Contracts are risk-management tools, especially as millions of dollars in liability—and the bank’s reputation and customer relationships—can be at stake.
By Charles J. NerkoBanks are often hit with a wide range of tech legal claims, by customers, credit card companies and even other financial institutions, over everything from privacy and website accessibility to overdraft fee calculations.
Many of those claims result from a third-party vendor’s technology, even though banks are the targets of the litigation. Banks are often stuck with the tab unless the contract places the liability elsewhere.
Banks can protect themselves by crafting a tech contract that is as airtight and comprehensive as possible. It’s not just an agreement. It’s a risk-management tool, especially as millions of dollars in liability—and the bank’s reputation and customer relationships—can be at stake.
The checklist below can guide banks large and small through the negotiation and contract process to make sure the tech vendor is the responsible party when something goes wrong:
Create a realistic indemnity framework. This goes to the heart of the reason a robust contract is necessary. Banks need to ask at every juncture of the contract process whether they will be encumbered with responsibilities that are in the tech vendor’s jurisdiction. Data breaches, code issues and intellectual property infringement, for example, clearly should be under the vendor’s umbrella. The vendor’s insurance policies must be analyzed to ensure the indemnity has meaningful financial backing.
Banks need to be aware of other provisions that may render an indemnity illusory. Some vendors will provide an indemnity for inaccurate records, yet 20 pages down in the contract, require a bank to review all its records and report discrepancies in 48 hours. This unreasonable requirement makes the indemnity meaningless.
Specify performance standards and remedies. The best contracts leave no doubt as to the vendor’s responsibilities, deadlines and expected level of performance. And remedies for noncompliance should be clear. Banks won’t get a second chance to recut the deal once it’s been signed.
Performance pledges made in marketing materials, an RFP response or even during negotiations can be legally worthless if not backed up in the contract. The bank’s attorney needs to be tech-savvy and up to date about these types of agreements so they are tight enough to hold the parties accountable but flexible enough to anticipate changes.
Be aware of contract end dates. With all the attention on the start of the contract, many banks fail to take note of the end date or the automatic renewal clause and get buried by these provisions. A contract should set a specific end date rather than have one measured from when the services begin. When a contract feature is added later, it sometimes starts the contract’s clock anew. Keeping track of end dates and non-renewal notice deadlines is crucial.
Banks learn to come up with their own approaches. For instance, David Chinnery, EVP, COO and vice chairman of the Bank of Prairie Village in Kansas, has a strict policy about auto-renewals. Every time he signs a contract, he submits a non-renewal notice. As a result, he never faces an automatic renewal.
The bank also should outline details of how to proceed when its relationship with the vendor breaks up.
Seek strong security measures. Because they are heavily regulated, banks face security requirements not imposed on other industries. The contract should spell out the vendor’s security obligations, such as use of firewalls and authentication. It also should delineate each party’s responsibility in the event of a security incident, including for remediation and notification.
The role of an independent third party with the authority to randomly check on the vendor’s security needs to be specified in the contract. All this is assuming the bank has thoroughly researched the vendor—including its financial statements, cybersecurity measures and litigation history, among other factors—before signing the contract.
Own your data. The contract should make clear that even though the vendor can access bank data in the course of its work, the bank owns the data. A provision requiring return of the data in a usable form after the relationship concludes is paramount. Otherwise, the vendor has little reason to protect, return or make the data usable by a successor vendor without an exorbitant additional fee.
Be detailed with fees. Key fees should be clearly enumerated in the contract. Avoid wording such as “standard” or “customary” rates. Such terms create a breeding ground for confusion and differing expectations by both sides. A disagreement over something that should be straightforward from the start can lead to unanticipated excess costs.
Carefully consider subcontracts. Subcontracts may be used if it is clear that the vendor is responsible for the subcontractor’s work and if the subcontractor’s identity is made known to and approved by the bank. It’s also important to know of other countries where the subcontractor stores and processes data. Those locations might make the bank subject to foreign privacy laws, or not offer the bank sufficient legal protections.
Evaluate non-contractual remedies. If a bank is saddled with liability based on a vendor’s services, it should consider pursuing non-contract claims, particularly if the contract remedies are limited. Asserting claims based on property damage, negligence, fraud, trade secret misappropriation or other non-contract theories may provide grounds for recovery even when a contract is disadvantageous.
The only universal component throughout the entire contract process is the importance of having an experienced attorney vigilantly craft and review each agreement based on the needs of the particular bank. Then evaluate potential claims against a vendor when issues arise. As Sultan Meghji, my friend and former chief innovation officer at the FDIC, advises: “I would always suggest bringing in outside partners to help.”