Join our mailing list to receive the latest updates and alerts Flag Subscribe

A bank’s data processing agreement is typically one of its most important contracts—yet, it is frequently entered into without legal review or without even being read. These contracts are often lengthy, complex, and weighted heavily in favor of the vendor and banks often do not consider that they are negotiable. This article addresses some of the risks associated with a bank’s failure to negotiate the agreement, as well as tips on how to avoid common pitfalls.

Regulatory Risks

Banks have certain obligations relating to oversight of vendors, particularly those who provide critical functions. Regulators have expressed concern that many banks do not have adequate vendor risk management practices in place. It is important to review regulatory agency guidelines relating to vendor diligence and risk management before signing a new data processing contract. Failing to do so may put the bank at risk of failure to properly assess and understand the risks and costs of vendor relationships.

Regulatory guidance requires banks to have proper risk management policies, procedures, and processes in place. In order to comply, a bank must have risk management processes that correspond with the level of risk and complexity, including due diligence, careful vendor selection, contract negotiation, data security and privacy, proper termination mechanisms, and proper oversight. In negotiating terms of a data processing agreement with a vendor, emphasize the regulatory necessities for certain changes or provisions. If unsuccessful negotiating a term like termination fees, the bank should document its efforts to comply with vendor management requirements in case the decision is later challenged by the regulators.

Mergers and Acquisitions

As consolidation pressures intensify, the impact of data processing agreements on mergers and acquisitions is becoming increasingly apparent. In some cases, termination or de-conversion fees are shocking. It is common for termination fees to equal 80 to 100 percent of the remaining fees payable during the term of the contract. This can often amount to a very large number, which significantly reduces shareholder value in a merger or acquisition. In some cases, it may sabotage the deal completely.

However, these fees are almost always negotiable. A data processing vendor typically will agree to a negotiated graduated termination fee schedule such that fees will decrease later in the term. Negotiating a more favorable termination provision on the front end can save a lot of money for the acquiring bank down the road, which ultimately benefits the selling bank as well.

The Contract Negotiation

For the most leverage in negotiating a good deal, start thinking about the negotiation strategy 24 months before entering into a data processing contract. Consider forming a committee that is responsible for reviewing regulations relating to vendor management, reviewing existing data processing contracts and developing a plan that prioritizes the bank’s needs and long-term goals.

Once a quote is received, analyze and negotiate the terms that impact the bank’s needs and goals. A few key terms to consider include:

  • Contract Length. Of course, the vendor would like to make the contract as long as possible. Beware of contract terms longer than five years. Likewise, negotiate the automatic renewal term to be reduced to one year, if it is not already.
  • The Termination Provision. As discussed above, negotiate for a less harsh termination provision.
  • Performance Standards. A data processing contract should define minimum service-level requirements, as well as the remedies for failure to meet these standards. Consider also including a termination-for-cause provision for repeated failure to meet standards.
  • Compliance. The contract should address controls relating to compliance with applicable regulatory requirements. Specifically, contracts must contain compliant provisions for security and privacy.
  • Records and Reporting. Negotiate terms that give the bank access to the vendor’s records relating to the bank. Additionally, data processing vendors maintain customer data and advanced reporting and analytics. Negotiate for the frequency and type of reports that the bank will receive relating to this information.

As products and services are added to the master agreement, do not lose sight of the big picture. Watch out for services with terms longer than the other services in the agreement and ensure that any added services terminate at the same time as the master agreement.

Considering the importance, value, and duration of data processing agreements, it is essential to review and negotiate the proposed agreement with a dedicated team, especially if a future sale or other business combination transaction is being considered. Vendors negotiate these contracts on a daily basis, so be sure to have experts, including legal counsel, on your team as well.


Almost every contract term is negotiable. Thorough analysis on the front end can save unnecessary expenses later on.


Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.