What the Examiners Expect in Managing Vendor Contracts

CPE Credit Eligible

Ensure your contract management is up to par for examiners.

Learn what examiners expect regarding vendor contract management - straight from third-party risk guidance on contract negotiation. 

Video Transcript

Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder. In this video, we're going to cover:

  • A recap of the regulatory guidance on contracts
  • The importance of contract management
  • A few observations on what examiners may expect

Let’s turn to the regulatory guidance, specifically to OCC Bulletin 2013-29 and Bulletin 2017-7, which has very prescriptive instructions in the category of contract negotiation. I won’t repeat the entire section, but it’s worth a detailed read here.

To summarize some of the key expectations, the guidance lays out the following:

  1. Nature and scope of the agreement: laying out key terms for the contract, particularly around the safeguarding of information, the frequency of review and a well-documented process for entering into a new relationship
  2. Performance measures or benchmarks: identifying expectations and responsibilities on both sides of the relationship and the regular reporting required to support it
  3. Responsibilities for providing, receiving and retaining information: strict standards on frequency and scope of reporting, addressing other regulations and even providing an exit should one party fail to meet its obligations
  4. Right to audit and require remediation: again, this is one of the items we frequently see missed, the ability to obtain adequate due diligence and review reports of controls and other examinations
  5. Insurance: the requirement to provide adequate insurance specific to the nature of the relationship
  6. Dispute resolution: determine ahead of time how key differences will be settled
  7. Limits of liability: determine who is responsible for loss or damage
  8. Default and termination: set standards on what events may lead to termination of the agreement and spell them out in clear and definitive terms
  9. Customer/member complaints: require notification and prompt resolution of any level of complaints
  10. Subcontracting: establish standards and approval requirements for engaging additional downstream providers, particularly if they have access to your customer’s information
  11. Foreign-based third parties: establish expectations on selection, hiring and training of third parties and focus on their standards for protecting your customers’ information
  12. Responsibility for compliance with all applicable laws and regulations: self-explanatory, but the service provider must follow the rules of law
  13. Cost and compensation: this is often the part that gets the most attention and causes other areas to be overlooked
  14. Ownership and license: who can use the bank’s brand, image and, most importantly, impact the reputation
  15. Confidentiality and integrity: clear guidelines on expected behavior and proper maintenance of records
  16. Business resumption and contingency plans: identify what the protocols are to maintain normal operations, as best possible, when disaster strikes
  17. Indemnification: which party is liable in the event of something bad happening

To recap – with your contracts, pay attention to:

  • Nature and scope of the agreement
  • Performance measures or benchmarks
  • Responsibilities for providing, receiving and retaining information
  • Right to audit and require remediation
  • Insurance 
  • Dispute resolution
  • Limits of liability
  • Default and termination
  • Customer complaints
  • Subcontracting/fourth parties
  • Foreign-based third parties
  • Regulator supervision
  • Responsibility to be compliant with all applicable regulations
  • Cost and compensation
  • Ownership and license
  • Confidentiality and integrity
  • Business resumption and contingency plans
  • Indemnification 

And I know that is a lot to digest – it's worth a thorough review of the regulatory guidance and a detailed description in your own program as to how you plan to incorporate each of these activities into your third-party risk management program.

Again, I'm Branan Cooper and thank you for watching! If you haven’t already, please subscribe to the Third Party Thursday series.
