
Back to basics – an outsourcing primer for compliance officers at private banks

Sandra Lawrence, Collas Crill, Executive director, Guernsey, 16 December 2019


Outsourcing arrangements can be an efficient and effective way of subcontracting a business activity to an external third party, perhaps because of a dearth of resources, knowledge or IT infrastructure. However, the risks that they present should not be underestimated; a business is only as strong as its weakest link and remains accountable for all its contractors' actions, both good and bad.

Depending on the nature and scale of the arrangement, the contract should also cover matters such as:

  • client confidentiality;
  • IT security;
  • fees and arrangements;
  • liability in the event of transgressions or underperformance;
  • guarantees and indemnities;
  • the third party's obligation to provide relevant records to the business, regulators or auditors;
  • dispute resolution protocols;
  • business continuity obligations;
  • the choice of law; and
  • the termination of the contract.

Data and cyber security; business continuity

As we said earlier, a supply chain is only as strong as its weakest link. The service provider is almost certainly exposed to the risk of a data or cyber-security attack or general problems that affect its business infrastructure and operations, such as floods or the failure of a telephone system.

In addition to the contractual provisions we have mentioned above, the compliance officer must put practical measures and safeguards in place to protect confidential data that is stored on his firm's systems. Owing to the digital nature of the age in which we live, data and cyber-security attacks are inevitable. The compliance officer should ask the provider to swear that it has identified its weaknesses and set up effective controls to deal with the risks. He should ask it to testify to the fact that its data and cyber-security response plan is comprehensive and is reviewed and tested regularly. He should also ask it to avow that its business continuity/disaster recovery plan is comprehensive and resilient and that somebody is reviewing and testing it regularly. He should demand to know when the last test was conducted, whether there were any adverse findings and whether the third-party firm has done anything about them.

The third party may feel reluctant to give other companies specific details about its weaknesses, but the compliance officer must at least persist in asking for confirmation from its most senior officers that it has carried out tests and resolved all the problems.

Confidentiality

The compliance officer must determine whether the third party in question is a data controller or processor (as defined in the European Union's General Data Protection Regulation) and, if necessary, ensure that it has effective ways of guaranteeing data privacy. The GDPR states that the data protection standards to which the outsourcer's jurisdiction adheres must be 'adequate.'

In the event of a data breach (an EU term that pertains to any mishandling of data that contravenes the GDPR), the compliance officer must ensure that he has procedures in place to report problems to the authorities as soon as he has identified them. The business may have to report the breach to its own data-protection authority and the data subjects (people on whom it or its contractor hold information) and strict reporting timeframes apply here. He must ensure that the third party does not cause the business to breach its own obligations to report various things.

If the third party has access to other confidential information, such as intellectual property, the compliance officer must ensure that it is clear that nobody should be allowed to misappropriate it.

Termination of the relationship

Both parties must be able to terminate the contract in a timely and orderly manner, especially if it has been breached. One might expect a contract to be null and void in its entirety once breached, but some clauses can survive such an event (known as 'termination for breach'), especially those that concern confidentiality. Alternatively, it is often possible for the wronged party (in this case the private bank that has received some bad service) to tell the contractor that the contract is terminated but nevertheless to ask it to keep providing the sub-standard service during a period of transition. The contractor often agrees to this because it can still earn some money from the continuation. This gives the customer-firm enough time to teach internal staff new skills or to find a suitable replacement.

Concentration of outsourcing

The compliance officer must ensure that the third party has enough resources and capacity to fulfil the objectives that he has set it in the service-level agreement. He must look for signs that it is struggling, must communicate with it proactively to find out whether a given problem stems from internal resourcing or from infrastructure, and must find out whether it is doing anything about it.

The compliance officer ought to impose these controls on both regulated and unregulated businesses, such as accountancy firms or estate agents. He must remember, at all times, that his firm's reputation is on the line.

* Sandra Lawrence can be reached on +44 1481 734808 or at sandra.lawrence@collascrill.com
