The Future of Regulation: More, Not Less, Scrutiny
- United States
- 12/13/2007
- Morgan, Lewis & Bockius LLP
For better or for worse, regulators are thinking a lot about outsourcing. Whether it is industry-specific regulators, such as the Comptroller of the Currency, self-regulatory organizations such as the National Association of Securities Dealers, or process-specific regulators such as the data authorities in the EU, the trend has been toward more rather than less regulation of outsourcing relationships. Regulators recognize that in an outsourced environment, it is harder for the regulated business to consistently impose its regulatory compliance criteria and to make certain that they are being maintained. The regulators in regulated industries such as banking and pharmaceuticals are increasingly concerned that when service providers are outside of their direct jurisdiction, they lose the ability to instantly audit the processes of a regulated entity to determine whether the regulated entity is compliant with standards. This, they feel, waters down some of the prophylactic effect that is brought about by concern with regulatory involvement.
Companies in regulated businesses have long had to deal with and accommodate their “vertical” regulators. As a result, within financial services and pharmaceutical companies the organization is culturally aware of the importance of taking regulatory concerns seriously. So, to the extent that additional regulations are layered upon them by their existing regulators, the additional regulations, while sometimes annoying and potentially costly, will not really alter the way these companies think about their risks and how they contract with their outsourcing service providers.
But even for these companies, the more “horizontal” types of regulations (e.g., Sarbanes-Oxley) require different ways of addressing them.
The regulatory and compliance functions within these institutions do exist so that these horizontal regulations can be assimilated into the organizational culture. However, for these horizontal regulations, a company’s risk-management group will have to inform, educate and audit a broader swath of the organization, and consider approaches toward dealing with the consequences of non-compliance.
Take a commercial bank regulated by the Comptroller of the Currency. The bank is accustomed to implementing, and then being examined against, the instructions of its regulators. So, to the extent that such regulations impose additional due diligence requirements on a bank that is thinking about entering into an outsourcing transaction, the bank will have a basis for dealing with these new vertical regulations. With new horizontal regulations, however, the institution may not be quite prepared to deal with them.
The scope of the Health Insurance Portability and Accountability Act (HIPAA), for example, is broader than that of the vertical regulations. Also, the consequences are different. With the vertical regulations, the institution is generally subject to regulatory action (although shareholder suits are possible). While HIPAA does not allow for a private right of action, the institution will have to deal with enforcement contexts with which it may be unfamiliar.
These principles apply even more to entities that are not accustomed to regulation. Such entities do not generally have procedures in place to identify, recognize and enforce regulatory mandates — particularly those that do not directly affect their operations. Say that an automotive products company outsources its finance and accounting operations to an offshore service provider, and does not sufficiently protect the accounts receivable history of an EU individual with whom it is doing business. That company may be surprised to learn that it has violated EU standards, and if it is subject to the EU regulators it will scramble to come up with a response.
The area of privacy controls is one where many companies may face unanticipated costs. Say, for example, a tape containing the personally identifiable information of 100,000 individuals “falls off of the back of a truck” belonging to the outsourcer (this actually happens!). Under many state-notification laws, the company must send notice to the individuals potentially affected. The notice itself, dealing with the publicity and reputational damage, and dealing with regulators and the individuals after notice, all cost money.
In the financial-services industry, and in other industries, the law sometimes requires that the company provide credit reports for a year to the individuals affected to ensure that their identities have not been impaired as a result of the loss of personally identifiable information. Those credit reports come at a cost of at least $100 per notice, resulting in a loss to the company of $10 million for 100,000 people. Is the company prepared to negotiate additional penalties with the regulators and to absorb all of that loss — possibly influencing the returns that it anticipated obtaining from the outsourcer?
The point of all of this is that, whether offshore or onshore, the confluence of increased regulation and increased outsourcing will result in increasingly intense scrutiny by regulators of outsourcing relationships. Companies in regulated industries have experience and some base mechanisms for dealing with this. Companies that are not in regulated industries need to be particularly cognizant of these trends (especially before entering into seven- to 10-year outsourcing contracts), anticipate the proper cost and risk allocation between themselves and the outsourcers, and establish appropriate internal mechanisms to mitigate those risks.