1. Vendor Management by Banks: How Law Firms Are Affected Peter Swire Huang Professor of Law and Ethics Scheller College of Business Georgia Institute of Technology Senior Counsel Alston & Bird LLP ABA Antitrust Spring Meeting, 2016

2. Security & Privacy as Priority Issues  Although compliance risks applies to all aspects of service provider activities, there is a need for “special vigilance” with respect to the privacy of consumer and customer records.  From Outsourcing by Financial Institutions: A Survey of Regulatory Guidance  After JP Morgan – increased regulatory scrutiny on cybersecurity out-sourcing risk as well.

3. Risk Mitigation Approaches  Risk assessment  Due diligence and selection of service providers  Contract provisions and considerations  Incentive compensation review  Oversight and monitoring of service providers  Business continuity and contingency plans  Risk-Management Lifecycle: Managing the Five Key Phases of a outsourcing decision: Planning Due diligence and third party selection Contract negotiations On-Going Monitoring Termination

4. Due Diligence and Third Party Selection  Although the RFP process can be time consuming it provides a critical opportunity for banks to assess and compare various service providers (OCC)  Vendor Due diligence should include the following steps:  Ensure that vendor business strategies aligns with the bank  Evaluate the vendor’s legal and regulatory compliance program  Review the vendor’s audited financial statements and financial condition  Assess the proposed fee structure to determine if it creates inappropriate risks (such as high upfront costs)  Review the vendor background check policies  Assess the vendor’s information and physical security programs and policies  Assess the vendor’s use of and reliance on subcontractors and its ability to assess and monitor them