Best Practice - Contract must-haves

I've been reading some pretty dry government documents put out by the FFIEC, about audit practices for financial institutions. They list what I hold to be an obvious but good framework of "must haves" for outsourcing contracts (or any contracts, really). I've been intending to write down my own thoughts on contract framework best practices ever since I went through the process of developing my own MSA and SOW templates.

So seeing this written out in a nice neat list catalyzed me. Here, paraphrased, is what a bunch of allegedly smart people in the US government believe should be defined in your outsourcing contract:

Best practices for outsourcing contracts - the short list:

• Scope of services to be delivered
• Performance standards for same
• Pricing for same
• Controls
• Financial and control reporting
• Right to audit
• Ownership of data and work product
• Regulatory compliance
• Indemnification
• Limitation of liability
• Dispute resolution
• Contract duration
• Restrictions on / around sub-contractors
• Termination
• Return of data and work product
• Insurance coverage
• Prevailing jurisdiction
  
• Choice of law
• Regulatory access to data
• Business continuity planning

The FFIEC doesn't list this, but I'd add:

• Security restrictions
• Key staff special handling
• Non-solicitation
  
• Non-compete
• Insurance coverage
  

Disclaimer: I am not a lawyer, and this should in no way be construed as legal advice. If you're writing, reviewing or negotiating a contract you should get your company's legal team involved. You can point them to this blog post but they'll probably already know this stuff. And if they're good, they'll have their own contractual boilerplate with this info and a lot more spelled out in that special kind of excruciatingly complex language that can only be written by people who bill by the hour.

---