BankBryanCave.com

Bank Bryan Cave

Bank Regulations


Part 3 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

This is part 3 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Location of where the work is to be performed

Domestic locations. Where is the vendor actually performing the work? Will they need physical access to the bank premises or equipment? Will they be on-site during or after business hours? The contract should reference security policies governing access to the bank’s systems, data (including customer data), facilities, and equipment. The vendor should be obligated to comply with the security policies when accessing such resources. If the work is being done at the vendor’s office, the bank will want approval rights over any change in the location. Depending on the type of services being provided, the bank may also want the contractual right to go to the vendor’s offices to view the vendor’s internal security systems.

Subcontractors-generally. An important question for the bank to ask is whether any of the work is being outsourced to a subcontractor. If the vendor is using subcontractors, the bank should consider whether it will want notice of and perhaps approval rights over who is being used. In addition, the contract should make it clear that the bank considers the vendor responsible for the performance of the contract regardless of whether it outsources a portion of the work.  The contract should also make it clear that subcontractors are subject to the same confidentiality and security requirements as the primary vendor. Consideration should be given to adding a contractual provision which requires any subcontractors to verify in writing that they will comply with the privacy requirements.


Part 2 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

This is part 2 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Recitals.

Some contracts will contain several “WHEREAS” clauses at the inception of the document followed by a recitation of various facts about the parties and what they are trying to accomplish by entering into the contract. From a pure legal standpoint, “WHEREAS” clauses are not required but many parties like to include them to properly set the stage for what is to come afterwards. If they are included, the bank needs to review them, particularly those that describe the parties and the services that the vendor will perform. The recitals provide for an introduction to the parties and provide a high level overview of their agreement. It is a bit like looking at a topographical map and following two streams as they wind their way through the mountains before finally coming together. 

If there is a gap between the direction indicated in the recitals and the body of the agreement then there may be legitimate questions about what the true intent of the parties was when they entered into the contract. That becomes significant when a dispute later arises about the work actually being performed as well as the service level of the work. The gap can be created when the vendor uses a version of the contract that was heavily negotiated for a different party but forgets to revert to its standard form contract when submitting it to the bank. Sometimes it is evidence of a lack of sophistication by the vendor, who may have simply downloaded the contract off of the internet and used it without fully understanding the legal implications. Sometimes vendors will respond that they have used a particular form for years and never had a problem. That is confusing luck with careful draftsmanship.

Nature and scope of the work to be done.

What exactly are the services to be performed? One would expect that the contract will specifically identify the frequency, content, and format of the service, product, or function provided. It is vitally important that the people at the bank who have the substantive knowledge about the services in question, together with legal counsel, review the scope of services and understand how it relates to other contracts the bank has entered into or strategic initiatives the bank is looking at. A significant factor to keep in mind is whether any fee triggered by an early termination of the contract is of such a size that it becomes a material roadblock to doing a merger or acquisition. There have been instances involving smaller community banks where the termination fee was so large in comparison to the consideration being paid in a planned merger that the deal fell through. Thus, other corporate strategic matters may drive the bank to negotiate a shorter agreement than the vendor normally seeks or to seek out another vendor altogether.


Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

Introduction

Managing third party vendor relationships has always been an important function in banks. More recently it has become a hot topic for state and federal financial bank regulators. The increasing complexity of what vendors are doing for banks and the related attention to cybersecurity threats all contribute to the greater scrutiny. The 2016 white paper by the OCC, “Supporting Responsible Innovation in the Federal Banking System: An OCC Perspective,” is just one of several guidance documents issued by the federal financial regulators over the past five years that focus to a large extent on third parties providing services and technology to banks. Significantly, some examinations have resulted in the regulators imposing settlements and civil money penalties on vendors. Previous to the OCC white paper, the CFPB issued third party guidance in 2012, the FFIEC provided guidance on IT service vendors in 2012 and the OCC and the Federal Reserve issued complementary guidance in 2013 on third party relationships and managing outsourcing risks.

Contractual Requirements

The OCC guidance is generally looked at as the “gold standard” for evaluating issues that need to be addressed in a vendor agreement. That does not mean that every contract a bank signs needs to have every one of those issues addressed or that each one needs to be resolved in favor of the bank. Vendor contracts come in many different shapes and sizes and may affect everything from back office processing, internet delivery systems, and use of the “cloud” to the people watering the plants at the branch. Vendors will vary from small local operations to multi-national companies. The bargaining power of a bank obviously varies depending on its size. A small community bank is not going to have the same leverage negotiating a vendor contract with a national vendor as a much larger institution. That lack of leverage, however, is somewhat mitigated by the fact that large vendors understand what the regulators are looking for because they hear it from many of their bank customers. That does not mean though that they will always offer it in the first draft of an agreement! Finally, you need to keep in mind that there may be several different ways of approaching a particular issue and drafting the contract language, all of which may produce an acceptable outcome. As a result, a typical contract may touch on all of the points found in the OCC guidance but the individual contract provisions will fall along a broad spectrum.

The OCC guidance provides a good road map to what state and federal bank regulators (not just the OCC) look for when reviewing a bank’s significant third party contracts. Significant third party contracts that fail to address the OCC highlighted issues may result in a bank being criticized in an examination report and could be a factor in a CAMELS downgrade of management. Management also needs to be aware that defects in major contracts will come up in due diligence performed in a merger transaction and can affect the viability of a proposed M&A deal. Thus, the “risks” that are being managed are broader than the business risk that occurs because of a non-performance by the vendor, which is a good reason why senior management needs to pay close attention to the negotiation of significant vendor contracts.

Vendors should also be examining the guidance and modifying their contracts accordingly because banks are going to be raising the same issues over and over again. Vendor personnel who are on the front lines negotiating contracts need to be aware of the regulatory scrutiny and understand why requests for alterations to the contracts are being made by the bank.


Economies of Scale Encourage Continued Consolidation

The Federal Reserve Bank of St. Louis just published a short summary of research by economists with the Federal Reserve Bank of Kansas City concluding that compliance costs weigh “quite a bit” more heavily on smaller banks than their larger counterparts in the community banking segment. Looking specifically at banks under $10 billion in total assets (where additional Dodd-Frank-related burdens are triggered), the study found that compliance costs as a percentage of total noninterest expenses were inversely correlated with the size of the bank. While banks with total assets between $1 and $10 billion reported total compliance costs averaging 2.9% of their total noninterest expenses, banks between $100 million and $250 million reported total compliance costs averaging 5.9% and banks below $100 million reported average compliance costs of 8.7% of noninterest expenses.

While nominal compliance costs continued to increase as banks increased in size (from about $160 thousand in compliance expense annually for banks under $100 million to $1.8 million annually for banks between $1 and $10 billion), the larger banks were better able to absorb this expense. Looked at another way, the marginal cost of maintaining a larger asset base, at least in the context of compliance costs, decreases as the asset base grows.

With over 1,663 commercial banks with total assets of less than $100 million in the United States as of March 31, 2016 (and 3,734 banks with between $100 million and $1 billion), barring significant regulatory relief for the smallest institutions, we believe we will continue to see a natural consolidation of banks.  While we continue to believe there is no minimum size that an institution must be, we also consistently hear from bankers in the industry that they could be more efficient if they are larger… and the research bears them out.


Banks and Marketplace Lenders Absorb a Blow

In a blow to banks and the marketplace lending industry, on June 27, 2016, the U.S. Supreme Court denied the petition by Midland Funding to hear the case Midland Funding, LLC v. Madden (No. 15-610). That case involves a debt-collection firm that bought charged-off credit card debt from a national bank. The borrower’s legal team argued that a buyer of the debt was subject to New York interest rate caps even though the seller of the debt, a national bank, was exempt from those state law rate caps due to preemption under Section 85 of the National Bank Act. The borrower won on this startling argument and the debt collector appealed to the Supreme Court. The Office of the Comptroller of the Currency (the regulator for national banks), the U.S. Solicitor General and various stakeholders in the banking and lending industries vigorously argued that the 2nd Circuit’s decision contravened established law. The fear was that, if preemption strips loans of their usury-exempt status when the loans are sold, then banks’ ability to sell consumer loans, including the common practice of banks originating and quickly selling those loans to investors and marketplace lenders, would be significantly limited, if not curtailed.

The Supreme Court denied the debt collector’s appeal without explanation, which means the 2nd Circuit’s ruling is binding law in that Circuit, which includes New York, Connecticut and Vermont.  However, the 2nd Circuit’s ruling is not the law outside of the 2nd Circuit.


3 Takeaways (a Litigator’s Perspective) from CFPB Supervisory Highlights

The CFPB recently issued its newest edition of Supervisory Highlights Mortgage Servicing Special Edition, Issue 11 (June 2016).

From a litigator’s perspective, the Supervisory Highlights do more than summarize recent supervisory findings; they also shine a light on future examination and putative class action risks that are emerging. The CFPB is providing key insights into what it believes should be industry standards. Banks and mortgage servicers should read carefully both the specific findings summarized and slightly more subtle clues to evolving future CFPB requirements. Here are three takeaways on the Highlights from a financial services class action litigator’s perspective:

  1. ECOA & Special Servicing Populations Continue to be a Strong CFPB focus.

In section 2, “Our approach to mortgage servicing examinations,” the CFPB uses a fair amount of real estate to highlight ECOA requirements. In fact, the report states clearly “…Supervision will be conducting more comprehensive ECOA Targeted Reviews of mortgage servicers in 2016.” (See Supervisory Highlights, p.5).  The report specifically indicates that the ECOA Baseline Modules in the CFPB Supervision and Examination Manual will be a tool used by CFPB examination teams. Banks and servicers would do well, if you are not already, to consider the modules and how your data may be viewed. The CFPB specifically flags Module IV fair lending risks related to servicing including staff training, monitoring and “servicing those customers with Limited English Proficiency.” (See Supervisory Highlights, p.5, and ECOA Examination Modules). Among the module’s areas of inquiry are: whether personnel who are available for limited English speaking customers receive the same training and have the same authority as do other personnel, and the level(s) of discretion that servicing personnel may have in making loss mitigation decisions and referrals for customers with limited English (including controls to monitor such discretion usage).  The Highlights appear to signal that the CFPB will increase focus on these areas in the coming months. Banks and servicers may wish to re-evaluate their progress and operations capabilities in these areas. As always, the plaintiff’s consumer bar may be watching CFPB pronouncements and enforcement, and may initiate consumer class action(s) asserting such claims.


The CFPB Proposes Ambitious Payday Lending Regulations

On June 2, 2016, the CFPB released its long-awaited proposed regulations for payday loans, vehicle title and certain high-cost installment loans.  Comments on the proposed rules must be received on or before September 14, 2016.

While most payday lenders would need to make significant changes to their products and practices under the proposed rules, the final rules could well be delayed through legal challenges in court. The scope of the proposal is extraordinary, even requiring a new credit reporting system, which would need to be built, to facilitate the ability-to-repay requirements of the proposal. The CFPB is relying on its authority under the Dodd-Frank UDAAP provisions to issue the rules, which is admittedly very broad, but even that might not be enough to support this ambitious proposal.

Nevertheless, because we cannot predict how courts would ultimately rule on the CFPB’s authority, it’s important to understand the proposed rules, prepare comments, and consider what business model changes might be needed.   This article therefore summarizes the key provisions of the proposal.


Hightower Explores Intersection of Fintech and Bank Mergers

Atlanta Partner Jonathan Hightower authored a BankThink piece in the American Banker on May 9, 2016 titled “Don’t Ignore This FDIC ‘Request for Comment.’” The piece discusses FDIC Financial Institution Letter FIL-32-2016, which asks for comment on the agency’s plan to explore the economic inclusion potential of mobile financial services.

Jonathan notes “banks’ focus on mobile products not only provides innovative benefits to underserved consumers who may lack branch access, but in light of regulators’ interest in the potential for mobile technology to expand economic inclusion, this focus may also help institutions overcome regulatory and community-based challenges to mergers.”

Click here to read the whole article.


How Many Times Do We Have to Tell You Not to Open the Cat Video

Everyone has been in a movie theater when one of the actors approaches that door to the basement behind which strange noises are coming. They reach out to turn the knob and in unison the audience is thinking “Fool, haven’t you ever been to the movies? Don’t you know that the zombies or ghouls or some other equally disgusting creature are waiting for you behind that door? Don’t do it!” They of course open the door, blissfully unaware of the grisly fate waiting for them.

I get the same sort of feeling when I read about cybersecurity lapses at banks. Think about the following:

  • “Someone dropped a thumb drive, I think I’ll just plug it into my computer at work and see what is on it. Surely nothing bad will happen. If nothing else, I’ll give it to one of my kids, they can use it on the home computer.”
  • “My good friend, the one who sends me those emails asking me to pass them along to three of my closest friends, just sent me an email with an adorable cat video. I just love cat videos, I’ll open it on my computer at work and see what is on it. Surely nothing bad will happen. Doesn’t the FBI monitor the internet keeping us safe from bad people?”
  • “Someone from a small European country that I have never heard of has sent me an email telling me that I might be the recipient of an inheritance. I always knew I was destined for better things in life, I’ll just click on the attachment and follow the instructions. Surely nothing bad will happen.”
  • “My good customer Bob just sent me an email telling me that he is stuck in jail in South America. He needs me to wire money to post his bail. I didn’t know that Bob was traveling, I am pretty sure I just saw him in the bank a couple of days ago. I probably won’t try and call his house or wife or his cell phone to doublecheck, I’m sure his email is legitimate.”

If you were in the movie theater you’d be yelling out “Don’t do it!” If this were a movie you would see the green glowing blob patiently waiting to silently flow into the office computer. The blob just sits there though, waiting for the bank officer to hit that keystroke that opens the file. Now we see it watching as the person sits down at the computer and logs in, types in a password and initiates a wire transfer. The blob silently memorizes both the log in ID and the password. Weeks can go by as the suspense builds. The ominous music begins to swell in the background, we know that something is going to happen when as fast as lightning, the blob springs to life initiating wire transfers for tens of millions of dollars.


Too Small to Succeed or Ownership Structure to Thrive?

Two recent federal banking agency reports show very different pictures of the banking environment for community banks. In “Too Small to Succeed? – Community Banks in a New Regulatory Environment,” the Federal Reserve Bank of Dallas lays out the “apparent” rising regulatory burden confronting banks today. In contrast, “Financial Performance and Management Structure of Small, Closely Held Banks,” published in the FDIC Quarterly, provides an empirical analysis of the success of closely held community banks in the FDIC Kansas City, Dallas and Chicago regions.

Lots of Community Banks Remain

As a reminder (which often seems forgotten in these discussions), the U.S. banking industry is still full of community banks.  As of December 31, 2015 (the latest data available), there were 6,182 insured depository institutions in the United States (banks and thrifts, exclusive of credit unions).  Only 107 of those institutions had more than $10 billion in assets; 595 institutions had between $1 and $10 billion, 3,792 had between $100 million and $1 billion, and 1,688 had less than $100 million in assets.  (That’s not to say there isn’t significant concentration; the 110 institutions over $10 billion in assets hold over 81% of the assets in the industry.)

As indicated by the otherwise down-beat Federal Reserve paper, community banks (measured as having less than $10 billion in this analysis) have still maintained 55% of all small-business loans and 75% of all agricultural loans (and banks under $1 billion in total assets still provide 54% of all agricultural loans).  As pointed out by the Federal Reserve paper, community banks accounted for 64% of the $4.6 trillion of total banking assets in 1992, but accounted for only 19% of $15.9 trillion of banking assets in 2015.  While we have certainly had consolidation (both fewer banks, and larger banks), the community bank’s aggregate market ownership has, based on the Federal Reserve’s percentages and totals, actually gone up slightly from $2.9 trillion to $3.0 trillion.

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.