On October 31, 2016, the Bureau of Consumer Financial Protection (“CFPB”) reissued Bulletin 2012-03 (Service Providers) to clarify certain aspects of the risk management program for service providers. The intention behind the release is to clarify that appropriate risk management can be accomplished through giving flexibility to supervised entities.
The CFPB expects supervised banks and non-banks to properly provide oversight to their respective service providers to ensure compliance with Federal consumer financial law and to prevent consumer harm. Section 1002(26) of the Dodd-Frank Act (12 U.S.C. 5481(14)) defines a service provider as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” The fact that a supervised bank or non-bank enters into a relationship with a service provider does not mean such bank or non-bank is absolved from liability for the service provider’s product. The supervised bank or non-bank may be liable for its service provider’s unfair, deceptive, or abusive acts or practices towards consumers. Circumstances triggering supervised bank or non-bank liability include a service provider’s unfamiliarity with legal requirements applicable to the product provided, inadequate efforts to implement such requirements carefully and effectively, and insufficient internal controls, among others. Title X authorizes CFPB to exercise enforcement authority over supervised service providers, which includes the ability of CFPB to examine supervised service provider operations on site.
Under the reissued bulletin, the CFPB clarifies that a supervised bank or non-bank risk management program may vary depending on the service being performed. Factors taken into consideration include the service’s size, scope, complexity, importance and potential for customer harm. The CFPB provides that supervised banks and non-banks should take the following steps with service providers:
- Conduct a thorough due diligence to ensure service provider has the requisite knowledge and capacity to comply with Federal consumer financial law;
- Review the service provider’s policies, procedures, internal controls, and training materials to ensure they provide for appropriate operations and oversight;
- Draft contractual provisions with the service provider that provide “clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices”;
- Establish internal controls and monitoring procedures for surveillance of the service provider to ensure service provider is abiding by Federal consumer financial law; and
- “Promptly” react to identified problems, including terminating the relationship when necessary.