Vendor Management: Working out Contract Issues

No matter who the vendor is, or how long they’ve supplied their service or item to your institution, you need a written contract. Even the company who supplies your bottled water needs a simple form contract. The strongest relationships begin with a contract that you and your vendor agree upon. Managing your relationship with the vendor, if problems arise, will come down to what is and isn’t in the contract.

Third party service vendors are looked at by examiners, and your examiner will ask if you’ve done due diligence in performing a thorough risk assessment and vetting the vendor’s ability to provide the service or action for your institution, all according to the same standards that would apply if you did it yourself. The contract with any vendor, to the extent applicable, should cover expectations and responsibilities, the amount of work and cost, type and timings of reporting on the status of work being performed, process for changes in anything in the contracted work and notification of issues, ownership of any work product, an acknowledgement that the vendor is subject to regulatory review, privacy and information security, a process for ongoing monitoring, and supervision and dispute resolution. Because your examiner may review the contract and what it stipulates, as part of your institution’s examination, your legal department should review any significant contracts prior to signing.

A common dilemma with vendor contracts is the expectations and responsibilities of the vendor and the financial institution are not properly addressed. When questions pop up, answers are difficult to define, the institution and the vendor insists that the other is responsible. You will want to consider every contingency in the delivery of the service or item and every possible question, especially ones such as: the vendor’s responsibility and accountability; escalation guidelines, when the vendor must call the institution; and acceptable range of service quality.

The services and the scope they will include must be looked at carefully and answered fully in the written contract. The services scope must at least include: vendor’s services list; what the institution is charged with; delivery of services calendar; what will be installed or delivered, and in what manner. The contract should also have a section regarding fees outside of the stated contract, and what the institution will be responsible for. One important point to include is a performance service level, what standard of quality and timing will be allowed, and what the margin of error will be should be stipulated in the contract. Services that a financial institution may outsource include: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. If you’re dealing with a technology vendor, a service level agreement (SLA) will be required. The SLA will outline the standards of performance and service quality that will be delivered. Under each service outlined in the SLA, the range of accepted service quality will be listed along with a clear wording of what is to be measured in the quality assessment, also a determination of how it will be measured and the formula to calculate the service level and stipulate what will happen if the level isn’t met. Here’s a sample SLA from the FDIC: Sample SLA

Third party service provider contracts should also stipulate the institution’s ability to assess the performance of the provider. The contract should list what is expected from the provider, including reports, audit and internal control (including financial) reports must be available if stipulated. This is very essential in the risk assessment shows that the service provided is highly valuable or a high risk transaction is provided by the provider.

Length of the provider’s contract is also another consideration. Financial institutions should look to have flexible, shorter-term contracts, particularly in technology areas where the winds of change are constantly in flux. You don’t want to be tied to a vendor who won’t or can’t keep up with the newest technology demands. Finally, here is FFIEC Guidance on: Risk Management of Outsourced Technology Services.


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.