Evidence from around Asia indicates that banks and other financial institutions that have substantial information technology and telecommunications service requirements are considering more closely the option to outsource the provision of such services. This article identifies the principal commercial considerations, and legal and regulatory issues, for a bank when preparing for, and negotiating and managing, an outsourcing arrangement.
What is outsourcing?
Outsourcing means different things to different people. It can encompass a broad range of different services. In the context of IT and telecommunications, however, it covers the provision to a user of the services of managing computer, data processing and/or telecommunications network facilities. Outsourcing, as distinguished from facilities management, refers to the situation where a user' s facilities are to be managed off-site, and often involves the migration or removal of existing applications.
Why choose outsourcing?
Outsourcing is typically chosen for a combination of reasons. However, the reasons that are most often cited include:
Many users insist on there being a demonstrable cost benefit, in the absence of which they will not consider outsourcing. In practice, a direct cost benefit can be difficult to establish. Indeed, cost savings alone are generally considered not to be a valid reason to outsource the provision of such business critical services as IT and/or telecommunications.
Improved quality of service
Improved quality of service can be a primary driver for outsourcing. One argument is that better quality of service can be achieved because an external service provider is likely to be more responsive than an internal department. In addition, the service provider, being a dedicated specialist, should have superior expertise in the management of IT and/or telecommunications facilities. Many organisations also find it easier to require a third party service provider to do something which it is bound to do under an arm's length contract, than a fellow employee.
Many banks and financial institutions, for which IT and/or telecommunications are not core business competencies, experience difficulty in recruiting and retaining properly qualified staff. An employer whose core business is the provision of IT and/or telecommunications services (i.e. the service provider) is often better placed to offer relevant career incentives and thereby obtain increased commitment from staff.
Before any outsourcing option can be accurately assessed, the user needs to establish:
(1) how much it pays to "self-provide" the services that will be outsourced; and
(2) the service levels to which those services are "self-provided" .
It is only against these cost comparitors and quality benchmarks that the potential benefits (or not) of outsourcing can be objectively judged.
Transferring contracts, software and equipment
Figures 1 and 2 (below) illustrate the different nature of the contractual relationships that exist where an organisation is "self-providing"services from where it has outsourced the provision of the same services.
In order to move from the "before"position in Figure 1 to the "after"situation in Figure 2, it is necessary for relevant contracts, software and equipment to be transferred from the user to the service provider. Such transfers can be complicated for a number of reasons. For example, software licences are often expressed to be personal to the licensee and/or site or equipment specific. If a third party is to run the software on hardware installed at a different site, even though it may be on behalf of the licensee, a new licence is likely to be required.
In preparation for an outsourcing, therefore, the user should compile an inventory of all assets and agreements that may be subject to the outsourcing, and undertake due diligence to ascertain the extent to which such assets and agreements may be transferred to the service provider and any restrictions that would apply. The timetable for concluding an outsourcing agreement should allow sufficient time for negotiations with suppliers under such agreements (for example, to negotiate the grant of a new licence or consent to the transfer of an existing licence).
The question whether existing third party agreements should be assigned to the service provider sometimes arises. Notwithstanding the position illustrated in Figure 2, it may in practice be preferable for the user to retain such agreements in its own name, but for the service provider to perform obligations under those agreements on the user's behalf. In this way, it is often easier for the user to obtain necessary permissions from the supplier. It will also be easier for the user to regain control of its operations should the relationship with the service provider terminate for any reason.
Outsourcing can raise difficult employee issues, particularly if it will lead to redundancies. The solution will depend on the extent to which the user wishes the service provider either to employ the user's employees or to manage them while they remain employed by the user.
Clearly the user will want to be sure that the individuals who will provide the services have appropriate skills and training, particularly since improved quality of service is often the main driver for outsourcing, and the services agreement should expressly require this. It may also be appropriate for the service provider to guarantee to provide the services of certain named key personnel and for each party to agree not to poach key staff from the other.
If a business, or any part of it, is transferred to the service provider it will be necessary to determine whether this amounts to the transfer of a business as a going concern. Consideration should also be given (as part of due diligence) to whether the transfer of employees will give rise to claims for severance or long service payments, or redundancy claims, since the costs involved will be relevant to the commercial negotiation.
In Hong Kong, the Transfer of Businesses (Protection of Creditors) Ordinance may also be relevant. Failure to give the required notices under this Ordinance may render the transferee (i.e. the service provider) liable for the debts and obligations incurred or arising out of the carrying on of the business by the transferor (i.e. the user).
Define the services precisely
It is essential to define as clearly and comprehensively as possible the services that are to be provided. This is important for both the user and the service provider. It is helpful, and usually possible, to divide the various elements of the services into separate categories. In order to achieve clarity of definition, it is also sensible to combine a detailed technical specification of requirements with a more general description (also in clear terms) of the overall service to be provided.
The user will usually only be concerned that the services (as defined "outputs" of the arrangement) are provided, and will be less concerned with the precise means by which such services (or outputs) are delivered. The services specification should therefore be output-based. For example, if the outsourcing relates to a payroll IT system, relevant outputs might include, for each employee, the payment of the correct amount of salary into the correct bank account on the correct date in each month and the same day mailing of an accurate payslip to the employee s home address. The user will not typically be concerned as to the technical solutions by which the service provider delivers these outputs.
Nevertheless, the services agreement should specify the agreed technical solutions, since pricing will have been determined, at least in part, on the basis of such solutions. Specifying the services to be provided by reference to outputs protects the user in the event of the technical solutions failing, since the services agreement obliges the service provider to deliver the specified outputs. Where the service provider requires information or assistance from the user to enable the service provider to deliver an output (for example, in the payroll IT system, the service provider will need details of the user s employees, their salaries, their bank accounts, their addresses, the salary payment date and changes to any of this information), the information requirement should be stated in the services agreement. A failure by the service provider to deliver an output that is caused by the user's failure to provide the required information will typically be excused.
Having defined the services to be outsourced, it is necessary to agree the standard or level to which such services will be provided. This is often a difficult area in which to reach agreement. Service levels and targets are necessarily specific to each transaction, and each type of service provided, but as a general comment service levels should always be both capable of accurate measurement and realistically achievable.
Typically, users of outsourcing services want to secure a defined set of outputs for a fixed price. While the user "owns" the requirement (to be provided with defined services), the service provider must "own" the solution. The user should accept that, in order to obtain the best possible deal, an outsourcing arrangement must achieve the transfer of manageable risks from the user to the service provider. Without such a transfer, the service provider will not be fully empowered to innovate in order to provide quality services for a price that both delivers value for money to the user and adequately rewards the service provider.
The pricing mechanism should oblige the user to pay only for what it receives in terms of delivered outputs. Input costs should not determine the price paid by the user for the services. The pricing mechanism may also try to incentivise technology refreshment by the service provider during the term of the outsourcing.
Banks and other financial institutions operate in highly regulated industry sectors. Although most banking regulators recognise the value of outsourcing to the institutions they regulate (and to the customers their regulation is designed to protect), and do not object in principle to outsourcing, they are generally concerned to ensure the service provider will implement adequate systems and controls and that customer data will remain secure and confidential after an outsourcing occurs. For this reason, bank regulators in most major jurisdictions have developed guidelines in respect of outsourcing. Set out below is a brief overview of the outsourcing guidelines published by the Hong Kong Monetary Authority ("HKMA"). These are broadly similar to those published by the United Kingdom s Financial Services Authority (" FSA").
The first important consideration, both to comply with the guidelines and as a practical matter, is that an authorised institution that proposes to outsource (whether to an independent third party or to a related entity) should discuss its proposals with the HKMA at an early stage. It should satisfy the HKMA in respect of the HKMA's major supervisory concerns before it implements its plans. These concerns are described out in Section 2 of the HKMA's Supervisory Policy Manual on "Outsourcing" .
Under the HKMA outsourcing guidelines, authorised institutions are required to satisfy the HKMA that:
- they will remain accountable for all outsourced activities;
- they have undertaken comprehensive operational, legal and reputational risk assessments, and have adequately addressed all identified risks before cutover. A similar assessment should be repeated regularly during the term of the outsourcing arrangement;
- they have undertaken appropriate due diligence on the proposed service providers. This should cover the proposed service providers' financial soundness, reputation, managerial skills, technical capabilities, operational capability and capacity, compatibility with the institution' s corporate culture and future development strategies, familiarity with the banking industry and ability to keep pace with developments in the market;
- a binding services agreement will be entered into that clearly sets out the types and levels of services to be provided and the parties' respective liabilities and obligations;
- the arrangement complies with all relevant statutory and common law requirements relating to customer confidentiality and personal data privacy. This will require controls and safeguards to be put in place to protect the integrity and confidentiality of customer information;
- they have effective procedures in place for monitoring the performance of, and managing the relationship with, the service provider;
- contingency plans will be developed, maintained and regularly tested to ensure business continuity;
- access to data by auditors and the HKMA will not be impeded by the outsourcing arrangement; and
- in relation to an overseas outsourcing, they understand the extent, and the authorities, to which they may be compelled to provide information and that customers have been informed of the country in which the service provider is located. The services agreement should preferably be governed by Hong Kong law.
The principles of the FSA guidance are similar to those of the HKMA guidelines. Specifically, the FSA guidance applies to any "material outsourcing". The FSA is concerned to ensure that there is no adverse effect from such an outsourcing. In order to achieve this, licensed institutions must set up the terms of the service provider's appointment properly, monitor the service provider's performance, respond rapidly to performance problems and provide adequate contingency plans.
The HKMA guidelines can be accessed at the HKMA web site at http://www.gov.hk/ the Supervisory Policy Manual icon.
The FSA guidance can be accessed at the FSA web site at http://www.fsa.gov.uk/ under the heading "Outsourcing" .
During the term of a typical outsourcing arrangement, the user is likely to want to modify the services provided. It is essential to ensure that the services agreement clearly sets out, at the very least, the procedure for agreeing changes to the services. Outsourcing is typically a medium- to long-term relationship that should be flexible enough to evolve over time. The services agreement should therefore also address (by providing a practical resolution procedure) the possibility that no agreement will be reached on a service change, either because the user's requirements are unrealistic or because the service provider does not have the necessary resources to implement the change. Such a resolution procedure should allow the user either to engage an alternative supplier to provide and/or to "self-provide" the relevant elements of the service itself if the supplier is unwilling or unable to do so.
Changes to the services will inevitably lead to changes in pricing. The services agreement should establish the principles by which pricing may be changed, although it is unlikely to specify by how much (in exact money terms) prices may change. The experience of many users is that, once the service provider has been appointed, it is adept at gradually increasing the scope of the services it provides (often referred to as "scope creep"). Thus, although additional services are provided, the total cost to the user also increases. It is, however, possible for the services agreement to mitigate the financial impact on the user of scope creep. For example, the parties may agree that software developed for the user by the service provider may be licensed by the service provider to third parties, in return for which the user will be paid a percentage of the licence fees generated.
The way out
It is essential, both for the purposes of ensuring continuity of service provision and of maximising the user's bargaining strength, to establish and agree an exit strategy and the consequences of termination of the outsourcing arrangement before the services agreement is entered into. On any termination (other than at the expiry of the term), the user will face a choice between transferring service provision back in-house and transferring it to a new service provider. In either case, in order to achieve an orderly transfer of service provision, the user will require the co-operation of the first service provider. Such co-operation should be expressly provided for in the services agreement, since it may be difficult to agree once the relationship has deteriorated.
In many respects, the transfer of service provision to a subsequent service provider or back in-house will involve the same issues as when entering into the original services agreement. The process will be made significantly easier by anticipating such issues at the time of negotiating the original agreement, however. For example, in respect of software to be developed by the service provider, the user should guarantee (by means of an escrow agreement) its access to source code in the event of termination. Likewise, any agreements entered into by the service provider in relation to the outsourcing should be drafted so as to include the user's right to require their assignment or novation by the service provider either to a subsequent service provider or to the user in the event of termination of the services agreement.
The nature of even the most straightforward outsourcing transaction is that it involves the complex inter-relationship of legal, commercial and technical issues. Banks and financial institutions have additional regulatory compliance requirements to navigate. There are potential traps in each of these areas into which organisations unfamiliar with the issues can fall. However, with an understanding of where the issues arise and with attention to detail, outsourcing transactions can successfully add value to many business organisations.
An edited version of this article is published in HKIB, March issue.