Outsourcing To India: An In-House Counsel's Perspective

Wednesday, November 1, 2006 - 01:00

The Editor is fortunate to report on comments by Joleen S. Willis, Senior Vice President and Associate General Counsel, JP Morgan Chase & Company, from the Practising Law Institute web program entitled Legal Issues In Outsourcing To India: What Attorneys And Corporations Need To Know Now. To hear her full remarks and other leading experts' commentary, visit www.pli.edu.

Editor: What are some of the regulatory concerns associated with outsourcing to India?

Willis: The risks of any outsourcing transaction can be significant, particularly in a heavily regulated industry. Within the last two years in particular, regulators have focused their attention on the outsourcing activities in the financial services industry. The regulators do not differentiate between captive facilities and outside service providers.

Regulators want the company's executive management to analyze situations, make well-informed decisions and monitor progress. Such oversight functions can result in high operational overhead, but they are an important part of outsourcing.

In addition, companies like ours have to comply with bank secrecy laws, which are unique for financial services companies, and data privacy laws. Compliance and sound management must come together in order for outsourcing programs to be successful.

Editor: How can a company mitigate the risks associated with their outsourcing programs?

Willis: Companies view outsourcing as a migration where a business process is moved to another country or company. This means that the contractual arrangements with outsourcers play an important role in risk management to help ensure that the business process is properly performed.

Since commercial law in India is not as robust as in the U.S. legal system, companies protect themselves by working with Indian service providers that have substantial U.S. holdings. Contracts are often three-party agreements including the company, the service provider and its U.S. holding company. The contracts are governed by U.S. law and subject to U.S. jurisdiction.

We have a captive facility in India where processes are performed by direct employees, and we use outside service providers, as well. We treat all of our outsourcing the same for risk assessment purposes. Because financial services providers handle a lot of private customer information, they must control access to that information. It makes sense to limit the information these facilities can access and to use a captive service facility for back- and middle- office processing.

Editor: What advice would you give to companies that are considering outsourcing to India?

Willis: Companies must make a commitment to provide the resources necessary to run an effective compliance program. We have all heard stories about a lack of oversight for outsourcing programs because of the related costs. An executive level commitment to oversee the operations is necessary.

Once that commitment is made, companies need to develop a coherent strategy to implement the program. We are a large organization with several lines of business that have their own way of doing things. They all use the same Indian services providers, so someone has to set the company's strategy, select the location and develop provisions on concentrations of activities in the country. It has to be done by an executive committee and not by the separate lines of business.

The implementation has to have that consistency so that there is standardized execution methodology. The contracts and due diligence must be the same. This is the only way to do this long term while preserving the benefits.

Editor: How does Indian law impact an outsourcing program?

Willis: A company with a captive facility will be subject to Indian law. Here it makes sense for companies to use Indian counsel because they are more likely to understand the regulatory and bureaucratic issues that may arise. I would advise those thinking about outsourcing to become familiar with Indian counsel.

Editor: What are a few of the labor law considerations in outsourcing to India?

Willis: If you decide to use the captive model, you will be subject to Indian labor law. Today India's labor market is undergoing a period where employees have a better bargaining position than the employers. If you combine the country's stringent labor requirements with these retention problems, labor becomes a huge consideration for companies considering outsourcing.

Editor: What intellectual property issues can affect a company's decision to outsource to India?

Willis: Once you are in India, regardless of relationship, you may find that you need to transfer use of particular software to India. Sometimes it is software that is licensed from a third party. You have to make sure that you have the right to do that because the third party may not be excited that the software is being moved to India. Counsel needs to review software contracts before transferring any technology to an Indian facility.

When making a cost-benefit analysis of investing in India, it may be difficult to justify applying for many patents in the country because patent enforcement is not strong there. As a financial services company, not many of our patents cover our middle- or back- office processes, so we do not have as much exposure to patent infringement as companies in other industries may have.

Editor: What about protecting trade secrets or data?

Willis: We have extremely robust confidentiality language in our agreements. We have hedged those with extremely robust security measures to ensure our information is protected. This includes provisions prohibiting workers from downloading information to portable media or from accessing websites that allow for cross-transferring of information.

Along with bank secrecy, data protection is our biggest challenge when outsourcing to any country, not just India. We have robust information security policies and requirements. We have an auditing capability so that we can monitor security on a consistent basis. We also limit the data that can be accessed by our outside facility workers.

The human element is the most difficult to oversee when monitoring data privacy. For example, when dealing with U.S. service providers that will work with customer data, we do FBI background checks on their employees. This doesn't exist in India. There is no uniform database that you can use, and so there is a great risk. For instance, a major international bank recently had a worker from a service provider in Bangalore, India, who took customer information and passed it off to an organized criminal syndicate in the UK. That group was able to take money from several customer accounts. The Indian criminal system is improving and was able to take action against that individual.

Editor: How do you make sure that you are doing everything that is necessary to protect intellectual property in India?

Willis: We work with a limited number of service providers that agree that anything developed for us is property of JP Morgan Chase. That right has to reach down to the subcontractors.

Because companies cannot rely on the Indian court system to enforce their rights, there is a need for self help. For example, with some service providers that have misused intellectual property, we have used the threat of discontinuing business until the company comes in line with the agreement. We work with them to implement a training program for employees so that they know what they should and should not do with our systems.

Editor: Do outsourcing programs have any implications in the U.S.?

Willis: Outsourcing programs can have a negative impact on companies that provide services to state governments. Many states have laws prohibiting companies from working with non-U.S. service providers. Even a program where middle and back office functions are run in India can run afoul of these laws. You need to deal with these situations on a case-by-case basis. Whether it will impact your service contracts will depend on the service being provided, as well as the language of any applicable statute, regulation or ordinance.