					              DATA INTEGRITY

                SG VENKATRAMANI

General Manager, Specialised Institutions (Central)
   Australian Prudential Regulation Authority

        Conference of Major Super Funds


I Introduction
    1. When the wondrous human genome experiment inexorably advances to
        deciphering the composition of the prudential regulator, a starting
        hypothesis will be needed. Based on my experience, I offer the four distinct
        elements: Firstly, the party pooper: in a time of raging irrational
        exuberance, as in a few years ago, a gentle tap on the shoulder - ‘slow
        down and avoid the hangover’; Secondly, the agony aunt: when everything
        looks gloomy and lost, as in recent times, a comforting shoulder - ‘perk up,
        things can only get better’; Thirdly, the helpful counsel: when short term
        issues crowd out the long term ones that are overlooked, a nudge into
        strategic thinking – ‘let us deal with this looming issue before it overwhelms
        us’; Finally, the judge executioner – when all else fails, a reluctant, yet
        firm, move into the enforcement mode - ‘So long’.

    2. I was a party pooper at the 2008 CMSF Conference. Not being particularly
       adept at playing the agony aunt, I crave your indulgence to shift into phase
       three today, with some friendly counsel. In so doing, I implore the
       superannuation industry to consider an important aspect that can and must
       be tackled.

II The issue
    3. Data in all its aspects forms the ‘life blood’ of superannuation. Whether
        qualitative or numerical, primary or derivative, internally or externally
        sourced, fund operations depend on the existence, accuracy, completeness,
        maintenance and smooth flow of data in a secure fashion for meeting the
        obligations to members. The nature of superannuation – compulsory,
        preserved till retirement, supported by ongoing concessional tax treatment,
        with little or no capital-backing to smooth adverse developments – makes
        this an imperative. Changes to the basics such as member investment
        choice, choice of fund, transition to retirement pensions enabling members
        to be simultaneously in accumulation and withdrawal phases and improving
        longevity make the task more difficult and urgent. The known problem of
        multiple member accounts, although being addressed through a range of
        initiatives, does not make it easier.

    4. The number of stakeholders in super as members pass through the system
       from entry to final exit, and potentially via many funds, is large. As the
       data is being processed, the weakest link determines the outcome.
       Establishing accountability for errors in a practical, as distinct from a legal
       sense, becomes therefore difficult.

    5. For the affected members and contingent beneficiaries, the issue is quite
       opaque: a black box. In many instances the issue may become too difficult
       or even impossible to fix, if not tackled at an early enough stage.

    6. The availability of reliable data is a necessary [1] pre-condition to funds
       working out member entitlements such as tax, investment earnings,
       insurance and other costs.

[1] But not sufficient, as the many unit-pricing and crediting rate errors the industry has had
to remedy have shown.

7. Despite the ongoing attention to improving members’ financial literacy and
   engaging their attention in their retirement plans, success remains patchy.
   Complete data integrity cannot be achieved without an interested and
   engaged membership but trustees can, and should, be able to ensure there
   is an increased level of data integrity even while striving for improved
   member engagement.

8. More fundamentally, how and when could trustees know that data may be
   compromised? Do the controls facilitate timely detection and rectification?

9. Who will bear the cost of fixing errors: in an economic sense, it is always
   the consumer, over time. Within this, the equity of allocating the cost
   between classes of members and over time poses challenges. This assumes
   that the errors are able to be fixed appropriately. If the underlying data
   cannot be reliably retrieved and validated, approximations become
   inevitable, with their consequences for equity and integrity.

10. The super licensing regime, without doubt, involved seeking, and to some
    extent achieving, enhanced risk management. More fundamentally, at the
    trustee and the responsible officer level, fitness standards are required.
    Data integrity is closely linked to these.

11. These considerations lead to the conclusion: while there is no need for
    panic yet that in Australia data issues have significantly affected the
    entitlements of beneficiaries, the very nature of the industry and the
    experience of other jurisdictions show that we cannot be complacent. To
    avoid collectively costly, in some cases hard-to-remedy situations, we need
    short and medium term actions, now.

12. APRA is keen to play its part in this task by ensuring that there is sound
    information available on good practices and expectations and encouraging
    the industry to appropriately deal with this important area.

III Objective
13. The object is to recognise the need for identifying and dealing with data
     issues, by involving
     o Trustee and responsible officers;
     o Outsourced service providers;
     o Internal audit;
     o Professional advisers;
     o Employers;
     o Insurers;
     o Members, and
     o Regulators.

IV Evidence – anecdotal, overseas
14. Recognising that the industry is preoccupied with many difficult issues at
    the moment – substantive as well as procedural - what evidence do we have
    that we are not beating up a non-issue?

15. We have anecdotal and investigation-based evidence. Some scary stories
    from other jurisdictions should serve as a wake-up call:
    o   Japan 2007: 14 million accounts were found not having been integrated with
        pension agency data;
    o   Japan 2007: 50 million bungled pension payments;
    o   UK: Dec 2008: 100,000 public service pensions were found to have been
        wrongly calculated, since 1978;
    o   UK: Oct 2008: pensioner details leaked from audit records;
    o   US: 2006 – employee laptop with AHOLD US pension data checked in as
        airline baggage, and lost;
    o   US: Aug 2007 – California State Pension Fund breaches the security of
        445,000 retirees’ data;
    o   March 2006: Fidelity laptop with HP staff data stolen;
    o   Nov 2008: NY Express Scripts threatened with an attempted extortion to
        expose patient records.

    16. The incidents range from system design problems, including legacy aspects;
        calculation errors; security lapses, whether human or system-based; and
        fraud. The magnitude of reworking calculations (assuming the necessary
        data can be retrieved from ancient systems and validated), not to mention
        the impact on public confidence, is stunning.

    V Evidence – investigative, Australian
    17. In Australia, specific industry investigations [2] have highlighted two disturbing
        attitudes on the part of some trustees. One is deliberate indifference to
        the need for periodical and pro-active testing of data quality, completeness
        and security. This is demonstrated by an attitude of ‘we know we are all
        right’, - a touching, if somewhat naïve, faith in their own invincibility.
        While the personal preferences of regulated industry boards and
        management, spiritual or secular, are of no concern to APRA, we do seek a
        more evidence-based approach on matters that affect the interests of

    18. Of greater concern is the attitude of conscious avoidance. This arises
        where there is the awareness that anecdotally and empirically, data quality
        needs ongoing attention. This is followed by a fear ‘why look, lest we find
        issues?’ or ‘If we don’t find it, we won’t have to fix it’. The resulting short
        term avoidance could lead to long term distress.

    19. Of the 19 projects [3] conducted by ITM in 2008, covering 600,000 members,
        there were some very basic issues found:
    o Basic member details in 14
    o Key dates and numbers in 14
    o Duplicate numbers in 11
    o Benefit Payments in 8, and
    o Contributions in 5.

    20. The type of errors identified included:
    o Failure to follow up data errors systemically
    o Financial losses
    o Critical data errors – e.g., payments but no exit record, negative
        contributions, post June 2007 contributions with no TFN
    o Benefits wrongly paid
    o Breaches of the law
    o Platform bugs
    o Duplicate / Dummy data, and
    o Issues being dealt with post migration (too late).

[2] These have been conducted by Independent Transition Management Pty Ltd (ITM), an
Australian service provider in the area of testing and remedying data issues. APRA is
grateful for their input into this presentation.
[3] Anti-Money Laundering as well as Income Stream aspects not covered. Thus the real
extent may be understated.

21. The good news is that these are issues that trustees can, and should be,
    addressing with planning and with a proper focus on risk mitigation in this
    important area.

VI APRA experience
22. While we have been spared the trauma of major episodes, by no means are
    we immune. APRA’s experience reveals the following:

23. When we examined Eligible Rollover Funds, we came across a number of
    data issues, including multiple instances of dummy dates of birth. The
    nature of ERFs makes data cleansing more difficult, given the lack of access
    to, or responses from, members.

24. When successor fund transfers take place, we have received requests for
    dispensation to permit a freeze on redemptions and rollovers during a
    temporary period while data is checked, transferred and reconciled. While
    we are responsive to practical implementation aspects, a more robust
    attitude to data quality would have avoided the incidence and extent of

25. Since mid 2008, we have undertaken a review of fund liquidity. In assessing
    the impact of the market volatility and underlying fund freezes, we had
    sought specific information to delineate trends, especially in the context of
    past movements in areas such as member investment switching. This
    revealed limited trustee ability to extract such useful information at short
    notice - a clear indication that trustees have not seen this as an important
    area for them to consider and monitor. APRA believes such information is
    essential for trustees in managing fund operations and preparing for

26. While specific data issues were being dealt with by individual trustees, we
    have not seen a uniform practice across the industry to periodically test and
    cleanse data. This is desirable and, in a fast consolidating industry as well
    as in one where members move between funds, perhaps necessary.

27. Remediation of identified issues has been sporadic, being neither pro-active
    nor systemic. It is as if the trustees have said: ‘We have disposed of this
    issue. Let us wait for the next’, rather than ‘What can we do to mitigate
    the risks of another data issue?’

28. The various unit pricing and crediting rate calculation issues (which the
    industry has been addressing, following well-publicised episodes) have
    highlighted that the ability of members to realise there is something wrong
    is limited. The onus therefore shifts to other parties: trustees primarily, but
    there is also a role for service providers, advisers and regulators.

29. You will be aware that we are currently in the course of a review of a
    number of fund administrators to understand their operational processes
    better and cascade the findings for trustee guidance. Expected to be
          completed in 2009, to date this project has already indicated that trustees
          have a vital role to coordinate and drive data integrity initiatives across the
          range of involved parties for a particular fund.

      30. In short, our experience corroborates the overseas and local evidence

      VII The ATO experience [4]
      31. Working with the ATO, in their capacity as revenue collectors rather than
          SMSF regulators, APRA has obtained further corroboration. The ATO has a
          continuing focus on ensuring that APRA regulated funds meet their
          superannuation reporting obligations in an accurate and complete manner.
          This covers member contributions, lost and unclaimed super and departing
          Australia payments.

      32. Last financial year (2007/8) there were 120 accuracy and completeness
          audits conducted. Every second fund audited was found non-compliant on at
          least one audit issue. Audits of lost member statements contained the most
          issues, which commonly included:
      o Non-reporting and / or non-payment of unclaimed money. In particular, a
          lack of documented procedures resulting in large numbers of members over
          the age of 65 still being recorded on the lost member register;
      o Lost members reported with incorrect or nil account balances;
      o Contributions still being received for members reported lost;
      o Lost members ‘found’ not being reported or reported twice;
      o Lost members so reported, not fitting the criteria;
      o Information held (such as TFN) not being reported;
      o Rejected information not being rectified, and
      o Transfers to ERFs not reported.

      33. The ATO has been working with funds, administrators, software providers
          and professional associations to foster better compliance, and encourage
          voluntary disclosures. Last year, a large administrator, involving nine funds,
          found systemic deficiencies in their reporting software. As a result of the
          work done by all parties, more than 600 members could be removed from
          the lost member register with a value close to $100 million.
      Other failures commonly seen in ATO audits include:
      o Failure to return incorrect co-contribution payments to the ATO with the
          payment variation form;
      o Member contribution statement with missing or incorrect employer and
          rollover information;
      o Incorrect processing of departing Australia payments and misreporting; and
      o Superannuation holding account payments from the ATO not being reported
          correctly as ‘employer contributions’.

      34. The corrective actions suggested by the ATO include:
      o Enhancing the reporting software
      o Relodgement
      o Reviewing and implementing revised fund procedures
      o Reviewing and implementing stringent quality control checks

[4] APRA is grateful to ATO for sharing their generic audit findings.

    35. All of this should spur trustees into action. As an incentive, the ATO has
        helpfully scheduled another 120 audits in 2008/9!

    VIII Other industries
    36. All prudentially regulated industries require reliable, secure and complete
         data, and have to have the appropriate framework of culture, governance,
         risk management, as well as policies and procedures that are implemented
         effectively. The superannuation industry presents some additional
         challenges, given its differences.

    37. As an integrated regulator taking a consistent approach on comparable
        risks, APRA takes, where possible, a principles-based approach across
        industries. Excessive prescription is likely to lead to a rule-based approach
        by regulated entities, which could miss significant risks in the context of
        changing markets and operating environments.

    38. For example in March 2007, in the context of Basel 2 implementation, we
        wrote to the relevant deposit takers seeking accreditation of their advanced
        modelling approaches outlining the approach we wished to see in relation to
        data management. These included:
    o a data management framework;
    o overarching architecture;
    o lifecycle management;
    o data validation;
    o defining and testing quality metrics;
    o a robust issue management process including the root causes;
    o independent assessment and
    o inculcating staff awareness.

    39. We are currently finalising a prudential practice guide on IT Security Risk
        Management that will apply to all our regulated industries. Again, this will
        detail principles which we expect individual boards and management to
        adapt to their business strategies.

    IX The UK guidance
    40. Following industry consultation, the UK Pensions Regulator (TPR) [5] has
        released its good practice guide ‘Record Keeping’ for measuring member
        data. At this stage, TPR seeks to educate and enable stakeholders in
        achieving data integrity, whilst flagging its intention to move into
        enforcement as the next phase.

    41. Whilst a careful study of the guide will provide many useful pointers to
        trustees and others in Australia, I highlight its salient features:
    o TPR suggests that fund operators measure ‘core’ (applicable across all
        funds) and ‘conditional’ (dependent on individual schemes) data;
    o They should report on numerical aspects by providing suitable commentary to
        provide context;
    o They should assess internal controls for their ability to capture risks;
    o They should develop improvement plans and implement them on agreed
        time frames;
    o Annual data measurement, and
    o TPR will review the outcomes in 2009.

[5] ‘Record keeping’ issued in December 2008. In preparing this presentation, APRA
acknowledges the assistance provided by TPR’s work in this area.

42. A sobering lesson for us in Australia, where relative to the UK we have
    accumulation funds dominating the superannuation landscape, is that our
    funds demand more work in preserving data integrity. Here, members bear
    most of the risks, in particular operational consequences including
    remediation. The number and incidence of account movements are more
    complex and less predictable, compared with the employer and member
    contributions in DB schemes. To add to the excitement, our taxation regime
    (including the ability to use foreign tax credits) has certain features that do
    not apply to overseas regimes.

43. The UK (DB pensions) regime has undergone some searing experiences which
    our regime (founded on accumulation and compulsory super guarantee
    contributions) has not had to contend with. The resulting buy-out in the UK
    of corporate pension liabilities by financial providers has, among other
    things, revealed the glaring issues in data management, probably leading to
    the initiatives TPR has undertaken.

44. Even so, it would clearly be sensible for the Australian super industry to
    pick up the lessons from this guidance.

X APRA expectations
45. In the light of such overwhelming evidence, what does the regulator expect?

Trustee actions
46. First and foremost, trustees being legally responsible for ensuring
    beneficiaries will, under all reasonable circumstances, receive their
    entitlements accurately and on time, must set the tone. From determining
    the culture of the fund operations through embedding it in its data
    management framework (as part of its risk management strategy and fund-
    specific plan), arranging for documented policies, procedures and controls,
    periodical reviews and final implementation by internal as well as external
    providers the entire process must carry trustee involvement and
    endorsement. In particular, trustee deliberations need to consider data
    issues as a regular feature (similar to investment performance,
    contributions flow or member complaints) rather than merely in response to
    identified hiccups.

A suggestion for better data management
47. An interesting example: trustees can clawback contribution taxes from the
    ATO after enhancing the death benefits to a member’s estate under ‘the
    anti-detriment’ provision applicable under the tax laws. However, the
    ability of trustees to correctly work out the actual contribution taxes paid
    in respect of members at any given moment is notably absent. Rollover
    payments do not transfer this information. As a result, trustees who
    implement this beneficial provision, while clearly acting in the best
    interests of members by doing so, are constrained. Recourse to
    approximations, including the formula provided in the relevant explanatory
    memorandum, becomes necessary. Surely our trillion dollar industry
    (admittedly, pre-GFC!) should figure out a way to record, maintain and
    pass on this important piece of data?

    Check before change
    48. A key message is that waiting for a major system or administrator change is
        futile to resolve or improve data issues. In the past, many data migration
        exercises and administrator changes have highlighted inherent data issues,
        holding up the project implementation. Futile too is the practice of
        cleansing data after a successor fund transfer. If there are issues they are
        better found and dealt with before. In extreme cases, serious data quality
        issues could prevent the trustees establishing (as required under SIS) the
        equivalence of benefits, and the member service quality post transfer could
        deteriorate to an unacceptable level.

    Unit pricing and crediting rates
    49. Unit pricing and crediting rate calculations are severely impacted by poor
        data quality (in addition to system, formula and estimation issues). Given
        the good work done by the industry in this area, it would be a pity to erode
        the advantages gained.

    50. It would be sensible for trustees to set up a process of attestation of data
        quality, completeness and security, through a cascading mechanism – the
        CEO provides an annual attestation to the Board, supported by similar well-
        supported work through the internal and external chain of data flow. With
        external audit representation letters now being an accepted practice, why
        should this not be extended internally to such a vital area of the
        superannuation business?

    Internal audit
    51. Internal audit should be enlisted as an ally in ensuring data quality. Their
        programmes must be so designed.

    Service providers
    52. What trustees expect of administrators, custodians, investment managers
        and insurers must be clarified in contracts and followed up in discussions, with a
        commensurate process to track performance.

    Professional advisers
    53. External advisers, such as actuaries, auditors and asset consultants should
        be asked to highlight data issues as they are encountered in the course of
        their professional work. Additionally, it would be good practice to
        periodically measure the data held and validate it. Independent assessment,
        including by specialist agencies, would be worthwhile once in a couple of

    GS 007
    54. In a timely move, the new audit guidance GS 007 [6] effective from 2008/9
        contains more prescriptive control objectives with a minimum set
        prescribed for each service: custody, asset management, property
        management, superannuation member administration, investment
        administration and registry. Its part A guides fund auditors and part B
        auditors of service providers who provide assurance reports to fund auditors.
        This should enable trustees to query service providers, by requiring
        appropriate rigour of their own auditors.

[6] ‘Audit Implications of the Use of Service Organisations for Investment Management
Services’ released by AuASB on 12 March 2008. It replaces AGS 1026 entirely, and AGS 1042
to the extent it applies to investment management services.

55. The relationship with employers is crucial. In the current competitive
    environment in super, it may not be easy to demand of employers what
    data should be provided, and when. How practical is it to expect a trustee,
    in these days when economies of scale are an imperative, to refuse to
    accept contributions in the absence of accompanying complete and
    validated data? On the other hand, if employee data are not passed on to
    the trustee and therefore the insurer on time, there is a distinct chance
    that insurance cover that should be in place in terms of the disclosed PDS
    may not exist, with disastrous consequences if a claim arises. Without being
    unrealistic, APRA believes setting mutual expectations at the outset and
    following up regularly will save significant problems later: ‘a stitch in time
    saves nine’. Perhaps the relevant industry bodies can work with employer
    associations to facilitate this.

56. Finally the role of members: axiomatically, the best results would ensue if
    an interested and involved membership will take an active interest in their
    super throughout the course of membership, and question information that
    is clearly erroneous. At the most basic level, some information can best be
    provided and checked by members. If section 64 (after tax) contributions
    paid in a year are not shown on member statements, due to the fund’s
    mistake, employer’s error or worse, the member is best placed in terms of
    knowledge and self-interest to identify this and alert the trustee.

57. We all know that traditionally members have been very much unengaged
    with their superannuation. This has clearly changed to some extent with
    the investment market turmoil we have seen in the last twelve months.
    However, it is a significant challenge to encourage member engagement.
    This is an important area for trustees, however, and cannot be put in the
    'too hard' basket. Trustees can clearly enhance data integrity for their
    funds even without significantly increased member engagement but they
    should also be considering (and not just for data integrity reasons) avenues
    to encourage members to take a greater interest in their superannuation.

58. We will cover data management in our prudential reviews, paying special
    attention to trustee processes, IT management and outsourcing. Risk
    assessments and our supervisory stance will then be tailored to include data
    integrity and linked to trustee fitness. Remediation should be agreed on
    suitable time frames. An effective voluntary system to ensure data
    integrity, designed and implemented by an enlightened industry, is
    invariably more effective than a statutory imposition.

The proposed Clearing House
59. The Government initiative to set up a clearing house recognises the
    operational risks to which our generally sound system is exposed. In
    introducing it in November 2008, the Minister for Superannuation and
    Corporate Law, Senator Nick Sherry, noted that the present system is like a
    ‘sprawling city with each house and suburb struggling to develop their own
    water and power distribution networks and then trying to interconnect
    them’. He noted that administration is struggling under frequent policy
        changes and the industry’s massive size. If other industries can compete on
        products and services, yet collaborate on shared services to leverage the
        economies of scale, why can’t super?

    60. A useful by-product of the clearing house system would be increased central
        access to member level data (already available in many other countries)
        that would be useful in industry analysis, targeted policy and separating
        good performers from ‘momentum huggers’.

    61. Noting the success of the good work done by the ATO in integrating the data
        and records of taxpayers, it is anticipated that the initiative will yield

    Competitive advantage
    62. While serious effort needs to be directed by a range of participants to
        improve the system when we still have some time, there is a bright side:
        trustees who proactively ensure data integrity would have a clear
        competitive advantage in terms of marketing. Substantively, their
        operational risk would be significantly lower, resulting in lower costs over

    XI Conclusion
    63. I have highlighted the data risks we face and what we should collectively do
        about them, now. As I hypothesised, the prudential regulator can shift into
        different phases as the occasion demands, and you will note the reluctance
        with which we shift into phase four, if indeed we must.

    64. Our biggest concern is not about the problems which demand hard work. We
        can overcome them, as we have in other areas. The worry is the ‘wise’
        people unshakeably convinced nothing needs to be done or that it is all too

    65. Perhaps Shakespeare might shake them up:
                God give them wisdom that have it,
                And those that are fools [7],
                Let them use their talents.                             - Twelfth Night

    66. Here is wishing the know-alls a healthy dollop of foolishness!

[7] The allusion to ‘fools’ here is as in ‘clowns’, regarded more talented than the merely