The OCC and CFPB consent orders issued against Wells Fargo on April 20 cited deficiencies in third-party oversight practices. The orders are the latest additions to an ever-expanding body of agency enforcement actions targeting such oversight. These enforcement actions began escalating six years ago, in the aftermath of the CFPB’s first-ever consent order against Capital One in July 2012, which involved sales of third-party credit card add-on products.1 Typically, such orders address the subject institution’s failure to prevent its vendor(s) from engaging in unlawful activities. The CFPB’s order against Wells, however, departs from this norm by asserting that Wells itself engaged in unfair practices by improperly force-placing collateral insurance on consumers’ auto loans, which would have been avoided if Wells had acted on the reporting and other information it was receiving from its insurance vendor.
The cost of the erroneously placed insurance was added to the customers’ loan balances, which compounded the resulting overcharges. The CFPB consent order alleges that Wells either knew or should have known that its third-party oversight practices were both insufficient and likely to result in excessive loan payments. In this regard, the order includes findings that Wells:
As a result of the forced-placed insurance practices and unrelated unfair practices concerning failure to honor “rate-locks” on consumer mortgage loans, the CFPB ordered Wells to provide monetary remediation to harmed customers totaling $500 million and pay a $1 billion civil penalty. The OCC’s consent order required Wells to pay an additional $500 million civil penalty.
While the enforcement sections of the CFPB and the federal banking agencies were aggressively pursuing enforcement actions against institutions for third-party oversight deficiencies over the past six years, the advisory sections of those agencies were equally active in establishing new and revised expectations for such oversight. In April 2012, the CFPB issued Bulletin 2012-03 (Service Providers), which was revised and reissued in October 2016 as Bulletin 2016-02. In October 2013, the OCC replaced longstanding Bulletin 2001-47 (Third Party Relationships: Risk Management Guidance) with the significantly expanded Bulletin 2013-29. In June 2017, the OCC issued Bulletin 2017- 21 (Frequently Asked Questions to Supplement OCC Bulletin 2013-29), which has a strong focus on relationships with fintech companies. And in December 2013, the Federal Reserve Board issued Supervisory Letter 13-19 (Guidance on Managing Outsourcing Risk), which provides guidance to state-member banks. Finally, although the FDIC has yet to revise or reissue FIL 2008-44 (Guidance for Managing Third-Party Risk), in July 2016, the agency solicited public comment on proposed Third Party Lending Guidance, which remains pending.
The agency bulletins regarding third-party oversight expectations issued since 2012 place a much greater emphasis on the institution’s internal control structure for managing third-party risks than the bulletins they replaced. For example, nearly one-half (i.e., 8 out of 17 pages) of OCC Bulletin 2001-47 consisted of a detailed discussion of contract terms, and the bank’s board of directors was mentioned 11 times. In contrast, Bulletin 2013-29 devotes just two pages to contract terms while the board of directors is mentioned 22 times, including in a subsection that outlines the board’s role in an effective oversight program. In reflection of this new emphasis, the OCC premised its $500 million civil penalty against Wells on the institution’s lack of “an effective enterprise-wide compliance risk management program” and not on any deficiencies in contact terms or conditions.
1 For example, on March 28, 2018, the FDIC issued a consent order against Cross River Bank in connection with third-party oversight deficiencies involving a third-party managed debt consolidation loan product.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.