April 7, 2014
Authored by: Bryan Cave Leighton Paisner
Both Banks and Their Vendors Must Pay Attention
First there was the bulletin about third-party vendors issued by the Consumer Financial Protection Bureau (CFPB) in April 2012. Then it was the FFIEC’s guidance on IT service providers in October 2012. Next came the FDIC’s September 2013 Financial Institution Letter about payment-processing relationships with high-risk merchants. Then there was the news on October 30, 2013 about the OCC’s guidance on third-party relationships, followed shortly by the Federal Reserve Board’s guidance on managing outsourcing risks in December 2013.
Let’s face it. There has always been guidance and concern about banks and their relationships with third-party service providers. But in recent years it has become quite obvious that the bar has been raised on how banks relate to their third-party processors, program managers, and other service providers. These changes have occurred over time, by a matter of degrees. But it is increasingly plain that we are seeing a significant sea change in how regulators approach the relationships between banks and their third-party vendors. Examiners are digging deeper — especially into the content of bank contracts — and the scope of review is extending to more and more vendors.
In recent months, public commentary from some of the regulators has revealed even more clearly how this recent guidance will impact banks and their vendors. In this article we will describe the regulatory developments and provide some practical guidance as to what this will mean — not only for banks, but for their processors and other service providers. (A print-friendly version is also available.)
Recent Regulatory Developments
Banks and other financial institutions have always been expected to choose their vendors carefully and to monitor the performance of those vendors. Most institutions have done a reasonably good job in this regard. However, recent regulatory publications and the focus of recent regulatory examinations and enforcement actions indicate that the standards and expectations are now much higher.
The CFPB issued a bulletin on April 13, 2012 regarding the use of service providers, accompanied by a press release stating, “CFPB to Hold Financial Institutions and their Service Providers Accountable.” This bulletin, CFPB Bulletin 2012-03 (the CFPB Bulletin), states that the CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” (emphasis added).