Service-Level Agreements (SLAs) for Bank Vendor Management

Service-level agreements (SLAs) between banks and third-party providers specify performance standards and establish benchmarks for service. Many standard contracts that vendors offer fail to spell out performance expectations, such as uptime for technology service providers (TSPs) or business continuity plans in the case of an unforeseen event. 

Among the major risks posed by outsourcing activities to a third-party provider, operational, transactional, strategic, compliance, and reputational risks are heightened at financial institutions without service-level agreements. If your FI contracts activities with a third-party technology provider, you must ensure it provides your customers with continuous access to their accounts. 

Do Banking Regulators Require SLAs in Third-Party Service Contracts? 

Over the past several years, regulators have begun to pay closer attention to the connection between vendor risk management and SLAs in third-party contracts.  

In the FDIC’s 2017 report on technology service contracts with FDIC-supervised institutions, it was discovered that “few contracts” between banks and TSPs “established or defined clear performance standards.” And even fewer “established performance metrics and remedies for failure to meet such standards.” 

More recently, interagency guidance from the Federal Reserve, FDIC, and OCC has drawn a clear line between regulatory compliance for banks and the need to define contract performance standards. 

“When technology is a major component of a third-party relationship” between banks and service providers, the guidance explains, “an effective practice is to review banking organizations and third-party information systems to identify gaps in service-level expectations.” 

As with any aspect of vendor management, regulators' primary desire is that banks and their contracted service providers protect the safety and soundness of the financial system and deliver for customers. This means coming as close as possible to 100% uptime for customer products and services. When customers can’t fill up their gas tanks or pay their electric bills due to the failure of third-party systems – which recently occurred with a prominent U.S. fintech – this poses a huge concern for regulators. 

What Should a Service-Level Agreement Contain? 

The main purpose of an SLA is to establish performance standards and accountability. At the same time, you want to ensure that your bank is prioritizing the right measurements. You don’t want to micromanage your third-party providers. Excessive monitoring of TSPs introduces an unnecessary burden for your bank’s employees. 

SLAs should have two goals: 

• Identifying substandard performance and creating remedies for TSPs’ failure to meet their contractual obligations 
• Rewarding and incentivizing good performance 

Four steps enable your bank to create an optimal SLA. 

1. Determine Your Priorities

Successful vendor management means holding third-party service providers accountable, but it also means collaborating with TSPs in good faith. 

Establishing realistic performance metrics begins with focusing on the areas of performance most critical to the success of your financial institution. Decisions on what outsourced activities to include in your SLA shouldn’t be arbitrary. They should be based on your financial institution’s most urgent needs.  

For instance, you likely want to ensure that your FI’s mobile platform is secure and available. Does your TSP’s mobile banking app offer alerts regarding changes made to accounts and irregular activity? In most cases, it should. Defining timely push notices as a priority for your institution gives you a metric to measure performance. 

Priorities for third-party service providers should align with the strategic goals of your financial institution. They can be task-related objectives, such as processing errors or system uptime, or organizational objectives, such as employee engagement and retention. 

According to regulators, your vendors need to address the following to remain compliant: 

1. Availability of service 
2. Confidentiality of data 
3. Help desk support and timely customer complaint management  
4. Business continuity planning 
5. Change control 
6. Security standards compliance

2. Effectively Measure 

Many financial institutions run into trouble when they rely on third-party service providers to determine what went wrong with an activity. For instance, customers today expect payment processing to be immediate. When you outsource payment processing to a TSP and its system crashes, many financial institutions already have standard contracts requiring the vendor to notify your financial institution. 

But reacting to issues that arise with third-party service providers as they occur is a terrible practice. First, what are you measuring? Why did this outage occur, and what systems should you have been monitoring? Second, in this situation, you’re entirely at the mercy of the vendor to accurately assess, report, and remedy the problem. 

Service-level agreements in third-party contracts must decide on performance metrics unique to your institution before entering the relationship. You should identify your institution’s critical activities and define expected performance standards. 

3. Specify Your Measurements 

Well-defined SLAs between your financial institution and third-party service providers – namely, technology service providers – specify the expectations and responsibilities of both parties, including conforming to policies and procedures and compliance with laws and regulations. 

Once you know what you’re measuring, you can specify criteria for measurement. Sometimes standards are easy to define because they have clear rules. Other times, you will need to find a unique solution between your financial institution and a third-party service provider. 

Let’s examine the new interagency guidance to determine the specificity of critical measurements: 

Availability of Service 

Regulators are concerned with the operational resilience of third-party service providers because they understand the risks posed by service disruption. Your service-level agreements with TSPs are especially critical when disruptions adversely impact your organization or customers. 

Confidentiality and Integrity of Data 

The new interagency guidance stipulates that your financial institution must assess any third party’s information security program. You should determine whether their information security program is consistent with your own and conforms to laws and regulations protecting your FI's data's confidentiality, integrity, and availability. Your SLA should include monitoring of performance and penetration testing. 

Security Compliance 

Your SLA should incorporate provisions for security monitoring and insist on independent third-party verification of the adopted security standards and benchmarks. 

Business Continuity 

Internal and external incidents and circumstances, such as natural disasters and cyber breaches, can disrupt a TSP’s ability to perform a given contracted activity. As a result, SLAs should add provisions for the continuity of activity, even when the third party’s operations are impaired or interrupted. 

4. Enforce Consequences

All SLAs hinge on having enforceable consequences. There will always be occasions when third-party service providers fall short of meeting expectations. 

Vendors will always claim they stand behind their services and products. But often, the only consequence of a vendor falling short of delivering goods or services is that they have to remedy what didn’t work, which would have been the consequence of a standard contract anyway.  

Enforceable consequences mean monetary consequences. There are different ways to construct SLAs, but discounting the price your financial institution pays a third-party service provider in the event of their failure to deliver is the most effective way to ensure you receive the products and services your contract stipulates. 

As the interagency guidelines put it, you need to “negotiate performance measures that do not incentivize imprudent performance or behavior, such as encouraging processing volume or speed without regard to accuracy compliance requirements, or adverse effects” on your banking organization or customers. 

Finally, if financial deterrents are insufficient to encourage better service, you need your SLA to define the conditions under which a contract can be terminated.

Want to learn more about SLAs and vendor management? Check out Nstitute, our self-paced, in-depth training program covering third-party risk management.