Strategies for Negotiating Financial Institution Technology Contracts

Financial institutions are increasingly depending on vendors for outsourced technology services to save money, increase speed to market, and reduce their technology footprint.

Regardless of whether functions are conducted internally or by a vendor, financial institutions must implement effective risk management practices. Your board of directors and senior management are responsible for making sure functions are performed safely and securely and comply with applicable laws.

The oversight level required for outsourced functions depends on their importance to financial services operations. Explore key strategies for negotiating technology contracts for your financial institution.

How to evaluate contracts

While contract evaluation may be an intimidating and lengthy process, it can help you obtain a contract that fulfills your needs, documents crucial service levels, and establishes a strong basis for a long-lasting vendor relationship. More specifically, an evaluation allows you to:

• Meet your short- and long-term strategic initiatives
• Address business continuity and incident response risks
• Clearly define rights and responsibilities
• Establish adequate and measurable service level agreements
• Remove adverse provisions

Financial services organizations often wonder why the evaluation process takes so long but soon realize the value of taking the time to thoroughly assess their needs, perform a pricing analysis, and conduct due diligence on new products and services. Investing time in the process allows for verification of required functionality and can lead to increased leverage and potential cost reductions.

What does contract negotiation entail?

Negotiating is an important strategy when selecting a financial services system. Proper planning and negotiation can help you respond to market conditions, drive growth, and improve your balance sheet. With market data and your trusted advisors, you can secure a comprehensive contract with acceptable terms and conditions at a fair price.

Review pricing

Evaluate the vendor’s proposal and appraise pricing related to market value, growth, strategy, and future expenses. Confirm the proposal contains appropriate pricing for your needs.

Pricing example

Scenario

Your financial institution receives a proposal containing bundled pricing instead of the transactional pricing within your current technology agreement. This includes a fixed monthly fee for services.

While bundled pricing is predictable and simplifies budgeting, it also lacks detail and flexibility. If your financial institution anticipates aggressive growth, the bundled pricing may become less cost-effective and not account for increased transactions or services required.

Recommendations

Since anticipated growth could have a significant impact on future operating expenses, the bundled pricing should be negotiated to avoid suppressing future growth. By carefully considering these factors, your financial institution can negotiate pricing aligned with your strategic initiatives.

As you review proposals and pricing:

• Verify the proposal fully describes the fee calculation for base services — including development, conversion, and recurring services — as well as charges based on activity, volume, or special requests.
• Compare the proposed pricing with market rates to confirm it’s competitive and fair.
• Verify there aren’t any additional costs for purchasing and maintaining hardware and software.
• Complete a detailed investment analysis to confirm the proposal aligns with and contains the agreed-upon products and services.
• Request clarification on outstanding questions related to the proposal so discrepancies are addressed.
• Identify pricing requests and negotiate with the vendor.

Appraise terms and conditions

Review contract language carefully making sure it clearly spells out what services the vendor will provide, the technology they’ll be using, and how they’ll support you.

Contract example

Scenario

Your financial institution receives a simplified contract for a new system. A simplified contract may seem preferrable, especially as vendor contracts continue to grow in length and detail. However, it’s important to be aware of the advantages and disadvantages.

In this case, the contract outlines basic terms such as service fees, duration, and general responsibilities, but lacks information about how a data breach would be handled and the notification period.

Recommendations

Since a data breach could have a significant impact on your financial institution from multiple perspectives — including operational, financial, and reputational — language needs to be negotiated stating how the vendor would address a data breach and notification requirements. By identifying these gaps and addressing them, your financial institution can better manage risks.

As you appraise terms and conditions:

• Pay attention to security and risk management issues and make sure you understand service-level agreements.
• Consider backup and recovery services and technical support.
• Work with your trusted advisors to discuss contract language considerations, performance and functionality, and overall relationship expectations.
• Clearly define the rights and responsibilities of both parties.
• Make sure the contract does not contain provisions or incentives that could adversely affect you.
• Look out for future cost increases and substantial termination penalties. Termination penalties can put an end to merger and acquisition discussions if the penalties are so severe the deal is no longer viable.
• Develop a clear understanding of training and implementation requirements for resources, timing, and expectations for new products and services.
• Review personnel and technology requirements and request a training and implementation plan from the vendor.
• Assess monitoring and reporting criteria, the right to audit, third-party reports, and coordination of responses to security events.
• Evaluate transition requirements including migrating data to the vendor at implementation and migrating data away from the vendor at contract termination.
• Verify the vendor has a clear process for reporting and managing incidents, including data breaches or service disruptions.
• Identify contract requests and negotiate with the vendor.

Finalize the agreement

Continue to negotiate until you and the vendor agree on pricing, contract terms, and service levels. Clearly defining expectations and the vendor’s responsibilities helps warrant the contract’s enforceability, limit your liability, and mitigate performance disputes.

Adequate and measurable service level agreements may seem standard, but don’t wait until the vendor experiences downtime to find out whether they are enforceable.

Service level agreement example

Scenario

Your financial institution relies heavily on a cloud service provider for your critical applications and databases, and you experience significant downtime due to a cloud outage, disrupting your online banking services. This period of downtime has both an operational and reputational impact on your financial institution.

When you review your contract’s service level agreements, you discover only hardware availability is covered and there’s no agreement for application-level availability or disaster recovery protection. This means while the cloud service provider was meeting their contractual obligations regarding hardware uptime, your financial institution’s applications and databases were not covered, leaving them vulnerable during the outage.

Recommendations

Stronger service level agreements need to be negotiated to provide protections for your financial institution. By thoroughly understanding and negotiating service level agreements, your financial institution can make sure critical aspects of service continuity are covered.

As you examine service level agreements:

• Understand these agreements are formal documents outlining your predetermined service requirements.
• Verify service levels are measurable and include contractual remedies for missing a service level.
• Define what constitutes an occurrence within your service level agreements and understand any exclusions your vendor has carved out.
• Establish protection against a period of downtime or a service disruption that could impact your system accessibility and your ability to provide services.
• Make sure reporting is available to track your vendor’s compliance with service level agreements.

Contract management

Conduct periodic performance reviews and service-level agreement tracking to determine whether the vendor is delivering the required services and meeting the standards outlined in the contract. Consistently assessing vendor performance enables effective risk management.

As you manage the contract:

• Verify the vendor continues to comply with relevant laws and regulations. This includes monitoring for changes in regulatory requirements affecting the vendor’s obligations.
• Reassess the risks associated with the vendor periodically, including operational, financial, and reputational risks. This helps identify new risks since the contract was signed.
• Conduct regular audits to make sure the vendor maintains robust data security measures. This is particularly important for vendors handling sensitive financial or user data.
• Monitor the vendor’s financial stability to confirm they remain a viable partner. This can include reviewing financial statements and credit ratings.
• Review the contract terms periodically to make sure they remain relevant and enforceable. This includes updating the contract to reflect any changes in service scope or regulatory requirements.