Pub. 5 2014 Issue 2

summer 2014 21 West Virginia Banker customer information, BSA/AML, OFAC, Fair Lending and other consumer protection laws. The OCC and Federal Reserve guidance require a bank and third party vendor to consider these issues and to adopt procedures and plans to address concerns relating to business interruption and cyber attacks. Limits on Liability The OCC and Federal Reserve recommend that banks determine whether the contract limits the third party’s liability and whether the proposed limit is in proportion to the amount of loss the bank might experience because of the third party’s failure to perform or to comply with applicable laws. Typically, liability caps are heavi- ly negotiated in third party contracts, and the guidance provides some ammunition to banks to counter attempts by the vendor to limit liability to the contract amount. Default and Termination The OCC and the Federal Reserve guidance require contracts to define events of default, the remedies for such default, and the consequences of termination of the contract. The OCC guidance indicates that the contract must permit the bank to terminate the relationship in a timely manner without prohibitive expense. The OCC guidance also states that a bank should determine whether the contract should include a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that the OCC formally directs the bank to terminate the relationship. The guidance on default and termination will provide some lever- age to banks to negotiate a termination right in which the bank does not bear all of the risk in the event of a required termination by a regulator and to negotiate reasonable termination penalties. Regulatory Supervision All contracts with service providers should provide for federal and state bank regulator access to the service provider, includ- ing access to all work papers, drafts, and other materials. The OCC generally has the authority to examine and to regulate the functions or operations performed or provided by third parties to the same extent as if they were performed by the bank itself on its own premises. In addition, the West Virginia Division of Finan- cial Institutions has the authority to inspect, examine and audit the books, records, accounts and papers of all financial institu- tions as circumstances warrant and such examination authority extends to the operations of third party providers. Because the OCC and Federal Reserve guidance require banks to address areas that third parties historically have refused to address or negotiate, they can be a useful tool to support the bank’s posi- tion when negotiating these provisions. Although banks not reg- ulated by the OCC or the Federal Reserve are not directly subject to the new guidance, recent revisions to the FDIC Compliance Manual addressing third party relationships suggest heightened regulatory scrutiny of bank outsourcing by this agency. In light of the FDIC’s renewed interest in this area and the ability of the West Virginia Division of Financial Institutions to examine such relationships, state nonmember banks should strongly consider consulting the new guidance when negotiating contracts with third parties. Should you require more information, please feel free to contact Sandra M. Murphy or Amy J. Tawney. Ms. Murphy and Ms. Tawney are partners with Bowles Rice LLP. Ms. Murphy and Ms. Tawney focus their practices in banking, commercial law, and corporate transactions. Bowles Rice LLP is general counsel to the West Virginia Bankers Association. The authors present these materials with the understanding that the infor- mation provided is not legal advice. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using these materials should always research original sources of authority and update this information to ensure accuracy when dealing with a specific matter. No person should act or rely upon the information contained in this publication without seeking the advice of an attorney. Sandra M. Murphy E-mail: smurphy@bowlesrice.com Phone: (304) 347-1131 Amy J. Tawney E-mail: atawney@bowlesrice.com Phone: (304) 347-1123 1 Critical activities include: (1) significant bank functions such as payments, clearing, settlement and custody; (2) those involving significant shared services such as information technology; and (3) activities that could have significant customer impacts, require significant investment in resources, or significantly impact bank operations if the relationship failed. 2 The Federal Deposit Insurance Corporation has not issued new third-par-ty risk management guidance. State-chartered non-member banks should continue to rely on existing FDIC guidance, including the Financial Institution Letter entitled "Guidance for Managing Third-Party Risk" dated June 6, 2008 (FIL-44-2008). However, the FDIC Compliance Manual was updated in January, 2014 to provide guidance to examiners when evaluating an institution’s third party risk. The examination manual addresses items that should be included in agreements with third parties and some of the same concerns addressed in the OCC and the Federal Reserve guidance are noted in the FDIC Compli- ance Manual. n The OCC and Federal Reserve guidance require a bank and third party vendor to consider these issues and to adopt procedures and plans to address concerns relating to business interruption and cyber attacks.