Ten Step Program to Reduce Risk in Financial Services Outsourcing
Ten recommendations to help financial institution executives understand the risks and rewards in outsourcing core functions and to address those risks effectively.
Ten Step Program to Reduce Risk in Outsourcing Agreements
Leslie F. Spasser, LeClairRyan, P.C., Norfolk, Virginia
Hallmarks of Outsourcing Agreements
• Mission critical services
  – Online Banking
  – Loan Processing and Origination
  – Mobile Applications
• Multi-year, long-term contracts
• A few large vendors dominate industry
• Complex agreements on vendor’s form
• Hosted services/cloud services
Step One
• Lay the Foundation
• Conduct Thorough and Effective Due Diligence
  – Financial condition
  – Security
  – Disaster Recovery
  – Regulatory Compliance Issues
  – Customer references
    • Talk to current and former customers of vendor
Step Two
• Cover Me
• Evaluate Insurance Coverage Requirements
  – Vendor’s levels of coverage
  – Vendor’s types of coverage
    • All banking technology vendors should have ample cyber-liability coverage that covers security breaches and technology errors and omissions
  – Evaluate bank’s insurance coverage
    • Consider purchasing cyber-liability policies
    • Ensure cyber-liability policies cover vendor breaches
Step Three
• Location, location, location
  – Know where your data is being hosted
  – Include limitations, where appropriate (e.g., in US)
  – Ensure limitations cover both primary facilities and backup or disaster recovery facilities
• Ensure that vendor does not outsource services outside of US without your consent.
Step Four
• Prepare for Armageddon
  – Review vendor’s Disaster Recovery plan
  – Include contractual requirements that DR plan remain the same or improve
  – Provide for regular testing of DR processes
  – Be sure that the timing of service restoration meets your needs
  – Ensure that Force Majeure provisions do not eviscerate DR obligations
Step Five
• Consistency is No Hobgoblin
  – Obtain service level commitments
    • Availability of service/uptime
    • Time to respond to/repair problems
  – Include appropriate service level credits
  – Provide right to terminate for chronic service level failures
  – Look closely at vendor’s “exclusions” from SLA requirements
Step Six
• Remember your Regulators
  – Require vendor compliance with applicable regulations
    • Reporting
    • Responsiveness
    • Security/Privacy
  – Require vendor cooperation with regulatory audits imposed on bank
  – Require notice if vendor runs into regulatory problems
Step Seven
• Trust but Verify
  – Audit right for fees/charges
  – Audit right for privacy/data security compliance
    • SSAE 16
    • Intrusion tests
  – Access to security audit reports conducted for vendor by third parties
  – Require correction of audit exceptions
  – Flow down to vendor’s vendors
Step Eight
• What’s Mine is Mine
  – Clearly define ownership of bank’s data – both data entered into the system and data processed by the system
  – Retain ownership of confidential information
  – Beware of broad vendor claims of ownership of platform or of deliverables developed for bank
  – Beware of provisions permitting vendor to “own” aggregated data
Step Nine
• Take it to the Limit
  – Look closely at limitations of liability
  – Exclude vendor indemnification obligations
  – Exclude data breaches and breaches of confidentiality
  – Ensure that dollar limit provides sufficient coverage for expedited replacement of vendor in the event of breach
Step Ten
• Begin with the end in mind.
  – Provide clear deconversion/transition obligations
  – Provide time-line that meets bank’s needs
  – Clearly define fees and limits
    • Require vendor to provide deconversion fee schedule and limit increases
    • Avoid up front payment in full
    • Provide for deconversion to be subject to the terms and conditions of the Agreement.