Outsourcing, technology procurement and cloud in Asia: the legal and regulatory essentials

Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials 1 New Operating Models - New Challenges As businesses in Asia grow in scale and complexity, they are increasingly turning to outsourcing and large scale technology procurement, including the deployment of cloud technologies, to support their operations and gain competitive advantage. These initiatives reflect both a maturing of operational strategies for businesses in the region and increasing cost sensitivity: factors giving businesses more incentive to consolidate operating platforms to achieve greater efficiencies and economies of scale and use outsourced service models to support scaling up in new markets. At the same time, electronic data is becoming an increasingly valuable business asset in Asia, as it is elsewhere. “Big Data” doesn’t just mean larger quantities of data – it means higher quality, more useful data derived from increasingly sophisticated analytical tools. With the right investment in technology, it means competitive advantage. A third pressure point is the marked increase in regulation in Asia, including increasingly detailed material outsourcing and procurement regulations in regulated sectors, and the rapid expansion in recent years of comprehensive “European style” data privacy regulation. While much remains possible from a regulatory standpoint, stepped-up regulation is forcing Asia’s regional businesses to evaluate their procurement options more carefully, engage in more rigorous tendering and due diligence processes, manage an increased likelihood of regulatory change and enter into more detailed and complex contractual arrangements in order to achieve compliance. The Challenges for Legal Counsel – Increased Regulation, Increased Risk Legal counsel are faced with a number of challenges in this changing environment, in particular a need to negotiate and manage more detailed and complex contracting structures. This imperative is driven by growth in the scale of business risk, the sophistication of commercial objectives and a need to deal with regulators' increasingly exacting expectations. The consequences of not getting the legal and compliance roles right are increasing in Asia. With greater business automation and increased dependency on IT systems, project failure can be highly visible, both externally to customers and regulators and internally to employees who depend on quality service delivery to get their jobs done. Getting the contractual and regulatory requirements right is taking on a growing importance as a result. How to Prepare? Legal counsel faced with a large scale outsourcing or technology procurement will want to begin with understanding the nature and scope of the project, its objectives and who the relevant internal stakeholders are for the project. Operations, IT and procurement will typically be key stakeholders in sourcing and technology projects, but apart from legal and compliance, HR, finance and tax will often play key roles in assessing risk, inputting to the project business case and formulating a structure for the commercial arrangements that optimise the economic benefits of the project. Early engagement with these stakeholders can be critical. Once the right team is in place, reporting lines and internal approval requirements can be established. Finally, a project management structure that coordinates the various work streams is essential to project success. Regulation, regulation, regulation The impact of regulation on outsourced service models (including but not limited to cloud) in Asia is significant and growing. While industries such as banking and financial services are typically the most heavily regulated, data privacy regulation, employment laws and, more recently, the emergence of cyber security regulation in Asia, have extended regulatory oversight across most if not all fields of business. Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials 2 The Threshold Questions: Can you outsource? Can you use cloud? In the most heavily regulated industries, such as banking and insurance, regulation will typically stipulate that “licensed business” or “core business” cannot be placed into the hands of an unlicensed outsourced service provider. Only a licensed insurance company, for example, can make an actuarial decision to write an insurance policy, not an outsourced service provider acting on its behalf. While these restrictions are most immediately relevant in the business process outsourcing ("BPO") context, heavily regulated industries may also have prohibitions against handing over core systems or data for third party processing, which may impact on the scope to deploy cloud and outsourced IT solutions. There are plenty of "grey" areas on this front, and part of the value in legal input can be in fine tuning a service description to anticipate and address the issues that are front of mind for regulators, such as being clear that business discretion and engagement with customers remain in the hands of licensed businesses and explaining how business data and customer data are secure and remain quickly available to the regulator. Material Outsourcing Regulations Once the threshold question of whether or not the service scope and service model is feasible has been answered in the affirmative, there may be regulations or guidelines that stipulate how the business must evaluate and implement a proposed outsourcing or procurement. The material outsourcing guidelines found in the banking and financial services industries across the region are leading examples. There is a threshold question here as well – is the project a "material outsourcing" or is it not? We are at a stage in which the heightened importance of material outsourcing guidelines to regulators threatens to expand the understanding of a "material outsourcing" into areas that would have in the past been considered ancillary business operations. If material outsourcing guidelines do apply, the focus is typically on risk management, directing the business to carry out an effective evaluation of the service model, the bidding vendors and the agreed contractual terms. Depending on the jurisdiction and the regulator, regulatory approvals or notifications may be required. Completing the regulatory process in good time means effective preparation and anticipating the questions that are likely to come. A framework for compiling the necessary information and linking contractual requirements to the working draft agreements is key to clearing the regulatory process as quickly as possible. We are currently seeing a stepping up of material outsourcing regulations across the region and much closer compliance scrutiny. The Monetary Authority of Singapore (the "MAS"), often seen as a regional leader in policy-making in this area, is consulting on revisions to further strengthen its influential guidelines. The Association of Banks in Singapore has, at the same time, published a set of guidelines that seeks to create a common control audit standard for vendors providing outsourced services to MAS-regulated banks. A further layer of complexity for financial services sector customer organisations is the emergence of recovery and resolution planning ("RRP") legislation, which necessitates a degree of flexibility for transferring and splitting contracts, keeping contracts on foot and a broader issue of ensuring that outsourcing arrangements are consistent with plans agreed with regulators. Data Privacy and Cyber Security Regulation Recent years have seen an explosion of comprehensive “European style” data privacy regulation across the Asia region, with new laws brought into force in China, India, Singapore, South Korea, Taiwan, Malaysia and the Philippines. Existing advanced regimes, such as those in Hong Kong, Australia and Japan have seen a stepping up of compliance requirements, penalties and willingness on the part of regulators to "name and shame". Critically in the outsourcing and technology procurement context, many of these new laws have data export controls that can raise obstacles or impediments to plans to consolidate databases, or at least require that steps be taken to make data exports compliant. At the very least, data privacy regulation will necessitate an assessment of compliance risks and the agreement of appropriate secure processing undertakings with vendors. The dynamic regulatory landscape in this area also means that customer organisations are welladvised to agree terms dealing with the possibility that regulations change, for better or for worse. Cyber security regulation is now gathering momentum in the Asia-Pacific region, adding a further layer of potential regulatory challenge. Data localisation requirements often feature in regulation of this nature, as we've seen in Indonesia's Regulation 82 and the draft Chinese cyber security law, and these requirements can obviously limit the availability of some service models. More broadly, emerging cyber security regulation may come to mandate the use of specific security measures and industry codes of practice. 3 HR Considerations Outsourcings often involve the transfer of employees and the management of redundancies. The customer organisation will want to ensure confidentiality and carefully plan internal communications about the project, but at the same time enable due diligence by the vendor as needed. There are very few "automatic transfer" regimes in Asia that will apply to transfer employment contracts to an outsourced service vendor by operation of law in the same way as Europe's Transfer of Undertakings Directive. As a result, an "offer and acceptance" procedure will typically be needed. The parties will need to agree, amongst other issues: (i) an allocation of responsibility for employer liabilities; (ii) any sharing of funding responsibility for employee benefits and retention incentives; and (iii) contingency planning to address situations in which not all in-scope employees accept their transfer offers. Asset and Contract Transfers It is not unusual for assets and contracts to transfer to a vendor as part of an outsourced service arrangement. The vendor will need to be in a position to conduct due diligence on these assets and contracts, and the parties will need to agree commercial arrangements, including responsibility for any third party consents, tax liabilities and other costs of transfer. Likewise, if premises or facilities are to be made available to a service provider, terms will need to be agreed and documented. Depending on the circumstances, landlord consents and land use permissions may be needed. Structural Considerations Contract structure, particularly in the context of multijurisdictional outsourcings in the Asia region, is critical. Many outsourcing arrangements in the region rely on a master services agreement – local services agreement ("MSA/LSA") structure that involves contracting at a master level (typically backed up with a parent company guarantee) and implementing local "point-to-point" billing through LSAs. LSAs may also be necessary in order to satisfy regulatory requirements. The other key feature of contracting structure that requires careful evaluation is the extent to which the service function is dependent on performance by other vendors. If the outsourcing is a "multi-vendor" solution, then care will need to be taken to ensure that appropriate touch-points between vendors are recognised. It may be desirable to formalise these inter-dependencies through "operating level agreements" ("OLAs") entered into between vendors. Going further, the customer organisation may need to engage an integration manager to co-ordinate service delivery across vendors. As the integration manager will not be operating as a prime contractor with "end to end" responsibility for the other vendors' delivery, there can be difficult negotiations around how the integration manager's performance will be measured and to what extent it bears responsibility for the other vendors. Above all else, the success of multi-vendor delivery models is dependent on there being a well thought out vendor governance structure. The Right Contract Once an outsourcing or large scale technology procurement project kicks off, there is enormous pressure to agree terms quickly. This is particularly so in Asia, where in-house legal, procurement, operations and technology teams tend to be smaller than their counterparts in Europe and America. Getting the right contract starts with the right tendering process. Parallel discussions with a number of vendors will create useful competitive tension that will drive better terms, but these advantages need to be balanced against the fact that extended parallel negotiations are time consuming and may strain customer organisation resources. Requiring bidders to mark up a select set of key legal terms as part of their RFP responses is often a useful middle-ground, providing certainty of negotiated positions on critical issues but without requiring extensive parallel negotiations. 4 Long form agreements should take advantage of unique market conditions in Asia, which can produce more buyer-friendly outcomes. Similarly, market practice in the region tends to produce shorter "long forms" than are seen in the US context, in particular. The Right Price At this stage in market development in Asia, many outsourcings are “greenfield” projects or are implemented without the benefit of quality historical data within the customer organisation that would support volume-based pricing. As a consequence, many services are priced on the basis of either fixed pricing or resource unit- based pricing (whether fixed or variable), often using a fulltime employee equivalent (“FTE”) metric. These pricing models can reward inefficiency, and so are often supplemented with productivity improvement guarantees and commitments by the vendor to move to transaction based pricing within a fixed period of time. Outsourced services that are more commoditised, including cloud services, may be more readily priced on a transaction or usage basis. Third party benchmarking reviews and “most favoured customer” commitments are market practice in Asia for outsourced services, accepting that the relative immaturity of the market may mean that reliable comparator data is limited. In relation to benchmarking, the key for the customer is to have a process which, once activated, runs as quickly and as “automatically” as possible. Breaking the service out into “commodity” elements will help make the benchmarked service more easily referable to comparison data. The Right Service Quality The dynamics around service quality in outsourced services in Asia tend to track the same concerns seen with pricing. If the customer organisation has not maintained reliable historic service quality metrics or if the project is “greenfield”, vendors will be reluctant to commit to binding service level standards from the outset and may request a (baselining period” to validate the specific service scope. Two immediate problems arising from this approach are: (i) How will service quality be addressed during the interim before the baseline service levels are agreed? and (ii) If service quality is left as an "agreement to agree", what leverage will the customer organisation have in future to agree satisfactory service levels and service credits for breach? The answers to these questions will depend on the specific circumstances. It is clear that there must be some binding service quality standard in place from the start and there must be a clear process towards achieving a "steady state" level of service if it is not agreed at the outset. Compliance, Now and in Future As noted in the sections above, outsourced service models, including cloud services, raise significant regulatory issues. These issues will not stop with contract signing. The service arrangements must contemplate the likelihood that applicable regulations will change over time. The extent to which a vendor is held legally responsible for the customer organisation’s own regulatory compliance is typically a matter of fairly intense negotiation. In Asian markets there is, as yet, no concept of regulated third party administrators under which vendors are licensed to carry out regulated service functions. Further, given the relative immaturity of the vendor market in Asia, there is a reluctance amongst customer organisations in regulated industries to leave the interpretation of the customer’s regulation to the vendor. At the same time, customer organisations will nevertheless expect to benefit from vendors' growing experience in this area, and the practical reality that there is economy of scale in implementing changes across their platform for multiple customer organisations. 5 Accountability Outsourcings and technology procurement entail significant risk for customer organisations. While damages and other forms of contractual liability will never be a completely satisfactory remedy from a business perspective, the objective is to make the vendor sufficiently accountable to drive the right risk management behaviours and provide the customer organisation with adequate financial recourse. The approach taken to representations and warranties, service levels and service credits, indemnification and other points of risk allocation should be tailored to the customer organisation’s specific business and its specific compliance and risk management requirements. Limitation of liability is typically an area of intense negotiation. Market practice is generally to permit the vendor to limit its liability to direct losses, subject to key exceptions for indemnified losses and breaches of terms in areas such as intellectual property rights, compliance with policies and applicable laws and confidentiality, and for liability for matters such as gross negligence and intentional breach. Non-financial remedies are also important. Termination is obviously the ultimate recourse, but ending the service may be cold comfort to a customer organisation that has just invested heavily in a new vendor relationship. There is often good reason to construct intermediate remedies that focus on recovering a faltering service arrangement rather than terminating it outright. Step-in rights, under which the customer organisation itself provides or manages the provision of the services, are increasingly common in the Asia market. Other remedies can include a form of third party intervention, such as having an independent consultant review the service delivery arrangements and make recommendations that the vendor must accept and implement. Partial termination may also be useful as a remedy, effectively giving the customer organisation the ability to weed out the underperforming areas of service, but there are risks here too. A halfway solution may leave the customer organisation with yet more trouble, having to integrate in a new vendor and deal with potential diseconomies of scale arising from splitting the delivery platform into two or more pieces. 6 Creative Solutions The Global Financial Crisis has added urgency to the need for businesses to think creatively about how they do business, looking to better utilise assets and resources to generate value and competitive advantage, improve efficiency and cut operating costs. Outsourcing and technology procurement is often associated with these efforts, including: • Joint venture models: A more complex arrangement in which the customer organisation contributes technology, operating procedures, knowledge capital or other IP to a joint venture with the service provider, the objective being to receive a wider economic benefit in addition to the basic benefit of an outsourced service. The critical downside is that the customer organisation will likely be opening its IP up to its competitors and will likely lose at least some control of future development. • Incentives to innovate: Innovation may be encouraged by agreeing concrete incentives for vendors. "Gain sharing", for example, is where the vendor takes a share of any cost reduction derived from service improvements developed by the service provider, ensuring that the improvements enhance the vendor's margins rather than simply reduce its charges. • Transformational outsourcing: Asian businesses are increasingly leveraging outsourcing with a view to bringing about new, transformational ways of doing business rather than simply lifting out a static business function and transferring it to a service provider with a view to achieving a reduction in operating costs. Transformational outsourcing may achieve institutional change more quickly and effectively than trying to manage change internally. Service providers may bring more sophisticated technology and more advanced operating procedures from other contexts. Key Take-aways Outsourcing and large-scale technology procurement (including cloud service models) offer tremendous benefits to Asia region businesses. For legal counsel, these opportunities come with significant challenge and a need for careful planning and evaluation. Key points to bear in mind: • The regulatory constraints on outsourcing are significant and growing: the implications of industry regulation and data privacy, cyber security, employment and tax laws must, in particular, be properly assessed and managed. • Contracting to maximise value and manage risk often gives rise to complexity: There is a distinct need in Asia to contract for change: change in the customer organisation business, group structure and geographic footprint, changes in applicable regulation and change in the market conditions for service. • Creativity can generate its own rewards: The increasing scale of outsourcing and procurement arrangements in Asia generates opportunities to improve how business is done, explore new business and better capitalise on a business's knowledge capital and data. 7 Key Contacts If you would like further information on any aspect of this note, please contact a person mentioned below or the person with whom you usually deal. Mark Parsons Partner mark.parsons@hoganlovells.com T: +852 2840 5033 Hoi Tak Leung Senior Associate hoitak.leung@hoganlovells.com T: +852 2840 5985 This note is written as a general guide only. It should not be relied upon as a substitute for specific legal advice. 8 Note 9 Note www.hoganlovells.com Hogan Lovells has offices in: Alicante Amsterdam Baltimore Beijing Brussels Budapest* Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Jakarta* Jeddah* Johannesburg London Los Angeles Luxembourg Madrid Mexico City Miami Milan Monterrey Moscow Munich New York Northern Virginia Paris Perth Philadelphia Rio de Janeiro Riyadh* Rome San Francisco São Paulo Shanghai Silicon Valley Singapore Sydney Tokyo Ulaanbaatar Warsaw Washington DC Zagreb* "Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses. The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members. For more information about Hogan Lovells, see www.hoganlovells.com. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney Advertising. ©Hogan Lovells 2015. All rights reserved. *Associated offices HKGLIB01#1153701