How are the regulators viewing real-world situations in which organizations would like to terminate a contract with a vendor due to poor security practices but are unable to because of the ironclad contract signed with these large organizations, where there may not be many alternatives to serve their customer base?

This has happened. There are no sort of public pronouncements by regulators on this sort of subject for reasons that make a fair degree of sense. If a contractual requirement was sufficient to overcome a regulatory expectation then everyone would put that in their contract. So the regulators are never going to admit that that is an acceptable outcome. [Note: The CFPB confirmed this position in its January 27, 2015 bulletin on the treatment of confidential supervisory information. See CFPB Bulletin 2015-1 (available at]

That said, I have personally had conversations and have seen this in other examinations where this has come up and the regulator did not take action. What was important in those cases was being able to document to the regulator that the supervised entity had done everything it could to bring the vendor in line. That doesn’t mean you actually have to sue your vendor if you believe they are not complying with the contract or the law. The Bureau has basically said no to that question.

Now, whether in this specific case the contract really is all that ironclad isn’t clear. You’re going to want to be very sure of that, and be very sure that you put the vendor on notice about the issue and that you requested that they remedy it. Essentially, I would just keep requesting over and over. The vendor may get sick of you, but it also sounds like they are not providing the level of service you need. The agreement doesn’t last forever, so you’re going to have to start exploring as soon as possible ways to get yourself in a position where you’re working with a vendor who doesn’t raise these concerns.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson