APRA Prudential Standard APS 231 – Outsourcing: Overview and Summary of Requirements

  • By: Staff Editor
  • Date: June 14, 2013
Webinar All Access Pass Subscription


This APRA Prudential standard requires regulated institutions to carry out appropriate due diligence and monitoring of their outsourcing arrangements. The standard requires that regulated institutions have a board-approved policy, legally binding agreements and managing processes for outsourcing of material businesses. It also calls for consulting and notifying the APRA before regulated institutions enters into these outsourcing arrangements.
Outsourcing is defined as an arrangement entered with another party (including a related corporate body) to perform a business activity on a continuing basis. The international business of a Level 2 Group does not constitute as off shoring.
The standard came into effect on January 1 2013.
  • The standard applies to all ADIs including foreign ADIs and NOHCs, all Category C insurers, authorized insurance NOHCs and parent entities of Level 2 insurance groups
  • It also applies to friendly societies, Eligible Foreign Life Insurance Companies (EFLICs) and registered life NOHCs
  • The standard applies whether or not activities are outsourced to related bodies – corporate or third party.
Factors defining ‘Material’ Business Activity
The Prudential Standard applies to outsourcing of material business activities which are those that have a significant financial and operational impact on the regulated institutions. The factors defining the activity as material are:
  • Financial and operational impact on reputation due to service provider failure
  • Cost of outsourcing arrangements
  • Degree of difficulty in finding alternative service provider
  • Ability to meet regulatory requirements due to problems with service provider
  • Potential losses to customers in case of service provider failure
  • The internal audit function
Role of Board and Senior Management
  • All risks associated with outsourcing must be identified, assessed, managed, mitigated and reported
  • The Board of the regulated institution must approve an outsourcing policy with a detailed framework
  • The Board of the head of a Level 2 group must also have an outsourcing policy for material businesses
  • The Board must ensure that the regulated institution’s outsourcing risks are taken into account as part of an overall risk management plan
  • The outsourcing policy must set out specific requirements in relation to outsourcing to related bodies corporate and outsourcing to foreign service providers
Outsourcing Options – Steps for Assessment
The regulated institution must:
  • Prepare a business case for outsourcing the material business activity
  • Undertake tender or other selection process for service providers
  • Undertake due diligence review of the chosen service provider
  • Must involve the Board and the Board committee in approving the decision
  • Establish monitoring procedures for assessing the chosen service provider
  • Detail the renewal process for outsourcing agreements
  • Develop a list of contingency plans
When outsourcing to related bodies corporate, the regulated institution must show it has taken into account:
  • Changes to risk profile of the business activity arising from outsourcing the activity to related body corporate
  • The related body corporate has the ability to conduct the outsourced activity on an ongoing basis
  • Monitoring procedures to ensure related body corporate is performing effectively
Factors to be Addressed in the Outsourcing Agreement
  • The scope of the arrangement
  • Services to be supplied
  • Start and end dates
  • Pricing and fee structure
  • Review provisions
  • Service levels and performance requirements
  • Audit and monitoring procedures
  • Business continuity management
  • Confidentiality, privacy and security of information
  • Default arrangements and termination provisions
  • Dispute resolution arrangements
  • Liability and indemnity
  • Sub-contracting
  • Insurance
  • Offshoring arrangements, if applicable
  • Clause regarding documentation access to APRA
Notification and Consultation
  • APRA must be notified within 20 days of entering the outsourcing agreement
  • APRA must be consulted with prior to entering an offshoring arrangement
Monitoring and Auditing
  • Monitoring must be done through regular contact with the outsourcing agency
  • Performance of the outsourcing agency must be monitored
  • The monitoring process must include informing the APRA of developments that could indicate  significant problems that can affect the institution’s operations and activities
  • The APRA must be informed when an outsourcing agreement is terminated
  • Audit function must review proposed outsourcing activity and service provider
  • APRA may request an external audit agency to assess risk management processes relating to outsourcing arrangements, covering areas such as:
  1. IT systems
  2. Data security
  3. Internal control frameworks
  4. Business continuity plans

Additional Resources

Read the APRA Prudential Standard APS 231 – Outsourcing in full.


Best Sellers
You Recently Viewed