Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


Website Accessibility – An Exercise in Third-Party Risk Management

Feb 27, 2018

Website accessibility relates to the practice of designing websites and online content in such a way that individuals with visual, hearing, motor, or cognitive impairments are able to access such content in its native format, or through the use of assistive tools such as screen readers, voice recognition, magnification, etc.


Currently, legislation governing the requirements for accessibility of websites and online content for private companies does not exist (and likely will not for the foreseeable future), though there is an abundance of case law indicating several federal circuit courts and the Department of Justice (DOJ) believe websites are in fact included in Title III of the Americans with Disabilities Act (ADA). Title III of the ADA pertains to public accommodations and providing individuals with disabilities equal access to places of business, goods, and services, without causing the individuals undue burden—physical, financial, or otherwise.


Trade associations such as the Independent Community Bankers Association (ICBA) and the National Association of Federally-Insured Credit Unions (NAFCU) have intervened on behalf of financial institutions, issuing cease and desist orders, lobbying state and federal lawmakers, and even asking the DOJ for clarification, but their efforts have yielded limited results. In this legislative vacuum, a handful of law firms saw an opportunity to cash in by sending targeted businesses demand letters, claiming that their websites are not accessible to the impaired plaintiffs the law firm strategically sought out for this purpose. In addition to correcting website accessibility issues promptly, the business must also pay for the plaintiff’s legal fees in order to avoid further legal action.


While definitive website accessibility legislation has yet to be implemented, website accessibility guidelines have been around since 1999. The World Wide Web Consortium (W3C), the primary international standards organization for the Web, updated its Web Content Accessibility Guidelines (WCAG) in 2008. WCAG 2.0 classifies guidelines into levels A, AA, and AAA, indicating their potential impact on impaired individuals and the degree of difficulty to implement them. WCAG 2.0 level AA has been adopted by countries around the world as the standard for Web accessibility. The U.S. government also adopted it as the standard for all U.S. federal agencies and their websites.


It seems then that financial institutions and other businesses have a clear idea of what to do to avoid such settlements and possible litigation: make their websites WCAG 2.0 level AA compliant. The problem, however, is not what to do, but rather how to do it. Most financial institutions manage their website content, but few are responsible for its underlying design and maintenance, the pieces mostly responsible for website accessibility. This is why a sound third-party risk management program is so important.


Financial institutions should consider the implications of website accessibility in the products and services their vendors provide to them and their customers. That includes website design and maintenance, but also electronic banking products (online and mobile banking, billpay, mobile capture), educational content (tutorials, demos, audio/video clips), e-forms (account applications, enrollments, opt-outs, job applications), and more.


Website accessibility should be discussed with existing vendors and should be included in the due diligence process for new vendor relationships, especially for customer-facing products or services. As appropriate, contracts should spell out the vendors’ responsibility to not only deliver a website, online product, or service that is accessible, but also maintain its accessibility over time.


Financial institutions should have proper legal representation that is well-versed in website -accessibility claims. Considering how frivolous and opportunistic some claims are, financial institutions may be able to simply reject a claim based on eligibility factors, including geographic location and membership requirements. In fact, eligibility was noted as a factor in the website accessibility lawsuit recently won by Virginia-based Northwest Federal Credit Union. While the court’s decision was based on its interpretation that ADA Title III does not pertain to websites (a view that runs counter to existing trends), it was noted that Northwest FCU’s field of membership is limited to current and former CIA employees and their immediate families, a requirement the plaintiff in question did not qualify for.


In addition to legal representation, financial institutions should also understand how their insurance coverage applies to such claims and litigation, especially considering that a settlement is often the quickest and cheapest path to resolution, and one that the insurer may require the institution to agree to in order to file a claim.


At the end of the day, finding vendors who offer website design, online products, or services is easy. Finding a vendor who understands financial institutions, their regulatory requirements, customer privacy concerns, and cybersecurity needs takes something more. It takes a sound third-party risk management program.


Pedro J. Pinto
View Profile