September 29, 2016
Authored by: Jerry Blanchard
Vendor Notice Requirements
Business - Strategic Changes. There are several categories of events the bank will want to be notified about. The first involves significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures, or other business activities that could affect the activities involved. In certain instances the bank may want the ability to terminate the contract if the vendor merges with another company or if there is a change in control. Similar to a loan transaction, the bank has “underwritten” the vendor. Bank officers have met the vendor’s senior management and are comfortable with the general direction of its business. A merger or change of control may change the strategic direction of the vendor, and the bank wants to make sure it knows who it is doing business with.
Business Events - Corporate Changes. The contract should address notification to the bank before the vendor makes significant changes to the contracted activities, including acquisition, subcontracting, off-shoring, management or key personnel changes, or implementing new or revised policies, processes, and information technology. Related provisions in the contract would be sections that, without bank consent, prohibit the assignment of the contract, changes in the listed locations where work is being performed, and the use of subcontractors not previously approved by the bank.
Business Events - Adverse Changes to Business Operations. This category requires the prompt notification of financial difficulty, catastrophic events, and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions, or other regulatory actions. The bank should already have a contingency plan in the event the vendor goes out of business, but a timely notification requirement helps to ensure that the bank will have adequate time to put the contingency plan into motion.
Business Continuity. The contract should address what happens if the vendor’s business is affected by natural disasters, human error, or intentional attacks. The contract should define the vendor’s business continuity and disaster recovery capabilities and obligations to enable the vendor to continue delivery of the services in the event of a disaster or other service interruption affecting a location from which the services are provided. Force majeure events should not excuse the vendor from performing the business continuity/disaster recovery services. The contract should include the vendor’s disaster recovery plan defining the processes the vendor follows during a disaster, including backing up and otherwise protecting programs, data, and equipment, and maintaining current and sound business resumption and contingency plans. A contract may include provisions—in the event of the third party’s bankruptcy, business failure, or business interruption—that allow the bank to transfer the bank’s accounts or activities to another third party without penalty. The contract should require the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented, and should include specific time frames for business resumption and recovery that meet the bank’s requirements and, when appropriate, regulatory requirements. Depending on the critical nature of the service being provided, the bank may also want to consider stipulating whether and how often the bank and the vendor will jointly practice business resumption and disaster recovery plans.
Another important element of business continuity is who is going to be responsible for notifying bank clients of potential disruptions in the vendor’s operations when the vendor is providing a bank client related service.
Information Breaches and Compliance Lapses. The compliance and information security requirements of the contract should include obligations to promptly notify the bank in the event the vendor becomes aware of, or reasonably suspects, that an information or data breach or compliance issue has occurred. This is not something that the bank wants to discover from reading the paper or, even worse, from a bank customer who calls. A breach raises a whole host of other issues depending on the type of information that may have been impacted by the breach. There may be both federal and state law implications requiring notification to customers arising out of such a breach. The out-of-pocket costs of investigating and reporting a data breach can be substantial, and the contract should be clear about any indemnification obligations of the vendor. The bank may want to consider what type of insurance the vendor should carry in order to satisfy the indemnification obligation.
Bank Notice Requirements. A typical provision might call for the bank to notify the third party if the bank implements strategic or operational changes or experiences significant incidents that may affect the third party. This may be such an unlikely event that vendors will only raise it as an issue in certain unusual situations. If the provision does get included it should define exactly what the events might be that would trigger the notice requirement.
Audit rights. As Ronald Reagan famously said, one should “trust but verify.” Depending on the type of contract and the nature of the services being provided, the bank may want to have the right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract. A bank should include in the contract the types and frequency of audit reports the bank is entitled to receive from the third party (e.g., financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews).
If an audit is required, the bank will want to consider whether to accept audits conducted by the vendor’s internal or external auditors. Obviously, the level of oversight will depend on the type of services being provided, the scope of the contract, and the size and sophistication of the vendor. The bank may wish to reserve the right to conduct its own audits of the vendor’s activities or to engage an independent party to perform such audits. Audit reports should include a review of the vendor’s risk management and internal control environment as it relates to the activities involved, and of the third party’s information security program and disaster recovery and business continuity plans.
The contract should be clear about who will conduct any required audit; it should not be an item left for the parties to decide on an informal basis post-closing. If the bank is reserving the right to audit the vendor, the contract should specify that the vendor must permit audits by the bank’s auditors, designees, and any government regulator, including allowing access to facilities, personnel, and records. The bank should be permitted to perform financial, operational, and security audits to verify that the vendor is complying with the contract. The vendor should be required to develop a remediation plan and remediate issues uncovered during any audit.
If possible, the bank would prefer that the contract contain an affirmative statement that the vendor is obligated to cooperate with the party conducting the audit.
The vendor is going to have several concerns about an audit provision, the first being who is going to pay for it. A typical provision provides that the audit is to be performed at the bank’s expense, but a variation would shift the expense to the vendor if the audit reveals material violations. The vendor will also have concerns over how often the bank can conduct an audit and on what type of notice. One common approach is the right to conduct an annual audit, coupled with the right to conduct one more often if something such as an information breach has occurred. Finally, the vendor will want to know what type of notice will be given for an audit. The bank may prefer to leave it vague, but the vendor will generally want either a specific number of days’ notice or, at a minimum, a “reasonable” time period.
Compliance with laws and regulations. The contract will generally require both parties to comply with specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including provisions that outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and other consumer protection laws and regulations. This can be a hotly contested provision. Parties on both sides of the contract will oftentimes seek to modify this provision to make it a bit more forgiving. Compliance with all laws is an aspirational target, but the reality is that in our very complex society, anyone can find themselves having run afoul of some law or regulation. Thus, a vendor may seek to limit the applicability of this requirement to those laws and regulations that are directly applicable to it and its operations. Second, both parties may seek to limit the requirement to material compliance with those laws and regulations. To the extent the bank maintains policies and procedures outlining the laws and regulations it is subject to and how it complies, and depending on the type of services being provided, it will also want to require the vendor to comply with those policies. This item will also be addressed in the bank’s ability to audit the vendor.
Compensation. Compensation for the services can be as simple as a monthly or annual fee or can involve a complicated calculation based upon various usage levels and vendor support. The contract should fully describe compensation, fees, and calculations for base services, as well as any fees based on volume of activity and for special requests. There may be separate fees incurred for on-site training as opposed to online training.
The contract should address any expenses that will simply be passed along to the bank. The contract should identify the types of taxes that will be borne by the bank and whether those taxes are included in the fees or charged on a pass-through basis. The contract should also identify which party is responsible for any tariffs, duties, and import/export fees imposed on the services.
You should scrutinize the contract to see if there are any expenses for materials or services from other parties being incurred by the vendor that it is trying to pass along to the bank. If there are such expenses, how does the bank know what to expect? Are there any caps on such expenses? Preferably, all such expenses are simply assumed by the vendor as overhead and not passed along to the bank.
Banks should also be on the lookout for fee structures that might have the unfortunate effect of incentivizing risky behavior on the part of the vendor.