Outsourcing Technology Services

After selecting a service provider, management should negotiate a contract that meets their requirements. The RFP and the service provider's response can be used as inputs to this process. The contract is the legally binding document that defines all aspects of the servicing relationship. A written contract should be present in all servicing relationships. This includes instances where the service provider is affiliated with the institution. When contracting with an affiliate, the institution should ensure the costs and quality of services provided are commensurate with those of a nonaffiliated provider. The contract is the single most important control in the outsourcing process. Because of the importance of the contract, management should:

• Verify the accuracy of the description of the outsourcing relationship in the contract;
• Ensure the contract is clearly written and contains sufficient detail to define the rights and responsibilities of each party comprehensively; and
• Engage legal counsel early in the process to help prepare and review the proposed contract.

Examples of contract elements that should be considered include:

Scope of Service. The contract should clearly describe the rights and responsibilities of the parties to the contract. Considerations should include:

• Descriptions of required activities, timeframes for their implementation, and assignment of responsibilities. Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization);
• Obligations of, and services to be performed by, the service provider including software support and maintenance, training of employees, or customer service;
• Obligations of the financial institution;
• The contracting parties' rights in modifying existing services performed under the contract; and
• Guidelines for adding new or different services and for contract re-negotiation.

Performance Standards. Institutions should include performance standards that define minimum service level requirements and remedies for failure to meet standards in the contract. For example, common service level metrics include percent system uptime, deadlines for completing batch processing, or number of processing errors. Industry standards for service levels may provide a reference point. The institution should periodically review overall performance standards to ensure consistency with its goals and objectives. Also see the Service Level Agreements section in this booklet.

Security and Confidentiality. The contract should address the service provider's responsibility for security and confidentiality of the institution's resources (e.g., information, hardware).The "Guidelines Establishing Standards to Safeguard Customer Information" to implement section 501(b) of the Gramm-Leach- Bliley Act of 1999 (GLBA) promulgated by the FFIEC agencies requires institutions to, among other things, require service providers by contract to implement appropriate security controls to comply with the guidelines with respect to their handling of customer information. The agreement should prohibit the service provider and its agents from using or disclosing the institution's information, except as necessary to or consistent with providing the contracted services, and to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives nonpublic personal information regarding the institution's customers, the institution should verify that the service provider complies with all applicable requirements of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when intrusions occur, the effect on the institution, and corrective action to respond to the intrusion, based on agreements between both parties.

Controls. Management should consider implementing contract provisions that address the following controls:

• Service provider internal controls;
• Compliance with applicable regulatory requirements;
• Record maintenance requirements for the service provider;
• Access to the records by the institution;
• Notification requirements and approval rights for any material changes to services, systems, controls, key project personnel, and service locations;
• Setting and monitoring parameters for financial functions including payments processing or extensions of credit on behalf of the institution; and
• Insurance coverage maintained by the service provider.

Audit. The institution should include in the contract the types of audit reports it is entitled to receive (e.g., financial, internal control, and security reviews). The contract should specify the audit frequency, any charges for obtaining the audits, as well as the rights of the institution and its regulatory agencies to obtain the results of the audits in a timely manner. The contract may also specify rights to obtain documentation of the resolution of any deficiencies and to inspect the processing facilities and operating practices of the service provider. Management should consider, based upon the risk assessment phase, if it can rely on internal audits or if there is a need for external audits and reviews.

For services involving access to open networks, such as Internet-related services, management should pay special attention to security. The institution should consider including contract terms requiring periodic control reviews performed by an independent party with sufficient expertise. These reviews may include penetration testing, intrusion detection, reviews of firewall configuration, and other independent control reviews. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to assess security adequately without compromising the service provider's security.

Reports. Contractual terms should include the frequency and type of reports the institution will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports). The contracts should also outline the guidelines and fees for obtaining custom reports.

Business Resumption and Contingency Plans. The contract should address the service provider's responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans. The contracts should outline the service provider's responsibility to test the plans regularly and provide the results to the institution. The institution should consider interdependencies among service providers when determining business resumption testing requirements. The service provider should provide the institution a copy of the contingency plan that outlines the required operating procedures in the event of business disruption. Contracts should include specific provisions for business recovery timeframes that meet the institution's business requirements. The institution should ensure that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans.

Sub-contracting and Multiple Service Provider Relationships. Some service providers may contract with third parties in providing services to the financial institution. Institutions should be aware of and approve all subcontractors. To provide accountability, the financial institution should designate the primary contracting service provider in the contract. The contract should also specify that the primary contracting service provider is responsible for the services outlined in the contract regardless of which entity actually conducts the operations. The institution should also consider including notification and approval requirements regarding changes to the service provider's significant subcontractors.

Cost. The contract should fully describe the calculation of fees for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity or for special requests. Contracts should also address the responsibility and additional cost for purchasing and maintaining hardware and software. Any conditions under which the cost structure may be changed should be addressed in detail including limits on any cost increases. Also see the Pricing Methods and Bundling sections in this booklet.

Ownership and License. The contract should address the ownership, rights to, and allowable use of the institution's data, equipment/hardware, system documentation, system and application software, and other intellectual property rights. Ownership of the institution's data must rest clearly with the institution. Other intellectual property rights may include the institution's name and logo, its trademark or copyrighted material, domain names, web sites designs, and other work products developed by the service provider for the institution. Additional information regarding the development of customized software to support outsourced services can be found in the IT Handbook's "Development and Acquisition Booklet."

Duration. Institutions should consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods. While there can be benefits to long-term technology contracts, certain technologies may be subject to rapid change and a shorter-term contract may prove beneficial. Similarly, institutions should consider the appropriate length of time required to notify the service provider of the institutions' intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., web site, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract.

Dispute Resolution. The institution should consider including a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as a provision for continuation of services during the dispute resolution period.

Indemnification. Indemnification provisions should require the service provider to hold the financial institution harmless from liability for the negligence of the service provider. Legal counsel should review these provisions to ensure the institution will not be held liable for claims arising as a result of the negligence of the service provider.

Limitation of Liability. Some service provider standard contracts may contain clauses limiting the amount of liability that can be incurred by the service provider. If the institution is considering such a contract, management should assess whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider's failure to perform its obligations.

Termination. Management should assess the timeliness and expense of contract termination provisions. The extent and flexibility of termination rights can vary depending upon the service. Institutions should consider including termination rights for a variety of conditions including change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy, company closure, and insolvency. The contract should establish notification and timeframe requirements and provide for the timely return of the institution's data and resources in a machine readable format upon termination. Any costs associated with conversion assistance should also be clearly stated.

Assignment. The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution's consent. Assignment provisions should also reflect notification requirements for any changes to material subcontractors.

Foreign-based service providers. Institutions entering into contracts with foreign-based service providers should consider a number of additional contract issues and provisions. See Appendix C included in this booklet.

Regulatory Compliance. Financial institutions should ensure that contracts with service providers include an agreement that the service provider and its services will comply with applicable regulatory guidance and requirements. The provision should also indicate that the service provider agrees to provide accurate information and timely access to the appropriate regulatory agencies based on the type and level of service it provides to the financial institution.