Of all of the areas of third party risk management, perhaps the most difficult is handling contracts effectively. Whether it’s negotiating, tracking or simply finding all of them, contracts can be a real challenge.
Let’s talk about what an effective contract management system looks like.
First, what is vendor contract management?
Vendor contract management is a well-managed process for handling all agreements with the financial institution’s third parties from start to finish. This includes all aspects of the contracts, such as:
- Standards on what should be included
- Who is authorized to sign
- How they are centrally stored
- How they are tracked
- Key provisions that must be included
- How your customers’ information is protected
Best practices in contract management
Ideally, your institution will have one designated area for all contracts – stored in one repository with tracking to make sure key terms, like expiration dates and renewal notice periods, are always observed.
If the contract process was already decentralized, it is extraordinarily difficult to get it all into one location, physical or electronic. It’s not unusual to have people rifling through filing cabinets to find old, forgotten contracts. Putting the time and the effort into it is well worth it – after all, there is a great deal of responsibility written into each party’s side of the contract. Ideally, the contract negotiation and writing are done by experienced staff, including your legal counsel.
Common issues and problems in managing contracts
Setting aside the decentralized, often fragmented location of contracts, there are many other things that can go horribly wrong in contract management. In a haphazard approach to handling the agreements, you may have multiple contracts with the same company from your different lines of business – this can result in inconsistent provisions, poor tracking and even missing pricing opportunities.
Additionally, if the authority to develop and negotiate a contract is delegated out to various business areas, you can easily and inadvertently omit key parts of the contract simply because the business manager wasn’t aware of what needed to be included.
Consequences of not managing contracts well
There are too many bad things that can happen to possibly list them all, but some of the big ones bear mentioning. The real dangers are missing key dates, such as allowing a contract to auto-renew because you missed the date to notify this under-performing vendor that your financial institution “wants out”.
Additionally, if the contract doesn’t have strong mutual performance expectations, you may have little or no leverage to ensure that the vendor behaves the way that you’d expect. Perhaps the contract doesn’t contain the rights to audit or obtain appropriate due diligence, doesn’t have agreements to safeguard your members’ confidential information or strong requirements around regular reporting, or notification provisions in the event of a data breach – all of these can put your institution (and your customers) at real risk.
What do the examiners expect in the managing of contracts?
Let’s turn to the regulatory guidance, specifically to OCC Bulletin 29-2013, which has very prescriptive instructions in the category of contract negotiation. I won’t repeat the entire section, but it’s worth a detailed read.
To summarize some of the key expectations, the guidance lays out the following:
- Nature and scope of the agreement – laying out key terms for the contract, particularly around the safeguarding of information, the frequency of review and a well-documented process for entering into a new relationship
- Performance measures or benchmarks – identifying expectations and responsibilities on both sides of the relationship and the regular reporting required to support it
- Responsibilities for providing, receiving and retaining information – strict standards on frequency and scope of reporting, addressing other regulations and even providing an exit should one party fail to meet its obligations
- The right to audit and require remediation – again, this is one of the items we frequently see missed: the ability to obtain adequate due diligence and to review reports of controls and other examinations
- Insurance – the requirement to provide adequate insurance specific to the nature of the relationship
- Dispute resolution – determine ahead of time how key differences will be settled
- Limits of liability – determine who is responsible for loss or damage
- Default and termination – set standards on what events may lead to termination of the agreement and spell them out in clear and definitive terms
- Customer complaints – require notification and prompt resolution of any level of complaints
- Subcontracting – establish standards and approval requirements for engaging additional downstream providers, particularly if they have access to your customers’ information
- Foreign-based third parties – establish expectations on selection, hiring and training of third parties and focus on their standards for protecting your customers’ information
- OCC supervision – the OCC, or your prudential regulator, will expect the right to review all work products associated with the service provider
- Responsibility for compliance with all applicable laws and regulations – self-explanatory, but the service provider must follow the rules of law
- Cost and compensation – this is often the part that gets the most attention and causes other areas to be overlooked
- Ownership and license – who can use the bank’s brand and image and, most importantly, affect its reputation
- Confidentiality and integrity – clear guidelines on expected behavior and proper maintenance of records
- Business resumption and contingency plans – identify what the protocols are to maintain normal operations, as best possible, when disaster strikes
- Indemnification – which party is liable in the event of something bad happening
Contract management isn’t easy – it requires a commitment, not only by the parties involved, but by your entire institution to make sure that agreements are entered into only in a very prescribed, controlled, centrally managed and uniformly enforced manner.
Your board and your senior management team must rigidly adhere to these standards, in the best interests of your institution, your examiners and your customers.