Outsourcing Contracts: Contracting for Regulatory Compliance
By Jonathon Little, Jones Day
It seems unanswerable that an outsourcing supplier should agree to 'comply with all applicable laws'. Often this provision is seen as standard, comfortably buried amongst the boilerplate. However, this short form clause conceals a complicated web of issues that deserve individual negotiation.
The problem
It is a fact of life that regulation is increasing and the costs of failure to comply have never been so high. Health and safety, the HR relationship, data protection, financial services and corporate governance are areas with more regulation carrying potentially severe sanctions. And the rules are developing at an ever faster rate.
On top of this, the outsourcing industry is moving into more heavily regulated areas. Deals have expanded from relatively lightly regulated IT infrastructure deals to business process outsourcings of finance and accounting and HR functions.
Finally, outsourcing as a business model itself attracts the interest of regulators. Financial services rules and Sarbanes-Oxley make it clear that customers cannot outsource their compliance obligations. As a result, rules can potentially bite on both customer and supplier. In many areas there is an unanswered question: does outsourcing hinder regulation (by loosening a customer's control of its operations) or promote compliance (by encouraging 'best of breed' suppliers)?
The drawback with accepting the short form clause
A supplier will often agree to perform 'in accordance with all applicable laws'. If regulatory risk is recognised, it is usually dealt with simply, with the risks being divided, often with the supplier taking 'general changes' (those affecting all services of that type) and the customer 'specific changes' (those applying because of the particular customer).
This is not really adequate for significant deals:
- There are different types of regulation each having different risks - they should be considered separately.
- Regulation is rarely 'specific' to a customer - this clause may not protect suppliers.
- Parties should look at the business effect of regulation rather than why it applies.
- Dealing with regulation effectively requires more than just allocating costs.
A differentiated approach
Outsourcing agreements should recognise different types of regulation. These include:
- Licensing requirements - permissions to perform or receive services (eg FSA requirements)
- Service performance - regulations on how a service must be performed (eg working time regulations, ergonomic requirements, data security)
- Service receipt - rules affecting how services are received and used (eg data protection)
- Interdependence of compliance positions - areas where the customer's regulatory position depends on the supplier's performance (eg Sarbanes-Oxley, Basel II)
For each of these, the parties should agree:
- Who is responsible for compliance? Typically each party will promise to comply with the first three categories as these apply to its own obligations. However, a supplier will want to verify by due diligence or warranty that transferred assets and systems are compliant at the outset. It may also require the customer to provide authorisations if these cannot be obtained by a service provider. The last category of risk is more difficult - the customer will often ask the supplier to perform to ensure the customer is itself compliant. The supplier may see elements of this performance as an additional, chargeable activity. It will also need to make sure it is not guaranteeing a customer's own internal policies.
- Who is to be responsible for monitoring regulatory requirements? A customer will argue that this is a key part of the supplier's role as an expert provider and possibly as the employer of the very personnel who previously did this for the customer. The supplier may reply that it should not be a regulatory watchdog for its customers and a key part of monitoring was actually done by the customer's legal function.
- How are rules interpreted? Regulations vary across jurisdictions and their application may not always be clear. The customer may demand that its interpretation should prevail until a ruling clarifies matters. This is particularly the case where the supplier's actions could compromise an approval central to the customer's business. The supplier can often agree to this type of provision for laws applying to the customer's business provided that it is protected on costs.
- How is the risk of change shared? Risk can be allocated by the general/specific mechanism mentioned above although it would be better (for a supplier at least) to judge who takes a risk by whether a regulation is specific to a service type rather than a specific customer. For some categories of risk it may be better to refer to the effects of the change, ie for the supplier to pay for changes to key systems for which it has assumed responsibility.
- What are the consequences of failure? A customer may be subject to penalties or be forced to suspend its business pending resolution of a problem. Does any indemnity allow full recovery given exclusions on indirect loss? Is a claim to recover a fine under an indemnity enforceable? Can a customer pass a fine to its supplier without prejudicing its own relationship with a regulator?
A practical way forward
Regulatory risk should not be treated as a monolith. Different categories of loss should be considered separately. For each, it is important that the parties are obliged to discuss and inform each other of problems and handle any actions under the contract's governance and change control provisions.
The Legal Voice: Outsourcing from a Legal Perspective