BankBryanCave.com

If the Shoe Fits, Wear It – Bank Third Party Vendors as Institution-Affiliated Parties

May 26, 2017

When negotiating bank third party vendor contracts it is not unusual to ask the vendor to acknowledge in the contract that bank regulators might exercise some sort of supervision over the vendor. Vendors will oftentimes push back on that point, claiming that since they are not a bank the FDIC has no jurisdiction over their affairs. We typically respond that “if the shoe fits, wear it.”

The fit arises because of the definition of “institution-affiliated party” (“IAP”). The definition was added under FIRREA when the regulatory agencies were seeking additional authority to impose sanctions against lawyers, accountants and appraisers whose negligence may have contributed to the failure of a bank. The language added to the statute is broader than just those professionals and covers any shareholder, consultant, joint venture party, any other person determined by the appropriate federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of the bank, and any independent contractor who knowingly or recklessly participates in any violation of law or regulation, any breach of fiduciary duty or any unsafe or unsound practice which caused or is likely to cause more than a minimal financial loss to the bank. (12 USC 1813(u))

The practical application of being designated an IAP was recently driven home in an enforcement action the FDIC took against Bank of Lake Mills, Freedom Stores, Inc. and Military Credit Services, Inc. All three parties entered into Consent Orders with the FDIC. The Bank agreed to fund restitution of $3,000,000 and to pay a civil money penalty of $151,000 while Freedom Stores, Inc. agreed to pay a penalty of $54,000 and Military Credit Services agreed to pay a penalty of $37,000.

Before You Comment on My Haircut, Think Again

May 10, 2017

Back in 2008 and 2009 Eddie Liles lent around $102,000 to his brother Dallas to purchase rental properties at 554 South Shore Drive and 540 South Shore Drive in Greenup County, Kentucky, as well as a 2008 Ford 4×4 truck. The brothers signed a Loan Agreement that provided the loan would be interest free and that the loan for 554 South Shore Drive would be repaid first, followed by the loan for the truck, and finally the loan for 540 South Shore Drive. The Loan Agreement called for Dallas to make payments of “[a] minimum of $600.00 per year,” which it specified could be “multi-payments or one payment of $600.00.” It was also clear that Dallas could pay more than $600 per year towards the indebtedness, if he so desired.

The Loan Agreement also provided that if Dallas died, any outstanding balance would be forgiven. If, however, Dallas survived Eddie and the loan remained unsatisfied, the property would revert to Eddie. If both men died at the same time, and before satisfaction of the loan, the property was to pass to John B. Liles, II, or his estate. Eddie filed the Loan Agreement for record with the Greenup County Clerk and Dallas began making payments. As of early 2011 when the brothers had a falling out, Dallas had reduced the indebtedness to $89,400.

According to an affidavit filed by Dallas, the impetus for the falling out was an argument the two had in January of 2011 about a haircut. The argument was bad enough that the two no longer communicated except by filing legal pleadings. Eddie refused to accept any more installment payments from Dallas and demanded payment in full. Dallas refused but continued to make installment payments into an escrow account. Eddie filed suit and later sought summary judgment on the basis that he had full rights to demand payment in full. The circuit court determined that the loan was not a demand obligation and Eddie appealed.

Do you get Bragging Rights if the Malware Infecting your Computer was Named after Zeus?

April 17, 2017

Over the last decade as the specter of cyber attacks has increased dramatically, financial institutions have been encouraged to look into the use of cyber fraud insurance as one means of minimizing risk. A recent decision by the 8th Circuit provides an interesting opportunity to see how such policies are going to be interpreted by the courts.

In 2011, an employee at Bellingham State Bank in Minnesota initiated a wire transfer through the Federal Reserve’s FedLine Advantage Plus system (FedLine). Wire transfers were made through a desktop computer connected to a Virtual Private Network device provided by the Federal Reserve. In order to complete a wire transfer via FedLine, two Bellingham employees had to enter their individual user names, insert individual physical tokens into the computer, and type in individual passwords and passphrases. In this instance the employee initiated the wire by inputting the passwords both for herself and the other employee and inserted both of the physical tokens. After initiating the wire the employee left the two tokens in the computer and left it running overnight. Upon returning the next day the employee discovered that two unauthorized wire transfers had been made from Bellingham’s Federal Reserve account to two different banks in Poland. Kirchberg was unable to reverse the transfers through the FedLine system. Kirchberg immediately contacted the Federal Reserve and requested reversal of the transfers, but the Federal Reserve refused. The Federal Reserve, however, did contact intermediary institutions to inform them that the transfers were fraudulent, and one of the intermediary institutions was able to reverse one of the transfers. The other fraudulent transfer was not recovered.

Bellingham promptly notified BancInsure of the loss and made a claim under their financial institution bond which provided coverage for losses caused by such things as employee dishonesty and forgery as well as computer system fraud. After an investigation, it was determined that a “Zeus Trojan horse” virus had infected the computer and permitted access to the computer for the fraudulent transfers. BancInsure denied the claim based on several exclusions in the policy including employee-caused loss exclusions, exclusions for theft of confidential information, and exclusions for mechanical breakdown or deterioration of a computer system. In essence, the policy does not cover losses whose proximate cause was employee negligence or a failure to maintain bank computer systems. Bellingham contested the denial and brought suit in federal court for breach of contract.

Reviewing Third Party Vendor Service Contracts

November 14, 2016

Managing third party vendor relationships has always been an important function in banks. More recently it has become a hot topic for state and federal financial bank regulators.

As a result, we have compiled our Seven Part Guide on reviewing third party vendor service contracts into one article.  A checklist for reviewing third party vendor contracts is included in the article, and also available separately.

The analysis covers typical elements that should be found in any third party vendor contract, including provisions on the nature of services to be provided, the location where the work is to be performed, breach and termination, as well as provisions related to the potential outbreak of zombies.

Reviewing Third Party Vendor Service Contracts

Checklist for Vendor Service Contracts

Pointers for Bank Recipients of Demand Letters Asserting ADA Non-Compliance

October 18, 2016

Community banks have recently been on the receiving end of demand letters from plaintiffs’ law firms alleging that the banks’ websites are in violation of the Americans With Disabilities Act of 1990 (the “ADA”). Interestingly, there are currently no specific federal standards for websites under the ADA. The Department of Justice (“DOJ”) is in the process of developing regulations for website accessibility, but has announced it will not finalize these regulations until 2018 at the earliest. Even so, the DOJ has emphasized that businesses should make websites accessible to the disabled. While the regulations are being developed, many businesses have been applying the Web Content Accessibility Guidelines (WCAG) 2.0 Level AA with the understanding that the DOJ has made clear that it considers a website accessible if it complies with these guidelines.

When a bank receives a demand letter, the first thing it needs to do is hire counsel to advise it about its various options, including mitigating any damages by curing website defects, litigation or settlement. As a practical matter, the best defense to such claims is making sure that the bank’s website is compliant with the WCAG 2.0 Level AA Guidelines. That may involve the use of internal resources as well as external consultants. While it is impossible to tell whether suit will be filed in any given situation, banks should take note that the firms sending demands have previously been engaged in filing over 100 of these types of suits against various non-financial defendants over the past year.

Bryan Cave has put together a resource that provides generally accepted recommendations for website accessibility and federal ADA standards for ATM accessibility to help you review how your bank stands.

Part 7 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

October 12, 2016

This is part 7 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Indemnification. Indemnification provisions in a third party services contract can be hotly contested. There is no question that banks should include indemnification clauses that specify the extent to which the bank will be protected from claims arising out of the failure of the vendor to perform, including failure of the vendor to obtain any necessary intellectual property licenses. Not surprisingly, they can be one of the most difficult provisions to reach an agreement on.

In its simplest terms, indemnification constitutes an agreement to allocate certain risks of loss among the parties. It is analogous to a guaranty, but just like a guaranty, the fact that you have one does not ensure that a party will in fact be protected from loss. An indemnification from a company that has little in the way of assets is no different than a guaranty from someone who has very little net worth. It may have some psychological value but may be worthless from a practical standpoint. Indemnification provisions can be drafted so tightly that they provide little protection and they can be made subject to limitations to the point that the protection offered is illusory.

Part 6 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

October 4, 2016

This is part 6 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Ownership of Trademarks, Copyrights, Patents and Other Trade Secrets; Source Code Escrow Agreements. Typically, each party should own its pre-existing materials and derivative works thereof and materials developed by the parties or their contractors individually and outside of the contract, and each party should provide the other with licenses to its materials necessary to receive or provide the services during the term. The contract should include intellectual property provisions that clearly define each party’s intellectual property rights for their pre-existing materials and materials developed as part of the contract.

Does the vendor currently own or have the right to use all of the patents, trademarks, copyrights, etc., needed to provide the services under the contract or are they using intellectual property assets owned by the bank? If the contract involves the use of software purchased from a third party which needs to be customized, does the vendor or the bank have the legal rights to do that?  The contract should address who will own any intellectual property created by the vendor as a direct result of the contract. Oftentimes, but not always, that will be the bank.

In contracts where the vendor is providing or using software in delivering the services, issues may arise over ownership and the right to use the software. Banks will generally want the vendor to represent that the vendor has full use of the software and that it is providing the bank with a non-exclusive right to use it. Usually the vendor will be required to indemnify the bank in the event a third party asserts a claim that the bank’s use of the software was improper.  If a successful claim of infringement is made, the bank may want to either obligate the vendor to obtain alternative software to be able to continue providing the services or be able to terminate the contract immediately. As a practical matter, if a successful infringement claim is made, the vendor may simply need to obtain a license from the other party in order to continue providing the software to the bank.

Part 5 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 29, 2016

This is part 5 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Vendor Notice Requirements

Business-Strategic Changes. There are several categories of events the bank will want to be notified about. The first involves things like significant strategic business changes, such as mergers, acquisitions, joint ventures, divestitures, or other business activities that could affect the activities involved. In certain instances the bank may want the ability to terminate the contract if the vendor merges with another company or if there is a change in control. Similar to a loan transaction, the bank has “underwritten” the vendor. Bank officers have met the vendor’s senior management and are comfortable with the general direction of its business. A merger or change of control may change the strategic direction of the vendor and the bank wants to make sure it knows who it is doing business with.

Business Events-Corporate Changes. The contract should address notification to the bank before making significant changes to the contracted activities, including acquisition, subcontracting, off-shoring, management or key personnel changes, or implementing new or revised policies, processes, and information technology. Related provisions in the contract would be sections that prohibit, without bank consent, the assignment of the contract, changes in the listed locations where work is being performed, and the use of subcontractors not previously approved by the bank.

Business Events-Adverse Changes to Business Operations. This category requires the prompt notification of financial difficulty, catastrophic events, and significant incidents such as information breaches, data loss, service or system interruptions, compliance lapses, enforcement actions, or other regulatory actions. The bank should already have a contingency plan in the event the vendor goes out of business, but a timely notification requirement helps to ensure that the bank will have adequate time to put the contingency plan into motion.

Business Continuity. The contract should address the issue of what happens if the vendor’s business is affected by natural disasters, human error, or intentional attacks. The contract should define the vendor’s business continuity and disaster recovery capabilities and obligations to enable vendor to continue delivery of the services in the event of a disaster or other service interruption affecting a location from where the services are provided. Force majeure events should not excuse vendor from performing the business continuity/disaster recovery services. The contract should include the vendor’s disaster recovery plan defining the processes followed by vendor during a disaster including backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans. A contract may include provisions—in the event of the third party’s bankruptcy, business failure, or business interruption—that allow the bank to transfer the bank’s accounts or activities to another third party without penalty. Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Depending on the critical nature of the service being provided, the bank may also want to consider stipulating whether and how often the bank and the vendor will jointly practice business resumption and disaster recovery plans.

Part 4 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 20, 2016

This is part 4 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Service levels. Service levels should be defined. For example, are the services to be made available 24/7, 365 days a year, or are they only needed during normal business hours? When the services involve some type of software or online technology, what is the minimum amount of “uptime” required? Depending on the services involved, uptime might be 99.9%, for example. Vendors will understandably push back on that figure and might suggest 98%. The right figure need not be either one of those numbers and is dependent on the type of service being provided and its criticality to the bank’s delivery of services to its customers. To the extent there is planned downtime for things such as software updates, it should occur during off peak time periods. Service level measures can be used to motivate the third party’s performance, penalize poor performance, or reward outstanding performance. Performance measures should not incentivize undesirable performance, such as encouraging processing volume or speed without regard for accuracy, compliance requirements, or adverse effects on customers. Certain products and services have standards that are common across the industry while others may need to be developed to fit the particular transaction. Service levels should be revisited from time to time during the term of the relationship to provide an opportunity for them to evolve along with the services being provided.

Banks should consider what type of reporting they want the vendor to provide concerning performance against the service level targets and what type of remedies the bank is entitled to in the event vendor fails to measure or report on the service levels. Banks should also consider requiring a root cause analysis for incidents and service level failures. In other words, it is not sufficient just to report a failure; the report should also cover what caused the failure and exactly what needs to be done to remedy it. It can be very frustrating when a vendor’s performance affects customers and the bank is unable to explain to those customers how a problem is being fixed so that it will not reoccur.

Part 3 of Reviewing Third Party Vendor Service Contracts, a Seven Part Guide

September 13, 2016

This is part 3 of a Seven Part Guide to reviewing vendor contracts. Part 1 can be found here, and other parts can be found here.

Location where the work is to be performed

Domestic locations. Where is the vendor actually performing the work? Will they need physical access to the bank premises or equipment? Will they be on-site during or after business hours? The contract should reference security policies governing access to the bank’s systems, data (including customer data), facilities, and equipment. The vendor should be obligated to comply with the security policies when accessing such resources. If the work is being done at the vendor’s office, the bank will want approval rights over any change in the location. Depending on the type of services being provided, the bank may also want the contractual right to go to the vendor’s offices to view the vendor’s internal security systems.

Subcontractors-generally. An important question for the bank to ask is whether any of the work is being outsourced to a subcontractor. If the vendor is using subcontractors, the bank should consider whether it will want notice of and perhaps approval rights over who is being used. In addition, the contract should make it clear that the bank considers the vendor responsible for the performance of the contract regardless of whether it outsources a portion of the work.  The contract should also make it clear that subcontractors are subject to the same confidentiality and security requirements as the primary vendor. Consideration should be given to adding a contractual provision which requires any subcontractors to verify in writing that they will comply with the privacy requirements.

The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.