This is part 7 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Indemnification. Indemnification provisions in a third party services contract can be hotly contested. There is no question that banks should include indemnification clauses that specify the extent to which the bank will be protected from claims arising out of the failure of the vendor to perform, including failure of the vendor to obtain any necessary intellectual property licenses. Not surprisingly, they can be one of the most difficult provisions to reach an agreement on.

In its simplest terms, indemnification constitutes an agreement to allocate certain risks of loss among the parties. It is analogous to a guaranty but just like a guaranty, the fact that you have one does not insure a party that they will in fact be protected from loss. An indemnification from a company that has little in the way of assets is no different than a guaranty from someone who has very little net worth. It may have some psychological value but may be worthless from a practical standpoint. Indemnification provisions can be drafted so tightly that they provide little protection and they can be made subject to limitations to the point that the protection offered is illusory.

If you look at a typical indemnification provision you will see, depending on the products or services being provided, some of the following items addressed:

  • claims resulting from bodily injury, death, or damage to personal or real property caused by the vendor
  • vendor’s capacity as an employer of a person.
  • intellectual property (patent, copyright, trade secret infringement or other intellectual property right claim) infringement claims
  • vendor’s violation of laws, rules, regulations, or orders applicable to it.
  • claims resulting from the vendor’s failure to comply with the bank’s policies
  • vendor’s breach of bank third party contracts for software, business methods or services used by the vendor
  • vendor fraud, criminal acts, or intentional misconduct
  • claims for vendor tax obligations arising from the provision of the services under the contract
  • claims by vendor subcontractor or vendors relating to the contract
  • vendor’s failure to obtain any necessary consents needed to perform under the contract
  • claims resulting from vendor intentional refusal to perform any portion of the services
  • claims resulting from vendor breach of the intellectual property, confidentiality, or data privacy provisions
  • claims that would have been covered by insurance but for vendor’s breach of its obligations to maintain insurance.

Obviously, the types of losses possible from the operation of heavy equipment will differ from a contract which provides financial software and the indemnification provision should be tailored to fit the situation. A vendor may push back quite strongly on claims for injury and death when the product being provided is merely computer software. A bank might reasonably conclude that the risk of physical injury is so small that the indemnification section need not cover such claims. The decision to include an indemnification agreement should be tied in with a determination by the bank about the vendor’s actual ability to meet its obligations under the indemnification section. The vendor may be strong enough financially on its own but typically, the bank will also want the vendor to maintain certain insurance coverage to support the indemnification obligations. Obtaining an indemnification from a party that is clearly unable to perform does not add a lot of value.

Indemnification Limitations. When negotiating indemnification provisions you should be aware that those obligations are oftentimes affected by “limitation of liability” provisions found elsewhere in the contract. A typical provision might limit the vendor’s liability to an amount which does not exceed the amount of fees it has been paid by the bank for a certain time period. Likewise, the provision may be set up so that one party absorbs the first amount of damages up to a specified dollar amount with the other party absorbing the damages above that amount. Another typical limitation is that the vendor will typically want to exclude any punitive damages or contract claims for lost profits.

The actual limitation agreed upon and ultimate allocation of losses will depend on the negotiating position of the parties. Whether you are a money center bank or a small community bank, however, you will want to know where you stand vis-à-vis the vendor in the event damages occur.

When considering the dollar amount limitations, the bank may want to consider carving out certain events due to the outsize exposure the bank might incur. These would include events such as damages arising from a party’s failure to pay required taxes; failure to comply with applicable laws, rules, and regulations; breach of the data privacy obligations and payment for remediation actions; misappropriation and/or unauthorized use or disclosure of confidential information, intentional misconduct, criminal acts, or fraud and reaches of the intellectual property provisions.

Carefully scrutinize any provision in the contract that requires the bank to indemnify the vendor. While the bank will typically seek to minimize its indemnification obligations, there may be situations where the vendor is unwilling to move forward unless the bank provides a certain level of indemnification. If indemnification is going to be required the bank should examine its insurance to determine whether the indemnification claims would be covered by the bank’s policy.

Insurance.  The requirement that the vendor maintain insurance is related in some ways to the indemnification provision but is also independent of that provision. The bank may expect that, depending on the scope of any indemnification limitations, certain of the obligations arising under the indemnification section may need to be satisfied by access to an insurance policy.  Outside of the indemnification obligation, the bank will want to know that the vendor will be able to satisfy claims brought against it for any one of a multitude of claims and still remain in business. A contract will generally stipulate that the vendor is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance.

Customer Complaints. Who is charged with responsibility for responding to customer complaints? Specify whether the bank or vendor is responsible for responding to customer complaints. If it is the vendor’s responsibility, specify that the vendor will receive and respond timely to customer complaints and forwards a copy of each complaint and response to the bank.  The vendor should submit sufficient, timely, and usable information to enable the bank to analyze customer complaint activity and trends for risk management purposes. The contract should address the time frame within which the vendor should respond to customers as well as when it will notify the bank of the complaint. The vendor should also inform the bank of the resolution of the complaint within a specified time frame.

The vendor should be expected to document how each complaint is made, whether by letter, email or phone call.  Copies of correspondence to and from the customer should be retained and provide to the bank. The bank needs to have sufficient information to be able to respond to bank regulatory agency requests about a particular complaint. A typical contract provision might require the vendor to provide the bank with a quarterly summary of all complaints in the form and manner determined by or acceptable to bank. The bank will also want to be able to access all pending complaints and responses.

Bank Regulatory Oversight. A best practice is to go ahead and incorporate a provision in the contract whereby the vendor acknowledges the federal banking agency regulatory oversight. Some vendors will be surprised to find out that their activities are subject to such oversight and will push back on any such provision. As a practical matter, it does not matter whether a provision is included in the contract, the federal regulators take the position that they have the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises. It is more of a “heads up” type of provision just to make sure that the vendor is not surprised if the FDIC or OCC reaches out to them.

Zombies. Somewhat surprisingly, federal bank regulatory guidance does not suggest how vendor service agreements should deal with zombies. This was apparently an oversight on their part and we have been assured that the interagency taskforce comprised of members from the Federal Reserve, the OCC and the FDIC are under intense pressure to come out with guidance  now that the CDC has beaten them to the punch.  While there are some commentators who believe that the force majeure clause sufficiently covers service disruptions due to zombie attacks, others believe that you should be more proactive.  For example, Amazon Web Services provides that certain restrictions of the use of its services no longer apply “in the event of the occurrence (certified by the United States Centers for Disease Control or successor body) of a widespread viral infection transmitted via bites or contact with bodily fluids that causes human corpses to reanimate and seek to consume living human flesh, blood, brain or nerve tissue and is likely to result in the fall of organized civilization.”  We will leave it to you to decide whether you want to deal with zombies under force majeure or a more custom drafted provision.