Adding or upgrading mobile banking is a major project, as is simply changing a bank’s vendor or service provider for mobile banking. This article summarizes the steps involved in doing so.
The banking regulators have all issued guidance on outsourcing activities to third parties. By any measure, a mobile banking service provider is a significant or critical relationship for a bank. The data security demands are significant and the bank is subject to significant strategic, reputation, operational, transaction, and compliance risks, among other risks.
Time may be the single most important consideration. To get the best deal for your bank, start the process of evaluating potential providers, selecting a vendor and negotiating a services agreement 12-18 months before an existing contract is due to renew or before your bank needs to launch a new service.
Due to the significant and high-risk nature of mobile banking services, a bank should engage in comprehensive due diligence of its proposed service providers. (And yes, it is recommended that the bank engage in due diligence with more than one service provider, both to ensure it understands the marketplace and also to ensure that it gets a “market” level of service and healthy competition for its business.) Comprehensive due diligence means reviewing financial statements, verifying the vendor’s relevant experience (success in implementing mobile banking for comparable banks) and reputation with comparable banks, the vendor’s regulatory relationships, results of past exams and audits, litigation history, performance issues, data security issues, and consumer complaint history. If the vendor will subcontract or outsource any part of the services, the bank should perform comprehensive due diligence on those subcontractors as well.
The bank’s IT, risk management, business, and legal personnel should be involved in selecting the vendor and negotiating the agreement. All involved persons should receive enough technical information regarding the service so they can make judgments regarding the matters within their expertise. For example, the IT department representative should understand the way the service is provided well enough to spot weaknesses and vulnerabilities that the vendor must address before final selection.
Given the heightened cybersecurity risks associated with mobile banking, a bank adding or changing its mobile banking services should consider upgrading its digital security systems generally. Best practices in information security require multiple strategies and it is a good idea to look at the bank’s overall security practices when adding or changing mobile banking services. The bank should strive for end-to-end encryption of all sensitive data. Typically, limiting the type of information generated, received and distributed by the bank helps to reduce risk, as does limiting the number of persons and entities with access to sensitive data. Related measures might also include requiring customers to adopt additional security measures, adjusting the risk allocation in customer agreements and expanding the bank’s insurance coverages.
Mobile banking warrants the highest level of contract structuring and legal review. The contract proffered by the vendor is only an opening bid. Both the bank and the vendor should expect to engage in significant negotiations to make sure that the bank’s expectations as to overall costs, implementation timeframes and very specific service levels are documented and agreed to. For a high-profile service like mobile banking, the contract should expressly limit assignment, transfer and subcontracting. The parties must agree on procedures to allow the bank to properly oversee the services provided by the main provider and its subcontractors, including the right to audit the vendor and obtain regular quality control reports.
Careful selection of legal counsel will pay off. The contract should be structured to reward the bank with discounts as adoption rates increase and as the bank increases in size, organically and through acquisitions. It is also essential to have a clear exit procedure built into the contract. A right to terminate if a breach is not cured within thirty days is not an effective remedy, since breaches can recur over time and be cured before any termination right kicks in. Termination-for-convenience fees (as contrasted to reasonable deconversion services fees) serve no function but to punish banks for leaving an unworkable relationship. Termination fees must be eliminated or forced to decline over time. Service level agreements with credits for breaches and termination rights for chronic breaches provide an objective means of discouraging poor performance and terminating the agreement.
Taking extra time to select legal counsel to negotiate a mobile banking contract can pay off handsomely. Counsel that are experienced in negotiating the particular type of contract you have and with the vendor you are dealing with can generate significant vendor cost savings, many multiples of the legal cost involved. The same counsel can efficiently guide the bank through misunderstandings that frequently arise during service implementation and when the contract needs further modification.
This article was originally published in the Western Independent Bankers Director’s Digest.