The CFPB has amended its guidance on vendor management. According to the CFPB, the amendment was necessary to “clarify that the depth and formality of the risk management program for service vendors may vary depending upon the service being performed – its size, scope, complexity, importance and potential for consumer harm.” CFPB Bulletin 2016-02. The Bulletin, like its 2012 predecessor, makes clear that the supervised entities are responsible with their service providers for their service providers’ compliance with federal consumer financial laws. “While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable...”
The Bulletin sets forth a number of nonexclusive steps it expects covered institutions to take in managing their service providers:
- Doing due diligence to ensure their service providers understand and are capable of complying with applicable consumer financial laws;
- Requesting and reviewing their service providers’ policies, procedures, internal controls, and training materials to ensure their service providers are providing adequate training and oversight to ensure compliance with applicable consumer financial laws;
- Providing contractual provisions in their vendor agreements that provide clear expectations of compliance, as well as appropriate and enforceable consequences for any failure to comply;
- Ensuring that service providers are prohibited from unfair, deceptive or abusive acts or practices, as well as violations of specific federal consumer financial laws;
- Establishing internal controls and on-going audits and examinations of service providers to ensure their continued compliance; and
- Taking prompt action to address problems identified through the monitoring process, including termination of relationships, if appropriate.
Moreover, the Bulletin makes clear that the CFPB takes the position that it has supervisory and enforcement authority over bank and nonbank supervised service providers and “will exercise the full extent of its supervisory authority over supervised service providers, including its authority to examine for compliance with Title X’s prohibition on unfair, deceptive, or abusive acts or practices.” Service providers and supervised entities alike can expect the CFPB to expand its enforcement net to include entities which are not otherwise covered by the CFPB.
Supervised entities should review their vendor management policies and shore up any weaknesses in their compliance management systems with respect to their vendor management relationships. Service providers, meanwhile, should be reviewing their own policies and procedures to ensure compliance with all applicable consumer financial laws. Both supervised entities and service providers should review the CFPB’s Supervision and Examination Manual: Compliance Management Review and Unfair, Deceptive and Abusive Acts or Practices.