While vendor oversight and management is not a new issue for the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) reflect heightened attention from federal regulators. A bank's board of directors must remain vigilant to the hazards posed by outsourcing functions to third parties, or risk significant financial and reputational harm to its institution.
Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”
Meet the New Boss
Armed with its mandate under Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to guidance previously issued by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank defines a “service provider” as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation does not define the word “material,” bankers should assume that federal regulators will interpret it broadly.) Second, and more importantly, the bulletin provided banks with a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
- Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
(Not the) Same as the Old Boss
While the message from the federal regulators has not varied over the years, recent actions by the various agencies indicate they are now more likely to use enforcement to compel compliance with their vendor management mandates. A detailed discussion of the cases listed below is beyond the scope of this article, but to a large degree each case focused on deceptive sales practices by third-party vendors marketing a bank product:
- CFPB: Discover Bank, $14 million civil penalty (September 2012)
- OCC: American Express Bank, estimated $6 million in restitution (September 2012)
- CFPB: J.P. Morgan Chase, $309 million in restitution and $20 million civil penalty (September 2013)
- CFPB: American Express, $59.5 million in restitution and $9.6 million civil penalty (December 2013)
Although none of the FDIC, the OCC or the CFPB provides community banks with an explicit exemption from the vendor management mandates, each set of rules includes a statement similar in content to that in FIL-44-2008: “The precise use of a risk management process is dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risk identified.” For community banks that offer only traditional banking services, senior management and the board should apply a common-sense level of due diligence before entering into a third-party relationship, while it is in place, and after it ends.
We Won’t Be Fooled Again
Bank management and boards of directors should not allow recent enforcement actions to deter their use of third-party vendors to provide critical functions. The economics supporting such outsourcing decisions certainly outweigh the risks posed by potential regulatory enforcement action. However, regulators have given notice that a failure to implement and follow vendor management protocols will no longer be tolerated, and boards and management bear ultimate responsibility for any harm caused by a vendor’s failure to adhere to federal consumer financial law.