Issues To Consider When Choosing An Outsourced Partner

Demand for outsourcing is often accelerated during times of global economic uncertainty as businesses seek to initiate cost-saving organisational changes. Most economists are now forecasting a long recovery period in respect of the current tough economic conditions. Therefore the latest market reports are predicting a strong pipeline of outsourcing deals. In this article we look at various issues which businesses must consider when choosing an outsourced partner, together with legislative changes that may be relevant to those service providers seeking to tap into the increased demand for outsourced services.

Outsourcing And FSA Regulation

Many financial institutions regulated by the Financial Services Authority (FSA) use others to provide all sorts of services that underpin their businesses, from IT and communications through to custody of financial instruments. Some of these outsourced services trigger an obligation for the service provider to become FSA authorised in their own right. That said, key services like IT and many call centres do not require FSA authorisation. However, even if the outsourced service provider is not subject to regulation itself, it will need to be familiar with the relevant regulatory requirements, many of which derive from "MiFID" (the Markets in Financial Instruments Directive), implemented in the UK in November 2007. The FSA is extending the scope of the MiFID outsourcing regulations in April 2009.

Service providers need, in particular, to understand the extent to which a customer's arguments "we have to have X because of MiFID" are justified – the institution concerned may be over-stating the requirement. Key points to consider will include whether the service concerned is "critical or important" since a number of detailed provisions kick in for such services, and that the authorised institution will almost certainly take a conservative view of its ability to meet the higher level obligations imposed on it.

Outsourcing And Consumer Credit

Traditional business process outsourcing providers are increasingly looking at new service offerings beyond routine functions such as customer care and support services. One area experiencing particular growth is financial process outsourcing, including services such as claims processing, debt collection, recovery, billing and payment solutions. In offering these new services, the outsourcing provider will be entering the murky realms of the Consumer Credit Act 1974 (the CCA).

The CCA applies not only to lenders and hirers but also to anyone carrying on activities which relate to credit agreements (known as ancillary credit business). This is so even if the activity forms only a small part of the overall business. Since October 2008 (as a result of the Consumer Credit Act 2006) the CCA regime now also applies to debt administrators. This means if a service provider wishes to carry out activities relating to consumer credit agreements on behalf of another person who is the creditor, they will require a licence to do so.

The Consumer Credit Act 2006 also introduced changes to the statutory test of fitness to hold a consumer credit licence. A more rigorous test of fitness is now applied and account is taken of the skills and knowledge that the service provider and the people participating in the business have in relation to the CCA. These providers will quickly need to get up to speed with the unwieldy piece of legislation that is the CCA.

Outsourcing And Public Sector Contracts

For private sector companies who deal with the public sector, the new Remedies Directive (Directive 2007/66/EC) may be of particular importance. The Office of Government Commerce (OGC), the government agency responsible for public procurement law and practice, is currently reviewing how the new Remedies Directive should be implemented in English law. This Directive will potentially have a significant impact on English law, because it requires EU Member States to permit their courts to declare concluded contracts to be ineffective as a remedy for the breach of the public procurement rules. It is currently a basic principle of English contract law that (other than in exceptional circumstances) a concluded contract cannot be undone by the courts, to provide certainty to the parties to that contract.

In the second half of last year the OGC carried out an initial consultation seeking views of stakeholders on how to implement various options provided for in the Directive. Two of the major issues considered in the consultation paper were: (1) whether the consequences of a concluded contract being rendered ineffective by a court should be the retrospective cancellation of all contractual obligations or the prospective cancellation of such obligations; and (2) how to implement the requirement that fines be imposed on the public sector purchaser or the duration of the contract be shortened as additional or alternative remedies to ineffectiveness. In 2009 the OGC proposes to issue a second consultation paper containing a draft statutory instrument implementing the Directive.

At present, a private contractor tendering for a public sector contract has little or no interest in ensuring that the public procurement rules are complied with, because a contract concluded in breach of those rules cannot be attacked. However once the Directive is implemented that contractor will need to be certain that the contract will remain valid for its duration. What was previously seen as something for only the purchaser to be concerned about now becomes a matter of mutual interest.

Outsourcing And Data Protection

Many of the firms turning to outsourcing services will be passing on customer data and it will be important for these firms to remember that this will not absolve them of responsibility for data security. As a data controller, the firm will still need to comply with the seventh principle of the Data Protection Act 1998 (DPA). This states that a data controller must take appropriate security measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction of, or damage to, personal data. The DPA also includes express obligations on data controllers when a data processor processes personal data on behalf of the data controller.

Therefore when choosing a third party outsource provider, a data controller must seek sufficient guarantees in respect of the technical and organisational security measures the outsource provider takes. The data controller must also take reasonable steps to ensure compliance with those measures.

This is highlighted by the FSA Data Security Report published in April 2008. The FSA warned that many financial services organisations were falling substantially short of what is expected of them in safeguarding the security of customer data. One of the most significant findings in the report was in relation to third party outsourcing providers, as the FSA presented a number of examples of good (and bad) practice in relation to third party supplier management.

Whilst the report focused on financial services organisations and their duties under the FSA's Principles for Business, any organisation engaged in IT or business process outsourcing may wish to have regard to the FSA's recommendations. The report highlights the importance of employing a combination of technical and operational measures, suitable pre-contract due diligence (both practical and legal), appropriate provisions in the outsourcing contract and proactive contract monitoring and enforcement. Compliance with these recommendations will not only assist with compliance of the DPA, the recommendations will also assist to protect firms against damages to reputation, given the increasing awareness of data loss in the media today.

Outsourcing And Employment Issues

The Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) continue to pose problems for employers striving to comply with the obligations imposed on outsourcing and business transfers against the necessity for efficient solutions in the recessionary climate. Litigation on correct interpretation continues. The scope of information and consultation obligations was recently considered by the Employment Appeal Tribunal (EAT) in Royal Mail Group Limited v Communication Workers Union UK. In this case, a question arose as to whether or not employers were obliged under TUPE to provide a correct legal analysis of the implications of the transfer during the consultation process. The EAT has clarified, no doubt to the relief of both transferor and transferee alike, that employers are only obliged to provide their view of the legal implications of the transfer and will not be in breach of the obligation to inform and consult if that view is not correct. Whilst this is to be welcomed, it does not provide employers with a defence to not having informed or consulted at all because they did not realise there was a TUPE transfer.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.