Location where the work is to be performed.
Domestic locations. Where is the vendor actually performing the work? Will they need physical access to the bank premises or equipment? Will they be on-site during or after business hours? The contract should reference the security policies governing access to the bank’s systems, data (including customer data), facilities, and equipment. The vendor should be obligated to comply with those security policies when accessing such resources. If the work is being done at the vendor’s office, the bank will want approval rights over any change in the location. Depending on the type of services being provided, the bank may also want the contractual right to visit the vendor’s offices to review the vendor’s internal security systems.
Subcontractors generally. An important question for the bank to ask is whether any of the work is being outsourced to a subcontractor. If the vendor is using subcontractors, the bank should consider whether it will want notice of, and perhaps approval rights over, who is being used. In addition, the contract should make it clear that the bank considers the vendor responsible for the performance of the contract regardless of whether it outsources a portion of the work. The contract should also make it clear that subcontractors are subject to the same confidentiality and security requirements as the primary vendor. Consideration should be given to adding a contractual provision that requires any subcontractors to verify in writing that they will comply with the privacy requirements.
The fact that a vendor performs all of the work in-house today is not a guaranty that they will always do so. You should expect that the ways in which vendors provide services will continue to change and you should not assume that a topic does not need to be addressed simply because the vendor does not engage in that practice today.
Assuming that the use of subcontractors is addressed in the contract, the bank should consider what will occur if the vendor uses a subcontractor in a fashion that is not authorized under the contract. The conduct may be such that the bank will want to be able to declare the vendor in default under the contract.
Offshore outsourcing. Will the vendor, or a subcontractor of the vendor, be performing any of the work overseas? This has become such a commonplace occurrence that a bank should never assume that all of the work, or the support function for the products and services it is negotiating to purchase, is occurring within the United States. Depending on what the product or services being provided to the bank entail, this may be a minor or a very major issue. For example, if the vendor has access to personal identifying information on consumers, are you comfortable with that information being sent overseas? Even if the information does not involve consumer information, are you comfortable with the security procedures used in the foreign operation? The contract should also prohibit the outsourcing of work to subcontractors overseas unless the bank is first made aware of the practice and consents. When work is being offshored, it is common to attach an exhibit to the contract describing in detail the security procedures used in the offshore location, including what type of background checks are conducted and other internal security processes. The bank needs to know where its information is being sent and will want approval rights if the location is being changed.
Dual employees. Certain types of vendor arrangements will involve using “dual employees,” i.e., existing employees of the bank who also become employees of the vendor. The contract should clearly articulate their responsibilities and reporting lines. Issues that should also be addressed include how such persons are being compensated. In certain instances, the bank may not be allowed to compensate the employee for certain matters, but the vendor can. The contract should make it very clear that the bank is not making any sort of prohibited payments.