National law does not specifically regulate outsourcing transactions.

Financial services. The outsourcing rules applicable to financial services firms depend on the type of firm and whether the firm is regulated by the:

The FCA and the PRA impose requirements on regulated firms entering into certain types of outsourcing arrangements. These can include requirements in respect of the terms of the outsourcing agreements and the firm's systems and controls for supervising and managing outsourcing arrangements and the associated risk.

As a general principle, a regulated firm cannot delegate or contract out of its regulatory obligations when outsourcing. It must also give advance notice to the FCA or PRA (as applicable) of any proposal to enter into a material outsourcing arrangement and of any material changes to arrangements (see Question 3).

The FCA and the PRA have various enforcement powers at their disposal in relation to firms which fail to manage their outsourcing arrangements, including the power to impose an unlimited fine.

The full impact of the UK's withdrawal from the European Union on outsourcing arrangements between UK and EU financial services firms and service providers remains unclear. However, it is common practice for financial services firms both in the UK and elsewhere in the EU to outsource certain services to businesses based in third countries and this practice is expected to continue to some extent.

See Practice Note, Outsourcing in the UK financial services sector: Key regulatory requirements: Outsourcing by banks, building societies and investment firms.

Public sector. Depending on the nature of the contract and its value, a public-sector outsourcing can be subject to UK regulations on public procurement. If so, the awarding authority can be required to:

The UK public procurement rules are likely to have a significant effect on the:

In addition, UK private finance initiative (PFI) legislation applies to certain public sector outsourcing arrangements. Other laws and guidance can also be relevant; for example, local authority procurement is also subject to requirements under the Local Government Acts.

At the time of writing, the UK government had indicated that it plans to reform the UK's public procurement regime, although the majority of these changes are expected to be evolutionary rather than revolutionary. However, any new regime is unlikely to come into force until 2023 at the earliest. For further details, see www.gov.uk/government/consultations/green-paper-transforming-public-procurement/outcome/transforming-public-procurement-government-response-to-consultation.

Public sector workers are generally entitled to accrue defined benefit pensions. Contractors are expected to fund the continuing provision of those or, in some cases, broadly equivalent benefits.

In a central government outsourcing, the contractor will normally be required to participate in the relevant public sector scheme and pay contributions set by the Government Actuary.

In a local government outsourcing, the contractor will normally have a choice of participating in and contributing to the Local Government Pension Scheme or providing broadly comparable defined benefits under a scheme of its own.

In all cases, the cost of funding these valuable pension benefits is likely to be significantly higher and less predictable than would be the case if the contractor were free to offer pension arrangements of its own choosing.

There are relatively few UK regulatory requirements targeted specifically at outsourcing. However, many activities are subject to specific regulatory regimes which may have implications for outsourcing transactions. Given the limited scope of this Q&A, it is not possible to give a comprehensive overview. However, by way of example, sector-specific authorisations/requirements for licences may be required from the applicable authorities for outsourcings relating to sectors including (among many others):

Licences, permits or approvals may also be required from numerous other bodies such as local authorities, the Health and Safety Executive (in respect of, for example, handling certain chemicals) or government departments (for example, Ministry of Defence approval can be required to carry out certain defence-related activities).

Firms regulated only by the FCA must give notice to the FCA before entering into, or significantly changing, a material outsourcing arrangement. Firms that are also regulated by the PRA must also notify the PRA. Although no period of notice is specified, the appropriate regulator expects firms to discuss matters with it at an early stage, before making any internal or external commitments.

Failure to give this notice to the appropriate regulator is likely to amount to a breach of the regulator's rules. Both the FCA and the PRA have various enforcement powers at their disposal, including the power to impose an unlimited fine.

UK merger control legislation (Enterprise Act 2002) can apply to outsourcings. This legislation is not sector-specific and applies where both:

Notification is not compulsory but completion without the CMA's approval entails certain risks, including the possibility that the outsourcing supplier can subsequently be required to sell all or part of the business acquired, and the contract can be terminated.

According to CMA guidance, an outsourcing arrangement is likely to satisfy the first point above only if the arrangement involves the permanent (or long-term) transfer of assets, rights and/or employees to the outsourcing service supplier and where those transferred elements can be used to supply services other than to the original owner/employer.

The second point above will be satisfied where either:

See Practice Note, Overview: UK competition law: Mergers qualifying for investigation under the UK merger control regime.

As a result of the UK leaving the EU, the UK no longer participates in the so-called "one stop shop" regime provided by the Merger Regulation ((EC) 139/2004). This has two main impacts:

In circumstances where the customer and supplier set up a joint venture (see Question 5), the analysis as to whether merger control applies can be different.

See Practice Note, Transactions and practices: UK Mergers and Acquisitions and Practice Note, Transactions and practices: EU Mergers and acquisitions.

The UK Government has created an extensive regime to strengthen its powers to scrutinise certain transactions on grounds of national security. The National Security and Investment Act 2021 came into force on 4 January 2022, creating a hybrid mandatory and voluntary notification regime. It may therefore be compulsory or advisory to notify and obtain approval from the UK Government in respect of notifiable outsourcings.

See Practice Note, National Security and Investment Act 2021: overview: Transactions within the scope of the NSI Act.

From an outsourcing perspective, the following points should be noted:

The simplest structure is a direct outsourcing (that is, an outsourcing contract between the customer and the supplier). This can comprise one or more separate contracts dealing with core issues (for example, price and duration) with detailed schedules that set out:

If the proposed supplier is not the main trading entity within its group, or does not have sufficient assets to meet its potential contractual liabilities, the customer can require a parent company guarantee.

The structure is more complex if the customer procures services on behalf of itself and its group companies. Generally, the customer either:

A supplier should consider including specific contract provisions that control multiple actions by the customer and its group companies, and ensure that its liability limitations and exclusions apply to each and all of them.

If the supplier intends to use subcontractors, the customer can require:

Direct outsourcing arrangements allow the customer to streamline its operations and take advantage of economies of scale achieved by a large supplier. By retaining a third party to take care of non-core operations, the customer will be better able to focus on the core areas of its business. Many of the potential issues associated with outsourcing are dependent on the sector in which the customer operates and the activities being outsourced. For example, quality control is vital to protect against reputational damage sustained as a result of poor service in call centres. The customer may also find additional obstacles presented by the costs associated with the physical transfer of the services and ongoing costs such as travel and cross-jurisdictional advice.

The customer enters into contracts with different suppliers for separate elements of its requirements. The issues are generally similar to those experienced in a direct outsourcing (see above, Direct Outsourcing) but, in addition, the customer must ensure interfaces between the different suppliers are carefully managed to encourage the seamless provision of an overall service (sometimes referred to as "Service Integration and Management" or SIAM). This will usually involve requiring suppliers to participate in a common governance process involving, for example, regular meetings of all parties and an escalation procedure designed to resolve differences/disputes. The customer may also wish to impose contractual obligations on suppliers to co-operate with one another.

The structure shares similar advantages and disadvantages to direct outsourcing, but the need for effective interfacing between the various suppliers can add layers of cost and complexity. One advantage can be avoiding over-reliance on a single supplier (but only where identical services are sourced from several different suppliers). Another advantage can be that individual contracts can be lower value and shorter (as compared with a contract with a single supplier, where the provider may insist on a longer minimum term and incorporate a premium for managing its own subcontractors).

This is similar to a direct outsourcing (see above, Direct Outsourcing), except that the customer appoints a supplier that immediately subcontracts to a different supplier. Often, the second supplier is located outside the UK, and the first supplier is UK-based.

The structure shares similar advantages and disadvantages to direct outsourcing, but it is potentially harder for the customer to police the activities of, and enforce its rights against, the overseas supplier. The resulting level of management and risk-sharing can erode some of the potential cost savings.

The customer and the supplier set up a joint venture company, partnership or contractual joint venture, perhaps operating in an offshore jurisdiction.

Advantages of this structure include the following:

However, the joint venture structure is complicated and expensive to set up and maintain.

The customer outsources its processes to a wholly-owned subsidiary, taking advice from local suppliers on a consultancy basis.

This gives the customer direct operational control and can have tax benefits in appropriate jurisdictions. However, there will be significant upfront set-up costs and risk cannot pass to a third-party supplier.

The customer contracts with a third-party supplier (perhaps overseas) to build and operate a facility. The supplier then transfers the facility to the customer.

This is a relatively low-risk model but can be expensive. The customer can ask the supplier to operate the facility in the longer term.

The process is typically as follows:

Due diligence should include an assessment of the impact on the proposed outsourcing of changes arising from the UK's withdrawal from the EU (Brexit), bearing in mind that, at the time of writing, many businesses are still adapting to new trading conditions and some changes (such as those regarding UK imports, for example) are not expected to take effect until 2023. For further details, see https://hansard.parliament.uk/commons/2022-04-28/debates/22042822000011/BrexitOpportunities.

In the UK, a customer can send a request for information (RFI) (often called a request for proposal (RFP)) to potential suppliers. Generally, this briefly outlines the areas the customer is considering outsourcing and asks questions relating to the supplier's capabilities and competence.

In addition, or as an alternative to an RFI, the customer can send out an invitation to tender (ITT) (often called a request for proposal (RFP)) and invite responses. The customer should include in the ITT:

The customer assesses the responses and shortlists a small number of possible suppliers. The customer should establish its evaluation criteria at an early stage. The supplier's capacity and ability are likely to be assessed at this stage.

After shortlisting, more detailed negotiations begin. Generally, the potential supplier(s) carry out some degree of due diligence. Work streams are established to conduct commercial, technical and legal negotiation. It is important that these work streams are closely co-ordinated.

The customer can conduct negotiations with:

Either party can carry out further due diligence after contract signature as part of the contract process to establish a baseline against which service provision can be measured.

Transfer of title to immovable property in England and Wales must be in writing (usually by deed), and, in most cases, requires registration at the Land Registry to transfer the legal title and, if this is the case, the transfer must be in one of the forms prescribed by the Land Registry. A plan will also be required if the transfer will result in first registration or if the transfer or lease is of part (as opposed to whole) of a title.

Where the asset is a lease or licence, the consent of the landlord or licensor may also be required. Where the property is charged to secure debt finance, the consent of the lender is usually required.

The transfer of title to immovable property outside England and Wales will be governed by the formalities of the relevant jurisdiction.

A transfer of UK IP rights generally must be in writing and can require registration of the transfer at the UK Intellectual Property Office, depending on the rights involved.

The transfer of IP licences should be by written consent (where the licence is expressed to be personal or there is an express restriction on assignment). Particular attention is needed where the licence is held in the name of another company within the customer's group. Where this is the case, approval should be obtained at an early stage.

Formalities for transferring non-UK IP rights tend to be similar, but important details may vary from the above and appropriate advice should be sought.

A written assignment is usually sufficient to transfer movable property for evidential purposes. Where assets are leased or charged, the transfer can require the counterparty's and/or lender's consent.

The assignment of key contracts must be effected in writing. Any contract to be transferred should be identified at an early stage and its terms reviewed to identify whether assignment is possible without the counterparty's express consent. Alternatively, if the terms of the contract permit, the customer can retain ownership of the contract and allow the supplier to supply the services to the counterparty as agent of the customer on a "back-to-back" basis.

As with the transfer of any contract or licence, consideration should be given as to whether the burden of the contract should also transfer to the supplier, either by:

UK legislation imposes controls on the export of certain goods such as technology which can be used for military or paramilitary purposes. In such cases a licence may be required to facilitate the transfer of assets to a provider based outside the UK. However, in practice, it is unusual for outsourcing transactions to be affected by these controls.

There are no formalities as such for the transfer of data and information; instead contractual provisions are included for providing access to such data or information, and regulating how it is used. If there is copyright in the data or information which is transferred, then the copyright will have to be transferred in writing as referred to above. See also Question 9.

All leases of immovable property in England and Wales for a term of up to three years may be in writing or oral, while those for more than three years must be by deed. It is advisable, although not a legal requirement, that licences of immovable property should also comply with these formalities. Leases of more than seven years must be registered at the Land Registry and must therefore contain prescribed clauses which set out the key details of the lease. The consent of any superior landlord or lender can be needed, which may require financial tests to be satisfied or a guarantee to be provided. Leases or licences of immovable property outside England and Wales will be governed by the formalities of the relevant jurisdiction.

Licences of registered trade marks must be in writing and signed by the licensor. In relation to other IP rights, a written agreement should be entered into as a matter of good practice. It is usually advisable (but not a legal requirement) for an exclusive licensee of registered IP rights (such as patents or registered trade marks) to register the exclusive licence with the UK Intellectual Property Office. For the leasing or licensing of existing licences, see below, Key Contracts.

A written lease or licence should be entered into as a matter of good practice to record the terms agreed.

The concept of a contract being leased or licensed is not generally recognised under English law. In practice:

Therefore, good practice dictates that the customer should:

There are no formalities as such for the licensing or leasing of data or information, except where there is IP in the data, such as copyright, in which case a written agreement should be entered into as a matter of good practice. Consideration should also be given to the inclusion of confidentiality obligations on the recipient of the data or information (see Question 9).

For information on transferring employees in an outsourcing transaction in the United Kingdom, including details of structuring employee arrangements, notice, information and consultation obligations and calculating redundancy pay, see Country Q&A: Transferring Employees on an Outsourcing in the United Kingdom: Overview.

Following the UK's exit from the EU, the General Data Protection Regulation ((EU) 2016/679) (EU GDPR), together with parts of the UK Data Protection Act 2018 (DPA) became part of retained law in the UK. Additional UK legislation made amendments to both pieces of legislation, appropriate to the continued application of the GDPR and the DPA in the UK which became the UK GDPR (UK GDPR). While the UK GDPR has retained many of the EU GDPR's provisions, there are some differences.

See Practice Note, UK GDPR and DPA 2018: quick guide.

The two main legislative instruments governing the protection and processing of personal data in the UK are the UK GDPR and the Data Protection Act 2018 (UK Data Protection Regime). "Personal data" includes any data such as names, contact details, or other data which relates to an identified or identifiable natural person.

The UK GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the UK, regardless of whether the actual data processing takes place in the UK. It is therefore likely to apply to most outsourcings involving UK-based businesses, where the services involve processing personal data. The UK GDPR also applies even where the customer or supplier is established outside the UK, provided that the processing activity relates to offering goods and services, or monitoring behaviour, that target data subjects in the UK.

Under the UK Data Protection Regime, issues can arise:

Organisations may also be caught by the EU GDPR if they fall within its territorial scope, for example:

Therefore, an IT supplier based in the EU, providing outsourced IT services to a UK-based organisation, which require the supplier's processing of personal data about UK data subjects, will have to comply with EU GDPR with respect to that processing. This is because it is being done in the context of its EU establishment (even if the actual processing is done at the customer's site in the UK). It may also have to comply with UK GDPR as a result of obligations in its contract with the UK-based customer.

The Network and Information Systems Regulations is the main legislation in the UK which sets out security requirements in respect of non-personal data (see below).

Use of processors and sub-processors. The UK GDPR distinguishes between entities which are:

For the purposes of many outsourcing arrangements (particularly business process outsourcings), the supplier is likely to be regarded as a processor of data on behalf of the customer. As a result, this section focusses primarily on controller-to-processor arrangements. However, the nature of some outsourced services may mean that in some cases, the supplier is regarded as a controller (or as a joint controller alongside the customer).

Where the supplier is regarded as a processor, the UK Data Protection Regime places certain obligations on controllers. For example, the controller must be satisfied that a processor will implement appropriate technical and organisational measures, particularly in relation to keeping the data safe and secure, and in a way which ensures the protection of the rights of those individuals to whom the personal data relates. The customer/controller must carry out due diligence on the supplier to be satisfied of this. In addition, the contract between the customer/controller and the supplier/processor must include certain mandatory requirements. For example, requiring the supplier to:

If a supplier/processor wishes to sub-contract some of the outsourced services to a third-party, prior written authorisation from the controller is required. Any contract with such processor or sub processor must mirror the obligations as regards personal data in the contract with the controller. In addition, the lead processor will remain liable to the controller for the actions or inactions of any sub-processor.

Liability for breaches of personal data processing requirements (for both the customer and the supplier). The customer as controller is liable for ensuring that it only uses processors which meet the requirements of the UK Data Protection Regime (see above). Both controllers and processors are directly liable under the UK Data Protection Regime for complying with the obligation to implement appropriate technical and organisational measures to protect personal data which is processed pursuant to the provision of outsourced services. Processors also have direct liability to only process personal data in accordance with the controller's instructions, and to notify the controller of any breaches involving relevant personal data.

Security requirements. Both controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the personal data which is being processed. Appropriate measures are assessed by reference to a range of factors such as the business sector and established market practice. The UK regulator, the Information Commissioner's Office (ICO), has also avoided being overly prescriptive. However, the ICO has imposed significant fines on businesses for failure to meet this standard. Recent examples include penalties of GBP20 million and GBP18.4 million imposed on British Airways and Marriott International respectively. Industry information security standards such as ISO27001 are also helpful to follow, and it is common practice to ask suppliers whether they have this standard in place.

Mechanisms to ensure compliance. The UK Data Protection Regime is enforced by the ICO, which has extensive powers including the ability to impose significant fines (see below). As between the parties to any outsourcing transaction, the contract documentation will usually impose obligations relating to data protection, often including requirements that staff who are directly involved in handling personal data undertake to observe confidentiality (statutory or otherwise).

Direct liability on processors for certain breaches of the UK Data Protection Regime was a concept which was introduced by the GDPR. As a result, it is more common to see provisions in outsourcing contracts to protect suppliers' positions (to the extent that the customer's actions impact on the supplier's ability to meet regulatory requirements). Also, given the substantial penalties for breach, specific liability apportionment for losses resulting from breach of contractual provisions (and statutory obligations) is more common (with the contracting parties often settling on a special cap in respect of such losses).

Transfer of personal data to third countries. Where personal data is to be exported for processing to a supplier located outside the UK (as in the case of "offshoring") and no "adequacy regulations" (see below) or special derogations apply, additional safeguarding measures must normally be put in place. The most commonly-used safeguarding mechanism to ensure compliant transfers outside the UK is to incorporate a set of standard contractual clauses into the outsourcing arrangement. The ICO issued revised sets of standard contractual clauses, which came into effect on 21 March 2022, to replace the "old" EU model clauses on which businesses previously had to rely. Although there are arrangements in respect of the transition from the old to the new clauses, it is important to ensure that the correct standard contractual clauses are used. These clauses are designed to ensure that the supplier applies the same standards of security as would be applied if the data remained within the UK. As a result of the decision in C-311/18 Data Protection Commissioner v Facebook Ireland and Maximilian Schrems, the use of standard contractual clauses as a safeguarding mechanism must be accompanied by a transfer risk assessment. Among other things, this must take account of any local laws which may undermine the ability for the data to be protected to an equivalent standard as that provided in the UK and set out appropriate measures to address these risks.

In some cases, an alternative legal basis for exporting data may be available, which avoids the need for additional safeguarding mechanisms. For example, certain countries are regarded by the UK ICO as "safe destinations" for personal data because their own national law offers an equivalent level of protection to that available in the UK. The countries that benefit from "adequacy regulations" include Member States of the EEA, and those countries in respect of which the EU had granted adequacy decisions prior to 31 December 2020. Alternatively, suppliers may have obtained approval from the UK ICO for binding corporate rules which allow them to export data to other group companies outside the UK, without the need for specific contractual arrangements governing the transfer. See Practice Note, Cross-border transfers of personal data (GDPR and DPA 2018) (UK): Schrems II – Binding Corporate Rules.

Brexit also has the potential to affect personal data flows out of the EEA to the UK. The adequacy decision adopted by the European Commission in June 2021 in respect of the UK means that the status quo in respect of data transfers from the EEA to the UK has been maintained for the time being. However, the decision is due to expire in 2025 and its long-term future may depend on how the EU reacts to proposed reforms of the UK Data Protection Regime. Without an adequacy decision, organisations within the scope of EU GDPR would have to put in place additional measures in order to continue to transfer personal data to the UK.

Sanctions for non-compliance. The UK ICO can impose civil fines of up to GBP17.5 million, or 4% of the breaching undertaking's annual worldwide turnover in the preceding year, for the most serious breaches under the UK Data Protection Regime. In the case of breach, the ICO can also issue an enforcement notice against a business requiring it to take (or refrain from taking) specified steps to comply with the UK Data Protection Regime.

Under the UK Data Protection Regime, there are a number of criminal offences, notably offences relating to the unlawful obtaining of personal data and selling or offering to sell it.

Individuals can lodge complaints with the ICO in respect of alleged breaches of the UK Data Protection Regime and bring an action for damages against the relevant business, including in some cases, class actions with other affected individuals. Fines can also be imposed for data breaches under sectoral regulatory regimes, for example, financial services firms have been fined substantial amounts for failure to keep customer data secure.

TUPE transfers. Even where the actual services being outsourced do not involve personal data, the UK Data Protection Regime may have implications in respect of employees who are transferring from the customer to the supplier. Care should be taken to ensure that personal data relating to such employees is shared and transferred in a lawful manner, with a clear legal basis under the UK Data Protection Regime for the transfer. Any personal data transferred outside the UK will need to be transferred using one of the safeguarding mechanisms outlined above (see above, Transfer of personal data to third countries).

Network and Information Systems Regulations. These regulations apply to organisations which supply national infrastructure (for example, in sectors such as electricity supply, oil and gas, water, transportation, healthcare and digital infrastructure, including cloud storage providers) and meet certain thresholds, together with relevant digital service providers. In brief, the regulations require such organisations to take appropriate technical and organisational measures to manage the security risks posed to them (for example, by taking appropriate measures to protect against cyber-attacks). The regulations apply, indirectly, to any data that an organisation holds (including non-personal data) and which may be affected by the obligation to take appropriate technical and organisational measures.

Where an outsourcing relates to an activity covered by the regulations, it will be important to ensure that the outsourced activities continue to meet the relevant standards, for example, by mirroring the requirements on the customer by the regulations in obligations imposed on the supplier in the outsourcing contract.

The maximum penalty for breach of the regulations is GBP17 million. As with the UK Data Protection Regime, competent authorities under the regulations can issue enforcement notices, and have powers to investigate and audit compliance of organisations which fall within their scope.

General requirements. Case law has long established that banks owe their customers a duty of confidentiality under English law, subject to certain qualifications, namely, they can disclose information about a customer where:

In any event, UK banks are dual-regulated by the FCA and the PRA (see Question 2 and below, Confidentiality of Customer Data).

While the common law and the constraints of the data protection legislation impose obligations on banks to keep information confidential, tensions arise by virtue of:

Sanctions for non-compliance. Breach of a banker's duty of confidentiality can give rise to:

General requirements. In addition to being subject to the UK Data Protection Regime, and potentially other data protection laws as well, such as the EU GDPR, (see above, Data Protection and Data Security), most outsourcing firms handling data on their customers' behalf are likely to be subject to a duty of confidence towards their customers and potentially also to third parties (for example, their customers' clients).

Financial services. Financial services firms can also be in a fiduciary relationship with their clients, in which case they will be subject to a fiduciary's duty of confidence under English law.

In addition, a duty of confidentiality may arise under FCA and/or PRA rules. For example, SYSC 8 includes a requirement that an outsourcing firm must ensure that the supplier protects any confidential information relating to the firm and its clients.

Mechanisms to ensure compliance. A firm engaging in an outsourcing must ensure that the supplier protects any confidential information relating to the firm and its clients. Generally, firms must ensure that their terms include adequate contractual provisions (including rights of redress and termination) and that their due diligence, oversight and ongoing monitoring procedures are robust. Amongst other measures, firms should consider the following:

Sanctions for non-compliance. Breach of confidence in relation to customer data can give rise to:

Businesses may also face enforcement action by the ICO, including fines (see above, General Requirements). Firms in the financial services sector may be exposed to enforcement action by the FCA and/or PRA (as applicable) for failing to protect customer data (based on financial services legislation rather than data protection law).

There are no specific requirements which must by law be passed onto service providers (other than in the context of a service provider that is acting as a data processor (see Question 9) and, potentially, the sectoral legislation discussed in Question 2). However, there are several areas where it would be recommended for the customer to guard against supply chain risks.

If the applicable thresholds are met (the key one being an annual turnover of GBP36 million or more), the Modern Slavery Act 2015 requires the customer to report on its due diligence processes in relation to slavery and human trafficking in its business and supply chain. As well as satisfying itself at the outset of a relationship that a potential business partner is not engaged in any such conduct, the customer may ask suppliers to adhere to its own modern slavery policy or at the very least warrant to act in compliance with the Act and avoid commission of the slavery and trafficking offences. The company would in all likelihood want to report on measures of this kind in its compulsory modern slavery statement.

Similarly, many companies have anti-bribery and corruption policies which assist in proving compliance with the UK's Bribery Act 2010 and in particular in proving the defence that a company had "adequate procedures" to prevent bribery. Although there is no legal requirement to include them, the official guidance suggests that contractual provisions are a key way of managing bribery risks. Many outsourcing contracts would require suppliers to adhere to the company's Anti-Bribery and Corruption (ABC) policy or provide evidence of its own policy, to contain no less stringent provisions.

Less frequently, an anti-tax evasion provision will also be included, to prove that the company had reasonable prevention procedures in place, but such a clause in isolation is unlikely to be enough to protect a company from prosecution.

Where the supplier is acting as a data processor, the UK GDPR requires certain mandatory terms to be included in the contract (or in a separate data processing agreement). For further details, see Question 9.

In the context of a strong focus on environmental, social and governance (ESG) matters, it is increasingly common to find contractual provisions which require counterparties to adhere to high standards of ESG conduct. These may reference specific international norms (for example, applying the UN Guiding Principles on Business and Human Rights). Legislation is in development that will require certain organisations to conduct due diligence on their supply chain. In this context, organisations are likely to use contractual terms to ensure that suppliers act accordingly, particularly to avoid environmental damage.

Depending on the nature of the contract, the contracting party and the service provided, it may also be advisable to include provisions which require the service provider (and any subcontractors):

A catch-all "compliance with laws" provision could ultimately be relied on if the contract contains no more stringent or specific protections.

The parties usually draft the services specification together, although the supplier often takes the lead, based on its previous experience of similar projects.

Where, after contract signature, the parties agree to develop a detailed specification of the services, the customer's requirements can be attached to the contract as a separate schedule. Usually in these circumstances:

With longer-term contracts in particular, parties may also wish to provide for enhanced termination rights or break clauses if changes in circumstances may undermine key commercial assumptions on which the contract is based. As the services specification may need to change over time, parties should include a change control procedure making clear (among other things) how the extra costs of any changes should be allocated.

The parties usually identify and agree a set of objective, measurable criteria to measure performance (key performance indicators (KPIs) or service levels). These could be that deliveries of products in a logistics contract will be made within specific time periods or that telephone calls to a call centre will be answered within a defined period. These service levels are combined with a:

The service levels and service credits can form part of the services specification or are laid out in a separate schedule to the main agreement (service level agreement (SLA)).

Generally, the service credits are offset against the fees otherwise payable to the supplier and are usually relatively modest. The aim is to compensate the customer for poor service without the need to pursue a claim for damages or terminate the contract, and to motivate the supplier to meet the performance targets.

The service credits should be expressed to be the sole remedy of the customer for the particular failure concerned, but this should be without prejudice to the customer's wider rights in relation to more serious breaches of the contract or persistent failures in performance, both of which should also be dealt with (see Question 19, and Question 24). Service credits are generally enforceable, provided they do not amount to a contractual penalty (i.e. their effect on the contract breaker is not out of all proportion to the legitimate interest which they are designed to protect).

Establishing a baseline against which the service credits will be measured can form part of a due diligence exercise which precedes or follows contract signature. For longer term contracts, it is common to include a change of control procedure designed to allow service levels to be reviewed and modified to reflect changing circumstances.

If Brexit is considered likely to undermine key commercial assumptions on which the contract is based, parties may also wish to provide for enhanced termination rights/break clauses (see Question 24) or rights to re-negotiate certain aspects of the contract (see Question 31).

Escalation mechanisms are commonly included in contact documentation. However, it is not recommended that the parties should rely on them as the sole means of addressing issues with service provision. They should instead be viewed as part of a "package" of measures designed to promote resolution of problems with service provision. The precise content of that "package" is a matter for negotiation but will typically include at least some of the mechanisms discussed in Question 20.

It is common for each party to appoint one or more contract representatives to deal with operational issues. The level of formality surrounding this process varies, often depending on the scale and complexity of the outsourcing. For example, some contracts may simply provide for the contract representative to be a "first point of contact" if issues arise, whereas others may impose extensive reporting requirements on the supplier, provide for regular meetings to review progress and require input from a variety of staff with responsibility for different aspects of the contract (similar to an operational committee).

These governance mechanisms can be helpful in overcoming operational problems where the contract representatives co-operate and are able to agree a way forward. However, it is important to ensure that, if changes are proposed, they are dealt with in accordance with the change management procedures of the contract (see Question 15). There should also be a clear procedure for escalating any issues in cases when agreement cannot be reached (see Question 13).

Most outsourcing contracts contain a "change control" procedure, which allows either party to request a change. Certain changes, such as those required to comply with changes in the law, may be classified as mandatory (and in such scenarios the non-requesting party will be obliged to implement the change). For these situations, it is important to specify which party will bear the cost of the change.

There should also be a clear procedure, ideally with timescales attached, for the agreement of requested changes and their documentation and incorporation into the contract. Typically, this will require the supplier to provide estimates of the cost and impact on the services and a timetable for their implementation. There should also be an escalation procedure if agreement cannot be reached (see Question 13).

The customer may wish to specify that it is entitled to request additional services. Although it would be unusual for these to be mandatory changes, the supplier may be obliged to respond reasonably and in good faith to such a request and to adopt the same pricing models as those which apply in relation to the existing services.

If the customer's needs change so that it requires higher or lower volumes from the supplier, this would normally be addressed by making a request under the change control provisions of the contract (see Question 15). The extent to which the supplier can be obliged to accept the change will depend on the terms of the contract. For example, where the customer anticipates an increase in volumes, it will generally be advisable for it to negotiate a commitment from the supplier to meet such additional demand, should the customer require it. In the absence of such a contractual commitment, the level of flexibility which the supplier can offer is likely to depend on the extent to which it will need to make additional investments and how long it will take to bring those investments "on stream". Conversely, where the supplier is investing on the basis of an assumed level of volume purchases by the customer, it is likely to resist any attempt by the customer to reduce the fees due based on lower volumes.

Typically, most change control provisions only permit material changes where required by law or when both parties can reach agreement; it follows that (in the absence of any provisions specifically addressing the issues) the level of flexibility in practice will be heavily dependent on the approach to charging (see Question 17) and the ability and willingness of the supplier to accommodate any changes requested by the customer.

The parties will adopt different approaches to charging depending on, among other things:

A typical outsourcing contract adopts one, or a combination, of cost plus, fixed price and/or pay as you go.

The customer pays the supplier both:

There are usually additional provisions to ensure that:

In addition, the customer usually includes measures to control costs, such as:

A fixed price is often used where there will be a regular and predictable volume and scope of services (for example, payroll), and the customer wants certainty for budgeting purposes.

The customer pays a pre-agreed unit price for specific items of service (such as volumes of data processed or deliveries made), often based on a rate card (that is, a schedule of fees for each item of service). The supplier may want to add a minimum fee. It is often used where the level and volume of services is less predictable.

Particular consideration can be needed concerning how (if at all) the supplier will be allowed to recover implementation costs (for example, as a specific item of charge, linked to the achievement of measurable milestones or targets, or in an agreed manner over the life of the contract).

The principal terms used in relation to costs are:

(See Question 11 and Question 12).

Customers can seek a right to suspend payment in the event of a genuine dispute over costs, but for obvious reasons many suppliers will be reluctant to agree to this. Disputes as to costs would generally be dealt with through the normal dispute resolution provisions of the contract; where the dispute as to costs is of a technical nature, the contract may provide for resolution by means of expert determination (see Question 31).

The customer has a number of remedies, including:

Customer protections typically include:

Typical supplier obligations are to:

Typical customer obligations are to:

English law implies contractual terms that goods are fit for purpose and of satisfactory quality, and that services will be performed with reasonable skill and care.

The contract often specifically excludes these terms and replaces them with specific wording, with the intention that all relevant obligations are set out expressly in the parties' written agreement. In relation to limits on the right to exclude these terms, see Question 28.

The business insurance market in England and Wales is well developed and numerous different types of policy are available. The following are probably most relevant to outsourcing arrangements:

The following events are generally considered sufficiently serious to justify immediate termination:

However, parties generally specifically provide termination events in the contract.

English law provides that the innocent party will normally have the right to terminate and claim damages if the counterparty breaches a condition of the contract. This is known as a "repudiatory breach". A term is likely to be regarded as a condition where its breach would deprive the innocent party of "substantially the whole benefit of the contract". The right to terminate for breach of a condition normally exists alongside any express contractual termination rights. Most outsourcing contracts also permit termination in the event of "material breach" (which would potentially include breaches which are less severe than a breach of condition). However, termination for such lesser breaches requires an express provision in the contract. It is usual to include a cure period in which the injured party gives written notice of any material breach (provided it is remediable) and allows the counterparty a reasonable period (often 30 to 60 days) in which to remedy it. If the breach is irremediable, the contract may provide for it to be terminated immediately (since any cure period will be irrelevant).

Commercial contracts normally contain provisions allowing either party to terminate immediately if the other is the subject of some form of insolvency proceedings (although in some cases, a party can be prevented from doing so, see below). If either party enters into an insolvency process, an administrator may decide not to honour existing contracts. If the administrator wishes the contract to continue (and the solvent party agrees not to exercise any contractual right to terminate), the debts due under the contract are classified as an expense of the administration and rank higher than unsecured debts on the final distribution of assets. If the administrator elects not to perform as originally agreed, the innocent party can terminate, but the right to sue for breach of condition (see above) will be of little value. On liquidation, the liquidator has the right to disclaim obligations under contracts which he/she considers to be onerous.

English law allows the parties considerable freedom to decide in what circumstances the contract should be terminable. For example, a customer may seek a right to terminate a long-term outsourcing contract on notice, prior to expiry of the full term, without payment of compensation. However, where the supplier is making significant investments in the service, it may not be prepared to accept such a provision at all, or may insist on provision of compensation in the event of early termination (which will be enforceable provided that the level of compensation is a genuine pre-estimate of the supplier's loss arising from early termination, rather than a contractual penalty).

It is also possible to draft termination provisions in a way which would potentially allow termination where insolvency proceedings appear to be imminent but have not actually begun. For example, suppliers may wish to consider this if they are concerned about constraints on their ability to terminate in response to insolvency events (see below). However, as such clauses tend to be mutual, the party seeking a right to terminate for "near insolvency" needs to be prepared to accept that the same termination rights may be invoked against it.

The following restrict the ability of the parties to terminate in reliance on an insolvency event:

In addition, the contract may contain provisions for termination where:

As outlined in Question 19, the main remedies available to the parties under the general law in response to a breach are damages, termination and (exceptionally) specific performance or injunction (available at the discretion of the court). However, many outsourcing contracts modify and/or supplement the remedies available under the general law with some or all of the following:

Customers will often wish to include provisions requiring the supplier to:

Where the supplier has developed or acquired assets (including IP rights) specifically to meet the customer's needs, it may be appropriate to include provisions for the buy-out of those assets and their transfer to the new service provider or the customer. Similarly, it may be appropriate to impose obligations on the supplier to use best or reasonable endeavours to novate or transfer any key agreements with subcontractors in favour of the new service provider or the customer.

As regards IP rights, consideration may need to be given to how far any IP developed specifically for the customer relies on IP of the supplier (so called "background IP"), which it needs to retain for the purposes of its ongoing business. In such cases, it will not be appropriate for the IP rights in the background IP to be transferred to the customer. Instead, the contract will need to provide a licence for the customer to continue to use any such background IP, but only for purposes connected with performance of the relevant services.

Where the customer licenses IP rights to the supplier in connection with the outsourcing, the licence terms generally govern the continued use of those rights by the supplier post-termination (either in the main agreement or a separate document). The customer is usually reluctant to agree a continuation unless it receives some benefit. Where there is no specific agreement and a licence has been implied, it is generally implied that the licence ends on termination. The parties can (and should) make specific provision to regulate how far either will remain entitled to use the other's IP rights post-termination.

Some outsourcing contracts involve a dedicated group of the supplier's employees working primarily for the customer. In such cases, it may be desirable from the customer's perspective for those staff to transfer to the new service provider on termination, as they will already be familiar with the customer's requirements. Legally, dedicated staff would usually transfer by operation of law to the new service provider.

However, achieving this in practice is not always straightforward and requires careful consideration of the legal and practical issues discussed in Country Q&A: Transferring Employees on an Outsourcing in the United Kingdom: Overview).

In particular, the customer may wish to:

In contrast, a new service provider may not wish to inherit the outgoing supplier's employees and may want the ability to dismiss any employees that transfer by operation of law, as well as protection from the associated costs of doing so.

In addition, the contract will usually include confidentiality obligations that survive termination. In some cases, there may be a need for provisions requiring the customer to return property of the supplier or delete copies of the latter's IP, such as software.

To the extent that specific IP rights cover the supplier's know-how, the customer's ability to gain access is likely to depend on the terms of any agreement governing use of IP rights post-termination (see Question 26).

Where the know-how is in the supplier's confidential information, the customer usually expressly undertakes to maintain the information in confidence and use it only in connection with the outsourcing contract. However, if the know-how is the skill and experience of employees engaged in performing the services and the employees transfer to a new supplier (or back to the customer) under TUPE (see Question 8), the customer can benefit from these skills (but not from specific confidential information).

Where the supplier develops know-how (or IP rights) during the term of the outsourcing contract for use in the performance of the services, or otherwise embeds its IP into the assets and systems of the customer, the customer usually requires a written licence to continue using the know-how or IP.

The parties are generally free to exclude most forms of liability, subject to a number of important conditions outlined below:

Subject to the above, a supplier will usually aim to exclude liability for:

In contrast, the customer will usually try to ensure that it is able, under the contract, to recover all its direct loss (including direct loss of profit, business and revenue). It can also specify particular heads of loss that are recoverable to evidence that these are agreed to constitute direct loss. In practice, these are subject to negotiation.

The parties can and frequently will agree a financial limit on liability, subject to the limitations set out in Question 28. This can be a fixed amount, or a percentage or multiple of the contract value (for example, 125%). In negotiating the amount of any cap, account will usually be taken of the overall value of the contract, the potential damage to the customer's business if the supplier fails to perform and the availability of insurance against potential risks.

The extent to which any cap will be held reasonable under UCTA (in cases where it is required to be reasonable) is uncertain. Current practice suggests that a percentage is better than a fixed sum, and that anything under 100% of the contract value can be held to be unreasonable, where the liability covered is significant. When using this approach, it is important to:

The supplier should take care that the drafting of the cap does not restrict its right to recover for non-payment of charges that are properly due to it from the customer.

Most outsourcing contracts will contain force majeure provisions designed to relieve the parties of liability if performance is prevented by certain matters beyond their control, such as extreme weather events or government decisions to make certain activities illegal (such as through the imposition of any sanctions). The customer will typically prefer the scope of this clause to be relatively narrow and may wish to exclude any events which the supplier could reasonably have been expected to plan for in advance. It may also seek a right to terminate if non-performance continues beyond a specified period.

Both parties may seek to include acknowledgements in the contract with a view to limiting the scope of their overall liability. For example, suppliers will typically seek to include an acknowledgment of non-reliance by the customer on any pre-contractual statements not expressly incorporated into the contract. In practice, such provisions can often make it difficult for customers to bring claims based on alleged pre-contractual misrepresentations (such as promises made by sales staff during negotiations, but which were not written into the contract).

Similarly, the customer may wish to include an acknowledgement that the supplier has been provided with sufficient information and carried out sufficient due diligence on the customer's business to establish that it will be in a position to carry out the services to the standards required under the agreement. This makes it more difficult for the supplier to argue that any failure to meet those standards arose because it could not reasonably have been expected to appreciate how certain key aspects of the customer's business were organised.

More generally, careful attention should be paid to the service specification (see Question 11) to ensure that it adequately describes what is required. From the supplier's perspective, it may sometimes be beneficial to specify what is not required as part of the services. See also Question 20 on customer protections and Question 21 on warranties and indemnities.

The main methods of dispute resolution used in this area are set out below.

ADR covers a wide range of procedures, outside traditional arbitration and litigation, from internal conflict escalation steps to more formal mediation processes. Some forms of ADR are automatically binding (such as expert determination (see below)) and some are non-binding. Mediation is a popular ADR mechanism. The mediator, who is appointed by the parties in dispute, acts as a neutral third party. They are not a judge of the merits of each party's case, but facilitate a settlement negotiation, reminding each party of the strengths and weaknesses of their position (in negotiation terms) where appropriate. Mediation is confidential and allows for flexibility, both in terms of the format of the process and in terms of the settlement outcomes that can result. Mediation is not binding unless and until the parties enter into a settlement agreement. The contract should therefore make provision for either arbitration or litigation where mediation is unsuccessful. The English courts will uphold an obligation on a party to make use of an ADR procedure (prior to initiating litigation, for example), provided that the clause sets out the procedure to be followed in sufficient detail. This can be achieved by incorporating the rules of an external ADR body such as those of the Centre for Effective Dispute Resolution.

Expert determination is a private ADR procedure which has been contractually agreed, with the parties agreeing to refer their dispute to a single expert (for example, an accountant if the dispute relates to a financial matter), whose ruling will be final and binding. Unless specifically agreed, the expert is not required to give reasons and there is generally very little scope for appeal.

In practice, expert determination tends to be reserved for disputes concerned with specific aspects of the contract, usually of a technical nature, such as pricing or service levels. Provision should therefore be made for resolution of other disputes by arbitration or litigation.

Litigation involves bringing proceedings to resolve the dispute in the courts. Advantages (as compared with arbitration) include the ability to join third parties, such as subcontractors or other suppliers, so that related disputes can be resolved through one set of proceedings. The English courts are generally well respected with broad order-making powers. Judges in the Technology and Construction Court and the Commercial Court also have considerable experience of hearing disputes involving complex contracts, including outsourcing arrangements. Disadvantages include cost (although only as compared with ADR) and publicity (since the proceedings and the outcome will be a matter of public record). For contracts with a cross-border element, the ability to enforce an English court judgment in relevant overseas jurisdictions should be considered. There may be potential difficulties with the enforcement of some English court judgments in the EU following Brexit.

Arbitration is a private dispute resolution procedure which has been contractually agreed, with the parties agreeing to be bound by the outcome. Potential advantages (as compared with litigation) include the ability for the parties to define their own procedure, appoint persons with relevant experience as arbitrators and keep both the proceedings and the outcome confidential. It is also generally easier to commence arbitration against foreign counterparties and, in certain countries, arbitration awards are easier to enforce. The enforcement of arbitral awards in the EU is generally unaffected by Brexit. Disadvantages include the inability to join third parties, such as subcontractors or other suppliers (which means that related disputes with those parties will have to be resolved by separate proceedings). Arbitration is also usually more expensive than ADR or expert determination and can sometimes be more expensive than litigation.

Arbitration and litigation are mutually exclusive. As such, if the contract provides for arbitration, the parties cannot initiate court proceedings instead, unless they subsequently agree to do so. However, subject to that point, it is possible to use a combination of different approaches (for example, the contract may provide for ADR initially, followed by either litigation or arbitration if ADR proves unsuccessful, but with certain narrowly defined disputes being subject to expert determination).

Where the customer transfers assets to the supplier, there is an actual or deemed sale. The actual price or deemed market value (as appropriate) is treated as disposal proceeds for tax purposes and so can give rise to either a profit (on which tax is due) or a loss (which can be relievable against other tax charges of the customer). In practice, this is not usually a significant concern in outsourcings as typically very few assets of value are transferred. Since the outsourced business will generally have been run as a cost centre within the customer's business, it cannot typically be argued to have any goodwill associated with it. Moreover, assets transferred are often IT equipment or similar, which has minimal second-hand value.

The question also arises of whether the customer is required to charge VAT on the transfer of the assets. In some circumstances, the customer can argue that it is transferring part of its business as a going concern and VAT need not be charged. However, even when VAT is chargeable, it is not usually a significant issue, as any price for the assets is often nil or minimal.

From the date of the transfer, the supplier becomes responsible for the calculation and payment of:

Exceptions apply where the:

Due to the nature of the services provided by the supplier, VAT usually applies. Where the supplier and the customer are both based in the UK, the supplier charges and collects VAT in the usual way. However, depending on the nature of the services, where the supplier is based outside the UK, it is likely that the supplier would not have to charge VAT.

Depending on the location of the customer, the customer may be required to operate the reverse charge procedure and account for VAT relating to the supply, as if it had made the supply itself.

Where the customer's business is fully taxable, it should be able to recover the VAT in full (whether it was paid to the supplier or accounted for it under the reverse charge procedure). However, where the customer's business is not fully taxable, the VAT is not fully recoverable (whether paid conventionally or through the reverse charge procedure). Therefore, the outsourcing gives rise to a significant tax cost. This is a significant issue in the financial services and insurance industries.

Aside from VAT (see above, VAT or Sales Tax), there are no significant service taxes on an outsourcing in the UK.

Stamp duty or stamp duty land tax (or the equivalent in UK jurisdictions other than England) can arise on:

Companies subject to UK corporation tax on their profits (including gains) are liable to pay corporation tax at 19% (based on the rates in force in February 2022). The main rate of corporation tax is due to be increased to 25% from 1 April 2023.

Consideration should also be given to the impact of the proposed outsourcing on any existing tax planning arrangements. Although, in principle, trade in goods with the EU remains tariff-free following Brexit, such treatment only applies if the goods meet the relevant rules of origin. Costs may also increase to reflect the burden of dealing with additional administrative requirements (such as customs declarations), introduced (as regards imports from the EU) from 1 January 2022.