Macfarlanes hosted a virtual outsourcing forum on 30 September, which brought together lawyers specialising in outsourcing and technology from across Europe. Will Hedges (Partner), Mark Lewis (Senior consultant) and Joy Davey (Senior solicitor) led the session for Macfarlanes. Jimit Arora, Partner at international IT, business process and engineering services adviser, Everest Group, joined us and keynoted on global trends in outsourcing. It was a fascinating session that provided insight into outsourcing trends and key themes nationally and internationally.
While some of the trends were common across countries, there were, inevitably, challenges and differences as a result of local market conditions and legal requirements. An overarching theme is that outsourcings have become increasingly used by businesses in all sectors in the last year to improve operational capability and efficiency, and reduce costs. Covid-19 in particular has driven up price pressure, increased demand for digitalisation and, in turn, resulted in a skilled IT labour shortage. We have seen the balance of power shifting to service providers who are increasingly looking for price increases as a result of a shortage of specialist IT and IT-enabled business talent and increased demand.
As a result of these trends, the key messages for outsourcing customers are that:
- your outsourcing contracts should be as robust as possible to ensure that, for example, service providers cannot unilaterally hike their prices; and
- given the pace of regulatory change, you focus on allocating between you and your provider responsibility for, and the cost of, implementing regulatory changes (often called “changes in applicable law”) in your outsourcing arrangements. This is especially important in the UK and EU regulated financial services sectors.
Here are some of the key trends the group observed.
Regulatory pressures, disguised outsourcing and outsourcing to the cloud
- The impact of regulation on outsourcing arrangements was identified as a major (and growing) challenge. Financial institutions in Europe must navigate a wide range of outsourcing rules and guidance, including the European Banking Authority (EBA) guidelines, MiFID II, AIFMD and Solvency II. These rules and guidance often have widespread implications for financial firms’ business models, as well as their outsourcing arrangements. They also impact outsourcing providers and their approach to contracting in the sector. The operational resilience requirements that will come into force in the UK in March 2022 (implemented by way of SYSC 15A) are another example of the way in which in-scope firms will have to holistically review their business models and their reliance on third party suppliers to support important business services.
- For technology outsourcings, there is a growing challenge in the UK and Europe to identify whether technology-enabled solutions are, in fact, “outsourcing”. Providers often see it otherwise, to avoid regulatory governance or having to accept contractual prime contractor responsibility for what are, in all but name, sub-contractors in outsourcing arrangements. For financial services firms, it is critical to understand if and how these transactions are outsourcings to ensure regulatory compliance.
- Cloud computing raises particular issues. Whatever else it is called, cloud computing can certainly be considered a form of outsourcing; after all, in their rules the EU and UK financial sector regulators refer to “outsourcing to the cloud”. Cloud has in the past not typically been sold and contracted for as an “outsourcing” in the commonly accepted sense, but this needs be reassessed by customers and providers in light of the increasing regulatory focus in this area.
Digitalisation of outsourcing
- There has been a clear move away from labour-arbitrage deals to much more technology-enabled outsourcing: involving platforms, software automation/intelligent automation and AI and machine learning.
- We have seen many first-generation outsourcings to technology platforms and many of our clients have adopted, or are considering deploying, either hybrid or public cloud. We heard that in Ireland, in particular, there has been increasing pressure on retail financial services institutions to review their technology platforms to improve customer experience, bringing with it much consolidation. In the retail banking market, for example, there has been a considerable shake up, with many banks announcing branch closures and moving to online banking. This is in line with a move more widely to banks offering digital services, particularly given the impact of Covid-19.
- There are also many, more familiar, outsourcing transactions in which service delivery is underpinned by public or hybrid cloud, e.g. where platforms or automated processes are hosted in the public cloud. Again, the challenge is often in identifying cloud in the outsourcing supply chain, deciding if it is, in effect, an “outsourcing”, and then whether it is critical or important or material. It can be a challenge for customers to know how to spread and manage risk in cloud computing, given the prevalence of the leading cloud service providers. Regulators in several countries view market reliance on AWS, Microsoft Azure and Google Cloud as a concentration risk and, in the financial services sector, as a systemic risk, too.
More complex third party supply chains
- The move to more complex and extended third party supply chains in outsourcing appears mostly driven by the trend towards digitalisation, and particularly the adoption of specialist advanced technologies like industry specialised analytics, automation and AI and machine learning. This often means that, for customer-side clients, there is a different – and very often smaller, less well capitalised, and overall riskier – set of sub-contractors or “sub-outsourcers” within their technology or business process supply chains. This is often where we come across fintechs in mature financial services firms’ supply chains.
- Identifying and managing more complex supply chains is a regulatory concern. This concern is reflected in the UK’s new operational resilience requirements, the EU’s forthcoming Digital Operational Resilience Act and the EBA guidelines. For organisations in other sectors, there also remains a wider governance issue which comes down to some basic questions: (i) do you know who is in your supply chain? (ii) how material are their technology and related services to your organisation’s operations, risk profile and resilience? (iii) what contractual or practical steps can and should you take to mitigate the likely risk?
- The third party supply chain focus is accelerated by Environmental, Social and Governance (ESG) considerations and the need to satisfy investors and sometimes other stakeholders that ESG principles are maintained throughout the supply chain.