Pop quiz…according to the FFIEC Handbook on Outsourcing Technology Services…
“The ________ is the single most important control in the outsourcing process”:
- Initial due diligence process
- Review of third-party audit reports
- Risk Assessment
- Vendor’s financial stability
I’ve written before about the importance of the third-party review in the ongoing vendor management process (and how that changes with the phase-out of the SAS 70), and of course vendor financial stability can speak to the ability to continue to provide services. And a vendor risk assessment has been an essential component of your Information Security Program since GLBA. All of these are important, but according to the FFIEC:
“The contract is the legally binding document that defines all aspects of the servicing relationship. A written contract should be present in all servicing relationships. This includes instances where the service provider is affiliated with the institution. When contracting with an affiliate, the institution should ensure the costs and quality of services provided are commensurate with those of a non-affiliated provider. The contract is the single most important control in the outsourcing process.”
I’ve already predicted that vendor management would become an area of increased regulator scrutiny in the coming year, and one of the first things they will be looking at are the contracts. Actually, regulators asking to see vendor contracts is nothing new, but lately some have been examining these contracts for specific elements. So here are the 18 elements that should be included (or at least considered) in all critical vendor contracts:
- Scope of Service
- Performance Standards
- Security and Confidentiality
- Business Resumption and Contingency Plans
- Sub-contracting and Multiple Service Provider Relationships
- Ownership and licensing
- Dispute Resolution
- Limitation of Liability
- Regulatory Compliance
Not all contracts, even with critical vendors, will contain all of these elements. But each of them represents an important factor for consideration as you negotiate (or re-negotiate), and your vendor risk assessment should ultimately determine exactly which elements you’ll require.
“The time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution.”
And unlike some risk assessments, where smaller financial institutions may have enjoyed less scrutiny because of their size and complexity…
“…smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.”
So smaller institutions may actually be in for a more rigorous vendor management review than larger institutions!
I’ve created a checklist of all the contract considerations listed above, along with a brief description of each one. I hope you’ll find it useful. You can download it here.