Legal Issues in Robotic Process Automation


Tim Wright, Partner and Antony Bott, Special Counsel, in Pillsbury’s Global Sourcing & Technology Transactions Practice look at some of the issues to be considered when procuring and sourcing robotic process automation software and solutions

The Future Is Now
You can’t move in the outsourcing industry without hearing about Robotic Process Automation (RPA). And while it might sound like terminology cribbed from a sci-fi novel, the truth is that RPA is already here, and it is transforming the way modern businesses operate. Along with related developments in machine learning and artificial intelligence, automation as a whole has been characterised by the former chief scientist of Baidu as being “as transformative for society as electricity.” Fuelled by continuing developments in computing power, big data, storage and connectivity, the opportunity for companies is to save money, while operating more effectively, scalably and compliantly—it is, in many senses, a compelling opportunity.

Opponents of RPA highlight that it is disruptive, both in relation to the technology and the logistics, and in its interrelation with human nature and organizational politics – but others suggest those are challenges that can be managed, and that the bigger risk is in not implementing RPA, and then being out-competed by those that have embraced the innovation. As with any business change, the answer is to fully understand and consider the decisions, to negotiate contracts that give the right balance of protection and flexibility, and to manage the change with appropriate sensitivity.

What is RPA?
The Institute for Robotic Process Automation describes RPA as “the application of technology that allows employees in a company to configure computer software or a ‘robot’ to capture and interpret existing applications for processing a transaction, manipulating data, triggering responses and communicating with other digital systems.”

Put more simply, RPA is technology that enables computer software to automate human activities that are manual, repetitive and rule-based. RPA works best where the activities in question are high-volume and clearly definable. It has been successfully deployed across a broad array of business functions such as finance, procurement, supply chain management, accounting, customer service and human resources. Examples of tasks that can be automated include data entry, purchase order issuing, invoice processing, know your customer (KYC) checking, fraudulent account closure, and personal loan application processing. RPA software replaces the human activity, working more quickly, accurately, and tirelessly than any person, freeing them to up to tackle tasks benefiting more from emotional intelligence, reasoning, and interaction with the customer.

RPA vs Artificial Intelligence (AI)
While both RPA, and its “big brother” AI, are forms of automation (where a task previously performed by a human, is carried out by some form of automated system), there is a qualitative difference between them.

RPA is “robotic”—it is programmed to carry out a specific set of steps, and it will do so repeatedly and reliably, exactly as it has been coded. In contrast, AI uses machine learning to adapt to outcomes and changes in environment. When it produces a less than optimal output, or encounters a problem it hasn’t seen before, it learns. This makes AI suitable for automating much more complex tasks, involving highly subjective decisions tackled by the use of pattern analysis. Unlike RPA, AI can make sense of unstructured data, which is ambiguous, complex and a challenge to process. Put simply: RPA is programmed. AI is trained.

Why does this matter? AI may produce an answer with a better, more productive outcome, but it may be difficult or impossible to understand how it reached that answer—either because the ‘black box’ of the system is opaque by nature, or because the particular AI system is proprietary and the owner is not willing to open it up to analysis. How can users trust in AI-delivered outcomes if the inner workings of the system are not easily interpretable by a human? This perceived or actual loss of control may mean in the more immediate future, businesses are more ready and willing to deploy RPA than AI. Further, where a business builds an AI solution on a third-party platform, there is a risk of lock-in because the ‘machine-learning’ built up over a period of service may not be transferrable to an alternative third-party AI system.

We will examine legal considerations relating to AI in more detail in a follow up blog; suffice it to say that deploying AI (whether on its own in conjunction with RPA) offers many exciting opportunities for businesses beyond automating the kinds of back office tasks and activities which RPA is so good at.

Why use RPA?
The primary driver for the implementation of many RPA systems is the significant cost savings opportunities they provide—typically somewhere between one-third and one-fifth of the cost of a full-time equivalent (FTE) member of personnel, depending on the location of that individual. There are, however, a number of other potential benefits:

  • improved quality—through the elimination of human errors and delays;
  • better productivity—a robotic workforce can work on a 24/7/365 basis;
  • short return on investment timeframe – RPA deployments can be done over short timescales with minimal configuration or integration needed;
  • a happier, more motivated workforce—a robotic workforce enables redeployment of personnel to focus on higher value and more complex tasks;
  • enhanced resilience and scalability—digital labour doesn’t take holidays or succumb to illness, will carry out the prescribed functions in a consistent manner, and can be scaled up or down to meet changes in demand;
  • enhanced collection of transactional data; and
  • improved compliance and regulatory risk—achieved through all of the above combined with better management information and an auditable transaction trail.

More generally, deploying RPA allows an organisation to re-examine its operational model. For example, processes which were previously offshored can be repatriated and automated. Large, inflexible outsourcing agreements, which are often heavily dependent on FTE pricing models, can be renegotiated and/or broken up. FTEs who previously performed the affected activities may be redeployed to more valuable roles, although in some circumstances their positions in the organisation may become redundant.

Procurement Strategy
Procurement and sourcing groups regularly include RPA (and AI) capability as part of their evaluation frameworks. Pre-contract diligence issues (many of which need to be addressed in the contract) include:

  • financial and operational stability of the software vendor;
  • types of data which will be processed, which can mean data security and data privacy concerns;
  • interfaces needed with legacy systems;
  • ownership of the intellectual property in the software;
  • ease of exit transition to avoid single technology/vendor lock-in;
  • pricing model options, and how to handle changes to the customer’s requirements;
  • defining the “right to use” the software and understanding the limits of any licence;
  • evaluating the availability of disaster recovery and business continuity solutions; and
  • regulated customers will need to address any specific regulatory issues and requirements.

Customers should also review legacy software and system licences to ensure there are no unintended consequences, e.g., price increases under enterprise software agreements resulting from new system interfaces and data feeds. Other ‘internal’ items will also need to be addressed including the impact on staff and the possibility of redundancy.

Contracting Approach
RPA implementations usually follow one of two models: DIY and Outsourced.

  • With the DIY model, the customer enters into a contract (similar to a software licence or software as a service agreement) with the RPA software vendor.
    • The contract will focus on the technology being acquired.
    • The software vendor may also provide implementation and configuration support. Alternatively, this may be handled internally and/or with assistance from an external consulting firm.
    • The agreement with the software vendor may also cover ongoing maintenance and management services.
  • With the Outsourced model, a new or existing outsourcing (or managed services) agreement is used such that some component of the outsourced services is delivered using RPA technology.
    • The contract will focus on the services being performed (implementation and ongoing), rather than the technology used to perform them.
    • Unless the service provider owns the RPA software, it will need to license it from the owner.
    • The service provider will perform the services itself or use a subcontractor to do so, including any ongoing maintenance and management services that may be needed.

In the past, the RPA deployments often started as series of small pilots, on a process-by-process basis; however, as confidence in the technology has grown, the scale of deployments has grown, often in a relatively unplanned manner. Customers should look to structure contracts, whether DIY or Outsourced, to ensure that their leverage is maximised enabling them to flex and scale their RPA solutions as their business requirements change, as well as to benefit from future technological advances.

Businesses typically have at least one, and often many, outsourced service providers, across a wide range of IT and business processes. These outsourcing agreements may be FTE-based, e.g., where the services are delivered from a lower cost country such as India or the Philippines. Some will have been put in place before the rise of RPA in the relevant sector or domain. Many service providers will, however, by now already be using RPA on at least some of their customers’ accounts. Prior experience shows that most service providers will usually try to avoid a re-bid situation and a proactive approach by the customer will often lead to a positive negotiated outcome even if the contract is completely silent, especially where the customer can offer some incentive such as an extended term or scope of work.

Key Contractual Protections
Important items to be covered and/or negotiated include:

  • licence scope, usage permissions (including managed service providers) and volume caps;
  • service levels and performance metrics (which could be in line for adjustment, given the improved speed, reliability and quality that RPA services may offer);
  • intellectual property rights and indemnities;
  • liability caps and exclusions;
  • pricing terms and model (e.g., per unit (robot) versus outcome pricing, implementation and supports costs; alternatively, a managed services fee);
  • change management; and
  • exit transition support.

Governance Framework
The program operating model (including governance, resourcing and execution responsibilities) will also be important. In the Outsourced model, the agreement will usually already incorporate a governance schedule covering both implementation (initial and new projects) and steady state; in the DIY model, the customer (perhaps with an external consulting firm) will work with the software vendor to define required governance.

More generally speaking, customers looking to build RPA centres of excellence within their own organisations, should also look to define and document RPA best practices, challenges in identifying automation opportunities and optimizing return on investment, criteria for selecting RPA tools and technologies, as well as monitoring emerging RPA/AI technologies and capabilities.

People Considerations
The work force carrying out these tasks is digital, not human, but its deployment will impact people nonetheless. Customers looking to implement RPA should engage with human resources early and in some cases with works councils and employee representatives as appropriate. It is also important that the business appoints a senior person to champion the benefits of RPA, both prior to implementation as well as afterwards to communicate successes achieved.

RPA service delivery will have a major transformative impact on how businesses operate. By replacing people with automated systems, RPA can enable large volumes of data to be processed in a significantly reduced time, while delivering unparalleled accuracy, visibility, and a reduction of risk. In what most commentators predict will be a fast-moving, fast-changing environment, businesses will need to stay alert to the strategic decisions, opportunities and risks that will present.