It’s been almost two years since the CFPB released Bulletin 2012-03 regarding Service Providers, and if you’ve been at an industry conference or trade show in the past year, you’ve probably attended a session that mentions service provider compliance. If you haven’t started your Compliance Management Program, including Service Provider/Vendor audits, by now, you should make it one of your 2014 goals. Vendors can expose your business to liabilities, which will roll up to your company.
In a press release from April 2012, the CFPB explains: “Consumers are at a real disadvantage because they do not get to choose the service providers they deal with—the financial institution does,” said CFPB Director Richard Cordray. “Consumers must not be hurt by unfair, deceptive, or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”
One mistake many companies make is incorrectly defining who their service providers are. Many think that only service providers that are performing collection activities, skip trace activities or legal activities are covered, but it reaches far beyond the scope of those service providers. You need to think about all of your suppliers, subcontractors and vendors that touch any of your consumer data.
According to the CFPB’s Bulletin, a Service Provider is generally defined as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service. A Service Provider may or may not be affiliated with the person to which it provides services.”
Or in layman’s terms – basically anyone you send consumer data to in order to perform their duties for you. Does this include data providers? Yes. Does this include skip trace providers? Yes. Does this include mail houses? Yep. How about telemarketers and marketing vendors? Yes and yes!
So now that you know who you need to monitor, what exactly do you need to monitor them for? Let’s go back to the CFPB’s Bulletin 2012-03 for more insight. In the section regarding service provider relationships, the Bulletin states: “A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship.” They further go on to state their expectations:
- The CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships. The CFPB will apply these expectations consistently, regardless of whether it is a supervised bank or nonbank that has the relationship with a service provider.
- Supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers. These steps should include, but are not limited to:
  - Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law
  - Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities
  - Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices
  - Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law
  - Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Unfortunately, there is no one audit procedure or list of questions the CFPB provides to help you with your service provider audits. The CFPB’s examination procedures give us some additional insight into what they will be looking for in their Affiliates and Third-Party relationships section of the manual:
- Determine whether the entity uses any service providers in conducting its debt collection activities. If so:
  - Identify who the service providers are, whether they are affiliated with the entity, and what services they perform, and
  - Assess whether the entity:
    - Requests and reviews the service providers’ policies, procedures, internal controls, and training materials to ensure that the service providers conduct appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
    - Includes in its contracts with its service providers clear expectations about compliance with Federal consumer financial laws as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
    - Establishes internal controls and on-going monitoring to determine whether its service providers are complying with Federal consumer financial law; and
    - Takes prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
During a recent InsideARM Webinar, industry expert John Bedard discussed compliance management systems and how to set those systems up. In part of his discussion he went over service provider requirements. From the questions that came in during that section of the program, it was clear that there is still much confusion surrounding service provider audits, and specifically, in identifying who needs to be audited. One attendee commented, “We have over 60 different vendors that we use in the normal course of business, do you mean we have to audit each and every one of them? That will be more than a full-time job!” The answer is yes, you have to know who is touching your consumer data, because as Director Cordray said – consumers don’t get to choose where their personal data is going, so you have to be the security guard on their behalf.
As a vendor who services the credit and collections industry, LexisNexis has received a wide range of questionnaires from our customers, ranging from 5 short questions in an email to a 21-page interactive fill-in-the-blank Word document. While the overarching theme is the same, there have been a lot of different interpretations of the CFPB’s requests relating to vendors. But the important thing is, those companies ARE doing something to monitor their vendors. Are you?
This article originally appeared in the latest issue of Know Your Debtor, a free quarterly newsletter focused on the U.S. consumer environment.