Skip to main content
Outsourcing Obligations
Updated over 2 years ago

Connective don’t endorse or recommend - therefore it’s important for you to carry out your own due diligence to ensure your business needs are met and always get professional legal advice (including checking with your PI Insurance provider) before committing yourself to such an arrangement.

Please find following our reference/guidelines in relation to what key items should be covered within the outsource agreement:

Service levels and performance requirements
The agreement must clearly define the service levels and performance requirements that you require.

Audit and monitoring procedures
The more important the services to your organisation’s core business, the higher the risk of failure of the services and degree of monitoring required. There should also be provision for regular review of these services at periods depending on the services provided. The agreement should also permit review of breaches where service levels/standards have not been achieved.

Default arrangements and termination provisions
An immediate right to terminate the agreement should exist in the event of breach of relevant laws or the terms of your contract or agreement.

Pricing and fee structure
The agreement should provide for a clear and concise pricing and fee structure. It should also state payment terms.

Dispute resolution arrangements
When you enter into an outsourcing agreement everything may be rosy, but that may not always be the case. A mechanism for resolution of disputes between the parties is always a good idea.

Liability and indemnity
Depending on the nature of the services to be provided, our recommendation is that you request that the service provider hold adequate professional indemnity insurance under the terms of your agreement,

Confidentiality, privacy and security of member information
You must ensure that your agreement has provisions requiring the service provider to hold all customer information confidential. There should also be a provision that the service provider hold information in accordance with the Privacy Act 1988 (Cth) and not provide customer information to another party without the consent of the customer.

Protection of intellectual property
Don’t forget to protect your own intellectual property (e.g. name, logo, website address, operational and documented systems and other intellectual property). If the intellectual property is to be used by the service provider, then ensure that it is done so under licence.

Business continuity plans
A plan should exist for a contingency in the event the services are no longer provided. You should also ensure that you take appropriate steps to continue to provide services if the service provider is no longer able to provide the services.

Privacy
Adherence by Service Provider to the Australian Privacy Principles. (https://www.oaic.gov.au/agencies-and-organisations/guides/app-quick-reference-tool#app-1-open-and-transparent-management-of-personal-information)

ASIC recognises that functions relating to credit activities, including administrative and operational functions maybe outsourced either through external parties or other entities. Outsourced functions may include administration duties; loan application and submission processes; file and storage management; technology systems and support. As an authorised/licensed finance broking business, if you outsource functions relating to your credit activity, you remain responsible for complying with your obligations.

For example, if you outsource the marketing and advertising for your business, you are still responsible for ensuring that your marketing and advertising meets requirements.

To comply with your obligations, we expect that you:

· have measures in place for selecting acceptable service providers;
· review and monitor the ongoing business performance of service providers;
· control and take action if any breaches occur;
· adhere to the requirements of your Licensee.

Please be aware that a person must not engage in a credit activity if that person does not hold a licence authorising the person to engage in the credit activity. Credit Activity is defined as finance or credit broking, a person providing credit assistance to a consumer. Engaging in credit activities without being authorised is a breach of the NCCP Act and carries civil and criminal penalties.

Outsourcing Functions to Overseas

If you intend to disclose personal information to anyone overseas, before doing so you need to take reasonable steps to ensure that either they will not breach the Australian Privacy Principles or they are subject to laws which provide similar protection and can be enforced by the individuals whose personal information is being disclosed. This might extend to including this obligation in the contracts and other arrangements you have with that person. If you are unsure about the laws that apply to an overseas recipient and you don’t have an arrangement under which you can require them to comply with the Australian privacy laws:

• inform anyone about whom you collect personal information, that you cannot give any assurances about how the information will be used, stored or disclosed if you disclose it overseas; and
• obtain express written consent before you disclose it overseas.

Disclosure overseas is permitted in other limited circumstances including where it is required by Australian law or an Australian court or tribunal.

Trap: If you disclose personal information overseas and the recipient breaches an Australian Privacy Principle, you may be deemed to have breached the law.
Tip: Ensure that your contracts with overseas recipients require them to comply with the Australian Privacy Principles.

Australian Privacy Principles

An individual’s personal information (e.g. their name and contact details) can be used individual’s personal information for direct marketing if:

· they would reasonably expect you to do so;
· you collected their personal information from them; and
· you provide a simple means for them to request not to receive any more direct marketing communications.

If a person would not reasonably expect you to send direct marketing communications to them, or you collected their personal information from someone other than them, you must not use it for direct marketing unless:

• they consent to receiving direct marketing communications, or it is impracticable to obtain their consent;
• you provide a simple means for them to request not to receive any more direct marketing communications; and
• each direct marketing communication:
• if in writing - contains a prominent statement; or
• if by telephone - makes them aware that, they can request not to receive such communications in the future.

Tip: Don’t assume that clients expect you to send direct marketing communications to them. The test is whether a reasonable person would expect this.

Consider whether:
• they have consented;
• your Privacy Policy explains that you will do this;
• you notified them that one of the purposes of collection of their information was for direct marketing purposes.

Opting Out:
Your direct marketing communications must include a simple means for clients to ‘opt out’ of receiving marketing material, i.e.:
• a clear instruction on what to do;
• a quick and simple process that uses the same communication channel that you used to deliver a direct marketing material (e.g. by email if you sent an email).

Here is a suggested wording, which you can use on your promotional material.

Sample Opt Out Wording:
“<Insert name, of broker> is delighted to provide this <insert type of promotional material, e.g. newsletter> as a service to you. Please let us know if you would rather not receive it and we will remove your name from our distribution list.”

You can’t charge clients to ‘opt out’ and if they have done so, you must not use their details for direct marketing again.

Data Quality and Security of Information

You need to take reasonable steps to ensure that the personal information your outsourcing functions collect, use or disclose is accurate, up-to-date, complete and relevant. Take care to keep it protected from misuse, interference and loss or from unauthorised access, modification or disclosure.

Regularly
• review the information you hold to ensure that it is complete and relevant; and
• ask your clients to confirm the information you hold about them is correct and up to date.

If information has become irrelevant destroy or de-identify it.

Access to and Correction of Personal Information

If a person requests access to personal information you hold about them, respond within a reasonable period and where possible allow access in the manner they have asked for (e.g. send copies of records or allow the person to inspect them at your office). You can refuse access in some circumstances. Check if you have grounds to do so.

Confidentiality

Keep information provided by loan applicants confidential at all times and only disclose it if the law requires you to do so or the client authorises you to do so.
Tip
• when working in an open plan environment, try to minimise the opportunity for conversations about clients or transactions to be overheard.
• don’t leave client information where it can be seen by others.
• don’t discuss or speak about a client’s personal information or situation outside of work.

Credit Guide:

The following details information is recommended to be included into your Credit Guide document relate to your outsourcing functions. Again, it’s a guide only and you can adapt to the nature of your arrangement.

What information do we collect and how do we use it?

From time-to-time, to ensure timely processing of finance applications, we may engage the services of external processing companies. These company’s administrative functions may be based overseas. These companies are subject to the Privacy Act 1988 (Cth).

Will we disclose the information we collect to anyone?

Disclosures to overseas recipients

Some of the recipients to whom we disclose your personal information may be based overseas. It is not practicable to list every country in which such recipients are located but it is likely that such countries will include <insert countries>.

As always please do not hesitate to contact the compliance team for any further assistance.

Did this answer your question?