third party regulation mapping matrix-1-1

Overview of the Spreadsheet "Top-level RACI" Tab: "Planning" through "Other" Tabs: This spreadsheet is meant to analyze the current list of rules, regulations and guidelines pertaining to third-party suppliers. A d found on Tab 2 of this worksheet. Additionally, the SIFMA Vendor Working Group recommends a life-cycle approach to suppli The tabs on this worksheet represent the life-cycle phases as defined by the Office Of the Comptroller Of the Currency (OCC). This workbook can also be used to help a firm profile itself against the requirements set forth by the OCC. The RACI method h help companies determine who is involved regarding a specific compliance point and their role. If no one is involved then tha highlighted as an item requiring a corrective action plan. The roles in the RACI profiling method are: Responsible: This is a person, who performs a task or work and he/she is responsible for the work. Accountable: the primary person in charge of the task or work (e.g. department/division head) . Consulted: Person, who gives feedback and contributes when required. Informed: Person in charge who needs to know the action or decision taken. Scroll to column B and determine if the life-cycle component is performed at your company. If not, highlight the cell in red. T of a project plan to bring your firm into compliance. If your firm feels that this does not apply, use the comments column to d rationale. Columns C through V are suggested functions/business units that are involved in third-party supplier management. Feel free fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Some f perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs an developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons. Scroll to column E and determine if the compliance point is performed at your company. If not, highlight the cell in red. This w project plan to bring your firm into compliance. If your firm feels that this does not apply, use the comments column to docum Columns F through U are suggested functions/business units that are involved in third-party supplier management. Feel free fit your firm. Use the drop down selection to determine what role a department may have with the compliance point. Some f perform multiple roles. Also, select N/A if you feel the function does not apply to you. Follow this practice across the tabs an developed your "profile". Please note there is no scoring since there is no industry function to perform comparisons. Also, since many firms use some sort of system, spreadsheet or tool, to support their supplier risk program, technology modifi needed to ensure compliance. The ability to extract compliance information will be just as important as performing the functi "N" to any of the quesitons regarding system functionality, that is the basis for a development project to bring a firm's techno

List Of Documents Regulatory Guideline/Bulletin Link • Red Italics: Notes associated with the text from the bottom of the page were added to the spreadsheet. • Red Underline: Additional Text added to frame the section within the spreadsheet. • Italics: In some long sections including a number of sub bullet points, he core component of the sub bullets are summarizedin italics rather than including all of the text. • Bold: identifies supporting documents that are referred to within the section.

Management Summary TPS Life-cycle Phases CPSS 115 IOSCOPD187 IOSCOPD432 Planning ü ü ü ü ü ü ü ü ü ü ü ü Due Diligence ü ü ü ü ü ü ü ü ü ü ü ü Contract Negotiation ü ü ü ü ü ü ü ü ü Ongoing Monitoring ü ü ü ü ü ü ü ü ü ü ü ü ü Oversight & Accountability ü ü ü ü ü ü ü ü ü ü ü ü ü ü Termination ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü ü Independent Review ü ü ü ü ü ü ü ü Supervisory Review of TSPs ü ü ü ü ü ü ü ü ü ü Other ü ü ü ü ü ü ü ü ü ü ü * As per the text of the rule, the financial companies in scope are: Bank of America Corporation, Bank of New York Mellon Corporation, PLC, Citigroup Inc., Goldman Sachs Group, Inc., JPMorgan Chase & Co., Morgan Stanley, State Street Corporation, and Wells Fargo & Company. OCC Bulletin 2013-29 Federal Reserve – Guidance on Managing Outsourcing Risk (12/5/13) CFPB Bulletin on Service Providers FCA Outsourcing In Asset Mgmt. Industry FFIEC – Supervision of TSP (10/2012) FINRA – Notice to Members 11- 14 (proposed reg 3190) – 5/11 NASD NTM 05- 48 ICI - FICCA Engagements IIROC – Notice 14-0012 GLB / Reg S-P – Privacy of Customer Information Senior Management Arrangements, Systems and Controls (FRA- FCA Outsourcing Working Group - Industry Response To FSA Dear CEO Letter On Outsourcing NIST Framework On Cybersecurity Federal Reserve SR 14-1/14-1A * Documentation and Reporting

Functions Sector / Region Enterprise/Corporate Function Compl. Accounts Payable Sector SRM Regional SRM Head Region SRM Utility Senior Managem ent ESRM Group Third Party Credit Risk Ent. Risk Mgmt Info. Security

ns System Capabilities CoB Comments Existing Capability ? Complian ce Evidence Exists in System? Evidence Easily Extractabl e?

Planning Regulatory Guideline/Bulletin Function Compliance Points 9 ICI - FICCA Engagements Management 10 IIROC Guidance On Outsourcing 11 IOSCOPD187 Program Requirements Conduct ongoing reviews of the quality of outsourced services; 12 IOSCOPD432 Service Standards Technology Planning 13 REG SP4-57427 NA NA 14 FRA-FCA Handbook NA 15 NA NA Describe the following: - Whether or not the company uses subservice providers or subcontractors - The primary partners or subcontractors - Location: onsite, offsite, offshore - Employee Background Checks - Compliance awareness training - Assessment process for subservice providers' or subcontractors' business continuity / disaster recovery plans - The company's policy / practice related to subcontractors, including the following: - How long has this been in practice - Communications protocols - The conditions under which subcontractors are used - How subcontractors are trained and held to the company's standards (e.g., privacy protection) - Whether the contractor has a SSAE 16 report or other form of external oversight report. In not, how the company gains comfort with the subcontractors control environment. A Dealer Member should have a comprehensive outsourcing policy that guides the performance of due diligence assessment(s) that will underlie decisions regarding whether, and how, certain activities can be appropriately outsourced As part of the comprehensive outsourcing policy, an initial assessment should be made as to whether the Dealer Member has the internal expertise that is necessary to perform the due diligence assessment(s) and, if not, the Dealer Member should identify and obtain third party expertise to perform or assist in the performance of the due diligence assessment(s) Establish and carry-out a comprehensive outsourcing risk management program that monitors the risks associated with: • the outsourced activities; and • the outsourcing relationship entered into with the service provider Ensure that third-party service providers have adequate safeguards for keeping information confidential and, where appropriate, for recovering from a business disruption; Develop and test a business continuity plan to minimize disruption to the firm’s business and its clients if the third-party service provider does not deliver the services satisfactorily; and, The following Principles set out regulators’ expectations for outsourcing firms. These principles should be applied according to the degree of materiality of the outsourced activity to the ongoing business of the outsourcing firm and its regulatory obligations. Even where the activity is not material, the outsourcing firm should consider the appropriateness of applying the principles. Annex F outlines five oversight expectations that help ensure that the operations of a critical service provider are held to the same standards as the FMI would be if it provided the same service. These expectations are specifically targeted at ensuring strong risk identification and management, robust information security management, reliability and resilience of systems, effective technology planning, and strong communications with users. (Users are the customers of the critical service provider, and include (an) FMI(s) and its/their participants, as relevant.) Proposed changes to a critical service provider’s technology should entail a thorough and comprehensive consultation with the FMI and, where relevant, its participants. A critical service provider should regularly review its technology plans, including assessments of its technologies and the processes it uses for implementing change. A common platform firm must: (1) when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter relevant services and activities) on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk; Outsourcing Working Group - Industry Response To FSA Dear

Planning Regulatory Guideline/Bulletin Function Compliance Points 15 NA NA 16 NIST Framework NA NA Industry Response To FSA Dear CEO Letter On Outsourcing

Due Diligence Regulatory Guideline/Bulletin Function Compliance Points directly manage 3rd part relationships The bank should consider the following during due diligence: Assess the third party’s information security program. Determine whether the third party has sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service delivery, assess the third party’s infrastructure and application security programs, including the software development life cycle and results of vulnerability and penetration tests. Evaluate the third party’s ability to implement effective and sustainable corrective actions to address deficiencies discovered during testing. The bank should consider the following during due diligence: Gain a clear understanding of the third party’s business processes and technology that will be used to support the activity. When technology is a major component of the third-party relationship, review both the bank’s and the third party’s information systems to identify gaps in service-level expectations, technology, business process and management, or interoperability issues. Review the third party’s processes for maintaining accurate inventories of its technology and its subcontractors. Assess the third party’s change management processes to ensure that clear roles, responsibilities, and segregation of duties are in place. Understand the third party’s performance metrics for its information systems and ensure they meet the bank’s expectations. The bank should consider the following during due diligence: Assess the third party’s ability to respond to service disruptions or degradations resulting from natural disasters, human error, or intentional physical or cyber attacks. Determine whether the third party maintains disaster recovery and business continuity plans that specify the time frame to resume activities and recover data. Review the third party’s telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, distributed denial of service attacks, or other intentional or unintentional events. Review the results of business continuity testing and performance during actual disruptions. The bank should consider the following during due diligence: Review the third party’s incident reporting and management programs to ensure there are clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents. Ensure that the third party’s escalation and notification processes meet the bank’s expectations and regulatory requirements. The bank should consider the following during due diligence: Evaluate whether the third party has sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees. The bank should consider the following during due diligence: Review the third party’s program to train and hold employees accountable for compliance with policies and procedures. Review the third party’s succession and redundancy planning for key management and support personnel. Review training programs to ensure that the third party’s staff is knowledgeable about changes in laws, regulations, technology, risk, and other factors that may affect the quality of the activities provided. The bank should consider the following during due diligence: Evaluate the volume and types of subcontracted activities and the subcontractors’ geographic locations. Evaluate the third party’s ability to assess, monitor, and mitigate risks from its use of subcontractors and to ensure that the same level of quality and controls exists no matter where the subcontractors’ operations reside. Evaluate whether additional concentration-related risks may arise from the third party’s reliance on subcontractors and, if necessary, conduct similar due diligence on the third party’s critical subcontractors. The bank should consider the following during due diligence: Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents. Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. The amounts of such coverage should be commensurate with the level of risk involved with the third party’s operations and the type of activities to be provided. The bank should consider the following during due diligence: Obtain information regarding legally binding arrangements with subcontractors or other parties in cases where the third party has indemnified itself, as such arrangements may transfer risks to the bank. Evaluate the potential legal and financial implications to the bank of these contracts between the third party and its subcontractors or other parties.

Due Diligence Regulatory Guideline/Bulletin Function Compliance Points 2 Fed Outsourcing Guidance 3 CFPB Bulletin on Service Providers 4 CPSS 115 NA NA 5 NA 6 Bank Examiners Risk based and Examination Frequency 7 FINRA 11-14 Due Diligence Program Formalized process for entering into contracts Ongoing monitoring process Required reporting to regulators 8 NASD NTM 05-48 9 ICI - FICCA Engagements NA NA 10 IIROC Guidance On Outsourcing Due Diligence Oversight Enterprise Risk Management Team/ Supplier Relationship Managers A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and Page 4 of 12 importance of the planned outsourcing arrangement, the financial institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed. The overall due diligence process includes a review of the service provider with regard to: 1. Business background, reputation, and strategy; 2. Financial performance and condition; and 3. Operations and internal controls. Supervised banks and nonbanks Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law; Requesting and reviewing the service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities; FCA Outsourcing In Asset Mgmt. Industry (1) Resilience risk – If an asset manager’s service provider was to suddenly fail and thereforebe unable to provide their outsource services for an indefinite period, the asset managerin turn would not be able to continue the service it is contracted to provide to itscustomers. For example, investors may not be able to redeem their fund holdings at afair and accurate valuation on a timely basis. Without viable contingency plans in place,this scenario could result in detriment to the asset manager’s customers. FFIEC Booklet on Technology Service Providers Perform ongoing due diligence on each current or prospective third party service provider (including any sub-vendor) to determine if they are capable of preforming the activities being outsourced and can achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules. Supervisory procedures are required when a member outsources covered activities and must include a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities A Dealer Member should have a comprehensive outsourcing policy that guides the performance of due diligence assessment(s) that will underlie decisions regarding whether, and how, certain activities can be appropriately outsourced  As part of the comprehensive outsourcing policy, an initial assessment should be made as to whether the Dealer Member has the internal expertise that is necessary to perform the due diligence assessment(s) and, if not, the Dealer Member should identify and obtain third party expertise to perform or assist in the performance of the due diligence assessment(s) Dealer Members adopt formal due diligence policies and procedures relating to outsourcing arrangements. To facilitate Dealer Members’ efficient assessment of individual proposed outsourcing arrangements, it would be acceptable for Dealer Members to adopt policies and procedures that acknowledge that the extent of due diligence work performed may be proportionate to the materiality and risk of the functions/activities that are proposed to be outsourced.

Due Diligence Regulatory Guideline/Bulletin Function Compliance Points 12 IOSCOPD432 Enterprise-wide risk-management framework Dependencies on third parties Governance of the enterprise-wide risk-management framework Internal audit function Information Technology Security and Business Continuity at the Outsourcing Firm (Due Dilligence) Means for Implementation: Specification of the security requirements of automated systems to be used by the service provider, including the technical and organizational measures that will be taken to protect firm and customer-related data. Appropriate care should be exercised to ensure that IT security protects the privacy of the outsourcing firm’s customers as mandated by law: • service provider maintain appropriate measures to ensure security of both the outsourcing firm’s software as well as any software developed by the service provider for the use of the outsourcing firm • Specification of the rights of each party to change or require changes to security procedures and requirements and of the circumstances under which such changes might occur • Provisions that address the service provider’s emergency procedures and disaster recovery and contingency plans as well as any particular issues that may need to be addressed where the outsourcing firm is utilizing a foreign service provider. Where relevant, this may include the service provider’s responsibility for backing up and otherwise protecting program and data files, as well as regulatory reporting • Where appropriate, terms and conditions relevant to the use of subcontractors with respect to IT security, and appropriate steps to minimize the risks arising out of such subcontracting •Where appropriate, requirement of testing by the service provider of critical systems and back-up facilities on a periodic basis in order to review the ability of the service providers to perform adequately even under unusual physical and/or market conditions at the outsourcing firm, the service provider, or both, and to determine whether sufficient capacity exists under all relevant conditions • Requirement of disclosure by the service provider of breaches in security resulting in unauthorized intrusions (whether deliberate or accidental, and whether confirmed or not) that may affect the outsourcing firm or its customers, including a report of corrective action taken • Provisions in the outsourcing firm’s own contingency plans that address circumstances in which one or more of its service providers fail to adequately perform their contractual obligations. Where relevant, this may include reporting by the outsourcing firm to its regulator. The outsourcing firm may need to require contractually information from the service provider to fulfill this obligation. As part of its reviews of these matters, an outsourcing firm should also take into account whether additional issues are raised when the outsourcing is performed on a cross-border basis. FMI Operations Oversight Expectations The FMI remains ultimately responsible for its operations, including the five oversight expectations outlined in Annex F of the Principles for financial market infrastructures. An FMI may have a contractual arrangement with a third-party service provider that performs, on a continuing basis, activities essential to the operations of the FMI. The continuous, secure, and efficient delivery of these services by the third-party service provider may be critical to the operations of the FMI or, in some cases, multiple FMIs. This assessment methodology mirrors the approach used in the CPSS-IOSCO, Principles for financial market infrastructures: Disclosure framework and Assessment methodology, December 2012. Risk identification and management A critical service provider should have effective processes and systems for identifying and documenting risks, implementing controls to manage risks, and making decisions to accept certain risks. A critical service provider may face risks related to information security, reliability and resilience, and technology planning, as well as legal and regulatory requirements pertaining to its corporate organisation and conduct, relationships with customers, strategic decisions that affect its ability to operate as a going concern, and dependencies on third parties. Information security (Due Dilligence) A critical service provider should have a robust information security framework that appropriately manages its information security risks. The framework should include sound policies and procedures to protect information from unauthorised disclosure, ensure data integrity, and guarantee the availability of its services. In addition, a critical service provider should have policies and procedures for monitoring its compliance with its information security framework. This framework should also include capacity planning policies and change-management practices. For example, a critical service provider that plans to change its operations should assess the implications of such a change on its information security arrangements.

Due Diligence Regulatory Guideline/Bulletin Function Compliance Points 13 REG SP4-57427 NA NA 14 FRA-FCA Handbook 15 OWG Document NA NA 16 NIST Framework NA NA The following should be taken into account where the service provider is not authorized or registered in its home country and/or not subject to prudential supervision. 8.3.6 FCA (1) The firm should examine, and be able to demonstrate, to what extent the service provider may be subject to any form of voluntary regulation, including self-regulation in its home state. (2) The firm should be able to satisfy the FCA that the service provider is committed for the term of the outsourcing agreement to devoting sufficient, competent resources to providing the service. (3) In addition to the requirement to ensure that a service provider discloses any developments that may have a material impact on its ability to carry out the outsourcing ( ¡ SYSC 8.1.8 R (6)), where the conditions are not met the developments to be disclosed should include, but are not limited to: (a) any adverse effect that any laws or regulations introduced in the service provider's home country may have on its carrying on the outsourced activity; and (b) any changes to its capital reserve levels or its prudential risks. (4) The firm should satisfy itself that the service provider is able to meet its liabilities as they fall due and that it has positive net assets. (5) The firm should require that the service provider prepares annual reports and accounts which: (a) are in accordance with the service provider's national law which, in all material respects, is the same as or equivalent to the international accounting standards; (b) have been independently audited and reported on in accordance with the service provider's national law which is the same as or equivalent to international auditing standards. (6) The firm should receive copies of each set of the audited annual report and accounts of the service provider. If the service provider expects or knows its accounts of the service provider. If the service provider expects or knows its auditor will qualify his report on the audited report and accounts, or add an explanatory paragraph, the service provider should be required to notify an explanatory paragraph, the service provider should be required to notify the firm without delay. (7) The firm should satisfy itself, and be able to demonstrate, that it has in place appropriate procedures to ensure that it is fully aware of the service provider's controls for protecting confidential information. (8) In addition to the requirement at ¡ SYSC 8.1.8 R (10) that the service provider must protect any confidential information relating to the firm or its clients, the outsourcing agreement should require the service provider to notify the firm immediately if there is a breach of confidentiality. The outsourcing agreement should be governed by the law and subject to the jurisdiction of an EEA state.

Contract Negotiation Regulatory Guideline/Bulletin Function Compliance Points 1 OCC Bulletin 2013-29 Bank Employees Who Manage Third-party relationships Ensure that the contract establishes the bank’s right to audit, monitor performance, and require remediation when issues are identified. Generally, a third-party contract should include provisions for periodic independent internal or external audits of the third party, and relevant subcontractors, at intervals and scopes consistent with the bank’s in-house functions to monitor performance with the contract. A bank should include in the contract the types and frequency of audit reports the bank is entitled to receive from the third party (e.g., financial, SSAE 16, SOC 1, SOC 2, and SOC 3 reports, and security reviews). Consider whether to accept audits conducted by the third party’s internal or external auditors. Reserve the bank’s right to conduct its own audits of the third party’s activities or to engage an independent party to perform such audits. Ensure the contract addresses compliance with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including provisions that outline compliance with certain provisions of the Gramm-Leach-Bliley Act (GLBA) (including privacy and safeguarding of customer information); BSA/AML; OFAC; and Fair Lending and other consumer protection laws and regulations. Ensure that the contract requires the third party to maintain policies and procedures which address the bank’s right to conduct periodic reviews so as to verify the third party’s compliance with the bank’s policies and expectations. Ensure that the contract states the bank has the right to monitor on an ongoing basis the third party’s compliance with applicable laws, regulations, and policies and requires remediation if issues arise. Fully describe compensation, fees, and calculations for base services, as well as any fees based on volume of activity and for special requests. Ensure the contracts do not include burdensome upfront fees or incentives that could result in inappropriate risk taking by the bank or third party. Indicate which party is responsible for payment of legal, audit, and examination fees associated with the activities involved. Consider outlining cost and responsibility for purchasing and maintaining hardware and software. Specify the conditions under which the cost structure may be changed, including limits on any cost increases. State whether and how the third party has the right to use the bank’s information, technology, and intellectual property, such as the bank’s name, logo, trademark, and copyrighted material. Indicate whether any records generated by the third party become the bank’s property. Include appropriate warranties on the part of the third party related to its acquisition of licenses for use of any intellectual property developed by other third parties. If the bank purchases software, establish escrow agreements to provide for the bank’s access to source code and programs under certain conditions (e.g., insolvency of the third party). Prohibit the third party and its subcontractors from using or disclosing the bank’s information, except as necessary to provide the contracted activities or comply with legal requirements. If the third party receives bank customers’ personally identifiable information, the contract should ensure that the third party implements and maintains appropriate security measures to comply with privacy regulations and regulatory guidelines. Specify when and how the third party will disclose, in a timely manner, information security breaches that have resulted in unauthorized intrusions or access that may materially affect the bank or its customers. Stipulate that intrusion notifications include estimates of the effects on the bank and specify corrective action to be taken by the third party. Address the powers of each party to change security and risk management procedures and requirements, and resolve any confidentiality and integrity issues arising out of shared use of facilities owned by the third party. Stipulate whether and how often the bank and the third party will jointly practice incident management plans involving unauthorized intrusions or other breaches in confidentiality and integrity. Ensure the contract provides for continuation of the business function in the event of problems affecting the third party’s operations, including degradations or interruptions resulting from natural disasters, human error, or intentional attacks. Stipulate the third party’s responsibility for backing up and otherwise protecting programs, data, and equipment, and for maintaining current and sound business resumption and contingency plans. Include provisions—in the event of the third party’s bankruptcy, business failure, or business interruption—for transferring the bank’s accounts or activities to another third party without penalty. Ensure that the contract requires the third party to provide the bank with operating procedures to be carried out in the event business resumption and disaster recovery plans are implemented. Include specific time frames for business resumption and recovery that meet the bank’s requirements, and when appropriate, regulatory requirements. Stipulate whether and how often the bank and the third party will jointly practice business resumption and disaster recovery plans.

Contract Negotiation Regulatory Guideline/Bulletin Function Compliance Points Consider including indemnification clauses that specify the extent to which the bank will be held liable for claims that cite failure of the third party to perform, including failure of the third party to obtain any necessary intellectual property licenses. Carefully assess indemnification clauses that require the bank to hold the third party harmless from liability. Stipulate that the third party is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance. Consider whether the contract should establish a dispute resolution process (arbitration, mediation, or other means) to resolve problems between the bank and the third party in an expeditious manner, and whether the third party should continue to provide activities to the bank during the dispute resolution period. Determine whether the contract limits the third party’s liability and whether the proposed limit is in proportion to the amount of loss the bank might experience because of the third party’s failure to perform or to comply with applicable laws. Consider whether a contract would subject the bank to undue risk of litigation, particularly if the third party violates or is accused of violating intellectual property rights. Ensure that the contract stipulates what constitutes default, identifies remedies and allows opportunities to cure defaults, and stipulates the circumstances and responsibilities for termination. Determine whether it includes a provision that enables the bank to terminate the contract, upon reasonable notice and without penalty, in the event that the OCC formally directs the bank to terminate the relationship. Ensure the contract permits the bank to terminate the relationship in a timely manner without prohibitive expense. Include termination and notification requirements with time frames to allow for the orderly conversion to another third party. Provide for the timely return or destruction of the bank’s data and other resources and ensure the contract provides for ongoing monitoring of the third party after the contract terms are satisfied as necessary. Clearly assign all costs and obligations associated with transition and termination. Specify whether the bank or third party is responsible for responding to customer complaints. If it is the third party’s responsibility, specify provisions that ensure that the third party receives and responds timely to customer complaints and forwards a copy of each complaint and response to the bank. The third party should submit sufficient, timely, and usable information to enable the bank to analyze customer complaint activity and trends for risk management purposes. Stipulate when and how the third party should notify the bank of its intent to use a subcontractor. Specify the activities that cannot be subcontracted or whether the bank prohibits the third party from subcontracting activities to certain locations or specific subcontractors. Detail the contractual obligations—such as reporting on the subcontractor’s conformance with performance measures, periodic audit results, compliance with laws and regulations, and other contractual obligations. State the third party’s liability for activities or actions by its subcontractors and which party is responsible for the costs and resources required for any additional monitoring and management of the subcontractors. Reserve the right to terminate the contract without penalty if the third party’s subcontracting arrangements do not comply with the terms of the contract. Include in contracts with foreign-based third parties choice-of-law covenants and jurisdictional covenants that provide for adjudication of all disputes between the parties under the laws of a single, specific jurisdiction. Understand that such contracts and covenants may be subject, however, to the interpretation of foreign courts relying on local laws. Foreign courts and laws may differ substantially from U.S. courts and laws in the application and enforcement of choice-of-law covenants, requirements on banks, protection of privacy of customer information, and the types of information that the third party or foreign governmental entities will provide upon request. Therefore, seek legal advice to ensure the enforceability of all aspects of a proposed contract with a foreign-based third party and other legal ramifications of each such arrangement.