As the regulatory magnifying glass continues to intensify for financial institutions, many are choosing to outsource important business functions to third party service providers. Third party service providers can increase efficiency and provide cost savings for financial institutions; precisely why more vendor services are being sought. However, the Consumer Financial Protection Bureau (CFPB) has made it clear institutions must implement effective vendor management policies to ensure that vendors are complying with consumer protection laws.
The vendor relationship guidelines published by the CFPB are a vague generalization of what they truly require; partly to allow lenders flexibility in monitoring vendors based on several different risk factors. Unfortunately, this broad approach also leads to frustration and an overall lack of understanding as to what is an adequate vendor management program.
It is crucial that lenders consider multiple factors when choosing a vendor and to continue monitoring them based on the potential risks associated with the services provided. Lenders must consider all these components to ensure a healthy relationship with their vendors—which reduces risk, increases efficiency and ensures a positive experience with their customers.
A lender cannot delegate its responsibility for ensuring compliance by outsourcing to a vendor—it simply assumes the vendor’s in addition to their own. A CFPB bulletin (2012-03) and subsequent enforcement actions, make it clear the Bureau will hold lenders responsible for the actions of their vendors. The CFPB expects all lenders to implement a comprehensive compliance management system. It considers oversight of affiliate and third party service providers to be a key component of an effective compliance management system. Vendor management guidelines are not a new issue for banks, but it is a relatively new requirement for other entities that are now regulated.
The key to an effective and appropriate vendor management strategy is found in the referenced CFPB bulletin above and in other sources [OCC 200-9: Third-Party Risk, NCUA Letter 01-CU-20: Due Diligence Over Third Party Service Providers (2001) and OCC 2001-47: Third-Party Relationships.] Reviewing these sources of guidance, along with an assessment of the risks associated with each vendor relationship, is vital for a compliant, working relationship.
When comparing past vendor management guidance with current Bureau standards, it is important to note that guidance the Bureau provides expands the coverage and responsibility for vendor management to many other financial institutions. The prior guidance was focused on safety and soundness of financial institutions, while recent Bureau guidance is targeted on consumer protection—a focus that is consistent with their purposes and goals.
Your Vendor Compliance Checklist
The CFPB requires supervised entities to “oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.”
The first step in ensuring compliance is identifying your applicable service providers. For the purpose of supervision, a service provider is defined as “any person who provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.”
Once you have identified your applicable service providers, consider how critical they are to your ongoing business, how to gauge the risks associated with their service and outline any potential contact the service provider will have with your customers. This analysis will help you determine the applicable level of supervision if necessary.
Effective supervision generally requires you to conduct thorough due diligence; Request and review the service providers’ policies, procedures, internal controls and training materials; Include terms in your contracts with vendors that provide clear expectations regarding compliance and contain enforceable consequences for compliance violations and unfair and deceptive practices; Establish internal controls for ongoing monitoring; and adopting processes and procedures that take prompt measures if problems occur.
Ensure your third party vendors are able to perform the services required in a manner that is in compliance with all applicable laws and in a way that is not deceptive or unfair to the consumer. Establish relationships with vendors that have a proven track record of success, are financially secure and have employees that are experts in their particular field with a commitment to adapting changing rules and requirements.