Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials
New Operating Models - New Challenges
As businesses in Asia grow in scale and complexity, they are increasingly turning to outsourcing and large scale technology procurement, including the deployment of cloud technologies, to support their operations and gain competitive advantage. These initiatives reflect both a maturing of operational strategies for businesses in the region and increasing cost sensitivity: factors giving businesses more incentive to consolidate operating platforms to achieve greater efficiencies and economies of scale and use outsourced service models to support scaling up in new markets. At the same time, electronic data is becoming an increasingly valuable business asset in Asia, as it is elsewhere. “Big Data” doesn’t just mean larger quantities of data – it means higher quality, more useful data derived from increasingly sophisticated analytical tools. With the right investment in technology, it means competitive advantage. A third pressure point is the marked increase in regulation in Asia, including increasingly detailed material outsourcing and procurement regulations in regulated sectors, and the rapid expansion in recent years of comprehensive “European style” data privacy regulation. While much remains possible from a regulatory standpoint, stepped-up regulation is forcing Asia’s regional businesses to evaluate their procurement options more carefully, engage in more rigorous tendering and due diligence processes, manage an increased likelihood of regulatory change and enter into more detailed contractual arrangements in order to achieve compliance. The Challenges for Legal Counsel – Increased Regulation, Increased Risk Legal counsel are faced with a number of challenges in this changing environment, in particular a need to negotiate and manage more detailed and complex contracting structures. This imperative is driven by growth in the scale of business risk, the sophistication of commercial objectives and a need to deal with regulators' increasingly exacting expectations. The consequences of not getting the legal and compliance roles right are increasing in Asia. With greater business automation and increased dependency on IT systems, service failure can be highly visible, both externally to customers and regulators and internally to employees who depend on quality service delivery to get their jobs done. Getting the contractual and regulatory requirements right is taking on a growing importance as a result. How to Prepare? Legal counsel faced with a large scale outsourcing or technology procurement will want to begin with the basics, firstly by gaining an appropriately detailed understanding of the business requirements. Of equal importance is understanding and who the relevant internal stakeholders are for the project and who is (or should be) in the project team. Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials2 Operations, IT and procurement will typically be key stakeholders in sourcing and technology projects, but apart from legal and compliance, HR, finance and tax will often play key roles in assessing risk, inputting to the project business case and formulating a structure for the commercial arrangements that optimise the economic benefits of the project. Early engagement with these stakeholders can be critical. Once the right team is in place, reporting lines and internal approval requirements can be established. Finally, a project management structure that coordinates the various workstreams is essential to project success. Regulation, regulation, regulation The impact of regulation on outsourced service models (including but not limited to cloud) in Asia is significant and growing. While industries such as banking and financial services are typically the most heavily regulated, data privacy regulation, employment laws and, most recently, the emergence of cyber security regulation in Asia, have extended regulatory oversight across most if not all fields of business. The Threshold Questions: Can you outsource? Can you use cloud? In the most heavily regulated industries, such as banking and insurance, regulation will typically stipulate that “licensed business” or “core business” cannot be placed into the hands of an unlicensed outsourced service provider. Only a licensed insurance company, for example, can make an actuarial decision to write an insurance policy, not an outsourced service provider acting on its behalf. While these restrictions are most immediately relevant in the business process outsourcing ("BPO") context, heavily regulated industries in particular may also have prohibitions against handing over core systems, business data or customer data for third party processing, which may impact in the cloud and IT outsourcing context. There are plenty of "grey" areas on this front, and part of the value in legal input can be in fine tuning a service description to address the issues that are front of mind for regulators, such as being clear that business discretion and engagement with customers in the promotion of products and services remain in the hands of licensed businesses and explaining how business data and customer data are secure and remain quickly available to the regulator. Material Outsourcing Regulations Once the threshold question of whether or not the service scope and service model is feasible has been answered in the affirmative, there may be regulations or guidelines that stipulate how the business must evaluate and implement a proposed outsourcing or procurement. The material outsourcing guidelines found in the banking and financial services industries across the region are leading examples. There is a threshold question here as well – is the project a "material outsourcing" or is it not? We are at a stage in which the heightened importance of material outsourcing guidelines to regulators threatens to expand the understanding of a "material outsourcing" into areas that would have in the past been considered ancillary business operations. Informed engagement with regulators on these issues can be key. If material outsourcing guidelines do apply, the focus is typically on risk management, directing the business to carry out an effective evaluation of the service model, the candidate vendors and the agreed contractual terms. Depending on the jurisdiction and the regulator, regulatory approvals or notifications may be required. Completing the regulatory process in good time means effective preparation and an ability to anticipate the questions that are likely to come. A framework for compiling the necessary information and linking contractual requirements to the working draft agreements is key to clearing the regulatory process as quickly as possible. Data Privacy Regulations Recent years have seen an explosion of comprehensive “European style” data privacy regulation across the Asia region, with new laws brought into force in China, India, Singapore, South Korea, Taiwan, Malaysia and the Philippines. Existing advanced regimes, such as those in Hong Kong, Australia and Japan have seen a stepping up of compliance requirements, penalties and willingness on the part of regulators to "name and shame". Most critically in the outsourcing and technology procurement context, many of these new laws have data export controls which can raise obstacles or impediments to plans to consolidate databases, or at least require that steps be taken to make data exports compliant.3 At the very least, data privacy regulation will necessitate an assessment of compliance risks and the agreement of appropriate contractual protections with vendors. The dynamic regulatory landscape in this area also means that customer organisations are well-advised to agree terms dealing with the possibility that regulations change, for better or for worse. HR Considerations Outsourcings often involve the transfer of employees and the management of redundancies. The business will want to identify at an early stage any implications for its human resources in order to carefully manage confidentiality and internal communications about the project, to enable due diligence by the vendor and to address the legal and regulatory requirements. The reputational aspects of human resources management should not be ignored. There are very few "automatic transfer" regimes in Asia that will apply to transfer employment contracts to an outsourced service vendor by operation of law in the same way as Europe's Acquired Rights Directive. AS a result, an "offer and acceptance" procedure will typically be needed. The parties will need to agree, amongst other issues: (i) an allocation of responsibility for employer liabilities; (ii) any sharing of funding responsibility for employee benefits and retention incentives; and (iii) contingency planning to address situations in which not all in-scope employees accept their transfer offers. Asset and Contract Transfers It is not unusual for assets and contracts to transfer to a vendor as part of an outsourced service arrangement. The vendor will need to be in a position to conduct due diligence on these assets and contracts, and the parties will need to agree commercial arrangements, including responsibility for any third party consents and related costs of transfer. Likewise, if premises or facilities are to be made available to a service provider, terms will need to be agreed and documented. Depending on the circumstances, landlord consents and land use permissions may be needed.4 Structural Considerations Contract structure, particularly in the context of multijurisdictional outsourcings in the Asia region, is critical. Many outsourcing arrangements in the region rely upon a master services agreement – local services agreement ("MSA/LSA") structure that involves contracting at a master level (typically backed up with a parent company guarantee) and also implementing local agreements to establish local "point-to-point" contracting, mainly for regulatory reasons and to generate tax efficiencies. The other feature of contracting structure that needs to be understood is the extent to which the service function is dependent on performance by other vendors. If the outsourcing is a "multi-vendor" solution, then care will need to be taken to ensure that appropriate touchpoints are established, perhaps with these formalised through "operating level agreements" ("OLAs") entered into between vendors ensuring that they perform dependencies for each other. Going further, the customer organisation may need to engage an integration manager to co-ordinate service delivery across vendors. As the integration manager will not be operating as a prime contractor with "end to end" responsibility for the other vendors' delivery, there is often difficult negotiation around how the integration manager's performance will be measured and to what extent it bears responsibility for other vendors. Above all else, multi-vendor service delivery is dependent on there being a well thought out vendor governance structure. The Right Contract Once an outsourcing or large scale technology procurement project kicks off, there is enormous pressure to reach terms with a vendor quickly. This is particularly so in Asia, where in-house legal, procurement, operations and technology teams tend to be smaller than their counterparts in Europe and America. Getting the right contract starts with the right tendering process. Parallel discussions with a number of vendors will create useful competitive tension that will drive better terms, but there is a need to balance these advantages against the fact that parallel negotiations are time consuming and may strain client organisation resources. Requiring bidders to mark-up a select set of key legal terms as part of their RFP responses is often a useful middle-ground, providing certainty of negotiated positions on critical issues but without requiring extensive parallel negotiations. Long form agreements should take advantage of unique market conditions in Asia, which can produce more buyer-friendly outcomes. Similarly, market practice in the region tends to produce shorter "long forms" than are seen in the US context, in particular. The Right Price At this stage in market development in Asia, many outsourcings are “greenfield” projects or otherwise involve instances in which there is inadequate historical data within the customer organisation to support sophisticated transaction-based pricing for outsourced services (the exception being certain cloud-based services or other "commoditised" services that often have a readily determined transaction price).5 As a consequence, many services are priced on the basis of either fixed pricing or resource unit- based pricing (whether fixed or variable), often using a fulltime equivalent employee (“FTE”) basis for the resource units. These pricing models can reward inefficiency, and so are often supplemented with productivity improvement guarantees and commitments by the vendor to move to transaction based pricing within a fixed period of time. Third party benchmarking reviews and “most favoured customer” commitments are market practice in Asia for outsourced services, accepting that the relative immaturity of the market may mean that reliable comparator data is limited. In relation to benchmarking, the key for the customer is to have a process which, once activated, runs as quickly and as “automatically” as possible. Breaking the service out into “commodity” elements will help make the benchmarked service more easily referable to comparison data. The Right Service Quality The dynamics around service quality in outsourced services in Asia tend to track the same concerns as seen with pricing. If the customer organisation has not maintained reliable historic service quality metrics or if the project is “greenfield”, vendors will be reluctant to commit to binding service level standards from the outset and may request a “baselining period” to validate the specific service scope and the infrastructure available to deliver this scope. Two immediate problems arising from this approach are: (i) How will service quality be addressed during the interim before the baseline service levels are agreed? and (ii) If service quality is left as an "agreement to agree", what leverage will the customer organisation have in future to agree satisfactory service levels and service credits for breach? The answers to these questions will depend on the specific circumstances. It is clear that there must be some binding service quality standard in place and there must be clarity in the process towards achieving a "steady state" level of service. Compliance, Now and in Future As noted in the sections above, outsourced service models, including cloud services, raise significant regulatory issues. These issues will not stop with contract signing. The service arrangements must contemplate the likelihood that applicable regulations will change over time. The extent to which a vendor is held legally responsible for the customer organisation’s own regulatory compliance is typically a matter of fairly intense negotiation. In Asian markets there is, as yet, no concept of regulated third party administrators under which vendors are licensed to carry out regulated service functions. Further, given the relative immaturity of the vendor market in Asia, there is a reluctance amongst customer organisations in regulated industries to leave the interpretation of the customer’s regulation to the vendor. At the same time, customer organisations will nevertheless expect to benefit from vendors' growing experience in this area, and the practical reality that there is economy of scale in implementing changes across their platform for multiple customer organisations. Managing Risk Outsourcings and technology procurement entail significant risk for customer organisations. While vendor liability will never be a complete answer to risk assessment, the starting point is making the vendor sufficiently accountable to drive the right risk management behaviours and provide the customer organisation with adequate financial recourse. The approach taken to representations and warranties, service levels and service credits, indemnification and other points of risk allocation should be tailored to the customer organisation’s specific business, compliance and risk management requirements.6 Limitation of liability is typically an area of intense negotiation. Market practice is in general to permit the vendor to limit its liability to direct losses, subject to key exceptions for indemnified losses and breaches of terms in areas such as intellectual property rights, compliance with policies and applicable laws, breach of confidence, gross negligence and intentional breach. We recommend that the discussions around liability also take into account areas of the contract that entail higher risk for the customer organisation, such as the transition phase, during which operational risk is typically higher. Non-financial remedies are also important. Termination is obviously the ultimate recourse, but there is often good reason to construct intermediate remedies that focus on recovering a faltering service arrangement rather than terminating it outright. Step-in rights, under which the customer organisation imposes itself on the vendor to either provide or manage the provision of the services is increasingly common in the Asia market. Other remedies can include a third party intervention, such as having an independent consultant review the service delivery arrangements and make recommendations that the vendor must accept and implement as an alternative to termination. Partial termination may also be useful as a remedy, effectively giving the customer organisation the ability to weed out the underperforming areas of service, but there are risks here too. A halfway solution may leave the customer organisation with yet more trouble, having to integrate in a new vendor and deal with potential diseconomies of scale arising from pricing services out separately. Creative Solutions The Global Financial Crisis has added urgency to the need for businesses to think creatively about how they do business, looking to better utilise assets and resources to generate value and competitive advantage, improve efficiency and cut operating costs. Outsourcing and technology procurement is often associated with these efforts, including: • Joint venture models: A more complex arrangement in which the customer organisation contributes technology, operating procedures, knowledge capital or other IP to a joint venture with the service provider, so as to receive a wider economic benefit in addition to an outsourced service. The critical downside is that the customer organisation will likely be opening its IP up to its competitors and will likely lose control of future development. • Incentives to innovate: Innovation may be encouraged by agreeing concrete incentives for vendors as part of the outsourcing arrangements. "Gain sharing", for example, is where the vendor takes a share of any cost reduction derived from service improvements developed by the service provider, ensuring that efficiency gains enhance the vendor's margins rather than simply reducing its charges. • Transformational outsourcing: Asian businesses are increasingly leveraging outsourcing with a view to bringing about new ways of doing business rather than simply lifting out a static business function and transferring it to a service provider with a view to achieving a reduction in operating costs. Transformational outsourcing may achieve institutional change more quickly and effectively than trying to manage change internally. Service providers may bring more sophisticated technology and more advanced operating procedures from other contexts. Outsourcing may also force a decentralisation of decision-making that may be helpful.7 Key Take-aways Outsourcing and large-scale technology procurement (including cloud service models) offer tremendous benefits to Asia region businesses. For legal counsel, these opportunities come with significant challenge and a need for careful planning and evaluation. Key points to bear in mind: • The regulatory constraints on outsourcing are significant and growing: the implications of industry regulation and data privacy, employment and tax laws must, in particular, be properly assessed and managed. • Contracting to maximise value and manage risk often gives rise to complexity: There is a distinct need in Asia to contract for change: change in the customer organisation business, group structure and geographic footprint, changes in applicable regulation and change in the market conditions for service. • Creativity can generate its own rewards: The increasing scale of outsourcing and procurement arrangements in Asia generates opportunities to improve how business is done, explore new business and better capitalise on a business's knowledge capital and data.