Regardless of the industry, businesses rely more and more on outside vendors to provide both standard and custom products and services. Nowhere is this truer than in the financial services industry where the complexity of laws and regulations amplifies the need to seek outside expertise. In-house counsel stands poised as the gatekeeper to manage — or at the very least review — third party vendor relationships. With the Consumer Financial Protection Bureau (CFPB) aggressively reviewing these relationships for “unfair, deceptive or abusive acts or practices” as described in the Dodd-Frank Act, in-house counsel must be prepared to assist with the vetting process. Most recently, on July 10, 2013, the CFPB issued a bulletin identifying concerns for creditors as it relates to third party debt collectors. Previous guidance from the CFPB targeted add-on products (often developed by vendors) as sources of potential UDAAP risk. Meanwhile, bank examiners routinely scrutinize vendors and their products and services as part of compliance exams. Often the exam concludes with admonitions to enhance processes or formal orders that require improvement in the vendor management process.
Counsel plays a critical role in assuring that the expectations of the regulators are met and that the risk to their institutions is effectively managed. “Contracts 101” can be our starting point. However, a deeper dive is needed into the murky waters of regulatory requirements.
Our first step in this endeavor is identifying the myriad relationships that can trigger concerns and then assigning a risk rate to the product or service. In the financial services arena where outsourcing can enable a small town bank to provide an array of accounts to match that of the big city brethren, the biggest and highest risk vendor is the data processor, including the vendor handling online banking services (if different). Critical and high risk vendors also include third parties who provide innovative products and services, like specialty accounts, reward programs, add-on products and other income-generating services. And, although the legal profession may not always like to remember that it is a “business,” lawyers clearly provide third party services that are subject to scrutiny.
Now let’s look at some contract issues that go beyond Contracts 101.
The usual contractual considerations must be covered, including a clear description of the scope of services, performance standards, warranties and penalties for breach, as well as good termination provisions. In the financial services area, many products use innovative technology and thus can be subject to intellectual property claims. It is especially important to assure that there are appropriate warranties and indemnities or defense obligations if at all possible. Furthermore, many services involve the sharing, permissibly under the Gramm-Leach-Bliley Act (GLBA), of consumer nonpublic information. No consent is needed from the customer for sharing. However, the vendor must provide representations and warranties regarding its procedures for safeguarding customer information. These must include technical, physical, and procedural systems including personnel training to assure that the systems work. In addition, the red flags in identity theft rules should also be covered. The financial institution should require provision of the vendor’s tech audit and a copy of its disaster recovery plan. Appropriate encryption systems should be in place where consumer information is transmitted by email.
By now, most vendors should be able to comply readily with the regulatory expectations for third parties. One sticky area is likely to be convincing professionals like attorneys that they are “vendors” and therefore subject to these requirements. As a practical matter, outside counsel must have systems in place to comply with the requirements for safeguarding consumer nonpublic information. While this may seem obvious on its face, one Texas bank was embarrassed when its collection attorney cleaned out his old files and merely dumped them without shredding. The dumpster was featured on the nightly news with the bank’s name visible on various loan documents.
Vendors should also be familiar with the laws and regulations that circumscribe their products and services, and their contracts should warrant compliance. Yet embarrassing allegations stemming from violations of the anti-kickback rules under the Real Estate Settlement Procedures Act still emerge due to the potential for hyper-technical analysis. Providing anything of value (no matter how small) can trip this one.
As in-house counsel works through the vendor management arena, it should be mindful of the possible tools to assist in compliance. Handbooks from the Federal Financial Institutions Council provide useful guidance, particularly with regard to tech contracts. A good approach in covering the bases is to develop a contract review template that captures the key elements and then acts as a checklist for the wary counsel. Having sample GLBA language regarding the safeguarding of information can be very useful as well.
Finally, we all remember the old lyrics, “breaking up is hard to do.” But the pain can be mitigated by excellent contract provisions from the outset and well-crafted review processes.