As the financial services industry continues to strive for efficiency, financial institutions, both deposit and nondeposit taking, are increasingly relying on third parties to perform banking or product functions that are either new to the industry or had traditionally been performed by the institutions themselves. This increased reliance on vendors is driven in many cases by legitimate business reasons, most notably cost considerations as vendors are able to provide economies of scale, expertise or additional products that the institutions often could not otherwise achieve or develop on their own. Along with the benefits of vendor relationships, however, comes an enhanced responsibility to monitor these relationships to ensure that vendors comply with both federal and state consumer financial laws. Most importantly, the use of vendors does not shield financial institutions from responsibility for vendors’ actions. To the contrary, financial institutions are solely responsible to regulators for vendors’ actions to the same extent as if the actions were taken by the institutions themselves.
This article reviews applicable regulatory guidance on how financial institutions must manage their vendor relationships and highlights the recent vendor-related enforcement actions taken by the Consumer Financial Protection Bureau (CFPB) and other federal regulators in 2012.
Recent Regulatory Guidance on Managing Vendor Relationships
Underscoring the importance of proper vendor oversight and management, and as part of the CFPB enforcement activities discussed below, the federal bank and consumer regulatory bodies have issued updated guidance on best practices in contracting with vendors. The guidance is intended to make institutions aware of the risks and responsibilities associated with using vendors and to set out regulators' expectations for how institutions oversee their vendor relationships.
FDIC Guidance on Payment Processor Relationships
The Federal Deposit Insurance Corporation (FDIC) issued a Financial Institution Letter containing revised guidance on payment processor relationships on January 31, 2012. The letter discusses potential risks, risk mitigation, due diligence, underwriting and ongoing monitoring in the context of payment processors. Emphasized in the guidance is a warning that financial institutions that fail to adequately manage payment processor or merchant relationships may be viewed as facilitating these parties’ fraudulent or unlawful activity and therefore may be liable for such fraudulent or unlawful activity.
Although many payment processors conduct legitimate transactions for reputable merchants, the risk profile of others can vary significantly. For example, financial institutions must recognize that payment processors that deal with telemarketing and online merchants may have a higher risk profile because such entities tend to display a higher incidence of consumer fraud or potentially illegal activities. Institutions must also be alert for payment processors that use more than one financial institution to process merchant client payments, that solicit business relationships with troubled financial institutions, or that have high levels of consumer complaints, returns or charge-backs. To identify these indicia of fraudulent processing activity, financial institutions must implement enhanced due diligence procedures prior to entering payment processor relationships and provide ongoing monitoring of complaints, charge-backs and returned funds during the course of the processing relationship.
CFPB Guidance on Service Providers
The CFPB issued its first bulletin related to third-party vendors on April 13, 2012, which provided guidance on compliance with federal consumer financial laws for banks’ and nonbanks’ relationships with service providers. A “service provider” is defined expansively in Dodd-Frank § 1002(26) as “any person that provides a material service to a covered person in connection with the offering or provision by such person of a consumer financial product or service.” Service providers are subject to the CFPB’s supervisory and enforcement authority, which includes on-site examination of operations and new authority to police unfair, deceptive or abusive acts or practices.
The CFPB also recognized that while banks and nonbanks have legitimate business reasons to outsource functions to service providers, the resulting relationships do not absolve banks and nonbanks of responsibility for complying with federal consumer financial laws. Violations of federal consumer financial laws by service providers can result in legal responsibility for both the service provider and the bank or nonbank. To avoid being held responsible for the actions of their service providers, banks and nonbanks must have an effective process for managing the risks of their service provider relationships. This includes conducting due diligence on the service provider’s compliance capabilities; reviewing the service provider’s policies and procedures, including the service provider’s contract, to determine whether the required compliance expectations and the consequences for failing to meet them are set forth; establishing internal controls and ongoing monitoring of the service provider’s compliance with consumer financial laws; and promptly taking action in response to violations of those laws.
CFPB Guidance on the Marketing of Credit Card Add-on Products
In conjunction with its enforcement actions, the CFPB issued a bulletin advising financial institutions on their federal consumer financial law compliance obligations surrounding credit card add-on products. CFPB Bulletin 2012-06, issued July 18, 2012, emphasizes that institutions must take steps to ensure that they market and sell add-on products in a manner that minimizes the potential for statutory and regulatory violations and related consumer harm. Examples of violations include failing to adequately disclose important product terms and conditions, enrolling consumers in programs without consent to do so, billing for services not performed and generally using misleading marketing and sales practices.
Applicable consumer protections related to the marketing of credit card add-on products highlighted by the CFPB include, but are not limited to, the Dodd-Frank Title X prohibition against deceptive practices, the Truth in Lending Act and its implementing Regulation Z and the Equal Credit Opportunity Act and its implementing Regulation B. Financial institutions must ensure that all marketing materials reflect the actual terms and conditions of products and are not deceptive or misleading, must structure employee compensation programs such that they do not create incentives to provide inaccurate product information to consumers and must review scripts and manuals used by telemarketing and customer service centers for compliance with consumer laws and regulations.
Vendor-Related Enforcement Actions
Immediate Actions Required
Because each of the foregoing enforcement actions dealt with the failure of institutions to properly manage third-party vendor relationships, institutions must develop or augment existing vendor management policies to ensure that they are actively auditing the performance of their vendors. This includes reviewing all vendor contracts to confirm that they allow auditing rights, contain a robust complaint response, reporting and monitoring system, and include adequate representations and warranties relating to the vendors’ duties in carrying out their responsibilities, such as the proper training of staff, compliance with federal and state consumer laws, audit rights and self-testing, to name just a few. Institutions that fail to ensure that their contractual rights are adequate and that an active management process exists over vendors expose themselves to reputational damage when such failures are revealed, as well as to expensive remedies resulting from an enforcement action by the CFPB or even state regulators.
The CFPB and other banking regulators have recognized that financial institutions are utilizing vendors in their businesses at greater levels than ever before. Based on this recognition, these regulators have taken steps to ensure that financial institutions understand the risks and responsibilities associated with utilizing vendors, specifically, that the financial institutions are responsible for vendors’ activities to the same extent as if the institutions had taken the actions themselves. For some institutions, their failure to understand vendor-related responsibilities has cost them hundreds of millions of dollars in refunds and civil penalties. For others, vendor-related enforcement actions serve as a warning that the CFPB is vigilant in its investigation of vendors for compliance with federal and state consumer financial laws and is ready and willing to hold financial institutions accountable for improper actions by themselves or their vendors.
Richard P. Eckman and Andrew R. Mavraganis