Managing third party vendor relationships has always been an important function in banks. More recently it has become a hot topic for state and federal financial bank regulators. The increasing complexity of what vendors are doing for banks and the related attention to cybersecurity threats all contribute to the greater scrutiny. The 2016 white paper by the OCC, “Supporting Responsible Innovation in the Federal Banking system: An OCC Perspective,” is just one of several guidance documents issued by the federal financial regulators over the past five years that focus to a large extent on third parties providing services and technology to banks. Significantly, some examinations have resulted in the regulators imposing settlements and impose civil money penalties on vendors. Previous to the OCC white paper, the CFPB issued third party guidance in 2012, the FFIEC provided guidance on IT service vendors in 2012 and the OCC and the Federal Reserve issued complementary guidance in 2013 on third party relationships and managing outsourcing risks.
The OCC guidance is generally looked at as the “gold standard” for evaluating issues that need to be addressed in a vendor agreement. That does not mean that every contract a bank signs needs to have every one of those issues addressed or that each one needs to be resolved in favor of the bank. Vendor contracts come in many different shapes and sizes and may affect everything from back office processing, internet delivery systems, use of the “cloud” to the people watering the plants at the branch. vendors will vary from small local operations to multi-national companies. The bargaining power of a bank obviously varies depending on its size. A small community bank is not going to have the same leverage negotiating a vendor contract with a national vendor as a much larger institution. That lack of leverage, however, is somewhat mitigated by the fact that large vendors understand what the regulators are looking for because they hear it from many of their bank customers. That does not mean though that they will always offer it in the first draft of an agreement! Finally, you need to keep in mind that there may be several different ways of approaching a particular issue and drafting the contract language, all of which may be produce an acceptable outcome. As a result, a typical contract may touch on all of the points found in the OCC guidance but the individual contract provisions will fall along a broad spectrum.
The OCC guidance provides a good road map to what state and federal bank regulators (not just the OCC) look for when reviewing a bank’s significant third party contracts. Contracts for significant third party contracts that fail to address the OCC highlighted issues may result in a bank being criticized in an examination report and could be a factor in a CAMELS downgrade of management. Management also needs to be aware that defects in major contracts will come up in due diligence performed in a merger transaction and can affect the viability of a proposed M&A deal. Thus, the “risks” that are being managed are broader than the business risk that occurs because of a non-performance by the vendor and is a good reason why senior management needs to pay close attention to the negotiation of significant vendor contracts.
Vendors should also be examining the guidance and modifying their contracts accordingly because banks are going to be raising the same issues over and over again. Vendor personnel who are on the front lines negotiating contracts need to be aware of the regulatory scrutiny and understand why requests for alterations to the contracts are being made by the bank.
This post is one of seven that will address different issues involving vendor contracts. The seventh post will include a checklist that can be used as a quick guide to reviewing a vendor contract. Again, please keep in mind that simply because an issue is flagged for discussion does not mean that the final outcome is preordained. There can be multiple ways of addressing an issue depending on the relative negotiating strength of the parties and the services in question. As with any contract, compromises will be made on the final terms. The most important outcome for a bank is to be able to show the regulators that a conscious decision was made about which issues were important for the contract in question and how the contract reached its final form.
Once all of the posts have run, the entire set of posts together with the checklist will be made available as one document.
Typical Elements of the Third Party Vendor Contract
Parties to the Contract.
Vendor and Vendor Affiliates. Let’s start with what is supposed to be one of the most elementary issues, who are the parties to the contract? Occasionally, a bank will negotiate a contract only to find that the contract is actually going to be signed in the name of a subsidiary or affiliate of the party they were negotiating with. The bank may still wish to proceed with signing the contract but it should do only after considering whether the subsidiary is capable of performing under the contract and can satisfy any claims for indemnification that might arise due to vendor mistakes. If the bank has any concerns in this regard they may want to consider obtaining a guaranty or other written commitment by the parent company to financially support the subsidiary. When dealing with a large company that has several affiliates, the bank should make at least a cursory review of how the various parts fit together and whether there are any affiliations that might cause regulators some concern.
Bank. It sounds simple, but you will be surprised how many times a vendor contract (at least the first draft) uses an incorrect spelling or completely different name for the bank. You should make sure that the contract names the bank correctly, including on the front page, the signature page and throughout the document including the notices section. All addresses, email addresses and other contact information should be filled in and correct. It is not unusual to see a contract that has the correct name of the bank on the first page but uses the name of another institution in other places in the document. These types of “artifacts” from other agreements can pose problems for the parties down the road, particularly if they affect the notice provisions. You want to know exactly who to call when there is vendor error and likewise, when the vendor is providing notice of upcoming downtime for software updates you want that notice to get to the right people at the bank.
Assignments. Typically the bank will not want to allow the vendor to be able to assign the contract unless they first obtain the written consent of the bank. The vendor will typically push back on this and seek pre-approval for an assignment to an existing affiliate. The vendor may also seek certain approval rights should the bank seek to assign the contract. Both parties will generally want to allow assignments by operation of law such as those that occur as part of a merger. The bank may have some concerns on this particular point inasmuch as there may be other vendors that the bank does not wish to do business with. It is not an easy point to negotiate but the bank may want to consider requesting the right to terminate the contract in the event of a merger. A bank’s success in getting that type of provision added to the contract will vary depending on the size of the vendor.