As far as the regulator is concerned, the supervised entity has the liability and responsibility. Indemnification provisions within a contract – if you specifically direct your vendor to do something a certain way because you believe that is in compliance with an applicable law and it just turns out the regulator has a different view – at some point down the line it may be more difficult to invoke that indemnification provision if you’re the source of the [legal] interpretation. That’s certainly a risk and something you should take into account. But of all the risks at play here, I think that, if you see something in the way your vendor is handling whatever the task might be that you’re concerned creates a compliance issue, the obligation on you is to make sure it’s being done correctly. If that means you’re directing your vendor and taking on yourself the risk that you’re wrong, I think that’s what’s expected of you under all the guidance.
Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.
Answered By: Ben Olson