With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.

CFPB Guidance

In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:

  • Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
  • Reviewing the service provider’s policies, procedures, internal controls, and training materials
  • Including clear expectations in written contracts
  • Establishing internal controls and on-going monitoring procedures
  • Taking immediate action to address compliance issues

Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.

The Risk Management Lifecycle and Best Practices

The CFPB is but one of many agencies that have circulated vendor management guidance.  Other federal prudential regulators—most notably the Office of the Comptroller of the Currency—have developed regulatory guidance describing a “lifecycle” for oversight of third parties that supervised institutions are expected to follow.  The risk management lifecycle of a service provider relationship consists of:

  • Planning/risk assessment
  • Due diligence and service provider selection
  • Contract negotiation and implementation
  • Ongoing relationship monitoring
  • Relationship termination/contingency plans

Supplemented by enhanced risk management processes, including meaningful involvement by the Board of Directors and extensive monitoring of performance and condition, the new framework for oversight of third parties can present both cost and operational challenges for all institutions.  Financial institutions would be prudent to implement the following best practices into their vendor management procedures, among others:

  • Staffing sufficiently to ensure that service providers are properly monitored
  • Incorporating Board and senior executive involvement throughout the process
  • Documenting its efforts at every stage of the lifecycle