Friday, October 28, 2016

CFPB's Compliance Bulletin and Policy Guidance 2016-02 - Service Providers: Questions and Answers

Managing Director
Lenders Compliance Group

On Wednesday, October 26, 2016, the CFPB issued updated guidance on service providers, building on its previous issuance of April 13, 2012, titled CFPB Bulletin 2012-03, Subject: Service Providers (“Bulletin”), which had not been published in the Federal Register. The Bulletin is a statement of policy that articulates considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority. The new issuance is published in the Federal Register and is titled Compliance Bulletin and Policy Guidance 2016-02, Service Providers (“Guidance”).

Click HERE for a copy of the Guidance and the Bulletin.

Essentially, the updated guidance provides additional clarification regarding how supervised entities are to manage their risk management program for service providers. It makes clear that “the depth and formality of the risk management program for service providers” may vary depending upon the service being performed (i.e., the service’s size, scope, complexity, importance and potential for consumer harm) and on the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.

Much of the Guidance is a reiteration of the Bulletin, with a reminder that “while due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.” The reissuance appears to have been made necessary because, although other CFPB Bulletins were published in the Federal Register, the Bureau did not publish Bulletin 2012-03 there when it was issued.

I have said all along how important it is to work with an outsource due diligence company if a financial institution is not going to adequately equip and staff an in-house evaluation function, which means ensuring the presence of competent risk management professionals and the required research tools. This is why we established Vendors Compliance Group as an outsource evaluator that would be far more than a compilation service.

The compilation services that hold themselves out as evaluators for vendor management purposes merely assemble documentation and produce a compilation rating. That is simply insufficient, viewed from the standpoint of effective due diligence. Vendors Compliance Group does not merely compile information and documentation, which is only a first step; it actually evaluates and risk rates service providers by means of hands-on reviews conducted by risk management professionals using state of the art research methodologies. The evaluator is often in personal contact with the bank or nonbank to ensure a strong and steady flow of transaction information.

When Vendors Compliance Group risk rates a service provider, the supervised bank or nonbank can be sure that it is a rigorously derived, vendor compliance risk rating, provided by a due diligence methodology which stands up to regulatory scrutiny.

Let’s review some basics, as set forth in the Guidance. 
I am going to frame this outline in the form of Questions and Answers for the sake of ensuring a broad understanding of the Bureau’s expectations with respect to service provider evaluations. I will use the Guidance as the source document.

Q: Why is a service provider evaluation necessary?
A: The Bureau expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. 

Q: What is the governing statute for the definition of a Federal consumer financial law?
A: Section 1002(14) of the Dodd-Frank Act (12 U.S.C. 5481(14)).

Q: What institutions are expected to evaluate their service providers?
A: Supervised banks and nonbanks, as follows:
  • Large insured depository institutions, large insured credit unions, and their affiliates (12 U.S.C. 5515); and
  • Certain non-depository consumer financial services companies (12 U.S.C. 5514).

Q: What service providers are expected to be evaluated?
A: The following service providers, over which the Bureau has supervisory authority, are to be evaluated:
  • Service providers to supervised banks and nonbanks (12 U.S.C. 5515, 5514); and
  • Service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. 5516).

Q: Specifically, how is the term “service provider” defined by the Bureau?
A: “Service provider” is generally defined in Section 1002(26) of the Dodd-Frank Act as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (12 U.S.C. 5481(26)) A service provider may or may not be affiliated with the person to which it provides services.

Tuesday, October 11, 2016

Cybersecurity - A Model Approach

Managing Director
Lenders Compliance Group

As some of you know, Lenders Compliance Group is the first risk management firm in the country to provide both a risk assessment and a disaster recovery plan for banks and nonbanks. The goal is to make the due diligence approach both affordable and consequential. Importantly, the resulting findings must withstand regulatory scrutiny, since liability for implementing Information Technology, Information Security, and Cybersecurity requirements remains with the financial institution. The review process is conducted by Kevin Origoni, our Director/IT-IS-Cybersecurity, who is a Six Sigma awardee for his knowledge and experience. Our attention to this area has only grown as federal and state regulators have become very active in implementing disaster recovery and cybersecurity guidelines.

Our attentiveness has been borne out by the recently proposed cybersecurity regulation issued by the New York State Department of Financial Services (DFS). The regulation would impose significant cybersecurity standards on the entities DFS supervises. The proposal is subject to a 45-day public comment period, which will end on November 14, 2016. Importantly, some of these standards exceed current state and federal requirements. It is valuable, therefore, to take a brief look at these prospective standards.

The proposed regulation would apply to entities operating or required to operate under a license, registration or other authorization under the New York Banking Law, Insurance Law or Financial Services Law. These covered entities include:
  • New York state chartered banks,
  • New York licensed branches and agencies of foreign banks,
  • insurance companies,
  • money transmitters,
  • licensed lenders,
  • mortgage brokers, and
  • mortgage bankers, lenders and servicers.

Certain small entities would be exempt from some, but not all, of the requirements of the proposed regulation.

If adopted, the proposed regulation would require covered entities to adopt a written cybersecurity program and implement various safeguards to protect nonpublic information, as broadly defined in the proposal. Covered entities would have to annually certify to the DFS their compliance with the proposed regulation.

We believe that the DFS proposal will set a nationwide standard for cybersecurity and should be carefully considered as a model for disaster recovery, IT, IS, and cybersecurity requirements.

As currently drafted, the proposed regulation is prescriptive and, in several respects, goes beyond the requirements imposed by the federal banking regulators on the depository institutions they supervise. For instance, guidance provided by the Federal Financial Institutions Examination Council (FFIEC) in its September 2016 Examination Handbook suggests that financial institutions should implement the type and level of encryption that is commensurate with the sensitivity of the information being protected. The FFIEC does not, however, mandate that all nonpublic information be encrypted both in transit and at rest, as the DFS has proposed. The DFS proposal also appears to require multi-factor authentication in a much broader range of circumstances than the guidance provided by federal regulators to depository institutions, which is focused mostly on online banking.

Similarly, the federal banking regulators require financial institutions to provide notice of information security breaches involving unauthorized access to or use of sensitive customer information; the DFS, however, would mandate notification within 72 hours of becoming aware of a cybersecurity event, as the proposal defines that term, a fixed timeframe which the federal banking regulators do not impose.

The DFS sets forth standards for policies and procedures. Each covered entity’s cybersecurity program would need to be designed to ensure the confidentiality, integrity and availability of the covered entity’s information systems and to perform the following functions: