Our bank is FDIC-regulated, but even if you are not, I would recommend taking a look at the FDIC Guidance for Managing Third-Party Risk. Section 3 of that guidance goes into great detail concerning contracting recommendations. We initially used this guidance to build a checklist for business owners when reviewing contracts and have subsequently used it as the basis to build a TPRM standard contract. We tied each of the FDIC recommendations to a specific contract provision and are working to risk-rate those provisions, as they would not all be required or appropriate for each and every relationship.
I found it beneficial during this process of building the contract to work directly with our CISO on the technology requirements around data privacy. We did not want to be super granular and prescriptive in terms of technical requirements, for many reasons. Most important was that we did not want to age out the contract and tie it to technology that rapidly becomes obsolete, for example by requiring specific encryption. The second reason was that we want to take advantage of our vendors' knowledge and experience and allow them to implement cutting-edge technology without our contract hindering that evolution.
Below is the link to the FDIC guidance:
U.S. Federal Deposit Insurance Corporation. FIL-44-2008, Guidance for Managing Third-Party Risk. Available at: https://www.fdic.gov/news/financial-institution-letters/2008/fil08044a.html
Shelly
------------------------------
Shelly Chase
AVP Operational Risk
------------------------------