Best Practices in Banking Vendor Management – Contracting

Contracting

The contracting aspect of an effective vendor management program is not just signing a document or turning it over to the lawyers for drafting. Contracting in the context of vendor management requires a disciplined approach by the bank. Since the contract between the bank and the vendor will be the final authority and the point of reference for all expectations from both parties, the process of contracting must be established internally. In developing this process the bank should consider:

  • Who manages the bank’s contracts?
  • How are the bank’s contracts managed? Is it a centralized, decentralized or hybrid process?
  • Who is responsible for negotiating terms?
  • Can financial incentives impact the vendor’s negotiations?
  • Can operational incentives or issues impact the vendor’s negotiations?
  • Are there market incentives or issues that could impact the vendor’s judgment?
  • Are there strategic incentives or issues that could impact the vendor’s judgment?
  • Who manages amendment and renewals?
  • Who is monitoring changes in the environment (technological, market, legal, regulatory, customer base)?
  • What approvals or notifications are necessary for contracts? Are there different tiers for varying costs and impact?
  • Board approval is required for a contract that involves critical activities.
  • Regulatory notification is required for contracts involving check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices and similar items, or any other clerical, bookkeeping, accounting, statistical or similar functions performed for a depository institution. This requirement has been very broadly interpreted by the regulators to include notification of contracts involving any technology-related services.
  • Who is authorized to execute the contracts?
  • Banks should be wary of the risk inherent in a decentralized system, a system that broadly grants contracting authority, or practices that give apparent authority to employees and agents.

Of course, the documentation itself is very important to the contracting process. The final contract should represent the business terms both parties expect, mitigation of the risks identified in the risk assessment, and tools to maintain due diligence and monitor ongoing performance. The key provisions that should be considered in any contractual relationship are:

  • Nature and scope of arrangement

A thorough and complete description of the services to be provided is the core of any services agreement. Regulators recommend that the description also include ancillary services such as software or other technology support and maintenance, employee training and customer service. 

  • Performance measures

Service levels, metrics, deliverables or benchmarks are a second essential element to an outsourcing agreement. Regulators caution that performance measures should not incentivize undesirable performance, such as sacrificing accuracy for speed or compliance requirements, to the detriment of customers. 

  • Cost and compensation

The contract must establish payment terms, but banks should ensure the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the bank or the vendor. The contract should specify the conditions under which the cost structure may be changed, including limits on any cost increases and any penalties for any failures to meet service levels, controls and audit requirements, or late payments.

  • Audit rights

The regulatory authorities have broadly applied the legal authority they are granted in the Bank Service Company Act to include rights to directly examine bank vendors. Banks are presumed to include contractual language that will give them and regulators access to the vendor’s operations, records and employees to conduct examinations and audits when appropriate.

  • Confidentiality and integrity

Contracts must require confidentiality of any customer information provided or even potentially available to the vendor. Vendors must protect that information according to regulatory standards and applicable law. The contract should specify when and how the vendor will disclose information about security breaches, and whether the breach resulted in unauthorized intrusions or access that may materially affect the bank or its customers. The contract should address the power of each party to change security and risk management procedures and requirements, and to resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party.

  • Ownership and license

In a world where it is becoming common for banks and vendors to jointly develop or create products and services, the contract must address ownership rights of jointly developed property as well as ownership rights of property contributing to or utilized in that development. Also, the bank should require the vendor to warrant that any third-party intellectual property used is (1) licensed for the services provided, (2) that such use, and the property or tools the vendor is contributing, will not infringe upon someone else’s intellectual property, and (3) in the case of software and/or hardware, the property will not transmit any unwanted or harmful programs to the bank’s systems.

  • Indemnification

Many times this is a point of contention or confusion. However, it is important that the bank ensure that any indemnities it provides to the vendor make sense from a risk management perspective and that any indemnities it receives from the vendor appropriately assess the risks inherent in the relationship. 

  • Default and termination

Banks should always ensure the contract provides them the right to terminate if the vendor fails to meet its obligations. However, regulators have identified three other points to consider in the default/termination clause:

  1. The bank should determine whether it includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that, among other circumstances, a regulator formally directs the bank to terminate the relationship. 
  2. The services agreement should permit the bank to terminate the relationship in a timely manner without prohibitive expense.
  3. The services agreement should include termination and notification requirements with time frames to allow for the orderly conversion to another vendor.

  • Dispute resolution

Most contracts should provide for some form of dispute resolution, either an informal process of meetings between management or a formal plan involving arbitration or mediation.

  • Liability caps

Some of the largest risks banks face come from limits of liability. A vendor that a bank pays $50,000 per year could expose the bank to a class action that costs $25,000,000. If the bank has agreed to a limit of liability equal to the amount of fees paid to the vendor in a year, this outsourcing poses a significant risk.

To address this risk, the bank also should determine whether any liability caps are in proportion to the amount of loss the bank might experience. Banks should reject the all-too-common “annual fees paid” formulation unless that amount is an accurate reflection of the bank’s risk.

  • Insurance

The contract should stipulate that the third party is required to maintain adequate and appropriate insurance coverage, to notify the bank of material changes to coverage, and to provide evidence of coverage periodically or upon demand.

  • Customer complaints

When a vendor could receive complaints from customers, the contract should specify whether the bank or vendor is responsible for responding to customer complaints and outline specific standards for when a response is given and instruct the vendor which bank officer should receive the complaint. In those situations, the contract must also address retention guidelines and escalation procedures for customer complaints.

  • Business resumption and contingency plans

Given the increased regulatory attention to disaster recovery, banks would be wise to require the vendor to provide the bank with disaster recovery plans, testing schedules, the ability to participate in the tests and the sharing of the results of those tests.

  • Foreign-based third parties

Contracts with foreign-based third parties should include choice-of-law and jurisdictional provisions that provide for adjudication of all disputes under the laws of a specified jurisdiction. Regulators do not require that the jurisdiction or applicable law be the United States or a political subdivision thereof, but when a U.S. bank submits to the laws and jurisdiction of a foreign country, there should be a plan in place to protect its rights in that jurisdiction and an articulable reason for accepting the foreign jurisdiction.

  • Subcontracting

The contract should specify: (1) any specific activities that cannot be subcontracted; (2) whether the bank prohibits the vendor from subcontracting activities to certain locations or to specific subcontractors; (3) notification to the bank before a subcontractor is engaged (with an opportunity to perform due diligence on the proposed subcontractor) or when an existing subcontractor is terminated; and (4) the bank’s ability to audit and perform due diligence on subcontractors.

The bank should also reserve the right to terminate the services agreement without penalty if the vendor’s subcontracting arrangements do not comply with the contract or if the bank does not approve a proposed subcontractor.

  • Responsibilities for providing, receiving and retaining information

As part of establishing and reporting performance metrics, the contract should require the vendor to provide and retain timely, accurate and comprehensive information that allows the bank to monitor performance, service levels and risks. Additionally, regulators have recommended other reports that many vendors are not eager to accept but actually are very important to maintaining an effective vendor management program. Specifically:

  • Prompt notification of financial difficulty, catastrophic events and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions or other regulatory actions.
  • Personnel changes, or implementation of new or revised policies, processes and information technology.
  • Notification to the bank of significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures or other business activities that could affect the activities involved.

  • Responsibility for compliance with applicable laws and regulations

The contract should require compliance with laws, regulations, guidance and best-practices standards applicable to the bank. Some vendors will try to avoid this by saying the regulations that govern banks do not apply to them. However, the bank is still responsible for compliance with its laws and regulations, and a vendor that is not meeting those requirements when performing services for the bank is putting the bank at significant risk. Bank vendors must be informed of the requirements, and they must agree to follow and implement relevant rules, regulations and laws that apply to banks.

The bank must always weigh the nature of the services, the risk posed by the outsourcing, and the relationship of the parties to construct contractual provisions that meet the bank’s needs, vendor-management program and legal/regulatory requirements.
