Raising the Bar In Third-Party Risk: CFPB Formally Enters Technology Vendor Oversight

In the CFPB May release (Issue 15), the Consumer Financial Protection Bureau referenced updated guidance on third party oversight initiatives. We'll go through what it says, what it means and next steps.

What The May 2017 Summary - Issue 15 Says

On page 25 they state that:

The CFPB recognizes the potential risks to consumers posed by large service providers, which provide technological support to facilitate compliance with Federal consumer financial law, including software packages, electronic system platforms, and other types of technological tools.

These compliance tools are often provided to thousands of participants in a market. As such, compliance risks in an entire market may be heightened when regulatory compliance is not considered and integrated throughout the development lifecycle, change, and configuration of these compliance systems. 

Because a single service provider might affect consumer risk at many institutions, the CFPB has begun to develop and implement a program to supervise these service providers directly. Direct examination of key service providers will provide the CFPB the opportunity to monitor and potentially reduce risks to consumers at their source.

In its initial work, the CFPB is conducting baseline reviews of some service providers to learn about the structure of these companies, their operations, their compliance systems, and their CMS.

In more targeted work, the CFPB is focusing on service providers that directly affect the mortgage origination and servicing markets.

The CFPB will shape its future service provider supervisory activities based on what it learns through its initial work. As with all new examination programs, service provider supervision is folded into the Bureau’s overall risk-based prioritization process.

What could this mean?

There are several considerations to keep in mind with this initiative. However, while it's speculation, it would seem to have some plausibility.

• The CFPB is taking up Vendor Oversight to create its own baseline of risk assessments on vendors who may impact consumer transactions.
  
  
• This oversight seems broader than simply targeting complaint data on the CFPB website. While complaint data was instrumental in identifying key concerns; this initiative takes an approach based on the potential impact of the many tech enabled compliance software systems used in the mortgage origination and servicing process.
  
  
• Given the recent events of a servicing software and operation described by one industry executive as a train wreck, could imply that this effort is aimed at ensuring systems are adequately managed and updated by appropriate compliance expertise.
  
  
• Recognizes the importance that compliance management systems and expertise play throughout the software development lifecycle.

How could this impact vendor risk management?

In many ways, this could raise the bar in the requirements of vendor oversight and examination process but also in a financial institution's own vendor reporting.

After all, if the CFPB has examined a third party vendor and has a baseline of findings, issues and remediation data, how would your organization's own results stand up when presented to the CFPB examiner?    

Your oversight report is only as good as the questions you ask and validate. Given the CFPB mandate of consumer protection, it would be wise to make sure your reviews are thorough and leverage the expertise of internal stakeholders over and above a vendor management team.

As we have discussed in prior commentaries, vendor oversight should not be a check the box type exercise. Without a thoughtful approach of reviewing policy and procedures, SOC reports, audited financials, etc...anything less could be deemed as sub-par.

Next Steps

If you're a vendor active in this space, then I’d suggest that you have been put on notice.

1. Review that you have a strong compliance management system in place. This should include compliance leadership, change management process for SDLC, quality assurance for testing during UAT and production along with thorough testing records including remediation.
   
   
2. If you are a Mortgage Originator or Servicer, it would be prudent to review your compliance management systems and your vendor oversight process and ensure that you have the full expertise to fully manage your tech focused vendors.

Issue 15 contains a lot of valuable information and over and above this one section regarding tech vendor oversight, there is information regarding the recent public and non-public enforcement actions and some timely insight on spike and trend analysis regarding complaint data. All worthy of your attention. 

To read up on vendor oversight on a contract mortgage underwriter, download our infographic.