In April 2012, the CFPB released a bombshell on financial institutions – not only could they be held responsible for any violations of consumer protection laws, but now they could also be held responsible for the actions of the companies they use as vendors. Financial institutions are now required to proactively assess, measure, monitor and control the compliance of third party vendors they work with to provide consumer financial products or services. The CFPB took no time in enforcing this new regulation and initiated its first public enforcement action against a large credit card provider in July 2012. The company was ordered to pay more than $300 million in refunds to customers because the CFPB found that its vendors used deceptive marketing tactics to mislead consumers into paying for add-on products when activating credit cards.
Many financial service providers may be surprised that they have to now monitor the acts of their default service providers, foreclosure trustees, brokers, payment processors, telemarketers and even law firms! Some of the ways financial institutions can ensure that business arrangements with service providers are compliant with consumer protection laws include:
- Conducting due diligence to verify that the service provider understands and is capable of complying with law.
- Requesting and reviewing their service providers' policies, procedures, internal controls, and training materials.
- Developing written contracts to outline the duties and obligations of each party, as well as appropriate and enforceable consequences for violating any compliance-related responsibility.
- Establishing an ongoing oversight program to determine whether the service provider is fulfilling its duties.
Given that there are significant consequences for third party management weaknesses, financial institutions should ensure that their vendor management program is aligned with the guidance issued by CFPB regulators. An analysis should be conducted to compare the activities of an institution's third party vendors against the regulations. If any gaps are identified, it is crucial that the institution develop an action plan to update its existing programs.
In the ever-changing world of consumer finance protection laws, it is imperative that financial institutions make sure that not only are they fully compliant with the regulations, but also that their vendors are. So take some time and review your vendor agreements and oversight programs to make sure that everything is in order. If any questions or issues arise, Baker Donelson is fully equipped to handle all of your vendor risk management needs.