Banks and Nonbanks must Responsibly Manage their Service Provider Relationships
WASHINGTON, D.C. – The Consumer Financial Protection Bureau (CFPB) today released a bulletin clarifying that financial institutions under Bureau supervision may be held responsible for the actions of the companies with which they contract. The Bureau will take a close look at service providers’ interactions with consumers. It will hold all appropriate companies accountable when legal violations occur.
“Consumers are at a real disadvantage because they do not get to choose the service providers they deal with—the financial institution does,” said CFPB Director Richard Cordray. “Consumers must not be hurt by unfair, deceptive, or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”
Banks and nonbanks contract with service providers for a number of reasons. They may use service providers to develop and market additional products or services or to provide expertise. Banks and nonbanks may also contract with outside vendors for services they may not have the resources to conduct independently, such as telemarketing or call center services.
Using outside vendors can pose additional risks. A service provider that is unfamiliar with consumer financial protection laws or has weak internal controls can harm consumers. The CFPB wants to ensure that consumers are protected from irresponsible service providers and that banks and nonbanks are contracting with honest third parties.
Today’s bulletin states the Bureau’s expectation that supervised financial institutions have an effective process for managing the risks of service provider relationships. The CFPB recommends that supervised financial institutions take steps to ensure that business arrangements with service providers do not present unwarranted risks to consumers. These steps include:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
- Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law; and
- Taking prompt action to address fully any problems identified through the monitoring process.