Tech & Sourcing @ Morgan Lewis

As noted in our recent blog, business process outsourcing (BPO) providers are promising big savings and improved outputs tied to the design and implementation of digital solutions that will monitor, quality check, facilitate, and sometimes perform the applicable business processes.

Gone are the days when a company could outsource the “people” that perform a business process without considering, and likely including in the outsourcing arrangement, the digital enablement of the underlying workflows and activities.

The business process outsourcing (BPO) market is growing at an unprecedented rate as technological advancements transform traditional BPO models to keep up with evolving business needs. As BPO service providers implement and leverage technologies, such as cloud computing, robotics, data analytics, automation, and traditional and generative AI, to streamline processes and improve productivity and quality, digital transformation is becoming a common component—and selling point—for many BPO engagements.

UK financial regulators recently published their supervisory expectations for critical third party service providers (CTPs) to the financial sector under the United Kingdom’s new regime extending regulatory oversight to CTPs. The final rules align with key themes of other regulatory regimes seeking to reinforce operational resilience (e.g., the EU Digital Operational Resilience Act (DORA)) around risk management, supply chain management, and incident management, among other areas.

In the case of the ownership of intellectual property (IP) developed by a supplier as part of a service agreement with a customer, should the traditional position that the customer should own all developed IP always be the position agreed upon by the parties?

Use restrictions in software as a service (SaaS) agreements work in tandem with the scope of access and use rights provisions to clarify the scope of a user’s right to use a SaaS solution. These restrictions will be extremely important to the SaaS provider, however, consideration of such restrictions is also paramount for the users of the SaaS solution.

The UK Financial Conduct Authority (FCA) on October 31, 2024 published observations and key lessons from how firms responded to the CrowdStrike IT outage. The outage caused disruption across several industries globally, and the FCA highlights for UK financial services the importance of ensuring operational resilience in order to minimize the potential impact of future events on consumers and markets.

One of the commonly advertised features of AI is that it is beneficial for automation and increasing productivity. When a company considers improving its productivity and employing an AI tool, it will typically go through a contracting process with the service provider and assess the terms of use and associated risks for the business. But what happens if an employee presses on and starts using an AI tool that was not vetted by the company?

As we continue to see AI steadily and increasingly be incorporated into service offerings, businesses should pay special attention to previously “standard” provisions when contracting for the provision and use of services that incorporate AI. This is especially true considering there may be situations where service providers use AI at some point in the workstream without the recipient even realizing.

In our latest blog post on preparing for the EU’s Digital Operational Resilience Act (DORA), entering into force on January 17, 2025, we take a look at second-level requirements under DORA covering the classification and reporting of major information and communications technology (ICT) related incidents. These requirements will need to be addressed through operational risk management frameworks and contract remediation efforts with technology vendors.