Financial institutions, lenders, and settlement service providers must consider several factors when negotiating vendor management agreements from both business and regulatory perspectives. The procurement process is critical to making certain the vendor is fully vetted before any services contract is signed. The vendor must be able to demonstrate that it has policies and procedures in place that will provide the necessary level of protection, including IT security requirements, disaster recovery plans, business continuity plans, adequate insurance, and background checks for certain types of vendors. These requirements should be part of any vendor agreement.
Selection and Oversight: Vendor procurement and oversight are key to an effective and complete compliance management system. The procurement process should document how vendors are selected and how the risks each vendor presents are identified and addressed. Vendor agreements and supporting procurement information, as well as audit reports, should be stored centrally (if possible) to facilitate regulator review and to demonstrate the rigor and due diligence of an institution’s vendor selection and monitoring processes. Provisions allowing for post-selection oversight and audits should likewise be included. Institutions should insist on the right to review the vendor’s self-audits, particularly those relating to data security and security testing, and should bear in mind that a self-audit is only as reliable as the vendor conducting it; where the service is critical, the right to require or review an independent assessment is worth negotiating. Service Level Agreements (SLAs) should establish measurable metrics for the vendor’s performance, particularly if the service is essential to the customer experience.
Incorporating Terms and Conditions: All too often, institutions sign relatively short agreements that appear to cover the vendor’s services but overlook a reference in the agreement to the vendor’s online terms and conditions, which may be onerous and which the vendor can typically change at will. All terms and conditions should be incorporated into the executed agreement, and any change to them should require the institution’s written consent.
Regulatory Compliance: Regulatory changes such as the TRID (TILA-RESPA Integrated Disclosure) and ATR/QM (Ability-to-Repay/Qualified Mortgage) Rules need to be considered when drafting the representations and warranties that are at the core of most vendor agreements. For example, an institution may need to include representations and warranties that TRID calculations are being performed correctly, and that any third-party software used by the vendor complies with state and federal requirements.
Data Security: Institutions should keep their technology and information security teams in the loop to ensure that the institution’s data and systems are adequately protected, especially when vendors will have access to sensitive data. Vendors should be required to notify the institution of any data breach promptly and within a contractually defined period, without waiting for the institution to ask. Agreements should also give the institution access to the information gained in the vendor’s investigation of the breach, so that the institution can meet its own notification and reporting obligations. Finally, always make certain that the vendor is required to carry adequate insurance to cover any such breach.
Limitations of Liability/Indemnification: The broader the vendor’s indemnification obligations, the better. Institutions should also take care to make certain that the agreement does not include a cap on liability that fails to cover potential exposure. To the extent that a risk is supposed to be insured by the vendor, consider adding a provision that requires the vendor to indemnify up to the amount of any required insurance if that policy is allowed to lapse.
In short, institutions should scrutinize vendors as part of their compliance management system to be certain the vendor has sufficient systems, procedures, protections, and insurance in place before any agreement is signed. Last, but certainly not least, follow through on audits and mandate regular proof of insurance to ensure that vendors are living up to their end of the bargain.