BANK VENDOR MANAGEMENT:
UNDERSTANDING THE RISK MANAGEMENT LIFE CYCLE
AND AVOIDING THE PITFALLS
MARCH 25, 2015
These materials have been prepared by Poyner Spruill LLP for informational purposes
only and are not legal advice. This information is not intended to create, and receipt of it
does not constitute, a lawyer-client relationship.
Overview
• Goals of Session
– Understand risks associated with using vendors
– Understand general regulatory requirements
– Understand how to identify “critical vendors”
– Understand the risk management life cycle
Understanding Vendor Risks
• “The buck stops with YOU”: Reliance on outside vendors
(including compliance consultants) to provide services or
operations to the bank does not relieve a bank from
potential liability or from its responsibility to ensure that
outsourced activities are conducted in a safe and sound
manner and in compliance with applicable laws.
• As a result, problems experienced by vendors can
become the bank’s problems.
Vendor Risks: Cautionary Tales
• In 2014, the OCC & CFPB assessed $57 million in fines and restitution
against U.S. Bank in Cincinnati for overcharging more than 420,000
consumer accounts for add-on services (such as credit monitoring and
identity theft protection). Accounts were charged by the vendor,
Affinion and its subsidiary Trilegiant, and errors were discovered by
the bank. The bank terminated the vendor relationship but was still
fined two years after the relationship ended.
• In 2013, a processing center for banking software provider Jack Henry
& Associates was flooded by Hurricane Sandy. Bank clients had
transaction processing disruptions and the vendor faced regulatory
enforcement action for failure to resume operations in a timely
manner.
Vendor Risks: Cautionary Tales
• In 2013, First California Bank was fined by the FDIC for unfair and
deceptive trade practices because its vendor Achieve promoted
certain features on Achieve’s website related to a prepaid reloadable
MasterCard product that weren’t actually available.
• In 2012, the OCC fined Capital One Bank $35 million for failure to
develop a comprehensive enterprise risk management system after
one of its vendors was offering debt cancellation and credit monitoring
programs in an unfair and deceptive manner.
• In 2012, the FDIC and FinCEN fined First Bank of Delaware $15
million for failure to implement an effective BSA/AML compliance
program – specifically, failure to adequately oversee payment
processor relationships and related products and services in a manner
commensurate with associated risks.
Categories of Vendor Risks
• Reputation risk. Reputation risk is the risk arising from
negative public opinion. Vendor relationships that result in
dissatisfied customers, interactions not consistent with
institution policies, inappropriate recommendations,
security breaches resulting in the disclosure of customer
information, and violations of law and regulation are all
examples that could harm the reputation and standing of
the financial institution in the communities it serves. Also,
any negative publicity involving the vendor, whether or not
the publicity is related to the institution's use of the vendor,
could result in reputation risk to the institution itself.
Categories of Vendor Risks
• Operational risk. Operational risk is the risk of loss
resulting from inadequate or failed internal processes,
personnel, and systems, or from external events. Vendor
relationships often integrate the internal processes of
other organizations with the bank's processes and can
increase the overall operational complexity.
Categories of Vendor Risks
• Transaction risk. Transaction risk is the risk arising from
problems with service or product delivery. A vendor's
failure to perform as expected by customers or the
financial institution due to reasons such as inadequate
capacity, technological failure, human error, or fraud
exposes the institution to transaction risk. The lack of
effective business resumption and contingency plans
increases transaction risk. Weak control over technology
used in the vendor arrangement may result in threats to
security and the integrity of systems and resources. These
issues could result in unauthorized transactions or the
inability to transact business as expected.
Categories of Vendor Risks
• Financial or credit risk. Financial or credit risk is the
risk that a vendor, or any other party necessary to the
vendor relationship, is unable to meet the terms of the
contractual arrangements with the financial institution or
to otherwise financially perform as agreed. Thus, the
financial condition of the party is a key factor in
assessing credit risk.
Categories of Vendor Risks
• Legal and compliance risk. Legal risk arises when a
vendor exposes a financial institution to legal expenses
and possible lawsuits or even criminal charges.
Compliance risk arises when a vendor violates applicable
laws, rules or regulations or the institution’s own internal
policies/procedures or business standards.
Categories of Vendor Risks
• Other risks. The types of risk introduced by an
institution's decision to use an outside vendor cannot be
fully assessed without a complete understanding of the
resulting arrangement, and even then it may be difficult if
not impossible to identify all potential risks in advance.
Thus, a comprehensive list of potential risks that could be
associated with a third-party relationship is not possible.
Regulatory Requirements
• Bank regulators seek to mitigate the risks described above
by requiring institutions to implement and maintain vendor
management controls.
• Vendor oversight is not new. Traditionally, this area has
been regulated from a safety and soundness standpoint.
• In the past, regulators’ concerns were mainly focused on
IT capabilities, information security, service level
standards and the like. Cybersecurity and guarding
against customer data breaches are still at the top of the
list, but now there is also increasing scrutiny in other
areas.
Regulatory Requirements
• Regulators now expect financial institutions to
appropriately assess, measure, monitor and control a
broader spectrum of service provider risks.
• Vendor risk management is expected to be addressed in
the bank’s compliance management policies/procedures
and systems.
Regulatory Requirements (Dodd-Frank)
• Dodd-Frank vests the CFPB with supervisory and enforcement authority over
large (greater than $10 billion in assets) insured banks and credit unions,
certain non-depository consumer financial services companies, and each of
their affiliates and service providers. For institutions up to $10 billion, the
CFPB may require reports relating to consumer financial protection and may
participate in prudential regulators’ consumer financial protection
examinations on a “sampling” basis, but it does not have direct
supervisory/enforcement authority. It does, however, have direct
supervisory/enforcement authority over service providers that serve a
substantial number of smaller insured depository institutions. The CFPB’s
primary focus is to determine compliance with federal consumer protection
laws and regulations, and it will “take a close look at service providers’
interactions with consumers.”
Regulatory Requirements (Sources of Recent Guidance)
• FDIC Letter FIL-13-2014, “Technology Outsourcing: Informational
Tools for Community Bankers” (April 7, 2014)
• FDIC Compliance Manual Section VII-4.1, “Abusive Practices – Third
Party Procedures” (January 2014) (content is similar to earlier FDIC
Letter FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6,
2008))
• FRB Letter SR 13-19, “Guidance on Managing Outsourcing Risk”
(December 5, 2013)
• OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management
Guidance” (October 30, 2013)
• FDIC Letter FIL-46-2012, “Supervision of Technology Service
Providers and Outsourcing Technology Services” (November 6, 2012)
• CFPB Bulletin 2012-03, “Service Providers” (April 13, 2012)
Vendor Risk Management Programs
• A bank should implement and maintain a vendor risk
management program that is commensurate with the level
of risk and complexity of its vendor relationships.
• The program should ensure that for critical vendors the
risk management and oversight of the vendor relationship
is “comprehensive.”
• Aspects of vendor risk management itself may be
outsourced (for example, to consultants specializing in this
area), but this does not diminish the responsibility of the
bank’s board of directors and senior management to
ensure that vendor risk is addressed in a safe and sound
manner and in compliance with applicable laws.
Critical Vendors
• As stated above, a bank should adopt comprehensive risk
management and oversight of relationships with critical
vendors.
• When a vendor relationship is or becomes “critical” may
not always be clear, and it may vary depending on the
bank, its business mission and other factors. There is,
however, some guidance from regulators.
Critical Vendors
• Generally, a vendor relationship is critical when it involves critical bank
activities such as payments, check clearing, or custodianship of funds;
significant shared services like information technology; or other
activities that:
– could cause a bank to face significant risk if the vendor fails to
meet expectations
– could have significant adverse customer impacts
– require significant investment in resources to implement the vendor
relationship and manage the risk
– could have a major impact on bank operations if the bank has to
find an alternate vendor or if the outsourced activity has to be
brought in-house
Critical Vendors (Examples)
• An online banking/bill pay or mobile banking/deposit platform service
provider is clearly a critical vendor.
• Vendors providing consumer disclosure software for loans, credit
cards, deposit accounts, etc., are likely critical, due to the problems
that can ensue from errors.
• A lawn maintenance service for one or more branches would not be a
critical vendor.
• What about janitorial services? The answer may not be clear-cut.
Probably not “critical,” but they would have access after hours to bank
premises where confidential customer and other information is kept.
Thus, at a minimum, careful attention should be given in choosing the
vendor and in contract negotiations to things like company reputation,
personnel background checks, and bonding/insurance requirements.
Community Banks
• Smaller banks tend to rely on vendors more than their larger peers, which
have more resources to keep functions in-house. Smaller banks also often
have more limited resources to monitor vendors. See, for example,
“Regulators step up focus on cybersecurity at community banks,”
charlotteobserver.com, January 30, 2015.
• FRB acknowledges that community bank programs may be simpler and utilize
fewer elements/considerations than those of larger banks.
• OCC note on community bank compliance: Vendor risk management
guidance applies to all banks with outside vendor relationships. A community
bank should adopt risk management practices commensurate with the level of
risk and complexity of its vendor relationships. Just as with larger institutions,
a community bank’s board and management should particularly focus on
identifying those relationships that involve critical activities and ensuring that
the bank has risk management practices in place to assess, monitor and
manage the risks.
Risk Management Life Cycle
Risk Management Life Cycle (Overview)
• A bank’s vendor risk management program should, at a minimum,
address the following processes:
– Planning and Risk Assessment. The bank should assess risk and options for
controlling risk through vendor agreements.
– Due Diligence and Selection. The bank should select only qualified entities to
implement the activity or program.
– Contract Negotiating and Review. The bank should ensure that the specific
expectations and obligations of both the institution and the vendor are outlined
in a written contract prior to entering into the arrangement.
– Ongoing Monitoring and Oversight. The bank should perform continuing
oversight of the operational and financial performance of the vendor on an
ongoing basis to meet the terms of the contract.
– Termination. Contingency plans must ensure that the bank can transition the
activities to another vendor, bring them in-house, or discontinue them when a
contract expires or the terms of the contract have been satisfied, in response
to a default under the contract, or in response to changes in the bank’s or
vendor’s business strategy.
Risk Management Life Cycle (Overview)
• In addition, a bank should perform the following
throughout the life cycle of the relationship as part of its
risk management process:
– Accountability and oversight. Assigning clear roles and responsibilities for
managing vendor relationships and integrating the bank’s vendor risk
management process with its enterprise risk management framework enables
continuous accountability and oversight.
– Documentation and reporting. Proper documentation and reporting facilitates
accountability, oversight and risk management associated with vendor
relationships.
– Independent reviews. Conducting periodic independent reviews of the risk
management process enables management to assess whether the process
aligns with the bank’s strategy and effectively manages risk posed by vendor
relationships.
Risk Management Life Cycle (Accountability)
• The bank’s board of directors (or a board committee) and
senior management are responsible for overseeing the
bank’s overall risk management processes. The board,
senior management, and employees within the lines of
business who manage vendor relationships have distinct
but interrelated responsibilities to ensure proper
management of outside service provider risk.
Risk Management Life Cycle (Accountability)
• Board of directors responsibilities include:
– Ensure an effective vendor risk management process is in place consistent with the
bank’s strategic goals, organizational objectives, and risk appetite.
– Approve the bank’s risk-based policies that govern the vendor risk management
process and identify critical activities.
– Review and approve management plans for using vendors that involve critical
activities.
– Review summary of due diligence results and management’s recommendations to
use vendors that involve critical activities.
– Approve contracts with vendors that involve critical activities.
– Review the results of management’s ongoing monitoring of vendor relationships
involving critical activities.
– Ensure management takes appropriate actions to remedy significant deterioration
in performance or address changing risks or material issues identified through
ongoing monitoring.
– Review results of periodic independent reviews of the bank’s vendor risk
management process.
Risk Management Life Cycle (Accountability)
• Senior bank management responsibilities include:
– Develop, establish and implement the bank’s vendor risk management
process.
– Develop plans for engaging vendors and identify those that involve critical
activities.
– Ensure appropriate due diligence is conducted.
– Review and approve contracts with vendors.
– Ensure ongoing monitoring of vendors.
– Ensure appropriate documentation and reporting throughout the life cycle
for all vendor relationships.
– Ensure periodic independent reviews of vendor relationships.
– Hold accountable bank employees who manage relationships with
vendors.
– Escalate issues involving critical vendors to the board as necessary.
– Terminate arrangements with vendors when appropriate.
Risk Management Life Cycle (Accountability)
• Bank employee responsibilities include:
– Conduct due diligence of prospective vendors and report results to
senior management.
– Perform ongoing monitoring of vendors and ensure compliance
with contract terms, service level agreements, bank policies, etc.
– Ensure that the bank and/or vendor addresses any identified
problems.
– Escalate significant issues to senior management.
– Notify the vendor of any significant operational issues at the bank
that may affect the vendor.
– Maintain appropriate documentation throughout the life cycle of the
relationship.
– Recommend termination of arrangements with vendors when
appropriate.
Risk Management Life Cycle (Independent Reviews)
• Senior management should ensure that periodic
independent reviews are conducted on the bank’s vendor
risk management process, particularly when a bank
involves vendors in critical activities. The bank’s internal
auditor or an outside auditor may perform the reviews, and
senior management should ensure that the results are
reported to the board.
Risk Management Life Cycle (Documentation)
• A bank should properly document and report on its vendor risk
management process and specific arrangements throughout their life
cycle. Proper documentation and reporting facilitates the
accountability, monitoring and overall risk management associated
with vendor relationships and typically includes:
– approved plans for the use of vendor relationships
– a current inventory of all vendor relationships, identifying critical vendors
– due diligence results and recommendations
– analysis of costs associated with each vendor relationship
– maintenance of executed contracts and any amendments
– regular performance and other reports required from the vendor (for example,
audit reports, security reviews, and reports showing performance in relation to
service level agreements)
– regular reports to the board and senior management on the results of
independent reviews of the bank’s risk management processes and the
monitoring of vendors involved in critical activities
Risk Management Life Cycle (Regulatory Reporting)
• Bank Service Company Act (12 U.S.C. §§ 1863, 1867):
– notice required to primary federal regulator of certain vendor
arrangements, which are then subject to regulation and
examination by the regulator to the same extent as if the services
were performed by the regulated institution itself
– notice must be given within 30 days after the contract is executed
or performance begins, whichever occurs first
– applies to:
• check and deposit sorting and posting
• computation and posting of interest and other credits and charges
• preparation and mailing of checks, statements, notices and similar
items
• any other clerical, bookkeeping, accounting, statistical or similar
functions
Risk Management Life Cycle (Planning/Risk Assessment)
• Planning and risk assessment are fundamental to the initial decision of
whether to enter into a vendor relationship with respect to any product
or service. Questions to be answered should include:
– Is the function in question appropriate for outsourcing or better handled
in-house?
– Is the proposed relationship consistent with the bank’s strategic planning and
business strategy?
– What are the benefits, costs, legal considerations and potential risks
associated with using an outside vendor (or any particular vendor)?
– What is the bank’s ability to provide adequate ongoing oversight over the
vendor relationship?
– What is the long-term financial impact of the proposed relationship?
• Upon completion of the risk assessment phase, the bank may want to
develop a detailed business requirements document for significant or
critical services to assist in the task of selecting a vendor.
Risk Management Life Cycle (Due Diligence)
• Due diligence is the process of ensuring that only qualified vendors
are selected, particularly to provide significant or critical services. The
scope of due diligence may vary depending on the importance of the
services and risk to the bank. If applicable, the bank should review a
prospective vendor’s due diligence process for selecting
subcontractors, and the bank may do its own due diligence on
subcontractors.
• Due diligence is not a one-time event. It should be performed prior to
selecting a vendor and periodically during the relationship, such as
when considering a contract renewal.
• “Risk scoring” of vendors is gaining popularity among regulators.
Risk Management Life Cycle (Due Diligence)
• In conducting due diligence, a bank should assess:
• Technical and Industry Expertise
– assess vendor’s business reputation and experience and
ability to provide services to meet present and future needs
– evaluate principals, key project personnel and any
subcontractors
– assess knowledge of laws/regulations
– verify any required licenses, certifications, etc.
– consider intangibles (values, culture, etc.)
– identify areas where the bank may need to
supplement the vendor’s expertise to reduce risk
Risk Management Life Cycle (Due Diligence)
• Operations and Controls
– as applicable, evaluate (through audit reports, etc.) adequacy of:
• vendor’s risk management program, including policies, processes and
internal controls
• facilities management (for example, access requirements)
• training for employees (including compliance training)
• data security
• privacy protections
• employment policies including background checks
• insurance coverage (liability, fire and other hazards, fidelity, errors and
omissions, etc.)
• records maintenance (including whether the bank will have timely
access to its data maintained by the vendor)
• business resumption and contingency planning
Risk Management Life Cycle (Due Diligence)
• Financial Condition
– analyze vendor’s financial statements, annual reports, SEC filings,
etc.
– analyze market share (and whether trending up or down)
– consider financial impact of proposed contract on vendor
– assess vendor’s technological expenditures and whether it has
adequate resources to invest in and support necessary technology
– examine significant complaints, litigation or regulatory actions that
might affect the vendor’s financial condition
Risk Management Life Cycle (Due Diligence)
• Special consideration should be given to proposed vendor relationships with
affiliated parties and with parties that are wholly or partially foreign-based or
that use foreign subcontractors.
• Agreements with affiliated parties must still be on an “arm’s-length” or
substantially “market terms” basis, in accordance with applicable guidance
and regulations such as Regulation W.
• Vendors with foreign aspects should be evaluated for the additional risks of doing
business in the applicable country or countries (for example, risks involving
the economic, social, political or military environment) and for the vendor’s
ability to comply with applicable U.S. laws, regulations and guidance.
Risk Management Life Cycle (Contracts)
• Any vendor risk identified in the risk assessment or due
diligence phase should be addressed in the vendor contract
itself.
• The contract is critical in satisfying the oversight requirement:
it is the bank’s lever over the vendor’s controls, conditions,
performance, etc.
• Without an adequate contract, there is no effective way to
satisfy regulatory obligations.
• Counsel should review all significant vendor contracts.
Risk Management Life Cycle (Contracts)
• General principle - the scope of services being provided
and risks associated with those services determine:
– required contract provisions
– importance of contract provisions
– level of detail in contract provisions
Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
– scope of services
– performance standards
– security and confidentiality
– controls
– audits and other reports; regulatory oversight
– compliance with laws
– business resumption and contingency plans
– subcontracting (including “offshoring”)
– access to or use of bank’s premises, equipment, and employees
– insurance
Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
– costs and compensation
– use of intellectual property and other property
– customer complaints
– duration
– dispute resolution
– indemnifications
– limitations of liability
– default and termination
– assignment
Risk Management Life Cycle (Contracts)
• Scope of Services
– specifications for services and vendor’s obligations
– bank’s obligations
– time frames for performance
– party responsible for delivering any required customer disclosures
– notification to bank and bank’s approval rights regarding material
changes to services, systems, controls, personnel, locations, etc.
– guidelines for modifying or adding services or renegotiating
contract
Risk Management Life Cycle (Contracts)
• Performance Standards
– minimum service levels
– remedies/penalties for failure to meet service levels
Risk Management Life Cycle (Contracts)
• Security and Confidentiality
– limits on use and disclosure of information
– compliance with privacy and other laws and bank’s privacy policy
– notification of breaches of security
– corrective actions
– responsibilities relating to destruction/return
Risk Management Life Cycle (Contracts)
• Controls
– internal controls of vendor
– records to be maintained by vendor and bank’s access to records
– parameters relating to any financial functions, such as payment
processing or extensions of credit
Risk Management Life Cycle (Contracts)
• Audits and Reports; Regulatory Oversight
– types: financial, internal controls, security reviews, other reports
– internal vs. external audits; on-site examinations by bank
– frequency and timeliness
– costs
– resolution of deficiencies
– access by regulators
• Now includes CFPB under Dodd-Frank
Risk Management Life Cycle (Contracts)
• Compliance with Laws
– vendor’s agreement to comply
Risk Management Life Cycle (Contracts)
• Business Resumption and Contingency Plans
– natural disasters or man-made causes
– backup systems and record protection
– right of bank to obtain copy or summary
– testing and results of testing; at least annual typical for critical
services
– costs
– frequency of updates
– notification when implemented
Risk Management Life Cycle (Contracts)
• Subcontracting
– “hot button” issue with examiners
– bank to approve significant subcontractors
– primary vendor to be responsible
– notice and approval of changes
Risk Management Life Cycle (Contracts)
• Offshoring
– either foreign vendors or domestic vendors with foreign operations
or subcontractors
– privacy/confidentiality of customer information and bank records in
compliance with U.S. laws
– all information transferred offshore remains bank’s property and
will be returned at termination
– authority of U.S. regulators to examine offshore activities
– choice of governing law and jurisdiction for disputes
Risk Management Life Cycle (Contracts)
• Access to or Use of Bank’s Premises, Equipment,
Employees
– conditions for access to premises and/or equipment
– provisions covering vendor’s use of bank employees
• Insurance
– required coverages
– notice to bank of changes
Risk Management Life Cycle (Contracts)
• Costs and Compensation
– fees/calculations for base services
– charges based on activity
– charges for nonrecurring items, special requests or services
– costs/responsibility for purchase and maintenance of hardware
and software
– cost increases and limits
– compensation schemes must be carefully structured for safety and
soundness
Risk Management Life Cycle (Contracts)
• Use of Bank’s Intellectual and Other Property
– ownership
– allowable use
– work products developed by vendor for bank
– timely return of items
Risk Management Life Cycle (Contracts)
• Customer Complaints
– Bank or vendor to respond?
– if vendor responsible, send copies with responses to bank
– periodic reports regarding status and resolution
Risk Management Life Cycle (Contracts)
• Duration
– consider technology involved and state of industry
– benefits of longer terms vs. wisdom of shorter terms for rapidly
changing technologies
– coordination of interrelated contracts
Risk Management Life Cycle (Contracts)
• Dispute Resolution
– consider process to resolve problems/disputes expeditiously
Risk Management Life Cycle (Contracts)
• Indemnifications
– mutual indemnification provisions
– should be carefully reviewed
– bank ultimately responsible for safety/soundness and compliance
Risk Management Life Cycle (Contracts)
• Limitations of Liability
– supplier may attempt to limit its liability
– bank must consider whether reasonable in light of anticipated loss
from failure to perform
Risk Management Life Cycle (Contracts)
• Default and Termination
– what constitutes default, remedies, opportunity to cure
– termination provisions vary with service; common triggers include:
• convenience
• change in control
• substantial cost increases
• failure to meet service levels or otherwise perform
• insolvency
– ability to timely terminate without prohibitive expense/penalties
– adequate time for notice and transition
– return/destruction of bank’s data, records, other property
Risk Management Life Cycle (Contracts)
• Assignment
– no assignment without bank’s consent
– no changes to subcontractors without bank’s consent
Risk Management Life Cycle (Oversight)
• In general
– regularly evaluate relationship in light of bank’s strategic goals
– meet as needed with vendor personnel to discuss performance,
etc.
– oversight activities vary with services
Risk Management Life Cycle (Oversight)
• Monitor Financial Condition and Operations
– evaluate financial condition at least annually
– ensure vendor meeting obligations to subcontractors and others
– review audit and other reports and evaluate vendor’s systems and
controls; follow up on deficiencies
– review vendor’s adherence to policies regarding internal controls,
security, backup plans, etc.
– monitor compliance with laws and regulations
– assess effects of changes in personnel
– review insurance coverage
– review licensing/registration requirements
Risk Management Life Cycle (Oversight)
• Assess Quality of Service and Support
– review performance reports; follow up on deficiencies
– evaluate vendor’s ability to support bank’s strategic direction
– evaluate adequacy of training for vendor/bank employees
– review customer complaints; follow up as needed
Risk Management Life Cycle (Oversight)
• Monitor Contract Compliance and Revision Needs
– review service level performance
– determine whether other contract terms are being met
– assess whether revisions to service levels or other terms needed
– review invoices for proper charges and appropriateness of any
price changes
– monitor external environment (regulatory changes, economic
conditions, competition, etc.) to determine if contract revisions (or
termination) needed
Risk Management Life Cycle (Oversight)
• Monitor Business Resumption and Contingency Plans
– review plans to ensure any critical services can be restored in
acceptable time
– review testing program and results
Risk Management Life Cycle (Termination)
• A bank may terminate vendor relationships for various
reasons, including:
– expiration or satisfaction of the contract
– desire to seek an alternate vendor
– desire to bring the activity in-house or discontinue the activity
– breach of contract
Risk Management Life Cycle (Termination)
• The bank’s policies should ensure that relationships terminate in an
efficient manner, whether the activities are transitioned to another
vendor or in-house, or discontinued. In the event of contract default or
termination, the bank should have a plan to bring the service in-house
if there are no alternative vendors. This plan should cover:
– capabilities, resources, and the timeframe required to transition the activity
while still managing legal, regulatory, customer, and other impacts that might
arise
– risks associated with data retention and destruction, information system
connections and access control issues, or other control concerns that require
additional risk management and monitoring during and after the end of the
vendor relationship
– handling of joint intellectual property developed during the course of the
arrangement
– reputation risks to the bank if the termination happens as a result of the
vendor’s inability to meet expectations
– the extent and flexibility of termination rights may vary with the type of activity
Questions?
• Chris Roede
• croede@poynerspruill.com
• 919-783-2932
• Bardin Simmons
• bsimmons@poynerspruill.com
• 919-783-1031
• Richard Lafferty
• rlafferty@poynerspruill.com
• 704-342-5269
• Martha Svoboda
• msvoboda@poynerspruill.com
• 919-783-2840
67

The Hazards of Vendor Management - presented to NC Bankers Association by Richard Lafferty and Bardin Simmons

1. BANK VENDOR MANAGEMENT: UNDERSTANDING THE RISK MANAGEMENT LIFE CYCLE AND AVOIDING THE PITFALLS
March 25, 2015
These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

2. Overview
• Goals of Session
  – Understand risks associated with using vendors
  – Understand general regulatory requirements
  – Understand how to identify “critical vendors”
  – Understand the risk management life cycle

3. Understanding Vendor Risks
• “The buck stops with YOU”: Reliance on outside vendors (including compliance consultants) to provide services or operations to the bank does not relieve a bank from potential liability or from its responsibility to ensure that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws.
• As a result, problems experienced by vendors can become the bank’s problems.

4. Vendor Risks: Cautionary Tales
• In 2014, the OCC and CFPB assessed $57 million in fines and restitution against U.S. Bank in Cincinnati for overcharging more than 420,000 consumer accounts for add-on services (such as credit monitoring and identity theft protection). Accounts were charged by the vendor, Affinion, and its subsidiary Trilegiant, and the errors were discovered by the bank. The bank terminated the vendor relationship but was still fined two years after the relationship ended.
• After Hurricane Sandy (October 2012) flooded a processing center for banking software provider Jack Henry & Associates, bank clients had transaction processing disruptions, and in 2013 the vendor faced regulatory enforcement action for failure to resume operations in a timely manner.

5. Vendor Risks: Cautionary Tales
• In 2013, First California Bank was fined by the FDIC for unfair and deceptive trade practices because its vendor Achieve promoted certain features on Achieve’s website related to a prepaid reloadable MasterCard product that were not actually available.
• In 2012, the OCC fined Capital One Bank $35 million for failure to develop a comprehensive enterprise risk management system after one of its vendors offered debt cancellation and credit monitoring programs in an unfair and deceptive manner.
• In 2012, the FDIC and FinCEN fined First Bank of Delaware $15 million for failure to implement an effective BSA/AML compliance program – specifically, failure to adequately oversee payment processor relationships and related products and services in a manner commensurate with the associated risks.
6. Categories of Vendor Risks
• Reputation risk. Reputation risk is the risk arising from negative public opinion. Vendor relationships that result in dissatisfied customers, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation are all examples that could harm the reputation and standing of the financial institution in the communities it serves. Also, any negative publicity involving the vendor, whether or not the publicity is related to the institution’s use of the vendor, could result in reputation risk to the institution itself.

7. Categories of Vendor Risks
• Operational risk. Operational risk is the risk of loss resulting from inadequate or failed internal processes, personnel, and systems, or from external events. Vendor relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity.

8. Categories of Vendor Risks
• Transaction risk. Transaction risk is the risk arising from problems with service or product delivery. A vendor’s failure to perform as expected by customers or the financial institution due to reasons such as inadequate capacity, technological failure, human error, or fraud exposes the institution to transaction risk. The lack of effective business resumption and contingency plans increases transaction risk. Weak control over technology used in the vendor arrangement may result in threats to security and the integrity of systems and resources. These issues could result in unauthorized transactions or the inability to transact business as expected.

9. Categories of Vendor Risks
• Financial or credit risk. Financial or credit risk is the risk that a vendor, or any other party necessary to the vendor relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed. Thus, the financial condition of the party is a key factor in assessing credit risk.

10. Categories of Vendor Risks
• Legal and compliance risk. Legal risk arises when a vendor exposes a financial institution to legal expenses and possible lawsuits or even criminal charges. Compliance risk arises when a vendor violates applicable laws, rules or regulations, or the institution’s own internal policies/procedures or business standards.

11. Categories of Vendor Risks
• Other risks. The types of risk introduced by an institution’s decision to use an outside vendor cannot be fully assessed without a complete understanding of the resulting arrangement, and even then it may be difficult if not impossible to identify all potential risks in advance. Thus, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible.
12. Regulatory Requirements
• Bank regulators seek to mitigate the risks described above by requiring institutions to implement and maintain vendor management controls.
• Vendor oversight is not new. Traditionally, this area has been regulated from a safety and soundness standpoint.
• In the past, regulators’ concerns were mainly focused on IT capabilities, information security, service level standards and the like. Cybersecurity and guarding against customer data breaches are still at the top of the list, but now there is also increasing scrutiny in other areas.

13. Regulatory Requirements
• Regulators now expect financial institutions to appropriately assess, measure, monitor and control a broader spectrum of service provider risks.
• Vendor risk management is expected to be addressed in the bank’s compliance management policies/procedures and systems.

14. Regulatory Requirements (Dodd-Frank)
• Dodd-Frank vests the CFPB with supervisory and enforcement authority over large (greater than $10 billion in assets) insured banks and credit unions, certain non-depository consumer financial services companies, and each of their affiliates and service providers.
• For institutions up to $10 billion, the CFPB may require reports relating to consumer financial protection and may participate in prudential regulators’ consumer financial protection examinations on a “sampling” basis, but it does not have direct supervisory/enforcement authority. It does, however, have direct supervisory/enforcement authority over service providers that serve a substantial number of smaller insured depository institutions.
• The CFPB’s primary focus is to determine compliance with federal consumer protection laws and regulations, and it will “take a close look at service providers’ interactions with consumers.”

15. Regulatory Requirements (Sources of Recent Guidance)
• FDIC Letter FIL-13-2014, “Technology Outsourcing: Informational Tools for Community Bankers” (April 7, 2014)
• FDIC Compliance Manual Section VII-4.1, “Abusive Practices – Third Party Procedures” (January 2014) (content is similar to earlier FDIC Letter FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008))
• FRB Letter SR 13-19, “Guidance on Managing Outsourcing Risk” (December 5, 2013)
• OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013)
• FDIC Letter FIL-46-2012, “Supervision of Technology Service Providers and Outsourcing Technology Services” (November 6, 2012)
• CFPB Bulletin 2012-03, “Service Providers” (April 13, 2012)
16. Vendor Risk Management Programs
• A bank should implement and maintain a vendor risk management program that is commensurate with the level of risk and complexity of its vendor relationships.
• The program should ensure that for critical vendors the risk management and oversight of the vendor relationship is “comprehensive.”
• Aspects of vendor risk management itself may be outsourced (for example, to consultants specializing in this area), but this does not diminish the responsibility of the bank’s board of directors and senior management to ensure that vendor risk is addressed in a safe and sound manner and in compliance with applicable laws.

17. Critical Vendors
• As stated above, a bank should adopt comprehensive risk management and oversight of relationships with critical vendors.
• When a vendor relationship is or becomes “critical” may not always be clear, and it may vary depending on the bank, its business mission and other factors. There is, however, some guidance from regulators.

18. Critical Vendors
• Generally, vendor relationships that involve critical bank activities such as payments, check clearing, or custodianship of funds; significant shared services like information technology; or other activities that:
  – could cause a bank to face significant risk if the vendor fails to meet expectations
  – could have significant adverse customer impacts
  – require significant investment in resources to implement the vendor relationship and manage the risk
  – could have a major impact on bank operations if the bank has to find an alternate vendor or if the outsourced activity has to be brought in-house

19. Critical Vendors (Examples)
• An online banking/bill pay or mobile banking/deposit platform service provider is clearly a critical vendor.
• Vendors providing consumer disclosure software for loans, credit cards, deposit accounts, etc., are likely critical, due to the problems that can ensue from errors.
• A lawn maintenance service for one or more branches would not be a critical vendor.
• What about janitorial services? The answer may not be clear-cut. Probably not “critical,” but they would have access after hours to bank premises where confidential customer and other information is kept. Thus, at a minimum, careful attention should be given in choosing the vendor and in contract negotiations to things like company reputation, personnel background checks, and bonding/insurance requirements.

20. Community Banks
• Smaller banks tend to rely on vendors more than their larger peers, which have more resources to keep functions in-house. Smaller banks also often have more limited resources to monitor vendors. See, for example, “Regulators step up focus on cybersecurity at community banks,” charlotteobserver.com, January 30, 2015.
• The FRB acknowledges that community bank programs may be simpler and utilize fewer elements/considerations than those of larger banks.
• OCC note on community bank compliance: Vendor risk management guidance applies to all banks with outside vendor relationships. A community bank should adopt risk management practices commensurate with the level of risk and complexity of its vendor relationships. Just as with larger institutions, a community bank’s board and management should particularly focus on identifying those relationships that involve critical activities and ensuring that the bank has risk management practices in place to assess, monitor and manage the risks.
22. Risk Management Life Cycle (Overview)
• A bank’s vendor risk management program should, at a minimum, address the following processes:
  – Planning and Risk Assessment. The bank should assess risk and options for controlling risk through vendor agreements.
  – Due Diligence and Selection. The bank should select only qualified entities to implement the activity or program.
  – Contract Negotiating and Review. The bank should ensure that the specific expectations and obligations of both the institution and the vendor are outlined in a written contract prior to entering into the arrangement.
  – Ongoing Monitoring and Oversight. The bank should perform continuing oversight of the operational and financial performance of the vendor on an ongoing basis to meet the terms of the contract.
  – Termination. Contingency plans must ensure that the bank can transition the activities to another vendor, bring them in-house, or discontinue them when a contract expires or the terms of the contract have been satisfied, in response to a default under the contract, or in response to changes in the bank’s or vendor’s business strategy.

23. Risk Management Life Cycle (Overview)
• In addition, a bank should perform the following throughout the life cycle of the relationship as part of its risk management process:
  – Accountability and oversight. Assigning clear roles and responsibilities for managing vendor relationships and integrating the bank’s vendor risk management process with its enterprise risk management framework enables continuous accountability and oversight.
  – Documentation and reporting. Proper documentation and reporting facilitates accountability, oversight and risk management associated with vendor relationships.
  – Independent reviews. Conducting periodic independent reviews of the risk management process enables management to assess whether the process aligns with the bank’s strategy and effectively manages risk posed by vendor relationships.

24. Risk Management Life Cycle (Accountability)
• The bank’s board of directors (or a board committee) and senior management are responsible for overseeing the bank’s overall risk management processes. The board, senior management, and employees within the lines of business who manage vendor relationships have distinct but interrelated responsibilities to ensure proper management of outside service provider risk.

25. Risk Management Life Cycle (Accountability)
• Board of directors responsibilities include:
  – Ensure an effective vendor risk management process is in place consistent with the bank’s strategic goals, organizational objectives, and risk appetite.
  – Approve the bank’s risk-based policies that govern the vendor risk management process and identify critical activities.
  – Review and approve management plans for using vendors that involve critical activities.
  – Review summary of due diligence results and management’s recommendations to use vendors that involve critical activities.
  – Approve contracts with vendors that involve critical activities.
  – Review the results of management’s ongoing monitoring of vendor relationships involving critical activities.
  – Ensure management takes appropriate actions to remedy significant deterioration in performance or address changing risks or material issues identified through ongoing monitoring.
  – Review results of periodic independent reviews of the bank’s vendor risk management process.

26. Risk Management Life Cycle (Accountability)
• Senior bank management responsibilities include:
  – Develop, establish and implement the bank’s vendor risk management process.
  – Develop plans for engaging vendors and identify those that involve critical activities.
  – Ensure appropriate due diligence is conducted.
  – Review and approve contracts with vendors.
  – Ensure ongoing monitoring of vendors.
  – Ensure appropriate documentation and reporting throughout the life cycle for all vendor relationships.
  – Ensure periodic independent reviews of vendor relationships.
  – Hold accountable bank employees who manage relationships with vendors.
  – Escalate issues involving critical vendors to the board as necessary.
  – Terminate arrangements with vendors when appropriate.

27. Risk Management Life Cycle (Accountability)
• Bank employee responsibilities include:
  – Conduct due diligence of prospective vendors and report results to senior management.
  – Perform ongoing monitoring of vendors and ensure compliance with contract terms, service level agreements, bank policies, etc.
  – Ensure that the bank and/or vendor addresses any identified problems.
  – Escalate significant issues to senior management.
  – Notify the vendor of any significant operational issues at the bank that may affect the vendor.
  – Maintain appropriate documentation throughout the life cycle of the relationship.
  – Recommend termination of arrangements with vendors when appropriate.

28. Risk Management Life Cycle (Independent Reviews)
• Senior management should ensure that periodic independent reviews are conducted on the bank’s vendor risk management process, particularly when a bank involves vendors in critical activities. The bank’s internal auditor or an outside auditor may perform the reviews, and senior management should ensure that the results are reported to the board.

29. Risk Management Life Cycle (Documentation)
• A bank should properly document and report on its vendor risk management process and specific arrangements throughout their life cycle. Proper documentation and reporting facilitates the accountability, monitoring and overall risk management associated with vendor relationships and typically includes:
  – approved plans for the use of vendor relationships
  – a current inventory of all vendor relationships, identifying critical vendors
  – due diligence results and recommendations
  – analysis of costs associated with each vendor relationship
  – maintenance of executed contracts and any amendments
  – regular performance and other reports required from the vendor (for example, audit reports, security reviews, and reports showing performance in relation to service level agreements)
  – regular reports to the board and senior management on the results of independent reviews of the bank’s risk management processes and the monitoring of vendors involved in critical activities

30. Risk Management Life Cycle (Regulatory Reporting)
• Bank Service Company Act (12 U.S.C. §§ 1863, 1867):
  – notice required to the primary federal regulator of certain vendor arrangements, which are then subject to regulation and examination by the regulator to the same extent as if the services were performed by the regulated institution itself
  – notice must be given within 30 days after the contract is executed or performance begins, whichever occurs first
  – applies to:
    • check and deposit sorting and posting
    • computation and posting of interest and other credits and charges
    • preparation and mailing of checks, statements, notices and similar items
    • any other clerical, bookkeeping, accounting, statistical or similar functions
31. Risk Management Life Cycle (Planning/Risk Assessment)
• Planning and risk assessment are fundamental to the initial decision of whether to enter into a vendor relationship with respect to any product or service. Questions to be answered should include:
  – Is the function in question appropriate for outsourcing, or better handled in-house?
  – Is the proposed relationship consistent with the bank’s strategic planning and business strategy?
  – What are the benefits, costs, legal considerations and potential risks associated with using an outside vendor (or any particular vendor)?
  – What is the bank’s ability to provide adequate ongoing oversight over the vendor relationship?
  – What is the long-term financial impact of the proposed relationship?
• Upon completion of the risk assessment phase, the bank may want to develop a detailed business requirements document for significant or critical services to assist in the task of selecting a vendor.

32. Risk Management Life Cycle (Due Diligence)
• Due diligence is the process of ensuring that only qualified vendors are selected, particularly to provide significant or critical services. The scope of due diligence may vary depending on the importance of the services and risk to the bank. If applicable, the bank should review a prospective vendor’s due diligence process for selecting subcontractors, and the bank may do its own due diligence on subcontractors.
• Due diligence is not a one-time event. It should be performed prior to selecting a vendor and periodically during the relationship, such as when considering a contract renewal.
• “Risk scoring” of vendors is gaining popularity among regulators.

33. Risk Management Life Cycle (Due Diligence)
• In conducting due diligence, a bank should assess:
• Technical and Industry Expertise
  – assess the vendor’s business reputation and experience and its ability to provide services to meet present and future needs
  – evaluate principals, key project personnel and any subcontractors
  – assess knowledge of laws/regulations
  – verify any required licenses, certifications, etc.
  – consider intangibles (values, culture, etc.)
  – identify areas where the bank may need to supplement the vendor’s expertise to reduce risk

34. Risk Management Life Cycle (Due Diligence)
• Operations and Controls – as applicable, evaluate (through audit reports, etc.) the adequacy of:
  – vendor’s risk management program, including policies, processes and internal controls
  – facilities management (for example, access requirements)
  – training for employees (including compliance training)
  – data security
  – privacy protections
  – employment policies, including background checks
  – insurance coverage (liability, fire and other hazards, fidelity, errors and omissions, etc.)
  – records maintenance (including whether the bank will have timely access to its data maintained by the vendor)
  – business resumption and contingency planning

35. Risk Management Life Cycle (Due Diligence)
• Financial Condition
  – analyze the vendor’s financial statements, annual reports, SEC filings, etc.
  – analyze market share (and whether trending up or down)
  – consider the financial impact of the proposed contract on the vendor
  – assess the vendor’s technological expenditures and whether it has adequate resources to invest in and support necessary technology
  – examine significant complaints, litigation or regulatory actions that might affect the vendor’s financial condition

36. Risk Management Life Cycle (Due Diligence)
• Special consideration should be given to proposed vendor relationships with affiliated parties and parties that may be wholly or partially foreign based or that use foreign subcontractors.
• Agreements with affiliated parties must still be on an “arm’s-length” or substantially “market terms” basis, in accordance with applicable guidance and regulations such as Regulation W.
• Vendors with foreign aspects should be evaluated for additional risks of doing business in the applicable country or countries (for example, risks involving the economic, social, political or military environment) and for the vendor’s ability to comply with applicable U.S. laws, regulations and guidance.
37. Risk Management Life Cycle (Contracts)
• Any vendor risk identified in the risk assessment or due diligence phase should be addressed in the vendor contract itself.
• The contract is critical in satisfying the oversight requirement – it is what gives the bank rights over the supplier’s controls, conditions, performance, etc.
• Without an adequate contract, there is no effective way to satisfy regulatory obligations.
• Counsel should review all significant vendor contracts.

38. Risk Management Life Cycle (Contracts)
• General principle – the scope of services being provided and the risks associated with those services determine:
  – required contract provisions
  – importance of contract provisions
  – level of detail in contract provisions

39. Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
  – scope of services
  – performance standards
  – security and confidentiality
  – controls
  – audits and other reports; regulatory oversight
  – compliance with laws
  – business resumption and contingency plans
  – subcontracting (including “offshoring”)
  – access to or use of bank’s premises, equipment, and employees
  – insurance

40. Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
  – costs and compensation
  – use of intellectual property and other property
  – customer complaints
  – duration
  – dispute resolution
  – indemnifications
  – limitations of liability
  – default and termination
  – assignment

41. Risk Management Life Cycle (Contracts)
• Scope of Services
  – specifications for services and vendor’s obligations
  – bank’s obligations
  – time frames for performance
  – party responsible for delivering any required customer disclosures
  – notification to bank and bank’s approval rights regarding material changes to services, systems, controls, personnel, locations, etc.
  – guidelines for modifying or adding services or renegotiating the contract

42. Risk Management Life Cycle (Contracts)
• Performance Standards
  – minimum service levels
  – remedies/penalties for failure to meet service levels

43. Risk Management Life Cycle (Contracts)
• Security and Confidentiality
  – limits on use and disclosure of information
  – compliance with privacy and other laws and the bank’s privacy policy
  – notification of breaches of security
  – corrective actions
  – responsibilities relating to destruction/return of information

44. Risk Management Life Cycle (Contracts)
• Controls
  – internal controls of vendor
  – records to be maintained by vendor and bank’s access to records
  – parameters relating to any financial functions, such as payment processing or extensions of credit

45. Risk Management Life Cycle (Contracts)
• Audits and Reports; Regulatory Oversight
  – types: financial, internal controls, security reviews, other reports
  – internal vs. external audits; on-site examinations by bank
  – frequency and timeliness
  – costs
  – resolution of deficiencies
  – access by regulators (now including the CFPB under Dodd-Frank)

46. Risk Management Life Cycle (Contracts)
• Compliance with Laws
  – vendor’s agreement to comply

47. Risk Management Life Cycle (Contracts)
• Business Resumption and Contingency Plans
  – natural disasters or man-made causes
  – backup systems and record protection
  – right of bank to obtain a copy or summary of the plan
  – testing and results of testing; at least annual testing is typical for critical services
  – costs
  – frequency of updates
  – notification when the plan is implemented

48. Risk Management Life Cycle (Contracts)
• Subcontracting
  – a “hot button” issue with examiners
  – bank to approve significant subcontractors
  – primary vendor to remain responsible for subcontractors
  – notice and approval of changes

49. Risk Management Life Cycle (Contracts)
• Offshoring
  – either foreign vendors or domestic vendors with foreign operations or subcontractors
  – privacy/confidentiality of customer information and bank records in compliance with U.S. laws
  – all information transferred offshore remains the bank’s property and will be returned at termination
  – authority of U.S. regulators to examine offshore activities
  – choice of governing law and jurisdiction for disputes

50. Risk Management Life Cycle (Contracts)
• Access to or Use of Bank’s Premises, Equipment, Employees
  – conditions for access to premises and/or equipment
  – provisions covering vendor’s use of bank employees
• Insurance
  – required coverages
  – notice to bank of changes

51. Risk Management Life Cycle (Contracts)
• Costs and Compensation
  – fees/calculations for base services
  – charges based on activity
  – charges for nonrecurring items, special requests or services
  – costs/responsibility for purchase and maintenance of hardware and software
  – cost increases and limits
  – compensation schemes must be carefully structured for safety and soundness

52. Risk Management Life Cycle (Contracts)
• Use of Bank’s Intellectual and Other Property
  – ownership
  – allowable use
  – work products developed by vendor for bank
  – timely return of items

53. Risk Management Life Cycle (Contracts)
• Customer Complaints
  – Bank or vendor to respond?
  – if vendor is responsible, send copies with responses to bank
  – periodic reports regarding status and resolution

54. Risk Management Life Cycle (Contracts)
• Duration
  – consider the technology involved and the state of the industry
  – benefits of longer terms vs. wisdom of shorter terms for rapidly changing technologies
  – coordination of interrelated contracts

55. Risk Management Life Cycle (Contracts)
• Dispute Resolution
  – consider a process to resolve problems/disputes expeditiously

56. Risk Management Life Cycle (Contracts)
• Indemnifications
  – mutual indemnification provisions
  – should be carefully reviewed
  – bank remains ultimately responsible for safety/soundness and compliance

57. Risk Management Life Cycle (Contracts)
• Limitations of Liability
  – supplier may attempt to limit its liability
  – bank must consider whether the limit is reasonable in light of the anticipated loss from a failure to perform

58. Risk Management Life Cycle (Contracts)
• Default and Termination
  – what constitutes default, remedies, opportunity to cure
  – termination provisions vary with the service; typical triggers include:
    • convenience
    • change in control
    • substantial cost increases
    • failure to meet service levels or otherwise perform
    • insolvency
  – ability to timely terminate without prohibitive expense/penalties
  – adequate time for notice and transition
  – return/destruction of bank’s data, records, other property

59. Risk Management Life Cycle (Contracts)
• Assignment
  – no assignment without bank’s consent
  – no changes to subcontractors without bank’s consent
60. Risk Management Life Cycle (Oversight)
• In general
  – regularly evaluate the relationship in light of the bank’s strategic goals
  – meet as needed with vendor personnel to discuss performance, etc.
  – oversight activities vary with the services

61. Risk Management Life Cycle (Oversight)
• Monitor Financial Condition and Operations
  – evaluate financial condition at least annually
  – ensure the vendor is meeting its obligations to subcontractors and others
  – review audit and other reports and evaluate the vendor’s systems and controls; follow up on deficiencies
  – review the vendor’s adherence to policies regarding internal controls, security, backup plans, etc.
  – monitor compliance with laws and regulations
  – assess effects of changes in personnel
  – review insurance coverage
  – review licensing/registration requirements

62. Risk Management Life Cycle (Oversight)
• Assess Quality of Service and Support
  – review performance reports; follow up on deficiencies
  – evaluate the vendor’s ability to support the bank’s strategic direction
  – evaluate adequacy of training for vendor/bank employees
  – review customer complaints; follow up as needed

63. Risk Management Life Cycle (Oversight)
• Monitor Contract Compliance and Revision Needs
  – review service level performance
  – determine whether other contract terms are being met
  – assess whether revisions to service levels or other terms are needed
  – review invoices for proper charges and appropriateness of any price changes
  – monitor the external environment (regulatory changes, economic conditions, competition, etc.) to determine if contract revisions (or termination) are needed

64. Risk Management Life Cycle (Oversight)
• Monitor Business Resumption and Contingency Plans
  – review plans to ensure any critical services can be restored in an acceptable time
  – review the testing program and results

65. Risk Management Life Cycle (Termination)
• A bank may terminate vendor relationships for various reasons, including:
  – expiration or satisfaction of the contract
  – desire to seek an alternate vendor
  – desire to bring the activity in-house or discontinue the activity
  – breach of contract

66. Risk Management Life Cycle (Termination)
• The bank’s policies should ensure that relationships terminate in an efficient manner, whether the activities are transitioned to another vendor or in-house, or discontinued. In the event of contract default or termination, the bank should have a plan to bring the service in-house if there are no alternative vendors. This plan should cover:
  – capabilities, resources, and the timeframe required to transition the activity while still managing legal, regulatory, customer, and other impacts that might arise
  – risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the vendor relationship
  – handling of joint intellectual property developed during the course of the arrangement
  – reputation risks to the bank if the termination happens as a result of the vendor’s inability to meet expectations
  – the extent and flexibility of termination rights, which may vary with the type of activity

67. Questions?
• Chris Roede – croede@poynerspruill.com – 919-783-2932
• Bardin Simmons – bsimmons@poynerspruill.com – 919-783-1031
• Richard Lafferty – rlafferty@poynerspruill.com – 704-342-5269
• Martha Svoboda – msvoboda@poynerspruill.com – 919-783-2840