Cloud computing, SaaS, AI automation, cybersecurity, digital transformation initiatives, remote work, distributed teams, nearshoring, reshoring, sustainability, and green IT are some of the key market trends shaping the IT landscape. These technologies are making outsourcing and offshoring more seamless by improving communication and connectivity between global teams, such as those in the head office and their counterparts in Manila.

In particular, cloud computing and remote collaboration tools have made interactions between geographically dispersed teams more efficient, resulting in enhanced customer service.

Business process outsourcing (BPO) is evolving with trends such as the integration of robotic process automation (RPA) and AI, a heightened focus on customer experience (CX), and support for digital transformation. The adoption of cloud-based solutions, advanced analytics, and knowledge process outsourcing (KPO) are also prominent. The industry is adapting to remote and virtual BPO models, emphasising multilingual and multichannel support, and prioritising compliance and data security. Additionally, sustainability and corporate social responsibility (CSR) are gaining importance. These developments are enhancing efficiency, cost savings, customer experience, agility, scalability, data-driven insights, and access to specialised expertise, positioning BPO as a key element of modern business strategy.

Another key trend is engaging an existing Philippine “employer of record” (EOR) company to quickly outsource and hire a Philippine team while separately setting up the “owned” Philippine entity (which can take time). An EOR is a third-party service provider that can immediately onboard the Philippine staff by putting them under its own payroll. Once the Philippine entity is registered, the staff are then migrated from the EOR to that owned entity.

New technologies like AI, chatbots, machine learning, robotics, RPA, blockchain, fintech, and smart contracts are having a big impact on how customer service is delivered by BPOs.

On the one hand, they help make things more efficient and cut costs by automating tasks and providing useful insights. Chatbots, for example, can give instant support to customers any time of the day. On the other hand, there are industry concerns that these technologies will also replace the need for human support and interaction, leading to a decline in the BPO industry in the Philippines and job losses.

However, in the short and even medium term, these technologies will likely serve to enhance rather than replace services provided by BPO workers. Services will likely improve for the customer due to the efficiencies these technologies will unlock.

The Philippines is a leading outsourcing destination, known for its skilled, English-proficient workforce and cost-effectiveness. The most commonly outsourced services include customer service and call centres, back office functions like data entry and transcription, IT services such as software development and cybersecurity, and HR and recruitment. Finance and accounting, medical and healthcare services, content creation and digital marketing, legal process outsourcing, engineering services, and e-commerce support are also significant. These services leverage the Philippines’ competitive advantages, making it a preferred choice for businesses seeking efficient and reliable outsourcing solutions. We have had the opportunity to assist with most of these activities and functions that are being outsourced or offshored to Philippine-based staff.

Generally, there are no statutory or regulatory restrictions on technology transactions or outsourcing in the Philippines. However, there are some industries that have restrictions as to what activities can be outsourced by a company, which are discussed in different sections of this chapter.

Where foreign companies outsource specific business processes to the Philippines, there are generally no industry-specific restrictions imposed by Philippine law. Any limitations are more likely to stem from the regulations of the country or jurisdiction where the foreign company is based, which may govern what tasks can be outsourced, how they are outsourced, and where they can be performed.

However, within the Philippines itself (ie, intra-country outsourcing), there are some industry-specific restrictions such as those for Philippine banks, insurance companies, and securities brokers/dealers. 

For Banks

The Manual of Regulations for Banks (MORB) issued by the Central Bank of the Philippines provides that a bank may outsource to third parties or to related companies in the group, in accordance with existing Central Bank regulations, certain services, or activities to have access to certain areas of expertise or to address outsource constraints, as long as it has appropriate processes, procedures, and information systems that can adequately identify, monitor, and mitigate operational risk arising from outsourced activities, and provided that the bank’s board of directors or senior management remain responsible for ensuring that outsourced activities are conducted in a safe manner and in compliance with applicable laws, rules and regulations.

The MORB also provides that the following inherent banking functions cannot be outsourced:

• accepting deposits from the public;
• granting loans or extending other credit exposures;
• managing risk exposures; and
• general management.

For Insurer/Reinsurer Functions

The Insurance Commission has issued a Circular Letter which provides for functions that cannot be outsourced by an insurer/reinsurer as these are directly related to “doing or transacting insurance business”:

• solicitation activities, which shall only be carried out by the insurer/reinsurer, licensed agents and/or brokers, except to the extent allowed by guidelines from the Insurance Commission;
• the decision whether or not to undertake risk/s, which shall only be undertaken by the insurer/reinsurer and/or licensed non-life company underwriter(s);
• the decision whether or not to approve or reject an insurance/reinsurance claim, which shall only be undertaken by the insurer/reinsurer; and
• loss adjustment, which shall only be undertaken by the insurer/reinsurer and/or licensed independent or public adjuster(s).

Notwithstanding the foregoing, the insurer/reinsurer may engage advisory or consultancy services of a BPO provider in the performance of the aforementioned functions or business processes.

For Broker Dealers

The Securities and Exchange Commission (SEC) issued a memorandum circular regulating outsourcing by broker dealers. Broker dealers can outsource back office functions provided such broker dealers do not outsource: (i) material activities or (ii) any activity that involves any interaction or direct contact with the clients of the broker dealer for the purpose of buying and/or selling securities or the solicitation of investments in securities, except in cases permitted under the Securities Regulation Code, the Anti-Money Laundering Act, as amended, or other law, rule or regulation. Further, clearing and settlement activities may only be outsourced to service providers who are authorised by SEC to conduct such activities.

Such outsourced activities may further be subcontracted by the service provider provided (i) the principles and standards provided under such memorandum circular shall likewise be applicable to the subcontractor; (ii) that such outsourcing is without prejudice to the right of the broker or dealer to prohibit any further subcontracting by the service provider; and (iii) that any further subcontracting shall not be implemented without prior notice to SEC.

Foreign companies seeking to outsource to the Philippines should also be aware of any statutory restrictions in their home countries that might impact the outsourcing process.

The Data Privacy Act of 2012 (DPA) governs all forms of personal information processing in the Philippines, setting out clear guidelines on when such processing is permissible. The processing of personal information is allowed under the following circumstances:

• when the data subject has given his/her consent;
• when processing personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• when the processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
• when the processing is necessary to protect vitally important interests of the data subject, including life and health;
• when processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority that necessarily include the processing of personal data for the fulfilment of its mandate; or
• when the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

It also provides for the criteria for the lawful processing of sensitive personal information:

• when the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• when the processing of the same is provided for by existing laws and regulations, as long as, such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information and that the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
• when the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
• when the processing is necessary to achieve the lawful and noncommercial objectives of public organisations and their associations, as long as such processing is only confined and related to the bona fide members of these organisations or their associations, that the sensitive personal information is not transferred to third parties, and that consent of the data subject was obtained prior to processing;
• when the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
• when the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to a government or public authority.

The DPA allows the cross-border transfer of personal information from the Philippines to another jurisdiction. Recently, the National Privacy Commission (NPC) of the Philippines released several advisories and guidelines on the following:

• advisory on model contractual clauses for cross-border transfer of personal data (however, the adoption of these clauses is only recommended rather than mandatory);
• guidelines for obtaining consent from data subjects and guidelines on the legitimate interest (these guidelines, while not specifically for technology transactions and outsourcing, will serve as helpful guidelines for various industries when it comes to processing personal information of clients, employees, suppliers, and other people that they transact with);
• requirements for the security of personal data processed by personal information controllers (PICs) or personal information processors (PIPs) (these guidelines cover, inter alia, transfer of and access to personal information, usage of authorised devices, disposal and destruction of personal data, business continuity plans, and removable or portable storage media for processing of personal information); and
• requirements for a data sharing agreement.

In outsourcing transactions, there is no standard model contract used universally. Typically, companies employ some form of a services contract. For companies seeking tax exemptions, specific provisions are essential, including a detailed description of the services to be provided, the currency in which payment is made, proof of payment, the tax situs of the service, and compliance with tax regulations in invoicing. Additionally, transfer pricing considerations are important when drafting an outsourcing services contract.

The most common contract model is a bilateral services contract between the client and the outsourcing service provider. Joint ventures and multi-sourcing arrangements are rare in the outsourcing sector in the Philippines.

Digital transformation has impacted the delivery of outsourced and offshored services, altering the content of outsourcing contracts. While the contract structure remains largely the same, its contents have become more detailed, especially regarding data privacy, intellectual property, security, and confidentiality.

Due diligence processes have also become more robust when selecting outsourcing providers. To ensure an outsourcing provider is compliant with privacy regulations and its employees are trained with the requirements on handling data, additional specific representations and warranties in the contract are included with regard to data privacy compliance.

The Philippines, as a civil law jurisdiction, bases its customer protection laws primarily on local legislation governing contracts, privacy, and intellectual property. Contract law generally reflects Western legal principles in areas such as perfection, consummation, termination, and dispute resolution. A contract and its terms and conditions are also considered the law between the parties, and customers can typically rely on these for remedies in the event of a dispute.

Privacy laws and regulations generally follow European standards found in the General Data Protection Regulation (GDPR). Intellectual property laws are shaped by the different treaties that the Philippines has acceded to, such as the Convention Establishing the World Intellectual Property Organization (1980), Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) (1994), Patent Cooperation Treaty (2001), and the WIPO Copyright Treaty (2002).

Termination is generally based on grounds provided in the service contract between the customer and the BPO company, which is mostly based on breach of contractual provision. Termination may also be based on law, which is mostly based on the Civil Code of the Philippines.

Likewise, customer rights upon termination are also based on the grounds provided in the service contract between the customer and the BPO company as well as the Civil Code. The allocation of liability for damages will depend on which party is deemed to be in breach of the contract, with the responsible party held liable for any resulting damages.

The distinction between direct and indirect loss is relevant in determining the type of damages that can be claimed.

Under Philippine laws, actual damages constitute compensation for sustained pecuniary loss. However, to be awarded actual damages,  the pecuniary loss must be substantiated with concrete evidence, such as receipts. Both direct loss and indirect loss may be recoverable through actual damages but it is easier to prove direct loss since pecuniary loss is comparatively easier to prove in direct loss rather than in indirect loss.

In the absence of such proof, temperate or moderate damages may be awarded. Temperate or moderate damages may be awarded when the court finds that some pecuniary loss has been suffered but its amount cannot be determined with certainty. Temperate or moderate damages can be awarded for either direct or indirect losses.

Loss of profit forms part of actual damages which must be established with competent proof and a reasonable degree of certainty. Further, loss of profits on account of delay or failure of delivery may be recovered only if such damages were reasonably foreseen prior to contracting.

On the other hand, loss of goodwill is considered part of moral damages. As a general rule, moral damages cannot be awarded to corporations. A corporation may acquire goodwill or reputation of its own, and when it is harmed, the corporation may recover moral damages.

Under Philippine law, rights can generally be waived, though certain exceptions exist. Waivers are invalid if they are contrary to law, public order, public policy, morals, or good customs, or if they prejudice a third party with a legally recognised right.

Notably, any waiver of responsibility for future fraud is void, as responsibility arising from fraud is always enforceable.

Lastly, with regard to liquidated damages, these are pre-agreed amounts specified by the parties to a contract. However, the amount of liquidated damages is limited to the agreed sum unless the nature of the breach does not correspond to the breach for which the liquidated damages were intended. In such cases, the measure of damages will be determined by law, not by the parties’ agreement.

Contracting parties may establish stipulations, clauses, terms and conditions as they may deem convenient, provided they are not contrary to law, morals, good customs, public order or public policy. This means that, generally, laws are deemed written into every contract. Although a contract is the law between the parties, the provisions of positive law which regulate contracts are deemed written therein and shall limit and govern the relations between the parties. These legal principles apply to technology or outsourcing contracts.

Under Philippine laws, if a PIP is processing personal information on behalf of a PIC as their client, the DPA requires that the contracting parties execute a contract or other legal act (like an outsourcing or subcontracting agreement) that will bind the PIP to the PIC.

In outsourcing, the DPA requires that the PIC use contractual or other reasonable means to ensure that proper safeguards are in place to ensure confidentiality, integrity, and availability of the personal data processed, prevent its use for unauthorised purposes, and to comply with the requirements of the DPA, its Implementing Rules and Regulations (IRR), other applicable laws for processing of personal data, and other issuances of the NPC. The IRR of the DPA further provides for certain provisions that must be stipulated in such contract or any legal act entered into by the parties.

On the other hand, if one party is sharing personal information with another party for a completely different purpose, the NPC suggests that a data sharing agreement be entered into by the parties involved.

A data sharing agreement is an agreement that sets out the obligations, responsibilities, and liabilities of the personal information controllers involved in the transfer of personal data. While the execution of a data sharing agreement is not mandatory, it is still best practice to execute one when sharing personal data from one personal information controller to another. The NPC issued a guide for the creation of a data sharing agreement. It details what the NPC expects to find in such agreement. The guide also states that if the disclosure or public access is facilitated by an online platform, the program, middleware, and encryption method that will be used should also be identified.

Both outsourcing and data sharing agreements require that the organisational, physical, and technical security measures to be adopted by the parties for the protection of personal information be included in the outsourcing contract or data sharing agreement.

In both instances, the NPC emphasises the exercise of rights by data subjects. Both documents must include provisions informing data subjects how they can exercise their rights, including how the data subjects can communicate with the data protection officer of each contracting party for the exercise of such rights.

In addition to this, it is not unusual for any contracting party to require the other party to sign a non-disclosure agreement or a confidentiality agreement. Agreements like these serve to protect not just the personal information that is being shared by one party with the other, but other confidential business matters, trade secrets, and intellectual properties that are being shared. 

As regards business continuity, a circular by the NPC requires a PIC or PIP to prepare a business continuity plan in order to mitigate potential disruptive events. The PIC or the PIP should consider the following:

• personal data back-up restoration, and remedial time;
• periodic review and testing of the business continuity plan, taking into account disaster recovery, privacy, business impact assessment, crisis communications plan, and telecommuting policy, among others; and
• contact information and other business-critical matters – eg, electrical supply, building facilities, information and communications technology (ICT) assets.

With a lot of companies in the Philippines practicing a hybrid work set-up, the NPC also provides some security measures that may be taken by PICs or PIPs:

• training on the limitations on use of company-issued computing devices with secure configuration of the PIC’s ICT assets to protect against security risks and cyberthreats such as unauthorised access, malware, data loss, and theft;
• best password management and secured practices in managing online accounts, computers, mobile phones, and network appliances; and
• periodic training on data privacy, cybersecurity, and online productivity, among others.

Just as consumer rights are protected by contract law and terms of service, the performance of an outsourcing service provider is bound by the key performance indicators (KPIs) detailed in the outsourcing contract.

Because the type of services that are outsourced is varied and broad, such as services relating to information technology, accounting, sales, data entry, and customer support, there is no fixed measure of performance for the output of a service provider. Performance generally depends on the type of services provided. However, a common denominator for measuring performance is customer satisfaction. The customer here can either be an internal stakeholder or an external stakeholder being serviced by the outsourcing provider. Although cost savings are often a key motivator for outsourcing, if the service provider’s performance does not meet expectations, the cost-benefit trade-off may not justify continuing the outsourcing arrangement.

In terms of managing and measuring an outsourcing supplier’s performance, the contract terms do not really differ if the outsourcing service is cloud-based. Cloud-based services would affect how the service is delivered, including how fast the service is deployed to the customer. This, in turn, can affect customer satisfaction. But in terms of contract terms, it will not really affect the terms and conditions with the outsourcing service provider.

In the Philippines, there are several ways that a foreign company looking to hire Philippine-based staff may initially hire their employees.

The first is through an employer of record (EOR) model. An EOR refers to a third-party Philippine company that puts the staff on their own payroll and manages the HR function on behalf of the foreign company. The EOR charges the foreign company for employee salaries, along with a service fee.

The second is through an independent contractor relationship with the Philippine-based staff. If hiring through an EOR is not an option, the foreign company may also directly engage the staff as independent contractors. This may have employment law compliance issues later on, despite the staff being classified as independent contractors.

The third option involves setting up a Philippine entity, such as a wholly-owned subsidiary, representative office, branch office, regional headquarters, or regional operating headquarters. These different types of company (or special purpose vehicles) have different functions and limitations and the choice would ultimately depend on the type of activity the foreign company would be carrying out in the Philippines. Each type would also have different tax implications and, with the right preparation, even tax exemptions. Therefore, it is important to properly structure the entity of the foreign company and prepare all requirements for a seamless transfer of employees (including setting up a payroll system and managing social contributions).

It is not unusual for a foreign company to start off with either the first or second method. However, as their operations grow and the need for greater control over staff increases, many companies gradually transition to establishing their own Philippine entity. This third method often becomes more cost-effective in the long run, especially with a larger workforce.

The transition to the third method usually involves the migration and transfer of employees from the EOR or as independent contractors to the foreign company’s own Philippine company.

Under Philippine laws, corporations enjoy separate and distinct juridical personalities, and employees have the right to security of tenure. Thus, the transfer of employees from the EOR may require the termination of employees from the EOR and the payment of separation pay, which could be added to the costs charged to the foreign company. However, it is also possible to maintain the employees’ tenure by transferring them to the foreign company’s Philippine entity by recognising their tenure from their EOR employment to the new Philippine entity. Careful legal and procedural handling of these transfers is essential.

Under current Philippine laws, trade union or workers council consultation is not required for outsourcing. Whether negotiations are required or not would depend on the collective bargaining agreement in force between the company and its employees (if any). At present there is only one network of BPO employees called the BPO Industry Employees Network (BIEN) which currently lobbies for the support of an Anti-Union Interference Bill (House Bill No 407) which seeks to strengthen organising unions in the BPO industry.

Hailed as the “call centre capital of the world”, the Philippines continues to be a preferred service provider for offshore outsourcing. In November 2023, the Information Technology-Business Process Management Association of the Philippines (IBPAP) projected a 7% revenue growth rate in the BPO industry for 2024.

There are three important factors to consider with regard to remote working in a BPO company.

First, the Implementing Rules and Regulations of Republic Act No 11165 (“Telecommuting Act”) mandates employers to notify the Department of Labor and Employment of the implementation of telecommuting work through the Establishment Report System. Telecommuting employees (ie, remote working employees) shall be covered by the same applicable company policies and afforded the same set of benefits under the law and existing collective bargaining agreement, if any. In other words, there should be no discrimination against those working remotely.

Second, BPO companies located in economic zones or tax-free zones are not allowed to have 100% remote working arrangements as it will negatively affect whatever fiscal and non-fiscal incentives they may have under existing laws. In 2022, the Fiscal Incentives Review Board (FIRB) of the Department of Finance rejected the requests for extending work-from-home arrangements, and mandated BPOs located in economic zones or tax-free zones to return to on-site duties beginning 1 April 2022. Given the foregoing, BPO companies that continue to implement work-from-home arrangements may encounter greater costs which can be passed onto their customers.

Third, BPO companies that register with the Board of Investments (rather than with the economic zone authority) are still allowed to have 100% of their employees work remotely.

Remote work remains a highly valued benefit among BPO employees and can be a key factor in attracting and retaining talent. However, maintaining a secure environment for handling customer data is critical. Ensuring strong data privacy compliance, in accordance with Philippine laws, becomes essential for BPOs adopting remote work arrangements, balancing the interests of employees and the security expectations of customers.