Regulators' tough new rules on banks' vendor relationships are changing everything about the way banks choose and work with vendors, including how the two sides draw up contracts.
Regulatory guidance spells out many new details that banks and their vendors will have to put in writing, including who is responsible when something goes wrong. While banks generally support having more ironclad provisions in contracts, they suspect that the requirements could wind up shrinking the pool of qualified vendor partners.
Potential risks of all kinds, such as the possibility of a customer data breach or of a vendor being unable to provide adequate backup during a storm, will need to be addressed in the contract, and there is widespread belief that some vendors will be unable to meet all of the requirements.
"There will be some smaller vendors providing services in a sensitive area that won't be able to satisfy all of the bank's requirements," says a compliance officer at a large Northeastern bank. "If the banks can't get the clauses they need in the contract, they'll be forced to move on and find somebody else, even though this may have been a perfectly good vendor, a good relationship."
The requirements could potentially change the dynamic of the financial technology industry, making it difficult for small vendors, startups, and large and established companies that have been hit with consent orders or lawsuits to win business.
For banks, the consequences of having fewer vendors to work with include limited choices, higher prices and less innovation. When a few large vendors have a lock on a market, they're under little pressure to innovate and update their technology.
The guidance from the Office of the Comptroller of the Currency lists a number of topics that should be addressed in a bank's third-party service contracts, including compensation for the services to be provided, performance benchmarks, required notifications, confidentiality, insurance, indemnification and limits on liability, customer complaints, dispute resolution and termination rights. It also says the contract should give the bank the right to audit the vendor and any relevant subcontractors.
In the past, banks might have accepted that vendors couldn't provide certain types of protection if they were otherwise happy with the relationship. In the new environment, they may have no choice but to cut ties with such vendors.
Still, bank advisors say that, on balance, the contract requirements are good for banks because they provide them with protections they have not always had.
The clearer the language and the more specific the metrics defined in a contract, the better the chance that the expectations of both parties will be met, says Paul Reymann, a partner at McGovern Smith Advisors in Washington, D.C.
"I like the guidance the OCC released in October a lot because it gets to the heart of the contracts," he says.
Mercedes Kelley Tunstall, partner at Ballard Spahr, says contracts must clearly spell out which party is responsible for what, and should be crystal clear about reporting requirements.
"You want to know, and the OCC guidance underlines this, if there are customer complaints coming through at a high level with respect to whatever it is the vendor is doing," Tunstall says. The bank should also be informed if the vendor has any pending litigation or regulatory inquiries that might affect its work with the bank, she adds.
Banks also have more authority to request reports that would let them identify any risks in the work the vendor is doing for them. For instance, if an agreement says that the phones will be answered within five minutes 90% of the time, it also needs a provision requiring the vendor to report how well it is meeting that requirement.
"Vendors will often say, 'We don't have an automatic way to do the reporting, it's too much of a burden for us,'" Tunstall says.
Contracts should be specific about banks' right to audit their vendors. Audits have always been a stated but never enforced element of risk management, Reymann observes.
"The vendors are getting used to it, but they don't like the idea of being audited," Tunstall adds.
And banks need to build provisions into their contracts for "compliance-based termination." For instance, a clause might specify that an agreement can be terminated if the vendor fails a risk audit.
"If contracts are clearly written and the obligation to meet consumer compliance requirements is clearly spelled out and everybody's expectations are clear, the bank should be able to terminate," says Reymann. Most contracts will provide the vendor a recovery period, anything from two weeks to 120 days, in which it can redeem itself, he says. In an extreme case, such as a data breach, there most likely won't be a recovery phase; the relationship will be ended abruptly.
Clarity around termination is especially important when a bank is working with a startup.
"If you're dealing with a vendor providing new or untested technology, in your agreement you want to add language that allows for flexible termination rights," Tunstall says. Flexibility is critical because it may be hard to anticipate the risks related to the situation. If there's any security risk or threat to consumer data, the bank should be able to immediately suspend the vendor's service.
Tunstall runs through a battery of 12 different termination scenarios with clients when drafting a vendor agreement to figure out if additional controls or wind-down provisions need to be added. At times, this exercise has driven her to go back to the negotiation table to ask for additional protection.
Banks should even build responsibility for compliance with applicable laws and regulations into the vendor agreement, Tunstall says.
"Some vendors say, 'this is your responsibility, you're on the hook, we want nothing to do with this,'" she says. "That's been their standard MO even before the guidance, before Dodd-Frank and this focus on vendor management."
One thing is certain in this new environment: standard master services agreements that are not specific to the services provided won't cut it. Indeed, Tunstall says she is advising clients to be as specific as possible so as to not raise any unnecessary red flags with regulators.
"Some banks decide to put everything including the kitchen sink into their master services agreement and just tell everyone they have to sign everything and agree to everything," she says. "The problem with that approach is if you say in your agreement that you have data sharing provisions but there's no consumer data sharing occurring between the bank and the vendor, that suggests to the regulator looking at the agreement that perhaps there is consumer data being shared. You have to spend a lot of time proving that there is no consumer data being shared."
This is the third in a series of articles on vendor management.