APRA Prudential Standard APS 231 – Outsourcing: Overview and Summary of Requirements

• By: Staff Editor
• Date: June 13, 2013

• The standard applies to all ADIs including foreign ADIs and NOHCs, all Category C insurers, authorized insurance NOHCs and parent entities of Level 2 insurance groups
• It also applies to friendly societies, Eligible Foreign Life Insurance Companies (EFLICs) and registered life NOHCs
• The standard applies whether or not activities are outsourced to related bodies – corporate or third party.

• Financial and operational impact on reputation due to service provider failure
• Cost of outsourcing arrangements
• Degree of difficulty in finding alternative service provider
• Ability to meet regulatory requirements due to problems with service provider
• Potential losses to customers in case of service provider failure
• The internal audit function

• All risks associated with outsourcing must be identified, assessed, managed, mitigated and reported
• The Board of the regulated institution must approve an outsourcing policy with a detailed framework
• The Board of the head of a Level 2 group must also have an outsourcing policy for material businesses
• The Board must ensure that the regulated institution’s outsourcing risks are taken into account as part of an overall risk management plan
• The outsourcing policy must set out specific requirements in relation to outsourcing to related bodies corporate and outsourcing to foreign service providers

• Prepare a business case for outsourcing the material business activity
• Undertake tender or other selection process for service providers
• Undertake due diligence review of the chosen service provider
• Must involve the Board and the Board committee in approving the decision
• Establish monitoring procedures for assessing the chosen service provider
• Detail the renewal process for outsourcing agreements
• Develop a list of contingency plans

• Changes to risk profile of the business activity arising from outsourcing the activity to related body corporate
• The related body corporate has the ability to conduct the outsourced activity on an ongoing basis
• Monitoring procedures to ensure related body corporate is performing effectively

• The scope of the arrangement
• Services to be supplied
• Start and end dates
• Pricing and fee structure
• Review provisions
• Service levels and performance requirements
• Audit and monitoring procedures
• Business continuity management
• Confidentiality, privacy and security of information
• Default arrangements and termination provisions
• Dispute resolution arrangements
• Liability and indemnity
• Sub-contracting
• Insurance
• Offshoring arrangements, if applicable
• Clause regarding documentation access to APRA

• APRA must be notified within 20 days of entering the outsourcing agreement
• APRA must be consulted with prior to entering an offshoring arrangement

• Monitoring must be done through regular contact with the outsourcing agency
• Performance of the outsourcing agency must be monitored
• The monitoring process must include informing the APRA of developments that could indicate  significant problems that can affect the institution’s operations and activities
• The APRA must be informed when an outsourcing agreement is terminated
• Audit function must review proposed outsourcing activity and service provider
• APRA may request an external audit agency to assess risk management processes relating to outsourcing arrangements, covering areas such as:

1. IT systems
2. Data security
3. Internal control frameworks
4. Business continuity plans

Additional Resources

Read the APRA Prudential Standard APS 231 – Outsourcing in full.