Tech & Sourcing @ Morgan Lewis


As part of our Spotlight series, we spoke with Mike Pierides, the deputy leader of our technology, outsourcing, and commercial transactions team and a co-leader of our digital solutions industry team, on outsourcing in the financial services (FS) sector.

From an outsourcing perspective, what makes the financial services sector different from other sectors?

The FS sector continues to be at the forefront of outsourcing developments and innovation as it pushes into the uptake of cloud and AI, and is arguably the sector which was really the first mover in outsourcing (although I’m far too young to remember that). This makes it a very mature outsourcing sector, which comes with positives like a sophisticated understanding of outsourcing, but also some negatives, including significant and complex legacy systems which can make moving to new technologies challenging and expensive.

Regulation is also a key distinguishing factor to most other sectors, which has shaped many contracting approaches in the sector.

Tell us a little more about the regulatory framework.

To a large extent, the European Union, and the United Kingdom, have led the way with a number of outsourcing-related FS regulatory guidelines, built up over the last 20 years or so. There are now specific guidelines in place from the European Banking Authority, the European Securities and Markets Authority for investment companies, and the European Insurance and Occupational Pensions Authority—which are largely but not entirely aligned. The UK has similar rules in place.

The United States also has similar guidelines in place, at both federal and state levels. One of the most important developments in the US is the proposed “Guidance on Third-Party Relationships: Risk Management,” which has been issued for consultation by the board of governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency.

What do these regulations cover?

A key theme, for all regulators, is ensuring adequate controls for the institution and its regulators over the outsourced functions, so that they can oversee and audit them while they are in place, or terminate them and bring them back in-house or move them elsewhere if there are issues with the supply. Another critical topic to call out is information security. Ultimately, the regulations are about de-risking the use of a third party to provide a function of the institution.

The current direction is certainly for more, rather than less, regulation, and outsourced arrangements, or even SaaS and cloud-based arrangements such as CRM platforms, deal execution platforms, virtual desktop infrastructure, and so on are all coming within the remit of the regulations.

What is their impact on negotiating outsourcing contracts?

My experience is that outsourcing transactions in the FS sector are usually taking longer to negotiate. There is in general a good understanding across the industry, and also across the suppliers to the industry, of the issues that have to be addressed, but where there is a lack of understanding, or a cautious interpretation or even misinterpretation of the regulatory requirements, then this inevitably slows down negotiations.

The significant interaction required with small and medium-sized enterprises whose functions are subject to these regulations, in particular, perhaps in the context of infosec, also adds time and complexity.

The regulations can also act as a form of barrier to entry for new suppliers without the experience and knowledge of the FS sector.

Finally, you mentioned legacy systems and digital transformation; can you add a few words on these?

We have advised on a number of FS-related transformations as institutions such as banks or insurers look to move away from, or overlay, their core legacy systems to or with cloud-enabled or cloud-native solutions. Of course, these are business-critical activities, as FS institutions look to automate processes or use digital platforms to service and interact with their clients.

Digital transformation is also potentially high risk, and in a regulatory context in particular, any material downside impact to services during transformation will not be acceptable to the institution or its regulators. While the key challenges at one level may seem mostly technical —for example, ensuring the functionality of the new system aligns to the customer’s requirements, ensuring that data is mapped and transitioned without major issues—it is not usually the technology that fails. More frequently it is poor interactions between people, the teams at the customer and the supplier, which cause most issues.

The outsourcing contract, and its enforcement, are very powerful tools, perhaps the most powerful alongside senior leadership engagement, to motivate and incentivize appropriate behaviors on both sides. My view is that ensuring the contract deals holistically with the transformation plan and processes, with related change mechanisms and commercial incentives and disincentives, is essential to ensuring the success of transformation, and mitigating the institution’s risk of embarking on a transformation program.