= Subscriber content; or subscribe now to access all American Banker content.

Tighter Focus on Contracts Could Kill Some Vendor Relationships

Regulators' tough new rules on banks' vendor relationships are changing everything about the way banks choose and work with vendors, including how the two sides draw up contracts.

Regulatory guidance spells out many new details that banks and their vendors will have to put in writing, including who is responsible when something goes wrong. While banks generally support having more ironclad provisions in contracts, they suspect that the requirements could wind up shrinking the pool of qualified vendor partners.

Potential risks of all kinds such as the possibility of a customer data breach or of a vendor not being able to provide sufficient backup in a storm will need to be addressed in the contract, and there's widespread belief that some vendors will be unable to meet all requirements.

"There will be some smaller vendors providing services in a sensitive area that won't be able to satisfy all of the bank's requirements," says a compliance officer at a large Northeastern bank. "If the banks can't get the clauses they need in the contract, they'll be forced to move on and find somebody else, even though this may have been a perfectly good vendor, a good relationship."

The requirements could potentially change the dynamic of the financial technology industry, making it difficult for small vendors, startups, and large and established companies that have been hit with consent orders or lawsuits to win business.

For banks, the consequences of having fewer vendors to work with include limited choices, higher prices and less innovation. When a few large vendors have a lock on a market, they're under little pressure to innovate and update their technology.

The guidance from the Office of the Comptroller of the Currency lists a number of topics that should be addressed in a bank's third-party service contracts, including compensation for the services to be provided, performance benchmarks, required notifications, confidentiality, insurance, indemnification and limits on liability, customer complaints, dispute resolution and termination rights. It also gives the bank the right to audit the vendor and relevant subcontractors.

In the past, banks might have accepted that vendors couldn't provide certain types of protection if they were otherwise happy with the relationship. In the new environment, they may have no choice but to cut ties with such vendors.

Still, bank advisors say that, on balance, the contract requirements are good for banks because they provide them with protections they have not always had.

The clearer the language and more specific the metrics defined in a contract, the better the chance that the expectations of both parties defined in that contract will be met, says Paul Reymann, partner, McGovern Smith Advisors in Washington, D.C.

"I like the guidance the OCC released in October a lot because it gets to the heart of the contracts," he says.

Mercedes Kelley Tunstall, partner at Ballard Spahr, says contracts must clearly spell out which party is responsible for what, and should be crystal clear about reporting requirements.

"You want to know and the OCC guidance underlines this if there are customer complaints coming through at a high level with respect to whatever it is the vendor is doing," Tunstall says. The bank should also be informed if the vendor has any pending litigation or regulatory inquiries that might affect its work with the bank, she adds.

Banks also have more authority to request reports that would let them identify any risks in the work the vendor is doing for them. For instance, if an agreement says that the phones will be answered within five minutes 90% of the time, it also needs a provision that documents how well the vendor is meeting that requirement.

"Vendors will often say, 'We don't have an automatic way to do the reporting, it's too much of a burden for us,'" Tunstall says.

Contracts should be specific about banks' right to audit their vendors. Audits have always been a stated but never enforced element of risk management, Reymann observes.

"The vendors are getting used to it, but they don't like the idea of being audited," Tunstall adds.

And banks need to build provision into their contracts for "compliance-based termination." For instance, a clause might specify that an agreement can be killed if the vendor fails a risk audit.

"If contracts are clearly written and the obligation to meet consumer compliance requirements is clearly spelled out and everybody's expectations are clear, the bank should be able to terminate," says Reymann. Most contracts will provide the vendor a recovery period, anything from two weeks to 120 days, in which it can redeem itself, he says. In an extreme case, such as a data breach, there most likely won't be a recovery phase; the relationship will be ended abruptly.

Clarity around termination is especially important when a bank is working with a startup.


(2) Comments



Comments (2)
Small banks are held to the same, or perhaps even higher standards than the large banks. The large institutions were, for the most part, responsible for the abuses that lead up to the 2008 financial crises, and yet it is the small banks that are now choking in the regulatory aftermath. It is far easier for examiners to pick apart every single detail in every transaction or vendor relationship in a small bank and make figurative mountains out of molehills. Our economic strength lies in diversity, and strangling small banks in more regulatory red tape is killing diversity.
Posted by PRLynn | Thursday, May 15 2014 at 12:22PM ET
Here is another way that I believe smaller banks will be affected more so than larger banks. Smaller banks rely to a greater extent on outsourcing. They also tend to build relationships with smaller vendors which more appropriately match their needs and may be less expensive. Smaller banks do not have a staff of attorneys to review and write contracts for individual vendors.This is just another way that the government/regulators are telling us how to run our banks. Again, the issue here is, "Are smaller banks systemically a risk to the financial system?" Of course not. Is this type of "control" of smaller banks necessary to protect the system? Absolutely not! Outsourcing and vendor relationships are very important to community banks for their survival. Impeding or eliminating those relationship or choices will greatly affect the cost and services they receive. Just another example of the continuing escalation of micro managing of banks and the continuing threat to the existence of community banks. In my opinion, the cost/benefit is just not justified. As always, my suggestions would be to carve smaller institutions out of this type of regulatory requirement for their vendors. We simply do not pose a significant threat to the financial system but this poses a significant threat to us.
Posted by GeorgeBailey | Thursday, May 15 2014 at 10:04AM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.