In 2012, the Consumer Financial Protection Bureau issued a bulletin indicating that it expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law. But until recently, the CFPB had not used its supervisory and enforcement authority over service providers directly. Recent enforcement actions and the Bureau's Spring 2017 Supervisory Highlights confirm that the Bureau is growing more focused on the activity of service providers.

The Dodd-Frank Act defines "service provider" as any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service, including a person that (i) participates in designing, operating, or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service. While the statute exempts certain vendors (such as general data processors and media advertisers), the term is probably broad enough to encompass most vendors who provide work for consumer finance companies-primarily because the term "material" is undefined.

Cases involving service providers suggest that a vendor's services are sufficiently "material" if they are important or necessary to providing a consumer financial service or product. For example, claims that entities prequalified students for private loans, performed underwriting, screened accounts for fraud, and acted as liaisons between depository institutions and payment processors sufficiently alleged materiality. In each case, the court focused on the vendors' substantial involvement in the operation or maintenance of consumer financial products and services.

Recent CFPB enforcement actions also indicate that the term "service provider" can include marketing companies; credit card add-on vendors; identity theft protection companies; lead generators; and lead aggregators. In each of those actions, the activity of the vendors amounted to heavy participation in the design, operation, or maintenance of consumer-facing financial products or services offered by covered entities. Notably, the CFPB brought actions directly against each of the technology companies.

CFPB supervisory activity also reflects the mounting concern with service providers demonstrated through enforcement activity. In the CFPB's Spring 2017 Supervisory Highlights, the Bureau announced its new "service provider examination program," where the CFPB will supervise service providers directly. The Bureau is admittedly concerned with companies providing technological support to facilitate compliance with federal consumer financial law, "including software packages, electronic system platforms, and other types of technological tools." But given these developments, all vendors providing an important service to a company offering consumer financial products or services should be concerned with their obligations under Dodd-Frank.