CFPB’s Bulletins Revisited: Oversight of Service Providers

From time to time, the CFPB issues Bulletins which reflect the CFPB’s expectations regarding covered institutions and covered business products.  When these are issued, they grab our attention for a time but then our focus changes to the next new thing.  We are now five years into the CFPB’s existence and as they say, hind sight is 20/20 vision.  Looking back, we can see the impetus these Bulletins have had on enforcement actions.  I thought it would be fun to revisit some of these Bulletins over the next few several weeks and see how they have been applied. 

In April of 2012, the CFPB issued a Bulletin on Service Providers.  CFPB Bulletin 2012-03 set forth the expectation that supervised entities oversee their business relationships with service providers in a manner which ensures their compliance with federal consumer financial laws.  The Bulletin makes clear that the supervised entity will be held responsible with its service providers for their service providers’ compliance with federal consumer financial laws.  Its expectations include not only specific statutory compliance, but also prohibits unfair, deceptive or abusive acts or practices. 

The Bulletin set forth a number of nonexclusive steps it expects covered institutions to take in managing their service providers:

• Doing due diligence to insure their service providers understand and are capable of complying with applicable consumer financial laws;
• Requesting and reviewing their service providers’ policies, procedures, internal controls, and training materials to insure their service providers are providing adequate training and oversight to insure compliance with applicable consumer financial laws;
• Providing contractual provisions in their vendor agreements that provide clear expectations of compliance, as well as appropriate and enforceable consequences for any failure to comply;
• Insuring that service providers are prohibited from unfair, deceptive or abusive acts or practices, as well as violations of specific federal consumer financial laws;
• Establishing internal controls and on-going audits and examinations of service providers to insure their continued compliance; and
• Taking prompt action to address problems identified through the monitoring process, including termination of relationships, if appropriate.

The CFPB has put this guidance to use in several of its bank enforcement actions and includes within its examination procedures requirements that their examiners include a review of examined entities’ policies and procedures to ensure the entity’s service providers are compliant.  It is likely that the CFPB will continue to use this approach and its general “unfair and deceptive” jurisdiction to expand enforcement actions to include entities which are not otherwise covered by the CFPB.