
Regulatory compliance and third party contractors: best practices for managing risk

Posted: 11/04/2019


Regulated businesses often use third parties to provide services on their behalf. For example, utilities use contractors to construct and repair networks and read meters, while other companies increasingly outsource the performance of key functions to technology-based service providers, including data processing, security and incident response, and consumer engagement.

Whether you are a regulated business or a third party service provider, it is crucial to:

  • know the applicable regulations;
  • ensure contract terms and working arrangements reflect the intentions of the parties in dealing with the practicalities of regulatory compliance.

Green Deal Marketing Southern Ltd v Economy Energy Trading Ltd & Ors [2019] EWHC 507 (Ch) (06 March 2019) recently showed some of the potential dangers.

Economy Energy (EE) was an energy supplier that employed Green Deal Marketing (GDM) for doorstep sales. Ofgem investigated EE for doorstep mis-selling and EE suspended the GDM arrangement. The resulting commercial dispute and judgment are primarily focused on contract termination and damages, but for a regulatory advisor four points stand out:

  • What contract terms?

This was unclear. An earlier time-limited agreement had lapsed and instead an incomplete set of heads of terms was found to provide key contract terms.

  • What regulatory obligations and on whom? 

It was EE’s duty to take all reasonable steps to achieve the outcome of not mis-selling (Standard Licence Condition 25 (SLC 25)). Ofgem regulated EE, not GDM.

One regulatory problem seems to have been that ‘…EE was overly reliant on GDM to ensure good sales practices and that its lack of internal expertise was highlighted by its unimaginative and unconstructive response to Ofgem's concerns…’

  • Commercial (contract) outcome?

The judge concluded that GDM’s sales force did engage in mis-selling and that this was a breach of contract. However, this did not constitute a repudiatory breach allowing EE to terminate the contract as it did.

One of the problems for EE appears to have been that the key measure of GDM’s performance was a series of KPIs that covered cancellations, objections and complaints; these had an indirect link to mis-selling, but KPIs were not being missed at the time EE suspended the arrangement with GDM.

There was a contractual obligation on GDM to ‘Comply with all relevant legal and regulatory requirements and ensure it (sic) acts and omissions do not result in EE being in breach of its legal and regulatory requirements’. However, this was not sufficient to make GDM liable for EE’s compliance with SLC 25, which was the issue Ofgem was investigating.

In contrast, GDM was able to claim repudiatory breach by EE and damages, flowing from EE’s ending of the doorstep sales relationship, in part because of how EE managed the process of ending the arrangement with GDM.

  • Regulatory breaches? Evidence?

EE ceased trading before the conclusion of Ofgem’s enforcement process. It was left to the judge to decide whether there had been mis-selling activity, to the extent necessary to decide the contract dispute. However, mis-selling by GDM employees per se was not a breach of SLC 25 and there has been no finding of regulatory breach.

The judgment discusses whether the products of a regulatory investigation are admissible in separate court proceedings. Here, the Ofgem enforcement team’s Summary Statement of Initial Findings (about EE’s SLC 25 compliance) was inadmissible as evidence of fact, particularly regarding any GDM failings.

Key points

Some important points to remember when entering into commercial contracts over a regulated activity, whether you are the regulated business or third party provider of services, and whatever the sector or regulatory regime, are outlined below:

  • who is regulated, and in relation to what? In some regimes the third party will be regulated too (eg product liability, data, health and safety), in others not (eg economic regulation);
  • what are the regulatory obligations? They often set an elevated standard, eg on consumer engagement. ‘Principles based regulations’ may be in terms such as taking ‘all reasonable steps’ to achieve an outcome, rather than prescribing particular actions;
  • remember that you cannot contract out of regulatory obligations. And a regulated party might not be able to make a commercial claim founded on its own regulatory breaches; that said…
  • be clear what commercial contract terms are in place;
  • think carefully about the degree to which you can, and want to, ‘back-off’ regulatory obligations into third party contract obligations;
  • consider how you use the contract and manage the relationship, eg what reporting, oversight, engagement, incentives and rewards, and options for direction, compensation and termination are in place.

Third party providers can be a crucial help to regulated businesses, but all parties need to take commercial, regulatory and legal care.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
