Outsourcing in the Financial Services Industry

Basics of Legal Regulation of this Field

(a) Are there any laws that specifically regulate outsourcing transactions in the Ukrainian financial services industry?

There are no laws in Ukraine applicable to outsourcing in the financial services sector in general. However, please refer to the response to question “Latest legal trends in the area” below regarding the upcoming general framework.

(b) Are there any additional regulatory requirements for certain types of outsourcing transactions?

At the secondary legislation level, the National Bank of Ukraine (NBU) adopted an implementing regulation for outsourcing in the banking industry. Outsourcing is defined as a transfer of a bank’s function to an outsourcer for the purposes of cost and process efficiency.^[1]

The regulation makes it clear that the outsourcing bank remains liable for outsourced functions both vis-à-vis its clients and the regulator. A bank is not permitted to outsource its licensable banking activity and risk management function (subject to exceptions). Likewise, a similar regulation issued by the National Financial Services Commission is applicable to the risk managing practices of an insurance company, which makes any outsourcing subject to full compliance with the requirements of this regulation.

In addition, some NBU requirements do not apply to outsourcing as such though they may have an indirect effect on the same. Thus, the NBU adopted specific requirements pertaining to the operational activity of a bank, which may imply that only a bank’s employees may perform certain functions. In view of this, an outsourcing agreement may need to include provisions to ensure that the service provider’s personnel are appropriately authorized to perform the respective functions under an outsourcing agreement.

Key Issues

(a) Legal structure

Please refer to the response to question “Illustrative case studies” below. In the scenario in this question, a local subsidiary of an international or European financial services group may enter into a separate agreement with a shared services entity or service provider outside of Ukraine that provides services to multiple group entities and that is likely to incorporate the terms of the agreement with the parent company. Domestic financial institutions are more likely to contract with local outsourcers.

(b) Procurement Process

It is common to procure outsourcing through a competitive process. For example, through a request for a proposal in the event that case functions are outsourced to a third party provider beyond the financial services group. In the public sector (e.g., if a customer were a financial institution owned or controlled by the state or local community), the process is more formal and subject to specific requirements. That said, if a customer were a bank, it may rely on the available exemption for procurement of services supporting banks in the rendering of their banking services and carrying out of banking operations in accordance with the applicable law.

(c) What are the most material legal or regulatory requirements and issues regarding data protection and data security that may arise on an outsourcing transaction?

The law restricts access to three broad categories of data: confidential data (e.g., personal data), secret data (e.g., professional secrecy) and classified data. Moreover, some data categories that are protected under the law (e.g., banking secrecy, insurance secrecy, etc.), must be processed by an integrated data protection system (IDPS), which is a combined instrument of approved software and hardware devices enabling the adequate protection of data.

(i) Banking Secrecy

Ukrainian law permits a bank to share banking secrecy with an outsourcer, provided that it does so to facilitate the outsourcer to perform functions supporting the bank’s activity as it is defined under law. Notably, certain banks take the view that the relevant provision of the law only permits banks to rely on this legal basis when sharing confidential banking information with a resident entity. Hence, it cannot be excluded that if the project entails sharing relevant data with a foreign outsourcer, the customer might need to seek additional consents from its clients.

(ii) Insurance Secrecy

Unlike banking secrecy, the law does not expressly permit an insurance company to share restricted data with an outsourcer. Therefore, it may need to rely on customized data sharing clauses in its client agreements.

(iii) Personal Data Protection

The Law of Ukraine No. 2297-VI On Personal Data Protection of 1 June 2010 (Data Protection Law) establishes requirements for the processing of personal data and the relevant obligations of both data controllers and processors. Given this, a financial institution handling its clients’ data may be regarded as a controller of such data and an outsourcer — as a processor. The Data Protection Law permits the transfer of personal data on a number of legal bases, including the execution of an agreement with a third party in favor of a data subject. In practice, however, financial institutions in Ukraine tend to rely on a data subject’s consent in the form of a data privacy clause stipulated in a client agreement.

If the project entails the transfer of personal data outside of Ukraine, the Data Protection Law permits transfer, without additional conditions, to a jurisdiction affording the appropriate level of protection. European Economic Area (EEA) countries and jurisdictions that acceded to Convention 108 are regarded as jurisdictions providing such a level of protection. The Ukrainian government was meant to adopt a list of other jurisdictions considered to provide sufficient protection, but it has not yet done so. Therefore, where personal data is to be transferred outside Ukraine to a jurisdiction other than an EEA country or a Convention 108 signatory, a customer may need to consider other legal basis under the Data Protection Law. Hence, an outsourcing agreement may need to include customized provisions to ensure the compliance of such transfer with the Data Protection Law.

(iv) Data Residency Requirements

The applicable standards pertaining to setting up an IDPS do not prohibit the outsourcing of data processing. However, from a practical perspective, the standards are drafted in a manner indicating that it should be created in Ukraine (please note that the applicable standard may indicate that the respective premises of the data center should be built on Ukrainian soil in accordance with the applicable building standards). Given this, the outsourcing of data processing by a bank outside of Ukraine may be subject to additional regulatory coordination with the NBU.^[2]

(v) Data Security Requirements

The NBU has started to implement the ISO/IEC 27000 series of standards. Thus, the applicable regulation specifies the requirements pertaining to the information security management system. These include a few requirements that could potentially be incompatible with the outsourcing environment because they need to be implemented within the “perimeter” of the relevant banking organization rather than outside of it. In view of this, an outsourcing agreement may need to include customized provisions to ensure that the service provider’s personnel are appropriately authorized to access the data system(s) of a financial institution in order to perform the respective functions under the outsourcing agreement.

(d) Intellectual Property

The regulation of IP rights in outsourcing agreements depends on the particular type of outsourcing operation. It could be as simple as the provisions on the IP right transfer from software developers and corresponding NDA provisions for the benefit of the bank, and as complex as a sophisticated licensing arrangement between a financial institution, third parties (holders or licensees of IP) and software developers/companies providing the service on behalf of the financial institution in relation to all sorts of IP rights, including software, copyrights on visual art work, marketing materials, patents on financial data processing, trademarks, etc. While preparing the transaction it is recommended to get a clear understanding of the structure, the parties involved, rights transferred but also market practice on how the particular software development/service delivery is organized and how the software is being developed or service is being delivered.

(e) To What Extent can a Party Limit Liability under Local Law?

Ukrainian law provides for some legislative restrictions on the limitation of liability. Hence, it would be advisable to consider this matter on a case-by-case basis in the context of a specific transaction for the purposes of a bespoke outsourcing agreement.

What Remedies are Available to Customers?

Under Ukrainian law, a customer may receive damages for a breach of the outsourcing contract. Parties may also set out specific penalties in a contract (either a fine, i.e., a lump sum defined as a fixed percentage of a failed obligation or an interest charge (Ukrainian ^­legislation provides for two different forms: penalty interest (“penia”), which is a form of penalty, and interest (“procenty”))^[3].

In addition, Ukrainian law permits “operational commercial sanctions” to be set out in a contract, which may be applied, among other things, as a preventive measure. Given this, the customer may negotiate measures more conventional for outsourcing contracts such as credits for failing to achieve certain milestones, service levels and service level credits, etc. However, these measures are not common in Ukraine at the present time.

Latest Legal Trends in the Area

The Verkhovna Rada of Ukraine recently adopted a draft law on financial services in the first reading, which is designed as a general legal framework for the industry. The objective is for this framework to be adopted together with a set of detailed “deep dive” laws on particular financial services sectors. The draft law provides a general framework on outsourcing in the financial services industry and indicates that a financial services firm can outsource some of its functions and/or processes within such functions, the list of which will be provided in the draft law and aforementioned laws. Moreover, a financial services firm will need to: (i) inform a regulator about its intention to outsource its internal functions/processes; and (ii) ensure that an outsourcing agreement meets the requirements set out by the same regulator.

In addition, on 1 July 2021 the new law on capital markets comes into force, which provides for a separate regime of professional secrecy at the capital markets (similar to those described in question “Key issues” (a) and (b) above). The capital market participant may share professional secrecy data with an outsourcer pursuant to the outsourcing agreement. That said, the law contains a little caveat saying that it may share such data provided the outsourcer is required under the law to protect the respective professional secrecy. It is not entirely clear whether such obligation under the capital markets law extends to the outsourcers, hence, it cannot be excluded that the capital market participant may need to seek additional consent from the client.

Illustrative Case Studies

A common case in the Ukrainian banking sector is the outsourcing of the provision of IT services to a shared service (a designated special purpose vehicle), which entails the transfer of data controlled and processed by a bank to the respective entity. Therefore, from a bank’s perspective, data protection and other regulatory requirements pertaining to the project are the key compliance aspects. Given this, data management schedules or separate agreements would make up a major contractual element of the transaction.

^[1] Separate NBU requirements are applicable to a bank acting specifically in the capacity of an issuer and/or an acquirer of payment instruments.

^[2] Moreover, under the applicable NBU regulation, a bank is required to carry out the processing and storage of banking transaction data on servers and/or other computer equipment that are physically located on the territory of Ukraine. In view of this, the processing of the data controlled by a bank in the outsourcer’s environment outside of Ukraine could technically be regarded as a breach of the above requirement.

^[3] If, however, a customer was a financial institution owned or controlled by the state, depending on the position taken by the customer, the parties might not be able to set out the applicable penalties in a contract because the law sets them out.