
Top Five Contract Terms to Manage Vendor Risk

Our clients come to us often to vent about their vendors. They share their frustration with unkept promises, unanswered calls and unknown account managers. They express the difficulty in uncovering potential issues before they become big problems for their members/customers. They tell us about the sunk time in trying to sift and sort due diligence documents to uncover enough information to make a safe and sound risk assessment.

Vendor management is a small part of a big task. You’re expected to address risk while trying to exceed members’/customers’ expectations. You need vendors to do that. Unfortunately, most vendor management activities and strategies will only find, document, define, sift and sort vendor risks. This approach won’t do much to manage it and it probably won’t reduce it.

There’s a better way. We’ve always said if you’re not doing the vendor management activities with an eye to the contract, you’re not doing it right. Maple Street works with our clients who understand the only real-world way to reduce vendor risk – and lower fixed expenses simultaneously – is to do it through their contracts.

Your contract is already in place, is legally binding, and tells you everything you can and can’t do with your vendor. Anything not in the contract isn’t real. Your vendors’ promises are only as good as the terms in the contract that require them to keep their promises.

This is what makes your contract your most effective and important control. Maple Street has been negotiating contracts for our clients for almost 20 years and we’ve learned a lot about what should be in a good, balanced contract that will manage risk. Here are the top five contract terms that should be put into any critical vendor agreement.

  1. Performance requirements

Any performance promises and requirements discussed and agreed to in the sales process need to be clearly represented in the contract. Specific performance for you from the vendor for things like reporting, training, implementation time frames, minimum volumes or other items must be defined and written into the agreement in clear, understandable terms. Service Level Agreements (SLAs), covering things like uptime and incident response time, should also be defined and easy to find and understand in the contract.

In a perfect world, failure to meet SLA metrics would carry performance penalties, but that gets into tricky legal-drafting territory. Be aware of the phrase “commercially reasonable efforts” when it comes to SLAs and performance. All that means, legally, is that the vendor promises to try really hard.

  2. Data breach and notification requirements

First, you should make sure your contract includes a duty to report breaches experienced by the vendor. We’re still shocked when contracts we negotiate come to us without this basic requirement in the 21st century. Potential breaches may be the single biggest form of risk you face when outsourcing and the minimum expectation should be your vendor tells you if they happen.

Second, you need to know the timeframe of the vendor’s duty to report a breach and be aware of what your state requires. All states have laws and requirements around when customers must be notified of breaches of non-public data. You should make certain your contract details the vendor’s breach notification timeframe and that it’s shorter than what your state requires.

Lastly, your contract should be clear on what assistance the vendor will directly provide you in the event of a breach. It should include things like accurate and timely information for messaging and communication to members/customers, reimbursements for letters and postage, and even discounts for any required actions to correct a breach, like card replacement, security patches or online customer assistance.

  3. Due diligence documentation requirements

Critical vendors should clearly agree in their contracts to provide all available due diligence documentation to you to make an effective risk assessment every year. They should provide you a reasonably-detailed list of what’s available and a means for you to secure it. And they should do this at no cost to you. If you don’t have this in your contract now, you should plan to add it in the next renewal as an amendment.

  4. Billing terms and payment recourse

Contract terms around billing and payment open a big, broad category of potential tips and recommendations, and there’s no end to how many ways a vendor can bill you for services. Instead of focusing on one type of billing and payment structure, we’ll provide three basic tips to manage risk for billing and payment structures for any vendor:

First tip: there should be no time limit on billing error notification from you, or on requesting refunds for those errors. Errors are often found during audits over time; it can take several payment cycles or even years to determine that inaccurate billing happened. It’s ironic that the errors almost always involve overbilling, meaning reimbursement would be expected. Limiting the time you have to find the error, notify the vendor, and have the vendor rectify it and reimburse you gives you all of the responsibility and the risk to manage for a vendor’s mistake.

Second tip: any penalties or fees for non-payment or late payment should apply to undisputed amounts only. You shouldn’t have to pay fees for a vendor’s mistake, rush your disputes to avoid fees, or struggle to be reimbursed when you win a billing-error dispute.

Last tip: price increases shouldn’t happen in the initial term of an agreement, only in a renewal term. A vendor that manages its own business well, in a safe and sound manner, shouldn’t be raising rates on its customers during the first term of a relationship. Price increases, renewal term or not, if listed, should be capped and any calculations clearly understood. As a point of reference, when Maple Street negotiates contracts for our clients, we try to have any price increase capped at three percent or the change in the Consumer Price Index (CPI), whichever is less.

  5. Initial and renewal terms – our three cardinal rules
    • Rule 1: NEVER go beyond a three-year term without getting something for it
    • Rule 2: NEVER go beyond a five-year term for anything, but especially software
    • Rule 3: NEVER go beyond a 12-month renewal term

We’ve seen institutions that don’t follow these rules encounter overpayment for service, adaptability challenges and strategy-sinking contract roll-overs. The long initial and renewal contract terms vendors push in exchange for skimpy discounts add millions to their bottom line every year. Such terms limit your flexibility, lock you out of making changes to stay ahead of technology, and keep you from leveraging better contract terms when needed. And they can cost you thousands, if not millions.

If you actually want to manage vendor risk and lower it, not just uncover and track it, you need to use your contract.

To date, Maple Street has saved our clients more than $235 million and our Vendor Advantage System® guarantees reduced expenses, improved vendor performance and managed risk. Our professional negotiators can get you the best terms at the right price. Call 800-513-6839, email or visit to learn more.

Article by Maple Street Inc., a California and Nevada Credit Union Leagues business partner. 
