It is not often that an informal, three-page bulletin can result in substantial changes to the operations of a significant portion of the economy. However, the Consumer Financial Protection Bureau’s (“CFPB”) April 13, 2012, bulletin did just that: financial services companies both large and small have made and continue to make extensive changes to the way they conduct business and, in many instances, the focus of those changes does not relate directly to their own operations.
In Bulletin 2012-03 (“Bulletin”), the CFPB placed supervised institutions, whether they are banks or non-banks, on notice that it would hold those institutions directly responsible for oversight of the business relationships that they maintain with third-party service providers. The CFPB stated that the supervised institutions are responsible for ensuring that their service providers act in a manner that is consistent with federal law and that supervised institutions make certain that the processes in place to ensure compliance will be designed to protect the interests of consumers in seeking to avoid consumer harm. For purposes of the Bulletin, a “service provider” includes any third party that “provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” Therefore, a significant number of vendors to financial services companies are captured by these requirements.
In drafting the Bulletin, the CFPB sought to place supervised institutions on notice that they cannot abdicate responsibility for compliance by simply hiring a third party to perform certain business functions and trusting that such third party will comply with federal consumer financial laws and regulations. Because a service provider that is unfamiliar with relevant laws and regulations could potentially cause serious consumer harm, the CFPB commands that regulated institutions make certain that their respective service providers are complying with applicable law. In short, responsibility for compliance with federal consumer financial laws is now duplicated – the third-party service provider must comply with applicable laws and the supervised institution also has legal responsibility to ensure compliance. Moreover, the financial institutions, rather than the CFPB, are now the watchdog for these third-party vendors.
To ensure that supervised institutions meet their responsibilities under the Bulletin, the CFPB has confirmed that supervised institutions must have an effective process for managing the risks of outsourcing certain functions to service providers. The CFPB expects that supervised institutions will take the following steps in order to ensure that their vendors do not pose undue risks to consumers: (1) conduct thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial laws; (2) request and review the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts the appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities; (3) include in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices; (4) establish internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial laws and regulations; and (5) take prompt action to fully address any problems identified through the monitoring process, including terminating the relationship where appropriate.
The impact of the Bulletin has been felt by all members of the financial services industry, regardless of whether they are expressly subject to regulation by the CFPB. Prior to the issuance of the Bulletin, financial institutions and major non-depositories already conducted due diligence activities when they hired a third party to conduct activities on their behalf. Unlike the past, however, diligence actions at the onset of a relationship and ongoing monitoring of third parties have changed. Particularly for non-bank regulated entities, ongoing monitoring of third-party vendors did not occur or certainly was limited in scope. Now, financial services companies cannot afford to simply contract with a third party and expect that an entity’s compliance needs will be met. In essence, the issuance of the Bulletin has created a compliance waterfall; requirements imposed upon larger entities are extended to their service providers.
Moreover, the practical impact of vendor management oversight can be felt in recent consent agreements entered into between the CFPB and certain financial service providers. Although the actions are not entirely related to vendor management, agreements where vendor management concerns were raised have resulted in settlements in excess of $600,000,000.
The implications of the CFPB’s Bulletin are many for the financial services industry. For example, supervised institutions are now looking at their information technology providers and attempting to evaluate whether those technology providers maintain appropriate safeguards. However, it is questionable whether a financial services company, or any company for that matter, is in a position to capably evaluate the compliance and safeguards in place in an industry other than its own. For vendors that provide services in a related industry, risk often can be appropriately evaluated by a supervised institution because of the level of familiarity and expertise in the related field. However, when vendors are outside of an institution’s core area of expertise, an evaluation for risk may pose challenges. For example, a financial services company is not in the technology business; institutions purchase critical software programs from third parties so that they can maximize the proficiencies and experience of those companies and then put that technology to use.
The CFPB’s insistence that supervised institutions have responsibility for compliance of third parties makes sense from a consumer protection standpoint: where previously often only one party was responsible for compliance with applicable law, now two parties have that responsibility. However, it undermines the ability of supervised institutions to perform their business functions and to delegate compliance resources to other areas within the business that might benefit from such added resources. Moreover, particularly for smaller supervised institutions, the weight of increased regulation already impacts margins and limits efficiencies in business. So, it remains to be seen whether the vendor management requirements imposed by the CFPB will extend a benefit to consumers or, instead, potentially adversely impact consumers because compliance resources are shifted away from certain core business functions.
Nevertheless, financial services companies have made wholesale revisions to their internal policies and procedures as they relate to the relationships that they maintain with their third-party vendors. These revisions include: (1) reviewing policies and procedures to determine whether there is a review process in place at the onset and during a business relationship with a third party; (2) understanding how the entity will supervise third-party vendors to ensure compliance with applicable law; (3) evaluating how the third-party vendors will ensure compliance with their own legal responsibilities; and (4) evaluating whether internal training materials should be made available to third-party vendors in certain instances to ensure that the necessary level of skill is in place with the vendor’s personnel.
Supervised institutions also have implemented risk ratings on their third-party relationships. Certain characteristics of a vendor and the relationship that an entity maintains with a vendor could mean that such a relationship poses greater or lesser risk. For example, if an entity contracts with a large third party that has a significant level of sophistication, doing so may pose less risk than contracting with a small vendor performing the same functions. However, the degree of reliance upon such third-party vendor may contribute to a differing level of risk. For example, if the engagement is more substantial and the third-party vendor is the only service provider that provides such function to an institution, that relationship poses a greater risk than an engagement that involves multiple companies performing the same service. To control for such risk, financial services companies have developed methods whereby they can rate the risk that a particular engagement poses and then rate the entity or entities that provide services relating to that particular engagement.
Often, trends in the financial services industry quickly expand to other industries. The value of being proactive in the area of vendor management cannot be overstated, as companies that proactively implement vendor management compliance strategies will be better prepared as these requirements extend beyond the financial services space. To do so, follow the example set in the Bulletin, and begin by evaluating what your current process involves when you secure the services of a third-party vendor. To the extent that such process is not robust, we suggest reviewing and revising the relevant policies and procedures concerning that process to enhance the manner in which services are retained. Any new process should involve the review and revision of standard contracts to ensure that your company has the ability to examine and audit third-party vendors for compliance and must ensure that penalties, including termination of the contract, are set forth in the event a vendor does not meet its compliance responsibilities. Such process should involve a thorough due diligence in advance of hiring any key third-party service providers. However, due diligence must not cease at the onset of the contract and instead should continue throughout your relationship with the vendor. Once the new process is established and put in place, evaluate whether the updated process improves your relationships with and performance from third-party service providers, while ensuring that it does not interfere with securing third-party assistance. An appropriate vendor management process will ultimately improve the deliverables your company receives from those third parties, while increasing the protection and overall compliance of your company.
Published June 26, 2014.