Contract Management

  • 1.  Minimum Contract Terms/Contract Language

    Posted 10-19-2021 10:47 AM
    Hi Everyone,

    I am a Senior IT Risk Analyst for an FI (and Director of Risk Management for a nonprofit), and I am seeking information/feedback/an answer to the following:

    In my experience, setting up minimum contract terms is more complex than it sounds, and often requires something like a checklist along with a process to document (and potentially remediate) gaps. Does anyone have a "minimum contract terms/language" template they use? (I also have an upcoming OCC examination and need this prior to their visit.)


  • 2.  RE: Minimum Contract Terms/Contract Language

    This message was posted by a user wishing to remain anonymous
    Posted 10-19-2021 11:34 AM

    We are not OCC regulated; however, we do use their guidance in part in developing our contract checklist:

    Contract Provisions - Required by Policy

    Legal review of contract (prior to executing) required for:
    · Operationally critical third parties,
    · Foreign based third parties,
    · Contracts >$100,000, or
    · Any complex contract at the discretion of the business unit.

    *An agreement with a foreign based 3rd party may be subject to interpretation by foreign courts relying on local laws, which may deal with enforcement of contracts differently.

    Confidentiality Agreement (includes NDA and important NPPI provisions)
    · This can be incorporated into the contract or be the standalone Confidentiality Agreement document available in SharePoint.

    Monitoring and performance standards (Service Level Agreement or SLA) establishing service expectations and metrics, and remedies or penalties if not met.

    Process to respond to a security or cybersecurity incident and breaches in data security, including notification requirements amongst the parties, regulators, and law enforcement.

    Indemnification to hold Bank harmless for any claims/liability resulting from vendor negligence.

    Contract Provisions - Recommended

    Confidentiality, security of information and encryption requirements.

    Nature and scope of arrangements/service:
    · Rights of each party,
    · Responsibilities of each party,
    · Timeframe of relationship (term),
    · Product/service(s) being contracted for,
    · Training to be provided to bank employees,
    · Support to be provided,
    · Customer service included.

    Responsibilities for providing and receiving information required to conduct business, and use of that information.

    Ownership and license:
    · Ability and circumstances under which service provider may use property, inclusive of data, hardware, software and intellectual property,
    · Ownership of any information generated by vendor,
    · *Ability to access source code and programs under certain circumstances* (if applicable).

    Cost and compensation:
    · Description of how fees are calculated and which party is responsible for any fees for non-recurring items or special requests, including:
    · Legal, audit or examination fees,
    · Expense related to purchasing and maintaining equipment, hardware or software.

    Business resumption and contingency plan of vendor in the event of operation failures, including:
    · Responsibility for backing up information,
    · Requirement to have and to maintain disaster recovery and contingency plans,
    · Responsibility for testing plans and providing testing results,
    · Remedies if the recovery standard is missed,
    · *Right to participate in BCP testing and/or be provided with a copy of testing results*.

    Notification and Bank approval of changes to service/product.

    Type and frequency of due diligence or other reports to be provided to the bank (i.e. usage, SOC, regulatory, audit, financials, BCP).

    Limits on liability (typically limited by vendor to 1 year of fees paid): review to determine if any limitation is reasonable compared to the amount of potential loss.

    Insurance (liability, cybersecurity insurance, etc.).

    Dispute resolution, including:
    · Choice of governing law [both domestic (state) and international (if foreign based service provider)],
    · Dispute resolution process (arbitration, mediation, etc.),
    · Continuation of arrangement between parties during the resolution process period.

    Compliance with laws, regulations and regulatory requirements, including:
    · Privacy laws and regulations relating to NPPI (nonpublic personal information), including state (MA General Law 201 CMR 17.00) and GLBA,
    · Subjection to regulatory examination oversight (will allow regulatory agencies to review vendor documents).

    Default and termination in the event the 3rd party: violates law, fails to meet performance standards, fails to provide required notices, increases cost substantially, or experiences bankruptcy, insolvency, closure, acquisition or merger. Should also address:
    · Notification requirements for 3rd party violations,
    · List of acceptable remedies and opportunities for curing,
    · Preservation and timely return of data, records and other resources.

    Record maintenance (example: software; if something is broken, need to notify).

    Terms relating to use of bank premises, equipment or employees (if applicable).

    Subcontracting and multiple service provider relationship requirements, including:
    · Permissibility/prohibition of 3rd party to subcontract or use another party to meet its obligations with regard to the contract, and any notice/approval requirements,
    · Clearly stating that vendor has accountability for all service it and its subcontractors provide,
    · Define services that may be subcontracted,
    · For critical vendors, vendor's due diligence process for engaging and monitoring subcontractors, to include assessment of financial condition,
    · Any limitations on subcontracting, such as prohibition of certain data or services being located or handled outside of the US.

    Controls at vendor are tested and audited independently if applicable to service or due diligence requirements (examples: independent audit for annual Service Organization Control Report (SOC), internal testing or independent model validation).

    The right to audit (by bank or bank's representatives) and to require remediation based on results.

    Identification of which party is responsible for delivery of customer statements or disclosures.

    Customer complaints received by 3rd party (who handles: Bank or 3rd party) and associated notice or reporting requirements.

    Internal controls will be maintained sufficient to reasonably ensure ability to perform services and to meet requirements (example: internal controls over financial reporting).




  • 3.  RE: Minimum Contract Terms/Contract Language

    Posted 11-29-2021 10:02 AM
    Hi Wesley, so we are not OCC regulated but are FDIC regulated.  The FDIC has a great resource that we use as one of the bases of our contract "checklist"; the link is below.  See section 3, Contract Structuring and Review.
    FDIC: FIL-44-2008: Guidance For Managing Third-Party Risk

    The contract matrix we have created includes the following:

    Confidentiality, security of information and encryption requirements.

    Monitoring and performance standards (Service Level Agreement or SLA) establishing service expectations, metrics by which service will be measured, and remedies or penalties if agreed upon service levels are not met.

    Nature and scope of arrangements/service:
    · Rights of each party,
    · Responsibilities of each party,
    · Timeframe of relationship (term),
    · Product/service(s) being contracted for,
    · Training to be provided to bank employees,
    · Support to be provided,
    · Customer service included.

    Responsibilities for providing and receiving information required to conduct business, and use of that information.

    Ownership and license:
    · Ability and circumstances under which service provider may use property, inclusive of data, hardware, software and intellectual property,
    · Ownership of any information generated by vendor,
    · *Ability to access source code and programs under certain circumstances*.

    Cost and compensation - description of how fees are calculated and which party is responsible for any fees for non-recurring items or special requests, including:
    · Legal, audit or examination fees,
    · Expense related to purchasing and maintaining equipment, hardware or software.

    Business resumption and contingency plan of vendor in the event of operation failures, including:
    · Responsibility for backing up information,
    · Requirement to have and to maintain disaster recovery and contingency plans,
    · Responsibility for testing plans and providing testing results,
    · Remedies if the recovery standard is missed,
    · *Right to participate in BCP testing and/or be provided with a copy of testing results*.

    Notification and Bank approval of changes to service/product.

    Type and frequency of due diligence or other reports to be provided to the bank (i.e. production, QA, usage, SOC, regulatory, audit, financial, BCP and testing and results).

    Indemnification to hold Bank harmless for any claims/liability resulting from vendor negligence.

    Limits on liability: review to determine if any proposed damage limitation is reasonable compared to the amount of potential loss.

    Insurance (liability, cybersecurity insurance, etc.).

    Dispute resolution, including:
    · Choice of governing law [both domestic (state) and international (if foreign based service provider)],
    · Dispute resolution process,
    · Continuation of arrangement between parties during the resolution process period.

    Compliance with laws, regulations and regulatory requirements, including:
    · Privacy laws and regulations relating to NPPI (nonpublic personal information), including state (MA General Law 201 CMR 17.00) and GLBA,
    · Subjection to regulatory examination oversight (will allow regulatory agencies to review vendor documents).

    Process to respond to a security or cybersecurity incident and breaches in data security, including notification requirements amongst the parties, regulators and law enforcement, and continuation of service.

    Default and termination in the event the 3rd party: violates law, fails to meet performance standards, fails to provide required notices, increases cost substantially, or experiences bankruptcy, insolvency, closure, acquisition or merger. Should also address:
    · Notification requirements for 3rd party violations,
    · List of acceptable remedies and opportunities for curing,
    · 3rd party's preservation and timely return of data, records and other resources.

    Record maintenance (i.e. software; if something is broken, need to notify).

    Terms relating to use of bank premises, equipment or employees (if applicable).

    Notifications of subcontracting and multiple service provider relationships, including:
    · Clearly stating that vendor has accountability for all service it and its subcontractors provide,
    · Define services that may be subcontracted, and vendor's due diligence process for engaging and monitoring subcontractors, to include assessment of financial condition.

    Any limitations on subcontracting, such as prohibition of certain data or services being located or handled outside of the US.

    Permissibility/prohibition of 3rd party to subcontract or use another party to meet its obligations with regard to the contract, and any notice/approval requirements.

    Controls at vendor are tested and audited independently.

    The right to audit and to require remediation (by bank or bank's representatives).

    Identification of which party is responsible for delivery of customer statements or disclosures.

    Customer complaints received by 3rd party (who handles: Bank or 3rd party) and associated notice or reporting requirements.

    Internal controls required of vendor (not previously addressed).



    ------------------------------
    Shelly Chase
    Senior Risk Analyst Officer
    ------------------------------



  • 4.  RE: Minimum Contract Terms/Contract Language

    Posted 11-29-2021 11:03 AM
    Hi Wesley.  We created an Excel spreadsheet which helps us to ensure that we understand the terms of the contract, but also to document any changes we requested to the contract language.  We use this in conjunction with a risk review worksheet which the business area completes.  I save this document and use it when necessary to demonstrate how we determined that the contract addresses the appropriate controls as it relates to a regulation, and to ensure the contract terms match our minimum standards whenever possible.  We also maintain a library of standard (pre-approved) contract clauses that correspond with many of the items on this list, allowing for a quick redline when needed.

    Hope this is helpful.

    SECTION 3 - TERM | YES | NO | N/A | Redlined | COMMENTS
    Are term/termination rights/renewal procedures defined adequately?
        One year, two year, three year contract?
        Does the contract auto-renew?
        Notice for term 30/60/90?
        Can we terminate for convenience?
        Is there a termination fee?
        For breach, notice period required? Cure period?
    Are transition services required when contract ends? Incorporated into contract terms?
    Is return of materials addressed if needed?
    Is "keep one copy for regulatory purposes" addressed?
    SECTION 4 - PRICING/FEES | YES | NO | N/A | Redlined | COMMENTS
    Does pricing represent what was agreed upon via proposal?
    Is it clear how pricing is configured? By user, by license, time and materials, fixed fee?
    Are there minimum fees? User thresholds?
    Does invoice address reflect new AP email?
    Have we agreed to pay for expenses?
    Expenses in accordance with our travel policy?
    Payment in US dollars?
    Paid by invoice? Within 30 days?
    Price increase (CPI) for successive years? Capped at 5%?
    Late payment penalties? Limit to 1% per month.
    Dispute of fees (within 30, 60, 90 days)? Can we withhold disputed fees Y/N?
    Do we need to retain fees against completion of the project (retainage)?
    Tax clause addressed?
    Taxes included on bills?
    No responsibility for their income tax?
    SECTION 5 - INTELLECTUAL PROPERTY | YES | NO | N/A | Redlined | COMMENTS
    Is supplier creating any deliverables for us which we would want to own?
    Does contract define who owns what?
    Does the supplier grant ownership of deliverables to us? If the deliverables are specially commissioned by us, we should own all rights in the deliverables. At a minimum, we should have a worldwide, perpetual, royalty-free license to use, execute, reproduce and modify the deliverables.
    Does the contract warrant that the services and deliverables provided by the vendor will not infringe any intellectual property (e.g., copyright, patent, trademark, trade secret) or any other rights of third parties?
    Is there a remedy or right to term if it can't be conformed?
    SECTION 6 - SERVICE LEVEL AGREEMENTS | YES | NO | N/A | Redlined | COMMENTS
    Do we need service SLAs in contract to govern availability, uptime, response time, capacity, support, retention, call pick up, etc.?
        Penalties for failure?
    Warranty
    Are there security SLAs in contract to govern security requirements and/or personal data protection?
    SECTION 7 - CLOUD HOSTED CONCERNS | YES | NO | N/A | Redlined | COMMENTS
    Is a third party providing cloud hosting?
    Clause in contract to ensure third party provider adheres to terms of our contract with supplier?
    Is the service in the cloud an application that we just use for processing, no storage?
    Is the service in the cloud an application that we use and store our data there (Software as a Service)?
    SECTION 8 - DATA SECURITY | YES | NO | N/A | Redlined | COMMENTS
    Storing or transmitting confidential info?
    Does it fall under requirements of NYDFS Cyber Security Regulation? Has appropriate data security language been added to agreement? Control docs reviewed?
    Does it fall under requirements of HIPAA?
    Do we have a completed/approved SSAE18 or SOC II report or Cyber Security Questionnaire on file?
    If service is critical to operations, do we have their BCDR plan on file?
    Is breach notification within 24 hours language incorporated?
    Is end of agreement data handling addressed?
    Are they a Tier 1 or Tier 2 supplier?
    SECTION 9 - CONSTRUCTION/LEGAL TERMS | YES | NO | N/A | Redlined | COMMENTS
    Is the governing contract referenced correctly?
    Is order of precedence clear?
    If affiliate usage is required, is affiliate language included?
    Notice provisions included? In writing, trackable delivery?
    If subcontracted work is authorized, have we incorporated subcontractor clause?
    Publicity (exclude right to use our name in publicity)
    Force majeure? Right to term if not resolved in 30/45 days?
    Relationship between parties (defined)?
    Assignment rights? Mutual? Written consent only, or no consent needed to affiliate or successor?
    Governing law: governed by laws of CT or NY?
    Venue: NY or CT?
    Dispute resolution? Arbitration? Location? Prevailing party pays attorney fees?
    Time limit on legal claims?
    Whole agreement? Supersedes all others?
    Amendments in writing only?
    Notify counsel of other covenants (non-solicit, do not hire, other restrictions)
    Is protection of confidential information addressed adequately? Confidentiality incorporated? Separate NDA in place?
    Is sharing of information with auditors, regulators, counsel, consultants (as needed) allowed without requiring notice?
    Privacy - notify attorney overseeing privacy - what data is being collected or shared? Do we have consent from customer for use?
    Does supplier have a privacy policy and/or acceptable use policy? Are terms acceptable?
    If they perform a function for us which fulfills a regulatory requirement on our behalf, have we notified Compliance?
    If they touch our internal controls, have we notified Audit and requested a SOC 1 report?
    SECTION 10 - REPS AND WARRANTIES | YES | NO | N/A | Redlined | COMMENTS
    Warrant that no staff will be posted with us who have a felony. Background checks required and legal to work in US. Credit check for those working with money.
    Conduct services in compliance with applicable laws and regulations
    Services and deliverables will materially conform to the specifications in the SOW
    Entering into this agreement will not breach or violate terms of any other agreement
    They will maintain insurance coverage during the term listing us as additional insured. Cyber coverage?
    SECTION 11 - LIABILITY AND INDEMNIFICATION | YES | NO | N/A | Redlined | COMMENTS
    Are hold harmless and indemnification clauses acceptable?
    Indemnification for infringement, breach of confidentiality, misuse of services, willful misconduct, gross negligence
    Is the remedies provision adequate? Review remedies provisions. Determine the worst that can happen if a default occurs. Explore ways to limit liability. Also determine what types of remedies we need in the event of default by the other party.
    Are there limits to their liability? Ours? Exceptions? Cap on liability? Terms acceptable?
    Carve outs for infringement, breach of confidentiality, willful misconduct, criminal activity, negligence to the extent not already indemnified
    SECTION 12 - AUDIT RIGHTS | YES | NO | N/A | Redlined | COMMENTS
    Do we need audit rights included in the contract for us?
    Are audit rights included for them?
    Is notice period defined and appropriate?
    Handling of expenses addressed?
    Are penalties for nonconforming use addressed?