We developed a standalone third-party service agreement on Bank paper, currently with our legal team for fine-tuning so not in full production yet. The main driver was tightening up our risk management and ensuring that there was standardization in contract wording, provisions and SLAs across the bank.
We used the FDIC FIL 44 Guide to Managing Third Party Risk as a starting point. That guidance includes detailed contract and structuring recommendations:
FDIC: FIL-44-2008: Guidance for Managing Third-Party Risk
Also worked closely with business unit owners, specifically IT and InfoSec, on developing standardized SLAs and technical requirements such as encryption standards, etc., to build in.
My preference in negotiating contracts is to negotiate off the bank's contract versus trying to negotiate the bank's requirements into a third party's contract. As with all things third-party risk, in my experience it's vendor by vendor. Some vendors are willing to use a contract that is not on their own paper, some will not. If a vendor won't use our contract, we will negotiate our standardized wording in as much as we can depending on the risk.
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------
Original Message:
Sent: 10-06-2022 11:46 AM
From: Brandon Mayfield
Subject: Contracts
Is anyone using a standard Bank-drafted contract, agreement, or addendum to supplement any vendor contracts or MSAs they are asked to sign? Particularly for any vendors who create regulatory compliance risks and have access to customer data and information. Would appreciate any thoughts from anyone who has done this or explored this at their institution. Thank you!
------------------------------
Brandon Mayfield
Vendor Management
------------------------------