
Summary

Financial services companies face unique challenges in negotiating technology agreements. In addition to the concerns any customer would have in those types of engagements, financial services companies must also ensure compliance with a wide range of laws, regulations, and guidance from their regulators that directly affect the protections they must require in their technology contracts. To minimize compliance issues, we recommend that all financial services companies develop checklists, such as the ones at the end of this chapter, to ensure key issues are not overlooked. In addition, negotiators for these entities must be ready to explain and justify these issues to their vendors.

Note: The provisions described in the following checklists typically should be considered and included as described in relevant agreements; however, depending on the facts and circumstances of the services, products, software, service provider, and relationship, discretion and judgment may be required in determining whether to include or modify certain provisions.

The checklist can be used to evaluate and comment on each relevant agreement and retained as a record as to whether and how each issue is addressed.

The first column identifies the regulatory/contractual issue. The second column describes the relevant law, regulation, or guidance as to which the issue relates. The third column is used in evaluating a prospective contract to identify whether a particular requirement is present in the draft agreement. The final column is used to include section references in the proposed agreement that address a particular issue and to record any other issues or comments.

Checklist for Regulatory Considerations in Technology Transactions Involving Financial Services Companies

Provision/Issue | Regulatory Reference | Covered? (Yes/No/NA) | Section Ref./Comments

Precontract due diligence. Where relevant and dependent on the level of risk presented, the financial institution should conduct appropriate due diligence of the service provider. Where appropriate, some or all of the following diligence should be conducted:

  • Experience in implementing and supporting the proposed activity, possibly to include requiring a written proposal
  • Audited financial statements of the service provider and its significant principals (the analysis should normally be as comprehensive as the financial institution would undertake if extending credit to the party)
  • Business reputation, complaints, and litigation (by checking references, the Better Business Bureau, state attorneys general offices, state consumer affairs offices, and, when appropriate, audit reports and regulatory reports)
  • Qualifications, backgrounds, and reputations of company principals, to include criminal background checks, when appropriate
  • Internal controls environment and audit coverage
  • Adequacy of management information systems
  • Business resumption, continuity, recovery, and contingency plans
  • Technology recovery testing efforts
  • Cost of development, implementation, and support
  • Reliance on and success in dealing with subcontractors (the financial institution may need to consider whether to conduct similar due-diligence activities for material subcontractors)
  • Insurance coverage
  • Business strategies and goals, human resources policies, service philosophies, quality initiatives, and policies for managing costs and improving efficiency
  • Service provider's culture, values, and business style should fit the financial institution's environment
  • Particular diligence should be exercised with respect to use of offshore service providers (see the Checklist for Foreign/Offshore Service Providers)

Regulatory reference: Office of the Comptroller of the Currency ("OCC") 2001-47, Selecting a Service Provider and Due Diligence; FFIEC IT Examination Handbook (June 2004), Due Diligence, p. 11

Reporting. Reports from service providers should be timely, accurate, and comprehensive enough to allow the financial institution to adequately assess performance, service levels, and risks. Discuss the frequency and type of reports to be received (e.g., performance reports, internal controls, control audits, financial statements, security reports, and business resumption testing reports). Consider materiality thresholds and procedures for notifying the financial institution when service disruptions, security breaches, and other events pose material risk to the financial institution. Consider requiring the service provider to notify the financial institution in the event of financial difficulty, catastrophic events, material changes in strategic goals, and significant staffing changes, all of which could seriously affect the service provider's ability to perform.

Regulatory reference: OCC 2001-47, Responsibilities for providing and receiving information; FFIEC Handbook, Controls, Audit and Reports, p. 14


Books and records; audit rights. The service provider should be required to maintain accurate and complete books and records relating to its performance. The financial institution must have the right to audit the service provider (and its subcontractors) as needed to monitor performance under the contract, and the OCC should have the same access (see OCC supervision, below). Ensure that periodic independent internal and/or external audits are conducted at intervals and with scopes consistent with in-house functions. Include the types and frequency of audit reports the financial institution is entitled to receive from the service provider (e.g., financial, internal control, and security reviews). Reserve the right to conduct audits of the function or to engage an independent auditor. Consider whether to accept independent internal audits conducted by the service provider's audit staff or external audits and reviews (e.g., SAS 70 reviews; note that SAS 70 has since been superseded by SOC 1 reports under SSAE 16/18, which cover controls relevant to financial reporting, and that it is a SOC 2 report that actually addresses security, availability, and confidentiality controls). Audit reports should include a review of the service provider's internal control environment relating to the service or product being provided. Reports should also include a review of the service provider's security program and business continuity program.

Regulatory reference: OCC 2001-47, The right to audit; FFIEC Handbook, Controls, Audit and Reports, p. 14

OCC supervision. State that performance of services by the service provider is subject to OCC examination/oversight and audit by the OCC.

Regulatory reference: OCC 2001-47, OCC Supervision; FFIEC Handbook, Controls, p. 14


Cost/compensation/fees/payment. Fully describe compensation, fees, license fees, and calculations for base services, as well as any charges based upon volume of activity and fees for special requests or services. Indicate which party is responsible for payment of legal, audit, and examination fees associated with the activity. Address the cost of, and responsibility for, purchasing and maintaining hardware and software. Conditions under which the cost structure can be changed should be addressed in detail, including any limits on cost increases. It is preferable to limit cost escalation and increases to an inflation index (e.g., CPI), a specified percentage, or the service provider's actual increased out-of-pocket costs, as applicable. Applicable taxes should be addressed, including a requirement that the service provider assist the financial institution in determining its tax liability more accurately and in minimizing that liability to the extent legally permissible. In certain jurisdictions, purely electronic delivery of software and associated documentation may not be subject to sales tax. (See the note below regarding taxes and offshore service providers.)

Regulatory reference: OCC 2001-47, Cost and compensation; FFIEC Handbook, Cost, p. 15, Pricing Methods, p. 17


Bundling. The vendor may attempt to entice the institution to purchase more than one system, process, or service for a single price, referred to as "bundling." The financial institution should avoid bundled pricing. This practice may result in the financial institution getting a single consolidated bill that does not provide pricing information for each specific system, process, or service. Although the bundled services may appear to be cheaper, the financial institution cannot analyze the costs of the individual services. Bundles may include processes and services that the financial institution does not want or need. Bundling also may not allow the financial institution to discontinue a specific system, process, or service without having to renegotiate the contract for all remaining services.

Regulatory reference: FFIEC Handbook, Bundling, p. 18

Contract inducements. Financial institutions should not sign servicing contracts that contain provisions or inducements that may adversely affect the financial institution. Such contract provisions may include extended terms (up to ten years), significant increases in costs after the first few years, and/or substantial cancellation penalties. In addition, some service contracts improperly offer inducements that allow the financial institution to retain or increase capital by deferring losses on the disposition of assets or avoiding expense recognition.

Regulatory reference: OCC 2001-47; FFIEC Handbook, Contract Inducement Concerns, p. 19


Confidentiality and security. Service providers must ensure the confidentiality and security of financial institution data and information. Prohibit the service provider and its agents from using or disclosing the financial institution's information, except as necessary to provide the contracted services.

If the service provider receives nonpublic personal information regarding the financial institution's customers, the financial institution should notify the service provider so that it can assess the applicability of the privacy regulations, and the service provider must implement appropriate security measures designed to meet the objectives of the regulatory guidelines with which the financial institution must comply.

Regulatory reference: OCC 2001-47, Confidentiality and security; FFIEC Handbook, Security and Confidentiality, p. 13, Information Security/Safeguarding, p. 28

Where appropriate, include specific information security requirements. Financial institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions that may materially affect the financial institution or its customers. The service provider should report to the financial institution when material intrusions occur, should estimate the intrusion's effect on the financial institution, and should specify the corrective action taken. Address the ability of each party to change security procedures and requirements; changes should remedy any confidentiality/security issues arising out of shared use of facilities owned by the service provider.

Regulatory reference: OCC 2001-47, Reputation risk; FFIEC Handbook, Reputation Risk, p. 6


Publicity. The agreement should prohibit the service provider from using the financial institution's name or trademarks in any advertising, promotions, or press releases without the financial institution's prior written consent.

Privacy. Require the service provider to comply with all applicable privacy laws (e.g., the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA)) and with the financial institution's privacy policies. (See the Checklist for Foreign/Offshore Service Providers.)

Regulatory reference: OCC 2001-47, Confidentiality and security; FFIEC Handbook, Security and Confidentiality, p. 13; GLBA; FACTA

Business resumption, disaster recovery/contingency plans. Provide for continuation of the business function in the event of problems affecting the service provider's operations, including system breakdown and natural (or man-made) disaster. Address the service provider's responsibility for backing up and otherwise protecting program and data files, for protecting equipment, and for maintaining disaster recovery and contingency plans. Responsibilities should include testing of the plans and providing the results to the financial institution. Consider requiring the service provider to provide the operating procedures to be carried out in the event business resumption contingency plans are triggered. Include specific timeframes for business resumption and recovery that meet the financial institution's business requirements.

Regulatory reference: OCC 2001-47, Business resumption and contingency plans; FFIEC Handbook, Business Resumption and Contingency Plans, p. 14, Business Continuity Planning, p. 25


Indemnification. The service provider should be required to defend, indemnify, and hold the financial institution harmless from third-party claims for intellectual property infringement, and from claims arising out of the service provider's alleged negligence, breach of confidentiality (particularly with regard to customer information), and violation of law. In the event the financial institution indemnifies the service provider, the financial institution should not be liable for claims arising out of any acts, omissions, or failures of the service provider.

Regulatory reference: OCC 2001-47, Indemnification; FFIEC Handbook, Indemnification, p. 16

Insurance. The service provider should maintain adequate insurance and should notify the financial institution of material changes to coverage. Insurance requirements should reflect the level of risk presented by the proposed engagement.

Regulatory reference: OCC 2001-47, Insurance; FFIEC Handbook, Controls, p. 14

Dispute resolution. Consider whether to provide for a dispute resolution process (arbitration, mediation, or other means) for the purpose of resolving problems between the financial institution and the service provider in an expeditious manner, and whether it should provide that the service provider continue to perform during the dispute resolution period.

Regulatory reference: OCC 2001-47, Dispute resolution; FFIEC Handbook, Dispute Resolution, p. 16


Limitations/disclaimer of liability/damages. Most standard service provider contracts limit the service provider's liability. The financial institution should determine whether the proposed limit is in proper proportion to the amount of loss the financial institution might experience as a result of the service provider's failure to perform. A waiver of consequential damages is acceptable provided there is a carve-out for indemnification claims and breach of confidentiality/security. Negotiations for a cap on damages should start at no less than two times all fees paid, and the financial institution should not agree to less than the fees paid during the prior twelve months without senior management approval; the cap on damages should include the same carve-out for indemnification claims and breach of confidentiality/security. Limitations of liability should be drafted to provide mutual protection for both parties. Avoid limitations of liability that protect only the service provider.

Regulatory reference: OCC 2001-47, Limits on liability; FFIEC Handbook, Limitation of Liability, p. 16


Term/termination/default. Significant risks are associated with contract default and/or termination. Stipulate clearly what constitutes default; identify remedies; allow for opportunities to cure defaults (typically thirty days). The extent and flexibility of the termination rights sought may vary with the type of service. Provide termination rights for change in control, merger or acquisition, convenience, substantial increase in cost, repeated failure to meet service standards, failure to provide critical services and required notices, failure to prevent violations of law or unfair and deceptive practices, bankruptcy, company closure, and insolvency. Consider renewal terms and the appropriate length of notice required to avoid automatic renewal. Provide for the financial institution's right to terminate upon reasonable notice and without penalty in the event that the OCC formally objects to the particular service provider relationship. Allow the financial institution to terminate the relationship in a timely manner without prohibitive expense. Provide timeframes to allow for transition assistance and the orderly conversion to another service provider, and for the timely return of the financial institution's data and other resources. Any costs and service provider obligations associated with transition assistance should be clearly stated (e.g., at the service provider's expense if termination is due to service provider default).

Regulatory reference: OCC 2001-47, Default and termination; FFIEC Handbook, Duration, p. 15, Termination, p. 16


Customer complaints. Where relevant, the service provider should be required to forward any complaints it receives from the financial institution's customers. Specify whether the financial institution or the service provider is responsible for responding to the complaints. If the service provider responds, a copy of the response should be forwarded to the financial institution.

Regulatory reference: OCC 2001-47, Customer complaints

Background checks. Provide for the financial institution's right, at its discretion, to require full criminal, employment, and/or drug background checks on all service provider personnel performing services for the financial institution. (Consider whether the checks should be conducted prior to engaging the service provider.) Background checks are particularly relevant in offshore engagements.

Regulatory reference: OCC 2001-47, Selecting a Service Provider and Due Diligence; FFIEC Handbook, Due Diligence, p. 11

Assignment. The service provider should not be permitted to assign the agreement without the financial institution's consent. The financial institution should be able to freely assign to an affiliate or in the event of a sale, merger, acquisition, or change of control.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Assignment, p. 16

Miscellaneous. Consider appropriate miscellaneous provisions to include, such as governing law and venue in an acceptable jurisdiction, survival, integration/entire agreement, modifications only in writing, and inapplicability of click-wrap/web-based terms, conditions, licenses, and disclaimers.

Checklist for Professional Services Agreements

Provision/Issue | Regulatory Reference | Covered? (Yes/No/NA) | Section Ref./Comments

Description of services and/or products. Clearly identify the scope of services and/or products to be provided, including the frequency, content, and format of the services or products to be provided. Where applicable, reference the statement of work, schedule, milestones, and deliverables.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Scope of Services, p. 13

Support services. Identify software support and maintenance, training of employees, and customer service.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Scope of Services, p. 13

Third-party software. Identify third-party software required to use the services, and responsibility for acquiring it and for the associated fees. Identify or prohibit, as applicable, open-source software supplied by the service provider. Require identification of all applicable third-party terms and conditions.

Permitted activities; financial institution premises. Describe which activities the service provider is permitted to conduct, whether on or off the financial institution's premises, and describe the terms governing the use of the financial institution's space, personnel, and equipment.

Regulatory reference: OCC 2001-47, Scope of arrangement

Joint responsibilities. When financial institution and service provider employees are used jointly, their duties and responsibilities should be clearly articulated.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Scope of Services, p. 13


Subcontracting. Indicate whether the service provider is prohibited from assigning any portion of the contract to subcontractors or other entities. It is preferable to prohibit subcontracting of core or critical services and to maintain control and approval rights over permitted subcontracting. Subcontracting of services that involve access to customer information should be strictly controlled. See the Offshore Checklist for subcontracting to offshore service providers. Prohibit subcontracting to offshore service providers where appropriate.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Sub-contracting and Multiple Service Provider Relationships, p. 15

Testing and acceptance. Include a provision for testing and acceptance by the financial institution, including the procedure for determining acceptance criteria, the service provider's obligation to remedy failures, and a refund for failed implementation.

Regulatory reference: OCC 2001-47, Performance measures or benchmarks; FFIEC Handbook, Performance Standards, p. 13, Controls, p. 14, Regulatory Compliance, p. 16

Warranties. Include appropriate service provider warranties such as a services warranty (professional, competent, trained employees); compliance with all applicable laws and regulatory requirements; authority to enter into the agreement; conformance to specifications; and noninfringement.


Service levels/performance measures. Performance measures should define the expectations and responsibilities for both parties. Requirements should be sufficient to enable effective monitoring of ongoing service provider performance and of the success of the arrangement, and should be used to motivate third-party performance, especially if poor performance is penalized or outstanding performance rewarded. Industry standards should provide a reference point for commodity-like services, such as payroll processing. Use an agreed-upon range of measures for customized services. Ensure the service provider has an obligation to report service level compliance. Set and monitor parameters for financial functions, including payments processing or extensions of credit on behalf of the financial institution.

Regulatory reference: OCC 2001-47, Performance measures or benchmarks; FFIEC Handbook, Performance Standards, p. 13, Controls, p. 14, Service Level Agreements, p. 17

Change control. Include provisions governing the provision of services, scope of work, and compensation for services outside the original scope of the agreement, including changes to systems, controls, key project personnel, and service locations.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Controls, p. 14

Staffing; employment issues. Allow for reasonable financial institution control over approval and replacement of service provider staffing, particularly for personnel on site; consider limits on reassignment of key personnel; require the service provider to promptly notify the financial institution and replace personnel where necessary in order to maintain continuity of services.


Include language making clear that the financial institution will not be deemed the employer of any service provider personnel and that the service provider will indemnify and hold the financial institution harmless from any employment-related claims. The service provider is solely responsible for payment of all employment-related taxes.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Controls, p. 14

Intellectual property ownership/license. State whether and how the service provider has the right to use the financial institution's data, hardware and software, system documentation, and intellectual property, such as the financial institution's name, logo, trademark, and copyrighted materials. Any use of financial institution property should be subject to a clearly worded license. Indicate whether any records generated by the service provider are the property of the financial institution. Consider whether developed software and other intellectual property should be owned by the financial institution or, if not, whether the financial institution should be granted exclusivity for a period of time. If not owned by the financial institution, ensure the financial institution has an appropriate license to use the developments. If licensing software, consider establishing escrow agreements to provide for the financial institution's access to source code and programs under certain conditions (e.g., insolvency of the service provider), documentation of programming and systems, and verification of updated source code.

Regulatory reference: OCC 2001-47, Ownership and license; FFIEC Handbook, Ownership and License, p. 15


Scope of license. Clearly identify the software and the scope of license rights being granted; the ability of the financial institution to use contractors and outsourcers; and the ability of affiliates and divested entities to use the software.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Scope of Services, p. 13

Support services. Identify software support and maintenance, error corrections, telephone support/help desk, updates, modifications, training of employees, customer service, and backups. Consider a minimum period of time (e.g., five years) during which the service provider will be required to provide support if support is renewed by the financial institution.

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Scope of Services, p. 13, Duration, p. 15

Third-party software. Identify third-party software required to use the service provider's software, and responsibility for acquiring it and for the associated fees. Identify or prohibit, as applicable, open-source software. Require identification of all applicable third-party terms and conditions.

Regulatory reference: OCC 2001-47, Scope of arrangement

Permitted activities; financial institution premises. Describe which activities the service provider is permitted to conduct, whether on or off the financial institution's premises, and describe the terms governing the use of the financial institution's space, personnel, and equipment.


Joint responsibilities. When financial institution and service provider employees are used jointly, their duties and responsibilities should be clearly articulated.

Regulatory reference: OCC 2001-47, Scope of arrangement

Subcontracting. Indicate whether the service provider is prohibited from assigning any portion of the contract to subcontractors or other entities. It is preferable to prohibit subcontracting of core or critical services and to maintain control and approval rights over permitted subcontracting. Subcontracting of services that involve access to customer information should be strictly controlled. (See the Offshore Checklist for subcontracting to offshore service providers. Prohibit subcontracting to offshore service providers where appropriate.)

Regulatory reference: OCC 2001-47, Scope of arrangement; FFIEC Handbook, Sub-contracting and Multiple Service Provider Relationships, p. 15

Testing and acceptance. Include a provision for testing and acceptance by the financial institution, including the procedure for determining acceptance criteria, the service provider's obligation to remedy failures, and a refund for failed implementation.

Warranties. Include appropriate service provider warranties such as: the software will conform to specifications; a services warranty (professional, competent, trained employees); compliance with laws; authority to enter into the agreement; noninfringement; no viruses/destructive code; daylight saving time (DST) compliance; and no known performance issues.


Service levels/performance measures. Performance measures should define the expectations and responsibilities for both parties. Requirements should be sufficient to enable effective monitoring of ongoing service provider performance and of the success of the arrangement, and should be used to motivate third-party performance, especially if poor performance is penalized or outstanding performance rewarded. Consider service levels for availability of the software (particularly if service provider hosted), problem call response times, and time to repair. Ensure the service provider has an obligation to report service level compliance.

Regulatory reference: OCC 2001-47, Performance measures or benchmarks; FFIEC Handbook, Performance Standards, p. 13, Service Level Agreements, p. 17

Intellectual property ownership/license/modifications/escrow. State whether and how the service provider has the right to use the financial institution's data, hardware and software, system documentation, and intellectual property, such as the financial institution's name, logo, trademark, and copyrighted material. Any use of financial institution property should be subject to a clearly worded license. Indicate whether any records generated by the service provider are the property of the financial institution. Consider whether the financial institution will obtain any source code and/or be permitted to make modifications, and who owns such modifications. Consider establishing escrow agreements to provide for the financial institution's access to source code and programs under certain conditions (e.g., insolvency of the service provider), documentation of programming and systems, and verification of updated source code.

Regulatory reference: OCC 2001-47, Ownership and license; FFIEC Handbook, Ownership and License, p. 15


Checklist for Foreign/Offshore Service Providers

Provision/Issue | Regulatory Reference | Covered? (Yes/No/NA) | Section Ref./Comments

Precontract due diligence. In addition to the due diligence appropriate for a domestic service provider (see Checklist for General Provisions/All Service Providers), the financial institution should engage in an even higher level of due diligence prior to engaging an offshore service provider. The due diligence process should include an evaluation of the foreign-based service provider's ability—operationally, financially, and legally—to meet the financial institution's servicing needs given the foreign jurisdiction's laws, regulatory requirements, local business practices, accounting standards, and legal environment. The due diligence also should consider the parties' respective responsibilities in the event of any regulatory changes in the United States or the foreign country that could impede the ability of the financial institution or service provider to fulfill the contract.

Regulatory Reference: OCC 2002-16 Due Diligence; FFIEC Handbook, Appendix C, Due Diligence, p. C-3

Privacy. Pay special attention to protecting the privacy of customers and the confidentiality of financial institution records given US law and the foreign jurisdiction's legal environment and regulatory requirements. Appropriate warranties, confidentiality provisions, and information security requirements should be included in the agreement.

Regulatory Reference: OCC 2002-16; FFIEC Handbook, App. C, Security, Confidentiality and Ownership of Data, p. C-3


Choice of law. Carefully consider which country's law should control the relationship and insert appropriate choice of law and jurisdictional language that provides for resolution of all disputes between the parties under the laws of the acceptable jurisdiction. (Note: Choice of law and jurisdictional provisions help to ensure continuity of service, to maintain access to data, and to protect nonpublic customer information. The provisions, however, can be subject to interpretation by foreign courts relying on local laws, which may substantially differ from US laws in how they apply and enforce choice of law covenants, what they require of financial institutions, and how they protect financial institution customers. As part of the due diligence process, the financial institution should obtain legal review from counsel experienced in that country's laws regarding the enforceability of all aspects of the subject contract and any other legal ramifications.)

Regulatory Reference: OCC 2002-16 Choice of law; FFIEC Handbook, App. C, Choice of Law, p. C-4

Taxes. Identify any applicable local taxes. Address responsibility for changes in local taxes (e.g., service taxes in outsourcing engagements) that may occur during the term of the agreement.

Confidentiality. Ensure the service provider is prohibited from disclosing or using financial institution data or information for any purpose other than to carry out the contracted services. All information shared by the financial institution with the service provider, regardless of how the service provider processes, stores, copies, or otherwise reproduces it, remains solely the property of the financial institution. Require the service provider to implement security measures that are designed to safeguard customer information. (Note: Sharing of nonpublic customer-related information from US offices with a foreign-based service provider must comply with the OCC's privacy regulation, including requisite disclosures to and agreements with customers who would be affected by the financial institution's relationship with the service provider. The financial institution should not share any nonpublic OCC information, such as an examination report, with a foreign-based service provider except with express OCC approval. Such nonpublic OCC information remains the OCC's property, and the financial institution should take all required measures to protect the information's confidentiality.)

Regulatory Reference: OCC 2002-16 Confidentiality of Information; FFIEC Handbook, Security and Confidentiality, p. 13; FFIEC Handbook, App. C, Security, Confidentiality and Ownership of Data, p. C-3

Financial institution access to information. Critical data or other information related to services provided by a foreign-based service provider must be readily available at the financial institution's US office(s). Such information should include copies of contracts, due diligence, and oversight and audit reports. In addition, the financial institution should have an appropriate contingency plan to ensure continued access to critical information and service continuity and resumption in the event of unexpected disruptions or restrictions in service resulting from transaction, financial, or country risk developments.

Regulatory Reference: OCC 2002-16 Access to Information; FFIEC Handbook, App. C, Regulatory Authority, p. C-4; Regulatory Agency Access to Information, p. C-5


OCC access to information. Use of a foreign-based service provider and the location of critical data and processes outside US territory must not compromise the OCC's ability to examine the financial institution's operations. The agreement should establish the relationship in a way that permits and does not diminish the OCC's access to data or information needed to supervise the financial institution. The financial institution should not outsource any of its information or transaction processing to third-party service providers that are located in jurisdictions where the OCC's full and complete access to data or other information may be impeded by legal, regulatory, or administrative restrictions unless copies of all critical records also are maintained at the financial institution's US offices. Copies of the results of the financial institution's due diligence efforts and regular risk management oversight, performance and audit reports on the foreign-based third-party service provider, as well as all policies, procedures, and other important documentation relating to the financial institution's relationship with the service provider, should be maintained in English for review by examiners at the financial institution's office(s).

Regulatory Reference: OCC 2002-16 Access to Information; FFIEC Handbook, App. C, Regulatory Authority, p. C-4; Regulatory Agency Access to Information, p. C-5
