
Planning and contract negotiation for third party relationships

Sageworks
February 20, 2014

On December 5, 2013, shortly after the OCC release, the Board of Governors of the Federal Reserve System issued “Guidance on Managing Outsourcing Risk” to supplement guidance previously issued on technology service provider risk. As banks continue to increase the number and complexity of third-party relationships, the OCC is concerned that the quality of risk management in the relationship may not be commensurate with the level of inherent risk. 

Prior to entering into a third-party relationship, management should develop a plan establishing the goal of the relationship and the scope of the contract. This enables the bank to discuss inherent risks, evaluate how the contracted activity relates to the bank’s overall strategic goals, objectives and risk appetite, and ask what impact such a relationship would have.

Banks are also encouraged to perform a cost-benefit analysis at this stage to determine whether the potential benefit (e.g., cost reductions, expanded bank operations, increased efficiency, heightened expertise) outweighs the estimated cost (e.g., integration and subscription fees, training, additional staffing, interruption to existing programs) and how the relationship might impact information security. When contracting critical activities, a detailed process for how the bank will select, assess and oversee the third party must be presented to and approved by the bank’s board of directors.

Once the board of directors has approved the third-party relationship, management will likely negotiate or review a contract detailing the responsibilities of each party. Contracts should fully describe compensation, fees and the circumstances under which the cost structure may be changed. Moreover, contracts need to specify what constitutes default and stipulate the conditions for termination. Banks should also revisit existing contracts to ensure they comply with risk controls and legal protections.

The contract should also cover performance expectations, and banks are advised to use industry standards to evaluate the contract’s service level agreement. For software, these standards might measure service availability, responsiveness to support requests, and/or update or enhancement timelines.

Again, senior management will need to get approval from the board on all contracts, prior to execution, when critical activities are involved.

For more information on the risk management process and best practices for evaluating third-party relationships, download the whitepaper: Risk Management Guidance on Third Party Relationships. 

About the Author

Sageworks

Raleigh, N.C.-based Sageworks, a leading provider of lending, credit risk, and portfolio risk software that enables banks and credit unions to efficiently grow and improve the borrower experience, was founded in 1998. Using its platform, Sageworks analyzed over 11.5 million loans, aggregated the corresponding loan data, and created the largest
