All banks rely upon third-party vendors to assist them in their banking business. Banking regulators expect boards of directors and management to oversee bank vendors and manage the associated risks of such use. A bank must conduct adequate due diligence to identify and select a competent and qualified third-party vendor, such as reviewing the business reputation, financial soundness and experience of the third-party vendor. A written contract will then be used to lay out the duties, obligations and responsibilities of the parties. The contract should protect the bank and ensure that the services are performed in compliance with regulatory requirements.
Vendors frequently have form contracts favorable to the vendor, which they present to banks as the final agreement. Unfortunately, many banks simply sign the vendor’s forms without evaluating their terms or negotiating concessions. This is a bad idea which can have significant, adverse consequences if and when the vendor relationship becomes strained.
Problems can arise from the use of third-party vendors due to insufficient planning and oversight of the vendor. If there is inadequate due diligence and contract negotiation at the outset of a third-party relationship, a bank exposes itself to reputation risk, for example, when the expectations of the bank’s customers are not met or the relationship results in adverse publicity. The bank also exposes itself to transaction, litigation and compliance risk when a third party cannot deliver an expected product because of poor performance, fraud or technological failure.
The federal bank regulators have provided guidance to banks on managing the various types of risks that can arise from using third-party vendors.1 This guidance should be consulted by all banks from time to time in order to evaluate or structure a comprehensive system of risk management. This article concentrates on one area of risk management: negotiating an effective contract with the third-party vendor.
Particular attention to the following items should be considered when entering into a contract with a third-party vendor:
The right to audit. Banks need to be able to monitor the performance of a third party, including its internal controls and security. In many cases, it is prudent to require a comprehensive SAS 70 audit review, or specifically a Type II SAS 70 review. A Type II SAS 70 reports on the service provider’s policies and procedures and on tests of whether its controls actually operate as described.
Confidentiality and security. Information security is a hot topic today. All too often there are unsettling news reports of information security breaches in which personal information is wrongfully accessed, including account information and social security numbers. Banks need to know promptly when information security has been breached, the extent of a breach and specific corrective action taken upon discovery of the breach. Many banks are now including contract provisions that require a service provider to reimburse the bank for out-of-pocket costs relating to data security breaches that occurred due to the service provider’s negligence. In addition, certain provisions should survive termination of the contract, including confidentiality obligations and requirements that vendors return all bank and customer data upon contract termination, including any backup copies.
Indemnification. Indemnification provisions are very important in order to protect the bank from liability for potential claims that may arise during the contract, and this is an area where banks should be particularly mindful. Indemnification provisions should be negotiated with the goal of the proper allocation of risk — the risk should be borne by the party best able to control and insure for it. For example, a software vendor should provide an intellectual property indemnification so the bank will be reimbursed if it is sued for copyright, patent or tradename/trademark infringement. Ideally, indemnification provisions should include “defend” as well as “indemnify and hold harmless” language.
Insurance. Indemnification provisions that are not coupled with a requirement that the vendor maintain a certain level of insurance, and notify the bank when that insurance changes, can render indemnification rights meaningless. A vendor needs to have the means to fund its indemnification obligations, and insurance serves that purpose. A bank should meet with its own insurance provider to determine the appropriate amounts and types of insurance coverage to request from the vendor. If a vendor is unable to provide the requested insurance coverage, a bank has the option to either obtain its own insurance coverage and reprice the contract in order to account for the additional risk it is assuming, or be prepared to walk away from the relationship.
Limits on Liability. Liability limits are usually vigorously negotiated. Regulators recommend that management determine whether the proposed limit is proportional to the amount of loss the bank might experience upon the vendor’s failure to perform. Typically, vendors limit their liability to the dollar amounts paid under the contract and exclude specific types of damages, so that they will not be liable for consequential damages. A bank should be mindful to carve out the intellectual property indemnification from any limits on liability. A bank may want to consider alternative dispute resolution, such as arbitration, to keep costs low should a dispute arise under the contract. Also, in the context of external auditor engagement letters, the FFIEC proposed interagency guidance should be consulted, as it disapproves of the use of certain forms of limitation of liability and alternative dispute resolution provisions.
Default, termination and renewal. Contracts should allow a bank to terminate for any reason upon a reasonable amount of notice (e.g., 30 or 60 days, or another period long enough to allow for a smooth transition to another provider), unless a vendor has priced the contract so that its upfront costs are not recovered until the term expires, which is a somewhat unusual circumstance. Contracts should allow for immediate termination upon breach, a regulator’s objection, change in control, violations of law, insolvency, and bankruptcy. Banks should avoid automatic renewal clauses, which can lock a bank into an undesirable contract unless there is an ability to terminate for any reason.
While third parties can provide valuable assistance to a bank or greatly enhance its ability to offer diverse products and services to its customers, all vendors should be managed throughout the relationship. A well-drafted contract will be one of the most important tools a bank has available in mitigating the risk associated with the use of third-party vendors, along with centralized oversight of all vendor contracts. Centralized oversight will promote consistency of terms, a comprehensive understanding of which contract governs which function, and an awareness of renewal and termination dates.
1 OCC Bulletin 2001-47, Risk Management Principles, Third Party Relationships, November 1, 2001.
* Susan B. Hollinger is admitted in New Hampshire, Vermont and Massachusetts.