Asset management: Risk allocation and liability profiles in technology contracts and outsourcings for asset managers

Sourcing a technology solution

Within the asset management industry there is a range of technology platforms available for use by an asset manager. These include:

• Straight-through processing (STP) systems (linking distributors and fund providers in the wealth management chain).
• Technology systems for supporting wealth management and administration services (including for investment wrappers and managed funds).
• Administration platforms for retirement savings (both corporate and personal plans), pensions and loans (including structured products).

In each case, an asset manager is seeking to reduce operational risk and lower its costs by buying the functionality of the technology platform in order to replace its current legacy system or to migrate from an inferior third party system to a new platform. It will generally retain its staff engaged in providing asset management services to its customers, with the exception of any headcount efficiencies that it can make from the new technology.

End-to-end service responsibility?

The result of deploying such technology is that the end-to-end service provided by an asset manager to its customers is made up of, internally, a combination of third party systems supporting the service, the asset manager’s own technology, and the services of its own staff. 

Given such an operational profile, suppliers typically resist accepting responsibility for failures in the end-to-end service that result from components over which they may have no control (such as errors made by the asset manager’s staff or by its own technology).

Responsibility (and liability) in technology contracts therefore tends to be allocated between the asset manager and the supplier based on failures in the technology itself (as opposed to failures in the end-to-end service). Such technology contracts are characterised, in terms of a liability profile, as inputs-based contracts. Supplier performance under them is generally measured by reference to supplier inputs, rather than by reference to the outputs made up of the end-to-end service (of which the supplier inputs form only part).

Software failures

Asset managers sourcing technology are naturally keen to ensure that the technology does what it is supposed to do as a measurable input. Ideally, they would have their suppliers guarantee the functionality of the system for the term of the contract. Conversely, suppliers are conscious that technology is rarely fault free and that errors often arise when a system is used in a live operating environment, or in combination with other systems that may not have been designed to be compatible with the supplier’s system.

While the early life of a technology deployment may reveal a number of operating faults in a live operating environment, it is not necessarily the case that the effluxion of time will result in fewer faults in the technology. This is because software within the technology may well be required to process more and more new scenarios against which it has never been tested.

For this reason, risk-averse suppliers (particularly those operating in US markets) typically attempt to transfer the risk of the software containing faults (whether known or unknown) to the asset manager by requiring the asset manager to accept in the contract that the software:

• Is taken “as is”, without a performance warranty linked to a functional or technical specification.
• Will not operate “uninterrupted or error-free”.

Subject to the remuneration they receive reflecting the additional risk, some suppliers are prepared to accept responsibility for a supplied system performing in accordance with its functional or technical specification. In contracts for traditional on-premise software, often this is only for a short warranty period of between thirty to ninety days. After that time, a supplier will usually only assume responsibility contractually to correct errors as part of a paid service to support or maintain the system on an ongoing basis.

For software that is cloud-based or provided “as-a-service”, the supplier is more likely to accept ongoing responsibility for performance linked to a functional specification, but this is subject to the supplier retaining the right to change the software and its accompanying specification on an ongoing basis.

Third party elements

Suppliers are also increasingly building technology systems on top of core technology made available by other providers that can be adapted for specific sectors or customer types. 

At best, such a supplier will pass on the functionality and other commitments obtained from the underlying technology providers (which are often not particularly robust). 

Where the asset manager is required to obtain their own direct licence from the provider to use the underlying technology, the supplier will likely exclude all responsibility for the underlying technology. In either scenario, the supplier may insist on excluding its liability for availability or performance issues caused by changes in the underlying technology over which it has no control. 

Liability for heads of loss

All suppliers will usually exclude responsibility for various heads of loss, such as consequential loss and loss of profit, anticipated savings, contract, business or opportunity. Asset managers procuring cloud-based solutions should be cautious of accepting two common exclusions:

• “Loss of data” and “corruption of data”, which is not an appropriate allocation of risk in circumstances where the supplier is responsible for storage and security of the asset managers’ data. 
• “Loss of use”. 

Acceptance testing

Suppliers argue that the risk of a technology solution not working should predominately be borne by an asset manager customer because the asset manager (rather than the supplier) is best placed to:

• Know its own business needs.
• Test the software properly to ensure that it functions as required.

However, such a risk allocation ignores the reality that asset managers often look to their suppliers to deliver the required business functionality though the supplied technology (and an asset manager may not have the internal resources or technical expertise to specify its own technical requirements against which a system must deliver).

Similarly, an asset manager may have insufficient time or internal resources to undertake comprehensive user acceptance testing. Conversely, the supplier will argue that, while the customer has the opportunity to carry out some acceptance tests, the supplier’s ability to test is also limited as it is not in a position to test in a live environment (only a test environment).

Outsourcing

Unlike a technology solution, an outsourced solution typically involves a complete transfer of a function of the asset manager’s business to the supplier, such as its middle or back office functions. The supplier will be providing the technology (as an input) that underpins the end-to-end service (as an output), as well as its own staff. In some instances, the supplier is required to perform the outsourced function using the technology selected and/or procured by the asset manager. 

Asset management outsourcings (or what is commonly referred to as middle and back office outsourcing) can encompass a number of services, including:

• Custody.
• Depositary services.
• Fund administration.
• Fund accounting.
• Transfer agency.
• Other middle and back office services.

As a technical legal matter, the outsourcing concept really captures functions which lie, prima facie, with the asset manager and are then delegated to others. The depositary function, for example, by its nature does not really sit in this category – it is a third party oversight function and is not therefore the asset manager’s to delegate. 

However, we discuss these roles under the broad “outsourcing” umbrella because arrangements with third parties that provide services that support critical or important business functions (but are not technically outsourcings) are increasingly subject to similar requirements.

While a regulated firm cannot outsource its regulatory responsibilities, a well-advised asset manager can nonetheless take steps to ensure that it can fully discharge its responsibilities by reflecting them in the contract in granular, back-to-back tasks and deliverables for which the supplier has responsibility. 

Such an approach will require a legal and compliance review of detailed service descriptions, service levels, governance and other contractual provisions. 

The liability profile differs depending on the outsourced asset management service at issue. However, risks of the type considered above (in relation to sourcing technology solutions) are relevant to the liability profile for any outsourced solution, regardless of the type of service outsourced.

End-to-end solutions and inputs vs. outputs

Because such outsourcings generally involve the provision of an end-to-end solution (that is, one delivering outputs):

• The supplier may be more comfortable in committing to contractual performance targets applicable to the outputs (when compared with an inputs-based technology solution).
• Given the focus on outputs, the supplier may resist attempts to regulate or control what inputs it uses to deliver the outputs (for example, technology components or solutions), arguing that its obligation is to deliver to a service description and service levels (which measure outputs), and that it should not be fettered in what methods it chooses to do this.

The freedom that suppliers demand in outputs-based outsourcings can be problematic for asset managers:

• Sometimes control over what inputs are used by a supplier (for example, a type of system, technology or process) can manage (or reduce) the risk that the outputs will contain errors. 
• An asset manager may want the comfort that the supplier is using a known or industry-accepted technology, and that the supplier’s inputs are sufficiently resilient and robust to reliably deliver the required outputs every time. Suppliers may resist this, especially where the technology chosen by the asset manager is not robust or proven in the industry.  In other cases, the chosen third party technology will form a core part of the Supplier’s service delivery model to the point where the asset manager cannot simply swap that third party technology out without renegotiating the whole outsourcing.

Regulatory requirements

Asset managers who are subject to regulatory requirements on outsourcing and third party arrangements may also find it difficult to reconcile the operational freedom demanded by their outsource suppliers with the requirement that the regulated entity retains control over subcontracting by the supplier and the locations from where the services are provided. 

Allocating liability for errors and faults

Whether or not an asset manager is successful in being able to control the technologies a supplier uses in delivering an end-to-end service, if well-advised, it will in any event want the outsourcing contract to address risk allocation in relation to errors more generally.

For example, the contract may characterise certain types of errors as leading to losses that are recoverable by the asset manager, regardless of whether a court would otherwise regard them as direct (recoverable) or indirect/consequential (irrecoverable) losses. 

Current market practice is for the contract to prescribe a non-exhaustive list of losses in respect of which the supplier will be liable. The supplier will want to make sure that this list is as specific and as narrowly defined as possible. 

Service credits

It is common to incentivise suppliers to respond to faults and resolve them (or use reasonable endeavours to do so) within specified timeframes. An outsourcing contract will usually provide that failure to meet these timeframes (known as service levels) results in a supplier having to pay a service credit. This is an amount of money (sometimes offset against invoices due) that is generally capped at around ten to fifteen per cent of the monthly fees payable under the contract, but it can rise to higher percentages for sustained service failure.

It is often the case that the losses suffered by an asset manager as a result of an error or fault (when the supplier fails to fix it in time) will be significantly greater than the service credit payable by the supplier. For example, a failure by an outsourced solution to generate accurate reports could, in certain circumstances, prevent the asset manager from carrying out trades, causing it significant losses.

How do well-advised asset managers address this risk? There are a number of options:

• Price adjustment: It is common practice for the contract to state that service credits are simply a price adjustment for poor service (or a refund for the value of services not received), and that they are not the asset manager’s sole or exclusive remedy under the contract or at law. This leaves open the possibility that an asset manager could recover its other losses (over and above the value of the service credit) at law, such as losses to the fund. Suppliers typically try to resist this.
• Sole and exclusive remedy: Alternatively, an asset manager may be prepared to concede that service credits are its sole and exclusive financial remedy. This is not ideal from the asset manger’s perspective, but it means that it is still open to it to terminate the contract (if the breach is sufficiently serious to justify termination). However, depending on the actual wording used, this mechanism may preclude an asset manager from recovering its other losses should it decide to terminate the contract (which considerably weakens the appeal of this particular risk allocation).
• Sole and exclusive remedy up to a threshold: A compromise position may be to provide that service credits are an asset manager’s sole and exclusive remedy (perhaps just a sole and exclusive financial remedy) for a particular failure, but only up to a specified accrual of service credits. When that level is reached, the asset manager can then have all rights and remedies available to it, including the right to sue for damages for its additional losses, such as losses to the fund and (if there is a sufficiently serious breach) the right to terminate the contract.

Standard of liability in ICT procurement and asset management outsourcings

Aspects of the liability profile for certain types of asset management outsourcings are prescribed (to some degree) by regulation. In particular, the “standard of liability” may be provided for in regulation, depending on the outsourced services at issue.

The standard of liability refers to contract defaults in respect of which an asset manager is required (by regulation) to require a supplier to agree (under the outsourcing contract):

• Unlimited liability.
• A certain threshold for establishing liability.

Regulation may affect the standard of liability because the supplier is providing a regulated service (such as custody), and regulatory rules applicable to the outsourced service affect the supplier’s liability profile when providing it. 

The UK Financial Services Authority (FCA), for example:

• Prohibits FCA-regulated suppliers from excluding or restricting any duty or liability it may have to a client under the UK regulatory system.
• Requires custodians to accept liability for any nominees they control and through which custody assets are held.

Depositories

Alternatively, an asset manager may itself be subject to regulation that directly or indirectly governs the liability standard of its suppliers.

For example, asset managers who manage funds (as opposed to segregated portfolios) in the UK or EU may be subject to the Alternative Investment Fund Managers Directive (AIFMD) or the UCITS V Directive (UCITS V), each as applicable and as implemented in the UK and EU respectively. The AIFMD and UCITS V impose liability on depositaries of UK and EU funds for certain losses. Depositaries are:

• Subject to a form of “strict” liability (that is, liability not dependent on establishing fault) to return any financial instruments held in custody which are lost. 
• Also liable for “all other losses” suffered by them as a result of their negligent or intentional failure to perform their obligations.

While the AIFMD and UCITS V would seem to preclude depositaries of UK or EU funds from capping their liability, there may be scope for the parties to negotiate around the precise contractual language used. Service recipients may wish to see regulatory liabilities reflected in the contract, and regulatory obligations assumed as contractual obligations of the supplier. Suppliers will often resist this:

• On the basis that regulatory and contractual liabilities are distinct.
• In order avoid different liability outcomes and potentially double recovery.

Where liabilities or obligations are reflected in the contract, depositaries (for example) will often wish to stick closely to the terminology of the AIFMD or UCITS V, but either party may wish to incorporate more granular language to address liability for particular forms of breach.

External valuations

The AIFMD restricts the ability of suppliers appointed to perform “external valuations” for funds to limit their liability for this service. 

The AIFMD provides that an external valuer to a fund will have unlimited liability for losses arising as a result of its negligence or intentional failure in performing its task as external valuer. 

Merely calculating and disclosing NAV would not make a supplier an “external valuer” for these purposes – the role is more one of valuing the portfolio assets of a fund (including exercising subjective judgement on the valuation of individual assets). 

Suppliers will want to be clear that their scope of service either does not involve them acting as an external valuer or, if it does, may seek in the contract to clarify and qualify their responsibilities as such in detail.

Other fund administration services

The AIFMD is not prescriptive in relation to the standard of liability for other fund administration services. Accordingly, the standard of liability for fund administration could be the breach standard linked to a cap operating by reference to fees. This means that:

• Damages are recoverable for any breach of a contractual obligation.
• Liability can be capped and excluded by the supplier.

Many suppliers seek to avoid liability by applying a negligence standard to fund administration services (rather than the typical breach standard). This means that:

• To be liable in contract for damages, the supplier must first have breached a duty of care owed to the asset manager.
• If there is no negligence by the supplier, then it is not liable for damages in contract.

DORA

The EU Regulation on digital operational resilience for the financial sector (more commonly known as DORA) and the DORA Directive have applied since 17 January 2025. 

DORA establishes a harmonised digital operational resilience framework across the EU financial sector by requiring a range of EU financial entities, including most EU asset managers, to manage their Information and Communication (ICT) risks in a robust and effective way. 

The rules set out in DORA require financial entities to have written contracts with ICT third party service providers that clearly allocate their respective rights and obligations and specify which services are permitted to be subcontracted to a third party. 

Unlike other regulations, as set out above, DORA does not assign liability to the ICT third party service provider for any services it provides. However, while asset managers must remain responsible vis-à-vis the regulator for their regulatory responsibilities, DORA does not preclude asset managers from allocating liability for the ICT services procured from ICT third party service providers as a matter of contractual and commercial negotiation. 

Standard of liability for managed benefits

In agreeing the allocation of risk and a contractual liability scheme for an outsourcing contract with a supplier, a well-advised asset manager should be aware that the negligence standard of liability is not appropriate for certain supplier contractual commitments, which should continue to be assessed by reference to the standard of liability for contractual breach. 

In other words, the negligence standard should not apply across the board to all the supplier’s contractual commitments, but it may be appropriate (or be required) for some of the contractual commitments.

For instance, in the case of middle and back office outsourced services, obligations of confidentiality, intellectual property rights provisions, exit commitments, security obligations, business continuity plans and service level commitments should logically be subject to the standard of liability for contractual breach, with a remedy in contract for breach if they are not adhered to.

It would not be uncommon to group such provisions together in the contract. They are often referred to as “managed benefits” and apply:

• In relation to any custody services.
• Where the supplier has adopted a negligence standard of liability in relation to fund administration or accounting services.

This approach means that breach of a managed benefit by a supplier will give rise to a contractual remedy of damages, which is recoverable by an asset manager subject to any liability caps and exclusions in the outsourcing contract. 

Problems can arise when applying managed benefits within a framework agreement to services other than middle office outsourced services, such as custody, depositary and off-shore services, as these do not lend themselves to a managed benefits scheme.

Indemnities

Asset managers should be aware that it is an established market practice in asset management outsourcings for suppliers to request a trio of indemnities (as a minimum) from their asset manager customers, typically on an uncapped basis:

Fines or sanctions

The first indemnity is in relation to fines or sanctions imposed by a regulator as a consequence of any inadequacy in the completeness of anti-money laundering records and any costs incurred by the supplier in remedying the breach. 

A supplier generally requires such an indemnity on the basis that it ought to be entitled to assume that the asset manager has carried out sufficient money laundering checks in respect of the investors. As a regulated organisation, the supplier will be subject to the same requirements, and will therefore potentially be in breach of its own regulatory responsibilities if there are any deficiencies in relation to such checks.

Asset manager’s instructions

The second indemnity is in relation to the supplier’s compliance (in accordance with the outsourcing contract) with an asset manager’s instructions. 

For instance, where the supplier acts as a custodian, it will be responsible for acting on instructions to process corporate actions or to settle transactions for the fund or portfolio.

Supplier’s proper performance

The third indemnity is in relation to the supplier’s proper performance of its obligations under the outsourcing contract (otherwise known as a “no-fault” indemnity). 

The main purpose of this indemnity is to act as a shield from third party claims where an investor makes a claim against the supplier instead of (or in addition to) a claim against the customer. 

If the scope of this indemnity is drafted widely enough, it could replace the first two indemnities. In essence the supplier is saying that, if it incurs any unanticipated third party costs in relation to proper performance of the services, then the customer will pick these up (whether they are charge-backs, fines, penalties, third party investor claims etc.) because the supplier has only incurred those liabilities by virtue of its appointment and not because of any fault on its part.

For more information on the scope of indemnities more generally, see our publication, Indemnification.

Wider commercial considerations

While aspects of the liability profile of an asset management outsourcing follow market practice or are prescribed by regulation, ultimately a supplier’s appetite for assuming risk is determined by the relationship between its risk and reward.

Extracting the lowest price from a supplier may not be the best strategy if, operationally, the supplier is then incentivised to claw back costs in what it delivers. Price is as much an issue of risk management as the contractual liability regime. 

It follows that creative solutions in pricing and contractual governance ought to augment an asset manager’s risk management strategy in relation to its outsourcings.