On October 26, 2016, the CFPB revised its Compliance Bulletin on service providers, stating that prior guidance must be updated to clarify that although supervised entities are expected to have an effective service provider risk management program, supervised entities have some degree of flexibility to determine the appropriate level of risk management for their service providers.
The new CFPB Bulletin 2016-02 replaces CFPB Bulletin 2012-03, which announced that the CFPB would expand its examination scope beyond supervised institutions themselves and look at their service providers’ interactions with consumers as well. Specifically, CFPB Bulletin 2012-03 stated that the CFPB expects supervised institutions to have an effective process for managing service provider relationships, and that supervised institutions would be held accountable for violations of consumer financial laws committed by their service providers.
The new CFPB Bulletin restates the CFPB's previous guidance on service providers and adds the following new language regarding appropriate risk management:
"The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed – its size, scope, complexity, importance and potential for consumer harm – and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable…"
CFPB Compliance Bulletin 2016-02 also reiterates the steps that the CFPB expects supervised entities to take to ensure that their business arrangements with service providers do not present unwarranted risks to consumers. According to the CFPB Bulletin, these steps should include, but are not limited to: (1) Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law; (2) Requesting and reviewing the service provider’s policies, procedures, internal controls and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities; (3) Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive or abusive acts or practices; (4) Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with Federal consumer financial law; and (5) Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
The new CFPB Bulletin is available in the Federal Register here: https://www.gpo.gov/fdsys/pkg/FR-2016-10-26/pdf/2016-25856.pdf?utm_campaign=subscription%20mailing%20list&utm_source=federalregister.gov&utm_medium=email.