Guess Who’s Getting Directly into the Vendor Management Business?

In a regulatory field already crowded with federal and state regulators mandating the processes financial services companies employ in managing their vendors, the rather short insertion in the Spring 2017 issue of the Consumer Financial Protection Bureau’s (CFPB) Supervisory Highlights  may initially have sailed largely under the collective industry radar. Recently, however, trade publications have drawn attention to what may represent yet another seismic change impacting a vendor population already burdened by multiple, overlapping, intrusive customer/client oversight processes. The CFPB has, in short, given fair warning that it intends to move beyond review of vendor oversight processes and into the business of direct vendor oversight.

The CFPB’s focus on third-party service providers is not new. As the Supervisory Highlightspoints out, the CFPB addressed this topic in the Fall 2016 issue, where the CFPB noted that evidence of good compliance management systems (CMS) included “strength in their oversight programs for service providers. In particular, they defined processes that outlined the steps to assess due diligence information, and their oversight programs varied commensurate with the risk and complexity of the processes or services provided by the relevant service providers.” Perhaps more ominously and prophetically, in the Summer 2016 issue of Supervisory Highlights, the CFPB warned that it would “consider appropriate action if law violations are identified at institutions or their service providers, consistent with the Bureau’s authority.” In a 2016 Compliance Bulletin and Policy Guidance, the CFPB returned to the subject and reminded the regulated community that: “[t]he [CFPB] expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.” The CFPB recently carried through on the threat of enforcement against third-party service providers, with enforcement actions filed against financial service vendors such as Experianand Frederic J. Hanna & Associates, P.C.

The Supervisory Highlights begin by echoing  a statement from the Fall 2016 issue reminding the regulated community of their obligation to oversee vendors: “[t]he CFPB has and will continue to evaluate the oversight of service providers in its compliance management reviews according to these expectations.” However, having reiterated this point, the CFPB devotes the entire next paragraph to emphasizing the “potential risks to consumers posed by large service providers” — particularly those in the technology space — “which provide technological support to facilitate compliance with Federal consumer financial law, including software packages, electronic system platforms, and other types of technological tools.” This delineation and statement of heightened risk serves as the logical underpinning for the next paragraph, where the CFPB pivots into its new oversight role.

“Because a single service provider might affect consumer risk at many institutions, the CFPB has begun to develop and implement a program to supervise these service providers directly. Direct examination of key service providers will provide the CFPB the opportunity to monitor and potentially reduce risks to consumers at their source” (footnote omitted). In other words, the CFPB believes that the level of third- party service provider risk is sufficient to justify the CFPB’s transition from reviewing the vendor management programs of financial service companies to directly overseeing and evaluating actual financial service company vendors. Rather than simply receive audit requests from their customers, third-party service providers may expect direct oversight and communications from the CFPB.

Having announced its intention to exercise oversight authority over third-party service providers, the CFPB devotes the last paragraph of the section to discussing process and next steps: “In its initial work, the CFPB is conducting baseline reviews of some service providers to learn about the structure of these companies, their operations, their compliance systems, and their CMS. In more targeted work, the CFPB is focusing on service providers that directly affect the mortgage origination and servicing markets. The CFPB will shape its future service provider supervisory activities based on what it learns through its initial work. As with all new examination programs, service provider supervision is folded into the Bureau’s overall risk-based prioritization process” (footnote omitted). In other words, the CFPB already has begun the process of establishing lines of communication with third-party service providers and gathering relevant information from them. The CFPB will ultimately use this information to develop standards, guidance, and processes that will allow them to exercise their authority in a consistent manner.

These are tempestuous times for the CFPB, where it is facing both political and legal challenges that threaten it on an existential basis. Accordingly, reading too far into the future is a risky and uncertain endeavor. However, there is every indication that the CFPB will continue to bring its oversight and enforcement authority to bear on third-party service providers. While that focus appears initially aimed at technology companies, there is every reason to expect it will expand to all third-party service providers used by financial services companies in the origination and servicing space. Additionally, financial services companies will need to watch closely the steps the CFPB takes as it develops and implements its oversight program and to ensure that there are no gaps between their programs and the CFPB’s. In short, the vendor management landscape is about to get a lot more crowded and perhaps a lot more adversarial.