Friday, October 28, 2016

CFPB's Compliance Bulletin and Policy Guidance 2016-02 - Service Providers: Questions and Answers

Managing Director
Lenders Compliance Group

On Wednesday, October 26, 2016, the CFPB issued updated guidance on service providers, based on its previous issuance of April 13, 2012, titled CFPB Bulletin 2012-03, Subject: Service Providers (“Bulletin”), that had been published in the Federal Register. The Bulletin is a statement of policy that articulates considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority. This new issuance is published in the Federal Register and is titled Compliance Bulletin and Policy Guidance 2016-02, Service Providers (“Guidance”).

Click HERE for a copy of the Guidance and the Bulletin.

Essentially, this updated guidance provides additional clarifications regarding how supervised entities are to manage their risk management program for service providers. It is meant to clarify that “the depth and formality of the risk management program for service providers” may vary depending upon the service being performed (i.e., the service provider’s size, scope, complexity, importance and potential for consumer harm) and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. 

Much of the guidance is a reiteration of the Bulletin, with a reminder that “while due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.” This reiterating of the Bulletin seems to have been made necessary because, although other CFPB Bulletins were published in the Federal Register, it appears that the Bureau did not previously publish Bulletin 2012-03 when it was issued.

I have said all along how important it is to work with an outsource due diligence company, if a financial institution is not going to adequately equip and staff an in-house evaluation function, which means ensuring the presence of competent risk management professionals and the required research tools. This is why we established VendorsCompliance Group as the an outsource evaluator that would be far more than a compilation service. 

These compilation services that hold themselves out as evaluators for vendor management purposes are just putting together and providing a compilation rating. That is simply insufficient, viewed from the standpoint of effective due diligence. Vendors Compliance Group does not merely compile information and documentation, which is only a first step, but also it actually evaluates and risk rates service providers by means of hands-on reviews conducted by risk management professionals using state of the art research methodologies. The evaluator actually is often personally in contact with the bank or nonbank to ensure that there is a strong and steady flow of transaction information. 


When Vendors Compliance Group risk rates a service provider, the supervised bank or nonbank can be sure that it is a rigorously derived, vendor compliance risk rating, provided by a due diligence methodology which stands up to regulatory scrutiny.

Let’s review some basics, as set forth in the Guidance. 
I am going to frame this outline in the form of Questions and Answers for the sake of ensuring a broad understanding of the Bureau’s expectations with respect to service provider evaluations. I will use the Guidance as the source document.

Q: Why is a service provider evaluation necessary?
A: The Bureau expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. 

Q: What is the governing statute for the definition of a Federal consumer financial law?
A: Section 1002(14) of the Dodd- Frank Act (12 U.S.C. 5481(14)).

Q: What institutions are expected to evaluate their service providers?
A: Supervised banks and nonbanks, as follows:
  • Large insured depository institutions, large insured credit unions, and their affiliates (12 U.S.C. 5515); and
  • Certain non-depository consumer financial services companies (12 U.S.C. 5514). 
Q: What service providers are expected to be evaluated?
A: The following supervised entities are to be evaluated:
  • Service providers to supervised banks and nonbanks (12 U.S.C. 5515, 5514); and
  • Service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. 5516).
Q: Specifically, how is the term “service provider” defined by the Bureau?
A: “Service provider” is generally defined in Section 1002(26) of the Dodd-Frank Act as ‘‘any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.’’ (12 U.S.C. 5481(26)) A service provider may or may not be affiliated with the person to which it provides services.


Q: Can supervised banks or nonbanks be absolved of responsibility for complying with Federal consumer law to avoid consumer harm by entering into a business relationship with a service provider? 
A: The mere fact that a supervised bank or nonbank enters into a business relationship with a service provider in order to comply with Federal consumer financial law does not absolve the supervised bank or nonbank of responsibility for complying with Federal consumer financial law. 

Q: What types of concerns should be considered in evaluating service providers?
A: A service provider may be unfamiliar with the legal requirements applicable to the products or services being offered, or it may not make efforts to implement those requirements carefully and effectively, or it may exhibit weak internal controls.

Q: How can a service provider cause harm to a consumer or a supervised institution?
A: It can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship. Indeed, depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with the supervised service provider. The Bureau has stated: “while due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.”

Q: To what extent is vendor compliance and service provider vetting relevant to examinations?
A: Firstly, Title X authorizes the Bureau to examine and obtain reports from supervised banks and nonbanks for compliance with Federal consumer financial law and for other related purposes and also to exercise its enforcement authority when violations of the law are identified. Secondly, Title X also grants the CFPB supervisory and enforcement authority over supervised service providers, which includes the authority to examine the operations of service providers on site. So, the Bureau will exercise the full extent of its supervision authority over supervised service providers, including its authority to examine for compliance with Title X’s prohibition on unfair, deceptive, or abusive acts or practices. Certainly, the Bureau should be expected to exercise its enforcement authority against supervised service providers as appropriate.

Q: What must supervised banks and nonbanks do to ensure compliance with the Guidance?
A: The Bureau expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships. 

Q: Are there criteria to be considered when establishing a vendor compliance or service provider evaluation method?
A: The depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed – the service provider’s size, scope, complexity, importance and potential for consumer harm – and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. 

Q: What steps can be taken by supervised banks and nonbanks to ensure that their business arrangements with service providers do not present unwarranted risks to consumers?
A: Although not meant to be comprehensive, the following five steps should be taken in business arrangements with service providers in order to avoid unwarranted risks to consumers:
  1. Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
  2. Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  3. Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
  4. Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
  5. Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
For more information pertaining to the responsibilities of supervised banks or nonbanks having business arrangements with service providers, please review the Bureau’s Supervision and Examination Manual, at page 34, “Compliance Management Review,” and at page 174, “Unfair, Deceptive, and Abusive Acts or Practices.”