BankBryanCave.com


Part 7 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

October 12, 2016


This is part 7 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Indemnification. Indemnification provisions in a third party services contract can be hotly contested. There is no question that banks should include indemnification clauses that specify the extent to which the bank will be protected from claims arising out of the failure of the vendor to perform, including failure of the vendor to obtain any necessary intellectual property licenses. Not surprisingly, they can be one of the most difficult provisions to reach an agreement on.

In its simplest terms, indemnification constitutes an agreement to allocate certain risks of loss among the parties. It is analogous to a guaranty but just like a guaranty, the fact that you have one does not ensure that a party will in fact be protected from loss. An indemnification from a company that has little in the way of assets is no different than a guaranty from someone who has very little net worth. It may have some psychological value but may be worthless from a practical standpoint. Indemnification provisions can be drafted so tightly that they provide little protection and they can be made subject to limitations to the point that the protection offered is illusory.


Part 6 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

October 4, 2016


This is part 6 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Ownership of Trademarks, Copyrights, Patents and Other Trade Secrets, Source Code Escrow Agreements. Typically, each party should own its pre-existing materials and derivative works thereof and materials developed by the parties or their contractors individually and outside of the contract, and each party should provide the other with licenses to its materials necessary to receive or provide the services during the term. The contract should include intellectual property provisions that clearly define each party’s intellectual property rights for their pre-existing materials and materials developed as part of the contract.

Does the vendor currently own or have the right to use all of the patents, trademarks, copyrights, etc., needed to provide the services under the contract or are they using intellectual property assets owned by the bank? If the contract involves the use of software purchased from a third party which needs to be customized, does the vendor or the bank have the legal rights to do that?  The contract should address who will own any intellectual property created by the vendor as a direct result of the contract. Oftentimes, but not always, that will be the bank.

In contracts where the vendor is providing or using software in delivering the services, issues may arise over ownership and the right to use the software. Banks will generally want the vendor to represent that the vendor has full use of the software and that it is providing the bank with a non-exclusive right to use it. Usually the vendor will be required to indemnify the bank in the event a third party asserts a claim that the bank’s use of the software was improper.  If a successful claim of infringement is made, the bank may want to either obligate the vendor to obtain alternative software to be able to continue providing the services or be able to terminate the contract immediately. As a practical matter, if a successful infringement claim is made, the vendor may simply need to obtain a license from the other party in order to continue providing the software to the bank.


Part 5 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 29, 2016


This is part 5 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Vendor Notice Requirements

Business - Strategic Changes. There are several categories of events the bank will want to be notified about. The first involves things like significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures, or other business activities that could affect the activities involved. In certain instances the bank may want the ability to terminate the contract if the vendor merges with another company or if there is a change in control. Similar to a loan transaction, the bank has “underwritten” the vendor. Bank officers have met the vendor’s senior management and are comfortable with the general direction of its business. A merger or change of control may change the strategic direction of the vendor and the bank wants to make sure it knows who it is doing business with.

Business Events - Corporate Changes. The contract should address notification to the bank before making significant changes to the contracted activities, including acquisition, subcontracting, off-shoring, management or key personnel changes, or implementing new or revised policies, processes, and information technology. Related provisions in the contract would be sections that, without bank consent, would prohibit the assignment of the contract, changes in the listed locations where work is being performed, and the use of subcontractors not previously approved by the bank.

Business Events - Adverse Changes to Business Operations. This category requires the prompt notification of financial difficulty, catastrophic events, and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions, or other regulatory actions. The bank should already have a contingency plan in the event the vendor goes out of business but a timely notification requirement helps to ensure that the bank will have adequate time to put the contingency plan into motion.

Business Continuity. The contract should address the issue of what happens if the vendor’s business is affected by natural disasters, human error, or intentional attacks. The contract should define the vendor’s business continuity and disaster recovery capabilities and obligations to enable the vendor to continue delivery of the services in the event of a disaster or other service interruption affecting a location from where the services are provided. Force majeure events should not excuse the vendor from performing the business continuity/disaster recovery services. The contract should include the vendor’s disaster recovery plan defining the processes followed by the vendor during a disaster including backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans. A contract may include provisions—in the event of the third party’s bankruptcy, business failure, or business interruption—that allow the bank to transfer the bank’s accounts or activities to another third party without penalty. Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Depending on the critical nature of the service being provided, the bank may also want to consider stipulating whether and how often the bank and the vendor will jointly practice business resumption and disaster recovery plans.


Part 4 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 20, 2016


This is part 4 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Service levels. Service levels should be defined. For example, are the services to be made available 24/7 365 days a year or are they only needed during normal business hours? When the services involve some type of software or online technology, what is the minimum amount of “uptime” required? Depending on the services involved, uptime might be 99.9%, for example. Vendors will understandably push back on that figure and might suggest 98%. The right figure need not be either one of those numbers and is dependent on the type of service being provided and its criticality to the bank’s delivery of services to its customers. To the extent there is planned downtime for things such as software updates it should occur during off peak time periods. Service level measures can be used to motivate the third party’s performance, penalize poor performance, or reward outstanding performance. Performance measures should not incentivize undesirable performance, such as encouraging processing volume or speed without regard for accuracy, compliance requirements, or adverse effects on customers. Certain products and services have standards that are common across the industry while others may need to be developed to fit the particular transaction. Service levels should be revisited from time to time during the term of the relationship to provide an opportunity for them to evolve along with the services being provided.

Banks should consider what type of reporting they want the vendor to provide concerning performance against the service level targets and what type of remedies the bank is entitled to in the event the vendor fails to measure or report on the service levels. Banks should also consider requiring a root cause analysis for incidents and service level failures. In other words, it is not sufficient just to report a failure; the vendor should also report what caused the failure and exactly what needs to be done to remedy it. It can be very frustrating when a vendor’s performance affects customers and the bank is unable to explain to those customers how a problem is being fixed so that it will not reoccur.


Part 3 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 13, 2016


This is part 3 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Location of where the work is to be performed

Domestic locations. Where is the vendor actually performing the work? Will they need physical access to the bank premises or equipment? Will they be on-site during or after business hours? The contract should reference security policies governing access to the bank’s systems, data (including customer data), facilities, and equipment. The vendor should be obligated to comply with the security policies when accessing such resources. If the work is being done at the vendor’s office, the bank will want approval rights over any change in the location. Depending on the type of services being provided, the bank may also want the contractual right to go to the vendor’s offices to view the vendor’s internal security systems.

Subcontractors-generally. An important question for the bank to ask is whether any of the work is being outsourced to a subcontractor. If the vendor is using subcontractors, the bank should consider whether it will want notice of and perhaps approval rights over who is being used. In addition, the contract should make it clear that the bank considers the vendor responsible for the performance of the contract regardless of whether it outsources a portion of the work.  The contract should also make it clear that subcontractors are subject to the same confidentiality and security requirements as the primary vendor. Consideration should be given to adding a contractual provision which requires any subcontractors to verify in writing that they will comply with the privacy requirements.


Part 2 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 6, 2016


This is part 2 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Recitals.

Some contracts will contain several “WHEREAS” clauses at the inception of the document followed by a recitation of various facts about the parties and what they are trying to accomplish by entering into the contract. From a pure legal standpoint, “WHEREAS” clauses are not required but many parties like to include them to properly set the stage for what is to come afterwards. If they are included, the bank needs to review them, particularly those that describe the parties and the services that the vendor will perform. The recitals provide for an introduction to the parties and provide a high level overview of their agreement. It is a bit like looking at a topographical map and following two streams as they wind their way through the mountains before finally coming together. 

If there is a gap between the direction indicated in the recitals and the body of the agreement then there may be legitimate questions about what the true intent of the parties was when they entered into the contract. That becomes significant when a dispute later arises about the work actually being performed as well as the service level of the work. The gap can be created when the vendor uses a version of the contract that was heavily negotiated for a different party but forgets to revert back to its standard form contract when submitting it to the bank. Sometimes it is evidence of lack of sophistication by the vendor who may have simply downloaded the contract off of the internet and uses it without fully understanding the legal implications. Sometimes vendors will respond that they have used a particular form for years and never had a problem. That is confusing luck with careful draftsmanship.

Nature and scope of the work to be done.

What exactly are the services to be performed? One would expect that the contract will specifically identify the frequency, content, and format of the service, product, or function provided. It is vitally important that the people at the bank, who have the substantive knowledge about the services in question, together with legal counsel, review the scope of services and understand how it relates to other contracts the bank has entered into or strategic initiatives the bank is looking at. A significant factor to keep in mind is whether any fee triggered by an early termination of the contract is of such a size that it becomes a material roadblock to doing a merger or acquisition. There have been instances involving smaller community banks where the termination fee was so large in comparison to the consideration being paid in a planned merger that the deal fell through. Thus, other corporate strategic matters may drive the bank to negotiate a shorter agreement than the vendor normally seeks or to seek out another vendor altogether.


Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

August 30, 2016


Introduction

Managing third party vendor relationships has always been an important function in banks. More recently it has become a hot topic for state and federal financial bank regulators. The increasing complexity of what vendors are doing for banks and the related attention to cybersecurity threats all contribute to the greater scrutiny. The 2016 white paper by the OCC, “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” is just one of several guidance documents issued by the federal financial regulators over the past five years that focus to a large extent on third parties providing services and technology to banks. Significantly, some examinations have resulted in the regulators imposing settlements and civil money penalties on vendors. Previous to the OCC white paper, the CFPB issued third party guidance in 2012, the FFIEC provided guidance on IT service vendors in 2012 and the OCC and the Federal Reserve issued complementary guidance in 2013 on third party relationships and managing outsourcing risks.

Contractual Requirements

The OCC guidance is generally looked at as the “gold standard” for evaluating issues that need to be addressed in a vendor agreement. That does not mean that every contract a bank signs needs to have every one of those issues addressed or that each one needs to be resolved in favor of the bank. Vendor contracts come in many different shapes and sizes and may affect everything from back office processing, internet delivery systems, use of the “cloud” to the people watering the plants at the branch. Vendors will vary from small local operations to multi-national companies. The bargaining power of a bank obviously varies depending on its size. A small community bank is not going to have the same leverage negotiating a vendor contract with a national vendor as a much larger institution. That lack of leverage, however, is somewhat mitigated by the fact that large vendors understand what the regulators are looking for because they hear it from many of their bank customers. That does not mean though that they will always offer it in the first draft of an agreement! Finally, you need to keep in mind that there may be several different ways of approaching a particular issue and drafting the contract language, all of which may produce an acceptable outcome. As a result, a typical contract may touch on all of the points found in the OCC guidance but the individual contract provisions will fall along a broad spectrum.

The OCC guidance provides a good road map to what state and federal bank regulators (not just the OCC) look for when reviewing a bank’s significant third party contracts. Significant third party contracts that fail to address the OCC highlighted issues may result in a bank being criticized in an examination report and could be a factor in a CAMELS downgrade of management. Management also needs to be aware that defects in major contracts will come up in due diligence performed in a merger transaction and can affect the viability of a proposed M&A deal. Thus, the “risks” that are being managed are broader than the business risk that occurs because of a non-performance by the vendor, which is a good reason why senior management needs to pay close attention to the negotiation of significant vendor contracts.

Vendors should also be examining the guidance and modifying their contracts accordingly because banks are going to be raising the same issues over and over again. Vendor personnel who are on the front lines negotiating contracts need to be aware of the regulatory scrutiny and understand why requests for alterations to the contracts are being made by the bank.


How Many Times Do We Have to Tell You Not to Open the Cat Video

April 11, 2016


Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

  • “Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”
  • “My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”
  • “Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”
  • “My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to double-check, I’m sure his email is legitimate.”

If you were in the movie theater you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit that keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the log in ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background, we know that something is going to happen when as fast as lightning, the blob springs to life initiating wire transfers for tens of millions of dollars.


Divided Supreme Court Results in Non-Uniform Application of Reg B

March 25, 2016


In what goes for kicking the can down the road at the Supreme Court, the Court has evenly split on an appeal arising from the Eighth Circuit Court of Appeals decision in Hawkins v. Community Bank of Raymore, 761 F3d 937 (CA8 2014) where that court found that the Federal Reserve had overstepped its bounds in adopting rules under the Equal Credit Opportunity Act to protect spousal guarantors. The case arose out of a series of loans in 2005 and 2008 made by the Bank—totaling more than $2,000,000—to PHC Development, LLC to fund the development of a residential subdivision. In connection with each loan and each modification, the principals of the LLC and their spouses (who had no interest in the LLC) executed personal guaranties in favor of Community to secure the loans.

The spouses defended themselves in an action brought by the bank on the basis that Community had required them to execute the guaranties solely because they were married to their respective husbands. They claimed that this requirement constituted discrimination against them on the basis of their marital status, in violation of the ECOA. The federal district court concluded that the spouses were not “applicants” within the meaning of the ECOA and thus that the Bank had not violated the ECOA by requiring them to execute the guaranties. Accordingly, the district court granted summary judgment in favor of the Bank on the ECOA claim and on the ECOA-based affirmative defense to the Bank’s breach-of-guaranty counterclaims.


Can a Guarantor Waive his Right to a Foreclosure Confirmation Proceeding in Georgia?

February 23, 2016


Yes.

On Monday, February 22, 2016, in a case closely watched by commercial real estate lenders, borrowers and guarantors, the Supreme Court of Georgia issued its opinion in PNC Bank, N.A.  v. Smith, et al., S15Q1445.  The case was before the Supreme Court on two certified questions from the United States District Court for the Northern District of Georgia.  The two Certified Questions were: (1) Is a lender’s compliance with the requirements contained in OCGA § 44-14-161 a condition precedent to the lender’s ability to pursue a borrower and/or guarantor for a deficiency after a foreclosure has been conducted?; and (2) If so, can borrowers or guarantors waive the condition precedent requirements of such statute by virtue of waiver clauses in the loan documents?

In answering the first question in the affirmative, the Georgia Supreme Court upheld its reasoning in First Nat. Bank & Trust Co. v. Kunes, 230 Ga. 888, 890-91 (1973). The Georgia Supreme Court echoed the reasoning in Kunes by stating “that notice to both sureties and guarantors is necessary to satisfy the purpose of the confirmation statute— ‘to limit and abate deficiency judgments in suits and foreclosure proceedings on debts’ and to enable sureties and guarantors ‘an opportunity to contest the approval of the [foreclosure] sales.’”

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.