ensure that its outsourcing agreement includes an indemnity to the effect that any sub-contracting by a service provider of the outsourced function will be the responsibility of the service provider, including liability for any failure on the part of the sub-contractor.

23.         Where:

(a)          an RSE licensee invokes its Business Continuity Plan[13] as the result of an unexpected event; or

(b)          there is a sudden financial or operational failure of an existing service provider,

and, as a result, enters into a new outsourcing agreement, the RSE licensee must comply with paragraphs 21 to 22 inclusive and 26 to 28 inclusive only to the extent that is reasonably possible having regard to the nature of the extreme event or sudden failure. The RSE licensee must notify APRA as soon as practicable of any such outsourcing arrangement.

24.         An outsourcing agreement must include a clause that allows APRA access to documentation and information related to the outsourcing arrangement. In the normal course, APRA will seek to obtain whatever information it requires from the RSE licensee; however, the outsourcing agreement must include the right for APRA to conduct on-site visits to the service provider if APRA considers this necessary in its role as prudential supervisor. APRA expects service providers to cooperate with APRA’s requests for information and assistance. If APRA intends to undertake an on-site visit to a service provider, it will normally inform the RSE licensee of its intention to do so.

25.         An RSE licensee must take all reasonable steps to ensure that a service provider will not disclose or advertise that APRA has conducted an on-site visit, except as necessary to coordinate with other entities regulated by APRA that are existing clients of the service provider.

26.         An RSE licensee must notify APRA as soon as possible after entering into an outsourcing agreement, and in any event no later than 20 business days after execution of the outsourcing agreement. This notification requirement applies to all outsourcing of material business activities.

27.         When an RSE licensee notifies APRA of a new outsourcing agreement, it must also provide a summary to APRA of the key risks involved in the outsourcing arrangement and the risk mitigation strategies put in place to address these risks. APRA may request additional material where it considers it necessary in order to assess the impact of the outsourcing arrangement on the RSE licensee’s risk profile.

28.         An RSE licensee must consult with APRA prior to entering into any offshoring agreement involving a material business activity so that APRA may satisfy itself that the impact of the offshoring arrangement has been adequately addressed as part of the RSE licensee’s risk management framework.

29.         If, in APRA’s view, the offshoring agreement involves risks that the RSE licensee is not managing appropriately, APRA may require the RSE licensee to make other arrangements for the outsourced activity as soon as practicable.[14]

30.         An RSE licensee must ensure it has sufficient and appropriate resources to manage and monitor each outsourcing relationship at all times. The type and extent of resources required will depend on the materiality of the outsourced business activity. At a minimum, monitoring must include:

(a)          maintaining appropriate levels of regular contact with the service provider. This will range from daily operational contact to senior management involvement; and

(b)          a process for regular monitoring of performance under the agreement, including meeting criteria concerning service levels.

31.         An RSE licensee must advise APRA of any significant problems that have the potential to materially affect the outsourcing arrangement and, as a consequence, materially affect the RSE licensee’s business operations, the interests of beneficiaries, or materially affect any of the RSEs or connected entities of the RSE licensee.

32.         Where an outsourcing agreement is terminated, an RSE licensee must notify APRA as soon as practicable and provide a statement about the transition arrangements and future strategies for carrying out the outsourced material business activity.

33.         An RSE licensee’s internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the RSE licensee’s outsourcing policy. Where APRA has exempted an RSE licensee from having a dedicated internal audit function, or approved alternative arrangements under Prudential Standard SPS 510 Governance, APRA may also vary the requirements of this paragraph.

34.         APRA may request the external auditor of an RSE licensee, or an appropriate external expert, to provide an assessment of the risk management processes in place with respect to an arrangement to outsource a material business activity. This could cover areas such as information technology systems, data security, internal control frameworks and business continuity plans. Such reports will be paid for by the RSE licensee and must be made available to APRA.

35.         Paragraphs 29, 36 and 37 of this Prudential Standard commence on the date of registration of this Prudential Standard on the Federal Register of Legislative Instruments (registration date).

36.         An RSE licensee must ensure that, when entering into an outsourcing arrangement covered by this Prudential Standard and from the day after the registration date, it complies with paragraphs 20 to 28 inclusive.

37.         Where an RSE licensee has entered into an outsourcing arrangement covered by this Prudential Standard prior to the registration date, the RSE licensee must, for each arrangement:

(a)          assess the provisions of the arrangement against paragraphs 20 to 28 inclusive;

(b)          identify whether it is satisfied as to the matters in paragraphs 20 to 28 inclusive;

(c)          where the RSE licensee is not satisfied as to the matters in paragraphs 20 to 28 inclusive, identify the anticipated end date of the arrangement;

(d)          where the anticipated end date of the arrangement is on or after 1 January 2014, take all reasonable steps to adjust the terms of the arrangement in order to ensure that the RSE licensee complies with paragraphs 20 to 28 inclusive;

(e)          where, as a result of the reasonable steps taken under paragraph 37(d), the RSE licensee determines that, if it were to renegotiate the terms of the arrangement, it would not be acting in the best interests of  beneficiaries, demonstrate to APRA why it considers the arrangement should continue; and

(f)           report to APRA before 1 July 2013 the extent of any non-compliance with paragraphs 20 to 28 inclusive and the anticipated end date of the arrangement.

38.         APRA may, by notice in writing to an RSE licensee, adjust or exclude a specific prudential requirement in this Prudential Standard in relation to that RSE licensee.[15]

 

[1]  For the purposes of this Prudential Standard, RSE licensee has the meaning given in section 10(1) of the SIS Act.

[2]  For the purposes of this Prudential Standard, a reference to a group’ is a reference to a group comprising the RSE licensee and all connected entities and all related bodies corporate of the RSE licensee,connected entity’ has the meaning given in section 10(1) of the SIS Act and related body corporate’ has the meaning given in section 50 of the Corporations Act 2001.

[3]  For the purposes of this Prudential Standard, a reference to the Board is a reference to the Board of directors or group of individual trustees of an RSE licensee and ‘group of individual trustees has the meaning given in section 10(1) of the SIS Act.

[4]  Service provider is a reference to the entity providing the outsourced activities to the RSE licensee.

[5]  For the purposes of this Prudential Standard, an RSE licensee’s business operations includes all activities as an RSE licensee (including the activities of each RSE of which it is the licensee), and all other activities of the RSE licensee to the extent that they are relevant to, or may impact on, its activities as an RSE licensee.

[6]  For the purposes of this Prudential Standard, a reference to beneficiaries is a reference to ‘beneficiaries of an RSE within the RSE licensee’s business operations’.

[7]  ‘Prudential requirements’ include requirements under the SIS Act, the Superannuation Industry (Supervision) Regulations 1994, the prudential standards, reporting standards, the Financial Sector (Collection of Data) Act 2001, licence conditions, authorisations, superannuation data and payment standards, directions and any other requirements imposed by APRA under legislation.

[8]  Refer to Prudential Standard SPS 220 Risk Management (SPS 220) for more information on the risk management framework and declaration.

[9]  A reference to an ‘associated entity’ is a reference to an associate within the meaning of section 12 of the SIS Act.

[10]  Refer to sections 52(2)(d) and 52A(2)(d) of the SIS Act and Prudential Standard SPS 521 Conflicts of Interest (SPS 521).

[11]  Refer to SPS 220.

[12]  Refer to Prudential Standard SPS 232 Business Continuity Management (SPS 232).

[13]  Refer to SPS 232.

[14]  Where this Prudential Standard provides for APRA to require an RSE licensee to make other arrangements, or otherwise exercise a power or discretion, the power or discretion is to be exercised in writing.

[15]  Refer to section 34C(5) of the SIS Act.