Three Tools for Better Contracts

We provide three tools for mitigating risk in technology contracts involving financial service companies. First, as in the other chapters in this book, we provide a brief exploration of common key considerations for these types of contracts. Second, at the end of this chapter is a very detailed list of regulatory requirements relevant to technology agreements, including references to applicable regulations, laws, and guidances. The checklist is broken down into general requirements, professional service engagements, software licenses, and offshore engagements.

Finally, in the appendix, we have included a complete copy of the Federal Financial Institutions Examination Council’s Information Technology Examination Handbook “Outsourcing Technology Services Booklet” (FFIEC Handbook). The FFIEC Handbook is essentially the guide regulatory auditors use to confirm a financial service company’s technology agreements satisfy good contracting practices and mitigate risk to the company and its customers. Everyone involved in negotiating technology agreements for financial services companies should read and understand the handbook. The handbook is also an excellent means of explaining to vendors the regulatory obligations with which the financial services company must comply.

Key Considerations

■ First and foremost, negotiators on behalf of the financial services companies must be conversant with their regulatory requirements and be prepared to explain them in plain and simple English to the vendor. The foregoing is one of the most critical points to ensuring negotiations run smoothly and that the goals of the financial services company are achieved. The checklist at the end of this chapter and the FFIEC Handbook are two excellent resources for achieving the level of understanding needed to convey the concerns of the financial services company to the vendor.

■ Many businesses invest substantial money, in some cases tens of millions of dollars, in developing and maintaining their trademarks and trade names. They are very careful about granting any third party, including their vendors, rights to use those marks and names. Failing to do so may adversely impact their ability to maintain and enforce their rights as trademark owners. In addition to the concerns of any trademark owner, financial services companies are also concerned with use of their names to imply an endorsement of a third party or, worse yet, a recommendation that someone should invest in that third party. Consider a vendor who, without permission, places a statement in its marketing materials that XYZ Broker recommends and endorses its products as the “best in the industry.” That statement could be construed as a recommendation by the XYZ Broker to invest in the vendor, resulting in potential regulatory issues for the broker. It is for these reasons that most financial services companies are extremely strict about granting vendors the right to use their names and marks in customer lists, marketing materials, and case studies. In fact, most include language in their contracts expressly prohibiting the vendor from making any use of their names or marks without the customer’s prior written authorization.

■ Given the sensitive data involved and the many laws and regulations applicable to highly sensitive financial data, the agreement should include a fully fleshed-out confidentiality clause. That clause should define the types of data at risk, including personally identifiable data, trading information, and potential “insider” information. The contract should make clear the vendor’s obligations to hold that data in strict confidence and ensure the information is used solely for performance of the agreement for the financial service company’s benefit.

■ Most confidentiality clauses include some limitation on their duration (e.g., the obligations of confidentiality will continue for a period of five years after termination). While this may be acceptable in a normal engagement, protection of sensitive financial information, particularly personally identifiable information, should continue in perpetuity. As mentioned in the chapter on nondisclosure agreements, protection of trade secret information should also continue for as long as the information remains protected under applicable law as a trade secret.

■ In addition to the various restrictions in the agreement, the vendor should be obligated to comply with the customer’s privacy policy with regard to personally identifiable information. The contract should also ensure the vendor is bound by any future updates to the policy. Except in highly unusual situations, the vendor’s privacy policy should never take precedence over the policy of a financial services company with regard to its data.

■ In the event the vendor breaches security, personally identifiable information is compromised, and a state or federal law would require notice to a consumer, the financial services company should control the content and timing of the notice and be reimbursed by the vendor for the cost of providing the notice. It is also common to require the vendor to reimburse the customer for the cost of providing identity theft insurance to the impacted consumers and the cost of investigating the breach.

■ Avoid provisions affording the vendor broad rights to use undefined “aggregated data” (i.e., data that has been cleansed to ensure it cannot be identified to an individual or entity) derived from performance of the agreement. If those rights must be granted, the language should (i) clearly define what aggregation means (in some instances, specific steps to properly cleanse the data of personally identifiable information should be specified, including a clear statement that it is statistically impossible to reidentify any data with an individual); (ii) state that the data is being provided entirely as-is by the financial services company; and (iii) require the vendor to fully indemnify and hold the financial services company harmless from any and all damages, fines, and costs that may arise out of the vendor’s failure to adequately cleanse the data and from any use the vendor may make of the data. In some instances, financial services companies may have previously granted exclusive rights to certain forms of aggregated data to others. These obligations should be carefully reviewed before granting rights in aggregated data to others.

■ Require the vendor to have conducted background checks on its personnel. In many instances, the customer will also want to conduct its own checks, particularly of on-site workers.

■ Depending on the extent and type of data at risk, in addition to the vendor’s confidentiality obligations, the contract should specify the vendor’s obligations with regard to information security. At its heart this language should require the vendor to comply with, for example, “best industry practices for securing information of the kind provided under the agreement, but in no event less than the level of protection required under all applicable local, state, federal, and international privacy, confidentiality, consumer protection, advertising, electronic mail, data security, data destruction, and other similar laws, rules, and regulations, whether in effect now or in the future.” Most financial services companies, however, provide more detailed language. In some instances, exact specifications regarding the level of encryption and firewalls to be employed should be included as part of the contract. At minimum, the contract should address these points:

  • Use of best industry practices, consistent with applicable law (see example language above), to protect the data.
  • A requirement that the vendor promptly report any potential or actual breach of security or confidentiality.
  • A requirement that the vendor furnish log files and other forensic information to assist in the investigation of a breach and to preserve that information.
  • The right of the financial services company to conduct audits of the vendor’s security measures and compliance with the agreement.
  • The right for the financial services company to conduct joint security testing, including penetration testing.
  • A requirement that the vendor supply the financial services company with copies of any SSAE 16 or similar audits.
  • Requirements for secure removal/scrubbing of sensitive data from the vendor’s systems on termination or expiration of the agreement, from discarded media, or in the event the vendor decommissions storage equipment. These requirements are frequently tied to a known data destruction standard (e.g., NIST Special Publication 800-88, Guidelines for Media Sanitization, or the DoD 5220.22-M Standard).

■ Breaches of confidentiality and indemnification obligations should be excluded from all limitations and exclusions of liability.

■ In addition to the indemnification rights discussed elsewhere in this book for technology agreements (e.g., an indemnity for intellectual property infringement), the vendor should also indemnify the financial services company for any damages, fines, sanctions, and liabilities that may arise from the vendor’s breach of confidentiality, particularly breaches relating to personally identifiable information.

■ As noted above, the financial services company should have the right to audit the vendor with regard to security and contractual compliance. In addition, the financial services company should be able to audit to confirm the accuracy of fees charged. Finally, governmental regulators having authority over the financial services company should have the right to audit and review the vendor.

■ In addition to standard termination rights for breach and bankruptcy, the financial services company should have the right to terminate the agreement if one of its regulators identifies the contract and/or the vendor as presenting a material risk that cannot be resolved through negotiations between the parties.

■ Some vendor agreements include broad rights of the vendor, and even its agents, to enter and conduct broad audits of the customer. Given the highly regulated nature of a financial services company and the highly sensitive data it controls, these types of rights should generally be rejected. Instead, the customer can offer records for off-site review by the vendor.

■ As discussed in the FFIEC Handbook, arrangements in which the pricing and purchase of various products are linked to other purchases should be reviewed carefully.

■ Use of subcontractors, particularly those who will provide on-site services, have access to sensitive data, or are located offshore, should be strictly controlled. No subcontractors should be permitted without the customer’s express approval. Financial services companies are generally obligated to conduct due diligence of their vendors. Depending on the nature of the subcontractor’s involvement, the customer may be under an obligation to also conduct due diligence of the vendor’s subcontractors. In some instances (e.g., where the subcontractor will have substantial access to highly sensitive data), it may be appropriate for the financial services company to require the subcontractor to sign a nondisclosure agreement—placing the vendor in direct contractual privity (i.e., they are both parties to the same agreement) with the customer.

■ Beware of vendors who use offshore entities to perform the agreement, particularly if they will be sharing personally identifiable information with those entities. In addition to obvious security and confidentiality concerns, moving data across borders may require consumer consents that may be very difficult to obtain.

■ Where the software or service being purchased relates to a regulated activity (e.g., a software platform for processing trades or maintaining account information), the contract should include a warranty that the software or service complies with all applicable laws and that the vendor will furnish, without additional charge, any updates necessary to maintain compliance during the term of the engagement.
