Contract Management

 View Only
  • 1.  EULA's, Sales Order Forms, etc.

    Posted 10-18-2022 09:13 AM
    How does your organization address service/solution providers whose agreements are lacking in the legalese that is expected by governing bodies like FFIEC? With a lot of our technology service providers, we see them simply provide us a sales form or a EULA. I'm admittedly not very familiar with EULA's, but it's my understanding that it mainly protects the licensor. We also see sales sheets which require only our signature. 

    Does your organization accept this risk, do you request they sign your institutions contract (and if so, are the vendors receptive to this), or is there something else I'm missing? Any insight is greatly appreciated!

  • 2.  RE: EULA's, Sales Order Forms, etc.

    Posted 10-25-2022 10:27 AM

    Hi Jackson,

    Quite often with software service providers, we see that the vendor only provides an order form with a link to an online EULA or clickwrap agreement.  Dependent on the service/solution the vendor provides, I suggest having your legal team thoroughly review the terms to ensure your institution is protected.  If the service provider will have access to confidential or sensitive information, you could prepare an in-house Data Processing Addendum or other document including data protection, security and business continuity provisions to present on such occasions.  While there are no guarantees the vendor will sign this, it would be good practice to have one ready.  I would love to hear thoughts from others in the community on this.

  • 3.  RE: EULA's, Sales Order Forms, etc.

    Posted 11-04-2022 03:54 PM
    The Click-Through and Shrink Wrap End User Licensing Agreement problem! Exacerbated by the use of Value Added Resellers (VARs). 

    There are a few ways to tackle; none fun.
    As Heather suggested, have an agreement in hand to have the licensor execute; I call it a Shrink Wrap Addendum. It expressly states it supersedes the EULA and any online terms. I use it to cover confidentiality, security, IP Indemnification and limitation of liability concerns related to those three areas. :-) If there's data exchanged, I'll include our Data Processing Agreement. 

    The addendum must be simultaneously executed with any order forms, prior to the business getting hands on the software. With respect to signatures. If I have to sign, they have to sign. I use DocuSign today (maybe Adobe Sign tomorrow); and I control execution; that is, I issue the DocuSign request. The VARs can get in the way; but I tell the VAR, they need to provide me some Value in the transaction as well. So I have them drive/explain the requirements and help engage the licensor. I have some licensors say; take it or leave it. But a large number will work with us on an addendum or even with updating their EULA.  Keep in mind a Risk based approach. So sometimes you can accept the risk; but make that a formal process so you can demonstrate the business was made aware of the risk and they accepted (and track risk acceptance so you can report on it). 

    The real trouble is, most of us (in the Financial Industry) don't have robust Procurement processes. If you have a Purchase Order process, you can put some controls in place that force a pre-vetting of Technology; and ensure all engagements have a contract, even if it's just the contract you include on the back of the Purchase Order. Put all the FFIEC required terms there. :-) then every transaction has a contract. 

    The pre-vetting I do before I push the business to Venminder.  (the workflow in Venminder is still too heavy and manual to pre-screen)
    I treat Venminder as the Enhanced Due Diligence. and I keep the KY3/KYV process outside of Venminder.  I'm looking at other tools to support a Vendor Registration process; and KY3. I'm using my supplier diversity and ESG programs to support that side. 

    Good luck! :-)

    Bradley Martin