Banks have been using third parties to achieve their strategic goals for years, but new legislation and stricter enforcement of existing regulations are highlighting the need for management to ensure that the selection of and contracting with third party providers is conducted in a manner that guarantees compliance with applicable laws and mitigates supply chain risk.
Legislators and regulators acknowledge that judicious use of third party relationships offers banks legitimate opportunities to increase or ensure profitability, enhance their offerings and improve efficiency. It is equally critical to recognize, however, that use of third parties does not absolve the bank of its duties and responsibilities relative to the performance of those third parties or of the bank’s requirement to comply with relevant regulations. In fact, there is a fundamental expectation that any bank using a third party will properly oversee and manage that third party relationship to the same extent that it would if it were performing or delivering the service internally. This entails adoption of a formal process that includes four core steps:
1. An assessment of the risks associated with a decision to utilize a third party to perform a service or provide a product (regardless of which third party is selected).
2. Proper due diligence to identify and select the appropriate third party provider.
3. Written contracts that outline clearly the duties, obligations and responsibilities of the parties involved.
4. Ongoing oversight of the third parties and their activities appropriate to the level of materiality the risks present.
Each of these steps is critical and several will require development of an appropriate process, assignment of accountability, allocation of resources and, potentially, implementation of supporting technology. However, the contracting step is relatively straightforward. Immediate actions can be taken to ensure that contracts include relevant provisions to confirm that the bank satisfies its obligations relative to risk management and mitigation. Contracts should be aligned to the level of materiality of risk associated with the product or service to be acquired.
The following list is comprehensive and is intended to be representative of what may need to be included in the contract:
Scope: This should specify the frequency, content and format of the service or product. It should detail the activities the third party is permitted to conduct and any that they are prohibited from doing. It should also specify location, use of bank equipment, space or personnel and any obligations relative to use of subcontractors.
Performance Measures: The contract should clearly delineate the expectations and metrics that will be used to measure success of the arrangement. It should include the timing, mechanisms and process associated with the planned performance management structure.
Management Information: The definition of what information is to be received, by whom and when -- and the fact that it should be timely, accurate and comprehensive -- is core to a bank’s ability to ensure it can adequately assess performance, service levels and risks. Provisions clearly stating notification expectations based upon specific events or circumstances should also be included.
Audit Rights: Per regulations, each of the regulating bodies has the right to audit third party providers at the same intensity that they can audit the bank itself. Therefore, it is critical that contract audit rights be included. These rights should run not only to the bank, but also through to the regulators. At minimum, requirements outlining expectations about what type of third party audits are required/allowed should be included.
Compensation: The contract needs to define all fees and other forms of compensation. It should clearly indicate whether the fees are related to volumes or activities and what triggers the fee. This information is particularly critical when dealing directly with a consumer and/or a governmental entity in order to protect the bank from any inappropriate charges stemming from behavior that could be deemed unfair, deceptive, or even corrupt.
Ownership: It is critical to lay out what rights each party has to the data, the deliverables, any records generated in the process of performing or producing the work and even the logos and trademarks associated with the product or service.
Confidentiality/Privacy: Given the tremendous increase in concerns with protecting the privacy and confidentiality of consumer information, this portion of the contract has become even more critical in the last few years. The contract needs to define the obligations and responsibilities of each party relative to the protection of confidential information, who is responsible for notification of any breach or potential breach and what security procedures are required depending upon the type of information gathered.
Business Continuity: Documentation should include specific requirements for business continuity, disaster recovery and business resumption planning that is expected of the provider. How third parties will be expected to interact with the bank, how frequently they need to test and document their results and even specifications relative to recovery times should be delineated.
Indemnification: Provisions that define liability associated with each party’s negligence or actions need to be included. These provisions must be reviewed to make sure the bank is not assuming an inappropriate allocation of risk.
Limits on Liability: In tandem with the indemnification provisions, the limits on liability are critical to apportion the loss in the event the third party fails in its obligations to perform.
Dispute Resolution: In the event there is a dispute, the contract needs to define what method of resolution is to be utilized (e.g. arbitration or mediation) to ensure that problems are resolved expeditiously.
Customer Complaints: Today, there are clear duties and obligations relative to customer complaint management. The contract needs to spell out exactly what is expected of the third party, by when, to whom and at whose expense these actions are to be taken.
Termination Rights: Termination rights are typically associated with default or non-performance, and the contract should delineate who has the right to terminate the contract and under what circumstances. It should include notice and cure provisions as well as the definition of what constitutes default and whether termination for convenience is allowed.
While many of these provisions may seem fairly basic, each provides the bank an opportunity to manage and mitigate the risk associated with using third parties. There is no one right answer for what these provisions need to include. They are levers that can be utilized as controls to ensure the bank has appropriately aligned the contract with the provider to the level of risk associated with the decision to use that particular third party to perform on its behalf. Effective contract construction is just one facet of a comprehensive third party management framework that will give banks the opportunity to capture the benefits third parties can bring to the table.
Michele Flynn is the chief strategy officer for Hiperos, LLC, which provides solutions designed to simplify third-party management for financial services organizations and other companies.