Outsourcing Spotlight - Spring/Summer 2024

Welcome to the second edition of the Travers Smith Outsourcing Spotlight. With an election due in July, we look at the likely impact of a Labour Government on outsourcing in the UK. We also continue our focus on pricing, with a discussion of benchmarking and "best prices" or "most favoured customer" clauses. And we provide a round-up of outsourcing-related developments in areas ranging from AI, contract and employment law, through to financial services and pensions.

What impact would a Labour Government have on outsourcing?

The next UK general election is scheduled for 4 July. A lot could happen between now and polling day – but assuming the polls are right, what impact would a Labour Government have on outsourcing in the UK?

General business environment

It has been suggested that the current UK Government has sometimes exhibited a worrying lack of concern for the UK's reputation as a stable, well-regulated economy, where - by and large - business feels that it "knows what to expect". For example, last year's Retained EU Law Act was widely criticised for generating considerable uncertainty about numerous aspects of the UK's regulatory environment – and the Government's handling of post-Brexit border controls with the EU (which has been subject to repeated postponements and changes) is widely felt to have been sub-optimal. If Labour wins the next election, many businesses will be hoping for a return to "law-making as usual", which will take more account of the interests of "the regulated" and be less prone to abrupt changes of direction. Labour should have reasonably strong incentives to deliver on those hopes, partly because doing so would help it to differentiate itself from its predecessor in Government, but mainly because a stable regulatory environment will be essential if it is to achieve its key aim of improving the UK's economic growth.

That said, Labour has announced plans for major reforms to UK employment law; this is the area where a future Labour Government could, in our view, have the most significant impact on the outsourcing landscape in the UK. Some of these plans are explored in more detail below, followed by a discussion of Labour's likely approach to public sector outsourcing.

Day one unfair dismissal rights?

Labour plans to reform unfair dismissal laws by removing the qualifying period for claims, removing the limit on compensation and making the right available to all workers (not just employees). On the face of it,this last change would, for example, potentially extend unfair dismissal rights to casual workers on zero hours contracts. The proposals would have a significant impact on the number of people who could claim unfair dismissal and the potential cost to employers. Currently, only employees can bring unfair dismissal claims (not all workers) and only after they have clocked up at least two years' service with their employer (in most cases). Compensation is currently also capped (in most cases) at the lower of a year's pay and £115,115.

A key question is whether there will be any probation period during which it would be easier to dismiss on the basis of e.g. unsatisfactory performance - and if so, how long it will be. Recent press reports based on leaked documents suggested that Labour plans to allow "probationary periods with fair and transparent processes", but we have not yet seen any further detail on this.

Implications for TUPE transfers

Ending the employee/worker distinction could also have a significant impact on TUPE transfers, because workers would then fall within the scope of TUPE in the same way as employees. Currently the position of workers on a TUPE transfer is unclear, due to a 2019 Employment Tribunal decision that workers do fall within TUPE (contrary to previous understanding). The Government's recently published consultation on clarifications to TUPE ( section 4 below) proposes to amend TUPE to clarify that it only covers employees and not workers. Even if this change is made, the Labour proposals of a single status could bring workers back within the scope of TUPE. However, the leaked documents suggest that Labour expects to consult "in detail" on these changes and talks in terms of a "transition" towards single status (presumably instead of a "big bang"-style switch). Hopefully this indicates that Labour is mindful of the point made at the start of this article (i.e. the concern amongst businesses that the current Government has at times been somewhat dismissive of their views) – although unions are reported to have pushed back against aspects of the leaked draft seen as "watering down" Labour's commitment to take action within the first 100 days.

Banning zero hours contracts

Labour plans to ban zero hours contracts, although the leaked document talks in terms of banning "exploitative" zero hours contracts (rather than all such arrangements) and "ensuring everyone has the right to switch to a contract that reflects the number of hours they actually work, based on a twelve-week reference period". This suggests that there may be more flexibility than the headline announcement of a "ban" would imply - and that staff who wish to remain on zero hours arrangements could choose to do so. However, union leaders are reported to have pushed back against any watering down of the original commitment to ban zero hours contracts. As a result, until we get more detail on the specifics, businesses should not assume that they will be able to keep staff on zero hours contracts in the event of a Labour victory.

Other proposed employment law changes

Labour's plans also include the following:

• strengthening collective bargaining and trade union rights;
  
• introducing a "right to switch off" and work autonomously;
  
• improving family friendly rights by extending maternity and paternity leave, and reviewing shared parental leave;
  
• making it unlawful to dismiss a woman who is pregnant or on maternity leave, or for six months after her return, except in specific circumstances;
  
• making flexible working a day one right for all workers; and
  
• introducing mandatory ethnicity pay gap reporting for employers with over 250 staff.

Public services: will Labour continue to outsource?

So far as we are aware, Labour has said very little about its attitude towards outsourcing by the public sector, beyond indicating that it would like to give more contracts to SMEs (see page 14 of this document – but note that the current Government would probably say that it shares that aim). Instinctively, Labour is likely to be more enthusiastic than the current Government about taking the operation of certain outsourced public services back "in house". For example, it proposes that as contracts with current passenger rail operators expire, those services will be taken back under the umbrella of GB Railways. However, whilst the same approach could be used elsewhere (e.g. where there has been serious under-performance over a sustained period), the reality is that doing so on any significant scale would be a huge, costly and challenging undertaking. In practice, a Labour Government would almost certainly continue to rely heavily on private sector providers in order to deliver public services – indeed, there may be new opportunities in some areas if increased funding becomes available to deliver key Labour priorities, in areas such as housing, energy, infrastructure and education.

A Labour Government would also inherit a new legislative framework in the form of the Procurement Act 2023 (due to "go live" on 28 October 2024). In our view, there is likely to be limited appetite for further major reform or upheaval in terms of the legal regime. Instead, the emphasis is likely to be on making the existing system deliver better outcomes for taxpayers.

"Buy British" and social value

So what changes are we likely to see? Labour's "New Deal for Working People" states that it will "make, buy, and sell more in Britain to raise standards, awarding more public contracts to British businesses and bringing the jobs of the future to the UK."

If Labour adopted an explicit "Buy British" policy, this could put it in breach of its obligations under the WTO Government Procurement Agreement. Instead, Labour may look to encourage more extensive use of "social value" criteria when inviting bids for outsourcing work - and its reference to "British businesses" may be interpreted quite widely as effectively encompassing any business which employs significant numbers of people in the UK (even if the business itself is not actually British-owned).

Stephen Whitfield, Partner

A tougher line on exclusions

More generally, the new regime will also allow the next Government to take a harder line on excluding bidders from future contracts:

Stephen Whitfield, Partner

Focus on pricing: benchmarking, "best prices" and currency fluctuations

Whether you're typically a customer or a supplier in an outsourcing context, pricing looms large in negotiations. It can be particularly challenging where the arrangements are longer term, because both parties are likely to be concerned about being locked into a pricing arrangement that seemed like a good deal at the time – but quickly gets overtaken by developments such as inflation or new offerings from competing providers of equivalent services.

In the last edition of Outsourcing Spotlight, we looked at different approaches to dealing with high inflation, including indexation clauses and the pros and cons of open book vs closed book pricing. This time, we focus on mechanisms that parties can use to provide assurance that they are still "getting a fair deal" (both in terms of the customer achieving value for money and the supplier being able to achieve an acceptable profit margin).

Best prices or "most favoured customer" clauses

Contractual assurances that a supplier will keep pricing in line with the best prices that it offers to other customers for equivalent services may be attractive to customers – but suppliers are likely to resist this, particularly for more complex outsourcing arrangements, where factors specific to the customer may justify price differentials. Suppliers will want to think carefully about how to define a comparable customer and whether, for example, there should be a de minimis level where a pricing difference of say 5-10% is not stated not to be a breach.

Customers, meanwhile, should ask themselves how they expect to ensure compliance with the obligation. We would advise strongly against talking to your competitors about what they are being charged, because this is often likely to give rise to a significant risk of breaching competition law – potentially leading to enforcement action and substantial fines. Whilst audit clauses could assist here, they would probably need to involve a third party so as to minimise the competition risks. For more discussion, see our briefing "Best prices" or "most favoured customer" clauses: key issues for customers and suppliers.

Benchmarking

Benchmarking is inherently more involved than "most favoured customer" obligations, which has contributed to its reputation for being costly and complex, particularly compared with other pricing mechanisms. On the other hand, it also allows for rather more refinement and nuance than a "best prices" approach, recognising that pricing does not exist in isolation. That should also make it a less adversarial and more collaborative exercise. In our experience, it is worth considering in the context of long term, higher value outsourcings where there is a recognition that prices will need to change but also a desire to minimise the risk of damage to the parties' commercial relationship from that process. For more discussion, including a checklist of key commercial and drafting issues to address, see our briefing: Benchmarking clauses: getting the balance right.

Price-matching rights

Although relatively unusual in the context of outsourcing, price matching rights may be worth considering as an alternative to both "best prices" obligations and benchmarking. Price-matching would normally involve the customer being able to seek offers from alternative providers (usually at specified junctures during the term of the contract). If it finds a better offer than its existing deal, it would have a right to switch provider unless the incumbent can match the alternative offer. It can therefore be said to involve an element of "market testing", similar to benchmarking. However, price-matching exercises have a tendency to become contentious e.g. the incumbent may complain that the customer is not comparing "like with like" – so the definition of what constitutes a matching offer is critical. See further our briefings on disputes between Rangers FC and Sports Direct and Liverpool FC and New Balance.

Currency fluctuations and offshoring

Finally, returning to the topic of external developments such as inflation which can cause problems with pricing, it's worth considering the impact of currency fluctuations – particularly where offshoring is involved. As we explain in our briefing Pricing and payment clauses: who bears the risk of currency fluctuation?, the usual rule is that the risk of currency fluctuation is typically borne by the payor – so if pricing is not in sterling, but the currency used by the offshore outsourcing provider, the customer will bear the risk.

Offshoring: dealing with the impact of currency movements

In practice, most UK-based customers are likely to insist on pricing in sterling. However, problems may still arise if, for example, sterling were to drop in value against the currency used by the offshore service provider to pay its staff. This may undermine the financial viability of the deal for the provider, leading to a deterioration in performance and potentially a breakdown in relations. Whilst it could be argued that this is fair enough - because the provider took the risk of currency fluctuations - the fact remains that currency movements are usually outside the control of either party. In view of this, it may sometimes be preferable to recognise the threat that currency movements pose to the commercial viability of an outsourcing and seek to agree upfront what should happen if the impact of those movements is particularly severe.

AI update: what's the latest on regulation and how will it affect outsourcing?

With an election coming up in July, regulation of artificial intelligence in the UK is currently in a state of flux. The approach to date – as recently confirmed by the current UK administration in the response to its March 2023 White Paper - has been as follows:

• Flexible approach based on existing law: Overall, the current UK administration Government has taken the view that a non-statutory, context-based approach to regulating AI is the best way forward because it offers "critical adaptability". Instead of legislation, regulators in areas such as data protection, financial services or competition law are being asked to produce guidance on their strategic approach to AI.
  
• Regulators to watch: From an outsourcing perspective, the regulators to watch are likely to be the Information Commissioner's Office (personal data), the Equality and Human Rights Commission (bias and discrimination) and – depending on your industry focus – sectoral regulators such as the Financial Conduct Authority, Ofgem or Ofcom.
  
• Extra funding: Following concerns that many regulators had no dedicated AI governance specialists, the current UK administration has committed to providing an additional £10 million in funding to support the development of AI-related regulatory capacity. This is welcome but to avoid leaving gaps in the UK's regulatory framework, regulators will also need to work hard to coordinate their various responses to the challenges posed by AI.

However, if the Labour Party were to form the next UK Government, we could well see changes to this approach. Labour appears to be more open to legislating on AI and may want to consider additional statutory protections around issues such as employee rights (see, for example, the draft AI (Regulation and Employment Rights) Bill being promoted by the Trades Union Congress), bias and discrimination. That said, economic growth is likely to be a key priority, which may make it cautious about over-regulating what is still in many respects an emerging technology.

Where could we (ultimately) see legislation?

• General purpose AI (GPAI): one danger of the current "patchwork" approach based on existing regulation is that the risks posed by GPAI could still "fall through the cracks" – perhaps because regulators fail to adopt a sufficiently "joined up" approach. Both the current UK administration and the Labour Party have stated that GPAI is likely to require a legislative response.
  
• Liability: Another area in which legislation may ultimately prove to be necessary is the question of how to fairly and effectively distribute legal responsibility across the supply chain – but for the time being, contracts are likely to be the key mechanism for regulating this aspect with regard to outsourcing transactions.
  
• Copyright: Government-sponsored attempts to agree a voluntary AI Copyright Code were abandoned in February. The concern here is that intellectual property rights, especially copyright, are being undermined by unauthorised use of data for training and deployment of AI. The Government's lack of progress in this area (and for effectively passing the buck to the courts) has been heavily criticised by a recent House of Lords' report and a new government could conclude that it has to legislate. For more discussion of this area, see our briefing: AI tests intellectual property boundaries.

What about the EU?

The EU continues to take a different approach from the UK, based around legislation. Its AI Act has now been approved by the EU Council of Ministers and is expected to be brought into effect in stages over the next 2-3 years. However, given the longer term nature of many outsourcing transactions, parties looking to include an AI-based solution will want to ensure that whatever system they deploy is likely to pass muster under the legislation. Obviously the Act will not be part of UK law, but it is likely to affect outsourcings implemented in the UK where, for example, the output of the AI system is going to be used by e.g. customers in the EU.

The EU AI Act: a brief overview

The regime set out in the EU AI Act is much more detailed and prescriptive than the UK's approach:

• Certain uses prohibited: AI systems deemed to pose "unacceptable risks" are prohibited outright. These include systems for social scoring, harmful behavioural manipulation, real-time biometric identification systems in public spaces by law enforcement (except in limited circumstances), predictive policing, emotion recognition systems in law enforcement, border management, workplace, and educational institutions and scraping of biometric data from social media or CCTV footage to create facial recognition databases.
  
• High risk systems: Systems deemed to be "high risk" systems be subject to a prior registration regime and will need to pass conformity assessments before deployment. They will also be subject to fairly stringent obligations relating to risk management and appropriate human oversight. High risk systems are those that can have a negative impact on safety or fundamental rights, for example, systems used in, or that are a product subject to, EU product safety legislation, systems used in the management of critical infrastructure, or in employment and HR management, or that influence access to essential services, education or training.
  
• Limited risk systems: A third tier of "limited risk" AI systems will be less tightly regulated and are mainly subject to transparency requirements, for example, chatbots.

AI systems which fall outside these categories are unregulated.

More information

For more discussion of AI and its implications for outsourcing, see:

• A 3 minute primer on AI and outsourcing – partner James Longster provides a bite-sized checklist of the key points to watch out for
  
• Outsourcing Spotlight Autumn 2023 – includes discussion of the key risks to consider when deploying AI systems as part of an outsourcing
  
• Smarter AI Regulation, our series of briefings on the legal aspects of AI, including the general regulatory framework, data protection and IP

Contract law roundup: liability, the 2019 Hague Convention and arbitration reform

Liability (1): beware blanket exclusions, especially when they're mutual

Many outsourcing contracts contain blanket exclusions of certain types of loss, such as loss of profits – and sometimes the parties also agree that such clauses will be mutual (so both service provider and customer benefit from the same exclusion). But a recent dispute between EE and Virgin Mobile highlights the significant impact such provisions can have on a party's remedies for breach – especially where the clause is reciprocal.

The key lesson of the case for outsourcing service providers is that although a blanket exclusion of certain types of loss will normally be to your benefit, you need to be alive to the implications if you agree that the clause will be mutual. In this particular case, it resulted in EE (the supplier) being unable to obtain damages for breach of an exclusivity obligation in its favour – which is probably not what EE intended (but the court ruled that this was what the contract said). From a customer perspective, the case is simply a further reminder of how blanket exclusions can severely constrain your ability to recover damages for breach. For more detail, see our briefing: EE v Virgin Mobile: reciprocal liability clause prevents damages claim for breach of exclusivity.

Liability (2): when do you need to worry about UCTA?

It is relatively rare for contractual limitations of liability to fall foul of the Unfair Contract Terms Act 1977 (UCTA) – so you could be forgiven for thinking that businesses don't need to be too concerned about the legislation, particularly in relation to heavily negotiated outsourcing transactions, where both parties are well advised. But a recent ruling by the Court of Appeal challenges some commonly held assumptions about UCTA and may mean that it becomes more of an issue in future – particularly for suppliers using standard terms. From an outsourcing perspective, this is most likely to be a concern for providers of services such as certain types of business process outsourcing, where the market is based around more standardised offerings (hence the tendency to rely more on standard terms, rather than more heavily negotiated agreements tailored to a customer's particular needs). For more detail, see our briefing: Liability: has the Court of Appeal breathed new life into UCTA?.

Jurisdiction clauses and enforcement of judgments: impact of signing 2019 Hague Convention

In January 2024, the UK Government signed the 2019 Hague Convention on the Recognition and Enforcement of Foreign Judgments in Civil and Commercial Matters (Hague 2019), a framework of rules facilitating the recognition and enforcement of civil and commercial judgments between contracting states. The contracting states to Hague 2019 are currently all EU member states except Denmark, plus Ukraine and Uruguay.

The most important benefit of Hague 2019 is that it will, subject to certain carve outs, apply to English civil court judgments arising from disputes governed by non-exclusive or asymmetric English jurisdiction clauses (or indeed not governed by a jurisdiction clause at all). This will allow UK parties to agree non-exclusive or asymmetric English jurisdiction clauses in contracts with parties from other contracting states, in the knowledge that qualifying English court judgments arising from those clauses should as a matter of Hague 2019 be enforceable in those states – including, importantly, in all EU member states (except Denmark). As such, it improves on the position under the 2005 Hague Convention, which only assists as regards recognition and enforcement of judgments arising from disputes governed by exclusive jurisdiction clauses. This development is therefore of particular importance to cross-border outsourcings where one party is based in the EU (except Denmark).

Hague 2019: what's the catch?

Hague 2019 is not yet in force as regards the UK. It first needs to be ratified by the UK (which hasn't happened yet). There will then be a twelve-month period before it comes into force between the UK and the EU – so realistically it will probably only do so from sometime in 2025 (possibly later if ratification does not take place this year). During the 12 month post-ratification period, it is also at least theoretically open to the EU to lodge an objection to it doing so – albeit that this is thought to be unlikely. It is, however, worth noting that the application of Hague 2019 does not depend on when a relevant jurisdiction clause was entered into – it will apply to proceedings started after it entered into force for both the state in which a judgment originated and the state in which that judgment needs to be enforced, regardless of when the jurisdiction clause was concluded. For more detail, including a reminder of what has happened as regards jurisdiction clause and enforcement of judgments post-Brexit, see our briefing: UK signs Hague 2019 convention – what are the implications?

Reform of the UK legislative framework for arbitration

On 6 September 2023, the Law Commission issued its Final Report and Bill on the proposed amendments to the Arbitration Act 1996 (the "Act"). The UK Government had tabled an Arbitration Bill, which had been expected to enter the statute books later this year. With a UK election taking place on 4 July, however, this now looks unlikely. Much depends on whether the next Government brings it back before Parliament (where it will have to start the legislative process all over again). If it does, the Bill will be the biggest reform of the UK arbitration landscape for almost 30 years – so if arbitration is your preferred dispute mechanism for outsourcing transactions, we strongly recommend taking a look at our briefing: Law Commission Review of the Arbitration Act 1996: Key Areas of Review and Recommended Change.

HR roundup: TUPE, pay transparency, umbrella companies and new laws on sexual harassment, flexible working and holiday

More changes to TUPE

The Government has published a consultation on clarifications to TUPE which proposes making amendments to:

• confirm that TUPE only applies to employees, and not to the wider category of "workers" (to end the uncertainty arising from a 2019 Employment Tribunal decision that TUPE extends to workers); and
  
• provide that where a contract is outsourced to multiple providers, the providers will be required to agree between them which business is responsible for which employee (in response to a 2020 ECJ decision that, on an outsourcing to two providers, an employee's full time contract had to be split between the two providers).

However, if there is a change of Government following the UK election in July, it remains to be seen whether these changes will go ahead.

Beware umbrella companies in your supply chain

So-called "umbrella companies" are used to facilitate provision of staff without the "end user" business having to take them on as employees. Such arrangements can be highly beneficial to outsourcing service providers with a fluctuating demand for staff, as they allow for increased flexibility compared with engaging staff as employees. As the individual's employer, the umbrella company is required to deduct income tax and NICS from salary payments it makes to them. In some cases, individuals may also be required to provide their services through an umbrella company operated by the employment agency which they have signed up with.

Umbrella companies: what's the problem?

Notwithstanding their advantages in allowing businesses to respond to fluctuating demand for staff, HMRC has become concerned about potential abuse of umbrella companies; for example, it is concerned about some umbrella companies paying individuals their salary gross, without deductions for basic rate income tax or NICS. The key point for "end user" businesses to be aware of is that if they have more "dubious" umbrella companies in their supply chain, they may find themselves in HMRC's sights. Not only does this carry reputational risk, but they could even be prosecuted for failure to have adequate procedures to detect non-compliant umbrella companies in their supply chain. "End user" businesses should also be aware that there are circumstances in which they could (under existing or proposed law) become liable for the tax and NICs due on the worker's services. For more detail, see our Talking. Sustainability. podcast on umbrella companies, part of our Good Governance series.

Pay equality and transparency

The UK already has mandatory gender pay gap reporting for large employers (250+ employees). A new EU Pay Transparency Directive will introduce an EU-wide gender pay gap reporting regime from 2026, with stronger enforcement mechanisms. If there is a gender pay gap of 5 percent or more, employers will be required to conduct a joint pay assessment with their workers' representatives and EU member states will be required to introduce penalties for employers that break the rules. While the Directive will not apply in the UK, UK businesses with operations in Europe may be caught. The Directive will initially require annual reporting for businesses with 250+ employees and reporting every three years for businesses with 150+ employees. In the UK, the Government is encouraging voluntary ethnicity pay gap reporting and a Labour Government would introduce mandatory ethnicity and disability pay gap reporting for large businesses.

New sexual harassment duty

From 26 October 2024, employers in the UK will come under a new positive duty to take reasonable steps to prevent workplace sexual harassment. This new duty will apply to all employers regardless of their size or sector. Failure to comply could expose the employer to an uplift in compensation of up to 25 percent in a successful claim or – even where there is no claim – potential enforcement action by the Equality and Human Rights Commission (EHRC).

The EHRC is updating its statutory guidance to take account of the new duty but employers should begin preparing now by reviewing anti-harassment policies and training, thinking about implementing a standalone sexual harassment policy and also considering a wider culture audit to identify risk areas. For more information, please see our briefing on the new duty.

Flexible working and family friendly changes

On 6 April 2024, a number of changes to flexible working and family friendly rights came into effect, including the right to request flexible working becoming a "day one" right. Employers should ensure their flexible working and family friendly policies are updated to reflect the changes. For more details of the changes see our January 2024 Employment Update.

Holiday entitlement and pay

A number of changes have come into force in relation to holiday entitlement and pay for holiday years starting on or after 1 April 2024 (following on from a previous raft of changes introduced on 1 January 2024). The latest changes affect workers with irregular hours (such as casuals, zero hours workers and agency workers) and workers who work part of the year (such as term-time workers). For such workers, holiday will now accrue at the rate of 12.07 percent of hours worked and employers will be allowed to pay "rolled up" holiday pay, by including an element for holiday pay in the worker's hourly rate. Employers may wish to review their policies and practices on holiday and holiday pay in view of the above changes. Our November 2023 Employment Update has more details.

NICS reduction

Finally, a reminder that from 6 April 2024, the main rate of Class 1 employee NICs, charged on annual earnings between £12,570 and £50,270, was cut from 10% to 8%. When combined with the 2% cut that took place at the start of the year, this represents a one-third reduction in the 12% rate that previously applied. However, the rate of Class 1 employer NICs on earnings above £9,100 per year will remain unchanged at 13.8%.

The main rate of self-employed Class 4 NICs, charged on annual profits between £12,750 and £50,270, had already been reduced to 8% for the 2024/25 tax year but was cut even further in the Budget to 6% from 6 April 2024. The requirement for self-employed individuals to pay Class 2 NICs, charged at £3.45 per week, ended from 6 April 2024. In the Budget, the Government announced that it would launch a consultation later in the year to fully abolish Class 2 NICs, but it remains to be seen whether this will be pursued if there is a change of Government following the election in July.

Pensions dashboards: an outsourcing checklist for pensions schemes and administrators

UK pensions schemes and personal pension providers are facing upcoming deadlines to connect their systems to a centralised "pensions dashboards" ecosystem, allowing people to see all of their future pension entitlements online, in one place, via one of a likely range of dashboards providers.

The ultimate deadline for connecting is 31 October 2026 but schemes are required by law to have regard to government guidance and that guidance sets out (among other things) a range of earlier expected connection dates. The applicable date varies by reference to scheme type and size. The earliest is 30 April 2025. Whilst some schemes' deadlines are some way off, schemes and their administrators have a sizeable "to do" list, as explained in our briefing on pensions dashboards more generally: 10 actions for getting to grips with pensions dashboards.

Impact on outsourcing in the pensions sector

Most schemes will require input from third party administrators and/or software providers to ensure they can meet the new dashboard requirements. In particular, schemes may need assistance in establishing access to scheme data via the dashboards, developing search functionality and ensuring that new systems and processes are appropriate and robust.

In the first instance this is likely to involve conversations between schemes and with their administrators and software providers to explore project plans and identify any additional resource or support requirements and any need for further expertise to be brought in. A key part of this assessment will be a review of the terms of existing outsourcing contracts to ensure they remain fit for purpose once the dashboards regime is in place.

Checklist of key contract review issues

As a minimum, the review of an outsourced administration contract should cover the following:

• Service descriptions – are these sufficiently broad to capture the transition to dashboards and compliance with the regulatory framework? Even if the answer is yes, should service descriptions be updated to reflect the detail of the regime or a change to existing practice?
  
• Service levels – should existing KPIs be updated (or supplemented) to align with:
  
  • regulatory obligations in relation to the quality of data and acceptable response times?
    
  • new standards and guidance issued by the Money and Pensions Service or the Pensions Regulator, including obligations to retain management information (see also Action 9 (Record keeping and reporting) in our detailed briefing)?
    
  • changes to the scheme's own risk management processes or other policies?

Any updates need to be realistic, both in view of the provider's resources and technological expertise and the likely uptick in member requests (see also Action 5 (Preparing to engage with members) in our detailed briefing).

• Cost allocation – what are the costs of providing any new services? Does the contract provide any guidance on how the costs should be allocated between the parties and/or any associated protections (e.g. caps, benchmarking rights)? How could the costs change as the regime evolves?
  
• Liability – how will the risks associated with the new regime (e.g. regulatory fines or other costs associated with any breach) be allocated between the scheme and the provider? What steps should the parties take to mitigate the risk of any such liabilities arising?
  
• Implementation – is the provider planning to use a third party solution or develop its own in-house? What milestones or other controls should be in place to give the trustees confidence that the implementation project is on track and that development work will not compromise service standards in the meantime?
  
• Data – What new data protection and cyber security risks will arise under the new arrangements and how will these be addressed and apportioned (see also Action 7 (Data protection and cyber security?) in our detailed briefing)?

By their nature, any changes to the outsourcing arrangements will need to be made in collaboration with the service providers. Trustees should engage with administrators and IT suppliers at an early stage to understand their technical proposals for connecting to the dashboard ecosystem. The Pensions Regulator has warned trustees that "[w]hile you can use third parties to help you meet your duties, you will ultimately remain accountable for ensuring that your scheme is connected to dashboards on time and that you are (and remain) compliant with the requirements."

What if administration is transferring or the current outsourcing is being re-tendered?

Schemes that are changing administrator or are contractually required to retender the administration of the scheme will also need to consider how this could affect their ability to comply. The Government guidance recognises that such a change may make it "excessively burdensome" to connect to the pensions dashboards ecosystem by the dates set out that guidance. The Government also acknowledges that, provided that connection is completed by 31 October 2026, the law does not require schemes to make a formal application to defer if they do not believe it is possible to connect by the dates set out in the guidance, owing to a change of administrator. It nevertheless recommends that schemes communicate their plans with the Pensions Dashboards Programme and the Pensions Regulator at the earliest opportunity.

Regulations also allow schemes some flexibility to apply to defer the connection deadline of 31 October 2026 by up to 12 months where both the following conditions are met:

• it would be disproportionately burdensome (or would put the personal data of members at risk) to comply; and
  
• this is due to a procurement process for a new administrator (or administration system) which had begun before 9 August 2023.

However, that extension is unlikely to be granted where the incoming administrator is already "dashboard-ready". The Government has issued guidance on applying for a deferral. The latest date for making such an application is 8 August 2024.

Financial services: EU and UK tighten regulation of outsourcing

As we reported in the last issue of Outsourcing Spotlight, the UK has been looking at expanding the scope of financial services regulation to encompass "critical third parties" – which would include some businesses providing outsourced services to customers in the financial services sector. More detail on those proposals has now been published and whilst the number of service providers expected to be designated as third parties is small (the Government estimates in the region of 20-30 providers), the compliance obligations involved are potentially onerous and costly (the Government estimates the cost as being £600k-£900K for implementation and ongoing costs of £500K – but these could prove to be conservative). As noted previously, this may prompt certain providers of outsourced services to raise their prices in response to the increased regulatory burden. For more detail, see our briefing Situation critical: Proposed new rules to regulate Critical Third Parties.

What's the timing of the new UK regime?

HM Treasury published a recent paper describing a timeline for the designation process of roughly six months, which implies that the first designations will happen towards the end of the year. We find it mildly surprising that the major cloud service providers – as the obvious targets of the policy – cannot be designated more quickly than that. However, as this is a new process, it appears that HM Treasury would rather take the time to ensure that the process can be done thoroughly and correctly.

What's the EU doing on outsourcing and financial services?

Meanwhile the EU has also been active in this area; the Regulation on Digital Operational Resilience (DORA), which will apply from 17 January 2025, imposes new obligations on EU-regulated financial entities to better manage the risks from their use of outsourced IT service providers. In addition, like the UK critical third parties regime, it also imposes obligations directly on some providers of outsourced services; in very broad terms, this will involve a similar designation regime to the proposed UK regulations outlined above. That said, there will be some differences. Aside from DORA being extremely prescriptive in the way firms must comply, the major difference for third parties is that the bar for designation in DORA is expected to be lower, and the UK test is certainly tied more clearly to major systemic risk. For more detail, see our briefing: DORA: time to review your ICT contracts.

How big a deal are these measures?

The most novel aspect of these measures is the move to give financial services regulators powers to regulate providers of outsourced IT services directly; providers with large numbers of customers and/or significant market shares should look carefully at whether they are likely to be in scope (and if so, they will face a substantial additional compliance burden). However, the reality is that the threshold for this has been set fairly high and the majority of IT providers to the financial services sector are unlikely to meet it. Despite that, they are still likely to be affected by these measures. In particular, we would highlight the following points:

• DORA is already prompting many financial services providers to review their outsourced IT services arrangements across the board. This in turn is likely to require amendments to those arrangements to ensure compliance with DORA. Indeed, the amount of detailed work required means that some jurisdictions are already indicating in private that they will struggle to meet the deadline.
  
• More generally, both the UK and EU measures highlight the importance which financial services regulators attach to third party risk management; the general direction of travel is in favour of more stringent requirements, which is likely to prompt financial services customers to become ever more demanding of IT providers in the name of protecting their own regulatory position.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.