I sent this note to our general counsel:
I attended a Venminder webinar recently and below are a couple of slides to showcase the list of elements the new guidance outlines having in every contract and then specifically for critical vendor contracts.
It's interesting to see this. Some of these are confusing though. Is this something coming to you as major elements that the BANK should insist on? Or is it more from the vendor point of view? I ask because, for example, it says the contracts should include "limits on liability." These are in almost all of the vendor contracts you receive and in all of them, I would like to strike the provision. In these provisions, the Vendor tries to limit its liability to the Bank by saying that it will only be liable for what the bank has paid in some time period (i.e. the last 6 months). But the Bank wants them to be liable for 100% of the Bank's damages. So, if the software the Bank buys brings the system down, the Bank wants to be made whole and not just be paid for what the Vendor was paid. So it's all pretty tricky.
Does anyone have any feedback on clarification for her? Thank you in advance!
It's not uncommon for the purchasing party to want unlimited liability from the vendor or supplier. But it's also not uncommon for the vendor or supplier to want to negotiate an appropriate limit vs. agreeing to unlimited. The banking regulation doesn't state that the organization can't allow some liability limits or that the language should be stricken completely; what it states is that management needs to assess the limits compared to potential loss the organization might experience - so it's a risk-based decision.