CFPB Issues New Guidance on Supervision of Service Providers

Yesterday the Consumer Financial Protection Bureau (CFPB)
published a notice in the Federal
Register amending its prior Compliance Bulletin on supervision of Service
Providers. A copy of yesterday’s notice can be found here.

The prior Compliance Bulletin (No. 2012-03), was originally issued
in 2012. In that document the CFPB outlined expectations in the introductory
paragraph.

“The
Consumer Financial Protection Bureau (CFPB) expects supervised banks and
nonbanks to oversee their business relationships with service providers in a
manner that ensures compliance with Federal consumer financial law, which is
designed to protect the interests of consumers and avoid consumer harm. The CFPB’s
exercise of its supervisory and enforcement authority will closely reflect this
orientation and emphasis.”

 Later in the
original Bulletin the CFPB discusses the use of “Service Providers”: 

“The CFPB
recognizes that the use of service providers is often an appropriate business
decision for supervised banks and nonbanks. Supervised banks and nonbanks may
outsource certain functions to service providers due to resource constraints,
use service providers to develop and market additional products or services, or
rely on expertise from service providers that would not otherwise be available
without significant investment. However, the mere fact that a supervised bank
or nonbank enters into a business relationship with a service provider does not
absolve the supervised bank or nonbank of responsibility for complying with Federal
consumer financial law to avoid consumer harm. A service provider that is unfamiliar with the legal requirements
applicable to the products or services being offered, or that does not make
efforts to implement those requirements carefully and effectively, or that
exhibits weak internal controls, can harm consumers and create potential
liabilities for both the service provider and the entity with which it has a
business relationship. Depending on the circumstances, legal responsibility may
lie with the supervised bank or nonbank as well as with the supervised service
provider.” [Emphasis Added by
insideARM.]

The revised
Bulletin is now CFPB Bulletin No. 2016-02, Service
Providers. The summary in the Federal
Register states: 

“The Bureau is reissuing its guidance on service providers,
formerly titled CFPB Bulletin 2012–03, Service Providers to clarify that the
depth and formality of the risk management program for service providers may
vary depending upon the service being performed—its size, scope, complexity,
importance and potential for consumer harm—and the performance of the service
provider in carrying out its activities in compliance with Federal consumer
financial laws and regulations. This amendment is needed to clarify that
supervised entities have flexibility and to allow appropriate risk management.”

 The revised
Bulletin inserts the following additional language: 

“The Bureau expects that the depth and formality of
the entity’s risk management program for service providers may vary depending
upon the service being performed—its size, scope, complexity, importance and
potential for consumer harm—and the performance of the service provider in
carrying out its activities in compliance with Federal consumer financial laws
and regulations. While due diligence does not provide a shield against
liability for actions by the service provider, it could help reduce the risk
that the service provider will commit violations for which the supervised bank
or nonbank may be liable as discussed above.” 

The Federal Register notice
indicates that the newly revised Bulletin 2016-02 will be released on the CFPBs
website on Oct. 31, 2016. 

insideARM
Perspective

The new additional language is an interesting and welcome
addition to this particular Compliance Bulletin.  It confirms what many ARM compliance people
believed was common sense and practical. ARM industry companies were put on
notice with the original Bulletin that they had exposure for not supervising
their service providers.  The issue was
always: What level of supervision for what service providers?

All service providers are not created equal.  The level of due diligence and supervision
for a letter vendor, data provider, collection agency or law firm collecting on
accounts should be different than the level of supervision for a service
provider such as the operator of the vending machine in a break room. The key
is making a risk based decision based upon the potential for “consumer harm.”
This revision recognizes that fact.