
The New Normal: Third-Party Vendors Under the Microscope

Author: Richard P. Eckman

This article was originally published in the Winter 2013 issue of Delaware Banker. No part of this publication may be reproduced without the written permission of the editors. Copyright 2013 by the Delaware Bankers Association. All Rights Reserved. It is reprinted here with permission.

As the financial services industry continues to strive for efficiency, financial institutions, both deposit-taking and non-deposit-taking, are increasingly relying on third parties to perform banking or product functions that are either new to the industry or have traditionally been performed by the institutions themselves. This increased reliance on vendors is driven in many cases by legitimate business reasons, most notably cost: vendors can provide economies of scale, expertise or additional products that institutions often could not achieve or develop on their own. Along with the benefits of vendor relationships, however, comes an enhanced responsibility to monitor those relationships to ensure that vendors comply with both federal and state consumer financial laws. Most importantly, the use of vendors does not shield financial institutions from responsibility for their vendors’ actions. To the contrary, financial institutions remain responsible to regulators for vendors’ actions to the same extent as if the actions had been taken by the institutions themselves.

This article reviews applicable regulatory guidance on how financial institutions must manage their vendor relationships and highlights the recent vendor-related enforcement actions taken by the Consumer Financial Protection Bureau (CFPB) and other federal regulators in 2012.

Recent Regulatory Guidance on Managing Vendor Relationships

Highlighting the importance of proper vendor oversight and management, and in conjunction with the CFPB enforcement activities discussed below, the federal bank and consumer regulatory bodies have issued updated guidance on best practices in contracting with vendors. The guidance is intended both to make institutions aware of the risks and responsibilities associated with utilizing vendors and to set out regulators’ expectations of how institutions must oversee their vendor relationships.

FDIC Guidance on Payment Processor Relationships

The Federal Deposit Insurance Corporation (FDIC) issued a Financial Institution Letter containing revised guidance on payment processor relationships on January 31, 2012. The letter discusses potential risks, risk mitigation, due diligence, underwriting and ongoing monitoring in the context of payment processors. The guidance emphasizes a warning that financial institutions that fail to adequately manage payment processor or merchant relationships may be viewed as facilitating those parties’ fraudulent or unlawful activity and may therefore be held liable for it.

Although many payment processors conduct legitimate transactions for reputable merchants, the risk profile of others can vary significantly. For example, financial institutions must recognize that payment processors that deal with telemarketing and online merchants may have a higher risk profile, because such merchants tend to display a higher incidence of consumer fraud or potentially illegal activity. Institutions must also be alert for payment processors that use more than one financial institution to process merchant client payments, that solicit business relationships with troubled financial institutions, or that have high levels of consumer complaints, returns or charge-backs. To identify these indicia of fraudulent processing activity, financial institutions must implement enhanced due diligence procedures before entering payment processor relationships and must monitor complaints, charge-backs and returned funds on an ongoing basis during the course of the processing relationship.

CFPB Guidance on Service Providers

The CFPB issued its first bulletin related to third-party vendors on April 13, 2012, which provided guidance on compliance with federal consumer financial laws for banks’ and nonbanks’ relationships with service providers. A “service provider” is defined expansively in Dodd-Frank § 1002(26) as “any person that provides a material service to a covered person in connection with the offering or provision by such person of a consumer financial product or service.” Service providers are subject to the CFPB’s supervisory and enforcement authority, which includes on-site examination of operations and new authority to police unfair, deceptive or abusive acts or practices.

The bulletin also recognizes that, while banks and nonbanks have legitimate business reasons to outsource functions to service providers, the resulting relationships do not absolve banks and nonbanks of responsibility for complying with federal consumer financial laws. Violations of federal consumer financial laws by service providers can result in legal responsibility for both the service provider and the bank or nonbank. To avoid being held responsible for the actions of its service providers, a bank or nonbank must have an effective process for managing the risks of its service provider relationships. This includes conducting due diligence on the service provider’s compliance capabilities; reviewing the service provider’s policies and procedures, as well as its contract, to determine whether the required compliance expectations and the consequences for failing to meet them are set forth; establishing internal controls and ongoing monitoring of the service provider’s compliance with consumer financial laws; and promptly taking action in response to violations of those laws.

CFPB Guidance on the Marketing of Credit Card Add-on Products

In conjunction with its enforcement actions, the CFPB issued a bulletin advising financial institutions on their federal consumer financial law compliance obligations surrounding credit card add-on products. CFPB Bulletin 2012-06, issued July 18, 2012, emphasizes that institutions must take steps to ensure that they market and sell add-on products in a manner that minimizes the potential for statutory and regulatory violations and related consumer harm. Examples of violations include failing to adequately disclose important product terms and conditions, enrolling consumers in programs without consent to do so, billing for services not performed and generally using misleading marketing and sales practices.

Applicable consumer protections related to the marketing of credit card add-on products highlighted by the CFPB include, but are not limited to, the Dodd-Frank Title X prohibition against deceptive practices, the Truth in Lending Act and its implementing Regulation Z and the Equal Credit Opportunity Act and its implementing Regulation B. Financial institutions must ensure that all marketing materials reflect the actual terms and conditions of products and are not deceptive or misleading, must structure employee compensation programs such that they do not create incentives to provide inaccurate product information to consumers and must review scripts and manuals used by telemarketing and customer service centers for compliance with consumer laws and regulations.

Vendor-Related Enforcement Actions

  • Capital One Bank (U.S.A.), N.A. - The CFPB announced its first public enforcement action on July 18, 2012, after it found that Capital One Bank (U.S.A.), N.A.’s vendors used deceptive marketing tactics that pressured and misled consumers into paying for add-on products when they activated their credit cards. Consumers with low credit scores or credit limits were directed to a third-party call center and offered add-ons through high-pressure marketing tactics. The products included payment protection, credit monitoring, access to credit education specialists and daily monitoring and notification of credit accounts. During the marketing of these add-ons, consumers were misled about the products’ benefits, deceived about their nature, misled about eligibility, misinformed about costs and enrolled without giving consent. In response, the CFPB ordered Capital One to end its deceptive marketing practices, pay approximately $140 million to an estimated two million consumers and pay a $25 million civil penalty.
  • Discover Bank - On September 24, 2012, the CFPB announced that it was taking a joint enforcement action along with the FDIC against Discover Bank. As in the Capital One enforcement action, the FDIC and CFPB found that deceptive telemarketing and sales tactics were used to mislead consumers into paying for credit card add-on products. The deceptive tactics included telemarketing scripts that contained language likely to mislead consumers about whether they were actually purchasing add-ons and the downplaying of products’ key terms by sales representatives who spoke rapidly when disclosing these terms. Based on these deceptive practices, the regulators found that consumers were (i) misled about the fact that there was a charge for products, (ii) misled about whether they had purchased the products, (iii) enrolled in programs without their consent and (iv) not provided with material information about the eligibility requirements for certain benefits. Pursuant to its enforcement powers, the CFPB entered into a consent order with Discover under which Discover agreed to institute changes to its telemarketing practices, pay $200 million in restitution to more than 3.5 million consumers who were charged for add-on products and pay a combined $14 million civil penalty to the U.S. Treasury and the CFPB’s civil penalty fund.
  • American Express - The CFPB completed a third enforcement action on October 1, 2012, when it ordered American Express to pay $85 million to consumers who were harmed by what it found to be illegal credit card practices. This action resulted from a multi-part federal investigation after a routine examination of an American Express subsidiary found violations of consumer protection laws. The CFPB also found that many of the same violations occurred at other American Express subsidiaries. The violations spanned almost a decade, from 2003 to 2012, and occurred at every stage of the consumer experience. American Express subsidiaries deceived consumers about the terms of signup bonuses, charged unlawful late fees, unlawfully discriminated against new applicants on the basis of age, failed to report consumer disputes to consumer reporting agencies and misled consumers about debt collection. As a result of these continuing, comprehensive violations of consumer protection laws, American Express agreed to end its illegal credit card practices, repay an estimated $85 million to approximately 250,000 consumers and pay a civil monetary penalty of $27.5 million.
  • First Bank of Delaware - On November 19, 2012, the FDIC and the Financial Crimes Enforcement Network announced the assessment of civil money penalties against First Bank of Delaware (FBOD) for violations of the Bank Secrecy Act (BSA) and anti-money laundering (AML) laws and regulations. FBOD also settled civil claims brought by the Department of Justice. All penalties were satisfied by a $15 million payment to the U.S. Treasury and a $500,000 account established to pay consumer claims arising from FBOD’s misconduct. The penalties stemmed from FBOD’s failure to implement an effective BSA/AML compliance program. Specifically, the bank failed to adequately oversee third-party payment processor relationships and related products and services. As a result, FBOD originated withdrawal transactions on behalf of fraudulent merchants and caused money to be taken from the bank accounts of consumers while it knew or should have known that authorizations for the withdrawals had been obtained by fraud.

Immediate Actions Required

Because each of the foregoing enforcement actions dealt with an institution’s failure to properly manage third-party vendor relationships, institutions must develop or augment existing vendor management policies to ensure that they are actively auditing the performance of their vendors. This includes reviewing all vendor contracts to confirm that they grant the institution audit rights, require a robust system for complaint response, reporting and monitoring, and include adequate representations and warranties covering the vendor’s duties in carrying out its responsibilities, such as proper training of staff, compliance with federal and state consumer laws and regular self-testing, to name just a few. An institution that fails to ensure that its contractual rights are adequate and that an active management process exists over its vendors sets itself up for reputational damage when such failures are revealed, as well as for the expensive remedies that result from an enforcement action by the CFPB or even state regulators.

The CFPB and other banking regulators have recognized that financial institutions are utilizing vendors in their businesses at greater levels than ever before. Based on this recognition, these regulators have taken steps to ensure that financial institutions understand the risks and responsibilities associated with utilizing vendors, specifically, that the institutions are responsible for vendors’ activities to the same extent as if they had taken the actions themselves. For some institutions, failure to understand their vendor-related responsibilities has cost them hundreds of millions of dollars in refunds and civil penalties. For others, these vendor-related enforcement actions serve as a warning that the CFPB is vigilant in examining vendors for compliance with federal and state consumer financial laws and is ready and willing to hold financial institutions accountable for improper actions, whether taken by the institutions themselves or by their vendors.

Richard P. Eckman and Andrew R. Mavraganis

More Resources on the Dodd-Frank Act

For additional information, please visit Pepper's Financial Services Reform Resource Center.

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.
