CFPB Warns About Third Parties
The Consumer Financial Protection Bureau (CFPB) released a bulletin clarifying that financial institutions under Bureau supervision may be held responsible for the actions of the companies with which they contract.
The Bureau will take a close look at service providers interactions with consumers, holding all appropriate companies accountable when legal violations occur.
Banks and nonbanks contract with service providers for a number of reasons. They may use service providers to develop and market additional products or services or to provide expertise. Banks and nonbanks may also contract with outside vendors for services they may not have the resources to conduct independently, such as telemarketing or call center services.
Using outside vendors can pose additional risks. A service provider that is unfamiliar with consumer financial protection laws or has weak internal controls can harm consumers. The CFPB wants to ensure that consumers are protected from irresponsible service providers and that banks and nonbanks are contracting with honest third parties.
The bulletin states the Bureaus expectation that supervised financial institutions have an effective process for managing the risks of service provider relationships. The CFPB recommends that supervised financial institutions take steps to ensure that business arrangements with service providers do not present unwarranted risks to consumers. These steps include:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law;
- Requesting and reviewing the service providers policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
- Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law; and
- Taking prompt action to address fully any problems identified through the monitoring process.