This document is intended to serve as a resource for banks in addressing specific challenges relating to technology outsourcing. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.
Introduction
Financial institutions increasingly rely on a wide variety of service providers[1] to support an array of technology-related functions. Outsourcing information technology to multiple service providers may provide banks with a variety of benefits including access to expert technology skills, lower costs, and increased productivity. However, these arrangements also may alter the risk profile of the institution. Specifically, risk management processes involving outsourced activities are often distributed among several companies and may necessitate a coordinated contract oversight approach by bank management.
This brochure discusses two techniques to manage risks inherent in multiple service provider relationships. The first technique involves the use of a lead contractor to manage the bank’s various technology providers. The second technique, which may present its own set of implementation challenges, involves the use of operational agreements between each of the service providers.
Multiple Service Provider Relationships
A multiple service provider relationship typically involves an environment where two or more service providers collaborate to deliver an end-to-end solution to the financial institution. Each service provider has its own core competence and focus area. Together, these providers strive to deliver an integrated service and solutions package to the bank. The nature of the contractual relationship between the service providers and the bank often varies from institution to institution. In many cases, institutions use a lead provider who, in turn, subcontracts with other service providers. Direct "stand-alone" contracts between the bank and each of its service providers represent another common approach.
Multiple service provider arrangements are often used in the deployment of an electronic commerce solution. For example, a web-hosting firm may work with a communications carrier and one or more application service providers.[2] The financial institution may have separate contracts with each provider (carrier, web host, application service provider) or may have one lead entity (such as the application service provider) that then subcontracts with the carrier, web host, and other providers.
Stand-alone contracts with each service provider usually call for increased day-to-day management of each provider. Additionally, if coordination among the providers is not a requirement of the individual agreements, schedule and performance problems and complexities are likely to arise. Contracting for a technology solution by utilizing one lead provider may diminish the need for the bank to become directly involved if subcontractors fail to perform and/or miss their agreed-to schedule. The lead provider will be solely responsible for meeting the contractual obligations of the subcontractors to other service providers and the bank.
Each financial institution will want to consider the most appropriate risk management strategy when contracting for technology services. Assigning a lead contractor and utilizing inter-provider service level agreements are two techniques that, if deployed correctly, can assist the institution in managing risks related to complex technology outsourcing arrangements.
Using a Lead Contractor
Bank management may elect to structure a multiple provider outsourcing arrangement by designating a lead contractor who is responsible for establishing subcontracts with the other providers and managing their performance. This structure may result from a bank’s existing relationship with a service provider who subsequently subcontracts with other firms to provide additional applications and features. A lead contractor structure can also result when a group of providers bid on a contract as a team with pre-established roles and relationships.
Regardless of whether the relationship between the lead contractor and the subcontractors was pre-existing, there are techniques that bank management can employ to manage risks associated with dependence on the lead provider. These techniques, which include provisions in the Statement of Work for defining roles and responsibilities of the contracting parties, are detailed further in the Appendix.
An effectively implemented lead contractor relationship ultimately increases the performance risk for the lead provider, even though it simplifies the boundaries of the relationship. This is because the lead provider assumes responsibility for all aspects of the contract, and therefore for the performance of all subcontractors. This structure allows the bank to establish a single point of responsibility for the entire relationship. A contract that clearly defines the roles of the lead provider and subcontractors may streamline the negotiations of legal issues such as the limitations of liability, indemnity, and warranty since responsibility need not be divided among multiple parties. It may also enhance the efficiency of the general contracting process.
Many lead contractors may already have existing arrangements with potential subcontractors for the provision of various ancillary services. As a result, there may be a preference for selecting one of the subcontractors with which the contractor already does business. Financial institutions may wish to carefully examine all contractual provisions in their agreements with the lead contractor to determine the level of responsibility the lead contractor is willing to accept for the actions of the subs that the lead contractor selects.
In some cases, the lead contractor may include contract language that attempts to eliminate all responsibility for losses caused by the subcontractors or sets a fixed dollar limit on the lead contractor’s maximum liability for any claims regarding the work of the subcontractors. Financial institutions may wish to consult their legal counsel in order to determine potential exposure to losses for which there may be no ready recovery. It is also important to note that, when using a lead contractor, the financial institution lacks direct privity[3] of contract with the subcontractors and will have less influence over the specific activities of each subcontractor.
Using Inter-Provider Operating Agreements
Financial institutions that prefer to maintain a direct contractual relationship with a variety of technology service providers can choose to integrate their efforts by negotiating for operational agreements directly with each of their service providers. This operational agreement can take the form of inter-provider Service Level Agreements (SLAs). This type of SLA is a separate contract requiring each of the providers to meet the other providers’ service or performance requirements. Examples of such requirements include on-time delivery of a critical application or platform, network or platform availability specifications, and security requirements. This type of agreement requires the individual providers to communicate and work together.
Implementing operating agreements between various service providers can be challenging because the bank may lack significant negotiating leverage. Although some additional leverage may be gained by negotiating through user groups, challenges remain in attempting to deviate from the standard forms, contract structure, and delivery approach of established providers. Notwithstanding this, it is important to stress that the intent of the inter-provider agreements is to encourage co-operation and communication between technology providers implementing integrated systems and services.
Communication and co-operation begin with the financial institution developing well thought-out contract goals and objectives that have been agreed to by the senior executives, business managers, and information technology managers and clearly articulating these to the service providers. Contract terms and conditions can be established based on these goals. When determining how goals and objectives will be met, it is helpful to clearly define handoff points between the various service providers.
In addition, bank management and legal counsel may consider establishing the minimum acceptable levels of service that are expected of participating providers as their respective contribution to the team. The minimum service levels provide the performance floor for the inter-provider agreements. Any provider that does not meet these minimum performance standards should be held responsible. Therefore, it may be useful to ask that all service providers participate in developing the inter-provider agreements and accept and agree to the specific terms, minimum performance standards, and the corresponding metrics that will be used to measure their individual and collective performance.
Considerations for Financial Institutions
The following points represent suggested practices that can be helpful to banks in administering outsourced arrangements involving multiple service providers.
- Be explicit about where the ultimate responsibilities lie. If there is a lead contractor, try to make that organization responsible for as much of the overall activity as possible. Be certain everyone knows who is responsible for what, even if some of that responsibility ultimately rests with the institution itself.
- Incorporate protection, in the form of contract provisions for renegotiation, re-evaluation, exit strategies, and other similar activities, into the agreement.
- Include contract provisions that spell out the conditions for subcontractor relationships that are beyond the initial participants. Institutions might define the circumstances for which they have explicit approval and who can be selected to fulfill what function.
- Specify the circumstances when new service providers may be brought into the relationship. This can help minimize the tendency of service providers to resist bringing in new parties and avoid situations where such resistance hinders productive working relationships.
- Retain within the organization the capability to monitor and manage the entire relationship effectively, even if the bank relies heavily on the lead provider or a third party vendor for relationship management.
- Ensure that the lead provider and all subcontractors agree to share and make available all contractor-specific and proprietary technology needed for the services provided. If any sub-contractors or even the lead provider are replaced, all proprietary technology and critical applications should be made available to the replacement provider/subcontractor.
Summary
To manage multiple service provider outsourcing relationships successfully, institutions may find it helpful to focus on three issues:
- Adopt an appropriate outsourcing strategy given the particular objectives sought by the bank (e.g., lead-subcontract approach or multiple single contract relationships).
- Use a contract that comprehensively addresses and outlines the roles and responsibilities of all parties involved. The contract should include provisions for approving subcontractors as well as defining the expected levels of service to be provided to the bank.
- Ensure that effective communication channels are maintained between all relevant parties.
Ultimately, the key to successful management of a multiple service provider environment is contract oversight. Regularly scheduled reviews can help point out problems early enough to effect resolution before matters get out of control. Institutions may wish to develop guidelines in the contract that define regular interaction between the service provider(s) and bank managers.
[1] Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service providers (ESPs) and outsourcers.
[2] Application Service Providers (ASPs) specialize in providing business applications and processing power to banks.
[3] Privity is a legal term defined as "A relation between parties held to be sufficiently close and direct to uphold a legal claim on behalf of or against