💡 Plain English Explanation

Regulatory examination and audit rights clauses grant financial institutions and their regulators the ability to inspect and review the operations, records, and systems of parties receiving confidential information. These provisions are not merely contractual conveniences; they are often regulatory requirements that banks and financial institutions must include in their service provider agreements.

Federal banking regulators (OCC, FDIC, Federal Reserve) and state regulators require financial institutions to maintain oversight of their service providers and to ensure regulators have access to service provider records when needed. The interagency guidance on third-party relationships and the OCC's risk management guidance specifically require contractual audit rights.

Audit rights clauses typically address:

Why This Clause Matters

Regulatory Mandates: The Bank Service Company Act provides federal banking agencies with the authority to examine services performed for banks by third parties. OCC Bulletin 2013-29 and subsequent guidance require banks to ensure contracts include audit and examination provisions.

Third-Party Risk Management: Financial regulators hold banks responsible for the actions of their service providers. Audit rights enable banks to fulfill their supervisory obligations and demonstrate to examiners that they maintain appropriate oversight.

Examination Support: During regulatory examinations, examiners may request to review service provider operations, documentation, and controls. Contracts must ensure the bank can facilitate this access without breaching confidentiality obligations.

Remediation Authority: Audit findings often require corrective action. Strong audit clauses establish the right to require remediation and to terminate relationships if material deficiencies are not addressed.

📄 Clause Versions

Balanced Version: Provides reasonable audit rights meeting regulatory requirements while respecting the service provider's operational needs. Includes provisions for cost allocation and protection of proprietary information.

REGULATORY EXAMINATION AND AUDIT RIGHTS

1. Audit Rights. The Disclosing Party and its designated representatives shall have the right to audit, examine, and inspect the Receiving Party's:

(a) Books, records, and documentation relating to the services provided under this Agreement and the handling of Confidential Information;
(b) Facilities, systems, and infrastructure used to store, process, or transmit Confidential Information;
(c) Internal controls, policies, and procedures relevant to the services and data protection;
(d) Compliance with the terms of this Agreement and applicable laws and regulations.

2. Audit Procedures. Audits shall be conducted as follows:

(a) The Disclosing Party shall provide at least thirty (30) days' prior written notice of its intent to conduct an audit, except in the case of a security incident or regulatory examination requiring expedited access;
(b) Audits shall be conducted during normal business hours in a manner that minimizes disruption to the Receiving Party's operations;
(c) Audits shall not occur more than once per calendar year, unless required by regulatory authorities or triggered by identified deficiencies;
(d) The Disclosing Party may engage qualified third-party auditors, provided such auditors are bound by confidentiality obligations.

3. Regulatory Access. The Receiving Party agrees to permit examination of its records and operations by any federal or state regulatory authority having jurisdiction over the Disclosing Party, including but not limited to the Office of the Comptroller of the Currency, Federal Reserve, FDIC, CFPB, and state banking regulators. Such examination rights shall be:

(a) Exercisable with reasonable notice, subject to the authority's examination procedures;
(b) Inclusive of access to facilities, personnel, records, and systems relevant to services provided to the Disclosing Party;
(c) At no additional cost to the Disclosing Party.

4. Cooperation. The Receiving Party shall cooperate fully with any audit or examination, including providing access to personnel, documentation, and systems as reasonably requested.

5. Audit Reports. Upon request, the Receiving Party shall provide copies of relevant third-party audit reports (such as SOC 1, SOC 2, or similar reports) to satisfy audit requirements in lieu of on-site audits, where the Disclosing Party determines such reports provide adequate assurance.

6. Remediation. If any audit reveals material deficiencies, the Receiving Party shall develop and implement a remediation plan within thirty (30) days. The Disclosing Party shall have the right to verify implementation of remediation measures.

Disclosing Party Favor: Comprehensive audit and examination rights with minimal restrictions, broad scope, and strong remediation requirements. Appropriate for critical service provider relationships where the financial institution requires maximum oversight capability.

REGULATORY EXAMINATION AND AUDIT RIGHTS

1. Comprehensive Audit Rights. The Disclosing Party, its affiliates, and their respective internal and external auditors, consultants, and representatives shall have the right, at any time and from time to time, to conduct audits, examinations, and inspections of:

(a) All books, records, accounts, documentation, and data (in any form) relating to the Receiving Party's performance under this Agreement;
(b) All facilities, data centers, systems, networks, and equipment used in connection with the services or Confidential Information;
(c) All personnel involved in providing services or handling Confidential Information;
(d) All internal controls, security measures, business continuity plans, and compliance programs;
(e) All subcontractors and third parties engaged by the Receiving Party in connection with this Agreement;
(f) Any other matters the Disclosing Party deems relevant to assessing the Receiving Party's performance, security, or compliance.

2. Unlimited Regulatory Access. The Receiving Party acknowledges that the Disclosing Party is subject to regulation and examination by various federal and state authorities. The Receiving Party agrees to:

(a) Permit any federal or state banking examiner, regulator, or their designees to examine, audit, and inspect any records, facilities, personnel, and operations of the Receiving Party relating to services provided to the Disclosing Party;
(b) Respond promptly and completely to any examination requests or information requirements from regulatory authorities;
(c) Appear before regulators and provide testimony as requested;
(d) Treat regulatory examination requests as having the highest priority;
(e) Not assert any confidentiality, trade secret, or privilege objection to regulatory examination;
(f) Bear all costs associated with facilitating regulatory examinations.

3. No Notice Required. The Disclosing Party and regulatory authorities may conduct audits and examinations without prior notice if:

(a) A security incident has occurred or is suspected;
(b) A regulatory authority requests immediate access;
(c) The Disclosing Party has reason to believe a material breach has occurred;
(d) Fraud or illegal activity is suspected.

4. Frequency. There shall be no limit on the number or frequency of audits that may be conducted under this Section.

5. Records Retention. The Receiving Party shall retain all records relevant to this Agreement for a period of seven (7) years following termination, or such longer period as may be required by law or regulation, and shall make such records available for audit throughout the retention period.

6. Immediate Remediation. Upon identification of any deficiency through audit or examination:

(a) The Receiving Party shall immediately cease any activity contributing to the deficiency;
(b) The Receiving Party shall implement a remediation plan approved by the Disclosing Party within fifteen (15) days;
(c) The Disclosing Party may suspend performance or terminate this Agreement if deficiencies are not cured to its satisfaction;
(d) The Receiving Party shall bear all costs of remediation.

7. Subcontractor Flow-Down. The Receiving Party shall ensure that all subcontractors and fourth parties are bound by audit provisions equivalent to this Section.

Receiving Party Favor: Reasonable audit rights that meet regulatory requirements while protecting the service provider from excessive burdens. Includes limitations on frequency, scope, and cost allocation.

REGULATORY EXAMINATION AND AUDIT RIGHTS

1. Audit Rights. Subject to the limitations set forth herein, the Disclosing Party may conduct audits of the Receiving Party's records and operations relating directly to services provided under this Agreement and the handling of Confidential Information.

2. Audit Procedures and Limitations.

(a) Notice: The Disclosing Party shall provide at least forty-five (45) days' prior written notice of any audit, specifying the scope, duration, and purpose.
(b) Frequency: Audits may be conducted no more than once per calendar year.
(c) Duration: On-site audits shall not exceed five (5) business days without the Receiving Party's consent.
(d) Scope: Audits shall be limited to records and systems directly related to the Disclosing Party's data and services; the Receiving Party shall not be required to disclose information relating to other customers, proprietary methodologies, or trade secrets.
(e) Timing: Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Receiving Party's operations.
(f) Personnel: The Disclosing Party shall identify audit personnel in advance; the Receiving Party may object to any individual with a conflict of interest.

3. Third-Party Reports. The Receiving Party shall make available, upon request:

(a) SOC 1 and SOC 2 Type II audit reports;
(b) PCI-DSS attestation of compliance (if applicable);
(c) ISO 27001 certification (if maintained);
(d) Results of penetration testing (summary form).

The Disclosing Party agrees that receipt of satisfactory third-party reports shall satisfy the Disclosing Party's audit rights for the applicable period, absent specific concerns identified in writing.

4. Regulatory Examinations. The Receiving Party acknowledges that the Disclosing Party is subject to regulatory examination and agrees to:

(a) Permit examination by regulatory authorities having jurisdiction over the Disclosing Party, upon reasonable notice and subject to applicable legal requirements;
(b) Cooperate with regulatory examinations to the extent required by law;
(c) Provide information to regulators through the Disclosing Party where permitted.

The Receiving Party reserves the right to assert any applicable legal privileges or protections in regulatory proceedings, subject to applicable law.

5. Cost Allocation.

(a) The Disclosing Party shall bear the costs of its audits, including auditor fees, travel, and related expenses.
(b) The Receiving Party shall bear only its own internal personnel costs in facilitating audits.
(c) If an audit reveals a material breach by the Receiving Party, the Receiving Party shall reimburse the Disclosing Party's reasonable audit costs.

6. Confidentiality of Audit Information. All information obtained through audits shall be treated as Confidential Information of the Receiving Party and shall not be disclosed to third parties except as required by law or regulation.

7. Remediation. If an audit identifies deficiencies, the parties shall work together in good faith to develop an appropriate remediation plan with reasonable timelines based on the nature and severity of the deficiency.

💬 Key Considerations