Author
Cheng Lim  
Partner
Cheng Lim  
Partner
T +61 3 9643 4193

Sydney
Jim Boynton  
Patrick Gunning  
Greg Hammond  
Nicole Heller  
John Stumbles  

Melbourne
Cheng Lim  
John Malon  
Ian Paterson  
Mark Weber  

Perth
John Naughton  

Brisbane
Berkeley Cox  
John Swinson  
Ensure compliance of outsourcing arrangements with new prudential standards on outsourcing. This will require reviewing existing contracts and making them compliant before 1 January 2007.

11 October 2006

New APRA Prudential Standards on Outsourcing

On Friday 6 October 2006, the Australian Prudential Regulation Authority (APRA) released its new prudential standards on outsourcing for authorised deposit-taking institutions (ADIs), general insurers and life companies (regulated institutions). ADIs, general insurers and life insurers must comply with the new prudential standards from 1 January 2007.

What has been released?

Three prudential standards have been released, specific to ADIs, general insurers, and life companies. Until now there has only existed a prudential standard on outsourcing for ADIs, dating from 2002. This has been superseded by the new ADI prudential standard.

The release of these standards was accompanied by the release of a practice guide on outsourcing and a practice guide on custody arrangements. The practice guide on custody arrangements supersedes Cross Industry Circular No 1 - Custodian Requirements for APRA Supervised Entities as of the date of release of the practice guide (ie 6 October 2006).

Who do the prudential standards apply to?

Each of the three prudential standards applies to a different industry, namely ADIs, general insurers and life companies.

The practice guide on outsourcing applies to all three of the prudential standards. However the practice guide on custody arrangements, only applies to general insurers.

What do they apply to?

The prudential standards apply to the outsourcing of material business activities. Material business activities are defined as those that have “the potential, if disrupted, to have a significant impact on the insurer’s business operations or its ability to manage risk effectively”. These typically include investment management functions, professional services, custodial arrangements and various IT functions, among others, but are not intended to include contractor relationships or secondments.

For general insurers, the practice guide on custody arrangements states specifically that an external custody arrangement concerning assets that are material in value will typically be considered a material outsourcing arrangement.

What do the prudential standards say?

The new standards are in part based on the 2002 ADI prudential standard, but provide additional guidance on various provisions, in particular on the assessment of outsourcing options, arrangements with related parties and arrangements with offshore service providers.

Key features of the new standards include the following.

  • Outsourcing policy: Regulated institutions must have a Board-approved outsourcing policy. This must specify that the regulated institution remains responsible for compliance with prudential requirements. The company’s risk management framework must include considering outsourcing risk.
  • Demonstrated assessment of options: Regulated institutions must be able to demonstrate certain matters in their assessment of a proposed outsourcing. In an outsourcing to a related body corporate, matters to be demonstrated include matters such as considering changes to the risk profile of the business activity, and considering the ability of the related body corporate to conduct the business activity on an ongoing basis. However in an outsourcing to a third party, the regulated institution must be able to demonstrate not only these matters, but also preparation of a business case, establishment of procedures for monitoring performance, and development of contingency plans, among others.
  • Outsourcing agreements: Regulated institutions must have legally binding agreements with third parties for outsourcing, which must be executed before the outsourcing arrangement commences. These requirements do not apply to outsourcing arrangements with related bodies corporate, unless APRA (after consultation) has notified the regulated institution that the outsourcing arrangement must be evidenced by a written, legally binding agreement, or this is required by another prudential standard. The prudential standards specify minimum requirements for outsourcing agreements. For instance, an outsourcing agreement must address service levels, business continuity management and subcontracting.
  • APRA access to service providers: Any outsourcing agreement must also contain a clause allowing APRA access to the documentation relating to the outsourcing arrangement. APRA must also be given the right to conduct on-site visits with the service provider when it considers it necessary.
  • Notification requirements:
    a) Regulated institutions must consult with APRA before entering into an outsourcing agreement with an offshore service provider.
    b) Regulated institutions must notify APRA after entering into any outsourcing agreement. This notification should not take place later than 20 business days after execution of the relevant outsourcing agreement.
  • Monitoring: A regulated institutions must have sufficient monitoring processes to manage the outsourcing. The regulated institution must advise APRA of any problems that arise with the potential to materially affect the outsourcing arrangement.
  • Audit: The business’s internal audit function must review any proposed outsourcing of a material business activity and must regularly review and report to the Board or the Board Audit Committee.

International compliance

APRA states that the new standards are consistent with relevant international regulations, including those of the Joint Forum, overseen by the Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS).

Implications for ADIs

ADIs must comply with the new prudential standards from 1 January 2007.

The standards will not affect any agreement entered before that date (until the next scheduled review date of that agreement), as long as the Board is generally satisfied that the existing agreement complies with the new prudential standard.

The major changes made by the new prudential standard are that:

  • ADIs must consult with APRA prior to entering into any outsourcing agreement to an offshore service provider.
  • ADIs must now be able to demonstrate required matters in their assessment of outsourcing options (as mentioned earlier). These matters extend beyond what had been required to be covered in the risk management framework under the previous standard.
  • There are additional requirements to what was specified under the previous standard that must be addressed in any outsourcing agreement.
  • Outsourcings to related bodies corporate do not need to be documented in a formal written agreement unless APRA (after consultation), or another prudential standard, requires it.

Therefore ADIs will need to review existing outsourcing agreements to determine whether they comply with the new prudential standard in light of those changes.

Some elements that were previously in Guidance Note AGN 231.1 - Managing Outsourcing Arrangements have been made explicit. For example, the Board must now specifically approve the ADI’s outsourcing policy.

There are no provisions for transitional relief for ADIs in relation to the new prudential standard.

Implications for general insurers and life companies

General insurers and life companies must comply with the new prudential standards from 1 January 2007. They must also notify APRA of all existing outsourcing agreements involving material business activities within 20 business days of 1 January 2007. The standards will not affect any agreement entered before the effective date (until the next scheduled review date of that agreement), as long as the Board is generally satisfied that the existing agreement complies with the new prudential standard.

This means that general insurers or life companies will need to review existing agreements for compliance with the new standards. If an existing agreement does not satisfy the relevant new standard, the general insurer or life company:

  • will have until 31 December 2007 to make it compliant; or
  • if that is not possible, should seek transitional relief from APRA.

APRA will only grant transitional relief to a general insurer or life company where, in APRA’s view, the Board and senior management have taken all reasonable steps to comply with the relevant standard but will nonetheless not be able to comply by the effective date.

Note that APRA has stated that when assessing requests for transitional relief, APRA will take into account whether the application for relief was submitted at least 20 days before the effective date (ie 1 January 2007).