LO 57.3: Describe topics and provisions that should be addressed in a contract with a third-party service provider.
Considerations and contract provisions for third-party service providers should include the following elements:
Scope. A contract will state the rights and responsibilities of each party. Examples include (1) contract duration, (2) support, maintenance, and customer service, (3) training of financial institution employees, (4) policies regarding subcontracting, (5) insurance coverage, and (6) policies regarding the use of the financial institution's assets and employees.
Cost and compensation. A contract should indicate the party (or parties) responsible for the payment of any equipment purchases, legal fees, and audit fees pertaining to the service provider's activities. In addition, there should be a listing of all forms of compensation (i.e., fixed, variable, special charges).
Incentive compensation. A contract should include a provision to allow the financial institution to review the appropriateness of incentive compensation (if applicable). Specifically, the service provider may be involved in sales on behalf of the financial institution. Therefore, the incentives should be structured to ensure that the service provider places the interests of the customers (i.e., suitable financial products) over their own interests (i.e., earning higher fees) and to ensure that the service provider does not expose the financial institution to excessive risks.
Right to audit. A contract could optionally contain a provision to allow the financial institution to audit the service provider. It may also require the receipt of various audit reports [e.g., American Institute of Certified Public Accountants (AICPA) Service Organization Control 2 report, Federal Financial Institutions Examination Council (FFIEC) Technology Service Provider examination report] relating to the service provider at stipulated intervals.
2018 Kaplan, Inc.
Page 261
Topic 57 Cross Reference to GARP Assigned Reading – Board of Governors of the Federal Reserve System
Establishment and monitoring of performance standards. A contract should state specific and measurable performance standards (i.e., metrics) with regard to the service provider's work.
Oversight and monitoring. A contract should include a provision requiring the service provider to provide annual financial statements (and the annual report, if applicable) to the financial institution to allow the financial institution to monitor the service provider's ability to continue as a going concern. In addition, a provision should be included to allow the financial institution to increase monitoring and oversight activities when performance deficiencies, control weaknesses, and viability concerns are noted. With regard to higher-risk service providers, a contract could stipulate extra reporting by the service provider or additional monitoring by the financial institution.
Confidentiality and security of information. A contract must contain extensive provisions concerning the confidentiality and security of information pertaining to both the financial institution and its customers. The service provider should only be given such information as is necessary to perform its tasks. Specifically, in the United States, the FFIEC guidance and section 501(b) of the Gramm-Leach-Bliley Act must be followed and should be noted in the contract.
With regard to nonpublic personal information (NPPI) pertaining to the financial institution's customers, a contract should address access, security, and retention of NPPI data by the service provider (if applicable) to comply with privacy laws and regulations. A contract should also require the service provider to give notice to the financial institution of any breaches of data. In that regard, a contract needs to clarify the parties' roles and responsibilities pertaining to NPPI data.
Ownership and license. A contract should state when service providers are permitted to use the financial institution's property (i.e., data and equipment). In addition, clarification is needed regarding the ownership and control of data produced by a service provider. In the event of software purchased from a service provider, it could be necessary to have escrow agreements in place so that the financial institution could access the source code and programs under certain conditions, such as discontinued product support or insolvency of a service provider.
Indemnification. A contract should require the service provider to indemnify (i.e., hold harmless) the financial institution in the event of any legal proceedings arising from the service provider's negligence.
Default and termination. A contract should clarify the types of actions that would constitute a default together with any reasonable remedies that could be undertaken by the financial institution and methods to overcome default by the service provider. In terms of termination, common reasons, such as change in control, poor performance, and nonperformance of duties, should be explained and measured. There should be a provision that requires the service provider to give sufficient notice of termination to the financial institution in the event of a termination by the service provider. Finally, it is important to include provisions detailing the service provider's requirement to return the financial institution's data, records, and any other property.
Dispute resolution. A contract should lay out an agreed-upon dispute resolution plan to resolve disputes quickly and minimize disruption during a dispute.
Limits on liability. A contract may allow for service providers to limit their liability subject to approval by the financial institution's board of directors and management team.
Insurance. A contract should stipulate the requirement of service providers to carry sufficient insurance and provide evidence of coverage. In addition, any significant changes in coverage should be communicated to the financial institution.
Customer complaints. A contract should state which party will deal with customer complaints. If it is the service provider, then they should be required to prepare reports to the financial institution listing the complaints and their status.
Business resumption and contingency plan of the service provider. A contract should detail how the service provider will continue to provide services should a major disaster occur. The focus should be on critical services and any necessary alternative arrangements. Other items, such as backups, disaster recovery and business continuity plans, responsibility for maintaining and testing of such plans, and frequency of testing of such plans, should be included.
Foreign-based service providers. A contract could attempt to provide for the law and regulations of only one jurisdiction (i.e., the financial institution's) to apply for the purposes of contract enforcement and resolution of disputes. This would avoid potentially confusing situations where the foreign laws differ substantially from local laws.
Subcontracting. The subcontractor should be held to the same contract terms in the event that subcontracting is permitted. The contract should explicitly state that the primary service provider is ultimately responsible for all the work performed by the service provider and its subcontractors. The contract should provide a list of acceptable tasks that may be subcontracted and how the primary service provider will supervise and review the subcontractor's work. Finally, the primary service provider's method of performing financial due diligence on the subcontractor should be documented in the contract.
Key Concepts
LO 57.1 The following risks could arise when a financial institution outsources its operational functions to third-party service providers: (1) compliance risk, (2) concentration risk, (3) reputation risk, (4) country risk, (5) operational risk, and (6) legal risk.
An effective program to manage outsourcing risk should include (1) risk assessments, (2) due diligence in selecting service providers, (3) contract provisions, (4) incentive compensation review, (5) oversight and monitoring of service providers, and (6) business continuity and contingency plans.
LO 57.2 In performing due diligence on a third-party service provider, a financial institution should involve any relevant technical specialists and/or important stakeholders. The three key areas of review include (1) business background, reputation, and strategy; (2) financial performance and condition; and (3) operations and internal controls.
LO 57.3 Considerations and provisions that should be addressed in a contract with a third-party service provider include the following: (1) scope, (2) cost and compensation, (3) incentive compensation, (4) right to audit, (5) establishment and monitoring of performance standards, (6) oversight and monitoring, (7) confidentiality and security of information, (8) ownership and license, (9) indemnification, (10) default and termination, (11) dispute resolution, (12) limits on liability, (13) insurance, (14) customer complaints, (15) business resumption and contingency plan of the service provider, (16) foreign-based service providers, and (17) subcontracting.
Concept Checkers

1. Bank Inc. (Bank) operates in the United States and has a service contract in place with Service Co. (Service), which operates in France. Service manages a significant amount of confidential customer data for Bank, and recently a computer glitch at Service resulted in the accidental public disclosure of confidential customer data. As a result of the data breach, which of the following risks is Bank least likely to face?
A. Compliance risk.
B. Country risk.
C. Legal risk.
D. Operational risk.

2. Which of the following statements regarding risk management programs with service providers to manage outsourcing risk is correct?
A. The program should focus on business continuity and contingency plans.
B. The program should contain more detail if there are only a few outsourced activities to established service providers.
C. The program should contain adequate oversight and controls over all activities that impact the financial institution.
D. The program should require risk assessments to be updated as a result of updated risk mitigation techniques on a sufficiently regular basis.

3. When performing due diligence on a service provider, ascertaining the sufficiency of its insurance coverage would most appropriately be covered under which of the following categories?
A. Business background, reputation, and strategy.
B. Financial performance and condition.
C. Operations and internal controls.
D. Oversight and monitoring.

4. The use of performance metrics to assist in determining an acceptable level of performance by a service provider would most appropriately be included in which of the following provisions of a contract with a financial institution?
A. Customer complaints.
B. Default and termination.
C. Indemnification.
D. Right to audit.

5. Which of the following provisions would a financial institution least likely include in a contract with a third-party service provider?
A. Establishment and monitoring of performance standards.
B. Indemnification.
C. Ownership and license.
D. Right to audit.
Concept Checker Answers
1. B Country risk refers to using a service provider based in a foreign country and subjecting the financial institution to potential economic and political risks in that country. Clearly, it is not a relevant risk arising from the breach of confidential customer data.
Compliance risk is a possibility given the apparent lack of security controls of the service provider that resulted in the data breach. Operational risk is clearly a relevant risk to the financial institution here given the data breach caused by the service provider. Legal risk is clearly a relevant risk given that the customers affected by the data breach may sue the financial institution as a result of the breach.

2. A Unexpected events could result in the inability of the service provider to provide its services to the financial institution. Depending on the nature and importance of the services provided, the financial institution may be exposed to substantial losses as a result of the inability of the service provider to provide its services. Therefore, business continuity and contingency plans should be a key focus in any risk management program with service providers.
The program should contain less detail if there are only a few outsourced activities to established service providers given that the risk to the financial institution would be reduced substantially as a result of the service provider being established. The program should not deal with all activities that impact the financial institution but instead focus only on those that have a material impact. The program should require risk mitigation techniques to be updated on a sufficiently regular basis as a result of updated risk assessments.

3. B A review of a potential service provider's financial performance and condition would include queries regarding its level of insurance coverage.
The area of business background, reputation, and strategy takes a more global view of the service provider and would be far less concerned with financial matters such as insurance. Operations and internal controls deal with compliance with relevant laws and regulations, for example, and would be less concerned with financial matters such as insurance. Oversight and monitoring is not an element within the due diligence process, but it is one of the elements (together with due diligence) of an effective risk management program with service providers.

4. B With regard to the default and termination provision, common reasons include poor performance and nonperformance of duties, which would be detected through the use of performance metrics. The customer complaints provision deals with which party will deal with customer complaints. The indemnification provision deals with the service provider indemnifying the financial institution in the event of any legal proceedings arising from the service provider's negligence. The right to audit provision deals with allowing the financial institution to audit the service provider.

5. D The right to audit provision is optional and is the least important provision of the four listed.
The use of performance standards is essential for monitoring and oversight purposes that may result in the determination of default by the service provider and possible termination of the contract. The indemnification provision is important because it deals with the service provider indemnifying (i.e., holding harmless) the financial institution in the event of any legal proceedings arising from the service provider's negligence. The ownership and license provision is crucial because it would state when service providers are permitted to use the financial institution's property (i.e., data and equipment) as well as clarify the ownership and control of data produced by a service provider.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Basel I, Basel II, and Solvency II
Topic 58
Exam Focus
This topic provides an overview of the international capital standards put in place by the Basel Committee on Banking Supervision. Basel I (1988) contained the first steps toward risk-weighting bank activities on- and off-balance sheet to relate required capital to risk. Basel I was the first to set a capital to risk-weighted assets requirement, but it only considered credit risk, not market or operational risk. Basel II took a more sophisticated approach to measuring bank credit risk, market risk, and operational risk. For the exam, understand the contribution Basel II makes to risk measurement, and know the differences between the methods used to calculate various risks. Also, know the difference between Basel II and Solvency II, a similar international standard for insurance companies, and the likely repercussions a firm will face if it breaches the standards. In addition, be able to calculate a bank's required capital under the various regimes. One of the recurring themes in this topic is the difference between a standardized approach for measuring risk, used by less sophisticated banks (and insurance companies), and an internal approach that is firm specific and more complex but often lowers required capital because it allows banks to use their own model inputs and considers the correlations between assets.