RISK MANAGEMENT FOR SERVICE PROVIDERS

I.          INTRODUCTION

The Consumer Financial Protection Bureau (CFPB) has reissued guidance to clarify that the depth and formality of the risk management program for service providers may vary depending upon the service being performed – its size, scope, complexity, importance and potential for consumer harm and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.

II.        SERVICE PROVIDER RELATIONSHIPS

The CFPB recognizes that the use of service providers is often an appropriate business decision for supervised banks. Supervised banks may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment.

However, the mere fact that a supervised bank enters into a business relationship with a service provider does not absolve the supervised bank of responsibility for complying with Federal consumer financial law to avoid consumer harm. A service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship. Depending on the circumstances, legal responsibility may lie with the supervised bank as well as with the supervised service provider.

III.       CFPB’S EXPECTATIONS

The CFPB expects supervised banks to have an effective process for managing the risks of service provider relationships. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank may be liable.

To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers. These steps should include, but are not limited to:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

Compliance Handbook Search

STAY CONNECTED

Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
402-474-1555
​Digital Millennium Copyright Act Policy