Many third-party risk management (TPRM) guidelines and regulations are designed to protect an organization and, by extension, its customers. Regulators have consistently emphasized the need for robust TPRM practices such as due diligence and ongoing monitoring, and the Consumer Financial Protection Bureau (CFPB) is particularly focused on how those practices benefit the consumer.
The CFPB’s Compliance Bulletin and Policy Guidance 2016-02, Service Providers, sets out the agency’s expectations for how supervised banks and nonbanks should oversee their third-party relationships. Failing to meet those expectations can result in fines and penalties from the CFPB, as well as legal fees and reputational damage.
The guidance is brief, but it is worth looking closely at five specific expectations it sets and at some practical ways to meet each one.
5 Tips to Comply With the CFPB’s Compliance Bulletin and Policy Guidance 2016-02
The CFPB’s primary mission is to protect consumers from unfair, deceptive, or abusive financial products and practices. In practice, this means an organization must ensure that its own business practices, and those of its vendors, are not harmful or deceptive to its customers.
The following components are among the strategies that should be included in an organization’s third-party risk management program:
Note: The text of each expectation is quoted from the bulletin; each is followed by a tip on how to meet it.
- Due diligence – “Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law”
Tip: Create a standardized list of the due diligence documentation required to assess a vendor’s compliance risk. Cover the vendor’s obligations under federal consumer financial law as well as any applicable state and local laws or regulations.
- Documentation review – “Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities”
Tip: Identify which of your vendors interact with your customers or support your compliance obligations. Verify that each of these vendors has documented employee training and oversight policies, and ask for evidence that the training is actually delivered rather than only written down.
- Compliant contracts – “Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices”
Tip: Work with your legal team so that your vendor contract templates state compliance expectations and the consequences of violating them. Existing vendor contracts may need to be amended or renegotiated to add this language.
- Ongoing monitoring – “Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with Federal consumer financial law”
Tip: Establish internal controls that test, on a defined schedule, whether the vendor is meeting its compliance obligations. A subscription-based risk monitoring and alert service can notify you of regulatory or guidance changes and of emerging risks at a vendor, which reduces the monitoring burden, but it supplements your own controls rather than replacing them.
- Issue management – “Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate”
Tip: Establish an issue management policy that describes how to identify, document, track, and resolve a vendor’s non-compliance. It should also set a timeline for resolution and the criteria that trigger your organization’s exit strategy.
3 Strategies for Maintaining Vendor Compliance With the CFPB
A lot of work goes into establishing vendor compliance, especially since it involves external, internal, and contractual obligations. How do you make sure that compliance is maintained throughout the relationship?
Consider these strategies:
- Document and report. Document every vendor compliance issue, along with updates to the laws, regulations, or guidance that apply. Report this information to the board and senior management so they can make informed decisions about critical vendor relationships.
- Keep documentation current. Your vendors’ compliance documentation, such as employee training records, certifications, and licenses, should be kept up to date. Organizing due diligence documents in a central repository makes it easier to track expiration dates.
- Monitor industry news. Vendor compliance can be affected by many factors, from the adoption of new technology such as artificial intelligence (AI) to a news report of a regulatory violation. Stay informed about your vendors’ industries so you know where to focus your TPRM activities.
Protecting your organization from third-party risk meets regulatory expectations and keeps your business operating as it should. But remember that your TPRM goals should cover two groups: your organization and its customers.