Doing Business In.. 2024

Last Updated July 02, 2024

USA - New York

Trends and Developments


Authors

Clifford Chance is a full-service law firm in the USA that advises domestic and multinational clients globally, with many of the world’s leading businesses relying on its superior service and deep experience. A team of more than 400 lawyers guides clients in banking and finance, capital markets, corporate, litigation and dispute resolution, real estate, tax, pensions and employment, and sectors such as funds and investment management, insurance, private equity, technology, and transportation. Unmatched in cross-border and multijurisdictional matters, the firm’s lawyers in New York, Washington, DC, and Houston collaborate with US-qualified attorneys in Asia-Pacific, Europe, and South America. Clifford Chance’s US tech group, part of the global tech group, innovates by blending technology knowledge to advise on transactional and litigation matters. The team has long advised technology leaders on transactions, disputes, antitrust, and regulatory issues – working with developers, vendors, and users and growing alongside these evolving businesses.

New Technologies, New Regulations and New Vulnerabilities: The Forces Changing Outsourcing in 2024

Although organisations have used outsourcing to drive innovation and efficiency for decades, the rapid evolution of new technologies, major shifts in the global regulatory landscape, and the need for digital resilience are requiring companies to fundamentally rethink their sourcing strategies. Lawyers, procurement specialists and business leaders must evolve their sourcing programmes to respond to the challenges and opportunities presented by these forces. Those companies that adapt to the new realities on an enterprise level, in terms of what they outsource and how well they do it, will better be able to compete in their respective markets.

Background

Outsourcing is the practice of engaging third parties to perform functions (such as supplying products and performing services) that a company otherwise would perform for itself. It was originally introduced as a means for an organisation to shed non-core elements of its operations so that it could focus investment and human capital on functions central to the enterprise’s mission and revenue generation. Since its adoption, outsourcing has become a common business practice used by organisations for a range of reasons. These include achievement of greater efficiencies, realisation of cost savings, improvement of performance levels, access to scarce talent, and – in some instances – risk mitigation. Some entities also rely on outsourcing to gain a first-mover advantage for the implementation of next-generation technology solutions.

The practice originated with back-office IT operations, but outsourcing today can be used for almost any business function, including those normally reserved for a company’s middle and front offices. Commonly outsourced areas today include:

  • IT functions such as infrastructure management, applications development, cloud services, and co-location;
  • business process functions, including finance and accounting, procurement, recruiting, call centres, and transaction processing; and
  • implementation and maintenance of major new technology, such as core banking systems, enterprise resource planning (ERP) systems, claims processing platforms, and other mission-critical systems.

For customers, a successful outsourcing arrangement must reflect a well-thought-out business case, and must adequately address the customer’s strategic, technical, operational, regulatory, security, legal, and financial requirements. Appropriate flexibility is also important so that the parties can adapt their relationship over time. However, outsourcing involves inherent commercial and legal risks, including the potential for poor service quality, confidentiality and data breaches, cost overruns, loss of in-house expertise, and heightened regulatory scrutiny in certain industries.

Key trends and developments

Companies, especially those with a global footprint, are currently confronted with pressures on an unprecedented scale, including the need to adopt next-generation technology, comply with increasingly complex global regulatory structures, and operate digitally resilient businesses. These trends have a major impact on how, what, and when companies outsource to third parties.

Innovative tech solutions and qualified tech talent are in high demand

The rapid advancement and proliferation of technology, most notably AI, has led to a growing expectation and demand for transformational digital solutions. These include, for example, better solutions for operational technical support, more efficient data analytics and commercialisation, enhanced cybersecurity, and optimised customer experience. This trend exists for enterprises of various sizes and across industries, and organisations continually face the choice between building and maintaining new solutions in-house or leveraging the marketplace for third-party solutions.

Given the pace of technological change, most companies opt to seek out third parties to provide these innovations. Reliance on third parties through outsourcing in these instances reduces risk and enables greater flexibility as these new technologies rapidly advance, allowing for upgrades and advancements to be rolled out in the future. In many cases, a company will not have the in-house capabilities to embark on a large-scale development programme to create and implement new technology.

Additionally, the development and implementation of new technology solutions requires qualified talent, including engineers, data scientists and – in today’s climate, increasingly – AI specialists. These resources are in incredibly high demand and are difficult to find and retain. Although this challenge is also present for the world’s most sophisticated third-party providers of technology and outsourced services, an organisation is far more likely to acquire the reliable talent it needs through its third-party suppliers.

Regulatory compliance demands are increasing

Regulatory compliance for customers is a critical concern in outsourcing. Laws and compliance requirements that apply directly or indirectly to outsourcings affect nearly all organisations (eg, regulations governing AI, anti-bribery, privacy, sanctions, and export control), but companies in highly regulated industries must contend with specific obligations. Examples of this increasingly complex regulatory framework in the USA include the following.

  • In financial services, regulators in the USA have issued interpretive guidance that requires financial institutions to establish and maintain risk management practices for their third-party relationships, which ensure the safety and soundness of their activities. On 6 June 2023, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued the Interagency Guidance on Third-Party Relationships: Risk Management, which aims to promote consistency in the agencies’ supervisory approach to third-party risk management, outlines the third-party risk management life cycle and applicable principles for each stage, and describes sound risk management principles.
  • In healthcare, outsourcing is affected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009, which focus on privacy and security of protected health information (PHI). All covered entities and their business associates, which include suppliers with access to PHI, are subject to specific privacy and security requirements. Failure to comply may lead to civil and criminal penalties by federal and state regulators. State-level laws supplement federal requirements and focus on protecting PHI.
  • State laws regulating privacy and the use of AI play an increasingly significant role in the regulatory landscape for outsourcing in the USA. Privacy laws ensure that organisations conducting business in or engaging with residents in these states adhere to specific requirements regarding personal information collection and processing. By way of example, California pioneered the California Consumer Privacy Act, as amended by the California Privacy Rights Act, which grants consumers extensive rights over their personal data (including the right to know, access and delete it) and imposes stringent obligations on businesses regarding data handling and transparency. In addition, many states are actively pursuing regulation of AI, with laws ranging in application and scope (including regarding governance, transparency, third-party review, and non-discrimination). The recent Colorado Artificial Intelligence Act is a front runner in state AI regulation and requires developers of high-risk AI systems to use reasonable care to avoid algorithmic discrimination. Organisations outsourcing data processing activities or procuring AI-driven services must ensure that their third-party providers comply with all applicable state-level requirements to avoid compliance risk.

Outside the USA, the EU has in place several laws that have a particular impact on what, where and how an organisation outsources. Although some of the following are not outsourcing-specific, all affect US-based companies with operations or customers in the EU.

  • The General Data Protection Regulation (GDPR) is an EU regulation that came into effect on 25 May 2018. It is designed to protect the privacy and personal data of EU citizens and residents and applies to any organisation that processes the personal data of such individuals, regardless of where the organisation is located. Key provisions of the GDPR include the right to access, the right to be forgotten, the right to data portability, and the requirement for organisations to obtain explicit consent before processing personal data. Non-compliance with the GDPR can result in significant fines.
  • The European Banking Authority (EBA) has established stringent guidelines for financial institutions regarding outsourcing arrangements. These Guidelines on Outsourcing Arrangements, effective since 30 September 2019, aim to ensure that financial institutions maintain robust governance frameworks and manage risks associated with outsourcing.

    The guidelines require institutions to perform thorough due diligence on service providers, maintain a detailed register of all outsourcing arrangements, and ensure that contracts with third-party vendors include specific provisions for data and system security. Additionally, outsourcing of critical or important functions (often referred to as “material outsourcing”) must meet enhanced scrutiny to ensure it does not impair the institution’s ability to manage risks and comply with regulatory obligations. Further, contracts with third-party vendors for critical or important functions must ensure full access to all relevant business premises, and unrestricted rights of inspection and auditing.

    EU branches of non-EU institutions are required to comply with the guidelines, including in cases of intra-group outsourcing. However, the guidelines do not apply to intra-entity outsourcing (eg, where an EU branch outsources a function to the headquarters or another branch of the same legal entity). Failure to comply with the EBA’s requirements can lead to banking activity limitations or suspension.

  • The European Union Artificial Intelligence Act (the “EU AI Act”) is a 2024 law that aims to regulate the use of AI within the EU. The EU AI Act establishes a risk-based approach to AI regulation, with AI classified as posing unacceptable risk, high risk, limited risk or minimal risk. Most of the law addresses high-risk AI systems and most obligations fall on the providers of such systems, with particular emphasis on general-purpose AI providers. Requirements include establishment of a risk management system throughout the AI system’s life cycle, data governance for training, validation and testing data sets, adequate record-keeping, and human oversight.

    The law has extraterritorial application: it applies to any AI provider that intends to place AI systems on the market or put them into service in the EU, or whose AI system’s output is used in the EU, as well as to third-country AI users if the AI system’s output is used in the EU. The EU AI Act also sets out penalties for non-compliance, which can reach up to EUR35 million or up to 7% of an organisation’s worldwide annual turnover for the preceding financial year (whichever is greater).

  • The Digital Operational Resilience Act (DORA) aims to enhance the security and resilience of the financial sector in the face of increasing digital threats and challenges. DORA entered into force on 16 January 2023 and applies from 17 January 2025.

Companies (and regulators) double down on resilience

In today’s volatile world, building digital resilience and redundancy is imperative for organisations. Outsourcing agreements must be flexible and adaptable to accommodate unforeseen disruptions, corporate events, and changing business needs. Disruptions can include natural disasters as well as man-made events such as cyber-attacks. In addition, the increased expectation and prevalence of remote working continues to affect outsourcing arrangements, as certain functions cannot be delivered remotely in accordance with required specifications.

Global regulators are focusing increasingly on resilience. By way of example, the aforementioned DORA is intended to enhance the cybersecurity and cyber-resilience of the financial sector in the EU by establishing a common set of rules and standards for information and communication technology (ICT) risk management, testing, reporting, and oversight for financial entities and ICT service providers. It also seeks to foster information sharing and co-operation among financial authorities and stakeholders in order to address potential cyberthreats and cyber-incidents. DORA applies to US-based financial institutions to the extent they have operations in the EU.

In the USA, the Securities and Exchange Commission (SEC) has issued cybersecurity rules that aim to protect investors and markets from cyberthreats. The rules require public companies to disclose material information about their cybersecurity risks and incidents, as well as to maintain effective policies and procedures to prevent, detect, and respond to cyber-attacks. The rules also impose sanctions and penalties for violations of the SEC’s cybersecurity standards and guidance.

Conclusion

The pressure on businesses to operate cost-effectively, to remain at the forefront of new technology, and to keep operations resilient will continue to propel outsourcing as a key business strategy. The functions a company outsources – and how well the company does so – will ultimately have a material impact on core business performance. Those entities that can ensure the risks of outsourcing are understood and mitigated will be able to realise the greatest commercial gains and best leverage their outsourcing relationships.

Clifford Chance

Two Manhattan West
375 9th Avenue
New York
NY 10001-1696
USA

+1 212 878 8000

+1 212 878 8375

Inna.Jackson@cliffordchance.com
www.cliffordchance.com
