Guidance Notes and Circulars

Superannuation guidance note SGN 130.1
Outsourcing
July 2004
www.apra.gov.au
Australian Prudential Regulation Authority
Superannuation guidance note SGN 130.1 Outsourcing
Disclaimer and copyright notice
1. The purpose of this guidance note is to provide
general guidance on issues arising out of the
legislation administered by the Australian Prudential
Regulation Authority (APRA). It is not exhaustive in
its coverage of rights or obligations under any law.
2. This guidance note is based on APRA’s
interpretation of the relevant legislation and has no
legal status or legal effect whatsoever.
3. This guidance note may be affected by changes to
legislation. APRA accepts no responsibility for the
accuracy, completeness or currency of the material
included in this guidance note.
4. Users of this guidance note are encouraged to
obtain professional advice on the relevant legislation
and to exercise their own skill and care in relation to
any material contained in this guidance note.
5. APRA disclaims any and all liability or responsibility
for any loss or damages arising out of any use of, or
reliance on, this guidance note.
6. This guidance note is copyright. You may use and
reproduce this material in an unaltered form only for
your personal non-commercial use or non-commercial use within your organisation. Apart from
any use permitted under the Copyright Act 1968, all
other rights are reserved. Requests for other types of
use should be directed to APRA.
Contents
Objective
Introduction
Application of the standard
General
The outsourcing agreement
Assessing outsourcing arrangements
Conclusion
Objective
1. The purpose of this guidance note is to provide
advice to trustees of Australian Prudential Regulation
Authority (APRA)-regulated superannuation funds,
approved deposit funds (ADFs) and pooled
superannuation trusts (PSTs)[1] about the operating
standard relating to outsourcing arrangements
entered into by trustees and RSE licensees. The
standard was introduced under the licensing
provisions inserted into the Superannuation Industry
(Supervision) Act 1993 (SIS Act) by the Superannuation
Safety Amendment Act 2004 (SSAA). The requirements
apply to arrangements entered into by trustees
granted an RSE licence and to certain other
arrangements under transitional provisions.
2. The standard and transitional arrangements are set
out in SIS Regulations 4.16 and 4.17 of the
Superannuation Industry (Supervision) Regulations 1994
(SIS Regulations).
3. This document should be read together with the
other guidance material prepared by APRA for
trustees of APRA-regulated superannuation entities
as well as the relevant provisions in the SIS Act and
SIS Regulations.
[1] These entities are described as registrable superannuation entities
(RSEs) – see definition of ‘registrable superannuation entity’ in
section 10(1) of the SIS Act.
Introduction
4. Under the SIS Act, trustees are solely responsible
and directly accountable for the prudential
management of members’ benefits.
5. In November 2001, APRA advised the
superannuation industry that requirements relating to
outsourced arrangements would be a priority when
relevant legislation was amended. APRA’s media
release[2] accompanying the release of a draft
prudential standard on outsourcing arrangements by
Approved Deposit-taking Institutions contained the
following message to trustees and service providers:
Outsourcing is also a significant issue for the
superannuation industry and the introduction of a
Standard on outsourcing will be a high priority when the
relevant legislation is amended to allow it. The Standard is
seen as complementary to the specific requirements of
the Superannuation Industry (Supervision) Act (SIS) with
regard to the use of third parties (such as investment
managers and custodians) and the regulations imposed
on Approved Superannuation Trustees under their
Instruments of Approval.
6. Part 3 of the SIS Act provides for a system of
prescribed standards applicable to the operation of
regulated superannuation funds, ADFs and PSTs.
Amendments to the SIS Act widened Part 3 to enable
prescription of standards applicable to trustees and
RSE licensees of funds and trusts. Included in the list
of matters in relation to which standards may be
prescribed are those relating to outsourcing
arrangements relating to the operation of funds,
ADFs and PSTs.
7. Trustees of APRA-regulated superannuation funds,
ADFs and PSTs operating at the commencement of
the SSAA provisions (1 July 2004) must apply for an
RSE licence during the two year transitional period, or
make arrangements for appointment of a licensed
trustee or wind-up of the fund during that period.
The transition period expires on 30 June 2006.
8. The note to subregulation 4.16(2) of the
outsourcing standard states that ‘An RSE licence will
not be granted unless APRA has no reason to believe
that the RSE licensee law would not be complied
with. The RSE licensee law includes this regulation….’
9. Once licensed, RSE licensees will have to comply
continually with the requirements of the
outsourcing standard in order to fulfil their duties as
licensed trustees.
Application of the standard
10. The operating standard applies to material
outsourcing agreements, that is, those agreements or
arrangements for the performance of a material
business activity of an RSE licensee in relation to an
RSE, and sets out the requirements for such
agreements. These requirements aim to ensure that
material outsourcing arrangements entered into by an
RSE licensee in its capacity as trustee of an RSE are
subject to appropriate due diligence, approval and
ongoing monitoring.
11. An outsourcing agreement is an agreement or
arrangement between the RSE licensee and another
person (the service provider) for the performance of
a business activity of the licensee.
12. In this context, if the RSE licensee is a body
corporate, a service provider is not an employee of
the RSE licensee or an officer of the body corporate,
acting in the capacity of an employee or officer of the
licensee. If the RSE licensee is a group of individual
trustees, a service provider is not an employee of the
group or of any member of the group, acting in the
capacity of an employee of the group or of any
member of the group.
[2] APRA media release 01.42 of 7 November 2001.
13. ‘Material business activity’ means a business
activity which has the potential, if disrupted or
poorly performed, to affect members’ or
beneficiaries’ interests, or to have a significant
impact on the business operations, reputation, rate
of return, profitability or net assets of the RSE or of
the RSE licensee.
14. The operating standard applies to agreements
with independent third parties, to agreements with
related parties and to agreements under which an
employer-sponsor, or a related party of an
employer-sponsor or promoter, provides services in
relation to the performance of a material business
activity, such as fund administration, whether or not
there is a charge for these services[3]. The operating
standard does not distinguish between agreements
made by an RSE licensee with overseas based
service providers and those domiciled in Australia.
In respect of agreements for custody of assets
outside Australia, APRA may have regard to relief
provided by ASIC in respect of overseas subcustodian arrangements[4].
15. The operating standard applies immediately to
material outsourcing arrangements entered into after
a trustee has applied for and been granted an
RSE licence.
16. A transitional provision[5] applies in respect of
arrangements other than those entered into after a
trustee has been granted an RSE licence. The
transitional provision applies to arrangements or
agreements that:
• were entered into before the end of the transition
period (30 June 2006);
• were entered into by a person who was a trustee
of a registrable superannuation entity at the start
of the licensing transition period and was not an
RSE licensee (or member of a group that was an
RSE licensee) at the time the arrangements were
entered into;
• relate to an activity that would be classed as a
material business activity if it was a business
activity of an RSE licensee.
17. All agreements or arrangements must comply with
the outsourcing standard set out in Regulation 4.16 at
or before the end of the transition period, or
otherwise be terminated by the person, by that time.
[3] See the definition of service provider in SIS subregulation 4.16(1).
[4] See ASIC Pro Forma 209, paragraph 32.
[5] See SIS Regulation 4.17.
General
18. Trustees should recognise that where an
outsourcing agreement has been entered into,
although the business activity or function is
delegated, the trustee remains accountable for the
outsourced business activity.
19. This means that, when considering whether to
enter an outsourcing arrangement in respect of a
material business activity, trustees that apply for
and are granted an RSE licence should first decide
whether the activity should be outsourced at all,
and then be actively engaged in assessing the
processes involved in outsourcing the
activity, including:
(a) consideration as to whether a business activity
is material for the purposes of the outsourcing
standard. Factors which, at a minimum, should be
considered include:
(i) financial and/or reputation impact of poor
performance by a service provider or the
failure of the service provider to perform the
relevant activity over a given period;
(ii) the cost of the outsourcing arrangement as a
share of total fund costs;
(iii) the degree of difficulty (including time taken)
to find an alternative service provider or to
bring the activity in-house; and
(iv) the ability of the trustee to meet its legal and
compliance obligations if any problems arise
with the service provider.
(b) due diligence process for evaluation and
selection of service providers. This process
should:
(i) be undertaken prior to any final decision being
made as to whether to outsource a material
business activity at all, and then in respect of
the chosen supplier;
(ii) address all material factors that would impact
on the service provider’s ability to perform the
business activity;
(iii) as a minimum, assess the financial and
technical abilities, systems and capacities of the
service provider to deliver the required
services;
(iv) include an assessment of the service provider’s
internal control framework which should
include performance standards, policies,
procedures, compliance, reporting and
monitoring processes; and
(v) where possible, include inquiry into past issues
that service providers have faced and how they
were addressed.
In APRA’s view, a tender process would be a ‘best
practice’ component of the due diligence process.
Trustees should document the due diligence
processes as a part of their risk management
strategies. Trustees that are holders of an Australian
Financial Services Licence are subject to similar
obligations to have measures, processes and
procedures in place to ensure that due skill and care
has been taken in choosing suitable providers and to
monitor their ongoing performance[6].
(c) monitoring performance of service providers
on an ongoing basis; and
(d) provision for appropriate exit arrangements
and strategies.
[6] ASIC PS 164, paragraph PS 164.28 – 31.
The outsourcing agreement
20. The standard provides that all material
outsourcing agreements must:
(a) be in writing;
(b) state the commencement date of the
agreement;
(c) contain default arrangements and termination
provisions - in respect to default arrangements,
the agreement should clearly specify what
constitutes a default event, and identify how, and
in what timeframes, these are to be dealt with.
The circumstances that would lead to a
termination of the outsourcing agreement should
be clearly specified in the agreement. It should set
out possible reasons for terminating the
agreement and procedures to be followed in the
event of termination, including notice periods, the
rights and responsibilities of the respective parties
and transition arrangements. The agreement
should address access to, and ownership of,
documents, records, processes and software
(including licence issues) and hardware.
Termination clauses should specify a time period
for continuity of business activities to be
undertaken by the service provider, handover
practices and transitional arrangements if the
activity is brought back in-house or outsourced to
another service provider, on a transitional or
ongoing basis;
(d) contain dispute resolution mechanisms - these
mechanisms should define procedures for
managing disputes. They should enable the
continued operation of the outsourced activity
while specific issues are being dealt with, including
conciliation and arbitration arrangements;
(e) contain liability and indemnity provisions -
the agreement should specify the extent of
liability of each party and, in particular, whether
liability for negligence is limited. It should specify
any indemnities and provide details of any
insurance arrangements.
APRA would expect trustees to fully understand
the measures the service provider has in place to
limit trustee exposure to the outcome of an
adverse event. Such measures would include
internal audit, and group indemnity and other
external insurance arrangements. Trustees
should require a copy of any insurance policy
which is said to provide cover in respect of the
service provider’s performance. Particular care
needs to be taken in regard to accepting any
limitation of liability on the part of service
providers, and in understanding how such
limitation would interact with the trustee’s
ability to meet the obligations to fund members
(trustee risk management strategies and plans
should explicitly deal with this issue);
(f) provide for confidentiality, privacy and security
of information - the agreement should explicitly
provide for the confidentiality, privacy and security
of the information that comes into the hands of
the service provider and that breach of
confidentiality may result in penalties or, in the
extreme, the termination of the agreement;
(g) contain a pricing, fee and payments structure
in relation to the performance of the material
business activity - the agreement should set out
explicit pricing arrangements, covering issues
such as frequency of payment, invoicing and
payment procedures;
(h) contain audit, monitoring and assessment
procedures - the agreement should clearly set out
the procedures in place to allow the trustee to
effectively monitor the performance of the service
provider. Accordingly, service levels and
performance requirements should also be specified
in the agreement. The frequency of reporting
against performance requirements should reflect
the level of risk to the trustee and the fund in the
event of failure to perform at the specified level.
The agreement should also provide for the extent
to which the trustee’s internal or external auditors
can obtain sufficient information (including
through on-site inspections or the appointment of
an external party) to satisfy themselves of the
adequacy of risk management systems;
(i) provide for business continuity planning,
including transfer protocols relating to the
handover of functions from the service
provider to either a successor service provider
or the RSE licensee on the cessation of the
agreement - the agreement must include details
covering business continuity plans (BCP), to
ensure that acceptable service levels are
maintained in the event of problems occurring
with the service provider. This should address
problems arising internally within the service
provider (such as a systems breakdown) or
through external events (such as a power failure).
The agreement should include an agreed period
for normal service levels to be restored. The BCP
should address the back up of both data and
software. The agreement should also ensure that
this requirement applies to any subcontracting or
outsourcing of the activity by the service provider.
The agreement should also cover arrangements
for dealing with financial or capacity problems
experienced by the service provider, including
arrangements in the event that the service
provider becomes subject to voluntary
administration or becomes insolvent. For example,
this could address issues such as arrangements for
the trustee to take over the ownership of, or have
access rights to, the software and computer
hardware used by the service provider in the event
of administration/insolvency;
(j) provide the RSE licensee and APRA with access
to information - the agreement must contain a
provision requiring the service provider to
provide the RSE licensee or APRA with any
documents or information in the possession of
the service provider relating to the outsourcing
arrangement or the business activity performed
under the agreement.
The licensee or APRA must make the request in
writing and specify a time and place for provision
of the information or documents that is
reasonable in the circumstances. This provision
may be used, for example, to request information
that the trustee or APRA consider necessary to
satisfy themselves as to the adequacy of the risk
management systems used by the service provider.
The intent of this provision and the following two
provisions is to ensure that APRA is not prevented
from obtaining information or reviewing an
activity that it would otherwise be able to obtain
from the trustee or review but for the outsourcing
of the business activity;
(k) provide the RSE licensee or APRA with access
to premises - under the agreement, the service
provider must allow the RSE licensee or APRA to
conduct on-site visits at the service provider’s
premises and access any documents or
information relating to the superannuation entity
held at those premises. This should include
arrangements for APRA to meet directly with the
service provider. The request must be made in
writing and the visit must be at a time that is
reasonable in the circumstances. APRA will only
request information that it considers necessary in
its role as prudential supervisor of the regulated
entity or entities;
(l) provide the RSE licensee or APRA with the right
to require an audit - under the agreement the
service provider must have an independent audit
of its activities conducted within a specified period
if so requested in writing by the RSE licensee or
APRA. The time within which the audit must be
conducted must be specified in the request and
must be reasonable in the circumstances.
An independent audit excludes an audit by the
external auditor of the service provider and means
either an audit conducted by the external auditor
of the trustee or by an appropriate external
auditor as agreed to by APRA;
(m) provide that any arrangement under which
the activity is subcontracted to another
service provider complies with the standard -
the agreement between the RSE licensee and
the service provider should specifically cover
any subcontracting or outsourcing by the
service provider, including any specific rules or
limitations to such arrangements. In particular,
the same standards that apply to the service
provider in respect of security and
confidentiality of information should apply to
subcontractors or outsourcing arrangements by
the primary service provider.
21. An RSE licensee or a service provider must not
charge APRA a fee for the provision of, or
provision of access to, any documents or
information, or provision of access to the premises
of the service provider, or the conduct of an
independent audit. This does not prevent the
inclusion in the agreement of a provision in
relation to the payment by the service provider or
the trustee or both, of the cost of complying with
such requests made by APRA.
22. An RSE licensee must, if requested by APRA,
take all reasonable steps to enforce the agreement
against a service provider in relation to the
provision of, or provision of access to, any
documents or information, access to the premises
of the service provider, the conduct of an
independent audit or the sub-contracting of the
material business activity.
Assessing outsourcing arrangements
23. In assessing an application for an RSE licence,
where a trustee already has outsourcing arrangements
in place, APRA will assess:
(a) whether the applicant is aware of any shortfall in
existing arrangements compared to the
requirements of the operating standard;
(b) the steps the applicant has taken and plans to take
to ensure that arrangements relating to material
business activities meet the requirements of the
operating standard;
(c) whether the risks, including the risk of breaching a
condition of the RSE licence, arising as a result of
entering into outsourcing arrangements are
appropriately covered in the applicant’s risk
management strategy and the entity risk
management plan.
24. Some applicants for an RSE licence will have been
granted an Australian Financial Services Licence (AFSL)
by ASIC. APRA-regulated AFSL licensees are subject
to ASIC requirements to have measures, processes and
procedures in place to ensure that due skill and care
has been taken in choosing suitable providers and to
monitor their ongoing performance. However, ASIC
relies on APRA supervision of compliance with these
requirements by APRA-regulated entities[7].
25. In completing section B.3 of the RSE licence
application form, applicant trustees may provide to
APRA copies of documents that had been submitted
in the course of a successful AFSL application. Such
documents must be up to date, comprehensive and
relevant to the information requested in the APRA
licence application form. Applicants that hold an AFSL
must demonstrate they meet the operating standard
for the purposes of the RSE licence.
[7] ASIC PS 164, paragraph PS 164.28 – 31.
Conclusion
26. This guidance note outlines the provisions of the
operating standard and the key matters that APRA
expects to address in assessing whether an applicant for
an RSE licence, or a licensee on an ongoing basis, meets
the requirements of the outsourcing standard.
Continuing adherence to the requirements set out in
the operating standard (as part of RSE licensee law)
will be a condition of the trustee’s RSE licence.
Telephone: 1300 13 10 60
Website: www.apra.gov.au
Mail: GPO Box 9836, SYDNEY NSW 2001