Getting the law on your side

The Toronto-based business law firm McMillan Binch LLP cites six phases of an outsourcing deal, each of which can benefit from legal advice: due diligence, RFP, vendor selection, negotiation, risk assessment, transition and compliance. IT Focus asked George Atis, chairman of the firm’s technology and outsourcing practice groups, for details relevant to the financial services sector.

IT Focus: What are some of the issues relating to outsourcing in the financial services sector from your legal perspective?

George Atis: Any FI that is federally regulated has to comply with certain OSFI (Office of the Superintendent of Financial Institutions) guidelines. Because outsourcing is such a sensitive topic, that regulator OSFI came out with certain guidelines that said ‘FIs that are under OSFI’s control have to comply with certain guidelines because we don’t want problems in the financial institution industry because it’s so core to our society.’

Outsourcing generally is not a very regulated industry. Outsourcing law, if you will, encompasses a number of disciplines. In the private sector, these OSFI regulations are quite unique because they do impose regulations on outsourcing.

When I approach an outsourcing deal on a client side, the first step I would deal with when advising an FI is to say ‘are you aware of the OSFI guideline?’ – most are – and ‘what have you done to begin to comply with that guideline?’

There are actually two separate criteria: one involves an internal risk management assessment. It is a very detailed guideline called OSFI Guideline B-10. At the end of the day it obliges the FI looking at outsourcing to have done an internal risk assessment at the very senior board level to say ‘what are the risks associated with this outsourcing?’ and ‘have we satisfied ourselves with respect to these risks?’ [It is] your classic risk assessment but you have to go through that and arrive at a decision, consider it, identify the risks. That’s compliance generally with that guideline.

Involved in that risk assessment is your choice of outsourcer. Generally speaking, a big FI will have to deal with a very well known, reputable, well-capitalized company so this is not a situation where you can go to a very small outsourcer to try to save money and cut corners. The risk assessment has to factor in the quality, reputation, financial viability of your target service provider.

There is another interesting guideline which often crops up unknowingly and that is OSFI Guideline E-3, Cross-Border Information Processing. This would arise when an FI goes through risk management assessment, chooses an outsourcer, vendor, service provider that perhaps has cross-border operations. To the extent that the processing of the FI’s data is going to be done down south, cross-border, it has to get special dispensation from OSFI. When that data actually leaves Canada, OSFI wants to make sure that it will have access to the data, it’s going in a jurisdiction where it is generally secure, etc. and there are actually certain legal provisions that you have to write into the agreement.

If you are dealing with a service provider located wholly in Canada, then you won’t have to worry about Guideline E-3. But outsourcing is becoming more worldwide and offshore so if you were to do a major deal today and you wanted to crunch the data somewhere in a jurisdiction where it is really cost-efficient to do so – India is often mentioned in this respect – FI outsourcing would not be a good candidate for offshore outsourcing because of the risks. Could you do it? Yeah, you could probably get it done and if OSFI was satisfied that the data is in a jurisdiction that is secure and they have access, then they would grant it. There’s no prohibition against it. It’s just I think for a Canadian financial institution you’re probably better off going with a Canadian service provider or a worldwide service provider that’s going to process your data and do the transactions and process the information within Canada.

IT Focus: What comes next?

Atis: Once we get over the basic regulatory issues in terms of ‘have you considered this,’ the next step I try to take my clients through is the due diligence aspect prior to going to market with the RFP for the outsourcer. That involves an assessment of all the legal contracts related to the services that you propose to outsource. To process the amounts of data of an FI, there are typically mainframes involved with large sophisticated software vendors to run the software on those mainframes. There are hundreds of other related software contracts and hardware contracts, etc., but the big ones are the large mainframe software vendors. You have to examine those contracts to understand whether you can outsource. Some of them contain prohibition on outsourcing and what that means is that you’re looking at a very intense negotiation with those mainframe software providers in order to be able to do the deal.

A lot of these mainframe software providers know that outsourcing is a potential source of revenue for them. Why? Because the minute you have to do an outsourcing deal, they can extract huge licensing fees. So your first order of business is to look at those contracts and see what type of large material exposure does the FI have if it chooses to outsource. Are there penalties written into the agreement? Are there any extra licensing fees in terms of shifting from an internal environment to the service provider? That’s often a very, very dicey issue. What I tell clients at the beginning is: ‘if you are at a cycle where you are refreshing your software contracts, in other words renegotiating them, try to get an outsourcing license put in there – a clause or provision that will allow you to outsource if you have to.’ Your best leverage to do that as an FI is at the time you renew it. These contracts are typically worth many millions of dollars.

Part of that due diligence includes an analysis of all the contracts relating to those types of services. What do I have to do to take those services I want to outsource and transfer them over? There is literally a hundred-page checklist which I attempt to go through with clients to assess the risks involved in a deal from a legal perspective. It is a tedious process but the success of your deal in terms of structuring the RFP and knowing what you can represent to the service providers that are going to bid on your job – you really can’t go to them until you have that picture.

IT Focus: What other considerations do you recommend financial institutions leaning to outsourcing keep in mind?

Atis: I do want to emphasize that the legal role in this is an important role but it is not the only role. There’s the technology consultant that will be right in there at the due diligence phase doing an analysis of the company’s IT position and preparing either the RFP or some sole source document so the service provider knows what it needs to bid on. The lawyer can talk about the terms and conditions that can be included in the RFP to try to start aligning the service provider with the type of contract you want to see, but the technical aspects and size and capacity of mainframes, that’s where you need your technology consultant.

The other thing I would emphasize is these transactions are very high profile so they have to be sponsored and be understood at the very highest levels of the organization. Typically with an FI outsourcing, you will be dealing with C-level executives, possibly all the way up to the CEO and president; definitely the CIO and CFO would be very actively involved.

IT Focus: When should one get one’s lawyer involved when considering outsourcing?

Atis: This sounds self-serving but it is important to get legal counsel involved early in the planning of the deals, even if you’re using them for very limited purposes throughout the deal. There are two philosophies. There’s the philosophy of ‘let’s get the deal done and then give it to the lawyers to paper’ and then there’s the other philosophy of ‘let’s bring in the lawyers early to help structure the deal.’

You have to remember when the technology consultants go away and the CFOs and CIOs get back to routine, the last line of defence is your outsourcing contract. It has to be in a way that both protects the bank but is an operational document that the people administering it know what it is all about. So in order to get a quality legal document, it is my belief that you have to approach these deals in stages and you have to bring in legal advice at the beginning. I believe the earlier you get legal counsel involved even if it is for limited purposes in each phase, the better deal you end up with at the end of the day.

IT Focus: We haven’t talked yet about SLAs (service level agreements)…

Atis: The SLA is the essence of the deal. In a true outsourcing when you are transferring assets, you are putting a lot of faith in the [service providers] of the world because you are giving over all the assets you would typically keep to run all those services. Again it goes back to the quality of your contract. If you don’t get that right and you don’t take the time and you think it is only about economics or you focus on other areas, you could get into a lot of trouble.