Superannuation trustees are now significant buyers of information technology, data analytics and media services, as well as being investors in new industries such as fintech. We have been fortunate to work with a number of superannuation trustees on significant information technology and digital transformation projects. Here are some of the lessons we have taken from these projects.
Sole purpose and best interests
It may seem trite, but trustee boards should always consider their ‘sole purpose’ and best interests duties, and document their deliberations, when they are about to embark on a project involving significant expenditure and internal resources. Having said that, to satisfy these duties, the trustee board really only needs to answer the same fundamental question that any prudent board would ask itself before embarking on a major project: do the benefits this project will deliver to members justify the resources being used and the risk being taken?
APRA has stated that the sole purpose test is sufficiently broad to encompass the ‘normal activities’ of superannuation fund trustees, but there should always be a ‘reasonable, direct and transparent connection’ between a particular trustee action and the superannuation benefits permitted under the sole purpose test.[1] There can be little doubt that effective IT systems and digital infrastructure are now a key component of providing retirement benefits to members. Trustees need to have, or procure, systems capable of complying with SuperStream and other data transfer requirements. Trustees also need to be able to communicate effectively with their members, both as a matter of law and to meet members’ expectations. We think expenditure on such projects is consistent with the sole purpose test, but the amount being spent needs to be justified in light of the circumstances and needs of the fund.
Advertising and media campaigns are slightly different, as they are not critical infrastructure. In relation to advertising and marketing, APRA issued a letter to trustees in March 2005 in which it expressed the view that expenditure on member retention and recruitment is appropriate only in limited circumstances. It appeared to be less concerned where the expense was being deducted from the trustee’s fees (provided the trustee did not increase its fees to cover the expenses), but expressed the view that ‘imposing marketing expenses on current members primarily to attract new members is difficult to justify’ and may give rise to inequities between generations of members. The source of funding for any advertising or media campaign therefore needs to be considered. The superannuation industry is a more competitive environment than when APRA issued the letter in 2005, and retention campaigns are now critical to a fund’s long-term sustainability, but trustees still need to justify their advertising expenses in light of their statutory and fiduciary duties.
Outsourcing
A broader range of commercial arrangements is now captured by the material outsourcing provisions than was the case before APRA issued Prudential Standard SPS 231: Outsourcing in 2012. Most large scale hardware and software installations will constitute outsourcing of material business activities for the purposes of SPS 231, even though these have traditionally not been a core component of a superannuation trustee’s duties. In addition to processes around due diligence and counterparty selection, SPS 231 requires the agreement with the outsourced provider to meet certain requirements.[2] The difficulty arises where SPS 231 prescribes the terms of the agreement between the trustee and the outsourced provider, rather than simply requiring that the agreement address the issue. This is particularly problematic in IT contracts with large international providers, for whom Australian superannuation funds are not particularly large clients. We are increasingly seeing vendors being open to including some of the more unusual terms required under SPS 231 in their agreements with trustees, but a few still create problems: in particular, the requirement that the service provider accept responsibility for the actions of any subcontractor and indemnify the trustee against any liability arising from the failure of the subcontractor to meet its obligations, and the requirement that the service provider cooperate with APRA’s requests for information, including by allowing on-site visits. APRA can modify the operation of SPS 231 at the request of a trustee[3] (although it is unlikely to waive its rights of access), but is only likely to do so if the trustee has conducted a thorough risk assessment of the issue in light of its overall risk management framework.
Privacy and data
Trustees collect and hold a huge amount of personal information about their members, some of which is sensitive information under the Privacy Act 1988 (Cth). Their legal obligations in relation to such information are no different from those of most other large institutions, but they undoubtedly have a higher public profile than many other institutions, and the portability rules allow members to ‘vote with their feet’ if they don’t like the way trustees are acting. As well as the regulatory risk, there is serious reputational risk for trustees associated with privacy or data breaches. A trustee entering into an arrangement with an information technology provider, or in relation to data analytics, needs to be very clear about the flow of personal information, and should give genuine consideration to whether the trustee’s use or disclosure of information is permissible under the Privacy Act (for example, is it a use or disclosure for the purpose for which the information was collected, for a related secondary purpose within the reasonable expectations of the member, or with the consent of the member?). Where information is being used for data analytics or other ‘big data’ related activities, the trustee should put itself in the member’s shoes and ask, ‘If I were the member, would I reasonably expect my personal information to be used in this way?’ Trustees should also be aware of the guidance issued by the Office of the Australian Information Commissioner (OAIC) regarding the Australian Privacy Principles generally[4] and the specific draft guidance recently issued by the OAIC regarding the use of personal information for ‘big data’ activities.[5]
A trustee should also consider the data security arrangements in place in relation to that information, both at the trustee and at the provider, and satisfy itself that those arrangements are appropriate. This will become even more important with the impending introduction of mandatory notification requirements for data breaches (which the Commonwealth government has recently committed to introduce during 2016).
Service level agreements
Most trustees would be familiar with service level agreements (SLAs) from administration and similar arrangements, but SLAs in IT agreements can be more complex still. Generally speaking, SLAs in IT agreements should set out the standards or levels of service that the trustee expects the relevant technology service to meet (for example, standards around uptime or availability, timeframes for response to and rectification of issues, or service satisfaction levels). A well drafted SLA regime in an IT agreement should both incentivise a high standard of performance by the IT supplier and provide consequences and remedies for the trustee if the services do not meet the service levels. Jargon should be avoided in favour of plain English in SLAs: people often think commonly used words in the IT industry have an accepted meaning until they try to agree on that meaning!
Some of the key issues we have seen regarding SLAs include:
- the importance of involving the IT and operational teams of the trustee in reviewing SLAs, to ensure the SLA properly captures the standards and requirements important to the trustee;
- ensuring that SLAs are binding (rather than targets or best endeavours obligations); and
- ensuring that the consequences of service level non-compliance by the supplier (such as service level credits or other rights) are clear and act as an incentive for the supplier to perform.
Statements of work and ‘sprints’
The contract structure of IT arrangements can be quite different from the traditional linear structure superannuation lawyers are used to. IT projects will often be delivered in stages, with each stage of the project delivered for acceptance testing and approval before the next stage commences. There may be a ‘discovery’ phase to determine the viability of the project before a more substantial commitment is made. It often won’t make sense for the trustee to spend time and resources negotiating and executing a Master Services Agreement with the vendor until the project makes it past the discovery phase. It is increasingly common for IT projects to be undertaken on an ‘agile’ basis. Agile is a project delivery methodology that involves breaking an IT project (such as a development or integration project) into a series of shorter cycles or ‘sprints’, with scope refined as the project proceeds rather than fixed up front, and the contract needs to reflect that way of working. Where IT projects are undertaken on an agile basis, it will be important that the contract addresses the key issues for trustees arising from agile projects, including termination rights, dispute resolution, and scope and cost management.
Intellectual property
Ownership and licensing of intellectual property is often a significant and heavily negotiated issue in IT, digital and media agreements. There will often be extensive negotiation regarding whether the trustee or the supplier will own the intellectual property generated from the project (particularly in relation to custom development, digital, media and other project engagements). Trustees should consider whether they really need to own the intellectual property. Often a sufficiently broad, perpetual licence of the intellectual property will be sufficient for the trustee’s purposes. If the trustee has concerns about intellectual property or deliverables being ‘re-used’ for its competitors, this can often be addressed in the exclusivity provisions of the licence or by way of contractual restraints.