On Friday, July 23, the Federal Financial Institutions Examination Council (“FFIEC”) released two booklets that contain updated guidance for examiners and financial institutions on information technology management and outsourcing. Among other things, these booklets provide an excellent starting point for compiling checklists of what should be considered by bank management and legal counsel in connection with contracting with outside IT vendors.
As attorneys, we often come into the “mix” late in the process. Sometimes, clients have unreasonable expectations as to the necessity for and complexity of documenting the contractual agreement between the bank and the IT service provider. We’ve written on this subject repeatedly, and will continue to do so as long as necessary to get the point across that the legal contract is an important part of the process, not a necessary evil or mere “hoop” that has to be jumped through to get a deal done.
From the Management Booklet, the following is the entire, albeit brief, two-paragraph subsection on “Contracts” from the section entitled “Management Considerations for Technology Service Providers.” The term “TSP” refers to Technology Service Providers:
"TSPs and customer financial institutions should negotiate contracts that incorporate the recommended items contained in the IT Handbook’s “Outsourcing Technology Services Booklet”. Financial institutions should negotiate clear, written contracts with sufficient detail to provide assurances for performance, reliability, security, confidentiality, and reporting. A poorly written or inadequately reviewed contract can increase the risk to both the serviced financial institution and the TSP. To avoid or minimize problems in such a contractual arrangement, legal counsel familiar with the terminology and specific requirements of a data processing contract should review it to protect each party’s interests. Since the contract sets the terms of a multi-year understanding between the parties, all items agreed upon during negotiations should be included in the final signed contract."
"Contracts establish baseline performance standards for information processing services. In addition, the contract defines each party’s responsibilities and liabilities. Institutions may encounter situations where service providers cannot or will not agree to terms that the institution requests to manage the risk effectively. Under these circumstances, institutions should either not contract with that provider or supplement the service provider’s commitments with additional controls to mitigate the risk. If an institution experiences problems obtaining regulatory required revisions to existing contracts, it should notify user groups and its primary regulator for additional support."
The “Contract Issues” subsection of the “Risk Management” section of the “Outsourcing Technology Services” booklet contains many gems, among them the following:
"Engage legal counsel early in the process to help prepare and review the proposed contract."
A quick summary:
• Contract issues are serious issues.
• Involve legal counsel in the process, the earlier the better.
---Kevin Funnell