© Copyright 2014 Saul Ewing LLP Outsourcing 2014: Negotiating Outsourced Contracts Sarah...

© Copyright 2014 Saul Ewing LLP1

Outsourcing 2014: Negotiating Outsourced Contracts

Sarah (“Sally”) ChurchKevin A. WigginsEvan J. FosterSaul Ewing, LLPOne PPG Place, 30th FloorPittsburgh, PA 15222


Why Outsource?• Concentrate on business’ core

competencies or mission• Take advantage of specialist

expertise, resources or best practices

• Reduce personnel, hardware, software or facilities investment

• Cost efficiencies due to provider economies of scale, leverage, global labor costs


What to Outsource:Employee Benefit Contracts• Retirement Plans

Legal/Audits Trust/Custodial Services/Recordkeeping Investments and Consultants

• Health and Welfare Plans Legal/Audits Insurance Contracts/Administrative Services Business Associate Agreements Pharmacy Management Brokers/Consultants /Payroll (for ACA reporting)


What to Outsource:IT, Recruiting and Business

Processes• IT

Help Desk Data center Desktop or onsite support Server or network operations

• Recruiting and staffing• Business Processes

Finance Customer call center Document processing


Before Selecting a Service Provider

• Define goals and desired outcomes Cost savings, improved performance, flexibility?

• Identify legal requirements• Formal requirements gathering

Ideally, before selection discussions or RFP Separate musts haves from nice to haves Thorough requirements create efficiencies and

reduce risks• What type of relationship do you want?

Length of commitment, tactical vs. strategic, what is the future state?


ERISA Legal Requirements• Duty of Prudence

Applies at initial engagement, ongoing (duty to monitor), and termination of engagement

• Prohibited Transactions ERISA requires fiduciaries to engage in a

prudent process to avoid prohibited transactions

Fiduciaries are generally not liable with prudent process, even if transaction turns out to be a prohibited transaction

© Copyright 2014 Saul Ewing LLP

ERISA Prudence in Selecting a Service

Provider• Engage in objective process

designed to elicit information necessary to assess: Qualifications and Quality of services

offered Reasonableness of fees

• DOL Advisory Opinion 2003-02A• Which outsourcing strategy better

documents a prudent process?7


Outsourcing Strategies

• Sole Source Strategy• Competitive Strategy• Collaborative Strategy


Sole SourceNegotiate with Only One Vendor

Advantages Disadvantages

• Builds on existing relationships

• Less market information

• Reduced costs • Less likely to find highest value

• Reduced processing time • Less of a fiduciary process

• May be required by CBA • Increased potential for self-dealing


Competitive Strategy

• Negotiate with a broad range of vendors in an auction-like process

• Advantages More market information and

competition More likely to find highest value vendor More showing of a fiduciary process Reduced potential for self-dealing


Competitive Strategy

• Disadvantages More time and costs

• RFI and RFP Adversarial process tends to reduce

trust May inhibit vendor’s response and

interaction during process


Collaborative Strategy

• Negotiate with two (or a few) select vendors

• Engage in parallel negotiations with each vendor similar to sole source negotiations

• Advantages Less Adversarial More Trust More Responsive Vendors

• Disadvantages Less competition and market information


Contracting: Who should be involved in the

process?• Depending on the subject

matter, size and complexity, you might assemble a team of one or a team of many.

• Define roles and responsibilities to avoid “too many cooks in the kitchen” or worse, negotiating against yourself.

• Involve experts within the customer organization if the contract contains unfamiliar subject matter or sensitive issues (e.g., IS/IT, Risk Management, HR).

• Don’t assume that other constituencies within your organization know that you are entering into this contract.


What should be included in an outsourcing contract?

• The most important part of the contract may be the exhibits, schedules, or appendices - the devil is in the details!

• Vendor proposals, quotations, Statements of Work or policies often include “legal” terms slipped in. Don’t assume they don’t require legal review.

• Error on the side of over inclusion. If the vendor said it or provided it in writing, consider incorporating it into the agreement.

• Are there specific company policies that the vendor must adhere to?


Contracting Mechanics

• Process differs for different deals depending on team and negotiating dynamic.

• Establish who will have “document control” and be responsible for making changes.

• Use caution to avoid sharing internal comments with the other side (e.g. track changes/ metadata).

• Consider whether negotiations are best handled via phone calls, email and/or face to face meetings.


Contracting Mechanics: Before You Sign on the Dotted Line

• Review the final contract package to make sure it: includes all of the required

attachments, exhibits, schedules and appendices

clearly states what each party’s obligations are

lays out each party’s duty should something go wrong

provides the company with adequate protections should the other party breach the contract or if the company determines that it is unhappy with the services


Form of Agreement

• Master Services Agreement or Master Information Services Agreement The legal terms and conditions

• Scope of Services Single most important element Clear and comprehensive If the vendor promises it, they should put it in

writing• “Don’t worry, we never do that.”

Identify whether services are provided as fiduciary or agent

• Exhibits and Schedules


Master Service Agreements

• Detailed Statement of Work Reporting and Disclosure

• Vendor will provide all information in its possession that plan needs to comply with ERISA

• Including 408(b)(2) for Retirement Plans Before you sign the agreement

Fiduciary Duties (standard of care) Minimum Standards Other


Master Service Agreements• Identify Correct Parties to

Agreement Employer Committee or other plan fiduciary Plan (Trustee)

• Parties Covered by Agreement Make sure all plans that should be

included are included


Outsourcing Risks• Primal fears result from services,

software, content, data and environment being outside the customer’s control: management and oversight availability/uptime backups/disaster recovery data/network security data privacy what if vendor goes dark? what if there is a dispute?


Standard Clauses:Term and Termination

• Term of Contract• Termination

Reasons Notice

• Distinguish expiration from termination Automatic renewal or expiration? Unilateral option to renew Termination for cause or convenience Required notice


Standard Clauses:Termination

• Termination Post-termination services are critical to

outsourced arrangements Obligations should apply regardless of reason for

termination Return, destruction, or retention of data and

confidential information Transition activities and data migration Claim run outs Survival clauses

• Indemnification for fiduciary breach should survive for applicable SOL


Standard Clauses:Intellectual Property

• Ownership of work product “Work made for hire” - must be in writing or

else author retains ownership Assignment - “work made for hire” is limited

• Service provider will want to retain ownership in its processes, knowledge and internal tools May need a license to all of these items for

transition to another vendor or to bring services in-house


Standard Clauses:Representations and

Warranties Legal Compliance

• Most outsourcing includes some outsourcing of compliance functions

Service Warranties• Services will be performed in accordance

with contractual requirements (specifications, RFP, Scope of Work)

• Services be performed at a standard that is generally accepted in the profession (AICPA, ITIL)


Standard Clauses:Confidentiality, security and

data privacy• Data privacy is a hot-button issue with U.S. and

EU lawmakers and regulators. HITECH expansion of HIPAA privacy rules 2009 FTC data breach notification rule for vendors of

personal health records & service providers Numerous state data breach notification laws Gramm-Leach-Bliley, FERPA, other statutes Industry regulation (e.g., Payment Card Industry (PCI)) Proposed changes to EU Data Protection Directive may

mean additional scrutiny • High profile breaches: Target, HomeDepot, JP

Morgan


Standard Clauses:Confidentiality, security and

data privacy• Enhanced B2B scrutiny of data flows to

subcontractors and outsourcing providers.• If you are handling other people’s data, your data

protection/privacy obligations to those people need to flow through to data centers and outsourcing providers.

• Need to pay attention to vendor’s processes, not just physical systems.

• Need to align your privacy commitments, and vendor obligations, with actual behavior

• Individual security audit may be impractical


Standard Clauses:Data backup and Storage Where is data stored? Who has access? Is data stored in a shared, virtualized “multi-tenant”

environment vs. dedicated physical servers? How often are backups made? onsite or offsite? Does

customer have the ability to make its own backup? Does the provider have a disaster recovery plan? Do

you? How does provider fit within your plan? How often is the full plan tested? How long will it take to get services or data back

online? May need special terms to localize data storage (“do

not store outside U.S. or Canada”)


Standard Clauses:Audits

Permissible audits• 5500 Audits• Financial Audits

Date revenue sharing is credited• Compliance Audits• Other Audits• Certified compliance with published standards?

SSAE 16 and ISAE 3402 audits (replaced SAS 70 in June 2011.)

• Type 1 – auditor’s opinion on service organization’s description of controls in operation and suitability of the design

• Type 2 – auditor’s opinion on whether controls are actually operating effectively

ISO 27000, Open Web Application Security Project (OWASP), NIST, etc.


Standard Clauses:Service Levels (SLAs)

• Help measure performance and improvement over services previously delivered internally

• Set baselines, targets for improvement and incentives to meet those targets

• Can be quantitative (uptime, time to complete transaction), financial (% savings) and qualitative (user surveys)


Standard Clauses:Governance and Communication

Critical aspect of any Agreement - Outsourcing arrangements don’t run themselves

Mutual, escalating accountability Who has authority to authorize work,

make decisions, change services? What is the change management and

change control process?


Standard Clauses:Limits on Liability

Unilateral or mutual Single or multiple caps Per claim, aggregate, per plan year, etc. Check for “hidden” limits

• Limits to E&O Insurance• Limits on Fiduciary Insurance

Ask to see policies



Carve-outs• Indemnification• Breach of fiduciary duties• Gross negligence/willful misconduct• Cost to correct Hitech breaches



No indirect, special, or consequential damages

Many vendors limit to fees paid• Limited to 3 X fees paid• Liability over term of contract limited to 3 X

fees paid during that term Watch for disclaimers and

indemnification of all HIPAA/HITECH liability• Some vendors directly liable


Standard Clauses:Indemnification

• Indemnification Indemnify and hold harmless Defend and Pay

• Consider Scope Plan Participants Fiduciaries (Committee) Employer (directors, officers, employees,

etc.) Controlled Group



• Third Party Claims Fraud, willful or intentional misconduct,

gross negligence, recklessness, negligence, breach of agreement• Materiality disclaimers

Running from vendor in favor of employer usually limited to failure to follow directions• Sweep clauses

Acts or failures to act



• Indemnification for Third Party Claims Cross indemnification Timely notice of action Right to control action No settlement clause


Standard Clauses:Dispute Resolution

• Arbitration/Mediation/ADR Not particularly unique to benefit plans Health plan claims cannot be arbitrated

per DOL Regs• Retain right to seek immediate

injunctive relief in court for critical issues


Standard Clauses - Benefits

• Source of Fees Plan/Participants

• Fiduciary duties and prohibited transactions• Most ERISA risk• Vendors prefer credit risk of plan over sponsor

Investments (Revenue Sharing)• Dates for crediting revenue sharing • Who earns interest on revenue sharing• Medium ERISA risk

Employer• Lowest ERISA risk• Watch for plan listed as secondary payor


QUESTIONS?

39

Date post:	23-Dec-2015
Category:	Documents
Upload:	alvin-clarke
View:	216 times
Download:	0 times

© Copyright 2014 Saul Ewing LLP Outsourcing 2014: Negotiating Outsourced Contracts Sarah...

Documents