Tech contracts – “Why won’t you just comply with the law?!”

09.08.2019

On the face of it, compliance with laws is a no-brainer for contracting parties – of course we’ll both comply with the law! After all, entering an agreement with a party who refuses to do so is surely an obvious red-flag?

However, on reflection, there is often a much more nuanced discussion to be had.

What’s the problem?

From a customer perspective, the supplier should comply with (and ensure its service/solution complies with) the widest possible scope of laws and regulations, including those that apply to the specific industry in which the customer operates (‘industry-specific laws’).

From the supplier’s perspective, it might want to promise to comply with only the laws that apply to its business or services and that it already monitors, such as corporate governance, data protection, tax, anti-bribery, etc. (‘general laws’) – but probably not the customer’s industry-specific laws.

When does it become an issue?

We have found that this issue often gives rise to misunderstandings and expectation gaps between the parties, which tend to fall into one or more of the following categories:

  • Regulatory complexity and diversification – developments in sectors such as financial services have spawned complexity, with overlapping new and old regulations. Further, the drive for businesses to diversify means organisations are (sometimes unwittingly) exposing themselves to myriad sets of regulations (e.g. energy companies selling smart devices find they are now subject to energy sector, consumer protection and data/security laws). Collectively this is driving up the cost of compliance, which a customer may rather externalise to its suppliers. However, where the customer is operating across multiple sectors, is it reasonable to expect a supplier to monitor and ensure compliance with such a broad set of evolving regulations, and how should the parties price for this?
  • Fines and reputation – there is a current trend for regulators to be given ‘sharper teeth’ to enforce compliance with law, for example under the GDPR and the NIS Regulations. There is also a greater public understanding of, and connection between, regulatory breach and brand reliability, meaning the customer’s appetite for risk is much lower and, as such, the customer may even want to control the monitoring of this sensitive issue itself.
  • Who is best placed to ensure compliance? – some suppliers choose to install regulatory compliance officers in their business model so that they can state compliance with law as part of their offering, seeking to differentiate themselves from their competitors. However, this general statement may not reflect reality when industry-specific laws are more carefully considered. Conversely, customers generally know their businesses and sector better than their external providers, so may be better placed to monitor compliance.
  • Deploying existing know-how – it is likely that a customer will have already considered how it complies with law and meets applicable regulatory requirements, often documented in detailed internal policies and procedures that are implemented across the business. As such, it may be sufficient for a supplier to agree to comply with these existing customer policies and procedures. However, a supplier should have experience of compliance issues that arise in delivering its services to other clients that it can translate across to its broader customer base. The extent of this ‘know-how translation’ should be agreed by the parties before signing the contract.
  • Rise of ‘RegTech’ – the availability of technology solutions designed to enable regulatory compliance creates an unrealistic expectation that technology alone can solve the compliance problem that almost every organisation faces. The extent and capability of technical solutions used in compliance needs to be carefully considered and understood by both parties.
  • Letter of the law – in providing its services, a supplier may already be bound by law to comply with certain regulations and as such, there should be no issue in reflecting these obligations into a contract. However, customers should note that regulators usually expect companies to remain accountable for their own compliance, no matter what their supply contracts say. Indeed, regulators may take an adverse view of organisations that seek to delegate this responsibility to external providers.
  • Future regulation and compliance – in an ever-expanding and rapidly evolving technology industry, where regulation has previously struggled to keep pace with developments in the sector, entirely new issues continue to catch regulators off guard. The application of artificial intelligence solutions is a good example of such a regulatory ‘grey area’. Further, political uncertainties, particularly at the time of writing, mean both customers and suppliers alike need to keep an eye on the regulatory horizon, as well as monitoring the current landscape.

Reaching an outcome that drives compliance

As with many contracting issues, the solution is often a compromise. For example, even if the supplier does not contractually commit to complying with industry-specific laws, that should not prevent it from otherwise supporting the customer and offering its sectoral expertise to help identify the operational steps that the customer needs to implement to ensure compliance with those industry-specific laws.

Contractually, the supplier could promise to help the customer manage changes in its regulatory environment, such as the introduction of new industry laws, and further, grant the visibility, control and oversight rights that would allow the customer to ensure that the service it consumes is fully compliant, including appropriate audit, step-in, termination and exit rights (perhaps with appropriate cost allocation).

Any discussion regarding compliance with law should be based on practical real-life examples in order to avoid unhelpful conceptual debate. What regulations are in play? How does the customer comply right now and what steps need to be taken? What role does each party expect to play going forward?

Moreover, the parties may both benefit from adopting a collaborative approach that recognises the respective roles of customers and suppliers in achieving overall compliance, which is consistent with recent regulatory guidance issued by the likes of the Financial Conduct Authority[1] and the European Banking Authority,[2] a common theme of which is that regulatory compliance requires more than just what is written in the contract.

[1] FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services

[2] Final Report on EBA Draft Guidelines on outsourcing arrangements