International Outsourcing Forum - Best Practice in International Outsourcing


Published on

Seminar given to IOF in Dallas, TX, June 2013 on legal, regulatory and contractual best practice in international outsourcing deals, focusing on practical risk management.

Published in: Business, Economy & Finance
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

International Outsourcing Forum - Best Practice in International Outsourcing

  1. 1. Best practice in law and regulation of international outsourcing Mark Lewis, Partner and Head of Outsourcing Practice
  2. 2. Best practice approach to… • Contract structures • Operational risk management • Managing regulatory requirements • Staff transfers • Data security, privacy and data transfers • Managing contractual liabilities Page 2 © Berwin Leighton Paisner
  3. 3. Approach • What is “international outsourcing”? • Focus on international outsourcing, not outsourcing as such • Big points – big messages Page 3 © Berwin Leighton Paisner
  4. 4. Contract structures • Framework contracts and local agreements: risk management gateway #1 • Structures • Location: onshore-nearshore-offshore • Drivers to structure and location • GBS and shared services • Multisourcing: opportunity and operational and legal challenge • Contractual change and flex Page 4 © Berwin Leighton Paisner
  5. 5. Key international outsourcing risks #1 • More pronounced corporate and cultural differences • Local bureaucracy • Inexperienced customer-side management • Language barriers • Time-zone differences • Geographic distance • Continuing compliance with home-country regulation • Compliance with foreign country regulation • Legal effectiveness of contract(s), governing law and choice of courts: risk of overriding local law • Local court systems and processes • Right structure for transaction • Geopolitical and economic instability • Reputational risk for customer organisation • Data sovereignty • Infrastructure issues, e.g. deficient or variable communications, bandwidth, power and/or utilities Page 5 © Berwin Leighton Paisner
  6. 6. Key international outsourcing risks #2 • Quantifying TCO of the outsourcing, e.g. extensive and frequent foreign travel, additional management time, local recruitment and retention • Changes in direct and indirect tax affecting both customer and provider • Actions of local revenue authorities • Exchange rate risk • Restrictions on staff mobility, e.g. immigration/visa rules • Travel disruption, e.g. ash and epidemics Page 6 © Berwin Leighton Paisner • Ready availability of offshore disaster recovery and business continuity facilities • Knowledge transfer from provider to customer • Availability of physical, logical and/or legal protection for IT security and corporate and personal data • Physical, logical and/or legal IPR protection • Performance risk impact. e.g. difficulty managing different business operations, processes and systems in different countries
  7. 7. Operational risk management • Pre-contract Full location, financial, operational, technological, legal and regulatory due diligence – and address in contract • Initial contract stage Transition processes: risk management gateway #2 “Big bang” vs “staggered transition” approach Formal, highly specified, transition phase with specific deliverables, UATs/gateways and timelines, especially in international outsourcing • Contract through-life Audit: contract controls and operation Asset and operational inventory/ deposit Formal, highly specified, central and local governance structures and processes • Contract end Formal, highly specified, pre-agreed exit management terms What gets handed over Regulatory requirements: who does what, and to whom Page 7 © Berwin Leighton Paisner
  8. 8. Managing regulatory requirements • Due diligence Pre-contract, horizon-scanning, and ongoing generic and sector-specific regulation • Generic regulation Tax: direct/indirect, customs and import/export duties Immigration and visas Encryption and technology imports and exports, e.g. China and Hong Kong SAR National security General regulatory approvals for establishment and doing business, e.g. India Country-specific generic regulation, e.g. South African Black Empowerment programme and impact on multi-sourcing and supply chain in outsourcing • Sector specific regulation Financial services: outsourcing and operational risk Country/region-specific sector regulation, e.g. Middle East financial services outsourcing and Sharia-compliant structures and contract terms Healthcare, e.g. HIPAA Utilities and national critical infrastructure • Use local country agreements as necessary Page 8 © Berwin Leighton Paisner
  9. 9. Staff transfers • Understand local resourcing and “outsourcing” models, e.g. Russian and CEE “agency” and “outsourcing” models • Local mandatory regulations in EU – Acquired Rights Directive, 2001/23/EC of 12 March 2001 • Legal and commercial impact on 1st and 2nd and following generation outsourcing • Impact on timing and processes for outsourcing • Implemented differently in EU Member States • Other similar local controls on staff transfers: legal and business practice implications • Undertake detailed due diligence • Understand impact on timetable for outsourcing projects • Allocate specific responsibilities, risk and liability in contract Page 9 © Berwin Leighton Paisner
  10. 10. Data security, privacy, data transfers: the issues • Data sovereignty • Sectorial approach to data security, e.g. financial services, utilities, healthcare • Sectorial “scope creep”, e.g. CPI DSS compliance being applied more widely • Privacy, big data and ethics big news: Bloomberg • New EU data protection regulations will make life more difficult for all outsourcing parties in the EEA • Each EEA country has historically applied data protection, and cross- border data transfer rules, differently • Countries that apply EEA standard to data protection, e.g. Canada, Australia, Switzerland, Israel, New Zealand, Argentina, Uruguay • Other local data protection and privacy regulations, e.g. India Page 10 © Berwin Leighton Paisner
  11. 11. Data security, privacy, data transfers: what to do • Understand how data protection/transfer laws work: “processing” may not be what you think • Do your due diligence and horizon scanning • Understand and plan your data routing or that applied by outsource provider • Make formal and detailed provision in your MSA and/or Local Country Agreements • Allocate specific responsibilities and liabilities, and ensure regulatory compliance through contract, e.g. EU Binding Corporate Rules (BCR) and Model Clauses Page 11 © Berwin Leighton Paisner
  12. 12. Managing contractual liabilities: the issues • Different markets/sectors approach liabilities allocation and liability differently in practice, e.g. financial services BPO/ITO • Sectorial regulatory requirements, e.g. financial services • Different jurisdictional approaches: • legal effectiveness of exclusions and limitations of liability • what kinds of loss are recoverable? • concepts of “direct” and “indirect” loss • Interaction with multi-country MSAs and local country agreements • Claims management and “claims herding” Page 12 © Berwin Leighton Paisner
  13. 13. Managing contractual liabilities: what to do • Get legal advice early in the deal on market, sector and jurisdictional differences in approaches to liability • Understand the insurance position globally and in relevant markets • Allocate liability levels where the greatest risk lies, not necessarily on “universal cap basis” • Be very specific in your MSA and/or local country agreements about what losses are included and excluded, and have drafting reviewed and signed off by qualified counsel Page 13 © Berwin Leighton Paisner
  14. 14. Q&A This document provides a general summary only and is not intended to be comprehensive. Specific legal advice should always be sought in relation to the particular facts of a given situation.