May’s “Compliance Matters” blog post, written by Fred Gooch, general counsel and vice president of Compliance, takes a closer look at maintaining vendor relationships under the Consumer Financial Protection Bureau’s (CFPB) unprecedented and stringent vendor management policies. The goal of this new mandate is to ensure financial institutions are communicating and monitoring their third party relationships, and also have effective policies in place to guarantee its vendors are complying with consumer protection laws.
A lender cannot delegate its responsibility for ensuring compliance by outsourcing to a vendor – it simply assumes the vendor’s in addition to their own. A CFPB bulletin (2012-03) and subsequent enforcement actions, make it clear the Bureau will hold lenders responsible for the actions of their vendors. The CFPB expects all lenders to implement a comprehensive compliance management system. It considers oversight of affiliate and third party service providers to be a key component of an effective compliance management system. Vendor management guidelines are not a new issue for banks, but it is a relatively new requirement for other entities that are now regulated.
When comparing past vendor management guidance with current Bureau standards, it is important to note that guidance the Bureau provides expands the coverage and responsibility for vendor management to many other financial institutions. The prior guidance was focused on safety and soundness of financial institutions, while recent Bureau guidance is targeted on consumer protection – a focus that is consistent with their purposes and goals.
The CFPB requires supervised entities to “oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” Once you have identified your applicable service providers, consider how critical they are to your ongoing business, how to gauge the risks associated with their service and outline any potential contact the service provider will have with your customers. This analysis will help you determine the applicable level of supervision if necessary.
Effective supervision generally requires you to conduct thorough due diligence; Request and review the service providers’ policies, procedures, internal controls and training materials; Include terms in your contracts with vendors that provide clear expectations regarding compliance and contain enforceable consequences for compliance violations and unfair and deceptive practices; Establish internal controls for ongoing monitoring; and adopting processes and procedures that take prompt measures if problems occur.
Ensure your third party vendors are able to perform the services required in a manner that is in compliance with all applicable laws and in a way that is not deceptive or unfair to the consumer. Establish relationships with vendors that have a proven track record of success, are financially secure and have employees that are experts in their particular field with a commitment to adapting changing rules and requirements.