Vendor Management by Banks:
How Law Firms Are Affected
Peter Swire
Huang Professor of Law and Ethics
Scheller College of Business
Georgia Institute of Technology
Senior Counsel
Alston & Bird LLP
ABA Antitrust Spring Meeting, 2016
Security & Privacy as Priority Issues
• Although compliance risks apply to all aspects of service provider activities, there is a need for “special vigilance” with respect to the privacy of consumer and customer records.
  - From Outsourcing by Financial Institutions: A Survey of Regulatory Guidance
• After JP Morgan – increased regulatory scrutiny on cybersecurity outsourcing risk as well.
Risk Mitigation Approaches
• Risk assessment
• Due diligence and selection of service providers
• Contract provisions and considerations
• Incentive compensation review
• Oversight and monitoring of service providers
• Business continuity and contingency plans

• Risk-Management Lifecycle: Managing the Five Key Phases of an outsourcing decision:
  - Planning
  - Due diligence and third party selection
  - Contract negotiations
  - On-Going Monitoring
  - Termination
Due Diligence and Third Party Selection
• Although the RFP process can be time-consuming, it provides a critical opportunity for banks to assess and compare various service providers (OCC).
• Vendor due diligence should include the following steps:
  - Ensure that vendor business strategies align with the bank
  - Evaluate the vendor’s legal and regulatory compliance program
  - Review the vendor’s audited financial statements and financial condition
  - Assess the proposed fee structure to determine if it creates inappropriate risks (such as high upfront costs)
  - Review the vendor’s background check policies
  - Assess the vendor’s information and physical security programs and policies
  - Assess the vendor’s use of and reliance on subcontractors and its ability to assess and monitor them