1.1 Who should read this practice note?
Solicitors and practices that are thinking about entering into, or who have already entered into, an outsourcing arrangement.
1.2 What is the issue?
The Solicitors Regulation Authority (SRA) implemented outcomes-focused regulation (OFR) in October 2011. OFR is a move away from a rules-based approach to one that focuses on high-level outcomes governing practice and the quality of outcomes for clients.
The SRA has published a Handbook, which sets out all the SRA's regulatory requirements. It outlines the ethical standards that the SRA expects of practices and practitioners and the outcomes that the SRA expects them to achieve for their clients.
The SRA Handbook includes a Code of Conduct (the 'SRA Code'), which replaced the Solicitors' Code of Conduct 2007 (the '2007 Code'). The SRA Code establishes outcomes-focused conduct requirements and each chapter outlines outcomes and indicative behaviours (IBs).
The SRA Handbook and Code have been in force since 6 October 2011. Accordingly, the 2007 Code and all of its rules and guidance no longer apply to solicitors' conduct, save in respect of any review by the SRA of conduct taken prior to 6 October 2011 to which the 2007 Code will still be applied.
An overview of OFR can be found on the Law Society's website. This provides information on what the SRA Handbook contains, including a summary of the chapters in the Code of Conduct and a summary of the reporting requirements included throughout the Handbook.
Outsourcing is a growing area in legal service delivery. This practice note provides you with an overview of outsourcing in the SRA Code. It includes information on:
- The SRA Handbook
- Examples of outsourcing activities
- Management of your practice
- Risk assessment
- Equality and diversity
2 Examples of outsourcing activities
The SRA has provided some examples of outsourcing which the outcomes in the SRA Code are intended to capture. These include services which are critical to the delivery of legal activities, for example legal secretarial services and proofreading.
The following is not an exhaustive list:
- activities which would normally be undertaken by a paralegal
- initial drafting of contracts
- legal secretarial services - digital dictation to an outsourced secretarial service for word-processing or typing
- document review
- Companies House filing
- due diligence, for example in connection with the purchase of a company
- IT functions which support the delivery of legal activities
- business process outsourcing
The examples are provided in the SRA handbook Q&A on outsourcing.
The SRA notes in Q&A 4 that the outsourcing provisions in the SRA Code do not apply if you use a specialist service to assist with the provision of legal services to a client, for example instructing counsel, medical experts, tax experts or accountancy services.
The SRA has highlighted that the outsourcing of business and legal processes is increasing. The SRA emphasised the possible lack of due diligence over outsourcing arrangements generally in its 2013/14 Risk Outlook. In its 2014/15 Risk Outlook, the SRA focused attention on the narrower area of the outsourcing of IT systems because of its connection to cyber crime, an issue which itself remains one of the SRA's priority risks identified in its 2016/17 Risk Outlook.
3.1 SRA Code
Outsourcing presents specific challenges to confidentiality. There is a risk outsourcing will result in loss of confidentiality and that information may be disclosed to third parties. You must make sure that the outcomes in chapter 4 of the SRA Code on Confidentiality and disclosure are adhered to when work is outsourced.
Chapter 4 is about the protection of clients' confidential information and the disclosure of material information to clients. There are specific provisions on outsourcing. One of the outcomes that must be met is:
'Outcome (4.1) you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents'
Practices that are planning to outsource any work relating to confidential client information must take all necessary steps to ensure that the third party providing the service will keep that information confidential. This should include putting an adequate confidentiality agreement in place.
Chapter 4 also includes a specific IB on outsourcing. This is:
'IB (4.3) you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your clients' confidential information will be protected'
You should bear in mind that outsourced providers will not be constrained by the same professional duties as solicitors, and you must therefore make providers aware of your professional duties in relation to outsourcing. In addition to having confidentiality agreements in place, you should consider auditing and checking the outsourcing provider's confidentiality processes.
The SRA published ethics guidance on client confidentiality in January 2015, which confirms that it is a firm's responsibility to consider the adequacy of protections against electronic information being destroyed or passed to a third party (including separate entities within a group) and especially if information is shared across different jurisdictions.
This guidance highlights that information stored via cloud computing may be more vulnerable and that firms will need to be able to demonstrate that they have considered the risks and that clients have consented to information being stored in a particular way.
3.2 Law Society good practice
In addition to taking all necessary steps to ensure information will be kept confidential by third parties, you should ensure that the client is aware, for example through the practice's terms and conditions, that such outsourcing may take place. You should also consider whether specific consent is needed from clients prior to outsourcing taking place.
The Law Society's practice note on client care outlines that it is good business practice to set out terms of business, including on the outsourcing of work. There is a risk that your outsourced provider may breach client confidentiality when you outsource work on client files. Drawing the client's attention to this risk may mitigate any breach of confidentiality which then occurs. However, you still risk regulatory action, so you should consider taking the steps outlined in 4.1.
Examples of what you should include in your terms and conditions on outsourcing are outlined in the client care information practice note.
4 Management of your practice
4.1 SRA Code
Chapter 7 in the SRA Code on Management of your business sets out requirements on the management and supervision of your practice. When considering how to meet the outcomes in this chapter you should take into account the size and complexity of your practice and the type of work you undertake. Chapter 7 covers:
- systems and controls
- monitoring risk
- monitoring financial stability
- complying with relevant legislation
- training of staff
There are two outcomes in chapter 7 that specifically reference outsourcing. Outcome 7.9 prohibits you outsourcing reserved legal activities to a person who is not authorised to conduct such activities.
Outcome 7.10 refers to the outsourcing of 'legal activities or any operational functions that are critical to the delivery of any legal activities'. Operational functions that are critical to the delivery of legal activities may include initial drafting of contracts, research, document review, due diligence and IT functions. This outcome outlines that you must ensure such outsourcing:
- does not adversely affect your ability to comply with, or the SRA's ability to monitor your compliance with, your obligations in the Handbook;
If you outsource work you must ensure that this does not adversely affect compliance with any of the requirements in the Handbook and that it does not affect the SRA's ability to monitor or regulate.
- is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions;
You must ensure that the SRA can obtain access to relevant information if necessary. You must secure rights of inspection for the SRA in all outsourcing contracts that cover legal activities or operational activities that are critical to the delivery of legal activities. You should ensure that the outsourced provider with whom you have the agreement is aware of your professional obligations in this area.
- does not alter your obligations towards your clients; and
You must ensure that any outsourcing arrangement does not affect your professional obligations towards your clients, including the requirements set out in chapter 1 of the SRA Code on Client care. You should consider whether it is in your client's interest to outsource and should inform clients about any arrangements which are made in relation to outsourcing (see section 3 on Confidentiality). You will need to carefully consider the contents of your client care letter to ensure that it includes all relevant information.
- does not cause you to breach the conditions with which you must comply in order to be authorised and to remain so.
4.2 Law Society good practice
As noted above, the SRA has not defined outsourcing but outcome 7.10 refers to outsourcing of 'legal activities' and 'operational functions that are critical to the delivery of any legal activities'. However, you must bear in mind that at all times practices must remain responsible for any work that is outsourced.
In the Law Society's view, you should also ensure that any outsourcing that is not critical to the delivery of legal services does not affect your ability to comply with your obligations in the Handbook. Non critical outsourcing activities might include branding activities such as graphics and design, social media activity, cleaning and office maintenance.
You should consider and monitor the regulatory risks of outsourcing arrangements to your practice. One of the IBs (7.3) in chapter 7 sets out that you may tend to show that you have achieved the outcomes by:
'IB (7.3) identifying and monitoring financial, operational and business continuity risks including complaints, credit risks and exposure, claims under legislation relating to matters such as data protection, IT failures and abuses and damages to offices'
Outsourcing carries specific risks and further information on risk assessment and the specific risks of outsourcing is outlined below.
5 Risk Assessment
The SRA has emphasised the need for practices to take a risk-based approach to compliance and managing their business. This will mean practices identifying and assessing risk. You may find the Law Society practice note 'OFR: an overview' helpful for a general overview of risk assessment.
There are specific risks in relation to outsourcing and practices must thoroughly assess any risks before making the decision to outsource. These risks must be monitored throughout the term of the outsourcing and not just at the outset of the outsourcing arrangement. The level of risk will depend on the particular type of outsourcing eg whether the practice is outsourcing an administrative function or whether it is outsourcing legal activities.
Risks that are specific to outsourcing are:
- SRA Handbook - ensuring compliance with all the requirements in the Handbook, including the principles and Code of Conduct. Outsourcing providers may not be constrained by the same professional duties as solicitors, for example in relation to confidentiality and conflicts of interests, so you may want to consider whether restrictions/safeguards need to be introduced in contracts.
- Client care - is outsourcing always in the client's interests? Is there a risk that you may not meet the requirements, and provide the standard of service, as outlined in chapter 1 of the SRA Code on Client care? Can you meet outcome 7.10 in chapter 7 of the SRA Code and ensure outsourcing does not alter your obligations towards your clients?
- Lack of confidentiality - there is a risk that confidentiality will not be protected and information could be disclosed to third parties. This is outlined in section 3 above.
- Conflicts of interest - there are a limited number of outsourcing providers. This increases the risk of the provider being involved in the same matter thus resulting in a conflict of interests and possibly compromising your independence. You should consider what process could be put in place to prevent this.
- Quality of service - are there risks to the quality of the work provided by outsourcing providers and are you getting the same quality of work as if you had done it yourself? How will you assess the quality of work provided?
- Your business - you may face a risk to your business if your outsourcing provider fails to deliver.
- The third party/outsource provider - have you carried out due diligence on the potential supplier? Are there any marketing or branding issues, e.g. is the third party/outsource provider using the name of your firm on their own website? Will your arrangement affect your ability to comply with the separate business outcomes in the SRA Code?
- Other regulatory risks - these might include data protection (see the Law Society Data protection practice note and Information security practice note and the SRA's Silver Linings: cloud computing, law firms and risk, November 2013 and Spiders in the web: The risks of online crime to legal business, March 2014) and bribery (see the Law Society Bribery Act 2010 practice note).
The SRA handbook Q&A on outsourcing provides a diagram to help you identify all the possible risks.
Having identified the specific risks that outsourcing presents, you may find it helpful to consider the following questions:
- What activities, either legal activities or operational functions, do you want to outsource and why?
- Which outsource provider are you intending to use and how will this arrangement work?
- How will you monitor the quality of the outsourced work? Whom will the work be undertaken by and what is the level of expertise of those who undertake it?
- How will you monitor compliance with the Handbook, including compliance with client care, confidentiality, conflict of interest, and equality and diversity requirements?
- How will you highlight any relevant working relationships you may have with third party suppliers and ensure that your policies are aligned with data protection laws in both the United Kingdom and the European Union?
The systems and processes your practice has in place play an important role in enabling compliance.
6 Equality and diversity
Practices should consider equality and diversity requirements when entering into outsourcing arrangements. Chapter 2 in the SRA Code on Equality and diversity is about encouraging equality of opportunity and respect for diversity and preventing unlawful discrimination in your relationship with clients and others.
7 More information
7.1 Advice and support
7.1.1 Practice advice
The Law Society provides support to solicitors on a wide range of areas of legal practice. The service is staffed by solicitors and can be contacted on 020 7320 5675 from 09:00 to 17:00 on weekdays.
Visit the Practice Advice Service website.
Solicitors Regulation Authority's Professional Ethics Helpline for advice on conduct issues
Guide to outsourcing - Have you considered using legal process outsourcing (LPO) services but are not sure where to start? The Law Society's guide explains the basics, highlights key issues to consider and profiles the experience of firms that have used LPO both onshore and offshore.
Download the guide (PDF 500Mb)
7.1.3 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 020 7316 5655, or email firstname.lastname@example.org.
Find out more about our consultancy services
7.1.4 SRA resources
SRA handbook Q&A on outsourcing.
The resources tab throughout the Handbook is also a source of information.