
Ten Step Program to Reduce Risk in Financial Services Outsourcing


Ten recommendations to help financial institution executives understand the risks and rewards in outsourcing core functions and to address those risks effectively.

Published in: Technology, Economy & Finance

  1. Ten Step Program to Reduce Risk in Outsourcing Agreements. Leslie F. Spasser, LeClairRyan, P.C., Norfolk, Virginia
  2. Hallmarks of Outsourcing Agreements
     • Mission critical services
       ◦ Online Banking
       ◦ Loan Processing and Origination
       ◦ Mobile Applications
     • Multi-year, long-term contracts
     • A few large vendors dominate the industry
     • Complex agreements on the vendor's form
     • Hosted services/cloud services
  3. Step One: Lay the Foundation
     • Conduct thorough and effective due diligence
       ◦ Financial condition
       ◦ Security
       ◦ Disaster Recovery
       ◦ Regulatory compliance issues
       ◦ Customer references
         ▪ Talk to current and former customers of the vendor
  4. Step Two: Cover Me
     • Evaluate insurance coverage requirements
       ◦ Vendor's levels of coverage
       ◦ Vendor's types of coverage
         ▪ All banking technology vendors should have ample cyber-liability coverage that covers security breaches and technology errors and omissions
       ◦ Evaluate the bank's insurance coverage
         ▪ Consider purchasing cyber-liability policies
         ▪ Ensure cyber-liability policies cover vendor breaches
  5. Step Three: Location, Location, Location
     • Know where your data is being hosted
       ◦ Include limitations, where appropriate (e.g., in the US)
       ◦ Ensure limitations cover both primary facilities and backup or disaster recovery facilities
     • Ensure that the vendor does not outsource services outside of the US without your consent
  6. Step Four: Prepare for Armageddon
     • Review the vendor's Disaster Recovery (DR) plan
     • Include contractual requirements that the DR plan remain the same or improve
     • Provide for regular testing of DR processes
     • Be sure that the timing of service restoration meets your needs
     • Ensure that Force Majeure provisions do not eviscerate DR obligations
  7. Step Five: Consistency is No Hobgoblin
     • Obtain service level commitments
       ◦ Availability of service/uptime
       ◦ Time to respond to/repair problems
     • Include appropriate service level credits
     • Provide the right to terminate for chronic service level failures
     • Look closely at the vendor's "exclusions" from SLA requirements
  8. Step Six: Remember Your Regulators
     • Require vendor compliance with applicable regulations
       ◦ Reporting
       ◦ Responsiveness
       ◦ Security/Privacy
     • Require vendor cooperation with regulatory audits imposed on the bank
     • Require notice if the vendor runs into regulatory problems
  9. Step Seven: Trust but Verify
     • Audit right for fees/charges
     • Audit right for privacy/data security compliance
       ◦ SSAE 16
       ◦ Intrusion tests
     • Access to security audit reports conducted for the vendor by third parties
     • Require correction of audit exceptions
     • Flow down to the vendor's vendors
  10. Step Eight: What's Mine is Mine
     • Clearly define ownership of the bank's data, both data entered into the system and data processed by the system
     • Retain ownership of confidential information
     • Beware of broad vendor claims of ownership of the platform or of deliverables developed for the bank
     • Beware of provisions permitting the vendor to "own" aggregated data
  11. Step Nine: Take it to the Limit
     • Look closely at limitations of liability
     • Exclude vendor indemnification obligations
     • Exclude data breaches and breaches of confidentiality
     • Ensure that the dollar limit provides sufficient coverage for expedited replacement of the vendor in the event of a breach
  12. Step Ten: Begin with the End in Mind
     • Provide clear deconversion/transition obligations
     • Provide a timeline that meets the bank's needs
     • Clearly define fees and limits
       ◦ Require the vendor to provide a deconversion fee schedule and limit increases
       ◦ Avoid up-front payment in full
       ◦ Provide for deconversion to be subject to the terms and conditions of the Agreement