The OCC and CFPB consent orders issued against Wells Fargo on April 20 cited deficiencies in third-party oversight practices. The orders are the latest additions to an ever-expanding body of agency enforcement actions targeting such oversight. These enforcement actions began escalating six years ago, in the aftermath of the CFPB’s first-ever consent order against Capital One in July 2012, which involved sales of third-party credit card add-on products.1 Typically, such orders address the subject institution’s failure to prevent its vendor(s) from engaging in unlawful activities. The CFPB’s order against Wells, however, departs from this norm by asserting that Wells itself engaged in unfair practices by improperly force-placing collateral insurance on consumers’ auto loans, which would have been avoided if Wells had acted on the reporting and other information it was receiving from its insurance vendor.
The cost of the erroneously placed insurance was added to the customers’ loan balances, which compounded the resulting overcharges. The CFPB consent order alleges that Wells either knew or should have known that its third-party oversight practices were both insufficient and likely to result in excessive loan payments. In this regard, the order includes findings that Wells:
- failed to monitor sufficiently its vendor and internal processes, resulting in control and execution weaknesses, such as within the insurance-verification and cancelation processes and the protocols for processing refunds
- failed to provide data and information to its vendor that could have allowed the vendor to more effectively execute its obligations
- knew through quarterly reports received from its vendor, as well as its own daily reports, that forced placements of insurance were being canceled at an unusually high rate, and received regular briefings on the root causes of such cancelations
- received presentations from its vendor showing that borrowers who had no lapses in required insurance coverage, or who only had a partial lapse, were improperly required to purchase forced-placed insurance
- was informed by its vendor that since 2005, roughly 28 percent of all of its forced-placed insurance was canceled after it was learned that the borrower had duplicative coverage.
As a result of the forced-placed insurance practices and unrelated unfair practices concerning failure to honor “rate-locks” on consumer mortgage loans, the CFPB ordered Wells to provide monetary remediation to harmed customers totaling $500 million and pay a $1 billion civil penalty. The OCC’s consent order required Wells to pay an additional $500 million civil penalty.
While the enforcement sections of the CFPB and the federal banking agencies were aggressively pursuing enforcement actions against institutions for third-party oversight deficiencies over the past six years, the advisory sections of those agencies were equally active in establishing new and revised expectations for such oversight. In April 2012, the CFPB issued Bulletin 2012-03 (Service Providers), which was revised and reissued in October 2016 as Bulletin 2016-02. In October 2013, the OCC replaced longstanding Bulletin 2001-47 (Third Party Relationships: Risk Management Guidance) with the significantly expanded Bulletin 2013-29. In June 2017, the OCC issued Bulletin 2017-21 (Frequently Asked Questions to Supplement OCC Bulletin 2013-29), which has a strong focus on relationships with fintech companies. And in December 2013, the Federal Reserve Board issued Supervisory Letter 13-19 (Guidance on Managing Outsourcing Risk), which provides guidance to state-member banks. Finally, although the FDIC has yet to revise or reissue FIL 2008-44 (Guidance for Managing Third-Party Risk), in July 2016, the agency solicited public comment on proposed Third Party Lending Guidance, which remains pending.
The agency bulletins regarding third-party oversight expectations issued since 2012 place a much greater emphasis on the institution’s internal control structure for managing third-party risks than the bulletins they replaced. For example, nearly one-half (i.e., 8 out of 17 pages) of OCC Bulletin 2001-47 consisted of a detailed discussion of contract terms, and the bank’s board of directors was mentioned 11 times. In contrast, Bulletin 2013-29 devotes just two pages to contract terms while the board of directors is mentioned 22 times, including in a subsection that outlines the board’s role in an effective oversight program. Reflecting this new emphasis, the OCC premised its $500 million civil penalty against Wells on the institution’s lack of “an effective enterprise-wide compliance risk management program” and not on any deficiencies in contract terms or conditions.
- The CFPB and OCC consent orders against Wells illustrate the enormous potential costs — in the form of customer restitution, civil penalties and damage to business reputation — that may result from an ineffective third-party oversight program.
- The CFPB’s Wells consent order also illustrates that the agency’s new leadership is willing to impose harsh consequences on institutions that engage in unlawful practices that harm consumers. In his public statements, acting Director Mick Mulvaney has said that the CFPB will no longer “push the envelope” in interpreting federal consumer laws and regulations. However, he has also emphasized the agency’s willingness to pursue enforcement actions when quantifiable harm to consumers is shown.
- Ensuring that vendors do not engage in unlawful practices is only one component of an effective third-party oversight program. The CFPB’s Wells consent order shows that it is equally important to act on information that is received from vendors. In this regard, the CFPB’s findings indicate that Wells’s contract with its forced-placed insurance carrier ensured that useful information would be reported to bank management, which was in fact received. However, bank management allegedly grossly failed to take appropriate steps in response to that information.