My youngest son is a high school varsity basketball coach. Each year, before the season begins, he hears of certain areas that the state athletic association wants referees to focus on. These are referred to as ‘points of emphasis’. As a coach, he must learn about officiating updates. Some of these points of emphasis may be due to new rules, while others are due to the progression of the game, causing existing rules to be enforced more diligently. As conditions change, officiating and coaching must evolve. It is important for coaches to be aware of these points of emphasis to avoid being penalized during the season when it matters.
The same applies to financial technology service agreements.
Industry changes question standards and create the need for revisions. One such area of concern is limitation of liability - limitations that exist to protect vendors from excessive financial risk even though they are at fault.
There are several risks that vendors face. Let’s discuss just one of those. If there is a computational error, it quite likely could be systemic affecting all of the vendor’s clients, not just your institution. The potential aggregate liability could be staggering. It could possibly affect the vendor’s financial viability. For this reason, many agreements have had limits on the amount the vendor would be liable for, usually expressed as three, six, or nine months of previously invoiced charges.
Many years ago, these shorter limits were understandable. Before internet banking, the risk profile was primarily constrained to calculations and posting of transactions. If there had been computational errors, a deviation in a day’s general ledger entries for accruals or service charge income would have raised a red flag. Errors in posting would have resulted in an out of balance condition. Bankers ultimately had the responsibility of auditing the results of a vendor’s processing each day. If an error had been found within a mutually agreeable (contractually defined) period of time, the vendor would have had the chance to reprocess the updates to correct the error. That correction might have been a little messy and would have taken some time, but ultimately it would be resolved as if no error had been made. If the bank performed their oversight properly, it would have been rare if an error couldn’t have been corrected. Limits on liability then weren’t as critical.
Today’s risk profile far exceeds what was evident many years ago. Looking back, databases were largely contained, walled off from outside or third party access. That is no longer the case as digital delivery channels expose databases to external access.
Consider the impact if your institution’s database was ‘equifaxed’. A momentary lapse of diligence by your vendor, a missed patch on a router, or an incorrect piece of code, could result in a catastrophic security breach with customer data falling into the possession of fraudsters.
What would the financial impact be on your institution? Reprocessing of updates would not be able to correct this issue. You would not be able to unring this bell!
Traditional limits on liability (three to nine months) would only begin to cover the financial impact on your institution in the event of a breach. Granted, invoices are much larger now than they were 20 years ago - the increase in risks has greatly exceeded the increase in charges. In fact, those limits may not even cover the cost of the discovery and notification phases of a breach. Beyond that, reputational risks would be immeasurable. Limits that were acceptable decades ago are no longer commensurate with today’s risks. Revisions must be made.
In the wake of the Equifax breach, this has become an important point of emphasis when negotiating contracts for the institutions that I am engaged with. Understanding contract limits should be a priority at your institution as well. Review your contract and the limits that are currently in place. I believe everyone is aware of what is at stake, including your vendors. If you feel unreasonably exposed in this area, then it is time to meet with your vendor to discuss more equitable limits of liability.
I am always available to discuss contract limits that apply to your financial institution. This is a critical topic that demands attention at every financial institution and business today.