August 5, 2021 BY MQMR Blogger
What contract provisions should a lender ensure are present in its vendor contracts?
Answer: It depends.
Because vendors offer different types of services, the corresponding risk associated with a vendor also varies. A successful vendor management program starts with a correct categorization of vendor risk. Tier 1 or high-risk vendors are those that provide critical services to a lender, usually involving access to Non-Public Information (NPI). In such a case, the lender should be on the lookout for privacy obligations in relation to the vendor’s handling of NPI. Is the vendor obliged to notify the lender in case of a breach of NPI? What are the mechanisms in place to address a breach of NPI? Can the vendor outsource some or all of its services to a third party, and if so, who remains liable in case a breach occurs at the third-party level? If there is a breach of obligations regarding NPI, does the lender have recourse via an Indemnification provision? Does the vendor have appropriate insurance during the course of the engagement to cover the risk it poses to the lender? Does the vendor warrant compliance with the lender’s regulatory oversight requirements?
These questions are especially relevant in today’s work environment, which has begun to accommodate remote work arrangements where some or all of the usual security measures against data breaches are not present. This, coupled with the perennial threat of fraud, phishing, and security attacks, continues to challenge lenders to be vigilant about the content of their vendor contracts.
While they may pose a lesser risk than Tier 1 vendors, Tier 2 and Tier 3 vendors should not be exempt from having enforceable confidentiality obligations. Proprietary information, trade secrets, and other relevant data provided by a lender (or consumer) should be safeguarded, and a lender should still aim to include an indemnification provision, or at least an option to terminate the contract, in the event of a breach by the vendor.
In essence, a lender should want Privacy and/or Confidentiality, Indemnification, and Termination provisions in all of its vendor contracts. Negotiations may not always lead to these provisions being included in the final contract between parties, but when a lender is aware of the risk associated with a specific vendor, the lender is in a better position to bargain for the most crucial provisions to protect itself and its consumers. A good rule to remember is: high-risk vendors warrant more protections for the lender and/or consumers. These protections may then come in the form of additional contractual provisions, tighter and more enforceable language, or, in an ideal scenario, both.