Friday, October 28, 2016

CFPB's Compliance Bulletin and Policy Guidance 2016-02 - Service Providers: Questions and Answers

Managing Director
Lenders Compliance Group

On Wednesday, October 26, 2016, the CFPB issued updated guidance on service providers, based on its previous issuance of April 13, 2012, titled CFPB Bulletin 2012-03, Subject: Service Providers (“Bulletin”), that had been published in the Federal Register. The Bulletin is a statement of policy that articulates considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority. This new issuance is published in the Federal Register and is titled Compliance Bulletin and Policy Guidance 2016-02, Service Providers (“Guidance”).


Essentially, this updated guidance provides additional clarifications regarding how supervised entities are to manage their risk management program for service providers. It is meant to clarify that “the depth and formality of the risk management program for service providers” may vary depending upon the service being performed (i.e., the service provider’s size, scope, complexity, importance and potential for consumer harm) and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. 

Much of the guidance is a reiteration of the Bulletin, with a reminder that “while due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.” This reiteration of the Bulletin seems to have been made necessary because, although other CFPB Bulletins were published in the Federal Register, it appears that the Bureau did not previously publish Bulletin 2012-03 when it was issued.

I have said all along how important it is to work with an outsource due diligence company, if a financial institution is not going to adequately equip and staff an in-house evaluation function, which means ensuring the presence of competent risk management professionals and the required research tools. This is why we established Vendors Compliance Group as an outsource evaluator that would be far more than a compilation service.

These compilation services that hold themselves out as evaluators for vendor management purposes are just putting together and providing a compilation rating. That is simply insufficient, viewed from the standpoint of effective due diligence. Vendors Compliance Group does not merely compile information and documentation, which is only a first step; it also evaluates and risk rates service providers by means of hands-on reviews conducted by risk management professionals using state-of-the-art research methodologies. The evaluator is often personally in contact with the bank or nonbank to ensure that there is a strong and steady flow of transaction information.

When Vendors Compliance Group risk rates a service provider, the supervised bank or nonbank can be sure that it is a rigorously derived vendor compliance risk rating, provided by a due diligence methodology which stands up to regulatory scrutiny.

Let’s review some basics, as set forth in the Guidance. 
I am going to frame this outline in the form of Questions and Answers for the sake of ensuring a broad understanding of the Bureau’s expectations with respect to service provider evaluations. I will use the Guidance as the source document.

Q: Why is a service provider evaluation necessary?
A: The Bureau expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. 

Q: What is the governing statute for the definition of a Federal consumer financial law?
A: Section 1002(14) of the Dodd-Frank Act (12 U.S.C. 5481(14)).

Q: What institutions are expected to evaluate their service providers?
A: Supervised banks and nonbanks, as follows:
  • Large insured depository institutions, large insured credit unions, and their affiliates (12 U.S.C. 5515); and
  • Certain non-depository consumer financial services companies (12 U.S.C. 5514).

Q: What service providers are expected to be evaluated?
A: The following supervised entities are to be evaluated:
  • Service providers to supervised banks and nonbanks (12 U.S.C. 5515, 5514); and
  • Service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. 5516).

Q: Specifically, how is the term “service provider” defined by the Bureau?
A: “Service provider” is generally defined in Section 1002(26) of the Dodd-Frank Act as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (12 U.S.C. 5481(26)) A service provider may or may not be affiliated with the person to which it provides services.