Answer:
The only sample contract I know of on the Internet is in Appendix 2 of a document posted by the FDIC, Tools to Manage Technology Providers' Performance Risk: Service Level Agreements which you can get to from this link. I am pointing you to this page instead of directly to the document because it also contains links to two other documents which may prove useful to you and I highly recommend all three of them. That said, if I understand your question correctly, what you are wanting to do -- limit your institution's liability to its customers for the negligence of service providers -- cannot be done.
Regardless of any contract language between the bank and a service provider the bank cannot avoid liability for acts, or failures to act, of the service provider. The regulators have been very clear on this point and do not even want to see contracts which purport to attempt to do so. Any such contract language would only tend to confuse the issues and would be contrary to the law anyway and thus not enforceable between the institution and its customers.
The institution owes duties to its customers and no contract can alter that, even when a service provider performs all actions relating a specific duty or service. The way one attorney for a bank regulatory agency put it: you can contract away the duty, but not the liability. While a bank can hire a service provider to help the institution provide services to customers, there is no escape from liability to the customers if the service provider is negligent. There is nothing which would prevent a service provider from indemnifying the institution for damages suffered by the institution due to the negligence of the service provider, but that is different, more like insurance, and has nothing to do with liability to customers.
This is one of the reasons why the regulators are so serious about financial institutions using due care in selecting service providers and monitoring service providers' information security programs. If an institution is not adequately monitoring a service provider's information security program and a customer is damaged by the negligence of the service provider, the institution will have virtually no chance of defending itself against a lawsuit brought by the customer.
First published on BankersOnline.com 10/1/01
print
share