The Consumer Financial Protection Bureau (the “Bureau”) is aggressively making examples of consumer lenders who fall short of its expectations of how the entities should conduct their business. In this instance, the Bureau issued Bulletin 2012-03, Service Providers in April 2012 (“Service Providers Bulletin”) providing explicit guidance as to accountability for the acts of service providers and some general expectations regarding oversight of them. Less than six months later, the Bureau concluded an action against American Express, in large part, for inadequate oversight of service providers. In the Order, American Express consented to implement a new and improved oversight policy, pay a civil penalty of $7.8 million, and pay a minimum of $75 million in restitution. Where the Service Providers Bulletin offered only general guidance, the Order provides significant detail regarding the Bureau’s expectations for monitoring and reviewing service provider contracts and performance.
Service Providers Bulletin makes Clear Supervised Entities are Accountable for Service Provider’s Failure to Comply with Federal Consumer Finance Laws
In the Service Providers Bulletin, the Bureau outlined its expectations for an effective process of managing the risks associated with service provider relationships, offering only the following general guidance on what steps a supervised entity should take to effectively manage the risks service providers may pose to consumers:
- Conduct thorough due diligence to verify the service provider understands and complies with Federal consumer finance laws;
- Review service provider’s policies, procedures, internal controls, and training materials to ensure service provider conducts appropriate training and oversight of its employees;
- Enter into contractual provisions expressing clear expectations about a service provider’s compliance, including enforceable consequences for violating any compliance-related responsibilities;
- Establish internal controls for monitoring service provider’s compliance with Federal consumer finance law; and
- Take prompt action to address problems identified through monitoring process including termination of the service provider, if necessary.
Joint Consent Orders with American Express provide Additional Clarity for Ongoing Monitoring of Service Providers
On October 1, 2012, the Bureau and American Express entered into a Joint Consent Order that, among other things, provides a detailed illustration of the Bureau’s expectations for oversight of service providers. For this action, the Bureau relied on a FDIC Compliance Report of Examination dated February 22, 2011. In its investigation, the Bureau found that American Express’ violations included: 1) deceptive debt collection practices; 2) deceptive marketing; 3) excessive late fees; 4) inadequate credit dispute reporting; and 5) inadequate board and management oversight. The Bureau specifically noted that all but one of the violations was a result of deficient oversight of the Bank’s service providers.
In the Order, the Bureau requires American Express to develop policies to maintain effective monitoring, training, record-keeping and audit procedures for the review of a service provider’s contracts and services. As discussed next, the Order provides supervised entities with explicit examples of what it considers adequate oversight of service providers.
Ongoing Monitoring of Service Providers the Bureau Expects
In the Order, we are provided a road map by which to determine the policies and procedures that should be in place to oversee service provider contracts and performance. A supervised entity should, at a minimum, establish the following policies to manage its service providers:
- Review and approve copies of all marketing and solicitation materials and any other materials provided to consumers, including any scripts;
- Maintain all service provider agreements and approved marketing and solicitation materials in its files;
- Monitor performance of marketing and solicitation programs for new accounts;
- Require service providers to provide prompt notification of any regulatory agency inquiries, customer complaints, and/or any legal actions, and maintain these records;
- Establish procedures to ensure that service providers promptly address and resolve consumer complaints;
- Establish procedures for monitoring and auditing collection activities and customer service call centers;
- Review all service provider materials related to Federal consumer finance laws; including but not limited to the service provider’s policy manuals and procedures;
- Establish procedures to monitor and require service providers to establish and document a training program that includes regular, specific, and comprehensive training in consumer protection laws for all employees of service providers having responsibilities that relate to consumer protection laws, including senior management of the service providers; and
- Management must regularly report to the Board detailing whether service providers are in compliance with service provider agreements. The Board is then responsible for ensuring corrective actions are taken to address the findings of the written report and ensuring a full annual review of compliance by service providers is performed.
The takeaways from the Service Providers Bulletin and the Order are clear—know your service providers before you engage them and monitor them closely for compliance with Federal consumer financial law throughout the life of your agreement.