Report: Your Vendor Contracts Need Improvement
I have said it before and I will say it again: With the increasing use of third-party vendors, a credit union’s compliance program is only as good as its contracts. Unfortunately, financial institutions continue to do an inadequate job of ensuring that they can exercise proper oversight over their third-party service providers. This is the key conclusion of a report issued by the FDIC’s Inspector General. I know the FDIC doesn’t have jurisdiction over credit unions, but the concerns it addresses are by no means unique to banks and could very well influence future dictates from the FFIEC, of which NCUA is a member. Even if you think your institution has no vendor issues, the report provides an excellent synopsis of privacy laws and obligations.
So what did the Inspector General conclude? Only slightly more than half the financial institutions it reviewed performed a pre-contract due-diligence review of potential vendors or mandated ongoing due-diligence reviews of existing vendors.
Additionally, slightly less than half of the contracts did not address third-party business continuity plans. This is troubling since many vendors provide services critical to the day-to-day operations of financial institutions; if they are not up and running, neither is your credit union. As for the reporting of data breaches, many of the contracts reviewed did not adequately address the responsibility of vendors to report compromises.
Furthermore, the report was critical of the use of vague contract language that did not adequately define third-party provider responsibilities. For example, it was concerned that many contracts included terms such as “adverse event” and “disaster” without defining what types of incidents would fall within these definitions. This is not surprising since, as the Inspector General noted, most contracts were prepared by the third-party provider.
So what are my takeaways from all this? First, many of you are being penny wise and pound foolish if you refuse to get a legal review of vendor contracts. Even if a third-party service provider agrees to protect and indemnify you against its mistakes, this doesn’t protect you in the eyes of your regulator. “The vendor made me do it” is not a defense.
Second, a contract is not the end of the process but the beginning. You must ensure that someone on your staff is responsible for monitoring a vendor’s performance on an ongoing basis.
Third, don’t be afraid to negotiate. I was talking with a banker friend the other day, and he argued that it is unrealistic to think that a small financial institution has the ability to force changes to contracts with large service providers. Fair enough, but this doesn’t mean you shouldn’t try, and your efforts should be documented for your examiner. In addition, for your most important vendor relationships, such as with core processors, the absence of key, clearly defined provisions should be a deal breaker.
Finally, everything I have said varies depending on the size and sophistication of the service for which you are contracting. No one is suggesting that you need the same level of due diligence for contracting with a cleaning service as you do for your webmaster.