Bryan Cave Leighton Paisner Banking Blog

Bank Bryan Cave

Outsourcing

Main Content

A Significant Change in the Regulatory Oversight of Third-Party Relationships

Both Banks and Their Vendors Must Pay Attention

Introduction

First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants.  Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.

Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.

In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers.  (A print-friendly version is also available.)

Recent Regulatory Developments

Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.

The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.”  This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).

Read More

Regulators Go After Banks for Vendor Management

While the issue of vendor oversight and management is not new to the financial services industry, recent enforcement actions by the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) manifest heightened attention by federal regulators.  A bank’s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution.

Federal regulators traditionally have looked with an understanding, yet skeptical, eye towards the issue of outsourcing. Current guidance is clear, however, as to where the responsibility lies. As summarized by the Federal Deposit Insurance Corp. (FDIC) in FIL-44-2008, “An institution’s board of directors and senior management are ultimately responsible managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.”

Meet the New Boss

Armed with its mandate by Title X of the Dodd-Frank Act to protect consumers, the CFPB entered the vendor management fray by issuing Bulletin 2012-03. Although the message contained in the bulletin was nearly identical to previously issued guidance by the OCC and FDIC, it did provide additional insight. First, the bulletin noted that Title X of Dodd-Frank provides a definition of a “service provider,” which includes “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Although the legislation did not specifically define the word material, bankers should assume such subjectivity will be interpreted broadly by federal regulators.)  Secondly, and more importantly, the bulletin provided banks a non-exhaustive list of “steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers,” which include:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive act or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Read More
The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.