Contract Negotiation & the New Guidance

The final interagency guidance on third-party risk management builds upon the prior OCC guidance and contains a laundry list of expectations impacting the contract negotiation stage.  While the guidance notes it does not carry the same force and effect of law, it provides detailed insight into the areas of focus for the agencies’ examinations.  Thus, it is important that banking organizations understand these requirements.  In this edition, we unpack that laundry list to help understand the focus for each item.     

The final guidance stresses the importance of contract negotiation for banks when entering third-party arrangements.  A banking organization should assess the need for a written contract and ensure it aligns with their business goals and risk management needs. The negotiation process involves establishing contract provisions that facilitate effective risk management and clearly define expectations and obligations. The level of detail in the contract depends on the risk and complexity of the relationship. Banking organizations may request modifications or additional provisions to meet their requirements. In challenging negotiations, the banking organization must understand resulting limitations and risks, potentially considering alternative approaches if the contract is unacceptable. Periodic reviews of executed contracts help confirm that relevant risk controls and legal protections are still in place, and renegotiation may be considered if new risks arise.

Depending on the degree of risk and complexity of the third-party relationship, a banking organization typically considers the following factors, among others, during contract negotiations:

• Nature and Scope of Arrangement

In contract negotiations, a banking organization should clearly define the rights and responsibilities of each party. This includes specifying the business arrangement, ancillary services, activities, and terms governing information use. The organization should also consider the responsibilities of dual employees and the potential for contract termination or renegotiation due to changing circumstances.

• Performance Measures or Benchmarks

Performance measures are crucial in evaluating third-party performance for banking organizations. A service-level agreement helps define expectations and responsibilities, including policy compliance and adherence to laws and regulations. These measures monitor and incentivize performance while avoiding imprudent behavior. Accuracy, compliance, and customer impact are prioritized over processing volume or speed.

• Responsibilities for Providing, Receiving, and Retaining Information

Contract provisions for third-party arrangements should address several key areas. These include the banking organization’s access to timely and accurate data, the use of data by both parties, sharing data with regulators, restrictions on data resale or access by other entities, notification of compliance lapses or significant events, and the type and frequency of reports to be received. These provisions are crucial for monitoring risks, ensuring compliance, and maintaining effective oversight.

• The Right to Audit and Require Remediation

To monitor the performance of a third party, banking organizations often establish the right to audit and remediate issues through contracts. These contracts include provisions for periodic, independent audits based on the risk and complexity of the relationship. They also address the types and frequency of audit reports the banking organization is entitled to receive, such as SOC reports or PCI compliance reports. Additionally, the contracts may reserve the banking organization’s right to conduct its own audits or engage an independent party for this purpose.

• Responsibility for Compliance with Applicable Laws and Regulations

A banking organization must adhere to laws and regulations when engaging with third parties. Contracts should outline the obligations of both the organization and the third party to comply with applicable laws. The organization should have the right to monitor the third party’s compliance and address any issues promptly. Contracts may also consider relevant guidance and self-regulatory standards.

• Costs and Compensation

Contracts that clearly outline costs and compensation arrangements are crucial for reducing misunderstandings and disputes in billing. They also ensure that compensation aligns with banking practices and regulations. Common contract elements include compensation details, cost schedules, base service calculations, volume-based fees, and special request fees. Contracts may also address conditions for cost structure changes and limits on cost increases. It’s important to avoid contracts that incentivize inappropriate risk-taking and to carefully evaluate upfront or termination fees. Additionally, provisions for payment of legal, audit, and examination fees should be specified. Responsibilities for hardware and software procurement and maintenance should also be clarified, where applicable.

• Ownership and License

To avoid ownership and licensing disputes, contracts often outline the third party’s rights to use a banking organization’s information, technology, and intellectual property. Clear provisions regarding data ownership and warranties on intellectual property acquisition help prevent misunderstandings. Additionally, including escrow agreements for software purchases ensures access to source code and programs in specific scenarios, such as the third party’s insolvency.

• Confidentiality and Integrity

Contracts with third parties pose increased risks related to sensitive information and infrastructure access. Effective contracts should prohibit the unauthorized use and disclosure of banking organization and customer information. Third parties receiving personally identifiable information must implement appropriate security measures. Provisions should specify timely disclosure of information security breaches. Considerations include data types, legal obligations, potential consumer harm, and corrective actions. Provisions also address security procedures, confidentiality, integrity, and incident management exercises.

• Operational Resilience and Business Continuity

Contracts between banking organizations and third parties should address the third party’s responsibility for operational resilience, including controls for protecting programs, backing up datasets, addressing cybersecurity issues, and maintaining business continuity plans. The contract should also specify operating procedures in the event of business continuity plans being implemented, as well as testing requirements. Additionally, it is important to consider provisions for transferring accounts, data, or activities to another third party in the event of bankruptcy, business failure, or interruption.

• Indemnification and Limits on Liability

Including indemnification provisions in a contract can protect a banking organization from liability and provide reimbursement for damages caused by a third party’s misconduct. It is important to carefully consider the extent to which the banking organization will be held liable or reimbursed for damages due to the third party’s failure to perform or obtain necessary licenses. This assessment should include evaluating whether any liability limits are proportional to potential losses and if the banking organization is required to hold the third party harmless.

• Insurance

Banking organizations can safeguard themselves against losses from third-party relationships by including insurance requirements in contracts. These provisions necessitate the third party to maintain specified types and amounts of insurance, notify the organization of coverage changes, and provide evidence of coverage. The insurance should align with the risk of potential losses and the third party’s ability to fulfill obligations to the organization.

• Dispute Resolution

Disputes over contracts can cause delays and negative impacts on activities performed by third parties, affecting banking organizations. To address this, banking organizations should consider establishing a dispute resolution process in contracts for prompt problem-solving. It is crucial to assess if the contract includes provisions that might hinder satisfactory dispute resolution, such as arbitration or forum selection clauses.

• Customer Complaints

When customer interaction is important in a third-party relationship, it is beneficial for a banking organization to have a contract provision that ensures proper handling of customer complaints and inquiries. Effective contracts clearly state whether the banking organization or the third party is responsible for responding to these issues. If the responsibility lies with the third party, the contract should include provisions for timely response and provision of necessary information to the banking organization. If the responsibility lies with the banking organization, the contract should include provisions for prompt notification of any complaints or inquiries received by the third party.

• Subcontracting

Third-party relationships in banking organizations can involve subcontracting arrangements, which can introduce risk by reducing direct control over activities. This is especially important when higher-risk activities or critical activities are outsourced. To mitigate risk, banking organizations should establish clear guidelines for subcontracting, including notification requirements and restrictions on specific subcontractors. Contracts should also address the assignment or transfer of obligations without consent. Detailed contractual obligations, such as reporting, auditing, and compliance, should be considered for subcontracted activities. Liability, monitoring, and management responsibilities should be clearly defined. The contract should include provisions for termination without penalty if subcontracting arrangements don’t meet contractual obligations.

• Third Parties

When dealing with contracts involving foreign parties, it’s crucial to consider choice-of-law and jurisdiction provisions for dispute resolution. Understanding that foreign courts may interpret such contracts based on their own laws is important, especially if the chosen jurisdiction is outside the United States. Seeking legal advice on enforceability and other legal implications, such as privacy laws and cross-border data flow, is advisable.

• Default and Termination

Contracts in the banking industry play a crucial role in allowing organizations to change third parties when needed. To ensure effectiveness, contracts should define default, remedies, opportunities for cure, and termination circumstances. It is important to include provisions that facilitate orderly transitions, return of resources, cost allocation, and termination without penalty when directed by the primary federal banking regulator.

• Regulatory Supervision

To ensure regulatory compliance, contracts for third-party relationships in the banking sector should specify that third-party activities are subject to examination and oversight. This includes the retention and accessibility of relevant documentation. This helps clarify the role and liability of third parties in their relationship with a banking organization.

As noted, the guidance related to contract negotiation builds upon the existing OCC guidance.  We expect banking organizations with robust, mature procurement and third-party risk management programs will have less remediation work than smaller banking organizations or those with less mature programs.  However, all banking organizations will need to assess their existing programs to identify gaps both in processes and in documentation and to remediate those gaps as quickly as possible.  

To ensure their contracts align, banking organizations must act now to:

• Identify key contract clauses outlined in the guidance to establish the extent to which the existing contracts contain the required provisions.
• Remediate/renegotiate all contracts found to contain gaps.
• Update contract templates to remediate any gaps.

The guidance impacts all banking organizations and adds to the growing list of compliance requirements they must manage.  The costs of compliance continue to rise:

• 60% increase in compliance spend 2008. [1]
• $270 billion spent annually on compliance.  [2]
• 10% or more of the total bank operating costs are spent on compliance. [3]
  

Given the rising costs, banking organizations can no longer rely on traditional manual reviews to assess and remediate contract gaps.  They must turn to technology to achieve compliance and help control their compliance spend.  Technology can help:

• Expedite contract review.
• Assess large volumes of contracts.
• Enable review across multiple repositories.
• Ensure ongoing compliance with net new contracts.

Access the full Market Insights series here to learn more. Ready for a more empowering experience? Get in touch with an expert here to get started.