Outsourcing: UK (England and Wales) overview
A Q&A guide to outsourcing in the UK (England and Wales).
This Q&A guide gives a high level overview of legal and regulatory requirements on different types of outsourcing; commonly used legal structures; procurement processes; formalities required for transferring or leasing assets; data protection issues; customer remedies and protections; contracting parties' remedies; dispute resolution; and the tax issues arising on an outsourcing.
Please note: on 23 June 2016, the UK electorate voted to leave the EU. This is likely to have an impact on a number of areas of law discussed in this Q&A. However, at the time of writing, the precise form of the UK's future relationship with the EU was unclear. In view of this uncertainty, the authors have not sought to speculate in detail on the possible changes. Negotiations over the UK's exit are likely to take some time and as a result it may be several years before any changes become law.
To compare answers across multiple jurisdictions, visit the Outsourcing Country Q&A tool.
This Q&A is part of the global guide to outsourcing. For a full list of jurisdictional Q&As, visit www.practicallaw.com/resources/global-guides/outsourcing-guide.
For the rules relating to transferring employees, visit Transferring employees on an outsourcing in the UK (England and Wales): overview.
Regulation and requirements
The Financial Services and Markets Act 2000 (FSMA) and its subordinate instruments constitute the main legislation regulating financial services. The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are the regulators established and empowered under the FSMA and each of them issues rules and guidance. The PRA has responsibility for prudential supervision of banks, insurance companies, building societies, credit unions and certain large investment firms (including responsibility for supervision of these firms' outsourcing arrangements). The FCA has responsibility for conduct of business supervision of all financial services firms (including those prudentially supervised by the PRA, which are therefore "dual-regulated"). The FCA is also responsible for supervision of the outsourcing arrangements entered into by those firms not prudentially supervised by the PRA. A regulated firm cannot delegate or contract out of its regulatory obligations when outsourcing. It must give advance notice to the FCA or PRA (as applicable), or in certain cases, potentially to both regulators, of any proposal to enter into a material outsourcing arrangement and of any material changes to arrangements (see Question 4).
Firms regulated solely by the FCA. For firms that are regulated only by the FCA, the rules on outsourcing are found in Chapter 8 of the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 8). They implement the outsourcing requirements of Directive 2004/39/EC on markets in financial instruments (MiFID) and therefore, subject to detailed application provisions, these rules are mandatory for all investments firms undertaking activities falling within the scope of MiFID. However, SYSC 8 also provides that certain other types of firms should treat the rules as if they were guidance and should apply them in a proportionate manner, taking into account the nature, scale and complexity of the relevant firm's business. Although guidance is not binding on firms, the regulators attach considerable importance to the maintenance of adequate systems and controls. It follows that firm that is subject to FCA prudential regulation and is considering a material outsourcing arrangement should understand the potential scope and application of the SYSC 8 rules and, where they apply, ensure that the outsourcing complies with the rules and/or guidance.
Central to the rules are specific requirements in relation to the outsourcing of critical or important functions. A function is deemed to be critical or important if a defect or failure in its performance would materially impair:
The firm's financial performance.
The firm's ability to comply with its conditions of authorisation and regulatory obligations.
The soundness or continuity of its services and activities.
SYSC 8 guidance also provides that, when outsourcing functions that are not critical or important, firms should take the SYSC 8 rules into account in a manner proportionate to the nature, scale and complexity of the outsourcing.
SYSC 8 rules impose requirements on, among other things:
The due diligence to be undertaken in relation to a proposed supplier. For example, the outsourcing firm must ensure that the supplier has the ability, capacity and any authorisation required by law (including, if necessary, authorisation by the FCA and/or PRA) to perform the outsourced functions, services or activities reliably and professionally.
The outsourcing contract's terms.
The basis on which the regulated firm should supervise the outsourced functions and manage the risk of the outsourcing.
Additional requirements apply to those regulated firms that outsource portfolio management for retail clients to a supplier in a non-European Economic Area (EEA) state.
The position in relation to dual-regulated firms is more complicated. The PRA rulebook is divided into a number of different parts, depending upon the activities of the dual-regulated firm and the regulatory regime to which it is subject. For example, part of the PRA rulebook contains specific rules for banks and other firms that are subject to Regulation (EU) 575/2013 on prudential requirements for credit institutions and investment firms (Capital Requirements Regulation), while another part contains rules for insurers that are subject to Directive 2009/138/EC on the taking-up and pursuit of the business of insurance and reinsurance (Solvency II Directive). The specific outsourcing rules that apply to each particular type of firm are set out in each separate part.
Broadly speaking, the PRA requirements are typically similar to those found in SYSC 8 in the FCA handbook, although firms should always check the detailed technical rules as there is some variation between firm types.
The FCA has indicated that in certain situations, a dual-regulated firm (and in particular, certain insurers) may be subject to both FCA and PRA rules in relation to outsourcing. In the FCA's view, this is possible because the relevant FCA rules relate to conduct requirements and are not otherwise inconsistent with the PRA's requirements. Dual-regulated firms should therefore always have regard to the detailed application provisions in both the FCA handbook and the PRA rulebook when determining the outsourcing obligations to which they are subject.
Therefore, for a regulated financial services firm, some of the issues discussed elsewhere in this chapter (for example, service levels (see Questions 11 and 12) and contractual terms (see Questions 13 to 26) are subject to a regulatory overlay and the regulated firm will have to consider the effect of the rules and guidance in SYSC 8, and/or the relevant provisions within the PRA rulebook. In addition, certain firms (for example, Solvency II insurers), will also need to consider the application of directly applicable requirements in EU legislation.
It should be noted that financial services is an area of law that may be affected by the UK leaving the EU.
There are no additional regulations relevant to a business process outsourcing.
IT and cloud services
There are no additional regulations relevant to the outsourcing of an IT system.
There are no additional regulations relevant to the outsourcing of telecommunications/services beyond those mentioned in the answer to Question 3.
Depending on the nature of the contract and its value, a public-sector outsourcing can be subject to UK regulations that implement EU public procurement Directives. If so, the awarding authority can be required to:
Advertise the contract in the Official Journal of the EU and follow special procedures.
Ensure that all bidders are treated equally.
The EU public procurement rules are likely to have a significant effect on the:
Timing of the pre-contract procedure.
Award criteria adopted.
Duration of the outsourcing contract (see Question 22).
Even where an outsourcing by a public body falls outside public procurement legislation, the awarding authority should still generally seek to comply with the spirit of the legislation (OJ C179/2, 1 August 2006). In addition, UK private finance initiative (PFI) legislation applies to certain public sector outsourcing arrangements.
Other laws and guidance can also be relevant, such as the:
Treasury Decision Map Guidance for Procurement.
Detailed guidance published by the Crown Commercial Service.
Local Government Acts 1999 and 2000, and local government standing orders.
Freedom of Information Act 2000.
Human Rights Act 1998.
UK legislation implementing Directive 2007/66/EC, amending Directives 89/665/EEC and 92/13/EEC, with regard to improving the effectiveness of review procedures concerning the award of public contracts.
New EU Directives on public procurement were adopted in February 2014 and have been implemented in the UK. These included new rules on concession contracts, under which the outsourcing provider is given the right to exploit works or services forming the subject matter of the contract. An example would be the outsourcing of the operation of a leisure centre by a public body to a private sector provider, with the latter being remunerated primarily by charging entrance fees to the public (rather than being paid a management fee by the public body). Although the new rules introduce a number of changes, their key relevance as regards outsourcing remains as stated above.
It should be noted that public procurement is an area of law that may be affected by the UK leaving the EU.
Any prospective supplier or customer should always ensure that a proposed outsourcing is not subject to additional regulatory requirements in other sectors.
Outsourcing covers an extremely broad range of sectors, many of which are subject to sector-specific regulation, such as requirements for licences or authorisations. Therefore, it is not possible to give a brief but comprehensive overview of this. However, for the UK, the sectors listed below are subject to industry-specific regulation. The main relevant regulator is stated in brackets (UK regulators' websites usually contain guidance on regulatory requirements for businesses active in that particular sector):
Aviation (Civil Aviation Authority).
Consumer credit (FCA).
Education and childcare (Ofsted).
Financial services (see Question 2).
Food (Food Standards Agency).
Gambling (Gambling Commission).
Health and social care (Care Quality Commission).
Medicines and medical devices (Medicines and Healthcare Products Regulatory Agency).
Pensions (Pensions Regulator).
Premium rate telephone services (Phonepay Plus).
Rail (Office of Rail Regulation).
Road transport (Driver and Vehicle Standards Agency).
Security services (Security Industry Authority).
Telecommunications, broadcasting and postal services (Ofcom).
Water and sewerage services (Ofwat).
This is not an exhaustive list. Depending on the activities of the outsourcing services provider, licences, permits or approvals can also be required from numerous other bodies such as local authorities, the Health and Safety Executive (in respect of, for example, handling certain chemicals) or government departments (for example, Ministry of Defence approval can be required to carry out certain defence-related activities).
It should be noted that a number of the areas listed above may be affected by the UK leaving the EU (including aviation, energy, financial services, food, medicines and medical devices, pensions, telecommunications and water and sewerage services).
Firms regulated only by the FCA must give notice to the FCA before entering into, or significantly changing, a material outsourcing arrangement. Firms that are also regulated by the PRA must normally notify the PRA instead, but due to the possible application of concurrent FCA and PRA outsourcing rules (for example, in relation to certain insurers), in certain circumstances they could be required to notify both the FCA and the PRA. Although no period of notice is specified, the appropriate regulator expects firms to discuss matters with it at an early stage, before making any internal or external commitments.
Failure to give this notice to the appropriate regulator is likely to amount to a breach of the rule requiring a firm to be open and co-operative with its regulator. Both the FCA and the PRA have various enforcement powers at their disposal, including the power to impose an unlimited fine (see Question 2).
Regardless of the industry sector, it may be necessary or advisable in certain circumstances to notify an outsourcing arrangement to the relevant authorities under EU or UK merger control legislation. EU merger control is beyond the scope of this chapter, but if an outsourcing agreement falls within the scope of Regulation (EC) 139/2004 on the control of concentrations between undertakings (Merger Regulation), then it must be notified to the European Commission and implementation of the transaction must be suspended pending clearance. The UK authorities will not be able to apply national merger control (subject to certain exceptions which can allow for a "reference back" of some or all aspects of the transaction). See Transactions and practices: EU Mergers and acquisitions ( www.practicallaw.com/4-107-3705) for further information regarding the EU merger regime.
It should be noted that merger control is an area of law that may be affected by the UK leaving the EU.
UK merger control
Where an outsourcing is not subject to the Merger Regulation, UK merger control legislation can apply (Enterprise Act 2002). This only applies where both:
Two or more "enterprises" cease to be distinct.
One of the two jurisdictional tests set out below is satisfied (in which case consideration should be given to whether the transaction should be notified to the Competition and Markets Authority (CMA)).
Notification is not compulsory but completion without the CMA's approval entails certain risks, including the possibility that the outsourcing service supplier can subsequently be required to sell all or part of the business acquired and the contract can be terminated.
According to CMA guidance, an outsourcing arrangement is likely to satisfy the first point above only if the arrangement involves the permanent (or long-term) transfer of assets, rights and/or employees to the outsourcing service supplier and where those transferred elements can be used to supply services other than to the original owner/employer.
The second point above will be satisfied where either:
The UK turnover of the part of the customer's business being outsourced exceeds GB£70 million.
As a result of the transaction, the supplier and the part of the customer's business being outsourced together supply 25% or more of all the goods or services of a particular description supplied in the UK (or in a substantial part of it). This test can be easily satisfied on the basis of a narrow description of services (it need not be a viable market in economic terms).
Joint ventures and merger control
In circumstances where the customer and supplier set up a joint venture (see Question 5), the analysis as to whether merger control applies can be different. See Transactions and practices: UK Mergers and Acquisitions and Transactions and practices: EU Mergers and acquisitions for more information.
Description of structure. The simplest structure is a direct outsourcing (that is, an outsourcing contract between the customer and the supplier). This can comprise one or more separate contracts dealing with core issues (for example, price and duration) with detailed schedules that set out:
The staff and assets transferred.
The services provided.
The consequences of failing to meet service levels.
If the proposed supplier is not the main trading entity within its group, or does not have sufficient assets to meet its potential contractual liabilities, the customer can require a parent company guarantee.
The structure is more complex if the customer procures services on behalf of itself and its group companies. Generally, the customer either:
Enters into the outsourcing contract as agent on behalf of its group companies.
Includes a third-party rights clause to ensure its group companies have directly enforceable rights under the contract.
A supplier should consider including specific contract provisions that control multiple actions by the customer and its group companies, and ensure that its liability limitations and exclusions apply to each and all of them.
If the supplier intends to use subcontractors, the customer can require:
That the supplier notifies it of the choice of subcontractor.
That the supplier remains liable for its subcontractors' acts and omissions.
A right to veto particular subcontractors.
A right, if the supplier suffers a certain level of financial distress, to pay subcontractors directly and/or require contracts with key subcontractors to be assigned to the customer.
Advantages and disadvantages. Direct outsourcing arrangements allow the customer to streamline its operations and take advantage of economies of scale achieved by a large supplier. By retaining a third party to take care of non-core operations, the customer will be better able to focus on the core areas of its business. Many of the potential issues associated with outsourcing are dependent on the sector in which the customer operates and the activities being outsourced. For example, quality control is vital to protect against reputational damage sustained as a result of poor service in call centres. The customer may also find additional obstacles presented by the costs associated with the physical transfer of the services and ongoing costs such as travel and cross-jurisdictional advice.
Description of structure. The customer enters into contracts with different suppliers for separate elements of its requirements. The issues are generally similar to those experienced in a direct outsourcing (see above, Direct outsourcing) but, in addition, the customer must ensure interfaces between the different suppliers are carefully managed to encourage the seamless provision of an overall service (sometimes referred to as "Service Integration and Management" or SIAM). This will usually involve requiring suppliers to participate in a common governance process involving, for example, regular meetings of all parties and an escalation procedure designed to resolve differences/disputes. The customer may also wish to impose contractual obligations on suppliers to co-operate with one another.
Advantages and disadvantages. The structure shares similar advantages and disadvantages to direct outsourcing, but the need for effective interfacing between the various suppliers can add layers of cost and complexity. One advantage can be avoiding over-reliance on a single supplier (but only where identical services are sourced from several different suppliers). Another advantage can be that individual contracts can be lower value and shorter (as compared with a contract with a single supplier, where the provider may insist on a longer minimum term and incorporate a premium for managing its own subcontractors).
Description of structure. This is similar to a direct outsourcing (see above, Direct outsourcing), except that the customer appoints a supplier that immediately subcontracts to a different supplier. Often, the second supplier is located outside the UK, and the first supplier is UK-based.
Advantages and disadvantages. The structure shares similar advantages and disadvantages to direct outsourcing, but it is potentially harder for the customer to police the activities of, and enforce its rights against, the overseas supplier. The resulting level of management and risk-sharing can erode some of the potential cost savings.
Joint venture or partnership
Description of structure. The customer and the supplier set up a joint venture company, partnership or contractual joint venture, perhaps operating in an offshore jurisdiction.
Advantages and disadvantages. Advantages of this structure include the following:
Customer has a greater degree of control than in other models.
Customer benefits from the supplier's knowledge and credibility.
Customer shares in profits generated by third-party business that the joint venture conducts.
Structure is easier than others to transfer to a new supplier or take back in-house on termination.
However, the joint venture structure is complicated and expensive to set up and maintain.
Description of structure. The customer outsources its processes to a wholly-owned subsidiary, taking advice from local suppliers on a consultancy basis.
Advantages and disadvantages. This gives the customer direct operational control and can have tax benefits in appropriate jurisdictions. However, there will be significant upfront set-up costs and risk cannot pass to a third-party supplier.
Build operate transfer
Description of structure. The customer contracts with a third-party supplier (perhaps overseas) to build and operate a facility. The supplier then transfers the facility to the customer.
Advantages and disadvantages. This is a relatively low-risk model but can be expensive. The customer can ask the supplier to operate the facility in the longer term.
The process is typically as follows:
Initial due diligence.
The customer (and/or its advisers) draws up a specification of the business to be outsourced and identifies potential suppliers. This usually involves the customer conducting due diligence on the function to be outsourced (and any relevant IT), which gives it a clear idea of its requirements, and reduces the potential for having to widen the scope during the tender exercise. It can also conduct some degree of due diligence on potential suppliers (for example, their probity and financial strength, and a review of reference sites).
Request for information
In the UK, a customer can send a request for information (RFI) (often called a request for proposal (RFP)) to potential suppliers. Generally, this briefly outlines the areas the customer is considering outsourcing and asks questions relating to the supplier's capabilities and competence.
Invitation to tender
In addition or as an alternative to an RFI, the customer can send out an invitation to tender (ITT) (often called a request for proposal (RFP)) and invite responses. The customer should include in the ITT:
All information that it considers the supplier needs to make a bid.
A clear and detailed statement of the service requirements.
Preferably, a draft contract on which it invites the supplier to comment.
The customer assesses the responses and shortlists a small number of possible suppliers. The customer should establish its evaluation criteria at an early stage. The supplier's capacity and ability are likely to be assessed at this stage.
Negotiation and further due diligence
After shortlisting, more detailed negotiations begin. Generally, the potential supplier(s) carry out some degree of due diligence. Work streams are established to conduct commercial, technical and legal negotiation. It is important that these work streams are closely co-ordinated.
The customer can conduct negotiations with:
Several short-listed parties (this can be complex and costly).
One preferred bidder (which risks loss of competitive tension in negotiation).
Either party can carry out further due diligence after contract signature as part of the contract process to establish a baseline against which service provision can be measured.
Transferring or leasing assets
Formalities for transfer
Transfer of title to immovable property in England and Wales must be in writing and, in most cases, requires registration at the Land Registry. Where the asset is a lease or licence, the consent of the landlord or licensor can be required. Where the property is charged to secure debt finance, the consent of the lender is usually required. The transfer of title to immovable property outside England and Wales will be governed by the formalities of the relevant jurisdiction.
IP rights and licences
A transfer of UK IP rights generally must be in writing and can require registration of the transfer at the UK Intellectual Property Office, depending on the rights involved.
The transfer of IP licences should be by written consent (where the licence is expressed to be personal or there is an express restriction on assignment). Particular attention is needed where the licence is held in the name of another group company. Where this is the case, approval should be obtained at an early stage.
Formalities for transferring non-UK IP rights tend to be similar, but important details may vary from the above and appropriate advice should be sought.
It should be noted that IP is an area of law that may be affected by the UK leaving the EU.
A written assignment is usually sufficient to transfer movable property for evidential purposes. Where assets are leased, the transfer can require the counterparty's consent.
The assignment of key contracts must be effected in writing. Any contract to be transferred should be identified at an early stage and its terms reviewed to identify whether assignment is possible without the counterparty's express consent. Alternatively, if the terms of the contract permit, the customer can retain ownership of the contract and allow the supplier to supply the services to the counterparty as agent of the customer on a "back-to-back" basis.
As with the transfer of any contract or licence, consideration should be given as to whether the burden of the contract should also transfer to the supplier, either by:
Express indemnity (which leaves some residual risk with the transferor).
UK legislation imposes controls on the export of certain goods such as technology which can be used for military or paramilitary purposes. In such cases a licence may be required to facilitate the transfer of assets to a provider based outside the UK. However, in practice, it is unusual for outsourcing transactions to be affected by these controls.
Data and information
There are no formalities as such for the transfer of data and information; instead contractual provisions are included for providing access to such data or information, and regulating how it is used. If there is copyright in the data or information which is transferred, then the copyright will have to be transferred in writing as referred to above. See Question 10 about dealing with overseas transfers of personal data.
It should be noted that data protection is an area of law that may be affected by the UK leaving the EU (see Question 10).
Formalities for leasing or licensing
All leases of immovable property in England and Wales must be in writing, signed by all parties and must incorporate all the agreed terms in one document. It is advisable, although not a legal requirement, that licences of immovable property should also comply with these formalities. Leases of more than three years must also be executed as a deed and those for more than seven years must be registered at the Land Registry. The consent of any superior landlord or lender can be needed. Leases or licences of immovable property outside England and Wales will be governed by the formalities of the relevant jurisdiction.
IP rights and licences
Licences of registered trade marks must be in writing and signed by the licensor. In relation to other IP rights, a written agreement should be entered into as a matter of good practice. It is usually advisable (but not a legal requirement) for an exclusive licensee of registered IP rights (such as patents or registered trade marks) to register the exclusive licence with the UK Intellectual Property Office. For the leasing or licensing of existing licences, see below, Key contracts.
It should be noted that IP is an area of law that may be affected by the UK leaving the EU.
A written lease should be entered into as a matter of good practice to record the terms agreed.
The concept of a contract being leased or licensed is not generally recognised under English law. In practice:
Rights under a contract can be assigned (subject to consent where necessary).
Rights and obligations can be novated.
A third party can exercise rights or perform obligations as an agent or subcontractor of the contracting party.
Therefore, good practice dictates that the customer should:
Make a written contract that clearly categorises the basis on which it is "leasing" the contract to the supplier.
Consider the need for counterparty consent.
Offshoring. See Question 7, Offshoring.
Data and information. There are no formalities as such for the licensing or leasing of data or information, except where there is IP in the data, such as copyright, in which case a written agreement should be entered into as a matter of good practice. Consideration should also be given to the inclusion of confidentiality obligations on the recipient of the data or information (see Question 10).
It should be noted that data protection is an area of law that may be affected by the UK leaving the EU (see Question 10).
Transferring employees on an outsourcing
On an initial outsourcing, if the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) apply, the customer's employees who are wholly or mainly assigned to the service being outsourced automatically transfer to the supplier. On a change of supplier, employees working on the outsourced service transfer from the existing supplier to the new supplier. TUPE also applies where the outsourcing terminates and the customer brings the services back in-house.
Change of supplier
On a change of supplier, employees wholly or mainly assigned to the outsourced service transfer from the existing supplier to the new supplier.
TUPE also applies where the outsourcing terminates and the customer brings the services back in-house. In this situation, the employees of the supplier who are wholly or mainly assigned to the outsourced service transfer to the customer. It is not possible to contract-out of TUPE. However, in practice, it is common for the financial liabilities for transferring employees to be apportioned in the outsourcing contract between the customer and supplier.
For more information on transferring employees on an outsourcing, including structuring employee arrangements (including any notice, information and consultation obligations) and calculating redundancy pay, see Transferring employees on an outsourcing in the UK (England and Wales): overview ( www.practicallaw.com/9-571-0326) .
It should be noted that employment (including TUPE) is an area of law that may be affected by the UK leaving the EU.
Data protection and secrecy
Data protection and data security
General requirements. Under the Data Protection Act 1998 (DPA), which implements Directive 95/46/EC on data protection, issues can arise in relation to:
Transferring and processing employees' personal data.
Ensuring that the supplier acts in all other respects (that is, other than in relation to its own staff) purely as a data processor; for example, that it applies sufficient security to other personal data (such as data relating to individual clients of the customer) and uses it only for the purposes that the customer permits (Seventh Data Protection Principle (DPA) (Seventh Principle)). Where the customer takes on the role of data controller, as is usually the case in outsourcing arrangements, then under the DPA it is the customer, as data controller, who will be liable for any breaches of the DPA by the supplier as data processor.
Due diligence. The DPA also contains pre-contract obligations (for example, regarding how due diligence on the supplier and transferring employees is carried out). Employees can use an alleged DPA infringement to try to delay or frustrate an outsourcing negotiation.
Mechanisms to ensure compliance. The contract documentation generally deals with the requirements outlined above under "General Requirements", usually by including an undertaking by the parties to comply with the terms of the DPA. The wording also usually reflects the text of the Seventh Principle, in relation to the supplier's obligations as data processor. In some cases, the contract may also provide for additional measures designed to support compliance, such as a right for the outsourcing customer to carry out an audit of the supplier's processes (see below, Confidentiality of customer data), or indemnification for breach of the compliance undertaking.
Overseas transfers. Where personal data is to be exported for processing by the supplier outside the EEA, issues arise under the Eighth Data Protection Principle (DPA) and the parties may need to put in place additional measures to ensure that the export is permitted. The most commonly used mechanism to ensure compliant transfers outside the EEA is to put in place contracts with the supplier incorporating model terms approved by the European Commission. In some cases, alternative mechanisms may be available but this will depend on the specific circumstances of the outsourcing.
For example, some non-EEA countries are regarded as "safe destinations" for personal data because their own national law offers an equivalent level of protection to that available in the EEA. In other cases, suppliers may have obtained approval from European data protection regulators for binding corporate rules which allow them to export data to other group companies based outside the EEA, without the need for specific contractual arrangements governing the transfer.
In addition, where data is to be exported to a third country such as the US (which offers more limited protection to personal data in its national law), compliant transfers may be achieved where the transferee utilises the European Commission's authorised model contractual clauses which contain obligations on the data exporter and the data importer to ensure the transfer complies with Directive 95/46/EC on data protection (Data Protection Directive). In 2015, another mechanism for transferring personal data to the US, known as the "Safe Harbor" scheme, was held to be invalid. It has since been replaced with a new EU-US agreement known as "Privacy Shield". However, at the time of writing, doubts remained as to whether this new arrangement adequately addressed the concerns raised in the ruling of the Court of Justice of the EU on the "Safe Harbor" scheme.
Sanctions for non-compliance. The UK Information Commissioner (IC) can impose civil fines of up to GB£500,000 for "a serious breach" of the DPA. In the case of a breach, the IC can also issue an enforcement notice against a business requiring it to take (or refrain from taking) specified steps in order to comply with the DPA. Failure to comply with an enforcement notice is a criminal offence. The DPA contains a number of other criminal offences, notably offences relating to obtaining or disclosing personal data without consent and selling or offering to sell such data. Prosecutions can also be brought against directors and officers of companies that have committed offences under the DPA. If an individual suffers damage as a result of a breach of the DPA, he can bring an action for damages against the relevant business. In addition, financial services firms may be exposed to much higher fines for failing to protect customer data (see Confidentiality of customer data).
General Data Protection Regulation and "Brexit". The DPA is expected to replace Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) with effect from 25 May 2018. As an EU Regulation, the General Data Protection Regulation will be directly applicable and will not need to be transposed into UK law. However, the UK government will need to legislate to repeal many provisions of the DPA. The General Data Protection Regulation imposes stricter requirements than the DPA in a number of areas, including consent to processing, liability of data processors and a new "right to be forgotten", together with new obligations relating to "data portability" and "data protection by design and by default". It also allows substantially higher fines to be imposed than at present (up to EUR10 million or 2% of worldwide turnover, whichever is higher).
If the UK were to leave the EU before 25 May 2018, the General Data Protection Regulation would not apply (unless the UK agreed to join the EEA or reached a similar agreement with the EU). However, at the time of writing it appeared unlikely that the UK would have completed the withdrawal process by May 2018. In any event, the UK government will need to consider whether, following withdrawal from the EU, obligations similar to those set out in the General Data Protection Regulation should be retained in order to facilitate the exchange of personal data between the EU and the UK (see above, Overseas transfers). It is therefore entirely possible that, despite the vote of the UK electorate in June 2016 in favour of leaving the EU, data protection law in the UK will be amended to bring it into line with the General Data Protection Regulation.
General requirements. Case law has long established that banks owe their customers a duty of confidentiality under English law, subject to certain qualifications, namely, they can disclose information about a customer where:
They are required to do so by law.
It is in the public interest.
It is in the interests of the bank (for example, in the course of instituting proceedings to recover loans).
They have the client's express or implied consent (for example, under an agreement permitting disclosure or setting out exceptions to the duty of confidentiality).
Mechanisms to ensure compliance. See Confidentiality of customer data.
Whilst the common law and the constraints of the DPA impose obligations on banks to keep information confidential, tensions arise by virtue of:
The commercial aspirations on the part of banks (that is, to transfer information to networks of bankers and affiliates and to outsource functions, to trade and transfer their debt and to share information on defaulting customers).
Increasing legal and regulatory initiatives requiring disclosure to counter tax avoidance and evasion (such as the US Foreign Account Tax Compliance Act and the UK regulations promulgated under the UK/US intergovernmental agreement).
Measures contained in the Finance Act 2015, together with money laundering.
The requirements specified in Regulation (EU) 648/2012 on OTC derivatives, central counterparties and trade repositories (European Market Infrastructure Regulation), which imposes obligations on many types and sizes of entities which enter into OTC derivatives transactions to report the details of such trades to a registered trade repository.
Sanctions for non-compliance. Breach of a banker's duty of confidentiality can give rise to:
Injunctions preventing further unauthorised use of the relevant information.
Where the relationship between the bank and its customer is, by virtue of special or exceptional circumstances, determined to be a fiduciary relationship, the bank may be obliged to account to the customer for profits made by virtue of confidential information.
Confidentiality of customer data
General requirements. In addition to being subject to the DPA, most outsourcing firms handling data on their customers' behalf are likely to be subject to a duty of confidence towards their customers and potentially also to third parties (for example, their customers' clients).
Financial services firms can also be in a fiduciary relationship with their clients, in which case they will be subject to a fiduciary's duty of confidence under English law.
All regulated firms have a responsibility for safekeeping customer data under the:
FCA or PRA Principles for Business.
SYSC 8 rulebook.
Treating Customers Fairly (TCF) standard.
A regulated firm cannot delegate or contract out of its regulatory obligations when outsourcing.
SYSC 8 includes a requirement that an outsourcing firm must ensure that the supplier protects any confidential information relating to the firm and its clients.
Mechanisms to ensure compliance. A firm engaging in an outsourcing must ensure that the supplier protects any confidential information relating to the firm and its clients. Generally, firms must ensure that their terms include adequate contractual provisions (including rights of redress and termination) and that their due diligence, oversight and ongoing monitoring procedures are robust. Amongst other measures, firms should consider the following:
Conducting assessments of the risks associated with any data-processing outsourcing arrangements (including due diligence on security measures and IT systems).
Carrying out ongoing monitoring of their supplier.
Instituting procedures to ensure that adequate management information is received relating to monitoring and due diligence procedures.
Setting up reporting lines with their supplier.
Appointing a single manager with overall responsibility for data security; and properly training staff.
Sanctions for non-compliance. Breach of confidence in relation to customer data can give rise to:
Injunctions preventing further authorised use of the relevant information.
In certain circumstances (for example, see Banking Secrecy) an award of an account of the profits made by virtue of use of the confidential information.
Businesses may also face enforcement action by the IC, including fines (see above, General requirements). Firms in the financial services sector may be exposed to significantly higher fines for failing to protect customer data (based on financial services legislation rather than the DPA). For example, in 2010, Zurich Insurance, UK branch, was fined over GB£2 million for failing to protect the security of confidential information when outsourcing to a South African affiliate.
Service specification and levels
The parties usually draft the services specification together, although the supplier often takes the lead, based on its previous experience of similar projects.
Where, after contract signature, the parties agree to develop a detailed specification of the services, the customer's requirements can be attached to the contract as a separate schedule. Usually in these circumstances:
There is an obligation on the supplier to ensure that the service description or specification is developed to reflect the customer's requirements.
The customer's requirements are stated to take precedence over the service description.
It should be noted that the UK's withdrawal from the EU ("Brexit") may have an impact on the regulatory framework to which the outsourcing contract is subject. As part of the service specification, it is common for a supplier to be under an obligation to comply with all applicable laws. In addition, the change control procedure will often provide that variations necessitated by a change in the law must be accepted by the customer. Such provisions may mean that a customer has no choice but to accept higher fees to reflect the increased cost of compliance. The change control provisions of any outsourcing contract likely to last beyond the date of the UK's withdrawal from the EU will therefore need particularly careful consideration. Parties may also wish to provide for enhanced termination rights or break clauses if Brexit is considered likely to undermine key commercial assumptions on which the contract is based.
The parties usually identify and agree a set of objective, measurable criteria to measure performance (key performance indicators (KPIs) or service levels). These could be that deliveries of products in a logistics contract will be made within specific time periods or that telephone calls to a call centre will be answered within a defined period. These service levels are combined with a:
Process for recording and reporting on success or failure in achieving the targets.
Formula under which financial compensation is paid to the customer if targets are not met (for example, variance from the required level of performance by a specified percentage). These are referred to as service credits or liquidated damages.
The service levels and service credits can form part of the services specification or are laid out in a separate schedule to the main agreement (service level agreement (SLA)).
Generally, the service credits are offset against the fees otherwise payable to the supplier and are usually relatively modest. The aim is to compensate the customer for poor service without the need to pursue a claim for damages or terminate the contract, and to motivate the supplier to meet the performance targets.
The service credits should be expressed to be the sole remedy of the customer for the particular failure concerned, but this should be without prejudice to the customer's wider rights in relation to more serious breaches of the contract or persistent failures in performance, both of which should also be dealt with (see Questions 15 to 16 and Questions 22 to 23). Service credits are generally enforceable, provided they do not amount to a contractual penalty (that is, their effect on the contract breaker is not out of all proportion to the legitimate interest which they are designed to protect).
Establishing a baseline against which the service credits will be measured can form part of a due diligence exercise which precedes or follows contract signature.
Flexibility in volumes purchased
If the customer's needs change so that it requires higher or lower volumes from the supplier, this would normally be addressed by making a request under the change control provisions of the contract. The extent to which the supplier can be obliged to accept the change will depend on the terms of the contract. For example, where the customer anticipates an increase in volumes, it will generally be advisable for it to negotiate a commitment from the supplier to meet such additional demand, should the customer require it. In the absence of such a contractual commitment, the level of flexibility which the supplier can offer is likely to depend on the extent to which it will need to make additional investments and how long it will take to bring those investments "on stream". Conversely, where the supplier is investing on the basis of an assumed level of volume purchases by the customer, it is likely to resist any attempt by the customer to reduce the fees due based on lower volumes.
Typically, most change control provisions only permit material changes where required by law or when both parties can reach agreement; it follows that (in the absence of any provisions specifically addressing the issues) the level of flexibility in practice will be heavily dependent on the approach to charging (see Question 14) and the ability and willingness of the supplier to accommodate any changes requested by the customer. Where the customer is reluctant to commit to minimum volumes because of uncertainty over how much it will use the service in practice, it may be possible to address this by providing for an initial trial period, following which minimum volumes would be agreed (based on the usage during the trial period).
Charging methods and key terms
The parties will adopt different approaches to charging depending on, among other things:
The type of services being provided.
Whether the supplier is appointed on an exclusive basis.
Risk allocation between the parties.
A typical outsourcing contract adopts one, or a combination, of cost plus, fixed price and/or pay as you go.
The customer pays the supplier both:
The actual cost of providing the services.
An agreed profit margin.
There are usually additional provisions to ensure that:
Costs are assessed on an agreed and transparent basis, which the customer can review (open book).
Indirect costs (such as overheads, or the cost of investment in new assets, amortised over a specified period) are included on an agreed basis.
In addition, the customer usually includes measures to control costs, such as:
An external third-party review to establish typical market prices (benchmarking).
A pre-agreed inflation adjuster to regulate price increases or decreases (indexation).
Measures to share cost savings between the parties and provide an incentive to the supplier to achieve these.
A mechanism to assess and agree the cost impact of changes in the scope or level of services (charge variation mechanisms).
A mechanism for agreeing annual budgets, which must then be adhered to, subject to permitted variances.
A fixed price is often used where there will be a regular and predictable volume and scope of services (for example, payroll), and the customer wants certainty for budgeting purposes.
Pay as you go
The customer pays a pre-agreed unit price for specific items of service (such as volumes of data processed or deliveries made), often based on a rate card (that is, a schedule of fees for each item of service). The supplier may want to add a minimum fee. It is often used where the level and volume of services is less predictable.
Particular consideration can be needed concerning how (if at all) the supplier will be allowed to recover implementation costs (for example, as a specific item of charge, linked to the achievement of measurable milestones or targets, or in an agreed manner over the life of the contract).
It should be noted that, as discussed in Question 11, the UK's withdrawal from the EU ("Brexit") may have an impact on charges. Similarly, market volatility or market downturns related to Brexit may affect charges which are calculated by reference to the supplier's costs. Parties may therefore wish to consider whether cap and collar mechanisms or other arrangements are appropriate with a view to giving greater certainty over costs/charges.
The principal terms used in relation to costs are:
Charge variation mechanisms.
Payment terms/interest on late payment.
(See Questions 11 and 12).
Customers can seek a right to suspend payment in the event of a genuine dispute over costs, but for obvious reasons many suppliers will be reluctant to agree to this. Disputes as to costs would generally be dealt with through the normal dispute resolution provisions of the contract; where the dispute as to costs is of a technical nature, the contract may provide for resolution by means of expert determination (see Question 31).
Customer remedies and protections
Customer protections typically include:
A detailed measurement of service performance (often by reference to KPIs (see Question 12)) and reporting of actual and foreseeable problems usually combined with audit rights.
Service credits or similar (see Question 12).
Indemnity from the supplier for loss suffered by the customer in specified circumstances.
Other forms of financial penalty, such as loss of exclusivity, a reduction in the minimum price payable to the supplier or the right to withhold payment.
Step-in rights allowing the customer to take over the management of an under-performing service or to appoint a third party to manage the service on its behalf.
Specific provision for termination in defined circumstances (for example, material breach and insolvency) (see Questions 24 to 26).
A requirement for the supplier to hold insurance (for example, for damage to persons or property) and note the customer's interest on its insurance policy.
A parent company guarantee (see Question 5).
Warranties (see Question 18).
An appropriate governance or escalation structure under which each party appoints specified relationship managers to manage problem areas and to escalate them to higher levels if solutions cannot easily be found.
Depending on the nature of the outsourced service, it may also be possible for customers to seek additional practical measures which offer protection in relation to certain events; for example, in relation to certain IT services, the supplier may be able to provide secondary back-up/disaster recovery systems, to be made available in the event of a primary systems failure. However, this carries the risk that supplier insolvency may result in access to both the primary and secondary systems being lost. From a risk management perspective, it may therefore be preferable to contract with an independent third party provider for such back-up/disaster recovery systems (rather than the outsourcing supplier), particularly where the outsourced service is business critical.
Warranties and indemnities
Typical supplier obligations are to:
Confirm that it is entitled to enter into the contract and perform its obligations.
Perform the services with reasonable skill and care in accordance with good industry practice, in a timely and professional manner and in accordance with all applicable laws and regulations.
Indemnify the customer against harm suffered due to the supplier's actions. This can be limited to harm suffered due to default (for example, wilful misconduct, negligence or breach of contract) or can extend to situations where the supplier's liability is not based solely on fault (for example, if performance of the services infringes third-party IP rights).
Indemnify the customer against future liability in respect of employees transferred to the supplier as part of the outsourcing.
Indemnify the customer and any replacement supplier against employees transferring to the customer/replacement supplier upon termination of the outsourcing contract under TUPE (see Question 9).
Confirm that material information provided in the pre-tender and tender stages was and remains accurate, complete and not misleading (for example that the statements made about its services or its financial resources are true).
Make other assurances specifically related to the project or type of services (for example, that the supplier has particular accreditations or operates in accordance with a particular quality assurance system). Many of these can be covered by specific contract terms (for example, in the SLA) instead of in the warranties section.
Typical customer obligations are to:
Confirm that it is entitled to enter into the agreement and perform its obligations.
Confirm that the information provided during the pre-tender and tender stages is accurate, complete and not misleading.
Make assurances as to title, condition and maintenance of assets transferred to the supplier, including the absence of outstanding liabilities under contracts transferred (although there can be negotiation over exactly how the customer will transfer these).
Indemnify the supplier against historic liability relating to employees transferred to the supplier as part of the outsourcing.
Indemnify the supplier against any employees claiming unexpectedly that they should have transferred to the supplier as part of the outsourcing.
English law implies contractual terms that goods are fit for purpose and of satisfactory quality, and that services will be performed with reasonable skill and care.
The contract often specifically excludes these terms and replaces them with specific wording, with the intention that all relevant obligations are set out expressly in the parties' written agreement. In relation to limits on the right to exclude these terms, see Questions 29 to 30.
Typically, an outsourcing contract will envisage that, in the event of breach by either party, remedies will include damages to compensate the innocent party and/or termination. The amount of compensation which can be recovered is often limited by the terms of the contract (see Questions 29 to 30). However, the parties' ability to recover compensation can also be augmented by express contractual rights such as indemnities, liquidated damages and/or service credits. The contract will also usually set out circumstances in which termination is permitted over and above those generally available as a matter of law (see Questions 24 to 25). For discussion of other contractual remedies which are relevant in the event of breach, see Question 26.
Other contractual protections which are sometimes provided for in an outsourcing contract include:
A right for the customer to veto proposals from the supplier to dispose of key assets or redeploy key staff.
An obligation on the supplier to co-operate fully with the customer in the event of termination and handover/migration to a different supplier (or a decision to take the outsourced service back in-house).
The business insurance market in England and Wales is well developed and numerous different types of policy are available. The following are probably most relevant to outsourcing arrangements:
Employer's liability insurance (in the UK, businesses must obtain this cover).
Professional indemnity insurance (for example, to provide cover against claims for negligence in the performance of outsourced services).
Business interruption insurance.
Fidelity or Employee Dishonesty Insurance (to provide cover against fraud committed by employees).
Public liability insurance.
Land and buildings insurance.
Directors' and officers' insurance (to cover directors and officers of a company against claims brought against them in that capacity).
Cyber-liability insurance (to cover against a range of IT-related risks, such as loss of digital assets or data breaches).
Term and notice period
Generally, English law does not impose any maximum or minimum term on outsourcing. The duration of the arrangement is left to negotiation between the parties. An outsourcing arrangement is typically for a fixed term of between three and ten years, although there can be provision for automatic renewal on a rolling annual basis if a party does not give notice of termination, and assuming inclusion of a mechanism for reviewing charges. In the absence of any express duration or termination provision (which would be unusual in practice), the English courts will generally imply a term allowing the contract to be brought to an end on reasonable notice (the length of which may vary considerably depending on the contract).
In public procurement processes (see Question 2, Public sector and Question 4) the contract term is affected by the initial tender statements in the Official Journal and can only be extended under the public procurement rules. If the arrangement is a framework agreement (that is, an agreement under which specific purchases can be made throughout the term of the agreement), the maximum duration is four years (except in exceptional circumstances). If the arrangement takes the form of a concession contract (see Question 2, Public sector ), the duration of the outsourcing cannot be open-ended. In addition, for contracts lasting more than five years, the total duration is not permitted to exceed the time that a concessionaire could reasonably be expected to take in order to recoup its investment. Local authorities must carry out best value reviews every five years.
In certain circumstances, long-term supply agreements that include exclusive or minimum purchase and supply obligations can infringe EU or UK competition law. For certain vertical agreements, Regulation (EC) No. 330/2010 on the application of Article 101(3) of the Treaty on the Functioning of the European Union (TFEU) provides a safe harbour. However, this does not apply to exclusive purchasing obligations and certain minimum purchasing obligations (if the obligation is for a term exceeding five years).
English law does not regulate the notice period required to terminate an outsourcing contract. This is left to the parties to specify in the agreement. The length of notice can vary according to the grounds for termination. In the case of a material breach or insolvency a short notice period is likely to be the only practical solution, although it is subject to a cure period for breaches of contract.
Generally, the nature of an outsourcing arrangement means that an extended notice period is often desirable for the customer to make alternative arrangements. Mechanisms should be included in the contract that oblige the supplier to:
Continue to perform services during the notice period.
Co-operate with the transfer to a replacement supplier (or to bring the services back in-house).
Termination and termination consequences
Events justifying termination
The following events are generally considered sufficiently serious to justify immediate termination:
A particularly severe breach.
A breach that indicates that the counterparty no longer wishes to continue with the contract.
The other party's insolvency, so that it is unable to perform its duties under the contract.
Generally, however, parties specifically provide termination events in the contract (see Question 25).
Breach. English law provides that the innocent party will normally have the right to terminate and claim damages if the counterparty breaches a condition of the contract. This is known as a "repudiatory breach". A term is likely to be regarded as a condition where its breach would deprive the innocent party of "substantially the whole benefit of the contract". The right to terminate for breach of a condition normally exists alongside any express contractual termination rights. Case law suggests that it is possible to exclude this right where the parties clearly intended the express provisions to form a "complete code" with regard to the arrangements for termination. However, in practice, this would be unusual and in any event, the express provisions in the contract would normally be expected to allow termination for severe breaches likely to be regarded as breaches of conditions. Most outsourcing contracts also permit termination in the event of "material breach" (which would potentially include breaches which are less severe than a breach of condition). However, termination for such lesser breaches requires an express provision in the contract (see Question 25).
Termination for convenience. As noted in Question 25, English law allows the parties considerable freedom to decide in what circumstances the contract should be terminable. For example, a customer may seek a right to terminate a long-term outsourcing contract on notice, prior to expiry of the full term, without payment of compensation. However, where the supplier is making significant investments in the service, it may not be prepared to accept such a provision at all, or may insist on provision of compensation in the event of early termination (which will be enforceable provided that the level of compensation is a genuine pre-estimate of the supplier's loss arising from early termination, rather than a contractual penalty).
Insolvency events. Commercial contracts will normally contain provisions allowing either party to terminate immediately if the other is the subject of some form of insolvency proceedings. If either party enters into an insolvency process, an administrator may decide not to honour existing contracts. If the administrator wishes the contract to continue (and the solvent party agrees not to exercise any contractual right to terminate), the debts due under the contract are classified as an expense of the administration and rank more highly than unsecured debts on the final distribution of assets. To the extent that the administrator elects not to perform as originally agreed, the innocent party may terminate, although the right to sue for breach of condition (see above) will be of little value. On liquidation, the liquidator has the right to disclaim obligations under contracts which he considers to be onerous. The Special Administration Regime for investment banks stipulates that providers of certain key utilities and other services may not terminate their agreements until the insolvent party has found alternative suppliers.
It is also possible to draft termination provisions in a way which would potentially allow termination where insolvency proceedings appear to be imminent but have not actually begun. However, as such clauses tend to be mutual, the party seeking a right to terminate for "near insolvency" needs to be prepared to accept that the same termination rights may be invoked against it.
Other. In addition, the contract may contain provisions for termination where:
A party commits an irremediable material breach (or one which, if remediable, has not been remedied within the agreed cure period).
An event of force majeure (as defined in the contract) has occurred.
To the extent that the contract does not deal with such matters, the agreement may be regarded as having come to an end if its performance becomes impossible or if external events conspire to make it radically different from what was originally envisaged by the parties. This is referred to as "discharge by frustration".
It should be noted that the UK's withdrawal from the EU ("Brexit") may affect certain key assumptions about how the contract will be performed. Where this is a concern, a party may wish to specify Brexit as an express termination event or to include a break clause.
The parties are free to agree specific termination rights, which can block or extend rights implied by general law, for example, termination for:
Breach of the contract. Typically, the breach must be material and it is usual to include a cure period in which the injured party gives written notice of the breach and allows the counterparty a reasonable period to remedy it (often 30 to 60 days or more).
Minor but persistent breaches (with the type of breach and number of breaches needed to trigger the termination right defined in the contract).
Insolvency (with the definition of insolvency set out in the contract).
Change of control (ultimate ownership) of the supplier.
Termination for convenience by the customer on notice. This allows the customer to switch suppliers without having to give a reason (for example, if it is generally dissatisfied but unable to demonstrate any clear breach). This is usually an expensive option, since the supplier often requires compensation for early termination.
For a discussion of the UK's withdrawal from the EU, see Question 24.
As outlined in Question 16, the main remedies available to the parties under the general law in response to a breach are damages, termination and (exceptionally) specific performance or injunction (available at the discretion of the court). However, many outsourcing contracts modify and/or supplement the remedies available under the general law with some or all of the following:
Liquidated damages and/or service credits, entitling the customer to recover specified amounts for delays or poor performance.
Indemnities in respect of specific types of loss.
The ability (in relation to a complex services outsourcing) for the customer to terminate the provision of some services, but not others.
Where services have not been provided in accordance with the contract, a right of the customer to require the supplier to re-provide the relevant services to the appropriate standard.
Step-in rights, allowing the customer to take over the management of an under-performing service or appoint a third party to manage the service on its behalf.
IP rights and know-how post-termination
Where the customer licenses IP rights to the supplier in connection with the outsourcing, the licence terms generally govern the continued use of those rights by the supplier post-termination (either in the main agreement or a separate document). The customer is usually reluctant to agree a continuation unless it receives some benefit.
Where there is no specific agreement and a licence has been implied, it is generally implied that the licence ends post-termination. The parties can (and should) make specific provision to regulate how far either will remain entitled to use the other's IP rights post-termination.
It should be noted that IP is an area of law that may be affected by the UK leaving the EU.
To the extent that specific IP rights cover the supplier's know-how, the customer's ability to gain access is likely to depend on the terms of any agreement governing use of IP rights post-termination (see Question 27).
Where the know-how is in the supplier's confidential information, the customer usually expressly undertakes to maintain the information in confidence and use it only in connection with the outsourcing contract. However, to the extent that the know-how is the skill and experience of employees engaged in performing the services and the employees transfer to a new supplier (or back to the customer) under TUPE (see Question 9), the customer can benefit from such skills, except for specific confidential information.
Where the supplier develops know-how (or IP rights) during the term of the outsourcing contract for use in the performance of the services, or otherwise embeds its IP into the assets and systems of the customer, the customer usually requires a written licence to continue using the know-how or IP.
It should be noted that IP is an area of law that may be affected by the UK leaving the EU.
Liability, exclusions and caps
The parties are generally free to exclude most forms of liability, subject to a number of important conditions outlined below:
An exclusion of liability for fraud or fraudulent misrepresentation is unenforceable and should be carved out from any general exclusion of liability.
Explicit wording is usually required if exclusions or limitations are intended to apply to liability arising from a party's negligence or deliberate breach.
Exclusions or restrictions of liability for negligent or innocent misrepresentation must satisfy the requirement of reasonableness in the Unfair Contract Terms Act 1977 (UCTA).
Under UCTA, it is not possible to exclude or restrict liability for death or personal injury resulting from negligence. In the case of other loss or damage, the exclusion or restriction of liability for negligence must satisfy UCTA's reasonableness requirement.
If the parties are dealing on written standard terms of business, any exclusion or restriction of liability for breach of contract must satisfy UCTA's reasonableness requirement. However, in an outsourcing contract, there is likely to be considerable debate as to whether a liability provision (which will usually have been negotiated) is part of the written standard terms.
Implied terms as to title to assets cannot be excluded or restricted, while those relating to satisfactory quality, fitness for purpose and certain other matters can only be restricted where this meets UCTA's reasonableness requirement.
Subject to the above, a supplier will usually aim to exclude liability for:
Indirect and consequential loss.
Loss of business, profit or revenue, where these constitute a direct loss.
In contrast, the customer will usually try to ensure that it is able, under the contract, to recover all its direct loss (including direct loss of profit, business and revenue). It can also specify particular heads of loss that are recoverable to evidence that these are agreed to constitute direct loss. In practice, these are subject to negotiation.
The parties can and frequently will agree a financial limit on liability, subject to the limitations set out in Question 29. This can be a fixed amount, or a percentage or multiple of the contract value (for example, 125%). In negotiating the amount of any cap, account will usually be taken of the overall value of the contract, the potential damage to the customer's business if the supplier fails to perform and the availability of insurance against potential risks.
The extent to which any cap will be held reasonable under UCTA (in cases where it is required to be reasonable) is uncertain. Current practice suggests that a percentage is better than a fixed sum, and that anything under 100% of the contract value can be held to be unreasonable, where the liability covered is significant. When using this approach, it is important to:
Define contract value.
Identify any areas where the liability should not be subject to a cap (for example, the supplier's indemnity in relation to IP rights and/or TUPE is often unlimited).
The supplier should take care that the drafting of the cap does not restrict its right to recover for non-payment of charges that are properly due to it from the customer.
A full description of the pros and cons of each method of dispute resolution is beyond the scope of this guide but the main methods are as follows:
Alternative dispute resolution (ADR). ADR covers a wide range of procedures, outside traditional arbitration and litigation, from internal conflict escalation steps to more formal mediation processes. Some forms of ADR are automatically binding (such as expert determination (see below)) and some are non-binding. Mediation is the most popular ADR mechanism. The mediator, who is appointed by the parties in dispute, acts as a neutral third party. He/she is not a judge of the merits of each party's case, but facilitates a settlement negotiation, reminding each party of the strengths and weaknesses of their position (in negotiation terms) where appropriate. Mediation is confidential and allows for flexibility, both in terms of the format of the process and in terms of the settlement outcomes that can result. Mediation is not binding unless and until the parties enter into a settlement agreement. The contract should therefore make provision for either arbitration or litigation where mediation is unsuccessful. The English courts will uphold an obligation on a party to make use of an ADR procedure (prior to initiating litigation, for example), provided that the clause sets out the procedure to be followed in sufficient detail. This can be achieved by incorporating the rules of an external ADR body such as those of the Centre for Effective Dispute Resolution.
Expert determination. Expert determination is a private ADR procedure which has been contractually agreed, with the parties agreeing to refer their dispute to a single expert whose ruling will be final and binding. Unless specifically agreed, the expert is not required to give reasons and there is generally very little scope for appeal. In practice, expert determination tends to be reserved for disputes concerned with specific aspects of the contract, usually of a technical nature, such as pricing or service levels; provision should therefore be made for resolution of other disputes by arbitration or litigation. Careful drafting is required to ensure that it is clear which mechanism applies to a particular dispute. Generally, the expert will be a person with relevant technical skills and experience; for instance, accountants are frequently appointed in relation to financial matters. It is generally advisable to set out in the contract the procedure to be followed in a reasonable level of detail.
Litigation. Litigation involves bringing proceedings to resolve the dispute in the courts. Advantages (as compared with arbitration) include the ability to join third parties, such as subcontractors or other suppliers, so that related disputes can be resolved through one set of proceedings. The English courts are generally well respected with broad order-making powers. Judges in the Technology and Construction Court and the Commercial Court also have considerable experience of hearing disputes involving complex contracts, including outsourcing arrangements. Disadvantages include cost (although only as compared with ADR) and publicity (since the proceedings and the outcome will be a matter of public record).
Arbitration. Arbitration is a private dispute resolution procedure which has been contractually agreed, with the parties agreeing to be bound by the outcome. Potential advantages (as compared with litigation) include the ability for the parties to define their own procedure, appoint persons with relevant experience as arbitrators and keep both the proceedings and the outcome confidential. It is also generally easier to commence arbitration against foreign counterparties and, in certain countries, arbitration awards are easier to enforce. Disadvantages include the inability to join third parties, such as subcontractors or other suppliers (which means that related disputes with those parties will have to be resolved by separate proceedings). Arbitration is also usually more expensive than ADR or expert determination and can sometimes be more expensive than litigation.
Arbitration and litigation are mutually exclusive. As such, if the contract provides for arbitration, the parties cannot initiate court proceedings instead, unless they subsequently agree to do so. In practice, it is not uncommon for outsourcing contracts to provide for disputes to be resolved by some form of ADR initially, with litigation if the ADR proves unsuccessful. Where expert determination is provided for, it tends to be used for specific types of dispute rather than all disputes under the contract.
It should be noted that dispute resolution is an area of law that may be affected by the UK leaving the EU. For example, enforcement of English court judgments in EU countries may become more difficult, which may in turn affect the choice of dispute resolution mechanism.
Transfers of assets to the supplier
Where the customer transfers assets to the supplier, there is an actual or deemed sale. The actual price or deemed market value (as appropriate) is treated as disposal proceeds for tax purposes and so can give rise to either a profit (on which tax is due) or a loss (which can be relievable against other tax charges of the customer). In practice, this is not usually a significant concern in outsourcings as typically very few assets of value are transferred. Since the outsourced business will generally have been run as a cost centre within the customer's business, it cannot typically be argued to have any goodwill associated with it. Moreover, assets transferred are often IT equipment or similar, which has minimal second-hand value.
The question also arises of whether the customer is required to charge VAT on the transfer of the assets. In some circumstances, the customer can argue that it is transferring part of its business as a going concern and VAT need not be charged. However, even when VAT is chargeable, it is not usually a significant issue, as any price for the assets is often nil or minimal.
Transfers of employees to the supplier
From the date of the transfer, the supplier becomes responsible for the calculation and payment of:
PAYE income tax.
Exceptions apply where the:
Supplier makes payments to the customer's employees before the business is transferred to it.
Customer makes payments to the employees that the supplier acquires after the business has been transferred.
VAT or sales tax
Due to the nature of the services provided by the supplier, VAT usually applies. Where the supplier and the customer are both based in the UK, the supplier charges and collects VAT in the usual way. However, depending on the nature of the services, where the supplier is based outside the UK, VAT is often dealt with as follows:
The supplier does not charge local VAT.
The customer must operate the reverse charge procedure and account for UK VAT relating to the supply, as if it had made the supply itself.
From 1 January 2010, the range of services falling within the reverse charge regime has been greatly broadened and there are very few exceptions.
Where the customer's business is fully taxable, it can recover the VAT in full (whether it was paid to the supplier or accounted for to HMRC under the reverse charge procedure). However, where the customer's business is not fully taxable, the VAT is not fully recoverable (whether paid conventionally or through the reverse charge procedure). Therefore, the outsourcing gives rise to a significant tax cost. This is a significant issue in the financial services and insurance industries.
Aside from VAT (see above, VAT or sales tax), there are no significant service taxes on an outsourcing in the UK.
Stamp duty or stamp duty land tax can arise on:
Transfers of, or the grant of leases in respect of commercial real property at up to 5%, and up to 15% for residential property (depending on the value and the identity of the purchaser).
Transfers of UK shares in companies at 0.5% (although this is rarely relevant to an outsourcing).
Companies subject to UK corporation tax on their profits (including gains) are liable to pay corporation tax at 20% (expected to reduce to 19% in 2017 and then to 17% in 2020).
Other tax issues
The main tax issues which arise on a typical outsourcing are dealt with above. However, consideration should also be given to the impact of the proposed outsourcing on any existing tax planning arrangements.
It should be noted that tax is an area of law that may be affected by the UK leaving the EU (at least with regard to VAT).
Description. Provides free access to the full text of UK legislation in English. Note that, in many cases, legislation has not been updated to incorporate subsequent amendments (although the amending legislation itself is normally available through the site).
Bank of England, Prudential Regulation Authority
Description. Website of the Prudential Regulation Authority (PRA). Provides information on the prudential supervision of banks, insurance companies, building societies, credit unions and certain large investment firms. Outsourcing by such entities is regulated by the PRA as part of its prudential supervision.
Financial Conduct Authority
Description. Website of the Financial Conduct Authority. Provides information on the regulation of all financial services firms, including those subject to prudential supervision by the PRA (see above). Outsourcing by regulated firms which are not subject to PRA prudential supervision falls to be regulated by the FCA.
SYSC 8 Guidance
Description. Links to full text in English of the SYSC 8 Guidance on outsourcing for financial services firms (PRA/FCA combined view).
Description. Website of the Courts Service. Provides information on the court system in England and Wales, including access to the full text of the relevant rules of procedure.
Centre for Effective Dispute Resolution (CEDR)
Description. Website of the Centre for Effective Dispute Resolution (CEDR). Provides information on alternative dispute resolution, including access to the full text of the CEDR's own model procedures (which can be incorporated into outsourcing contracts).
London Court of International Arbitration (LCIA)
Description. Website of the London Court of International Arbitration (LCIA). Provides information about the LCIA's services in relation to arbitration and mediation, including access to the full text of the LCIA's procedural rules (which can be incorporated into outsourcing contracts).
HM Revenue & Customs
Description. Website of HM Revenue & Customs. Sets out the rates of UK tax together with guidance on the computation of UK tax liability.
Travers Smith LLP
Professional qualifications. Solicitor, England and Wales, 1990
Areas of practice. Commercial; outsourcing; strategic alliances; joint ventures.
- Advised Metro Bank, the first new UK high street bank for over 100 years, on all its major outsourcing agreements with third-party suppliers.
- Advised Select Service Partner (operator of Caffè Ritazza, Upper Crust and other food travel outlets) on the outsourcing to 3663 of its business-critical distribution arrangements for provision of products into all SSP's UK outlets.
- Advised Gist Limited on the renegotiation of the outsourcing arrangements by M&S to Gist of its worldwide food logistics operators.
- Advised McColls (the UK's largest independent neighbourhood retailer) on the outsourcing of its business critical warehousing, supply and distribution arrangements to NISA and Palmer and Harvey.
- Advised Shepherd Neame on the outsourcing of its entire UK and European warehousing and distribution operation to Kuehne and Nagel.
Travers Smith LLP
Professional qualifications. Solicitor, England and Wales, 2001
Areas of practice. Employment.
- Successfully defending a whistleblowing claim for around GB£7 million in compensation in the Employment Tribunal.
- Advising on employment protections (including TUPE) on an outsourcing from a national fuel supplier.
- Advising on the enforcement of post-termination restrictions against a departing senior executive.
- Implementing a collective consultation redundancy programme (including training for employee representatives).
- Advising on the removal of an executive board member and the negotiation of agreed terms of a settlement agreement.
Travers Smith LLP
Professional qualifications. Solicitor, England and Wales, 1998
Areas of practice. Commercial; outsourcing; joint ventures; media contracts.
- Advised Firstsource (a leading India-based BPO provider) on Lloyds Banking Group's major long term extension of its outsourcing arrangements to it, covering new customer facing services including payments, mortgage operations, business cards and insurance services.
- Advised Firstsource on Barclays Bank's outsourcing to it of the Barclaycard credit card and payment businesses.
- Advised Utility Metering Services on its outsourcing of electricity and gas metering services to Enterprise and G4S.
- Advised UK broadcaster Channel 4 on the outsourcing of facilities management services for its flagship London headquarters building.
- Advised Charterhouse Print Management (a leading provider of outsourced print solutions) on its outsourcing agreements with many multi-national customers, including McDonalds, Heineken, Coca-Cola, British American Tobacco, Sony and Nuffield Health.
Travers Smith LLP
Professional qualifications. Solicitor, England and Wales, 1999
Areas of practice. Commercial; IP; IT; IP/IT litigation.
- Advised BBI (Channel Islands) Holdings on the outsourcing of the entire IT operations for the billing function of the gas supplier for the Channel Islands and the Isle of Man.
- Advised TSL, one of the UK's leading educational publishers, on three business-critical IT outsourcings with three separate suppliers, Daisy Solutions, Ocean Network Solutions and Cable & Wireless covering its entire web hosting operation.
- Advised Lyceum Capital on the long-term outsourcing of its entire IT function.
- Advised HostelBookers.com, a provider of online travel agency services, on a complex, cloud-based technology outsourcing with Rackspace for the hosting of HostelBookers.com's entire web presence.
Travers Smith LLP
Professional qualifications. Solicitor, Australia, 2003
Areas of practice. Employment
- Advised a major logistics company on the outsourcing of its collection services, including appropriate indemnity protection for employment liabilities.
- Advised a leading international manufacturer of fresh prepared foods on the employment implications of outsourcing part of its laboratory testing services.
- Advised a media technology business on resisting the transfer of employees and employment liabilities from an outgoing contractor after winning a contract from a competitor.
- Advised an online digital marketing agency on managing employment liabilities as the incoming supplier on a second generation outsourcing.