A new twist on an existing issue has recently surfaced for financial institutions (FI) in managing vendor risk. Patent infringement lawsuits, which are not new to the banking community, have grown as FIs have become more dependent on vendor-provided technologies. FIs are being drawn into more legal proceedings, or the threat of them, in which a party sues for alleged infringement of a patent on a product or process that a vendor has provided the FI. In particular, allegations of infringement have targeted technology enhancements related to scanning and imaging, mobile banking and payments, data storage, debit and prepaid card production, and transaction management processes. In a number of cases, the FI pays a royalty or fee to settle the dispute and avoid further legal expenses.

Some aggressive patent infringement groups have become active over the last several years. Targeting financial services vendors and FIs, these "patent assertion entities" (PAEs) (or, more derisively, "patent trolls") are characterized in the June 2013 White House report Patent Assertion and U.S. Innovation as focusing "on aggressive litigation, using such tactics as: threatening to sue thousands of companies at once, without specific evidence of infringement against any of them; creating shell companies that make it difficult for defendants to know who is suing them; and asserting that their patents cover inventions not imagined at the time they were granted." According to the report, patent infringement lawsuits initiated by PAEs now represent 62 percent of all infringement suits—up from 29 percent just two years ago. The greatest danger from such aggressive legal action is a chilling effect on the development and adoption of innovative technologies.

So what might a financial institution do to mitigate its risk in this area? Federal and state officials are examining the problem and will likely make recommendations for policies or regulations that will provide a reasonable level of protection. However, this effort is likely to take time. In the interim, we suggest a number of potential actions for FIs and their legal counsel to evaluate. A critical element in risk management is understanding the sources of risk and their threat level. Consequently, FIs should consider a requirement in the vendor agreement that requires the vendor to immediately notify the FI of any such claims. Second, FIs should include an indemnification clause in the vendor agreement to protect themselves from being drawn into the legal dispute. And the FIs' lawyers should make sure that this clause requires vendors to stand behind the FI if the lawsuits target them for using vendor-provided technology. Lastly, FIs should consider obtaining or requiring the vendor to obtain patent infringement insurance.

Risk assessment and developing mitigation tactics should be an ongoing effort for all FIs. We would like to hear how your company is addressing this issue.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed