What the Examiners Expect in Managing Vendor Contracts
Ensure your contract management is up to par for examiners.
Learn what examiners expect regarding vendor contract management - straight from third-party risk guidance on contract negotiation.
Video Transcript
Welcome to this week’s Third Party Thursday! My name is Branan Cooper and I’m the Chief Risk Officer here at Venminder. In this video, we're going to cover:
- A recap of the regulatory guidance on contracts
- The importance of contract management
- A few observations on what examiners may expect
Let’s turn to the regulatory guidance, specifically to OCC Bulletin 2013-29 and Bulletin 2017-7, which have very prescriptive instructions in the category of contract negotiation. I won’t repeat the entire section, but it’s worth a detailed read here.
To summarize some of the key expectations, the guidance lays out the following:
- Nature and scope of the agreement: laying out key terms for the contract, particularly around the safeguarding of information, the frequency of review and a well-documented process for entering into a new relationship
- Performance measures or benchmarks: identifying expectations and responsibilities on both sides of the relationship and the regular reporting required to support it
- Responsibilities for providing, receiving and retaining information: strict standards on frequency and scope of reporting, addressing other regulations and even providing an exit should one party fail to meet its obligations
- Right to audit and require remediation: again, this is one of the items we frequently see missed, the ability to obtain adequate due diligence and review reports of controls and other examinations
- Insurance: the requirement to provide adequate insurance specific to the nature of the relationship
- Dispute resolution: determine ahead of time how key differences will be settled
- Limits of liability: determine who is responsible for loss or damage
- Default and termination: set standards on what events may lead to termination of the agreement and spell them out in clear and definitive terms
- Customer/member complaints: require notification and prompt resolution of any level of complaints
- Subcontracting: establish standards and approval requirements for engaging additional downstream providers, particularly if they have access to your customer’s information
- Foreign-based third parties: establish expectations on selection, hiring and training of third parties and focus on their standards for protecting your customers’ information
- Responsibility for compliance with all applicable laws and regulations: self-explanatory, but the service provider must follow the rules of law
- Cost and compensation: this is often the part that gets the most attention and causes other areas to be overlooked
- Ownership and license: who can use the bank’s brand, image and, most importantly, impact the reputation
- Confidentiality and integrity: clear guidelines on expected behavior and proper maintenance of records
- Business resumption and contingency plans: identify what the protocols are to maintain normal operations, as best possible, when disaster strikes
- Indemnification: which party is liable in the event of something bad happening
To recap – with your contracts, pay attention to:
- Nature and scope of the agreement
- Performance measures or benchmarks
- Responsibilities for providing, receiving and retaining information
- Right to audit and require remediation
- Insurance
- Dispute resolution
- Limits of liability
- Default and termination
- Customer complaints
- Subcontracting/fourth parties
- Foreign-based third parties
- Regulator supervision
- Responsibility to be compliant with all applicable regulations
- Cost and compensation
- Ownership and license
- Confidentiality and integrity
- Business resumption and contingency plans
- Indemnification
And I know that is a lot to digest – it's worth a thorough review of the regulatory guidance and a detailed description in your own program as to how you plan to incorporate each of these activities into your third-party risk management program.
Again, I'm Branan Cooper and thank you for watching! If you haven’t already, please subscribe to the Third Party Thursday series.