Contract legal risk management

Contracts, as legally enforceable agreements, have a legal lifecycle from due diligence, analysis and negotiation, through to acceptance, implementation, administration, storage, dispute resolution and termination.

Contracts carry an element of risk, especially if they are material to the business.

If you are an APRA-regulated entity, you must keep a supplier register to track your contracts and identify which service providers are “material”. It must record the critical operation that each contract relates to, the start and end dates, and the manager who is accountable for it (CPS 230).

Most businesses identify key commercial terms but do not have internal guidance on which terms are essential and non-negotiable, and which terms can be varied and why.

A pre-signing review should check that important operational requirements are included and correctly documented.

Businesses that contract with ongoing service providers for repetitive products may be presented with a summary “Order Form” or “Statement of Work”, but they sometimes do not realise that it incorporates by reference a separate Master Service Agreement, which contains important general contractual terms.

Recent contracts also include provisions covering services in which the seller may use AI systems to deliver the services, or software products with embedded or integrated AI capabilities.

APRA-regulated entities are required by CPS 230 to notify APRA of an operational risk incident, a breach of a critical operation tolerance level, and any new material arrangement or offshoring, or a change to an existing one.

Even if you have done due diligence on your contractor, how do you know whether they have subcontracted their services to a fourth party and whether they comply with the same standards?

And how will you know whether they have made a ransomware payment in response to a cybersecurity incident, which must be reported?

Privacy protection provisions are an essential part of contracts: does the contract deal with customer personal data protection, notification of data breaches and the transfer of data overseas?

Contracts should also be checked to determine whether they grant any security interest to the counterparty, which may be registrable under the Personal Property Securities Act.

Understanding your supply chains is now a critical part of every financial services business that outsources functions, particularly concerning information security, service levels, business continuity and customer privacy.


Author: David Jacobson
Principal, Bright Corporate Law
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
