Vendor Management: Working out Contract Issues
No matter who the vendor is, or how long they’ve supplied their service or item to your institution, you need a written contract. Even the company that supplies your bottled water needs a simple form contract. The strongest relationships begin with a contract that you and your vendor agree upon. If problems arise, managing your relationship with the vendor will come down to what is and isn’t in the contract.
Third-party service vendors are scrutinized by examiners, and your examiner will ask whether you’ve done due diligence by performing a thorough risk assessment and vetting the vendor’s ability to provide the service or action for your institution, according to the same standards that would apply if you did it yourself. The contract with any vendor, to the extent applicable, should cover: expectations and responsibilities; the amount of work and its cost; the type and timing of reporting on the status of the work being performed; the process for changes to anything in the contracted work and for notification of issues; ownership of any work product; an acknowledgement that the vendor is subject to regulatory review; privacy and information security; a process for ongoing monitoring; and supervision and dispute resolution. Because your examiner may review the contract and what it stipulates as part of your institution’s examination, your legal department should review any significant contract before it is signed.
A common dilemma with vendor contracts is that the expectations and responsibilities of the vendor and the financial institution are not properly addressed. When questions pop up, answers are difficult to pin down, and the institution and the vendor each insist that the other is responsible. You will want to consider every contingency in the delivery of the service or item and every possible question, especially: the vendor’s responsibility and accountability; escalation guidelines, including when the vendor must call the institution; and the acceptable range of service quality.
The services and the scope they will include must be examined carefully and spelled out fully in the written contract. The scope of services must at least include: the vendor’s list of services; what the institution is charged with; the calendar for delivery of services; and what will be installed or delivered, and in what manner. The contract should also have a section on fees outside the stated contract and what the institution will be responsible for. One important point to include is a performance service level: the standard of quality and timing that will be allowed, and the margin of error, should be stipulated in the contract. Services that a financial institution may outsource include: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services; and call centers. If you’re dealing with a technology vendor, a service level agreement (SLA) will be required. The SLA outlines the standards of performance and service quality that will be delivered. Under each service outlined in the SLA, the range of accepted service quality will be listed, along with clear wording of what is to be measured in the quality assessment, a determination of how it will be measured and the formula used to calculate the service level, and a stipulation of what will happen if the level isn’t met. Here’s a sample SLA from the FDIC: Sample SLA
Third-party service provider contracts should also stipulate the institution’s ability to assess the performance of the provider. The contract should list what is expected from the provider, including reports; audit and internal control (including financial) reports must be available if stipulated. This is essential if the risk assessment shows that the service provided is highly valuable or that the provider handles high-risk transactions.
The length of the provider’s contract is another consideration. Financial institutions should look for flexible, shorter-term contracts, particularly in technology areas where requirements change rapidly. You don’t want to be tied to a vendor who won’t or can’t keep up with the newest technology demands. Finally, here is FFIEC Guidance on: Risk Management of Outsourced Technology Services.