Understanding Contract Terms and Risk Assessments


Understanding contract terms is a key part of understanding the risk of doing business with a vendor. While specific terms should be discussed with credit union or CUSO counsel, credit union compliance officers can expect to be asked about the terms and conditions of contracts with critical vendors. Although meanings of contract terms can vary in every state/jurisdiction, there is general consensus on what certain agreement language is meant to accomplish. Please note that the intent is not to state any particular terms are “bad” or must be negotiated; merely that the terms should be understood so credit unions can manage risks and prepare business plans accordingly.

Overview: important terms to understand

  • Fees: What is the institution paying for?
  • Security: Does the contract meet your requirements?
  • Warranty and Remedies: What happens if the vendor fails to deliver?
  • Indemnification: What happens if a third party sues as a result of the services?
  • Assignment: What rights does the vendor have to sell your contract to someone else?
  • Jurisdiction (and Venue): What law applies to the contract?
  • Term and Termination: How do you wind down the relationship?


Fees would seem to be the easiest part of understanding a contract. Unfortunately, fee disputes are the top reasons for litigation due to misunderstandings or vague language. Credit unions and CUSOs should always be comfortable with fees that are not written into the contract but could be triggered upon certain events. For example, a project quote should make clear what estimates are based on, and what the charges will be for cost overruns.

An organization should always be wary of fees that are not described or provided for in an agreement. Although a credit union or CUSO may be able to get some fees waived by a court, in general, proving that such fees are unfair or unconscionable can be difficult. Even if the organization can show the fees charged are disproportionate to the market average, courts tend to be reluctant to interfere in these disputes.


The security provisions of the Gramm-Leach-Bliley Act (“GLBA”) extend to vendors by law if the vendor meets the definition of a service provider. A service provider is defined as: “Any party that is permitted access to a financial institution’s customer information through the provision of services directly to the institution.” If a vendor is a service provider under the definition of GLBA, the service provider must agree to provide security in a GLBA compliant manner.

Because GLBA compliance is a moving target, extensively detailing security measures in the contract itself is not practical. Therefore, contracts with service providers should at least make mention of an agreement by the provider to be compliant with GLBA. If the provider has language that states the provider will have “Reasonable” or “Commercially Reasonable” security, those terms are reasonably clear and meet GLBA compliance. “Commercially Reasonable” generally means security at the same or greater level for similarly situated businesses. As most credit unions and CUSOs are aware, examiners may require proof that the credit union has reviewed due diligence materials from the provider, such as SSAE-18 SOC reports.

Warranty and remedies

The warranty is a guarantee of the quality of the services or products delivered. The trend for many vendors is to provide limited or no warranties. If the contract states the warranty is “As Is”, the purchaser will have no remedy so long as a product or service is delivered despite a lack of quality. If the contract has “Professional” and/or “Workmanlike” language, the provider is promising the work will be performed with reasonable care, skill and diligence. A breach of the Professional warranty may make the breaching party liable for all foreseeable damages. For example, consider an accounting firm that provides an incorrect inventory balance due to its own negligence. That error in turn creates a miscalculation of cost of goods sold and, therefore, an error in the calculation of gross profit and net income. The accounting firm could be liable for all foreseeable damages as a result of the errors.

Remedies are what happens if a warranty or the contract is breached by the provider. Most vendors will limit their liability, so credit unions and CUSOs should be certain their insurance will provide coverage in the event the organization sustains losses as a result of a breach of warranty. Some contracts provide for arbitration in the event there is a dispute. There is no issue with having an arbitration clause, but an important matter is to ensure the organization is aware who bears costs and fees for the arbitration process.


Indemnification is a way of reallocating risk. Indemnification clauses (as well as “Hold Harmless” terms) state when and under what conditions one party will be responsible for damages to the other party and possibly to third parties. For example, a credit union may hire a contractor to remodel part of the office. The contractor may require that the credit union indemnify the contractor if the credit union later makes changes to the contractor’s work, and these changes cause injury to a member. The credit union may require the contractor to indemnify the credit union if the contractor’s workers are injured on the job.

Term and termination

Credit unions and CUSOs should always be aware how long the contract is for, when it terminates, and whether or not the contract renews. If the contract renews, there will often be specific language that states when the credit union or CUSO must send notice of non-renewal. In general, term and termination are part of understanding the wind-down process if the parties no longer desire to do business together.

Some agreements allow for “no fault” termination where one or both parties can terminate the agreement without penalty. Credit unions and CUSOs need to have a plan in case a critical vendor has this clause and terminates the services. Otherwise, the credit union or CUSO should be aware what the termination fees and other costs will be if the contract is terminated early.


Assignment is the right of one party to a contract to allow someone else to take over the rights and obligations in the contract. If you have a vendor critical to your operations, you need to understand when and how a new vendor can take over these services. This is part of the wind-down process. If a new company purchases your service provider and the credit union or CUSO is no longer happy with the service, under what circumstances can the contract be terminated?

Some assignment clauses have language stating assignment cannot happen without the party’s consent. Other contracts may have consent language but with the clause that assignment consent “shall not be unreasonably withheld.” The “unreasonably withheld” language generally means the credit union or CUSO will not be able to deny assignment to a new party unless services are going to a competitor, or essential terms of the agreement are going to change as a result of the assignment.

Jurisdiction and venue

Jurisdiction means which state’s law will apply, while venue is the court system that will hear any cases if there is a dispute. Most vendors will not negotiate jurisdiction, but having jurisdiction in the contract is usually better than none whatsoever. If there is no jurisdiction in the agreement, the organization may wish to have the jurisdiction added. Credit unions and CUSOs should take into consideration venue and jurisdiction when they consider whether bringing litigation against a service provider is feasible.

Risk assessments

With this information, an informed compliance professional with the credit union or CUSO can develop a risk profile for critical vendors. Either through internal review or with legal counsel, the key questions include:

  • What is the organization paying for?
  • What has the vendor guaranteed about the products or services?
  • What has the vendor agreed to regarding security?
  • What are the indemnification terms, and will insurance cover any gaps?
  • Can the vendor walk away from the agreement, either through assignment or through termination/non-renewal?
  • How will you wind down the relationship? What is your exit strategy?
  • Which law applies? Will you have arbitration or file suit in a different jurisdiction?

Review before signing

As mentioned earlier, the point is not that these terms need to be negotiated but rather to give the organization insight as to what these terms indicate. The goal is to ensure the credit union or CUSO can confidently report to an examiner that the organization understands key terms of contracts and management has chosen to manage the risk accordingly. Implementing contract review into the vendor risk management program helps create a system with a best practices foundation.

