Skip to main content

Looking for Valuant? You are in the right place!

Valuant is now Abrigo, giving you a single source to Manage Risk and Drive Growth

Make yourself at home – we hope you enjoy your new web experience.

Looking for DiCOM? You are in the right place!

DiCOM Software is now part of Abrigo, giving you a single source to Manage Risk and Drive Growth. Make yourself at home – we hope you enjoy your new web experience.

Planning and contract negotiation for third party relationships

February 20, 2014
Read Time: 0 min

On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk. 

Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss inherent risks and evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite—what impact would such a relationship have? 

Banks are also encouraged to perform a cost-benefit analysis at this stage to determine if the potential benefit (e.g., cost reductions, expanded bank operations, increased efficiency, heightened expertise) outweighs the estimated cost (e.g., integration and subscription fees, training, additional staffing, interruption to existing programs) and how it might impact information security. A detailed process as to how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors when contracting critical activities. 

Once the board of directors has approved the third party relationship, management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also re-visit existing contracts to ensure they comply with risk controls and legal protections. 

The contract should also cover performance expectations, and it’s recommended for a bank to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure service availability, responsiveness of support requests, and/or updates or enhancement timelines.

Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships. 

About the Author


Raleigh, N.C.-based Sageworks, a leading provider of lending, credit risk, and portfolio risk software that enables banks and credit unions to efficiently grow and improve the borrower experience, was founded in 1998. Using its platform, Sageworks analyzed over 11.5 million loans, aggregated the corresponding loan data, and created the largest

Full Bio

About Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo's platform centralizes the institution's data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth.

Make Big Things Happen.