On November 1, the CFPB issued an update to its previous guidance on risk management for third-party service providers. The update is substantially similar to the Bureau’s previous guidance on third-party risk management, but clarifies that the depth and formality of an entity’s risk management program for service providers may vary depending upon (i) the service being performed, and (ii) the service provider’s compliance with federal consumer financial laws and regulations. With this update, the CFPB emphasized that supervised entities have flexibility to allow appropriate risk management of these relationships.