February 25, 2020
Vendor Service Contracts - Not Just Arm's Length Transactions Anymore
Trisha J. Cacciola
The Consumer Financial Protection Bureau's Compliance Bulletin and Policy Guidance; 2016-02, Service Providers, addresses the CFPB's expectation that companies oversee their business relationships with service providers in a way that ensures compliance with consumer financial law and establishes a process to manage the risks inherent in service provider relationships. To comply with these requirements, companies must establish a process for conducting due diligence and a risk assessment of potential new vendors and, periodically, of existing vendors.
The company also will be expected to have a written agreement with the vendor memorializing the parties' relationship. A critical part of this process is the execution of a contract clearly outlining the vendor's obligations and responsibilities for, among other things, compliance with applicable law.
However, we often see that clients, in their haste to get a project involving third-party services underway, will enter into an arrangement with a vendor before fully documenting the transaction. This is especially true in the context of pilot programs, where the perspective of the businesspeople is "less is more." In a pilot, there typically is a rush by management to get the program to market to begin the internal evaluation process. Therefore, management's approach may be that the resources needed to fully negotiate an agreement are not justified unless the pilot is successful and the parties agree to move forward on a longer-term basis. As a result, the pilot may be propelled to proceed with nothing more than a nondisclosure agreement.
The problem with this approach is that while it certainly shortcuts any timing requirements, it has the potential to put the company at risk, particularly when the vendor's services require access to the company's customer information. A simple nondisclosure agreement will not cover the obligations of the vendor to comply with applicable law and may not fully address the company's requirements for confidentiality and data security. However, taking the time to negotiate a full agreement with the vendor may not be practical in a pilot context.
But there may be a compromise position. Your company may want to consider drafting a pilot agreement template that is tailored to generally cover your approach to vendor relationships, but is flexible enough to be altered quickly to accommodate different kinds of pilot arrangements. This document wouldn't be the full agreement you will negotiate with a vendor if you proceed with a longer-term commitment, but will be much more protective and descriptive of your interests than a mere nondisclosure agreement.
In addition, when the time comes to execute a final agreement between the parties, we often see clients taking shortcuts in those documents as well. This is especially true when the company is required to use the vendor's own agreement as the starting point in the negotiation process.
Not surprisingly, the agreement may not provide the level of representations, warranties, and covenants related to consumer financial protection laws that a regulator would expect to see in an exam. Further, the indemnification may not provide for the type of relief that the company may want to seek if the vendor fails to comply with applicable law. Be especially wary of limitation of liability clauses that cap the vendor's economic responsibility for breaches. In addition, there may be a lack of detail in the obligations of the vendor that could lead to gaps in the service requirements.
Another area for concern is the ownership of the data, including customer information. Most companies intend to retain ownership of their clients' accounts, as the vendor is simply providing a service for the accounts but does not otherwise have an interest in the account itself. The agreement should be clear on that point and limit the use of the data to the service that the vendor has been contracted to provide.
The vendor contract drafting and negotiation process is difficult because the business is often in a rush to bring a product or program to market. There will be pressure to finalize written arrangements with a vendor or ignore them altogether. Internal legal and compliance departments will need to be ready with template forms, or even just standard provisions needed for these types of transactions. It may be helpful to create a checklist of required content for these vendor arrangements in advance to make certain that you cover your legal needs before the vendor begins working for you.