An unheralded transformation is occurring in the business of banking. Banking is increasingly a business of outsourcing banking operations, as stretched financial institutions work to meet their customers’ and their regulators’ demands. Skill in the procurement of third-party vendor services is now a core competency, and the regulatory agencies increasingly recognize it as such. In December of 2013, the Federal Reserve Board issued its updated “Guidance on Managing Outsourcing Risk.”

Successful outsourcing begins with the creation of the right team. The key stakeholders will usually include: (i) personnel from the affected operational unit of the bank for which the good or service is intended, as the product must ultimately perform to market and/or regulatory expectations, (ii) a financial officer with budgetary discretion, as the whizz-bang of the vendor’s product options can endanger management’s desired ROI, (iii) legal counsel, as the parties’ contract must effectively capture the hours spent in meetings hammering out everyone’s expectations, and (iv) the now-important project manager. Part diplomat, arm-twister and cat herder, the project manager is the rising star whose skill set is often found nowhere else inside the financial institution.

The Board of Governors’ updated Guidance requires bankers to identify their risks associated with outsourcing in six key areas: Compliance, Concentration, Reputational, Country, Operational and Legal Risks, and then, for each area, to implement in an explainable fashion a service provider risk management program. Of these six risk areas, this article gives its attention to the legal risks, and particularly the Guidance’s “contract provisions and considerations.”

In a different compliance document, the FFIEC counsels financial institutions to “engage legal counsel early in the process to help prepare and review the proposed contract.”[1] A legal contract is, at its heart, a risk allocation plan. And when one knows what risks are being allocated to the organization, one knows where to put the enterprise’s finite resources, both to create operational controls to manage those responsibilities which have been contractually assumed and to evaluate insurance offerings targeted to each assumed risk in the event of a failure of the operational controls.

The Board of Governors’ Guidance requires that written contracts properly cover (a) the scope and rights/responsibilities of the parties, (b) cost and compensation, (c) right to audit, (d) performance standards, (e) confidentiality and security, (f) ownership license of data and operational functionality, (g) indemnification, (h) default and termination, (i) dispute resolution, (j) limits on liability, (k) insurance, (l) customer complaints, (m) business interruption and resumption, (n) foreign-based service providers, and (o) subcontracting. As a member of the bank’s procurement team, legal counsel will use her/his familiarity with the banking laws/regulations and her/his understanding of the institution’s business objectives for the acquired service to suggest legal options that accomplish each of the Guidance’s contractual objectives (and hopefully more).

The Guidance on Managing Outsourcing Risk establishes regulatory expectations, and for that reason alone is required reading for the institution’s project manager and its legal counsel.  But it also presents a new type of offensive weapon in the bank’s arsenal, as some suspect may have been the regulator’s intent.  For example, vendors often present banks with form contracts that are materially one-sided and not otherwise in the bank’s best interest.  The new Guidance gives the procurement team ammunition for pushing back against such terms.