U.S. Rules and Regulations Applicable to Outsourcing
Many functions within the relationship of a corporation and outsourcing firm fall directly or indirectly under the governance of U.S. laws. For example, several of the largest U.S. banks outsource their IT systems, data processing, financial research, data storage, or customer transactions to U.S. and foreign-based BPOs. In doing so, some of the rules and guidelines applicable to financial outsourcing include NASD NTM 05-48, The Federal Privacy Rule and the Safeguards Rule of the Gramm-Leach-Bliley Act, and outsourcing rules defined by Federal Financial Examinations Council (FFIEC).
When U.S. public companies outsource accounts receivable, accounts payable, or fixed-asset accounting to a BPO, compliance with Sarbanes-Oxley is still required as compliance is non-delegable. By extension of the outsourcing relationship, both the public company and the BPO work within the governance and compliance of these regulatory requirements. Also, when U.S. healthcare and insurance companies outsource medical records, claims processing, and patient billing information, patient information is protected under the parameters of the HIPAA Privacy Rule even if the patient information is maintained by an offshore BPO.
Rules of Legal Outsourcing (LPO)
Law firms and corporate legal departments typically employ some form of outsourcing within their functions. Services which are not typically considered the practice of law, i.e. document review, litigation support, eDiscovery, etc., are, technically, outsourcing relationships when they are performed by an outside party. The current rules applicable to legal outsourcing were defined by ABA Formal Opinion 08-451. The guidelines include the allowance of non-lawyers to perform certain types of legal work, provided non-lawyers are not engaged in the unauthorized practice of law and they are supervised by lawyers. When an eDiscovery provider is retained by a firm or in-house counsel, there are no restrictions on who may or may not perform culling, searching, and hosting of privileged documents. When paper documents are converted to electronic files by a litigation support company, confidentiality and security requirements exist for personnel handling the documents and the physical dwelling in which the documents are stored. When a non-lawyer in the U.S. or abroad is utilized to review documents for law firm retained by a client, there are no licensing requirements preventing the individual from doing so provided the non-lawyer, again, is working under the supervision of a lawyer. Overall, the combination of the Rules of Professional Conduct sworn to by counsel, counsel’s oversight of its legal outsourcing providers, and the compliance of ABA Opinion 08-451 by legal outsourcing providers appears to be cohesive and effective. Similar to U.S. privacy and confidentiality rules which extend to BPO practices, uniform standards and guidelines should continue to apply to legal outsourcing whether the work is performed in New York or New Delhi. Industry-wide compliance of confidentiality, security, prevention of conflicts, and avoiding the unauthorized practice of law will further substantiate the role of legal outsourcing and eliminate apprehension in its adoption as a standard practice for corporations and law firms. A Fortune 500 company or AmLaw 200 firm seeking to gain value through process improvements and cost reductions from legal outsourcing should be able to so; provided such work is done under their supervision and within the parameters of ABA Formal Opinion 08-451 or similar guidelines.