Avoiding Pitfalls in Your Bank’s Data Processing Agreement

September 23rd, 2015

A bank’s core processing agreement is often, by far, its most significant vendor agreement. These lengthy and complex agreements are commonly weighted heavily in favor of the vendor and can be rife with traps, such as steep change-in-control and early termination penalties. Nonetheless, many banks enter into core processing agreements without prior review by counsel, or even reading the agreement themselves. In the current regulatory environment, which stresses and scrutinizes vendor risk management and diligence, a bank’s failure to review and negotiate its core processing agreement could easily result in regulatory criticism, as well as unanticipated costs and potential liability.

In the past few years, the bank regulatory agencies have issued new or updated guidance related to vendor diligence and risk management. In those issuances, the regulators express concern that banks’ vendor risk management practices may be inadequate, citing instances in which management has failed to properly assess and understand the risks and costs of their vendor relationships. Regulators are concerned that banks may enter into agreements that are detrimental to the bank’s employees, customers or other stakeholders. Banks are expected to have risk management processes that correspond with the level of risk and complexity of their vendor relationships. Those processes include due diligence, careful vendor selection, contract negotiation, proper termination mechanisms and ensuring proper oversight. Regulators further expect banks to have more comprehensive and rigorous oversight of management of third-party relationships that involve critical activities, which may include significant bank functions, such as payments, clearing, settlements and custody, or significant shared services, such as information technology.

Regulators conducting bank examinations expect to see adequate risk management policies and procedures in place. Proper due diligence, negotiation, and oversight for data processing contracts should be integral to those procedures. Contrary to what many may think, the terms of data processing agreements are negotiable. Some of the most unfavorable terms may be eliminated simply by emphasizing the regulatory or business necessity for those changes during negotiations. Key terms to address in the negotiation process include termination provisions, regulatory provisions, audit rights and performance standards, among others.

A less obvious concern with core processing agreements arises in the context of a bank merger or acquisition. Steep termination fees in a data processing contract can change the economics of a bank acquisition transaction, making the selling bank a less attractive target and negatively impacting shareholder returns on the sale. It is typical for the initial proposal of a data processing agreement to include contract termination fees equal to roughly 80 percent of the remaining fees payable during the term of the contract. In most cases, these termination fees are negotiable, and data processing providers may be receptive to a graduated termination fee schedule, such that termination fees are less severe later in the term of the contract. In addition, termination fee calculations in core processing agreements are often complex. As such, it will be important for bank management to understand the practical implications of those calculations. Data processing providers will often attempt to recoup any past credits or rebates through the termination fee formula. Understanding and negotiating these termination provisions on the front end can save millions of dollars for the acquiring bank, and ultimately increase returns for the bank’s shareholders.

If your bank is considering a new data processing vendor, or reaching the expiration of your current term and considering renewing with your old vendor, you should work through your regulatory vendor risk management and due diligence checklists before entering into a new contract. We further encourage you to identify a dedicated team, with access to bank counsel, to review and negotiate any proposed agreement. If your institution is considering a future sale or other business combination transaction, then negotiating your data processing contract is of paramount concern. Ultimately, an ignored termination provision in your core processing agreement has the potential to undermine a potential merger or materially impair shareholder returns.


John Wilson is an associate at Fenimore, Kay, Harrison & Ford, LLP. His practice focuses on financial institutions, with particular emphasis on mergers and acquisitions, securities offerings, and regulatory compliance.