Tech & Sourcing @ Morgan Lewis


In business process outsourcing (BPO) transactions, some of the toughest negotiation points often involve responsibility for compliance with applicable laws and regulations. If you have negotiated BPO transactions, you know that there is not an industry position that can be applied across the board on all deals. We find key determiners as to how responsibility is allocated to include the type and size of the transaction, whether the service is a “utility” or one to many model, the intended scope of the service offering, impact to fees (if any), vendor capabilities, and negotiating leverage.

When considering compliance with laws, at a high level we break the issue down into four components:

  1. Responsibility for monitoring applicable laws and regulations and changes thereto
  2. Responsibility for implementing process and system changes to comply with laws and regulations
  3. Responsibility for overseeing that the systems and processes are compliant, including fines and penalties for noncompliance
  4. The costs associated with each of the foregoing

The common argument for the vendor assuming compliance responsibility is that if the vendor wants to be in the XXX (name the business process) market, they need to understand and comply with the laws and regulations that are necessary to operate and manage the business process. On the other hand, vendors may argue that they are not a compliance or legal department but rather the provider of administrative services as directed by customers through standard operating procedures.

We have seen the issue resolved in many different ways, from

  • the vendor taking all compliance responsibility with respect to laws applicable to the services (note not “provision of the services”);
  • the vendor taking responsibility for a certain group of laws and regulations;
  • the customer taking monitoring responsibility with an obligation to inform the vendor how to comply, and then the vendor has implementation responsibilities (with the fees for implementation being part of the financial discussions);

to many variations of all of the foregoing.

It also is worth noting that in some instances, specific compliance responsibilities can be delineated in the scope documents (e.g., filing XXX document by XXX date or in compliance with XXX regulation), which is a way to at least handle specific regulations that are of particular importance.

It is critical when negotiating BPO transactions in particular to be clear as to who has responsibility for what compliance responsibilities, including monitoring and implementation. The liability provisions will typically follow who has responsibility as set out in the compliance section in the agreement.

Compliance is a tricky topic in BPO deals – developing a position early on (as early as the RFP and its responses) will help frame the issue as one of the gating topics to be negotiated.