Will HRO Compliance Create Speed Bumps or Roadblocks?

With myriad new regulations to watch out for, potential HRO buyers need to be careful about their engagements. Data privacy and employee liability remain two of the most compelling concerns today.

by Andy Teng

Potential buyers of HRO, especially those in the European market, face myriad hurdles on the road to actually adopting outsourcing. Aside from the sheer sea change in corporate culture, countless other requirements face the intrepid HR leader tasked with this effort, including winning support from unions and work councils, securing champions at the executive and board level, solving implementation headaches on a continent-wide if not global basis, and numerous other challenges. Of course, none of this matters if the deal fails to adequately address perhaps one of the most important considerations: meeting all applicable compliance mandates.

Compliance is big these days, so big that it may be impolite not to mention it when discussing HRO. Depending on the person, outsourcing may be viewed as an invaluable tool or a potential trip-up for an organization trying to build a robust compliance program. On one hand, some see service providers as knowledgeable allies who competently understand the regulatory imperatives of each nation in which they roll out service on the customer’s behalf. On the other hand, there are concerns about whether outsourcing—never mind offshoring—simply adds layers of complexity, especially as data privacy has become one of the hot topics in the European marketplace in the past year. Whatever the view on HRO’s impact on compliance, this much is clear: Don’t underestimate the importance of compliance in outsourcing.

“I think outsourcing is as much an emotional decision as a rational one. Compliance and privacy are issues you will usually raise,” said Neil McEwen, a managing consultant for PA Consulting Group, a sourcing advisory firm. McEwen pointed out that clients he consults for often cite compliance issues as one of the top concerns they have when considering outsourcing. It’s especially understandable in the EU, where numerous regulations governing workers’ rights and data privacy have placed greater constraints on HRO than in the U.S.

McEwen contended that compliance, like any other concern about HRO, is usually seen through two sets of lenses. For corporate leaders committed to outsourcing, it’s viewed as another hurdle that can be adequately addressed. For others, compliance may be viewed as a deal-breaker so thorny that it’s prohibitive to outsource.

“If you are positively inclined towards outsourcing, then you see it only as a bunch of issues you just have to work through,” he added.

USUALLY MULTI-JURISDICTIONAL
The problem with complying with all regulatory statutes in big, enterprise deals is that they usually involve a global footprint, and that means complying with numerous laws overseen by a variety of regulatory authorities. For instance, Sarbanes-Oxley is a U.S. law that has ensnared most international public companies. That’s because the landmark law elevates disclosure requirements for organizations listed on the U.S. exchanges, not just those with headquarters in the U.S. For instance, businesses with material outsourcing contracts—whether in HR, F&A, or IT—must disclose these deals. Similar requirements are imposed under U.K. regulations governing internal controls for publicly listed U.K. companies. That means multi-domain HRO arrangements—usually those encompassing several countries with a material impact on financial statements—must comply with these types of laws.

“For EU companies that are listed in the U.S., compliance with Sarbanes-Oxley is a big issue. Then there is the whistleblowing with huge variances across Europe,” explained Julian Roskill, head of the London employment group at the law firm Mayer, Brown, Rowe & Maw. He pointed out that in the post-Sarbanes-Oxley era, companies have become very sensitive about internal controls and the need for disclosure. As a result, many international businesses see a greater need to comply with some form of de facto international compliance standards.

Under Section 404 of Sarbanes-Oxley, companies must ensure that service providers have documented financial processes, performed a risk assessment, and have effective controls over financial reporting. For outsourced HR services such as payroll, for instance, it’s critical that providers adhere to all mandates. This function can’t be outsourced and must be performed by the organization internally. Penalties can be quite severe for non-compliance, including sizable fines and even jail time for company executives.

Sarbanes-Oxley is just one regulation with impacts on international outsourcing. Others such as the European Acquired Rights Directive and the Data Protection Directive—two laws that have been around since the late 1990s—have a far-reaching impact on outsourcing as well, although many companies have come to live with these directives in recent years. The more recent phenomenon of HR outsourcing, however, has led to a closer look at what HRO buyers and providers must do to comply with these directives.

Florence Guthfreund-Roland, the head of the outsourcing practice and new technology and data privacy practice at law firm Morgan Lewis in Paris, pointed out that while some of these regulations have been on the books for some time, there seems to be a convergence of compliance issues for HRO buyers. Some are recently enacted, such as Sarbanes-Oxley. Others have undergone changes, such as the recently revised Transfer of Undertakings (Protection of Employment) Regulations (TUPE) in the U.K. Clearly, she pointed out, compliance has surfaced as a major concern in any outsourcing decision.

“When the employer is undertaking the decision to outsource, new labor and employment [legal] matters are really taken into account,” she added.

DATA PRIVACY HIGH ON THE LIST
If there were any doubts about whether enough attention was being paid to data privacy, then the recent rash of high-profile data-privacy breaches should erase those doubts. Across the world, concerns about the loss of data have ratcheted up lawmakers’ focus everywhere on protecting personal data—that of employees as well as consumers. For instance, the disappearance and then reappearance of millions of U.S. military veterans’ records on a government laptop earlier this year prompted American lawmakers to call for greater data privacy protection measures.

In Europe, data privacy has always been a critical concern, with laws in some nations bordering on suffocating. Nevertheless, EU member states continue to take privacy issues very seriously, especially in nations such as France, said Guthfreund-Roland. For example, in June of last year, the French Commission Nationale de L’Informatique et des Libertés (CNIL) opposed plans by McDonald’s France and CEAC (a subsidiary of U.S.-based Exide Technologies) to implement measures that would allow anonymous whistleblowers to report corporate wrongdoing. French authorities contended that such a plan, which was intended to help the companies comply with their Sarbanes-Oxley obligations, would have violated the nation’s privacy laws.

Recently, French authorities came to an agreement with the companies, allowing them to implement the whistleblower provisions only in the area of accounting and financing, Guthfreund-Roland noted. She pointed out that even though French authorities have relaxed the privacy requirements, the case also underscores how one jurisdiction’s rules may counter those of another. Still, in the end, the authorities recognized that the companies were pinned between conflicting regulations and worked to come up with a mutually agreed solution.

“It shows that European authorities and American authorities are able to take into account the constraints of both legislations,” she added. “It’s interesting to see how the SEC and French authorities are able to find a good solution.”

French law mandates that “controllers” of personal data collect and process the information in a way that satisfies regulatory requirements. The latest ruling indicated that authorities there are acknowledging the need for companies to implement internal controls to address wrongdoings within their organizations.

The French case vividly exemplifies the difficulties companies face when implementing a common policy. For instance, while France may be seen as the most ardent protector of data privacy (although German courts last year also issued a similar ruling), privacy regulations are much more relaxed in the U.K. That’s reflected in each nation’s broader employment laws as well.

Mayer, Brown’s Mark Prinsley, head of the firm’s London-based Business Technology Services Group, pointed out that there is a closer alignment of the U.K. with the U.S. than with the rest of Europe. Even so, the EU is unified in its approach to data privacy through the directive, whereas in the U.S. federal laws often differ from state laws on privacy. In fact, many states such as California and New Jersey have imposed much tougher regulations on data privacy.

For outsourcing service providers, there are economic implications to complying with privacy mandates. One approach is to indemnify the employer against breaches. Usually, these terms are part of the HRO contract and are accepted under binding corporate rules under the directive. Because the directive has been around for some time, buyers have grown accustomed to including these stipulations in the contract.

However, as more providers look to move HRO operations offshore, complying with privacy regulations becomes increasingly complex, with strict regulations burdening the trend to go offshore. The data privacy directive explicitly governs the movement of employee and consumer information. Mayer Brown’s Roskill added that companies must be mindful that outsourcing to India or China is vastly different from outsourcing to the Czech Republic or Poland.

“When you transfer data outside the EU, you have to do so on terms that protect the integrity of that data and protect the rights of the individual,” stated Mark Prinsley, partner in the London technology and sourcing group at Mayer, Brown, Rowe & Maw.

Industry observers are also quick to point out that unlike the EU, many offshore destinations lack robust regulations governing the protection of data privacy. Even in India, critics have been quick to point out that the world’s largest outsourcing provider market has weak data privacy regulations. And in emerging markets such as China, there has been little discussion around the issue.

THE REVISION OF TUPE
While data privacy is an issue that affects both the HRO buyer and provider, one recent regulatory change could potentially have a greater impact on the provider community. According to Bill Bierce of the law firm Bierce and Kenerson, the April revision of TUPE increases the liability exposure for the provider community, which may ultimately be reflected in higher pricing to new HRO buyers. While it’s unclear to what extent this U.K. law will affect new contract signings, Bierce said there’s no question it will take some toll on vendors.

“I see the new law will increase the cost of outsourcing and increase complexity with legal risks, which needs to be mitigated in creative ways. Those creative ways will include financial assurances,” Bierce said, pointing out that there are ways to reduce the exposure.

Under the revision, providers who take on the employees of their clients in the U.K. are obligated to assume all liabilities of that client to the transferred employees. In other words, if the transferred employee loses his or her job or the job is significantly changed, then the provider is liable for claims by the worker. While worker protection had been a part of the original law, the revisions were expanded to specifically address outsourcing, insourcing, and resourcing. It also requires the client to deliver employee liability information to the vendor, which then becomes the permanent responsibility of the vendor.

Bierce noted that already at least one vendor has disclosed the risks associated with TUPE to its shareholders. Clearly vendors must weigh the liability of taking on clients’ employees as part of any HRO deal.

Some ways of circumventing the profound impact of the revisions include setting up a joint venture in which the customer continues to be responsible for employment liability; having employees work as part of a captive shared-service center managed by the outsourcing provider; and restructuring the HR department prior to outsourcing so layoffs are issued before the transfer (this approach, according to Bierce, may be the least predictable because it may be subject to court interpretation).

Bierce said how service providers handle the added exposure remains to be seen, but it is clear some will likely litigate to establish precedent and further clarify how the courts will interpret the law. It will also mean that buyers and providers in the U.K. will need to negotiate new, creative outsourcing arrangements or different pricing.

“There’s risk shifting and there’s risk sharing. I think we need to look at risk sharing,” he added.

Facing more compliance requirements than ever, European HRO buyers clearly must overcome greater hurdles than their U.S. counterparts to realize an outsourcing deal. With changes such as the TUPE revision and potentially additional data privacy measures, Europe is indeed a highly regulated environment. However, with more companies viewing outsourcing as a competitive advantage and becoming at ease with HRO as a result of documented successes, these compliance challenges may be regarded as just bumps along the road to HR transformation.
