How banks should negotiate a third-party vendor contract
All banks rely on third-party vendors to assist them in their banking business. Banking regulators expect boards of directors and management to oversee bank vendors and manage the associated risks of such use. A bank must conduct adequate due diligence to identify and select a competent and qualified third-party vendor, such as reviewing the business reputation, financial soundness and experience of the third-party vendor. A written contract used to lay out the duties, obligations and responsibilities of the parties should protect the bank and ensure that the services are performed in compliance with regulatory requirements.

Vendors frequently have form contracts favorable to the vendor that they present to banks as the final agreement. Unfortunately, many banks simply sign the vendor's forms without evaluating their terms or negotiating concessions. This is a bad idea that can have significant, adverse consequences if and when the vendor relationship becomes strained. If there is inadequate due diligence and contract negotiation at the outset of a third-party relationship, a bank exposes itself to reputation risk, for example, when the expectations of the bank's customers are not met or the relationship results in adverse publicity. The bank also exposes itself to transaction, litigation and compliance risk when a third party cannot deliver an expected product because of poor performance, fraud or technological failure.

Particular attention to the following should be considered when entering into a contract with a third-party vendor:

• The right to audit: Banks need to be able to monitor the performance of a third party, including its internal controls and security.

• Confidentiality and security: All too often, there are unsettling news reports of information security breaches in which personal information is wrongfully accessed, including account information and Social Security numbers. Banks need to know promptly when information security has been breached, the extent of a breach and the specific corrective action taken upon discovery of the breach. Many banks are now including contract provisions that require a service provider to reimburse the bank for out-of-pocket costs relating to data security breaches that occurred due to the service provider's negligence. In addition, certain provisions should survive termination of the contract, including confidentiality obligations and requirements that vendors return all bank and customer data upon contract termination, including any backup copies.

• Indemnification: Indemnification provisions are very important in order to protect the bank from liability for potential claims that may arise during the contract. Indemnification provisions should be negotiated with the goal of the proper allocation of risk: the risk should be borne by the party best able to control and insure for it. For example, a software vendor should provide an intellectual property indemnification so the bank will be reimbursed if it is sued for copyright, patent or trade name/trademark infringement. Ideally, indemnification provisions should include "defend" as well as "indemnify and hold harmless" language.

• Insurance: Indemnification provisions that are not coupled with a requirement for a vendor to maintain a certain level of insurance, or that do not contain notification obligations when insurance changes, could render indemnification rights meaningless. A vendor needs to have the means to fund its indemnification obligations, and insurance serves such a purpose. A bank should meet with its own insurance provider to determine the appropriate amounts and types of insurance coverage to request from the vendor. If a vendor is unable to provide the requested insurance coverage, a bank has the option to either obtain its own insurance coverage and re-price the contract in order to account for the additional risk it is assuming, or be prepared to walk away from the relationship.

• Limits on liability: Liability risks are usually vigorously negotiated. Regulators recommend that management determine if the proposed limit is proportional to the amount of loss the bank might experience upon the vendor's failure to perform. The typical situation is that many vendors limit the dollar amount to the amounts paid under the contract, as well as specific types of damages, so that they will not be liable for consequential damages. A bank should be mindful to carve out the intellectual property indemnification from any limits on liability. A bank may want to consider alternative dispute resolution, such as arbitration, to keep costs low should a dispute arise under the contract.

• Default, termination and renewal: Contracts should allow a bank to terminate upon a reasonable amount of notice for any reason, unless a vendor has priced the contract so that its up-front costs are not recovered until the term expires, which is a somewhat unusual circumstance. Contracts should allow for immediate termination upon breach, a regulator's objection, change in control, violations of law, insolvency, and bankruptcy. Banks should avoid automatic renewal clauses that can lock a bank into an undesirable contract unless there is an ability to terminate for any reason.

While third parties can provide valuable assistance to a bank or greatly enhance its ability to offer diverse products and services to its customers, all vendors should be managed throughout the relationship. A well-drafted contract will be one of the most important tools a bank has available in mitigating risk associated with the use of third-party vendors, along with centralized oversight of all vendor contracts. Centralized oversight will promote consistency of terms, a comprehensive understanding of which contract governs what function, and an awareness of renewal and termination dates.

Susan B. Hollinger, a shareholder-director of the Concord law firm of Gallagher, Callahan & Gartrell, practices banking and business law on a full range of issues primarily related to the financial services industry.