Yesterday the Consumer Financial Protection Bureau (CFPB) published a notice in the Federal Register amending its prior Compliance Bulletin on supervision of Service Providers. A copy of yesterday’s notice can be found here.
The prior Compliance Bulletin (No. 2012-03) was originally issued in 2012. In that document, the CFPB outlined its expectations in the introductory paragraph:
“The Consumer Financial Protection Bureau (CFPB) expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.”
Later in the original Bulletin the CFPB discusses the use of “Service Providers”:
“The CFPB recognizes that the use of service providers is often an appropriate business decision for supervised banks and nonbanks. Supervised banks and nonbanks may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment. However, the mere fact that a supervised bank or nonbank enters into a business relationship with a service provider does not absolve the supervised bank or nonbank of responsibility for complying with Federal consumer financial law to avoid consumer harm. A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship. Depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank as well as with the supervised service provider.” [Emphasis Added by insideARM.]
The revised Bulletin is now CFPB Bulletin No. 2016-02, Service Providers. The summary in the Federal Register states:
“The Bureau is reissuing its guidance on service providers, formerly titled CFPB Bulletin 2012–03, Service Providers to clarify that the depth and formality of the risk management program for service providers may vary depending upon the service being performed—its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. This amendment is needed to clarify that supervised entities have flexibility and to allow appropriate risk management.”
The revised Bulletin inserts the following additional language:
“The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed—its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable as discussed above.”
The Federal Register notice indicates that the newly revised Bulletin 2016-02 will be released on the CFPB's website on Oct. 31, 2016.
The new language is an interesting and welcome addition to this particular Compliance Bulletin. It confirms what many ARM compliance people believed was common sense and practical. ARM industry companies were put on notice with the original Bulletin that they had exposure for not supervising their service providers. The issue was always: What level of supervision for what service providers?
Not all service providers are created equal. The level of due diligence and supervision for a letter vendor, data provider, collection agency or law firm collecting on accounts should be different from the level of supervision for a service provider such as the operator of the vending machine in a break room. The key is making a risk-based decision based upon the potential for “consumer harm.” This revision recognizes that fact.