Contemporary Letter

Document Sample
Contemporary Letter Powered By Docstoc
					New Jersey Department of Community Affairs                                               9/6/2001
Division of Local Government Services                                               EGG Number: 5

                    E-Government for Government
                    Donald T. DiFrancesco        Jane M. Kenny            Anthony C. Cancro
                    Acting Governor              Commissioner             Acting Director

                    Distribution: All Local Unit Chief Administrative Officers, Chief Finance
                    Officers, and Purchasing Agents. Municipal Clerks to forward to Governing Body
                    and recreation program officials.

                              On-Line Registration Services
Third-party service providers are                     waters,” prudence should temper the risk-
organizations that provide computer                   taking of these ventures.
services and expertise to handle specified
functions for their clients. Third-party              In most instances, the local unit may
service providers are often called upon to            choose to use a third-party service provider
provide services through the Internet for             because it does not have the expertise or
their clients. This EGG provides local units          resources to perform the requested
with guidance on the use of third party               services in a cost effective manner. To use
service providers for on-line registration            these services a local unit must enter into a
services.                                             contractual relationship with the third-party
                                                      service provider.
On-line registration services, for the
                                                      A third-party service provider should
purpose of this EGG, are those services
                                                      demonstrate to the local unit that the
that allow program participants to use a
                                                      service being offered meets their needs. As
website to register for local government
                                                      appropriate to the service, the third-party
programs and pay the program fees by
                                                      service provider’s representations or
credit card. Typically, the activities would
                                                      assertions should relate to the provider’s
include registrations for sports teams, bus
                                                      business practices, transaction integrity,
trips, community theater tickets and other
                                                      security, online privacy, system availability,
activities that might be a part of a
                                                      confidentiality, and non-repudiation. If the
municipality’s recreation or senior citizen
                                                      local unit does not secure such
                                                      representations the local unit may be
             What To Expect                           purchasing an unknown or uncertain
                                                      product. A local unit’s lack of expertise of
                                                      on-line registration services can present an
The advent of Internet-based service
                                                      additional challenge when determining if
providers presents new challenges for local
                                                      claims made by the third-party service
governments. Many businesses on the
                                                      provider are accurate or significant. From
Internet can provide valuable services at
                                                      the standpoint of the third party service
lower costs; however, they may involve
                                                      provider industry - this problem results in
risks because the businesses are new and
                                                      client reluctance to use their services. To
local units may be uncomfortable in using
                                                      allay the fears of clients, third-party service
relatively untested services. Thus, for
                                                      providers have opted in any of a number of
those local units looking to “test the

101 South Broad Street                         PO Box 803                    Trenton, NJ 08625-0803                          609.943.4724
On-Line Registration Services                                                    9/6/2001
EGG Number: 5                                                                       Page 2

ways to deal with the reservations of               What Local Units Can Do

   1) Some have published their policies    Obtain guidance before signing a
      (examples include the privacy         contract
      policies posted on many web pages);   The local unit should seek out information
                                            or advice to determine what requirements
   2) Some follow a self-declaratory        should be deemed important of a third-
      model, tagging their sites with the   party service provider. Having determined
      standards declared to be in use       the levels of service (privacy, security,
      (BetterWeb, TRUSTe, BBB Online);      availability, etc.) that are crucial, the local
                                            unit should then determine what level of
                                            assurance it wants from the third-party
   3) Some have tagged their pages          service provider.
      with information on peer
      opinions and shopper ratings          Require written and measurable
      (e.g., BizRate consumer-rated         assurances as a part of the contract
                                            The local unit has no assurances if the
                                            third-party service provider does not offer
   4) Some have tagged their pages
                                            any written documentation. Even if the
      with an expert opinion on their
                                            third-party service provider does submit
      ongoing practices (WebTrust);
                                            documentation, the local unit may not be
   5) Some will provide financial           able to detect or determine compliance.
      guarantees of service to the          Thus, in addition to written guarantees, the
      customer in the form of performance   local unit should make certain that the
      bonds or other guarantees; or         agreed upon assurances are physically met.
                                            This may be done through testing, checking
                                            with users, and ensuring that contract
   6) Those involved in processing          provisions are being met.
   financial transactions may provide
                                            Require that assurances meet industry
   American Institute of Certified
   Public Accountants Statement on
   Auditing Standards (SAS) #70             With the exception of WebTrust, the
   audits. A SAS #70 report is              services listed above, do not offer
   authoritative guidance that allows       continuous monitoring of third-party service
   service organizations to disclose        providers by independent experts. Due to
   their internal control activities and    the cost of WebTrust compliance, most
   processes to their customers and         third-party service providers who are
   their customers' auditors in a           concerned with the application of security
   uniform reporting format. Being          and privacy standards subscribe to the self-
   able to examine an independent           declaratory model.
   auditor’s review of the providers
   internal control activities can          As a guide, the local unit may apply the
   provide insight on the ability of the    following with regard to reasonable
   provider to perform the services.        expectations of a third-party service
On-Line Registration Services                                                     9/6/2001
EGG Number: 5                                                                        Page 3

   1. When choosing to use a third-party          3. Although the claims themselves are
      service provider, the local unit should        critical, the degree to which the local
      look for claims that are reasonable,           unit will rely on the accuracy of such
      given the relationship it will have            claims will determine what level of
      with the third-party service provider.         assurance will be required of the
      If that provider cannot or will not            provider. The local unit needs to do
      provide such claims in writing, it is          its homework! Some providers may
      appropriate not to consider that               be able to provide the local unit with
      provider.                                      a current SAS #70, SysTrust, or
                                                     WebTrust report. The local unit,
   2. If the services expected from the              could also pay for a similar
      third-party service provider are               examination to be performed.
      generally accepted industry
      standards, the claims offered by the        4. Know the third-party service
      provider should meet those                     provider. In the vast majority of
      standards. Examples of industry                cases, the local unit will have to do
      standards include, but are not limited         its own legwork. It is recommended
      to, BetterWeb, TRUSTe, BBB Online              that the local unit visit the provider’s
      and WebTrust. However, the                     facilities, ask questions, and get
      standards tend to be specific in               references. Don’t rely solely on
      nature. Therefore, if the user wants           references given by the provider! Go
      to know if a particular website meets          to the provider’s website and find
      a standard regarding privacy or                users that were not listed on the
      security, the user should look at the          provider’s reference list and call
      seal or “through the seal” to                  them. Try other local unit’s sites,
      determine its coverage. Looking                and get comments from residents or
      “through the seal” means to click on           groups that use the sites, not just
      the seal found on a web page to see            the municipality that sponsors the
      that the provider is current with its          sites you sample
      representations, and what the
      standards are that are being applied.       5. Use good judgment. Rules like “If it
      The following are examples of some             sounds too good to be true, it
      of the seals you may encounter:                probably is,” are important to apply
                                                     in this context. Third-party service
                                                     providers are in a relatively new
                                                     industry when it comes to taking
                                                     advantage of the Internet. Many
                                                     such third-party service providers
                                                     overestimate their own capacity or
                                                     rely on their technical experience
                                                     without having any in-depth
                                                     knowledge of the services they are

                                                Involve the governing body
On-Line Registration Services                                                        9/6/2001
EGG Number: 5                                                                           Page 4

Don’t wait until the contract goes to the         Under the Contracts Laws, this service
governing body for approval before getting        qualifies as a “concession” type of contract.
their input! Going to a Web-based                 Under concession provisions, where the
registration can be fun and challenging; be       service involves a “pass-through” of
sure to get support at each step along the        revenue, the determination of the bid-
way. Also, the input of the users can be          threshold is based on the amount of
critical to a successful implementation.          revenue retained by the service provider,
                                                  not the total fee of the program.
Have a non-Internet alternative plan
                                                  Thus, in an activity registration service, the
                                                  amount of the contract is based on the
                                                  amount of revenue generated by the
If the local unit is going to provide a service
                                                  service charge to the local unit or the users
through an Internet-based third-party
                                                  of the service. If the estimated amount of
service provider, make certain that people
                                                  the service charge exceeds the bid
without access to the Internet can take
                                                  threshold of the local unit, the concession is
advantage of whatever program is being
                                                  subject to public bidding or competitive
offered. For example, if activity
                                                  contract procurement. If the amount is
registration over the Internet is being
                                                  under the bid threshold, normal quotation
offered, also permit residents, who do not
                                                  or sound business practices are used.
have or want to use the Internet, to
register at an office (even if it’s the local
unit’s staff accessing the website for them).         Application of the Local Fiscal
                                                               Affairs Law

     Application of the Local Public              A third-party service provider, though an
            Contracts Laws                        agent of the contracting unit, is an
                                                  independent entity. As such, its collection
The Local Public Contracts Laws applies to        practices, depository relationships, holding
Internet-based third-party service providers      periods, and requirements for forwarding of
as they do to non-Internet based third-           funds to the contracting unit are controlled
party service providers. One primary              by the provider’s management and
difference between Internet and non-              contracting terms. Therefore, contracts
internet based providers, is that the             with third-party service providers should
business model of some service providers          specify the local unit’s requirements. These
do not charge the local unit for their            may include the timing for forwarding
services.                                         payments or collection of fees from moneys
                                                  received. Such contract provisions are vital
In these instances, it is the user of the         because the third-party service provider is
service that pays fees, which may be              not necessarily bound by the statutes and
incorporated into the cost of services. An        regulations that apply to the local unit.
example of this service is an activity
registration service where the vendor adds        For example, a third-party service provider
a service charge to the cost normally             is not required to comply with the statutory
charged by the local unit as the provider’s       provision that funds must be deposited
fee, while only the base fee is remitted to       within 48 hours. Typically third-party
the local unit.                                   service providers will hold money collected
                                                  for periodic transfer to the local unit.
                                                  However, the local unit will want funds
On-Line Registration Services                                                     9/6/2001
EGG Number: 5                                                                        Page 5

transferred quickly so that it can cover the   to be covered by a fidelity bond, a third-
costs of programs.                             party service provider should provide the
                                               contracting unit with sufficient bonds or
The contract should explicitly state when      insurance naming the contracting unit as
and how such transfers should take place.      loss payee, to cover the highest cumulative
The options may include:                       level of risk for the calculated exposure that
   • daily automatic transfers which could     will exist.
      increase contract costs;
   • to allow the third-party service          Remember that the third-party service
      provider to hold funds to the date of    provider is representing the local unit. The
      an event; or,                            contract is more than a simple expression
   •   to allow the third-party service        of economic requirements. It is the formal
      provider to hold the funds up to a       recognition of both party’s expectations.
      certain date.                            Do not accept a boilerplate contract from a
                                               vendor for these services. The local unit’s
Under current law, transfers can be made       governing body and its management should
electronically, by phone, by fax, or by        see to it that their concerns are clearly
paper instruction, in addition to the          expressed in the contract.
traditional check. The contracting unit
should favor the fastest and most secure       For further information on on-line
means of receiving funds, which will           registration third-party services please call
typically be an automated bank-to-bank         609.943.4724 or email us at
transfer of funds. Whatever methods and
timing are determined should be a part of
the contract.

The Local Fiscal Affairs Law is intended to
safeguard the public resources entrusted to
the government unit. The local unit should
hold a third-party agent to the same
standards of internal controls that it uses.
This is accomplished in two ways within the
contract. First, certain standards may be
required as to the timeliness, accuracy and
completeness of reporting provided by the
third-party service organization. Secondly,
the third-party service provider must
assume responsibility for any losses that
occur as a result of its operations.

Applying the guidelines on page 3 can help
the local unit avoid problems before they
occur. Nevertheless, steps should also be
outlined in the contract that specifically
identify remedies when errors and loss do
take place. These may include damages,
penalties, and termination of the contract.
Just as the law requires certain employees

Shared By: