By Krista Shonk
When engaging in contract negotiations with a third-party, have you ever been told “other banks don’t request that provision”? Or, how about “your requested terms are not industry standard”?
It’s a common reply from service providers that have a limited number of competitors and from fintech companies that are not aware of the regulatory standards to which banks are held. One thing is clear: banks of all sizes are frustrated with the “you are the only bank” response.
However, a recent FDIC Office of Inspector General (OIG) study of contracts between banks and technology service providers (TSPs) provides some useful insights that banks can and should leverage during the contracting process.
The study examined 48 contracts involving 19 financial institutions, all of which involved TSPs designated as “critical” or “high” risk to the financial institutions’ operations. The OIG concluded that frequently bank contracts with TSPs do not adequately describe TSP responsibilities related to business continuity and responses to cybersecurity breaches. In light of these findings, the OIG recommended that the FDIC more closely evaluate bank contracts with TSPs.
Strategies for successful contracts
As regulators step up their scrutiny of TSP contracts, institutions may want to consider the following takeaways from OIG’s report when negotiating new contracts, renewing existing ones, or adding additional services with existing third-parties.
1. Ensure contract terms provide clear and specific definitions. Most contracts that the OIG reviewed did not use key terms that are found in regulatory guidance, or failed to clearly define them. Some contracts provided limited definitions that were tied to broad generalizations or general regulatory references. In other cases, subjective terms such as “potential breach,” “unauthorized access,” “containment,” “material impact” and “timely notification” were undefined and could be subject to differing interpretations. The OIG recommends that banks clearly define key contract terms that are important in understanding bank rights and TSP responsibilities in the event of a business disruption or computer security incident, particularly for those TSPs that institutions identify as “critical” or that have access to sensitive or personally identifiable information.
2. Address TSP responsibilities for recovery and resumption of critical systems, services and operations. The OIG also found that contracts with TSPs frequently lacked specificity and completeness with respect to business continuity and incident response procedures and obligations. Contract provisions that detail key business continuity responsibilities could provide banks with greater assurance that systems, services, and operations will be recovered and resumed timely and effectively if there is a disruption.
- Business continuity plan. Approximately half of the contracts the OIG reviewed did not require the TSP to establish a business continuity plan. Those that did so failed to describe the TSP’s responsibility to maintain continuous risk management processes or ensure capacity necessary to restore services to multiple clients under adverse scenarios. Some contracts limited the TSP’s business continuity responsibilities in the event of a disaster.
- Business continuity reporting. More than half of the contracts required only limited reporting by TSPs, such as financial statement audit reports and independent third-party reviews (e.g., SOC reports). In many cases, TSP reporting responsibilities did not include management information system monitoring reports, performance reports, internal control reviews, security and business resumption testing, and regulatory examination reports.
- Performance standards. Few contracts established or defined clear performance metrics and remedies for failure to meet business continuity obligations.
3. Specify obligations to contain, control and report incidents. Most contracts reviewed by the OIG addressed TSP responsibilities for information security and confidentiality by requiring the TSP to notify the bank of intrusions that may materially affect the bank or its customers. However, the contracts did not specify TSP responsibilities for assessing and responding to a potential incident, determining the potential effect on the institution and its customers, or reporting to regulatory and law enforcement authorities. Additionally, the contracts typically did not provide remedies for failure of the TSP to meet incident response and reporting requirements. In the event of a data security breach, contracts that specify incident response and reporting obligations could help to minimize harm to the bank and its customers.
4. Address the use of subcontractors. The FDIC’s June 2008 guidance on managing third-party risk states that “significant“ contracts should prohibit third parties from subcontracting their obligations to another entity unless the financial institution determines that the subcontracting arrangement would be consistent with the due diligence standards used to select the third party. Contracts associated with 18 of the 19 financial institutions that the OIG reviewed (95 percent) allowed service providers to subcontract assigned work. However, only 4 out of 19 institutions (21 percent) documented consideration of subcontractor use within their TSP due diligence and risk assessment matrices, as required by regulatory guidance.
5. Discuss business continuity plans and incident response expectations for existing contracts. The FDIC does not expect institutions to renegotiate current contracts solely in response to the OIG report. However, the FDIC “encourages” institutions to discuss business continuity and incident response concepts, guidance, and expectations with their service providers, even if a contract is not up for renewal.
6. Employ staff sufficiently knowledgeable about or engaged in contract management. The OIG is concerned that banks may not be adequately involved in writing and negotiating contracts to ensure that the bank’s rights and the TSP’s responsibilities are clearly defined. Most of the contracts that the OIG reviewed appear to have been drafted by a TSP and were based on standardized forms that lacked specificity needed to protect the bank’s needs regarding business continuity and incident response. Not surprisingly, many of the contracts were drafted to favor the TSP. In short, lack of contract management expertise can weaken a bank’s control environment.
In addition to pointing out the OIG’s findings during future contract negotiations, banks should expect increased regulatory scrutiny of contractual terms. In response to the OIG’s study, the FDIC committed to:
- Communicate to supervised institutions the importance of effective contracts. This could include issuing additional guidance or exam procedures or conducting additional exams and off-site monitoring. Targeted completion date: June 2018.
- Prepare a full horizontal review that assesses third party contract adequacy and oversight across multiple institutions. Targeted completion date: October 2018.
Banks entering contract negotiations should consider how to leverage this increased regulatory focus to negotiate more favorable contract terms with respect to business continuity and incident response. Perhaps there is hope after all for quashing service provider comments that “no one else asks for this.”
Krista Shonk is VP for mortgage finance and senior regulatory counsel at ABA.
This article is the first in a new series focused on third-party risk management. Third-Party Tactics, which will appear bimonthly on the ABA Banking Journal site, explores leading practices and practical tips for third-party risk management.