2013 LBA Bank Counsel Conference
Hancock Holding Company
Contract Provisions and Considerations for Managing Third Party Risk

New regulatory focus on contract “T’s & C’s”:
• definite term
• detailed description of services
• performance standards, with penalty
• compliance warranty, with penalty
• record retention and right to audit
• insurance
• compensation terms
• IP ownership issues
• default and termination; dispute resolution process
• business continuity; force majeure

How to allocate risk contractually:
• Indemnification Provisions
• Limitation on Liability carve outs
• Confidentiality; Subcontractor issues
• Consumer Issues

Indemnification Clauses:
• Breach of Confidentiality
• IP Infringement
• Theft and bodily harm
• Breach of Compliance Warranty
Can be mutual; Never one-sided

Limitation on Liability
Indirect and consequential damages are allowed in most cases.
Carve outs:
(1) Breach of confidentiality obligations
(2) Breach of compliance warranty
(3) Indemnification obligations
(4) Insurance obligations

Confidentiality Obligations: Consumer Information
12 CFR 40.3(n)(1) definition of Nonpublic Personal Information (NPPI):
• Personally Identifiable Financial Information (“PIFI”)
  (a) a consumer provides to a bank to obtain a financial product or service
  (b) about a consumer resulting from any transaction involving a financial product or service
  (c) the bank otherwise obtains about a consumer in providing a financial product or service
• Any list that is derived using PIFI that is not publicly available.
Exclusions:
• 12 CFR 40.3 (o)(ii) (not in connection with a bank or is non-identifiable)
• 12 CFR 40.3(n)(2) (information is otherwise publicly available or has been disclosed to a third party without an obligation of confidentiality)
Bank Proprietary information

Confidentiality Obligations (cont.)
• Commercial customer information/state law issues: La. R.S. 6:333
• Data Security Program: 501(b) of the Gramm Leach Bliley Act; FFIEC Information Security IT Examination Handbook
  - ensure the confidentiality of such information;
  - protect against anticipated threats;
  - protect against unauthorized access
• Destruction of Confidential Information: 12 CFR Part 30, Appendix B
• Chain of Control: Subcontractors and sub-subcontractors: recent audit finding

Consumer Issues
Federal cites, if applicable:
• Unfair, Deceptive and Abusive Acts or Practices (“UDAAP”)
• The Dodd–Frank Wall Street Reform and Consumer Protection Act
• Fair and Accurate Credit Transactions Act of 2003
• Bank Secrecy Act as amended by the USA PATRIOT Act of 2001
• Regulations administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)
• Electronic Fund Transfer Act and Regulation E
• Privacy Laws, including the Gramm–Leach–Bliley Act
• Mortgage loan related Guidelines of FDIC, CFPB, FHA, FHLMC, FNMA, GNMA, HUD, USDA/RHS, and VA

Consumer Issues (cont.)
• Complaint Policy and Procedures: who has the duty to respond? What records will be forwarded to bank?
• Scripts and Letters: Are these in compliance with applicable law?
• Monitoring Compliance therewith: Does the contract provide specific compliance obligations to assist with Bank’s on-going monitoring of this vendor?