Risk Assessments

  • 1.  Bank outsourcing sale to Third Party agency

    This message was posted by a user wishing to remain anonymous
    Posted 02-19-2021 03:56 PM

    Hi everyone,

    In the third party variable model, if a Bank outsources the sale of credit cards, loans etc., the third party agency is responsible for all operational costs including salary, visa, office layout etc.
    The Bank pays a premium agreed amount on successful approved applications only.


    What will be all the inherent risks involved and what should be the risk controlling contract clauses?



  • 2.  RE: Bank outsourcing sale to Third Party agency

    Posted 02-24-2021 10:34 AM

    Hi,

    This question has many tentacles and we are still doing some research to provide a response but in the meantime, here are a few provisions that you may want incorporated into your contract:

    • Description of exactly what vendor will provide. Clearly defined terms of the rights and responsibilities of each party.
    • Definition of minimum service level requirements, remedies and penalties for failure to meet SLA.
    • Description of how fees are calculated for base services.
    • Provisions stating clear responsibility for costs related to facilitating the services.
    • Provisions addressing vendor-provided internal controls for maintaining and safeguarding institution's information.
    • Description of audit reports the institution is entitled to receive.
    • Provision for maintenance of Business Continuity/Disaster Recovery plans.
    • Description of any sub-contracting agreement and provisions for approval by institution.
    • Description of limitation of liability that can be incurred by vendor.


    Also, do you know if the agency will continue to have a relationship with customers after they're established with the bank? Is this considered a vendor relationship or a partnership?


    If anyone else has additional insight, please feel free to share!




  • 3.  RE: Bank outsourcing sale to Third Party agency

    Posted 02-24-2021 01:42 PM

    Hello,

    Thank you for the insights. We are still grappling with an out-of-the-ordinary agreement for auditing services, and one point that stood out was the firm's condition that they can request assistance or outsource part of the job to a foreign-based associate via a 'trusted cloud service'. We quickly crossed those two out. It still has to go through legal counsel review, but that will not work for the bank. You may want to consider addressing those issues in agreements, when relevant.


    Miguel J Truyol

    Senior Vice President & Chief Financial Officer


  • 4.  RE: Bank outsourcing sale to Third Party agency

    Posted 03-05-2021 02:25 PM
    I wanted to add some additional information to the response above.

    Some might mistake this engagement as a simple consulting arrangement. However, HR firms are almost always dealing with sensitive data (your employee data). As such, those HR firms must meet or exceed the same information security and privacy protection standards for which your company would be held accountable. I would suggest obtaining documents detailing Information Security and Privacy, including: 

    • Attestations or certifications for security controls, processing integrity, confidentiality, and privacy of their data systems. These certifications might include an SSAE SOC 2 Type II, ISO/IEC 27001 certification, penetration testing reports, or other third-party audits.
    • Information Security Program Documents, including policies and a list of controls.
    • Technical and procedural measures for network protection through a firewall.
    • Data Security policies that cover:
      1. Data classification and encryption methodologies
      2. Data loss prevention
      3. Data retention and destruction
      4. Documented incident response policy, standards, and processes
      5. Data security and confidentiality protections against threats or hazards
      6. Data privacy and confidentiality

    Additionally, to create an effective AAP (Affirmative Action Plan) process, HR firms must follow robust compliance requirements. A significant reason to pursue an AAP would be to enable regulatory reporting, such as an OFCCP (Office of Federal Contract Compliance Programs) report. I would want to review an inventory of the regulations they will consider for the AAP, making sure they are up to date.

    I would also request a recent copy of their general compliance policy and employee compliance training plan. The compliance policy and training plan should have been reviewed and/or updated within the last 12 months.

    Those are my thoughts. Does anyone have anything to add?