Third-Party Contract Expectations and the Interagency Guidance

Third-party risk is managed in large part by your vendor contract. This legal agreement not only sets expectations between you and your vendor, but it also helps mitigate risk through provisions like service level agreements (SLAs) and right to audit clauses. The importance of a well-written vendor contract cannot be overstated, and it’s no surprise that financial regulators have written extensively on this issue in their recent Interagency Guidance on Third-Party Relationships: Risk Management.

Third-Party Contract Expectations in the Final Interagency Guidance

The following is an overview of section 3, titled Contract Negotiation. We’ve provided a brief explanation of each component, along with some general contract management tips.

Note: Text taken directly from the guidance is noted in italics.

• Nature and Scope of Arrangement – Both parties should fully understand each other’s rights and responsibilities, including the third party’s termination or renegotiation rights. Other details might include a description of any supplementary services the third party may provide and whether the third party has access to your customers’ data. 
• Performance Measures or Benchmarks – Some third-party relationships may need to be measured with performance benchmarks like SLAs. The measures might be used to penalize or reward a third party, depending on under or overperformance. 
• Responsibilities for Providing, Receiving, and Retaining Information – The third party should be obligated to retain and provide timely, accurate, and comprehensive information that allows your organization to monitor risk and stay compliant. The contract should address details about the types and frequencies of third-party reports, as well as notification of whether the third party makes any significant changes related to mergers, acquisitions, or the use of subcontractors.
• The Right to Audit and Require Remediation – A third-party contract should include provisions that cover periodic audits of both the third party and applicable subcontractors. The provisions should also address plans to remediate any issues that are discovered during an audit. 
• Responsibility for Compliance With Applicable Laws and Regulations – Your organization can be held responsible if your third party is non-compliant. Therefore, the contract should specify how the third party should remain compliant and give your organization the right to monitor.
• Costs and Compensation – Billing disputes and misunderstandings can occur unless contracts are clear about certain details such as how the cost structure can change or which party is responsible for various audit, legal, or examination fees. 
• Ownership and License – Contracts should include details about how extensively the third party can use an organization’s information, such as its name, logo, and copyrighted material. The contract should also specify if your organization can claim ownership over any of the third party’s data that it generates during your relationship.
• Confidentiality and Integrity – Regulators expect organizations to protect sensitive information, even when it’s accessed, stored, or managed by a third or fourth party. This can be accomplished by contract provisions that state how the third party will protect your information and how and when they will disclose any breaches. Your contract may also require the third party to specify any corrective actions after an incident. It’s also important to consider whether you’ll require your third party to participate in a joint incident management exercise.   
• Operational Resilience and Business Continuity – Unexpected events like cyber incidents and natural disasters can disrupt operations, so it’s important that a third-party contract supports operational resilience. The contract should include details such as the third party’s specific recovery time and recovery point objectives, and potential requirements about joint business continuity plan testing. Business operations can also be interrupted by a third party’s business failure or bankruptcy, in which case the contract should state whether the third party can transfer your organization’s data or activities to another entity.
• Indemnification and Limits on Liability – Indemnification provisions can help clarify which party is responsible for damages if a third party or its subcontractor engages in misconduct or fails to perform. An organization can reduce liability by incorporating these provisions in its third-party contract.
• Insurance – An organization should consider insurance requirements in its third-party contracts to protect itself from any losses it may incur. In general, the third party should provide evidence that it maintains the types and amounts of insurance that’s appropriate for its risk. The contract may also require the third party to notify the organization of any material changes to its coverage. 
• Dispute Resolution – Contract disputes can cause delays and other negative impacts, so it’s important to consider the need for a documented resolution process. Disputes should be resolved quickly, and the contract should state whether the third party is obligated to continue providing products or services during this process. 
• Customer Complaints – If your third party is interacting directly with your customers regarding complaints or inquiries, the contract should include provisions about timely responses. Your third party should also provide your organization with sufficient, timely, and usable information to analyze customer complaint and inquiry activity and associated trends.
• Subcontracting – Third parties may use subcontractors, or fourth parties, which can elevate risk for an organization. Subcontractors can be especially risky if they’re involved in critical activities. Because there’s no direct contract with your organization and a fourth party, it’s important to address this arrangement in your third-party contract. Consider whether you’ll prohibit any subcontracting without consent and whether you have the right to terminate your third-party relationship if the subcontractor fails to comply with your third-party contract.
• Foreign-Based Third Parties – When working with a foreign third party, organizations should consider choice-of-law and jurisdictional provisions, that can resolve disputes under the United States or the other region’s jurisdiction. A third-party contract may be interpreted by foreign courts, so it’s advised to seek legal advice on the contract’s enforceability. 
• Default and Termination – An effective contract should allow an organization to terminate the third-party relationship without facing undue restrictions, limitations, or costs. The contract should include any requirements around termination and notification, as well as assurance that the third party will return or destroy any data in a timely manner.
• Regulatory Supervision – Third parties should understand their role in maintaining regulatory compliance. This can be reinforced through the contract by stating that third-party activities and relevant documentation are subject to examination and oversight by regulators.

3 Third-Party Contract Management Tips to Comply

Understanding regulators’ expectations is an important step in contract management as it can help you identify any gaps within your own processes. But satisfying regulators should be part of a broader strategy that includes other components, such as:

• Understanding roles and responsibilities – Contract management should never be done without the oversight and input of senior management and the board of directors. These individuals should be involved in negotiating, reviewing, approving, and executing third-party contracts.
• Performing ongoing reviews – Many organizations make the mistake of signing a third-party contract and filing it away until the renewal period. Contracts should be reviewed regularly to ensure that your third party is continuing to meet expectations. 
• Creating a central repository – Storing your third-party contracts in a central, easy-to-access repository will help create a more holistic view of your third-party relationships. This is especially important, considering that contract management typically involves multiple departments.

The final interagency guidance provides further evidence of the importance of a well-written third-party contract. There are many details to consider as you negotiate a contract, but they’re intended to keep your organization and customers protected from third-party risk.