[co-author: William Dougherty, Paul Langford]
What is RPA?
Following our successful campaign on blockchain, as part of our TechTalks series we are now focusing our attention on Robotic Process Automation (RPA). What follows is a simple explanation of what RPA is, how it can be used and some of the legal challenges that the technology may face.
What if you could recruit a whole team that was dedicated to completing those repetitive tasks that take up so much of your time? Now you can – with RPA, it is like having a dedicated workforce working 24/7 to complete those repetitive business processes that divert attention away from more important and valuable work.
RPA does not involve physical robots – it is essentially automated software, or a "robot" that has been programmed to carry out specific tasks in the way that a human would. Just like a human, a robot can open emails and attachments, log into applications, read databases, collect and enter data, follow "if or then" decisions and make calculations. The robot can carry out these tasks in a repeatable and reliable manner. This technology allows businesses to do more for less, freeing up an employee's time by reducing time spent carrying out repetitive and often mundane tasks. This allows the employee to spend more time on the things that only a human can do, such as customer-facing tasks and abstract reasoning – adding more value to the business. Meanwhile, the robot is able to do the repetitive tasks faster and more accurately than humans, without needing any breaks. RPA can improve not only the employee's, but also the customer's experience by reducing errors and processing time, as well as supporting regulatory compliance.
RPA uptake in the market
Gartner reported in November of last year that worldwide spending on RPA software was to reach US$680 million in 2018, an increase of 57% year over year, according to their latest research. It has said that RPA software spending is on pace to total US$2.4 billion in 2022.1 Although these numbers are impressive, they are not surprising when the technology offers a potential return on investment of 30-200% in the first year.2
One provider of RPA systems in particular – UiPath – is seeing astonishing growth, gaining 400 customers within a year, with 75% of Japanese banks now signed up to their services. UiPath stands as one of the fastest-ever growing enterprise software companies, having jumped from US$1 million of annual recurring revenue to US$100 million within 21 months. It has said that some 40% of Fortune 500 companies are currently customers.3
How key sectors are using the technology to improve efficiency
RPA is being taken up in a wide range of sectors. The retail sector can utilise the technology for a number of processes, such as in the processing of orders, monitoring inventory and settling invoices. With more than 18%4 of retail sales in Europe carried out online, it is vital that this sector directs its attention towards optimising its digital processes.
The technology is also being utilised in the public sector. North Tyneside council has been successfully implementing RPA in partnership with ENGIE since 2015. The council is estimated to save at least £33.8 million before 2025 by using the technology, vastly improving customer response times.5 HMRC has said that it has sped up processes between four to six times, reducing costs by up to 80% and cutting down call times by as much as 40%.6
The banking and finance sector is seeing a huge uptake in RPA. Gartner has said that RPA will be adopted by nearly three in four corporate controllers within the next 18 months.7 The technology can, for example, assist with client on-boarding processes, such as know your customer and anti-money laundering checks. RPA can also help businesses in this sector by reviewing transaction data and monitoring liquidity and reporting exceptions. Navigating the regulatory landscape in this space can often be challenging. The programmable nature of RPA offers financial institutions a cost-effective way of ensuring a robust compliance strategy, particularly in areas of risk monitoring, risk controls and risk reporting.8
With more and more of our systems becoming automated, questions of liability arise. What would happen if the algorithm itself went awry, if the technology is incorrectly programmed or if the regulations change and the RPA is churning out documents that are no longer compliant? In this respect, any mistakes become embedded and extensively widespread. In these circumstances who would be responsible? Who bears the risk?
These questions need to be addressed in both:
the contract between the supplier and the purchaser of RPA technology; and
the contract between the purchaser of RPA technology and the ultimate end-user.
Contract between the supplier and the purchaser
Where the end-user is a consumer, it makes little sense to limit liability for any issues arising as a result of failure of an automated process. In most cases, consumer law will render any such attempts unenforceable. Most businesses will want to go the extra mile to fix any problems with consumers, not least since the cost of making good any financial loss of a disgruntled customer may be far outweighed by the potentially damaging impact on reputation and goodwill.
Some businesses will take a similar view towards their customers, although the position is somewhat more complex. We can expect certain business customers to be resistant to the use of automated processes (or any new and unfamiliar technology). Many will expect an additional layer of protection. This does not mean, however, that RPA providers should routinely be offering uncapped liability or indemnities just because RPA is being applied.
As new technology becomes mainstream, it becomes part of the IT ecosystem and treated no differently from the risks associated with other, well-established technologies. There was resistance to cloud computing for many years among customers who consistently cited cost and security as their primary concerns. In actuality, cloud has probably earned most organisations significant cost savings and provided a far more secure and robust solution than traditional in-house IT systems. These days, cloud and IT are effectively one and the same.
The approach here should be as it is for any technology: work out the risks, decide who should take on those risks and apply suitable protections against them. Protection measures should not be exclusively contractual. Using cloud as an example, practical remedies are equally as important. If your customer information is all hosted in a data centre which is burnt down, do you have a back-up of the data? For RPA, if an automated process fails, is there an alternative system which can be applied at short notice? If so, who pays for it? A standard step-in clause may be far from sufficient – this issue will need careful planning.
Contract between purchaser and end-user
Many of these issues will be mirrored in the contract between the software supplier and the purchaser. The concerns will be as they are for the liability and contractual protection in any software contract: does it provide for IP, both in terms of performance warranties and indemnities for third party breach? What is the potential cost of failure of the RPA and who will meet that risk? Is any third party software used and, if so, is the supplier offering any warranties in this regard? Should the supplier be underwriting the potential loss of profit/business/cost savings of the purchaser if RPA fails? How is liability assessed where RPA is integrated into the purchaser's own systems? Will the supplier insist on this type of failure being part of a general cap, or will the purchaser want it to be separately capped at a much higher level? Is RPA being used for a high volume, low risk process? What should the contractual position be where the likelihood of failure is low, but costs of failure high? Has the contract been priced to reflect the proposed risk allocation? Who has or can obtain insurance, and at what cost? Does the cost of insurance require the parties to revisit the contract price? Will insurance actually afford any protection when called upon?
The compromise between a supplier who wants liability for RPA to be completely excluded and a customer who wants it uncapped may be to include claims in a higher "super cap", along with data protection and IP claims. This is an increasingly common approach.
A further factor to take into account is the bargaining position of the parties. As we have seen with cloud, much will depend on the negotiating power of service provider and purchaser. Will the RPA market develop with a limited number of big service providers who are able to dictate the terms? Or will we see the opposite, with smaller start-ups having to meet the liability demands of large, risk-averse customers? Only time will tell.
Where correctly implemented, RPA can clearly provide businesses with a competitive advantage by streamlining time-consuming low-value processes. The technology is also proving popular with employees as they are freed up to focus on knowledge-based, creative and strategic assignments, being relieved of more mundane and repetitive work.
As with any new technology, some businesses will approach the subject with a degree of caution. But, with the numbers we are seeing already and the further projected growth over the next few years, it appears that RPA is on its way to becoming mainstream.
As the technology evolves, incorporating other technology such as AI, the legal issues drawn out will become more complex. It will be fascinating to see how the commercial landscape develops and how this will affect the legal relationships between contracting parties.