Practical tips to mitigate risk when outsourcing

Key provisions and best practice to include in your outsourcing contracts.

As technological capability and complexity increase exponentially, more and more financial services organisations are turning to third parties to help them manage and streamline their business operations. Whilst there are many well-documented upsides associated with digital transformations and other outsourcings, such projects can also constitute a material line item on the balance sheet of an organisation, and where a project goes wrong it has the potential to badly impact the operation of the business.

Key provisions to include in your outsourcing contracts

Financial services organisations operate within a rigorous regulatory framework, including the European Banking Association (EBA) guidelines on outsourcing arrangements and the PRA’s Statement SS2/21 on outsourcing and third party risk management. It is beyond the scope of this article to document them all, however, here are some of the key provisions you’ll need to include in your contracts if they’re deemed ‘material outsourcings’ (you’ll see that most are good practice in any event):

  • Careful service definition: make sure you (and your legal team) know what you’re outsourcing and what you hope to achieve (the rules mandate you include a ‘clear description of the outsourced function’). Are you looking for the service provider to carry on the status quo? Or improve it? Or transform it entirely? Be clear on the current service specification (it takes a fair while to describe a business process, and your lawyers can help you describe what you have, and what you need). Look out for hidden assumptions and dependencies. Consider future-proofing your contract at the outset – we all know how fast technology moves!
  • Payment structure: how are you paying for the services? Are payments milestone-based? If the service provider misses them, do you have a remedy (such as liquidated damages) in place? Do you want or need open book visibility on the service provider’s costs? Do you want to regulate margin or operate a form of gain-share if margin growth exceeds the initial predictions in the financial model? If there is a management layer / service charge, what is this intended to cover?
  • Term, termination and exit: how long should the agreement last? What are the notice periods for renewing or terminating? Do you have a unilateral right to extend? How and when can the arrangement come to an end? Just fault-based, or can you exit early for convenience (sometimes called ‘no-fault’)? If so, expect the service provider to look to recover costs it had invested into the relationship and which it had been looking to recover over the lifetime of the contract. And make sure that the service provider is still obliged to carry on performing services during an exit, but expect to pay for that. Note that the rules require you to consider termination and exit strategies for stressed and non-stressed scenarios.
  • Sub-outsourcing: the contract will need to clarify whether (or not) the sub-outsourcing of a material function is permitted and, if so, under which conditions. You also need to insert requirements on the service provider to (a) disclose, on an ongoing basis, the identity of all sub-outsourced service providers; (b) comply with all applicable laws, regulatory requirements, and contractual obligations; (c) grant the firm, the Bank of England, and the PRA equivalent contractual access, audit, and information rights to those granted to the service provider. You’ll also need to have a contractual right to object to or terminate any proposed material sub-outsourcing which could have significant adverse effects on a material outsourcing arrangement or would lead to a substantive increase of risk.
  • Various other rights: for example, audit rights, reporting obligations, service levels / KPIs against key service lines and requirements for both parties to implement and test business contingency plans. Critical also is ensuring the contract contains provisions to ensure that data owned by the financial services organisation can be accessed promptly in the case of the insolvency, resolution, or discontinuation of business operations of the service provider.
  • Data: are you a ‘controller’ or a ‘processor’, or a hybrid? It’ll all depend on what you do with the personal data, which a good ‘data’ lawyer (we have lots of them) will help you figure out. It is likely that the arrangement will involve the service provider processing data belonging to you or your customers, some of which may be personal data, to which complex legislation applies, such as GDPR and the Data Protection Act 2018. In addition to the general requirement to comply with all laws, the rules require firms to ‘define, document, and understand their and the service provider’s respective responsibilities in respect of any data which is transferred or accessed and take appropriate measures to protect them’. The guidance is quite detailed on extra-contractual requirements, such as: data classification, assurances from third parties, sharing data with third parties, adopting a risk-based approach to data localisation, implementing robust controls for data in transit, data in memory and data at rest, monitoring of insider threats, data segregation, and data deletion policies.
  • The governing law of the contract: it may seem obvious, but we have seen cases where this ‘boilerplate’ provision has been overlooked. There are complex sets of rules to apply if you omit this, and, depending on how the contract is structured and where services are delivered and received, those rules may not work in your favour.

Key best practice provisions when outsourcing

In addition to the above, consider also the following key best practice provisions when outsourcing, some of which overlap with the rules above:

  • Liability: this is an area where lawyers come into their own. What does ‘consequential loss’ mean? Spoiler alert: see the second limb of Hadley v Baxendale (1854), a case which is loved by all good contract lawyers. And does the phrase ‘All indirect and consequential loss is excluded, including loss of profit’, mean that you might be able to recover direct loss of profit? And if it does (or doesn’t), what does that even mean in practice? The courts are reluctant to interfere with a bargain made between businesses – so write in the contract exactly what you mean. And if you’re really backed into a contractual corner, consider a clause exonerating you from liability to the extent that your liability only arises due to an act or omission of the service provider (you can weave in some protective drafting).
  • Intellectual Property and third parties: what IP is each party bringing to the agreement? Is third party IP or infrastructure involved – if so, how is that regulated (does the service provider arrange for this via sub-contracts, or are you required to enter into direct licensing or other agreements)? What about IP created during the agreement? Remember that silence on newly arising IP normally works in favour of the service provider, so if you are paying for new IP to be developed, and you want to own it, make sure that the contract expressly assigns it to you.
  • Employees and pensions: does the transfer of the service or function affect staff dedicated to that function? Those staff may well transfer to the service provider under TUPE, whatever the contract might say. And what about pension arrangements for those staff? And don’t forget that a prudent contract will consider not only TUPE and associated provisions at the start of the contract (entry) but also at the end (exit), whether that’s back in-house or to a new service provider.

Sam Jardine is a partner and Nikhil Shah is a director in the Technology and Data group at Fieldfisher.