Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


How to Comply With the CFPB’s Service Provider Policy Guidance

4 min read
Featured Image

Many third-party risk management (TPRM) guidelines and regulations are designed to protect an organization, and by extension, its customers. Regulators have continuously emphasized the need for robust TPRM practices, like due diligence and ongoing monitoring, and the Consumer Financial Protection Bureau (CFPB) is uniquely focused on how these activities will benefit the consumer.

The CFPB’s Compliance Bulletin and Policy Guidance 2016-02, Service Providers, outlines the agency’s expectations on how supervised banks and nonbanks should oversee their third-party relationships. Failure to comply can result in hefty fines and penalties from the CFPB, not to mention legal fees and reputational damage.

While the guidance is brief, it helps to take a closer look at five specific expectations and learn some tips on how to comply.

5 Tips to Comply With the CFPB’s Compliance Bulletin and Policy Guidance 2016-02

The CFPB’s primary mission is to protect consumers from unfair financial products and services. In other words, an organization  should ensure that its business practices, and those of its vendors, aren’t harmful or deceptive to its customers.

The following components are just some of the strategies that should be included in an organization’s third-party risk management program:

Note: Regulatory guidance is noted in italicized text.

  1. Due diligence Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law

    Tip: Create a standardized list of required due diligence documentation to assess a vendor’s compliance risk. This should include relevant information on federal consumer financial law, as well as local and state laws or regulations.
  2. Documentation review – Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities

    Tip: Identify your vendors that interact with your customers and/or help your organization maintain compliance. Verify that these vendors have employee training and oversight policies in place.
  3. Compliant contractsIncluding in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices

    Tip: Collaborate with your legal team to ensure your vendor contract templates include language about compliance expectations. Existing vendor contracts may need to be renegotiated to include this language.
  4. Ongoing monitoringEstablishing internal controls and ongoing monitoring to determine whether the service provider is complying with Federal consumer financial law

    Tip: Consider using a subscription-based risk monitoring and alert service, which can notify you of any regulatory or guidance changes or emerging risks with your vendor. Continuously monitoring your vendor’s risk and performance can be a large burden, so this type of service can help give you peace of mind.
  5. Issue managementTaking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate

    Tip: Establish an issue management policy that includes details about how to identify, document, track, and resolve a vendor’s non-compliance. This should also include a timeline for resolution and criteria for implementing your organization’s exit strategy.

comply with CFPB service provider policy guidance

3 Strategies for Maintaining Vendor Compliance With the CFPB

A lot of work goes into establishing vendor compliance, especially when you consider that it involves external, internal, and contractual obligations. How do you make sure that vendor compliance is maintained throughout the relationship? 

Consider these strategies:

  • Document and report. Always remember to document any vendor compliance issues and updates to current laws, regulations, or guidance. This information should also be reported to the board and senior management, who can then make decisions about critical vendor relationships. 
  • Keep documentation current. Your vendor’s compliance documentation such as employee training, certifications, and licenses should be kept up to date. Organizing your due diligence documents in a central repository can help you keep track of expiration dates.
  • Monitor industry news. Vendor compliance can be impacted by several factors, from new technology like artificial intelligence (AI) or a negative article about a regulatory violation. Stay informed of your vendor’s industry so you’ll know where to focus your TPRM activities. 

Protecting your organization from third-party risk is an important strategy that meets regulatory expectations and ensures that your business can operate as it should. But remember that your TPRM goals should include protecting two groups – your organization and its customers.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo