The single most important vendor management control

Pop quiz…according to the FFIEC Handbook on Outsourcing Technology Services

“The ________ is the single most important control in the outsourcing process”:

  1. Initial due diligence process
  2. Review of third-party audit reports
  3. Contract
  4. Risk Assessment
  5. Vendor’s financial stability

I’ve written before about the importance of the third-party review in the ongoing vendor management process (and how that changes with the phase-out of the SAS 70), and of course vendor financial stability can speak to the ability to continue to provide services. And a vendor risk assessment has been an essential component of your Information Security Program since GLBA. All of these are important, but according to the FFIEC:

“The contract is the legally binding document that defines all aspects of the servicing relationship. A written contract should be present in all servicing relationships. This includes instances where the service provider is affiliated with the institution. When contracting with an affiliate, the institution should ensure the costs and quality of services provided are commensurate with those of a non-affiliated provider. The contract is the single most important control in the outsourcing process.”

I’ve already predicted that vendor management would become an area of increased regulator scrutiny in the coming year, and one of the first things they will be looking at are the contracts. Actually, regulators asking to see vendor contracts is nothing new, but lately some have been examining these contracts for specific elements. So here are the 18 elements that should be included (or at least considered) in all critical vendor contracts:

  • Scope of Service
  • Performance Standards
  • Security and Confidentiality
  • Controls
  • Audit
  • Reports
  • Business Resumption and Contingency Plans
  • Sub-contracting and Multiple Service Provider Relationships
  • Cost
  • Ownership and licensing
  • Duration
  • Dispute Resolution
  • Indemnification
  • Limitation of Liability
  • Termination
  • Assignment
  • Foreign-based
  • Regulatory Compliance

Not all contracts, even with critical vendors, will contain all of these elements. But each of them represents an important factor for consideration as you negotiate (or re-negotiate), and your vendor risk assessment should ultimately determine exactly which elements you’ll require.

“The time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution.”

And unlike some risk assessments, where smaller financial institutions may have enjoyed less scrutiny because of their size and complexity…

“…smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.”

So smaller institutions may actually be in for a more rigorous vendor management review than larger institutions!

I’ve created a checklist of all contract considerations listed above, along with a brief description of each one. I hope you’ll find it useful. You can download it here.

Tom Hinkel
As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.