Financial Law Update
Managing the risk of outsourcing - financial services sector
With ever-greater competition in the financial services sector, financial institutions are increasingly outsourcing non-core business processes and functions in order to find new efficiencies, reduce costs and increase shareholder value. Outsourcing presents particular challenges for financial institutions as regulated entities, as they will remain responsible to their supervisory authorities and customers for the actions of the service providers to whom they outsource, writes Anne-Marie Bohan of Matheson Ormsby Prentice.

Introduction
With ever-greater competition in the financial services sector, financial institutions are increasingly outsourcing non-core business processes and functions in order to find new efficiencies, reduce costs and increase shareholder value. Outsourcing presents particular challenges for financial institutions as regulated entities, as they will remain responsible to their supervisory authorities and customers for the actions of the service providers to whom they outsource. This and other potential exposures can, however, be managed by putting in place a contract that reflects the particular requirements and policies of the business. We look here at some of the principal ways of contractually mitigating the inherent risks of outsourcing from the point of view of an Irish bank or financial institution.

Development of an Outsourcing Contract
Prior to outsourcing any service or function, it is essential to undertake internal due diligence and risk analysis, to identify not only the strategic objectives and priorities for an outsourcing, including the measure of savings that might be realisable, but also to understand in detail the processes and functions that make up the business to be outsourced and the interface between that business and the retained business and functions. Any legal, regulatory and compliance issues that may impose restrictions on the services that can be outsourced should also be considered. Tax and VAT advice should be taken at an early stage.

Service Description and Performance Regimes
The heart of a successful outsourcing is a clear and comprehensive description of the services to be provided, the required service levels, and the associated costs. Where responsibilities are shared (for example, first level support provided by the customer and second level support by the service provider), the demarcation lines should be clearly drawn and any points of necessary interface identified. It is important that the service level or performance regime is properly designed so that it encourages good service on a consistent basis. Service credits or liquidated damages are not, however, a perfect solution to non-performance and have to be constructed with care in conjunction with other mechanisms (such as reporting requirements and escalation, and implementation of remedial plans) designed to identify and mitigate poor performance.

Regulation
A regulated entity's use of outsourcing to achieve its strategic aims does not diminish its ultimate responsibility to ensure that the activity is conducted in a proper manner and in compliance with all applicable laws and regulations. Hence, the regulated entity will need to construct a contract such that its regulatory obligations vis-à-vis the outsourced services are imposed 'back to back' on the service provider, and such that it has appropriate audit and other protective rights to identify and respond to breaches.

Outsourcings in the financial services sector are subject to supervision by the Irish Financial Services Regulatory Authority ('IFSRA'). While IFSRA does not have a formal list of requirements for outsourcings, it has recently applied certain high level principles on outsourcing, including those published by the Committee of European Banking Supervisors ('CEBS'). The Joint Forum of the Basel Committee on Banking Supervision has also published a consultation paper on outsourcing with a view to assisting financial institutions in relation to the implementation of Basel II (and the draft Capital Requirements Directive) and the potential use of outsourcing as a mitigating factor to the capital charge for operational risk. The Joint Forum principles apply to the banking, insurance and securities sectors, and apply whether or not the service provider is a regulated entity.

The concerns of regulators and regulated entities alike, in relation to continued regulatory compliance notwithstanding the outsourcing, are addressed through principles which, at a high level, seek to minimise strategic, compliance and reputational risk by requiring:

Employee related issues
If not managed correctly, outsourcing can cause staff disruption, affecting morale and productivity. Employees engaged in providing the services to be outsourced may have rights under the European Communities (Safeguarding of Employee Rights on Transfer of Undertakings) Regulations 2003. Pursuant to these regulations, employees who have the right to transfer to the service provider are entitled to do so on their current terms and conditions of employment. The regulations also impose an obligation to consult with the affected employees no later than thirty days prior to any transfer, unless not reasonably practicable. While rights under the regulations cannot be contractually waived, the customer and service provider are free to apportion the costs arising from application of the regulations, a common approach which is typically supported by appropriate indemnities.

Data Protection and Confidentiality
Data protection and confidentiality will be critical issues in any financial services outsourcing, as the service provider is likely to have access to personal information about the regulated entity's employees and customers. This results not only in the need to ensure that the service provider undertakes to comply with applicable data protection laws and other regulatory requirements, but may also necessitate examination of those laws and requirements in the context of the outsourcing and service delivery structures. During the tender process and following contract award, the parties will also exchange other confidential information. It is important to put a confidentiality agreement in place with each prospective service provider from the point of first contact and to ensure that suitable obligations of confidentiality continue to bind the chosen service provider during the life of the contract and for an appropriate period thereafter.

Disaster Recovery and Business Continuity
The contract should provide that appropriate disaster recovery and business continuity plans must be implemented and tested by the service provider in accordance with good industry standards to cater for foreseeable events such as systems failure. While it may be reasonable, in certain circumstances, that a force majeure event reduces the liability of the service provider, such events should not amount to an absolute excuse and the contract should specify the mitigating action the service provider is to take in such circumstances.

Liability
One of the most contentious issues in any outsourcing is the allocation of liability and risk between the customer and service provider. The service provider will want the degree of liability it assumes to reflect the reward it is receiving, while the customer may wish to transfer all risk to the service provider. Many of the contractual structures outlined in this article will be effective tools to help the parties to manage the risk in a practical sense. Ultimately, however, a commercial solution, based on a proper understanding of the outsourcing and the conflicting concerns of the parties, will be required, and can usually be found.

Future Proofing and Maintaining Price Competitiveness
As both business strategies and regulatory regimes often change, an outsourcing contract must be flexible. It is, for instance, important to ensure that the contract has sufficient scope for change and that the process of agreeing and implementing change is systematic, with pre-agreed and transparent change cost controls. The charging structure in the contract (volume related pricing, target pricing, time and materials, open book or fixed costs, etc.) should be clearly set out, and should be subject to appropriate audits. Benchmarking and other forms of market testing, indexation and gain-sharing are often used to help maintain value for money.

Termination and Exit Management
From a customer's perspective, it is critical to ensure that there is no deterioration in service levels. Accordingly, in addition to service credits and a dispute resolution mechanism, the customer will need clear termination rights in the event of persistent or material breach of contract, insolvency scenarios, or a change of ownership or control of the service provider. The customer should also consider having a right to terminate the contract for convenience to allow it to downsize or perhaps bring the services back in-house due to a change in business strategy, albeit that such a right usually has a financial price attached.

The question of how the services are transferred back to the customer or to an alternative service provider in the event of termination of the contract is critical. A detailed exit plan, including provisions allowing for the orderly transfer of services, post-exit assistance, staff transfer, assignment of sub-contracts, and ownership and return of equipment, data and intellectual property, should be considered at the outset. Where, for example, intellectual property rights are not assigned, it is particularly important for the customer to agree what rights it will have post termination so it can continue to make use of the intellectual property for at least a transitional period.

Corporate Governance and Contract Management
A number of recent US studies have shown that a consistently absent factor in failed outsourcings is a proper governance and contract management structure. The issue of corporate governance needs to be set out with a jointly appointed management committee, a dispute resolution mechanism, an escalation procedure and other classic signatures of good corporate governance. In-house expertise should be maintained to manage the outsourcing and the cost of such contract management should also be factored into the overall costs.

Conclusion
Major outsourcings differ considerably in both size and complexity, and each outsourcing contract should reflect the unique requirements of the overall business of which it forms a strategic part, as well as requirements of the regulatory framework within which that business operates. Certain fundamental principles are, however, common to all outsourcings, and utilising the governance and operational structures set out in the contract to build a robust relationship between customer and service provider will be critical to a successful outsourcing.

© Matheson Ormsby Prentice 2006

Author Details: Anne-Marie Bohan is a partner in the Banking and Financial Services Group at Matheson Ormsby Prentice. She can be contacted by phone: +353 1 619 9000 or by email: annemarie.bohan@mop.ie. Further information on the firm is available at www.mop.ie


