Picture this: a customer calls to tell you the new mobile payment application you offer through your third party data processor resulted in an unauthorized draw on his $50,000 credit line. The result is an improper electronic payment being made to an outside party.
When you look into the matter, you discover the customer did not properly protect their security procedures. Someone hacked an employee’s phone and forwarded the money.
It is possible that this error could have been caught by the third party service provider, but when you look at the agreement your bank has with its vendor, the agreement notes that they have no responsibility for ensuring security protocols. Worse, their maximum liability is capped at $2,500 per instance.
Your bank, however, has no such agreement with its customer capping the bank’s liability for their negligence. Your client is demanding payment and reimbursement directly from the bank and is threatening a lawsuit if the bank doesn’t comply. It’s a hypothetical scenario, sure, but also one that’s entirely probable.
Banks routinely encounter similar scenarios and often there are gaps between what a bank’s third party vendor contracts say and what the bank’s own agreements with customers provide.
One of the best ways for banks to mitigate risks, therefore, is to have their own tailored agreements with customers that set forth the terms, guidelines and use of the products that third-party vendors provide. This suite of bank agreements with customers is often referred to as Treasury Management Agreements.
These agreements can include such things as ACH agreements, wire transfer agreements, bill pay, mobile banking, online banking, remote deposit, positive pay or any other suite of electronic or payment services. When preparing and entering into treasury agreements with customers, there are five key areas where bankers should focus:
Banks should make sure the terms of their vendor contracts are mirrored in their customer contracts. For example, if a particular vendor contract allows a bank to put back certain transactions to the vendor, or avoid liability if it reports errors within a two-week period, the bank’s contract with its customer shouldn’t contain a four-week period to notify the bank of any issues. The bank’s treasury agreements with its customer should marry up to the time periods contained in the third-party vendor contracts that provide the service the customer utilizes.
Likewise, banks should ensure that customers take proper security measures to comply with prudent banking practices for the various services, which align with the procedures the vendors require.
Treasury agreements should clearly establish what security procedures and requirements customers must utilize to access the third-party services and the consequences if the customer fails to follow the security requirements. Examples of security requirements can include the procedural steps that must be utilized to access the bank’s system, and setting up the proper authorized parties to initiate transactions, or take other actions permitted under the different treasury agreements.
The bank’s contracts should reflect the services, processes and day-to-day practices the bank utilizes when providing a product. If the bank has an option from a third-party vendor to process an electronic transaction once every hour, the bank’s agreement with the customer shouldn’t reflect that as the standard if the bank only processes those transactions once a day at 3:00 p.m.
A bank’s agreements with its customers shouldn’t create unrealistic expectations and should instead reflect the bank’s real-life practice to ensure that the customer understands how the service is provided.
Risk Allocation and Liability
Many times, vendors will significantly shift risk of loss, security breaches or other damage away from themselves and to the bank. This begs the question: What if a breach or loss occurs as a result of negligence that occurs outside of the bank? Your treasury agreements should contain provisions that shift risk from the bank to the customer if the customer is negligent.
Similarly to how vendors disclaim liability, you will want to ensure that you take a proper view of risk tolerance as it relates to a customer’s actions to ensure that your bank is not ultimately responsible for actions outside of its control.
The starting point would be to look at what potential liability the vendor has for its actions and mirror that liability limitation in the bank’s own treasury agreements. Liability provisions can be especially important in establishing things like a maximum cap on the bank’s liability to its customers and setting a time period for a customer to make a claim. These provisions can greatly benefit a bank in its overall vendor management and electronic banking services.
Finally, treasury management and services offered to customers must contain a right for the bank to exit the service in a timely manner, consistent with your vendor’s rights to stop providing a service. An example would be if a vendor can terminate a particular service with 30 days’ prior notice, but the bank’s treasury agreement with its customers stipulates termination with 60 days’ notice. These inconsistencies can create significant potential exposure for your bank.
Additionally, any termination provision should contain not only a right to exit upon a prior written notice, but certain provisions that would allow for quicker exit in the event of unforeseen changes with the vendor or inappropriate actions by the client.
A strong set of treasury management agreements that the bank regularly reviews and has customers enter into can be very important in a bank’s third party relationships as well as the ability to protect the bank itself from undue liability or exposure. A suite of treasury agreements can be set up in many different ways to facilitate smooth operations for the bank and ease of implementation and future modifications, while ensuring your bank meets its regulatory requirements for third-party vendor management and safety and soundness in its operation.
Author Bio: Anton J Moch is a member of the Winthrop & Weinstine, P.A., community banking group. Contact him at [email protected] or 612-604-6671.