For the non-bank lender, the process of vendor oversight begins prior to establishing an annual audit schedule. And like any good process, it begins well at the beginning - the contract. Negotiation and execution of a contract is a science and an art. As a client, you may have a need for a service that the vendor offers. For the vendor, there is the potential for an additional revenue stream. With that, a well thought out contract can assist in the vendor audit process.
What CFPB Regulation Says
CFPB Bulletin 2012-03 states:
"Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive or abusive acts or practices."
Vendor Contract Controls
Mixing legal terms with relationship building to ensure that an agreement is fair and equitable is a pre requisite for a strong partnership... But, and this is where it gets interesting, a good vendor management professional will work diligently to incorporate a strong foundation of controls into a contract to ensure that adequate vendor oversight practices can be conducted.
After all, if you do not include a Right to Audit clause in the contract, your initial outreach to include a vendor in an audit cycle may prove challenging. Remember the terms of a contract are binding and are a two way street. If the terms are not set up correctly to begin with then you may later find yourself struggling to effectively manage a vendor who by rights doesn’t have to willingly cooperate. Based on experience, most vendors cooperate to some extent but the process in itself adds extra time and resources to what could possibly have been averted with a clear, concise contract.
In some instances, there may be disconnects between legal departments and vendor management teams. One is focused on the legal terms with a heavy emphasis with regulatory compliance concerns, while the other is focused on the ongoing vendor oversight duties. This is the time to perform a requirement gathering session and meet to address contract requirements that essentially are forward looking and include key items of what the vendor risk oversight team will be looking for a year from now.
9 Key Vendor Contract Items
The following isn't an exhaustive list but is a good starting point when mapping out what is important to you when developing a contract.
- Will the vendor have access to NPPI (Non Public Personal Information)?
- Who will have access to this data and where? Onshore, Offshore, Near Shore?
- Termination Rights - Did the product or service perform? Can you cancel with or without cause?
- Right to Audit – be specific of the documents you require, this helps control any pushback such as " I can give you this, but not that". Negotiate this piece now and not during the audit process.
- Business Continuity – Agree, that the vendor will communicate any outages to the client and that back up plans are in place so that operations are not interrupted.
- Customer Facing - the ability for the client to listen in on customer facing phone calls to ensure quality and recognize satisfactory vendor performance or implement corrective action.
- Service level agreements (SLA's) with penalty.
- Warranties vs As-is we guarantee it or your money back vs. Here is the product. Take it or leave it.
- Consumer Complaints - This helps enforce the timely communication of any consumer complaints the vendor receives to submit to the client to address.
Some of these terms will vary based on transaction type, product or service and, ultimately, only the Line of Business and Business Sponsor can decide how much risk they want to own in conducting business with a vendor.
However, the role of the vendor management team can add great value to the line of business by highlighting the risks involved so that the decision maker can make an informed decision.
For more discussion about vendor contracts, take a look at our eBook.