Repapering: Beware the grey swan!
Repapering is a bona fide nightmare for in-house legal departments: a regulation changes, a law changes, there is a market event or corporate action – firms are triggered into a process of contract risk review and potentially amendment (repapering), that is mostly unwelcome and often, very unwelcome. Firms hit hardest are those with large customer and vendor bases and, if the sector is heavily regulated, the peril is greater still.
Financial services in particular have been heavily impacted over the last 20 years, going all the way back to MIFID 1 in the noughties, through the initial EMIR/Dodd Frank post financial crisis industry reforms in the early twenty teens, reaching its apogee in the Margin Reform and Libor Transition requirements that are still ongoing. For the uninitiated, it’s difficult to envisage the magnitude of these challenges. On the Libor Transition, as an example, the biggest banks in the world have had to manage upwards of 20,000 individual negotiation processes, across products and geographies, involving amendments to complex contracts like ISDA’s and syndicated loan agreements. Even if each of these negotiations only took six hours (which is optimistic), you are still talking about 17,000 odd days of project time and costs probably in the £15-20m range. All things considered, it’s pretty hideous stuff.
There is a now though, a new cloud on the horizon, problematic to all who handle personal data and this is, of course, the fall-out from the Schrems II decision and the consequent invalidation of the Privacy Shield. For many firms reliant on Standard Contractual Clauses (SCC) to compliantly transfer personal data outside the EEA, the Schrems II decision means that these SCC’s have to be updated with additional measures and processes. Going forward, organizations must use the new SCCs for new or updated data transfers and have until 27 December 2022 to migrate any existing EU SCC arrangements to the new SCCs.
Financial services firms are impacted but they are at least “repapering fit” and have recent, if painful, experience of having to navigate these types of challenges. Our concern though is for the average, mid-sized, non-bank corporate, with a couple of thousand customers and a few hundred vendors, who now have to get their heads around the potential legal operational implications of this 27 December deadline, with little to no institutional muscle memory of what this entails.
For unfortunately, at these organizations, it is not uncommon that, at board level, repapering is considered a ‘Grey Swan’ event - a predictable but low probability event that even though high impact (costly), is almost never properly planned or budgeted for. And the fault line where this misstep often manifests is through an immature legal operating model, particularly around digital transformation.
Some of the red flags to look out for here are:
> large concentrations of warehoused physical paper versions of contracts
> where contracts have been scanned, no centralized documented repository or, just as bad, multiple fragmented repositories
> not enough consideration given to the logistics of data extraction or, indeed, what the extraction model needs to be in order to facilitate risk analysis and amendment
> because policy is often not standardized and enforced at regional, national and global levels, there is a proliferation of contract templates. We know of one large corporate with over 400 ‘approved’ templates for a standard customer contract
The punchline here is, for something like SCC repapering, if firms don’t know where their contracts are or what data is in their contracts or don’t have people and technology familiar with volume processing, even just performing a risk review on a small contract estate has to be done manually and has to be based on a low confidence ‘dip stick’ testing approach across the multiple template permutations. This in turn often backs General Counsel into a corner where they have to rely on crude “brute force” amendment/repapering strategies that, because they are based on poor or no data, do not remotely balance the need to manage legal risk against, at best, annoying customers and vendors or, at worst, putting commerce at risk.
So, what are a few quick and pragmatic things that organizations can do to get structurally ready for the new SCC repapering challenge, and also start better positioning themselves for digital transformation in the future?
1. Digitize and centralize all your critical contracts – get them out of physical storage, filing cabinets, desk drawers, inboxes and onto a controlled, indexed, centralized, contract repository
2. Audit your contract estate – as a part of #1, make sure that you have all the executed contracts and ancillary agreements required for each of your vendors and customers
3. Close your audit gaps – use web portals or outreach tools to contact vendors or customers and request document updates or additional information
4. Consider a data model – understand and prioritize key contractual data points to support ongoing portfolio management, risk analysis and future amendment. For Schrems II repapering, this would obviously prioritise data protection clauses
5. Isolate bespoke arrangements – to the extent that they exist, know where there are significant template deviations or bespoke arrangements, so that they can be fully contemplated in any risk and amendment review
6. Extract crucial data – if budget is tight, isolate the crucial data points from #4 and extract those using the most cost effective combination of technology and people
7. Staunch the template noise – whilst you cannot change the proliferation of templates on the legacy book, you can rationalize and control template usage going forward
8. Update policy – to embed #7, ensure that you standardize and streamline policy, wherever possible, up to the global level.
Not all of the above needs to be completed before considering a repapering challenge like SCC repapering but the key thing is to start this journey sooner rather than later. Even at big organizations, this can be pragmatically achieved with one or two people with hybrid legal/change management skillsets who, reasonably quickly, should be able to start providing transparency as to:
> the scope of the impacted vendor/customer base
> the existing contractual data that firms have access to and where the gaps are
> the bespoke provisions and template variability that will need to be considered
> what native technology capability organizations pragmatically have access to in a short time frame
The above should be enough to provide organizations with the minimal viable data required to start shaping a responsible repapering strategy and delivery plan, whilst crucially, presenting senior management with a prioritised list of risks that will need to be recognized in the near term. For the long history of repapering projects is littered with the lesson that it’s best to invest in “bringing out the dead” in the early stages of project thinking rather than to risk having to compensate for findings towards the back end of a project, where new data may need to be extracted or customer/vendors recontacted, all under a pressing deadline and potentially regulatory scrutiny… Here be Dragons or, indeed, Grey Swans!