- Examiners at both the state and federal levels are focusing on technology service provider contracts and ongoing vendor management and oversight.
- Before you finalize contracts, evaluate the technology service provider’s proposal and appraise pricing.
- Clearly define the rights and responsibilities of both parties before you sign the contract.
- Establish that you have protection against service disruption that could impact your access to the system and your ability to provide services.
More than ever, financial institutions rely on vendors to deliver outsourced technology services in an effort to lower the total cost of ownership, increase speed to market, and reduce the overall technology footprint.
With the increased complexity of technology services, and concerns surrounding risk management related to third party relationships, examiners at both the state and federal levels have shifted their focus toward scrutinizing:
- Technology service provider contracts at financial institutions
- Ongoing vendor management and oversight
Financial institutions must establish effective risk management practices, regardless of whether functions are performed internally or by a technology service provider. Your board of directors and senior management are responsible for making sure functions are performed in a safe and sound manner and in compliance with applicable laws. The degree of oversight, and review of outsourced functions, depends on how critical the function is to your financial institution’s operation.
Guidance from regulating bodies includes:
- Federal Deposit Insurance Corporation (FDIC) FIL-19-2019 notes, “Some contracts do not require the service provider to maintain a business continuity plan, establish recovery standards, or define contractual remedies if the technology service provider misses a recovery standard. Other contracts did not sufficiently detail the technology service provider’s security incident responsibilities such as notifying the financial institution, regulators, or law enforcement.”
- Office of the Comptroller of the Currency (OCC) “OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance” states, “The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships.”
- “OCC Bulletin 2020-10, Third Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29,” includes information on critical activities and how a financial institution can determine the risks associated with third-party relationships.
- The National Credit Union Administration (NCUA) “Letter to Credit Unions and Other Guidance 07-CU-13: Evaluating Third Party Relationships” and its enclosed “Supervisory Letter 07-01” are the main sources of vendor management guidance for credit unions.
- The Federal Financial Institutions Examination Council includes a list of actions financial institution management should take prior to signing a technology service provider contract in its “Outsourcing Technology Services” handbook, which includes contract issues. The written contract is the legally binding document that defines all aspects of the relationship and should be present in all servicing relationships.
How to evaluate contracts
Although contract evaluation can be a challenging and time-consuming task, it can help your institution secure a contract that meets your requirements, documents required service levels, and provides a solid foundation for a long-lasting relationship. More specifically, an evaluation allows you to:
- Meet your short- and long-term objectives
- Address business continuity and incident response risks
- Clearly define rights and responsibilities
- Establish adequate and measurable service level agreements
- Remove adverse provisions
Financial institutions often wonder why the evaluation process takes so long, but soon realize the value of taking time to thoroughly assess their needs, perform a pricing analysis, and conduct due diligence on any new products and services being considered. This time investment often leads to the identification of critical functionality, stronger negotiation power, and possible cost savings.
Proper planning and negotiation can help your financial institution respond to market conditions, drive growth, and improve its balance sheet. With the aid of market data, your technology advisor, and legal counsel, you can structure a comprehensive contract, with acceptable terms and conditions, at a fair price for the short and long term. Include these three steps during your negotiations.
Step one: Review overall solution and price
Before you finalize pricing, evaluate the technology service provider’s proposal and appraise pricing as it relates to market value, growth, strategy, and potential future expenses. Confirm the proposal contains the most appropriate pricing method for your financial institution’s needs.
Example: A financial institution receives a proposal from its current technology service provider for a migration from its current core processing system to a similar system offered by the technology service provider. The proposal contains bundled pricing instead of the transactional pricing used in its current technology agreement.
While bundled pricing can be simpler, it can also lack detail and flexibility. In this instance, the financial institution anticipates aggressive growth, both organically and from merger and acquisition activity, and the proposed bundled pricing does not adequately allow for this growth. Since anticipated growth could have a significant impact on future operating expenses, the bundled pricing needs to be negotiated to avoid suppressing future growth.
As you review proposals and pricing:
- Make sure the proposal fully describes the calculation of fees for base services, including any development, conversion, and recurring services, as well as any charges based on activity volume or any special requests.
- Account for additional costs of purchasing and maintaining hardware and software, including any items the proposal leaves for your institution to supply.
- Complete a detailed investment analysis to make sure the proposal aligns with, and contains, all the agreed upon services.
- Request clarification on all outstanding questions related to the proposal so any discrepancies are addressed.
- Compile your pricing requests and hold a meeting with the technology service provider to discuss them. Afterward, assess the updated proposal and finalize pricing.
Step two: Appraise terms and conditions
Before you sign a contract, clearly define the rights and responsibilities of both parties and make sure the contract does not contain provisions or incentives that could adversely affect your institution. Look out for significant cost increases after the first few years and substantial termination penalties. Termination penalties, specifically, can put an end to merger and acquisition discussions if the penalties are so severe the deal is no longer viable.
A simplified contract may sound like a good thing, especially as technology service provider contracts continue to grow in length and detail. Often, a simplified contract is created by the technology service provider in order to reduce the overall length of the document and streamline the process. However, be aware of the advantages and disadvantages.
Example: A financial institution receives a simplified contract from its technology service provider which contains gaps, including a lack of agreement about how a data breach would be handled and the notification timeframe. Since a data breach, or attempted data breach, could have a significant impact on a financial institution from multiple perspectives — including operational, financial, and reputational — language must be negotiated to state how the technology service provider would address a data breach and the notification requirements. In practice that means specifying what triggers notification, the clock it runs on (hours from discovery, not from the provider’s internal confirmation), who at the institution is notified, what detail the notice must contain, and the provider’s obligation to preserve evidence and cooperate with the institution’s own incident response and regulatory reporting.
As you appraise terms and conditions:
- Review the contract language carefully. Pay attention to security and risk management issues, backup and recovery services, and technical support.
- Understand service level agreements, which are formal documents that outline your financial institution’s predetermined requirements for the service and establish incentives for meeting — or penalties for failing to meet — the requirements. Service levels should be measurable and include contractual remedies if the technology service provider misses a service level.
- Develop a clear understanding of training and implementation requirements for resources, timing, and expectations for any new products and services before finalizing the contract. Review personnel and technology requirements and request a training and implementation plan from the technology service provider. Develop a communication plan, which can lead to a successful implementation of any new products and services.
- Work with your trusted technology advisor and legal counsel to discuss contract considerations related to required services, strategic considerations, performance and functionality, and overall relationship expectations.
- Hold a meeting with the technology service provider after you have identified contract requests.
Step three: Finalize the agreement
Continue to meet until an agreement is reached between your institution and the technology service provider on price, contract terms, and service levels. Develop a contract that clearly defines the expectations and responsibilities of the technology service provider to help limit your financial institution’s liability, enforce the contract, and mitigate performance disputes.
Adequate and measurable service level agreements may seem standard, but don’t wait to find out whether they are enforceable when the technology service provider experiences downtime.
Example: A financial institution experiences an extended period of downtime with its outsourced services provided by its technology service provider. During this downtime, the financial institution is unable to access systems, and therefore customer information, and transactions must be performed offline. This period of downtime has both an operational and reputational impact on the financial institution. When the financial institution reviews the service level agreements within its contract, it finds the technology service provider has carved out exclusions, including causes beyond its control, which prevent the financial institution from pursuing service credits or termination rights. Stronger service level agreements need to be negotiated to provide protections for the financial institution.
As you finalize agreements:
- Define what constitutes an occurrence within your service level agreements (how downtime is measured, when the clock starts and stops, and the minimum duration that counts), and understand any exclusions your technology service provider has carved out, since a broad exclusion for “causes beyond the provider’s control” can remove most real outages from the calculation.
- Establish protection against a period of downtime or a service disruption that could impact your access to the system and your ability to provide services.
- Make sure reporting is available to track your technology service provider’s compliance with the service level agreements.
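To see how the occurrence definition and exclusion list in steps above decide whether a remedy is ever owed, the following is an added worked example (not from the original article or from CLA) that recomputes a billing period’s availability and service credit from incident records. The incident records, the 15-minute occurrence threshold, the credit tiers and the two exclusion lists are all constructed assumptions; the provider’s draft excludes carrier failures as “beyond its control,” the negotiated version excludes only scheduled maintenance.

```python
"""Recompute SLA availability and service credit from incident records,
applying the contract's occurrence definition and exclusion list.

Added example; all data below is constructed, not from any real contract."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    start: datetime
    end: datetime
    cause: str  # root-cause category as the provider reports it

    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


# Constructed incident log for one 30-day billing period (April 2024).
PERIOD_START = datetime(2024, 4, 1)
PERIOD_END = datetime(2024, 5, 1)
INCIDENTS = [
    Incident(datetime(2024, 4, 3, 8, 0), datetime(2024, 4, 3, 14, 0), "network carrier failure"),
    Incident(datetime(2024, 4, 14, 1, 0), datetime(2024, 4, 14, 3, 0), "scheduled maintenance"),
    Incident(datetime(2024, 4, 20, 9, 10), datetime(2024, 4, 20, 9, 40), "application defect"),
    Incident(datetime(2024, 4, 25, 11, 0), datetime(2024, 4, 25, 11, 5), "application defect"),
]

# Hypothetical credit schedule: (availability floor in %, credit as a
# fraction of the monthly fee). Evaluated top-down; the first floor met wins.
CREDIT_TIERS = [(99.9, 0.00), (99.5, 0.05), (99.0, 0.10), (0.0, 0.25)]

# Two versions of the exclusion clause (hypothetical).
PROVIDER_EXCLUSIONS = {"scheduled maintenance", "network carrier failure"}
NEGOTIATED_EXCLUSIONS = {"scheduled maintenance"}


def counted_outages(incidents, exclusions, min_occurrence_minutes=15):
    """Apply the occurrence definition: not excluded, and long enough to count."""
    return [
        i for i in incidents
        if i.cause not in exclusions and i.minutes() >= min_occurrence_minutes
    ]


def availability_pct(incidents, exclusions, period_start, period_end,
                     min_occurrence_minutes=15):
    """Availability over the period after exclusions, in percent."""
    period_minutes = (period_end - period_start).total_seconds() / 60
    downtime = sum(i.minutes() for i in counted_outages(
        incidents, exclusions, min_occurrence_minutes))
    return 100.0 * (1.0 - downtime / period_minutes)


def service_credit_fraction(availability, tiers=CREDIT_TIERS):
    """Map availability to the credit fraction from the schedule."""
    for floor, credit in tiers:
        if availability >= floor:
            return credit
    return tiers[-1][1]


def evaluate(incidents, exclusions, period_start, period_end, monthly_fee):
    """Summarise the period the way a compliance report would."""
    outages = counted_outages(incidents, exclusions)
    avail = availability_pct(incidents, exclusions, period_start, period_end)
    credit = service_credit_fraction(avail)
    return {
        "occurrences": len(outages),
        "downtime_minutes": sum(i.minutes() for i in outages),
        "availability_pct": round(avail, 3),
        "credit": round(monthly_fee * credit, 2),
    }


if __name__ == "__main__":
    for label, excl in (("provider draft", PROVIDER_EXCLUSIONS),
                        ("negotiated", NEGOTIATED_EXCLUSIONS)):
        print(label, evaluate(INCIDENTS, excl, PERIOD_START, PERIOD_END, 50_000))
```

Under the provider’s draft, the six-hour carrier outage disappears from the calculation, the period lands at roughly 99.93% and no credit is owed; with only maintenance excluded, the same month is about 99.10% and triggers the 10% tier. The five-minute blip is dropped in both cases by the occurrence threshold, which is why that definition needs to be written into the contract rather than left to the provider’s reporting. Feed the same function the provider’s monthly report and your own monitoring data to check that the two agree.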
- Janine Wright, Director, CLA
Compliments of CliftonLarsonAllen – a member of the EACCNY.