Is outsourcing IT worth the compliance risk?

While the feds have certainly put hurdles in place to prevent abuse, outsourcing IT in a highly regulated industry like banking may very well lead to higher standards and quality outcomes.

 Banking has changed since the global financial crisis in 2008. The steady increase in regulations from Washington, the states and international organizations are now impacting IT leaders. As regulators examine vendor relationships and outsourcing arrangements more closely, there is a significant risk that poorly managed IT could trigger an audit finding, a fine or negative publicity. As IT leaders plan to review and renew IT service providers in 2016, here are some of the risks to manage.

The Office of the Comptroller of the Currency (OCC), another key U.S. financial regulator, also published guidance related to outsourcing in 2013. In OCC BULLETIN 2013-29, the organization stated, “The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.” Specifically, the OCC has noted ineffective practices such as entering into outsourcing without a contract and incentivizing a third party provider to “take risks that are detrimental to the bank.” In the view of regulators, rushing into an outsourcing arrangement to cut expenses is likely to trigger unpleasant regulatory attention.

Regulatory trends: increased enforcement, higher standards

Prior to the financial crisis, many regulatory agencies lacked the resources and support to carry out enforcement actions. In recent years, there’s much greater support for regulatory agencies to impose fines and impose other actions on companies who run afoul of regulations.

“Regulators have taken a deeper interest in outsourcing services that have an impact on either the regulatory posture of the organization or on cyber security and cyber-crime,” explains Bala Pandalangat, president and CEO of Centre for Outsourcing Research & Education (CORE), an organization that provides outsourcing advice and training based in Toronto. CORE’s membership includes Deloitte, IBM, Xerox, large banks, universities and law firms such as Torys LLP.

“We see several common mistakes when it comes to outsourcing arrangements,” says Pandalangat. “The number one mistake is viewing risk management is an after-thought. Many deals emphasize the financial benefit of outsourcing at the expense of risk management. If risk management is not built into the contract, costly adjustments may be required to address that concern.”

Country risk and supplier diversity are other areas where mistakes are commonly made. “We have seen certain major financial institutions being caught off guard with severe disruptions during the reason historic floods in Chennai, India,” says Pandalangat. In late 2015, Chennai suffered the heaviest rainfall of a century which disabled the region’s cellular networks, disrupted travel, closed companies and cost injuries and deaths. Having suppliers based in multiple locations and thoroughly understanding disaster recovery capabilities are ways to address this risk.

Looking ahead to the future, increased regulatory expectations are likely. “Some regulators are working with some of the large advisory firms on developing more stringent guidelines,” says Pandalangat. These new guidelines will likely relate to data breaches, security and related matters.

Responding to due diligence requirements: the Infosys perspective

Infosys is one of the world’s largest outsourcing companies and is widely used by many of America’s largest companies, including banks. In some circles, Infosys is controversial because it’s based in India, which suggests the company’s part of the “offshoring” problem. Nevertheless, Infosys is rapidly gaining in popularity. The company has taken a proactive approach to responding to regulatory demands in the financial industry.

“We are seeing greater interest on due diligence activities for new clients and clients who are renewing agreements with us,” explains Dennis Gada, vice president at Infosys. “I view the guidelines on outsourcing from the Federal Reserve and other regulatory agencies as helpful – it clarifies what is expected.”

Continued development of internal training is a major reason for Infosys’s continued success in the highly regulated financial sector. “We have enhanced the training we do on our side. The internal training program shows our teams what is required in documentation, audit requirements and privacy. Before we assign staff to a financial services clients, they have to pass internal tests and certifications,” says Gada.

Increased due diligence in selecting outsourcing providers goes beyond evaluating a provider’s financial viability. “Current and potential clients are looking at our knowledge management processes, our employee background checks process, internal incident reporting process and process to use sub-contractors,” says Gada. IT managers in banking who work with outsourcing providers can ask similar questions to stay in alignment with regulatory expectations.

Beyond cost reduction: the outsourcing trend for the future

The first wave of outsourcing in IT was driven largely by cost considerations. IT leaders saw the potential to reduce staff costs by assignment activities to developing countries such as India. Cost reduction remains an important reason to consider outsourcing. Yet it’s no longer the only consideration: improving productivity and customer service are now part of the mix.

“For a regional bank in the U.S., we are performing part of their mortgage process. Initially, it was a broken process that took a long time to onboard customers. We used a design thinking approach to transform the process. The result: onboarding now takes two days instead of over 30 days,” says Dennis Gada. Such improvements directly improve the customer experience.

“For banking clients, we are also seeing increasing demand for new services. For example, we are getting involved in mortgage origination and KYC (“Know Your Client”) services,” adds Gada. KYC requirements often include verifying a client’s identity, ensuring compliance with anti-corruption laws and ensuring that appropriate services are provided.

Whether you are planning to expand outsourcing or reviewing existing arrangements, take a broad view. Regarding risk, regulators may ask for evidence that you have conducted effective due diligence in selecting and managing the provider. Infosys’s recent work also shows that outsourcing providers are capable of delivering significant productivity gains. Outsourcing IT and other services is a complex decision that deserves careful thought.

Source: CIO-Is outsourcing IT worth the compliance risk?

Outsourcing can be beneficial, but it isn’t magic

Outsourcing business activities has many advantages. It is often cheaper and more efficient than keeping those same activities in house, and can be an easier way to keep up to speed with industry best practice. More importantly, it frees up valuable internal resources that can instead be focused on the things that really matter.

Financial services firms are no strangers to the benefits of outsourcing; by some accounts, they have made use of it for clerical tasks since the 1970s. But since then, it has become ever more prevalent – particularly with the increased importance of IT – and has grown to cover a more diverse range of activities.

Given the size and complexity of the largest financial firms, some of them now have large armies of contractors and subcontractors scattered across the globe. These vendors – who deal with areas from financial crime software through to credit card processing, call centres and risk analytics – can sometimes be a source of mishaps. Both New York-based data vendor Bloomberg and US custodian BNY Mellon suffered high-profile outages due to third parties in 2015, leading to frustration among clients and negative media coverage.

Plenty of other worrying incidents go unreported, however. In a recent conversation with Risk.net, one operational risk manager at a US bank said some of its outside suppliers had been involved in security breaches, while another was found to be in violation of the law. “What we do in those instances is we exit those relationships,” he added.

To some in the consulting world, outsourcing possesses almost magical qualities. But when it comes to risk, outsourcing is no disappearing act. Outsourcing a business activity changes the risk associated with that activity; it won’t cause it simply to vanish. However, this seems to have been the working assumption of some financial firms, which gleefully outsource activities without thinking about the different sets of controls they need to put into place.

Regulators have noticed this. In 2013, the US Federal Reserve Board and Office of the Comptroller of the Currency both issued separate guidance notes for banks on third-party risk. Reflecting the importance of subcontractors, these pieces of guidance even included references to “fourth-party risk”. That means you don’t just have to care about your vendors, but also your vendor’s vendor too.

Some risk managers argue the guidance goes too far. But it seems to have worked. In some cases, US banks have responded by bolstering the teams that manage and monitor their vendor relationships, while others say they have significantly cut the number of third-party providers they use.

Of course, regulators must be careful not to overdo it. Outsourcing is a fact of modern business life: a tool that, if used appropriately, can deliver positive results. There’s no reason to exclude banks or other financial firms from accessing those. But given the vast scale of outsourcing in financial services – combined with some firms’ apparently wilful ignorance – they are right to focus on it.

 

Source: Risk.net-Outsourcing can be beneficial, but it isn’t magic

Growing cyber agenda behind maturing outsourcing market in the Middle East, says expert

Awareness of the increasing risk of cyber attacks is prompting a growing number of organisations in the Middle East to enter into outsourcing agreements in relation to their telecoms networks and systems, an expert has said.

Diane Mullenex, a specialist in telecoms and IT contracts at Pinsent Masons, the law firm behind Out-Law.com, said the trend was reflected in new figures on the size of the outsourcing market across Europe, the Middle East and Africa (EMEA).
“The sourcing market in the Middle East is not as mature as in other parts of the world, owing in part to the fact that there has traditionally been a practice among organisations present in the region to carry out tasks internally or through special purpose vehicles with partner organisations rather than to outsource them,” Mullenex said. “However, there are two main factors that are beginning to shift attitudes towards outsourcing.”
“Firstly, the reduction in the price of oil has brought about price pressures in countries such as Saudi Arabia and forced local administrators to consider ways of making efficiency savings. Outsourcing is a generally accepted way of achieving this. In addition, across the region there are a growing number of public contracts, particularly in areas such as defence, which are being put out to tender as organisations seek to access the latest, most sophisticated and secure telecoms networks and communication systems in light of growing cyber risk they face.”
According to the latest outsourcing index published by the Information Services Group (ISG), the cost of outsourcing and the length of outsourcing contracts are generally falling globally as a result of the move towards greater use of cloud services, digital technology and automation.
ISG said “cloud, digital and automation drive down average award values and contract durations” and that this had been reflected in the fact that it had seen “the lowest annual mega-relationship activity in 10 years” in 2015.
According to ISG, there are 3,114 “active” outsourcing contracts with an annual value of at least €4 million across EMEA. It said the EMEA outsourcing market in 2015 was worth €57.9 billion, up from €35.8bn in 2006.
Although ISG charted a rise in both the volume and value of outsourcing agreements concluded in the final three months of 2015, it said that overall figures for the year showed the market had shrunk compared to 2014. Last year there were 601 outsourcing deals struck in EMEA, down 7% on 2014, and the total annual contract value of those deals was also down 8% on the previous year at €9.4bn.
There was a record high number of outsourcing contracts concluded in the UK in 2015, ISG said. However, it said the total annual value of those deals was down on 2014 figures.
Despite the weaker performance on 2014 levels, the total value of outsourcing contracts concluded in EMEA in 2015 accounted for nearly half of the total value of all outsourcing agreements struck in the world last year (€19bn), according to the ISG figures.
Across the globe, ISG reported a 12% reduction in the value of IT outsourcing contracts concluded in 2015. IT contracts expert Sarah Cameron of Pinsent Masons, the law firm behind Out-Law.com, said this reflects the “continuing shift to smaller deals” being seen in the market.
“Although there are some record counts, the annual contract value is still falling off,” Cameron said. “The bulk of this is down to the fall off in IT outsourcing because of the shift to cloud. This shows the continuing trend of digital transformation disrupting the traditional outsourcing market.”
“There has been a general reduction in recent times of so-called ‘megadeals’, however the ISG research charted the fact that some major deals struck in the latter months of 2015 helped boost EMEA market performance. However, these megadeals were not enough to buck the overall downward trend in the market,” she said.
According to ISG’s report, the average length of outsourcing contracts agreed in 2015 was three and a half years. In 2006, the average contractual period was five years. ISG’s figures also showed that the average annual value of outsourcing contracts put in place in 2015 was €13.1m, down from €19m in 2006. However, the number of outsourcing contracts agreed globally last year was, at 1,445, more than double the 741 deals recorded in 2006.

Source: Out-Law-Growing cyber agenda behind maturing outsourcing market in the Middle East, says expert

Organisations should learn lessons on outsourcing from BT Cornwall case, says expert

Both customers and suppliers can learn lessons on outsourcing from a recent dispute ruled on by the High Court in London.

The judgment issued by Mr Justice Knowles specifically referred to deficiencies in the drafting and governance of an outsourcing deal between Cornwall Council and BT Cornwall.

The ruling highlights some of the dangers inherent in drafting imprecise termination provisions and how to approach the challenge of terminating all or parts of a long term and high value sourcing contract.

In March 2013 BT Cornwall and a consortium led by Cornwall Council agreed a reported 10 year £160m outsourcing contract which provided for a strategic partnership between the parties covering health, transport, communications and public safety services.
However last month the High Court gave the go-ahead to Cornwall Council to terminate that contract after finding that BT Cornwall was in material breach of the agreement. The court ruled that BT Cornwall had failed to deliver services to service levels set out in the outsourcing agreement.

According to the judgment the outsourcing arrangements got off to a bad start with BT Cornwall breaching a service level agreement due to a “backlog of work”. Cornwall Council and BT Cornwall worked to re-baseline the agreement and sought to agree some revised key performance indicators (KPIs).
However in June last year Cornwall Council wrote to BT Cornwall claiming that it had a right to terminate the outsourcing contract after taking issue with BT Cornwall’s performance of its contractual obligations. This prompted BT Cornwall to take the brave step of issuing legal proceedings in an effort to win an injunction preventing Cornwall Council from serving a termination notice.

It is understandable from BT Cornwall’s perspective why it would not want a threat of termination hanging over the agreement given the early investment it was making during a long term service contract. Suppliers often have to invest heavily in long term contracts in order to transition and transform services, thus making a loss in the early stages of the contract, in order to profit during the mid to later stages of the term. Suppliers also wish to recognise revenue under accounting standards and need to consider their insurance arrangements when threats of termination are made.
In considering the injunction application Mr Justice Knowles criticised the arrangements put in place to underpin the outsourcing. He stated that the outsourcing contract itself was “very hard to work with, including by reason of its impractical length, and the imprecision in some of its drafting.” He said that “its oversight and governance arrangements proved inadequate for all parties when things started to go wrong.”

The judge was also critical of the fact that BT Cornwall and Cornwall Council chose “not to call as witnesses senior people who had obviously material evidence to give”, and viewed dimly an email from a BT employee who had, in an email, encouraged one of his operations team to reduce the impact of KPI breaches through the “manipulation” of certain data. Mr Justice Knowles rejected claims that the message had been “a joke” and said instead that “it reflected both a recognition that things were serious and a preparedness to take inappropriate steps to avoid that”.
Lessons to take from the ruling

It is not easy to interpret from the judgment why the judge was so disturbed by the drafting of the agreement. Long term sourcing contracts of the value of this deal between Cornwall Council and BT Cornwall and involving a wide range of services are by their nature complex and long. Government standard form ICT contracts are good examples.
However, it is clear that neither Cornwall Council nor BT Cornwall was particularly well served by the service levels and KPIs which were set out in the agreement.
The service levels did not seem to have incentivised BT Cornwall to improve its performance and quickly led to the company concentrating its attempts on renegotiating the KPIs which it regarded as not “fit for purpose”. In addition, the judge found that one of the KPIs which Cornwall Council had claimed BT Cornwall had breached was in fact not agreed between the two parties.
Suppliers will be particularly concerned to avoid KPIs and service level breaches giving rise to express customer termination rights, without those termination rights being qualified by a contractually agreed remedy period in which those breaches can be corrected.

In this case BT Cornwall found itself in a completely unsatisfactory commercial and financial position as a result of the breach notice served by Cornwall Council at a relatively early stage of the agreement. Suppliers will wish to ensure that service level breaches provide a service credit remedy rather than an express termination right.
In the event that an express termination right is agreed, suppliers will want to give themselves a remedy period or at least some prescribed period during which the customer has the right to serve a termination notice following service of a material breach notice.
In a long term contract a termination right exercisable immediately is justified in circumstances such as a change of control and insolvency events. It is more questionable that a termination right should be exercisable immediately in the case of service level breach even when the breach is serious and repetitive, as was the case in the Cornwall Council/BT Cornwall contract.

Standard provisions requiring a party to serve a termination notice in a period, usually 30 days, from service of the material breach notice were not used in this agreement. It is usually in both parties’ interests to have a period of time to reach agreement following service of a material breach notice, rather than having to gamble on winning a trial before a judge.

In his judgment Mr Justice Knowles was critical of the governance of the Cornwall Council/BT Cornwall outsourcing arrangement. It is clear from the judgment that the provisions used in the agreement did not appear to put enough pressure on both Cornwall Council and BT Cornwall to reach agreement on their disputed issues. One would expect to see quite prescriptive, mandatory problem management and dispute resolution provisions, although this would perhaps not have helped with the concerns the judge raised about the length and complexity of the agreement in this case.

In outsourcing contracts there needs to be clear linkage between governance, service level breach, problem management, dispute resolution and termination provisions; they need to work in harmony and be clear. Customers and suppliers should ask: will the provisions help them reach agreement on issues which are bound to arise in a contract of this nature, or will they simply help one or other party position itself? There is a balance of risk in major outsourcing contracts and the provisions needs to reflect where the real risk in terms of service delivery lies.

Mr Justice Knowles’ comments about the ‘joke’ email should also serve as a reminder to organisations about the potential impact of communications where disputes have arisen.
In difficult situations where parties face issues which are difficult to resolve, email is often used to vent frustration and make inappropriate comments. Judges used to regard email as chatter and not attach the same evidential weight to email as say, an open letter between the parties sent at senior level. This is not the case any more and employees need to use email with considerable care when issues or disputes arise.

Source: out-law.com-Organisations should learn lessons on outsourcing from BT Cornwall case, says expert by Clive Seddon 

Renegotiating Outsourcing Contracts: What Works and Why

As outsourcing decision-makers gird for another year of engaging with IT and BPO suppliers, it is a good time to reflect on what has worked well over the past twelve months and what could be improved. This is as true for outsourcing contracts as it is for everything else in our lives.

The transition from one year to the next is a good time for companies to ask themselves whether their outsourcing relationships remain fit for purpose and whether they are getting the best value for money from their suppliers. If the answers to these questions are negative, then perhaps it is time to renegotiate the contract.

This article considers the reasons parties renegotiate, and best practices for preparing for and conducting a renegotiation.

Reasons to renegotiate

Parties will usually renegotiate coming up to contract expiry. However, there are various reasons why a customer might want to renegotiate mid-term as well. These include:

• Dissatisfaction with the service provided
• Technology issues
• Poor relationship management
• Financial reasons
• Business change

Read more at: Renegotiating Outsourcing Contracts By Caroline Doherty de Novoa

Cloud computing and privacy series: legal issues related to sensitive

This sixth and final article of our cloud computing and privacy series (links to our previous articles below) discusses the legal issues related to the processing of sensitive data and the hosting of health data in a cloud environment.
Directive 95/46/EC (the “Data Protection Directive”) provides for a special regime applicable to so-called ‘sensitive data’. The rationale behind a reinforced legal regime is based on the presumption that the misuse of such category of data “could have more severe consequences on the individual’s fundamental rights”. For instance, the misuse of health data “may be irreversible and have long-term consequences for the individual as well as his social environment”(1).
Considering that cloud computing services and infrastructures are increasingly being used to store and process personal data of such sensitive nature, the present article examines how the processing of sensitive data, and in particular health data, is regulated in the EU as well as in certain Key Member States(2). Although this article addresses the issues of electronic health records, it does not examine the specific issues relating to non-privacy requirements such as provided under criminal law, medical ethics or health legislations or on patients’ rights.
The concept of sensitive (health) data in the EU
Pursuant to Article 8 of the Data Protection Directive, sensitive data concerns “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and (…) data concerning health or sex life”.
As highlighted by the Article 29 Working Party (the “Working Party”) in its Advice Paper on special categories of data (“sensitive data”) of 4 April 2011, Article 8 of the Data Protection Directive has been implemented in similar ways across the EU. However, there are some differences, notably with respect to the categories of sensitive data.
All national data protection legislations in the Key Member States include the data listed under Article 8 of the Data Protection Directive. Some Member States have, however, included additional types of data. For instance, when focusing on health data, we note that the Czech Data Protection Act explicitly includes in the legal definition of sensitive data genetic and biometric data. Similarly, the Polish Data Protection Act includes genetic code, as well as addictions. Also, a few countries explicitly provide for a more detailed list, such as the United Kingdom which refers for instance to “physical and mental health”.
The Working Party admits that health data represents the most complex area of sensitive data and that it displays a great deal of legal uncertainty. Consequently, the proposition to create new categories of sensitive data has emerged. This notably includes the idea of adding genetic and biometric data, but also data of minors or on individuals’ geo-location. As a result of the problems relating to certain categories of sensitive data, and in particular health data, in the national implementation of the Data Protection Directive, the Working Party has encouraged a revision of the current system.

Read more at: Cloud computing and privacy series: legal issues related to sensitive by Bird & Bird

Protecting Privacy Interests In Outsourcing

An increasing number of companies are outsourcing internal functions to provide a significant cost savings and other benefits to the company. While outsourcing can be extremely beneficial, companies must carefully manage the risks created by placing data into the hands of an outsourcing provider. Outsourcing frequently results in a company’s data being stored outside of the company’s firewalls, often in systems managed by the outsourcing provider. Outsourcing can also result in movement of the company’s data to new and different countries, particularly when the outsourcing involves cloud computing.

Placing company data into the hands of an outsourcing provider raises various risks, perhaps none more pronounced than in data privacy and security. New laws and regulations, an increase in technology solutions and providers, and increased cybersecurity threats heighten the concerns in this area. Companies must respond to these increased risks in three key ways, through: (a) security assessments that lead to a comprehensive written data security plan, (b) the careful selection and monitoring of outsourcing providers and (c) well-crafted contractual protections with those providers. This article discusses some of the key considerations for companies to evaluate in implementing privacy and security protections in outsourcing

Read more at: Protecting Privacy Interests In Outsourcing by Rebecca Eisner and Lei Shen