ABA Banking Journal
Third-Party Tactics: Six Strategies for Negotiating Contractual Terms

June 21, 2017
By Krista Shonk

When engaging in contract negotiations with a third party, have you ever been told “other banks don’t request that provision”? Or, how about “your requested terms are not industry standard”?

It’s a common reply from service providers that have a limited number of competitors and from fintech companies that are not aware of the regulatory standards to which banks are held. One thing is clear: banks of all sizes are frustrated with the “you are the only bank” response.

However, a recent FDIC Office of Inspector General (OIG) study of contracts between banks and technology service providers (TSPs) provides some useful insights that banks can and should leverage during the contracting process.

The study examined 48 contracts involving 19 financial institutions, all of which involved TSPs designated as “critical” or “high” risk to the financial institutions’ operations. The OIG concluded that frequently bank contracts with TSPs do not adequately describe TSP responsibilities related to business continuity and responses to cybersecurity breaches. In light of these findings, the OIG recommended that the FDIC more closely evaluate bank contracts with TSPs.

Strategies for successful contracts

As regulators step up their scrutiny of TSP contracts, institutions may want to consider the following takeaways from the OIG’s report when negotiating new contracts, renewing existing ones, or adding additional services with existing third parties.

1. Ensure contract terms provide clear and specific definitions. Most contracts that the OIG reviewed did not use key terms that are found in regulatory guidance, or failed to clearly define them. Some contracts provided limited definitions that were tied to broad generalizations or general regulatory references. In other cases, subjective terms such as “potential breach,” “unauthorized access,” “containment,” “material impact” and “timely notification” were undefined and could be subject to differing interpretations. The OIG recommends that banks clearly define key contract terms that are important in understanding bank rights and TSP responsibilities in the event of a business disruption or computer security incident, particularly for those TSPs that institutions identify as “critical” or that have access to sensitive or personally identifiable information. 

2. Address TSP responsibilities for recovery and resumption of critical systems, services and operations. The OIG also found that contracts with TSPs frequently lacked specificity and completeness with respect to business continuity and incident response procedures and obligations. Contract provisions that detail key business continuity responsibilities could provide banks with greater assurance that systems, services, and operations will be recovered and resumed in a timely and effective manner if there is a disruption.

  • Business continuity plan. Approximately half of the contracts the OIG reviewed did not require the TSP to establish a business continuity plan. Those that did so failed to describe the TSP’s responsibility to maintain continuous risk management processes or ensure capacity necessary to restore services to multiple clients under adverse scenarios. Some contracts limited the TSP’s business continuity responsibilities in the event of a disaster.
  • Business continuity reporting. More than half of the contracts required only limited reporting by TSPs, such as financial statement audit reports and independent third-party reviews (e.g., SOC reports). In many cases, TSP reporting responsibilities did not include management information system monitoring reports, performance reports, internal control reviews, security and business resumption testing, and regulatory examination reports.
  • Performance standards. Few contracts established or defined clear performance metrics and remedies for failure to meet business continuity obligations.

3. Specify obligations to contain, control and report incidents. Most contracts reviewed by the OIG addressed TSP responsibilities for information security and confidentiality by requiring the TSP to notify the bank of intrusions that may materially affect the bank or its customers. However, the contracts did not specify TSP responsibilities for assessing and responding to a potential incident, determining the potential effect on the institution and its customers, or reporting to regulatory and law enforcement authorities. Additionally, the contracts typically did not provide remedies for failure of the TSP to meet incident response and reporting requirements. In the event of a data security breach, contracts that specify incident response and reporting obligations could help to minimize harm to the bank and its customers.

4. Address the use of subcontractors. The FDIC’s June 2008 guidance on managing third-party risk states that “significant” contracts should prohibit third parties from subcontracting their obligations to another entity unless the financial institution determines that the subcontracting arrangement would be consistent with the due diligence standards used to select the third party. Contracts associated with 18 of the 19 financial institutions that the OIG reviewed (95 percent) allowed service providers to subcontract assigned work. However, only 4 out of 19 institutions (21 percent) documented consideration of subcontractor use within their TSP due diligence and risk assessment matrices, as required by regulatory guidance.

5. Discuss business continuity plans and incident response expectations for existing contracts. The FDIC does not expect institutions to renegotiate current contracts solely in response to the OIG report. However, the FDIC “encourages” institutions to discuss business continuity and incident response concepts, guidance, and expectations with their service providers, even if a contract is not up for renewal.

6. Employ staff sufficiently knowledgeable about or engaged in contract management. The OIG is concerned that banks may not be adequately involved in writing and negotiating contracts to ensure that the bank’s rights and the TSP’s responsibilities are clearly defined. Most of the contracts that the OIG reviewed appear to have been drafted by a TSP and were based on standardized forms that lacked specificity needed to protect the bank’s needs regarding business continuity and incident response. Not surprisingly, many of the contracts were drafted to favor the TSP. In short, lack of contract management expertise can weaken a bank’s control environment.

What’s next?

In addition to pointing out the OIG’s findings during future contract negotiations, banks should expect increased regulatory scrutiny of contractual terms. In response to the OIG’s study, the FDIC committed to:

  1. Communicate to supervised institutions the importance of effective contracts. This could include issuing additional guidance or exam procedures or conducting additional exams and off-site monitoring. Targeted completion date: June 2018.
  2. Prepare a full horizontal review that assesses third-party contract adequacy and oversight across multiple institutions. Targeted completion date: October 2018.

Banks entering contract negotiations should consider how to leverage this increased regulatory focus to negotiate more favorable contract terms with respect to business continuity and incident response. Perhaps there is hope after all for quashing service provider comments that “no one else asks for this.”

Krista Shonk is VP for mortgage finance and senior regulatory counsel at ABA.

This article is the first in a new series focused on third-party risk management. Third-Party Tactics, which will appear bimonthly on the ABA Banking Journal site, explores leading practices and practical tips for third-party risk management.
