Service Providers Relationships Risks Identified by CFPB

By: Laura Pringle

May 2012


As we discussed in a recent article on these issues, third-party service providers have long been the focus of regulatory oversight, and now the CFPB has weighed in on the importance of due diligence, contracting, and monitoring service providers and other related issues. It appears that the CFPB’s perspective is somewhat different from that of other primary federal regulators in that the CFPB is particularly concerned that “consumers not be hurt by unfair, deceptive, or abusive practices of service providers” and the responsibility to address these concerns is squarely placed on the financial institution which chooses to have the relationship with the third-party service provider. In addition to other guidance from the Federal Financial Institutions Examination Council (“FFIEC”) and from federal regulators on risk management processes which should currently be in place for due diligence, contracting, and other steps when dealing with third-party service providers, it is important that financial institutions and third-party service providers consider the information presented in this recent release.

Specifically, on April 13, 2012, the CFPB released a bulletin which clarified that financial institutions under CFPB supervision may be held responsible for the actions of the companies with which they contract. This recent CFPB bulletin can be found on the CFPB Web site. The CFPB stated that it will take a close look at service providers’ interactions with consumers and hold all appropriate companies accountable when legal violations occur. The CFPB explained that using outside vendors can pose additional risks, particularly if a service provider is unfamiliar with consumer financial protection laws or has weak internal controls. The CFPB stated that it wants to ensure that consumers are protected from irresponsible service providers and that institutions are contracting with “honest” third parties.

In this issuance, the CFPB provided that a “supervised service provider” refers to the following entities supervised by the CFPB: (1) service providers to its supervised banks and nonbanks and (2) service providers to a substantial number of small insured depository institutions or small insured credit unions. The CFPB explained that it understands that financial institutions may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment. However, the CFPB went on to state that, depending on the circumstances, “legal responsibility” may lie with the financial institution as well as with the supervised service provider.

The CFPB cited Title X of the Dodd-Frank Act as its authority to examine and obtain reports for compliance with Federal consumer financial law and for other related purposes, and also to exercise its enforcement authority when violations of the law are identified. The CFPB noted that Title X also grants it supervisory and enforcement authority over supervised service providers, which includes the authority to examine the operations of service providers on site. The CFPB stated that it will exercise the full extent of its supervision authority over supervised service providers, including its authority to examine for compliance with Title X’s prohibition on unfair, deceptive, or abusive acts or practices. The CFPB also stated that it will exercise its enforcement authority against supervised service providers as appropriate.

The CFPB highlighted steps to be taken “to ensure that business arrangements with service providers do not present unwarranted risks to consumers.” Those highlighted steps include, but are specifically not limited to, the following:

  • Conduct thorough due diligence to verify that the service provider understands and is capable of complying with the law;
  • Request and review the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Include in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
  • Establish internal controls and on-going monitoring to determine whether the service provider is complying with the law; and
  • Take prompt action to address fully any problems identified through the monitoring process.

It is important for all financial institutions to have effective processes for managing the risks of third-party service provider relationships. These service providers may be affiliated with the financial institution and already part of examinations of the financial institution. In addition, ongoing examinations of affiliated and unaffiliated service providers are currently conducted on a rotating basis by the primary federal regulatory agencies of financial institutions. Additional scrutiny of these service providers by the CFPB should be helpful to financial institutions in the due diligence and related risk management processes regardless of whether the CFPB has direct supervisory authority over the financial institution. Those examination results and any resulting enforcement actions and/or corrective action can be part of the due diligence and ongoing monitoring of service providers in each financial institution’s risk management processes and documentation.

These issues have also been addressed in the PRINGLE Programs, particularly in the Internal Compliance Review and Unfair, Deceptive, or Abusive Acts or Practices topics in the Compliance Program and in the Electronic Banking, Internet, & Third Party Technology-Related Risk Management topic in the Safety and Soundness Program.


©PRINGLE® 2012

This Article was also published at Wolters Kluwer’s Compliance Headquarters™ website.