In April 2012, the Consumer Protection Financial Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. Since then, the Bureau has often referenced the Service Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.
“The CFPB has voiced its dissatisfaction on a number of occasions with supervised entities that fail to perform adequate vendor oversight,” according to Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In particular, nonbanks and service providers that are still coming up-to-speed on federal agency supervision and enforcement have to be alert and aware of important trends in recent enforcement actions that challenge outdated notions of vendor management.”
McGinn notes that a pattern appears to be emerging regarding the Bureau’s preference for the inclusion of certain contractual language in vendor agreements. Confidentiality obligations, audit rights, training responsibilities, and remedies for contractual breaches are among the thornier terms and conditions that may need to be enhanced in light of these developing trends. One of the ways to minimize the vendor management risks is to be proactive when performing due diligence of potential service providers. Thorough examination of a vendor’s policies, procedures, and practices as they relate to compliance with federal consumer financial law is often the most important preventative step that a regulated entity can take to ensure that outsourcing relationships do not expose the financial institution and its customers to costly regulatory risks and unwarranted harm. In addition, consistent, risk-based procedures for monitoring existing service provider relationships are critical to meeting the CFPB’s expectations.
“The notion that a CFPB-supervised entity can avoid liability by asserting that a service provider is responsible for legal violations that caused harm to customers has long been dispelled,” says Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “In fact, in many enforcement actions, the CFPB has gone so far as to prohibit the supervised entity from invoking indemnification rights or insurance coverage to satisfy civil money penalties assessed by the Bureau, even if the supervised entity has negotiated the right to do so in its contract with the service provider.”