Overview
Contracted-out services let UK organisations buy defined outcomes from a provider, not just people or hours. In a true service model, the supplier owns the “how” of delivery and manages the team. The provider carries delivery risk and is paid on acceptance of deliverables or service performance. This reduces day-to-day management overhead and limits IR35 exposure.
This guide is for UK operations leaders, procurement and legal teams, HR/contingent labour owners, and PMO leaders deciding between contracting out, contractors, or FTEs. It covers model selection, compliance (IR35, TUPE, GDPR), pricing comparators with examples, SoW drafting, governance, KPIs/SLAs, supplier selection, transition, risk, and exits. Use it to deliver value with confidence.
What this guide covers and how to use it
We begin with a concise definition and model contrasts. We then move into UK compliance essentials and practical playbooks for pricing, SoW drafting, governance, KPIs/SLAs, RFPs, transition, risk, and exit.
If you are short on time, scan the decision tree, the SoW blueprint, and the KPI libraries. Come back to pricing and governance when budgeting and mobilising.
Key terms at a glance (IR35, SoW, SLA, TUPE)
Key terms matter because they anchor compliance and operating mechanics.
- IR35/Off-Payroll: UK tax rules assessing whether a worker should be taxed as an employee; since April 2021, medium and large private-sector clients and all public bodies generally determine status for off-payroll engagements. See the HMRC Off-Payroll Working rules.
- Statement of Work (SoW): A contract describing scope, deliverables, milestones, acceptance criteria, pricing, and governance for a service engagement.
- Service Level Agreement (SLA): Measurable service targets (e.g., response times, uptime) and consequences (e.g., service credits) tied to ongoing services.
- TUPE: Regulations protecting employees when a business or service transfers; covers “service provision changes” like outsourcing or insourcing. See GOV.UK TUPE guidance.
Contracted-out services: definition and model mechanics
Contracted-out services are engagements where a supplier is contracted to deliver outcomes (a result or service), not to supply named individuals under client control. The provider plans and manages delivery and decides who does the work and how. Payment is based on objective acceptance or service performance against SLAs.
A proper service contract is documented via a SoW that fixes scope and acceptance, often under a master services agreement. Payment links to milestones or service performance. The client monitors outputs, not individuals. This distinction is central to IR35 compliance and protects you from a “provision of labour” reclassification.
Core hallmarks of a contracted-out service (scope, control, risk, payment basis)
A contracted-out engagement is characterised by:
- Clearly defined scope and outputs with acceptance criteria.
- Provider control over “how” the work is delivered, including team composition and supervision.
- Provider assumes delivery risk and rework obligations until acceptance.
- Payment tied to milestones or service outcomes (not solely time spent).
- Performance monitored via SLAs/KPIs, not line management of individuals.
When these hallmarks are diluted—e.g., the client selects and manages named workers—the engagement starts to look like a labour supply.
Client, provider, and supply-chain roles
In this model, the client defines outcomes, constraints, and acceptance tests. The client also provides timely inputs and decisions.
The provider proposes the method, manages people and tools, controls day-to-day delivery, assures quality, and evidences performance. Any intermediaries (agencies, MSPs) should not erode provider control or acceptance-based payment. If they do, you increase the risk of IR35 misclassification across the supply chain.
Contracted-out vs provision of labour, outsourcing, MSP, BPO, and consultancy
Contracted-out services are adjacent to other models but differ on control, risk, and pricing. Provision of labour (staff augmentation) supplies people for client direction and is typically billed time-and-materials. The client manages tasks and bears delivery risk.
Outsourcing and BPO are broader, often multi-year managed services for a whole function or process. The provider takes end-to-end responsibility and transformation risk. MSP/VMS focuses on contingent labour procurement and governance, not outcomes. Consultancy may be advice-led or outcome-led; where it is outcome-led with acceptance-based payment and provider control, it resembles a contracted-out service.
Understanding these boundaries helps you pick a model that matches your need. It also reduces the risk of HMRC treating a deal as disguised employment under the Off-Payroll rules.
Decision tree: service vs labour supply tests
Use this quick flow to evidence your model choice and support audits.
- Is the output defined as deliverables or measurable service outcomes with acceptance criteria? If no, you are likely in labour supply.
- Who decides “how” the work is done, including methods, schedule, and resourcing? If the client directs daily tasks, it leans to labour supply.
- Is the provider paid on acceptance of results or performance, with rework obligations for defects? If payment is purely hours/days, risk increases.
- Are individuals interchangeable at the provider’s discretion (genuine substitution)? If named workers are fixed and client-approved, risk increases.
- Are performance reports and governance at service level rather than individual timesheets and appraisals? Service reporting indicates true contracting out.
Document the answers in your SoW and governance pack. This evidence is valuable if HMRC queries your arrangements.
Operating model contrasts: SoW vs MSP/VMS vs RPO vs BPO vs staff augmentation
An SoW-based managed service places delivery ownership with the supplier and links payment to milestones or SLAs. MSP/VMS optimises contingent labour acquisition but rarely owns outcomes.
RPO focuses on recruiting FTEs, not delivering projects. BPO runs an entire process with transformation and continuous improvement built in. Staff augmentation injects capacity but keeps delivery control and risk with the client. If you need predictable outcomes with fewer internal management demands, an SoW-based service or BPO is typically stronger than pure augmentation.
When to choose contracted-out services vs contractors or FTEs
Choose contracted-out services when you need defined outcomes, speed to value, and the ability to flex scope without hiring. This model suits projects with clear deliverables and functions amenable to SLAs (e.g., IT support, payroll). It also helps where compliance (IR35, information security) trumps day-to-day control of individuals.
Contractors are useful when you must integrate deep expertise directly into your team and can supervise daily work. FTEs suit core capabilities that need long-term knowledge retention and tight cultural integration. For uncertain or exploratory work, a T&M pilot can precede a fixed-price or outcome-based phase once scope stabilises.
Single-provider vs multi-supplier considerations
Consolidating with one provider simplifies governance, reduces interface risk, and can improve accountability. Multi-supplier sourcing allows best-of-breed capabilities, price tension, and risk diversification.
If the service has strong interdependencies or handoffs, lean to a single accountable provider. If scope slices cleanly and market specialisation is high, a multi-supplier model can outperform with a strong service integration layer.
Onshore vs near/offshore considerations
Onshore delivery eases time zone collaboration and aligns cultural norms. It also helps manage sensitive data residency needs, albeit at higher cost.
Nearshore balances overlap hours and cost. Offshore maximises savings but increases coordination and potential permanent establishment and withholding tax considerations. For personal data transfers, ensure appropriate safeguards under UK GDPR, such as the International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), as applicable. Verify the provider’s security posture (e.g., ISO 27001, Cyber Essentials).
UK compliance essentials: IR35/Off-Payroll, TUPE, GDPR, health & safety, IP and data residency
Compliance for contracting out spans tax status, employment transfers, data protection, security, safety, IP, and procurement obligations. Anchoring your model to outcomes, acceptance, and provider control reduces Off-Payroll risk.
Understanding TUPE triggers avoids costly surprises. Aligning to UK GDPR and recognised security certifications supports due diligence and audit readiness.
IR35/Off-Payroll: HMRC’s view and evidence expectations
Since April 2021, medium/large private sector clients and all public authorities are generally responsible for determining employment status for off-payroll engagements. They must issue a Status Determination Statement (SDS) with reasonable care, per HMRC guidance.
HMRC looks beyond labels to the reality of control, substitution, and mutuality of obligation. Evidence such as an acceptance-based SoW, service-level reports, change logs, and substitution records supports your position. If the engagement operates as a labour supply in practice, liability can propagate through the supply chain.
When TUPE applies and how to prepare
TUPE can apply on outsourcing, insourcing, or retendering of a service when an organised grouping of employees principally dedicated to the service transfers, as set out in GOV.UK guidance. Prepare by identifying in-scope staff, collecting employee liability information, planning consultation, and aligning commercial terms to handle inherited obligations.
Create a TUPE readiness pack that covers staff lists, pensions and benefits impacts, indemnities, and mobilisation plans. Early engagement reduces disruption and builds trust during transition.
Data protection and security certifications (GDPR, ISO 27001, Cyber Essentials, SOC 2)
Under UK GDPR, you must establish lawful bases and define controller/processor roles. Include mandatory data processing clauses and assess international transfers; see the ICO Guide to UK GDPR.
Expect suppliers handling personal or sensitive data to hold recognised certifications such as ISO/IEC 27001 for information security management and the NCSC Cyber Essentials scheme as a UK baseline. SOC 2 can add assurance for service organisations processing customer data. Align certifications with your data classification and risk appetite as a practical selection criterion.
Public sector procurement (PCR 2015) nuances
UK public bodies must follow the Public Contracts Regulations 2015 for above-threshold procurements. They must select procedures (e.g., open, restricted, competitive dialogue) and maintain auditable trails.
Expect transparency requirements, standstill periods, and detailed evaluation records. Consider frameworks to streamline sourcing. Ensure your specification separates outcomes from labour to avoid IR35 and supply-chain risk.
Regulated industries: finance and healthcare
Financial services firms face enhanced outsourcing and third-party risk management obligations. These include resilience, data access, and audit rights—see the PRA SS2/21 Outsourcing and third party risk management.
Healthcare entities must address patient data controls and UK data residency where feasible. This is often evidenced through the NHS Data Security and Protection Toolkit. For regulated sectors, embed audit rights, exit provisions, and incident reporting aligned to supervisory expectations.
Pricing models explained: fixed-price, time-and-materials, and outcome-based/gainshare with example calculations
Pricing should align incentives and risk with scope certainty. Fixed-price suits stable, well-defined deliverables. T&M fits evolving scope with strong client governance. Outcome-based/gainshare ties fees to business results when both parties can influence KPIs and measure baselines credibly.
Fixed-price: benefits, risks, and guardrails
Fixed-price gives budget certainty and pushes delivery efficiency to the provider. It requires crisp scope, dependencies, and acceptance tests.
Use a change budget or contingency to handle controlled variations. Ensure acceptance criteria are objective to avoid disputes. Milestone payments should reflect value delivered; for example, a 20/30/50% split across design, build, and acceptance phases aligns cash flow with risk burn-down.
Time-and-materials with budget controls
T&M offers flexibility when scope is fluid or discovery is needed. Control costs with capped T&M, rate cards by role and location, and transparent timesheets cross-referenced to deliverables.
Add stage gates and earned value tracking. For instance, a cap of £250k with a 10% management reserve and monthly burn reports keeps T&M investment visible and governable. Use T&M while you converge on a fixed-price or outcome-based phase.
Outcome-based/gainshare mechanics
Outcome-based deals reward measured improvements. Examples include cost-to-serve reduction, SLA attainment, or throughput gains.
Establish a credible baseline, define how attribution works, set floors and ceilings, and make calculations auditable. A simple construct might be: base fee £40k/month plus 20% share of verified savings over baseline, with a 2x cap. If monthly savings are £100k vs baseline, the variable fee is £20k, total £60k, with clawbacks if performance falls below threshold for two consecutive periods.
Example TCO scenarios and ROI ranges
Total cost of ownership should capture provider fees, internal governance effort, tooling, transition, service credits, and exit. As a rule of thumb, mature managed services can deliver 10–30% savings vs in-house for scalable, standardised functions.
They also improve speed-to-value for project outcomes. For a 24/7 IT support desk, an onshore/nearshore blended service might cost £25–£40 per ticket at volume with 15–25% savings over a fragmented in-house model. A specialised payroll service could run at £1.20–£2.00 per payslip depending on complexity, integrations, and compliance overhead. Your actuals will vary by sector, data sensitivity, scale, and quality baselines—use pilots to validate assumptions before committing long-term.
Drafting an IR35-safe Statement of Work — scope, deliverables, acceptance criteria
An IR35-safe SoW anchors the engagement in outcomes, not headcount. It defines what will be delivered, how performance will be measured, and how changes flow without reverting to day-rate control of individuals.
Scoping and deliverables
Start with a clear definition of outcomes and boundaries so payment and acceptance can be objective.
- Describe in-scope services and out-of-scope boundaries, assumptions, and client dependencies.
- Break work into deliverables or service components with milestones, artefacts, and due dates.
- Specify environments, tooling, and access the provider will use or provision.
- Include data protection roles (controller/processor), security requirements, and audit obligations.
- Define reporting, governance cadence, and named roles for acceptance and escalation.
Ensure each deliverable has a tangible artefact or measurable service result so acceptance is unambiguous.
IR35-safe clause patterns (control, substitution, acceptance)
IR35 hallmarks should be reflected in contract language and operating practice. Example clause patterns:
- Control: “The Provider will determine the method, scheduling, and personnel for delivering the Services. The Client will not supervise or direct the Provider’s personnel.”
- Substitution: “The Provider may substitute personnel with appropriate skills without prior Client approval, provided service levels and security clearances are maintained.”
- Acceptance/payment: “Fees are due upon acceptance of Deliverables or verified achievement of Service Levels, subject to the Acceptance Criteria and Service Credit regime.”
These clauses should be matched by behaviours in governance to avoid “label vs reality” issues.
Acceptance criteria and sign-off
Set measurable, binary tests so acceptance is fact-based and timely. Define:
- Objective quality gates (e.g., pass rate ≥ 98% on test cases; uptime ≥ 99.9%).
- Evidence artefacts (test reports, audit logs, samples).
- Review and defect windows (e.g., 5 business days; material/minor defect definitions).
- Rework obligations and timelines, with partial acceptance where appropriate.
- Sign-off authority and method (e.g., recorded in the monthly service report).
Tighter acceptance reduces dispute risk and aligns payment to value delivered.
Change control and variations
A lightweight but disciplined change process prevents scope creep from undermining pricing. Use:
- Change request logged with description, rationale, and priority.
- Impact assessment (scope, cost, schedule, risk) within an agreed SLA.
- Approval thresholds (e.g., PM up to £10k; Steering Committee above).
- Baseline updates and traceability, with contingency or change budgets.
Operating this cycle visibly helps maintain IR35-safe boundaries and commercial discipline.
Governance and performance: RACI, cadences, change control, acceptance testing, and dashboards
Good governance makes services predictable and auditable. Define who decides, who informs, and how performance is reviewed.
Use a simple RACI, a structured meeting cadence, and a standard reporting pack so issues are surfaced early. Keep evidence of service delivery readily available.
RACI and roles
Agree who is Responsible, Accountable, Consulted, and Informed for scope, changes, risks, and acceptance. Typical roles include Client Service Owner (A for acceptance), Provider Service Manager (R for delivery), Client PMO (C on reporting), and InfoSec/Legal (C on compliance).
Clarity on RACI reduces decision latency. It also supports audit trails for IR35, GDPR, and PCR 2015 where applicable.
Meeting cadence and reporting pack
Run weekly operational reviews for incidents, changes, and actions. Hold monthly service reviews for SLAs, risks, improvements, and credits.
Use quarterly business reviews for strategy, capacity, and value realisation. The reporting pack should include SLA dashboards, ticket or milestone trends, backlog health, risk/issue logs, service credits, and continuous improvement items with owners and due dates.
Service review dashboards and baselines
Establish baselines in month one and chart trend lines thereafter. Include targets, actuals, and variance commentary, plus root cause and remediation plans for misses.
Tie improvements to KPI movement and document evidence. This supports both performance management and HMRC’s “reality of operations” tests.
Dispute resolution and escalation paths
Define stages and timelines: operational resolution within 5 business days; escalation to Service Owners; then Executive Sponsors; finally formal dispute resolution per contract (mediation/arbitration).
Clear gates and timeboxes prevent drift and preserve relationships. They also protect continuity.
KPIs and SLAs by function (IT support, payroll, facilities, accounting, cleaning, manufacturing)
KPIs must reflect business value, be objectively measurable, and be costed into pricing. Start with 3–7 KPIs per service, with clear definitions and data sources.
Below are reasonable ranges commonly used in the UK. Calibrate to your baseline and risk appetite.
IT support: incident response/resolution benchmarks
For a 24/7 blended desk, typical ranges are:
- First response: P1 within 15 minutes; P2 within 30 minutes.
- Resolution: P1 within 4 hours; P2 within 8 hours; P3 within 2 business days.
- First contact resolution: 60–75%.
- Customer satisfaction (CSAT): ≥ 90%.
- SLA attainment: ≥ 98% across priorities with defined exclusions.
Balance strictness with service credits to avoid perverse incentives like over-prioritising low-effort tickets.
Payroll/accounting: accuracy and timeliness
In finance and HR processes, precision is critical:
- Payroll accuracy: ≥ 99.5% payslips error-free.
- On-time payroll: 100% by agreed pay date.
- Journal posting timeliness: ≥ 98% within 2 business days.
- Reconciliation completeness: 100% monthly critical accounts.
- Compliance: zero late filings to HMRC and regulators.
Tie credits to error severity and customer impact rather than raw counts alone.
Facilities/cleaning: safety and quality metrics
Safety and hygiene expectations must be explicit:
- Planned preventive maintenance (PPM) completion: ≥ 95% on time.
- Reactive call-outs: for critical issues, on-site within 1 hour and fixed or made safe within 4 hours.
- Cleaning quality audits: ≥ 90–95% pass rate on agreed standards.
- Health & safety incidents: zero RIDDOR-reportable events attributable to provider.
- Statutory compliance: 100% certification in force (e.g., gas, electrical).
Include sampling methods and unannounced audits to validate performance.
Manufacturing: throughput, defect rate, OEE
For production environments:
- Overall Equipment Effectiveness (OEE): target baseline + 5–10% over 6–12 months.
- First pass yield: ≥ 98% depending on process complexity.
- Defect rate (parts per million, not to be confused with planned preventive maintenance): set by product class, with continuous improvement targets.
- Changeover time reduction: specified % improvement quarter-on-quarter.
- On-time in-full (OTIF): ≥ 95–98%.
Acceptance sampling plans should be documented and statistically sound.
Supplier selection and RFP: due diligence and evaluation scorecards
Strong supplier selection reduces delivery and compliance risk. Your RFP must probe capability, controls, and value for money. Your due diligence must validate what is claimed. Your scoring must balance price, quality, and risk transparently.
Due diligence: financials, security, insurance
Before award, validate solvency, security posture, and coverage.
- Review audited accounts, credit scores, and going-concern status.
- Verify certifications (ISO 27001, Cyber Essentials) and pen test summaries.
- Confirm data processing posture and sub-processor management.
- Check insurance: professional indemnity, public/employers’ liability, and cyber with limits proportionate to risk.
- Validate references and sample reports (e.g., SLA dashboards, QBR packs).
Document findings with risk ratings and mitigations that feed into contract terms.
RFP question bank aligned to risk/capability
Ask questions that expose delivery method, control, and resilience:
- Describe your delivery approach and how you manage scope, quality, and change.
- Provide a sample SoW and reporting pack for a comparable service.
- Detail your information security controls, certifications, and incident response.
- Explain your approach to TUPE, mobilisation, and knowledge transfer.
- Provide KPI/SLA proposals with benchmarking and service credit methods.
- Describe your supply chain (subcontractors), audit rights you accept, and exit support.
Score narrative answers and insist on evidence artefacts to validate maturity.
Evaluation scorecards and weighting
Use weighted criteria such as solution fit (30–40%), capability and references (20–25%), commercial value (20–25%), security/compliance (10–15%), and social value/sustainability (5–10% for public sector). Calibrate weights to risk—regulated data or critical operations should give more weight to security and resilience.
Keep a clear audit trail of scoring and moderation.
Transition and knowledge transfer: mobilisation, handover, documentation
Mobilisation is where most risks surface. A disciplined first-90-days plan, structured handover, and robust documentation ensure continuity and set the tone for governance.
Mobilisation checklist and timelines
Stand up governance and delivery foundations early, then scale.
- Appoint roles, exchange contacts, and hold a kick-off to confirm scope and assumptions.
- Provision tools, environments, credentials, and data access.
- Complete TUPE or onboarding actions and verify clearances and training.
- Baseline KPIs, risks, and assets; agree the reporting pack format.
- Run day-30/60/90 checkpoints with readiness criteria and go/no-go gates.
Keep a visible RAID log and publish progress to both leadership teams.
Handover and shadowing plan
Knowledge transfer benefits from structured shadowing. Begin with the provider shadowing the incumbent, then move to parallel operations.
Next, use reverse shadowing, where the provider runs the service and the incumbent observes. Use playbooks and checklists per process, with sign-offs at each stage. This reduces silent failure modes.
Documentation standards and knowledge base
Define the minimum documentation set upfront: service catalogue, process maps, work instructions, asset/configuration inventories, interfaces, and runbooks. Store in a shared knowledge base with ownership, versioning, and a review cadence.
Tie document updates to change control so artefacts stay current.
Risk management and remediation: liabilities, insurance, audit rights, HMRC reclassification, service credits
Contracts should allocate risk proportionately and give you levers to remediate performance issues. Insurance and audit rights underpin resilience. HMRC red flags should be monitored operationally. Well-designed credits and incentives align behaviour with outcomes.
Liability caps, indemnities, and insurance levels
Set liability caps relative to contract value and risk profile—commonly 100–200% of annual fees for direct loss, with carve-outs for IP infringement, data protection breaches, or wilful misconduct. Indemnities should cover third-party claims, TUPE failures, and IP.
Require insurance such as professional indemnity, public/employers’ liability, and cyber. Set minimums aligned to potential loss scenarios rather than arbitrary numbers.
Audit rights and right-to-audit clauses
Your right to audit should cover service delivery, security controls, data processing, and subcontractors. Use reasonable notice (e.g., 10–20 business days) and allow for-cause audits on incidents.
Define remediation timelines and consequences, including suspension rights for material security non-compliance. For regulated sectors, align with supervisory expectations on data access and audit.
HMRC reclassification red flags and mitigation
Watch for operational drift into labour supply:
- Client assigning tasks to named individuals or approving all personnel moves.
- Timesheets and appraisals used as the primary performance mechanism.
- Payment based only on hours with no acceptance or SLA linkage.
- Provider staff embedded in rotas and policies indistinguishably from FTEs.
- No evidence of substitution, method control, or service-level reporting.
Mitigate by enforcing SoW boundaries, using service-level dashboards, recording substitutions, and linking payments to acceptance. Keep a file with SDS rationale and evidence consistent with HMRC guidance.
Service credits, earn-backs, and bonus/penalty structures
Service credits should be proportionate and targeted. Example: the monthly fee is £100k and SLA weights total 100 points. If uptime misses by 2 points and response time by 3 points, the total miss is 5 points; credit = 5% of monthly fee = £5k, with a floor/cap (e.g., 10%).
Earn-backs allow recovery when the provider overperforms next period. Bonuses can reward stretch achievements or sustained improvements (e.g., 10% share of incremental KPI uplift verified against baseline). Keep maths simple and auditable to avoid disputes.
Exit, termination, step-in rights, and back-sourcing
Well-structured exits protect business continuity and reduce tail risk. Plan your exit like a mini-transition, with data, knowledge, and access cleanly handed back or over to a new provider. Make cost and timing visible upfront.
Termination triggers and notice
Include termination for cause (material breach, repeated SLA failures, insolvency), for convenience with notice (e.g., 60–90 days), and on change of control. Define wind-down obligations: knowledge transfer, data extraction, licence handback, and reasonable assistance at agreed rates.
Pre-price exit support days to avoid last-minute negotiations.
Step-in rights and business continuity
Step-in lets you temporarily take control if there is critical failure or serious risk (e.g., security incident, sustained SLA breach). Define triggers, scope, duration, and cost responsibilities, with a clear handback plan once stability returns.
Align step-in with business continuity and disaster recovery testing in the service.
Back-sourcing and knowledge retention
For back-sourcing or re-tender, require current documentation, asset and config inventories, and training materials. Ensure IP created under the contract is owned or licensed as needed, and that you have access to data in open formats.
Run an exit rehearsal 3–6 months before contract end to validate readiness and avoid cliff-edges.
By anchoring your engagements in outcomes, acceptance, and provider control—and by embedding UK-specific compliance, pricing discipline, and governance—you can gain the benefits of contracted-out services while minimising tax, legal, and delivery risk.