Avoiding Common Pitfalls in Technology Contracts

By Kendall Wilson

January 10, 2025

As the financial services industry becomes increasingly digital, financial institutions must engage with more and more technology partners to meet the needs of their members and customers.  With FinTech vendors providing services ranging from internal operations to crucial technology solutions like core banking systems and online or mobile banking, technology providers are quickly becoming some of the most important, and riskiest, partnerships that financial institutions enter.

As the banking landscape changes, so too does the legal environment in which the industry operates.  FinTech contracts present unique challenges to a financial institution’s IT, risk, and legal departments.  Below are a few common pitfalls currently trending in technology contracts, and some tips on how to avoid them – or, for those that are unavoidable, to mitigate the risks they present:

  • Lack of Product Descriptions or Performance Standards. This may seem basic, but all too often we see technology contracts that lack an understandable description of what the vendor’s technology solution is or does.  Often, contracts will contain only a vague description of what is being purchased (“Vendor agrees to provide the cloud computing services…”), which makes it nearly impossible to hold vendors accountable if their products do not perform.

Ideally, technology contracts will include measurable performance standards such as those commonly found in service level agreements. Where a technology solution is not amenable to such standards, or where a vendor refuses to agree to them, even a brief “executive description” of the product, setting forth in plain language what the technology is intended to do, can be critically helpful in holding technology vendors accountable if performance issues arise.

  • Beware the “as is” software contract. Similarly, we have seen an increase in technology contracts, particularly software licenses, that disclaim any and all warranties and assert that the purchased technology is offered “as is,” with no promise that it will perform in any particular way. Financial institutions should be cautious of such contract language and approach it with eyes open, in light of the nature of the technology being purchased, its criticality, and similar factors. Where possible, if vendors are unwilling to provide warranties or delete “as is” language from their contracts, financial institutions should insist upon pre-execution test environments, preferably with post-execution trial and acceptance periods, to ensure they are not left holding the bag with a product that doesn’t work.
  • Disclaimers of Liability. It is common for vendor contracts to contain some disclaimers or limitations of liability. Vendors are not insurers, and will generally seek to limit their liability relative to the nature and amount of the contract at issue. But financial institutions should be cautious of particular liability issues trending in FinTech contracts. One is the inclusion of cybersecurity obligations, but with no liability for breach.  Increasingly, we see vendors including language stating they will implement certain information safeguards, but disclaiming liability for any breach or unauthorized release of information. Financial institutions should be wary of such language, and seek to impose some contractual “teeth” to enforce vendors’ cybersecurity obligations.  Ideally, vendors will indemnify their financial institution customers for liability arising from unauthorized disclosure. As a middle ground, we have seen vendors agree to assist with direct costs associated with a release (such as notification of affected persons), and carveouts for gross negligence or violation of express security requirements. Again, financial institutions should approach these issues with caution, in light of the nature of the agreement and the data being disclosed.

Another issue trending lately is an attempt by vendors to disclaim all liability for the acts of third parties. Many FinTech contracts permit or even require the involvement of third parties and subcontractors. But a contract that broadly allows the delegation of contractual duties to third parties, coupled with a broad disclaimer of liability for the acts or omissions of those parties, can leave a financial institution entirely without recourse in the event of a breach.  These risks can be mitigated by insisting upon contractual language declaring that the primary contractor remains liable for overall performance, even for those duties delegated to a subcontractor.  Another option is to insist upon a direct contract with any subcontractors, or at the very least, involvement in the vetting process for third (or fourth) parties that might provide services under a primary technology contract.

FinTech contracts are, by their nature, highly technical and complex, and present unique legal challenges.  Being on the lookout for these and other potential contractual pitfalls during the negotiation and vendor selection processes will help financial institutions mitigate some of the unique risks associated with these contracts, and help them negotiate contracts that mitigate risk while improving the delivery of financial solutions in this increasingly tech-driven industry.
