May Vendor Management News

Reading up on latest vendor management news can only help your risk programs. We'll help you out!  Below we've listed some articles from this past week that we recommend checking out. 

Recently Added Articles as of May 30

We're not sure if it's just a slow news week or if it's due to the holiday but it's a lighter one this week. Nonetheless, there are some noteworthy articles to share. 

Regulators (several of them) tell companies to pay attention to complaints: State officials and the CFPB urge organizations to monitor complaints. They also recommend that you look to your competitors as a way to discover a potential issue that your organization may have yet you may not even realize it. That’s some of our famous advice, too!

FDIC resolves 'Operation Choke Point' lawsuit: A payday lender's lawsuit against companies such as Advance America, Cash Advance Centers and Check Into Cash, just to name a few, has been resolved. With the dismissal, the FDIC is issuing two things. First, a summarization of their policies and guidance. Second, a cover letter to the plaintiffs that reiterates any prior correspondence.

This speaks volumes on why due diligence is important in determining ownership: The Corporate Transparency Act of 2019, a proposed amendment to the Bank Secrecy Act, is an act that would require legal entities in the U.S. to disclose the beneficial owners. The beneficial ownership would be reported to FinCEN and updated as needed. The OCC, FinCEN and FBI all shared their perspective before the senate committee on risks that arise due to anonymous corporate structures. All three feel there are many advantages to a national database of beneficial owners.

Huge data leak begs the questions how and what’s next?: The holiday weekend started off rocky for many. First American Financial accidentally exposed 885 million sensitive documents. These documents contained bank account numbers, tax documents, social security numbers and more. The biggest reason this leak is so scary is the fact that there wasn’t necessarily a breach; however, the data was easily available online due to a website design error called Insecure Direct Object Reference (IDOR). First American hasn’t reached out to customers to help them protect themselves yet. We wonder what their next step will be. This is a reminder that a data leak can happen to anyone so be sure that you’re making every effort to be as secure as possible. In this case, a simple issue caused massive data exposure.

Recently Added Articles as of May 23

A lot of news articles to share this week, and even a video! We’ve seen surveys released that indicate third party/vendor risk are key areas of concern, a data breach, regulators releasing compliance updates, CFPB leadership changes, clarification around the proposed FDCPA changes and so much more.

The gap between the two major parties’ stymies chances of regulatory relief: The debate continues. Democrats and republicans still aren’t seeing eye to eye on the proposed regulatory relief. Many democrats feel the regulatory relief bill enacted last year is only to benefit the wealthy stating that the increase in bank loans over the last 5 years is due to bank’s processing “shady” loans for people who lack wealth. Republicans, on the other hand, do not agree. The divide is prevalent in other areas too, such as regarding future policy decision making like the changes to the Community Reinvestment Act. Will everyone come to an agreement sooner rather than later?

Third party due diligence, core processors and vendor risk management continue to be key areas of concern: In the Fed’s update to the financial services committee, Quarles echoes statements made by the OCC. That is that third party due diligence, core processors and vendor risk management continue to be significant areas of concern. In addition, Quarles touches on regulatory development, tailoring requirements based on an institution’s size, creating transparency in guidance and more.

SEC stresses need for strong compliance programs: The SEC reminds firms that they need to implement strong compliance programs. These programs should address anti-money laundering (AML), microcap securities, paying agents and cybersecurity. The SEC’s director says don’t wait until your OCIE exam. The time is now. Perhaps a “no-brainer” but one that bears repeating.

OCC vs NYDFS over the FinTech charter heats up: Pop some popcorn and enjoy this battle royale. We previously shared that the NYDFS is challenging the OCC’s proposed FinTech charter and that the courts have determined that NYDFS may indeed have a leg to stand on. Well, the OCC just submitted a letter requesting a 2-week extension to respond to the complaint stating, “OCC believes the Court’s order likely renders the matter ripe for entry of a final judgment. We therefore request additional time to complete our internal deliberations on this issue and confer with plaintiff’s counsel.” This is getting interesting quickly!

Otting to revamp OCC: Joseph Otting, Comptroller of the Currency, wants to implement a single supervisory platform for all banks by next year. This will mean instead of having two OCC exams – one for large institutions and one for mid-size and community banks – all exams will fall under one platform/umbrella. Check out this interview with Otting to learn more about the bold moves to modernize the comptroller’s office.

Duke University/FDIC collaboration conference on FinTech – also challenges FDIC to make things easier for community banks: Want a quick break from reading for a moment? Check out the video regarding the FDIC FinTech conference. Chair McWilliams is a terrific speaker with tremendous insight. If your heart is really set on more reading, here’s a link to an article, too!

A FinTech wants to be the first in its space to offer banking services: Pangea, a digital remittance company, wants to be the first to offer a branded checking account that accompanies their core product. They say customers have requested the bank account option. With the new service, account holders will receive a Visa debit card, no monthly maintenance or overdraft fees, an option for their paycheck to be deposited two days early and no need for a minimum balance. Pangea said they do not have any competitors who offer a similar service. Is this an outlier or the start of a wave of new banks?

The hazards of too much data. Latest breach is 200 million consumer names: A data breach exposes sensitive information of 200 million individuals. As of right now, we’re not sure if the data was a list that was initially compiled by Experian or by another third party. It appears to be a marketing list that originated in 2015. Experian’s name is all over the files, but they deny that the list is originally theirs. With another data breach, there is a lesson to be learned. Try to reduce your organization’s data collection footprint. Only collect and store data this is absolutely necessary. By doing this, should your organization be breached, at least not as much sensitive data will be exposed.

OCC highlights key risks: OCC released their Semiannual Risk Perspective for Spring 2019. And guess what? Vendor risk is right in there, as well as a focus on credit quality, operational risk, compliance risk and interest rate risk.  

CFPB files complaint against debt-collection law firm: We’ve talked a lot about reforms to FDCPA, but in the meantime, it’s still a very hot topic for regulatory enforcement action. The CFPB brings this action against the firm due to their involvement in debt-collection acts that were harmful to consumers such as filing collection lawsuits against consumers without meaningful attorney involvement. This means that the firm violated the Fair Debt Collection Practices Act (FDCPA).

Outstanding analysis of the new proposed collections rule: This analysis gives a concise overview of the CFPB’s proposed amendments to the FDCPA. It describes the significant details and some new insight that has been made available since the proposal was published. In addition, stay tuned for a date to be announced regarding a webinar to discuss the FDCPA proposal in more detail. It will be hosted by McGuireWoods. We’re happy to see so much great coverage out there to help everyone fully understand the FDCPA proposal as much as possible.

SEC collects fines at a very slow pace: It looks like the SEC collects fines at what appears to be a leisurely rate. Over the last 5 years, they’ve collected only 55%. Do you think they need to implement a more aggressive fine collection strategy?

OFAC on compliance: In OFAC’s recently released framework for compliance commitments, they share 5 essential components to a compliance program. The five components include management commitment, risk assessment, internal controls, testing and auditing and training. They also share 10 common pitfalls that they see. Have you taken the time to review? Is your compliance program in check?

CFPB leadership changes: CFPB’s head of enforcement has resigned. Not many senior managers hired by the former director, Richard Cordray, are left at this point. Kristen Donoghue was one of few. With so many leadership positions opening due to resignations, the CFPB’s current director, Kathy Kraninger, has a decision to make. Will she place political appointees in these leadership roles?

2019 operational risks – the top 10: Risk.net released their yearly ranking of the biggest operational risks. The list includes things like data compromise, IT disruption, IT failure and more. And oh yeah, cybersecurity and third party risk!

Recently Added Articles as of May 16

There are big news weeks and then there are mind-blowing life-altering holy mackerel news weeks. This week would be the latter… Let’s see what we’ve heard this week:

CFPB Kraninger on the proposed changes to FDCPA: CFPB’s director gives a speech at the Debt Collection Town Hall in which she discusses the proposed Fair Debt Collection Practices Act (FDCPA) changes further. She mentions that many of the debt collection complaints in recent years can likely be attributed to the fact that the guidance is over 40 years old. In the guidance, very outdated forms of communication such as the use of postcards, telegrams and collect calls are addressed. The Notice of Proposed Rulemaking will take into consideration new communication strategies. Since everyone is more accessible these days, she shared it will take into account when, where and how consumers can be contacted as well as allow them to request collectors stop using specific channels to contact them during certain times, such as at night. The changes should give consumer’s much more transparency in debt collection practices.

NYDFS launches new consumer protection department: They’re calling it a new “powerhouse”. NYDFS announced their newest department which is the Consumer Protection and Financial Enforcement Division. The new department consolidates the Enforcement and Financial Frauds Division and Consumer Protection Division. Given that NYDFS is one of the most active state regulators, do you think others will follow suit and do the same?  

Justice Department updates guidance on compliance programs – yes, it references third party management: The US Department of Justice (DOJ) provided updated compliance guidance which further expands on the 2017 release. It provides a lot of clarification and more transparency. The guidance reiterates what we’ve essentially said all along. There is no checklist for a perfect compliance program. According to the guidance, there are 12 fundamental elements of any compliance program such as risk assessment, policies and procedures, training and communications and more. Check it out to learn more about what your compliance program is expected to look like.  

CFPB considers taking the consumer complaints database private: At the same time complaints are increasing, particularly among the credit reporting agencies. Kraninger, CFPB’s Director, shares that discussion around the complaint database and how it’s presented is on the agenda for this year. Some feel by keeping the database public it keeps financial institutions accountable, but others aren’t so sure. According to the article, former Acting CFPB Director, Mick Mulvaney, called it “essentially a taxpayer-funded Yelp for financial institutions”. Here’s an interesting fact! Half of all the complaints in the database are filed against the same 10 companies. So, considering that, is it really helping? Are you for or against the public complaint database?

Ballard Spahr on the proposed new rules in collections and why you should care: Ballard Spahr shares a little more on why creditor and servicers should care about the CFPB’s proposed FDCPA changes. Some of the top reasons include: you must take action prior to the debt being sent off to a collection agency in order to utilize the agency’s use of electronic communications with the customer, creditors will be required to conduct third party oversight over debt collectors that they work with and. finally, there's the possibility that the rules will be directly applied to creditors and servicers. If you’re a creditor or servicer, it behooves you to carefully analyze the proposed rules and think about implementing process changes as needed.

NAFCU breakdown of the OFAC Compliance Program: Recently we shared with you that OFAC published their compliance framework. In case you wanted more clarification on the focus, this NAFCU blog helps break it down further.

Banks at fault for mobile app failures: Open Banking Implementation Entity (OBIE) Interim Head of Technology shares that faults in mobile banking applications are due to technology problems on the bank’s end. They are not due to flaws in new regulations. He says Open Banking isn’t usually the cause of a flaw in mobile banking technology. In his opinion, banks have trouble with Open Banking because many aren’t technology focused companies and they’ll outsource a lot of the development of their technology development to third parties or contractors. Seems like he's saying this can ultimately cause some flaws in the security, but it isn’t because of the app. Interesting.

Fiserv hit with lawsuit by $39 million credit union in PA over information security practices: Bessemer System Federal Credit Union filed suit against Fiserv due to issues they’ve had such as security lapses and inaccuracy in member information updates. They said Fiserv is in breach of contract, fraud, negligence plus more. Fiserv feels the suit has no merit. This suit wouldn’t be too surprising but then you realize it’s a very small financial institution – taking on the big guys!

OCC cites third party risk management as leading cause of operational risk: In particular, they cite core processors. Refer to page 4. They say banks often rely on third parties for core services and there are only a handful of them which increases the risk. In addition, some other factors contributing to operational risk are cybersecurity, fraud and mergers and acquisitions.

Recently Added Articles as of May 9

Some big news for this week. There is a large OFAC action, proposed changes to the FDCPA which has been in place since 1977, fintech news regarding national charters and “controlling influence”, a large CFPB enforcement action and more. Honestly, there’s all sorts of fun reading this week!

Third party cyber liability insurance on the rise: Cyber liability insurance sales are increasing as no one is immune to a cyber breach. It used to be that only large corporations focused on cyber liability insurance. However, given all the recent breaches, these large corporations are requesting companies of all sizes – even smaller ones – invest in cyber liability insurance in order to do business with them. There’s a big exposure to risk so they’re trying to cover their bases. Can you blame them?

FinTech charters and requirements proposed by the Fed: A Fed proposal has been announced regarding the Bank Holding Company Act of 1956 (the BHC Act). If accepted, the “controlling influence” test in the act will be further clarified. This should spark some interest by 3 specific groups: FinTechs and FinTech investors who are looking into bank charter options, FinTechs seeking capital investments and community banks requesting investors and private capital to assist with things like lending, growth, investment and more. This significant amendment will increase transparency of the Federal Reserve’s rules for determining controlling influence over a company by putting forth a well-developed regulatory framework for control determinations. It seems like many regulators are providing more transparency lately… and we’re okay with that! How about you?

CFPB settles with student loan servicer: Conduent Education Services (f.k.a ACS Education Services) has agreed to a $3.9 million settlement for violating the Consumer Financial Protection Act of 2010. The company engaged in unfair practices by failing to timely adjust principal balances of student loans that were created under the Federal Family Education Loan Program. This caused a delay in the adjustments, often for years, and for some borrowers, the inability to consolidate their loans. Just another reminder to perform fair consumer practices.

NY lawsuit against FinTechs can move forward: The New York Department of Financial Services (NYDFS) may proceed with their lawsuit against the OCC. Its goal is to stop FinTechs from offering bank services at the national level. These services include things like lending money and paying checks nationally. However, FinTechs still wouldn’t be able to accept bank deposits. The NYDFS feels this could ultimately result in predatory lenders and hurt consumers due to a lack of visibility in overseeing these FinTechs who have obtained a national license. The judge shared that statute makes it clear, and only depository institutions can receive an OCC national bank charter.

OFAC announces a large settlement against MID-SHIP Group LLC: MID-SHIP Group LLC has agreed to pay a $871,837 fine to settle five violations of the Weapons of Mass Destruction Proliferators Sanctions Regulation. This is because, in 2011, the company processed five electronic funds transfers with blocked vessels that were on OFAC’s List of Specially Designated Nationals and Blocked Persons. Moral of the story? Take OFAC requirements seriously regardless of the industry.

OFAC publishes compliance framework: OFAC announces U.S. economic and trade sanctions programs against targeted foreign governments, individuals, groups and entities. This is in line with national security and foreign policy goals and objectives. They’re requesting a risk-based approach to sanctions compliance be employed by developing, implementing and updating a sanctions compliance program. Check it out for more information on the expectations.

CFPB begins amending FDCPA: With this Notice of Proposed Rulemaking (NPRM) to the Fair Debt Collection Practices Act (FDCPA), consumers will have a clear understanding of their rights and protections against debt collectors. In addition, they’ll have outlined options that are straightforward regarding how they can address or dispute debts. Taking it a step further, it will also clarify how many outreaches debt collectors can make to a consumer on a weekly basis and how collectors may communicate with newer technology such as voicemails and text messages – in a lawful way. Since the FDCPA was originally enacted in 1977, there has of course been a lot of technology developments that can assist with debt collectors’ outreach. Given that, this amendment seems very warranted.  

Wells Fargo hears regulatory demands and creates new department: An operations unit has been created at Wells Fargo. Due to the bank’s previous scandals, regulators have shared their dissatisfaction with the bank’s progress. The operations unit will be specifically focused on improving and meeting regulatory demands. A very unusual move. We’re interested to see how it pans out for them.  

Recently Added Articles as of May 2

Bringing us into a new month, we had a much lighter news week but there are definitely some highlights worth reading more about. Read about regulation, commentary from a fintech forum and tax reform.

Regulation by enforcement may be lightening up: New CFPB director, Kathleen Kraninger, announced the agency’s priorities and it looks like the direction may be shifting. To prevent consumer harm, she plans to focus on educating consumers by providing informed consumer choice and prohibiting acts or practices which impact their ability to choose the best product or service. This is instead of a focus on enforcement to protect consumers. With this, she also announced that she’d like slower rule making processes so that there is a chance for industry input and that the rules will be articulated better and in a clearer way for regulated entities. Also, she hopes the agency will need to use their enforcement tool less often. If you’re a compliance officer, this may be music to your ears.

CFPB Prepaid Rule now in effect. What does this mean: More CFPB news? As of April 1, 2019, the prepaid rule is in effect. Essentially, this is an amendment to the Truth in Lending Act and the Electronic Funds Transfer Act. It adds new terms like “prepaid account” and extends credit card-like protections. Another interesting aspect of the new rule is that it has expanded the number of accounts that fall under the Prepared Rule. Do you have more than 3,000 open prepaid accounts? If you do, it’s definitely time to make sure you’re in compliance under the new rule.

From the FDIC / Duke fintech forum – lots of interesting commentary: Did you check out the “Fintech and the Future of Banking” conference that we mentioned in last week’s news? Quick update as there was some interesting commentary. They mentioned that it seems like a lot of the fintechs applying for bank charters are having a difficult time providing proof of sufficient capital and profitability in their business plans (a requirement), there was discussion around reforms to the Community Reinvestment Act (CRA), the FDIC shared they’ve begun studying data aggregation and data sharing between banks and third parties – that means sharing with fintechs too – and more.

You’ve heard our experts talks on webinars about tax refund fraud – here’s more info: In the past, identify theft through tax refund schemes has been at an all-time high. However, in 2019, this type of fraudulent act seems to be dropping due partly to high watch by the IRS, state governments, tax preparers, etc. But wait! That doesn’t mean you’re in the clear. Now they’re targeting tax professionals, human resources departments, payroll companies and more sophisticated outlets. What does this mean for your organization? Make sure you’re doing proper due diligence to protect your organization from a breach like this. If you see something like a large payment out of the ordinary, you may want to dig further to be safe.

Protect you and your customers by building an effective third party risk program. Download the infographic.