How to Manage Vendor CFPB Compliance

NOTE: This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case.

This past July marked the sixth anniversary of the creation of the Consumer Financial Protection Bureau (CFPB). Those six years brought large and sweeping changes to the regulatory and administrative environment in which financial institutions operate, all aimed at protecting the consumer from unfair or deceptive practices by the institutions and businesses that provide financial services. The regulations put forth by the CFPB apply not only to the financial institutions themselves, but also to the vendors those institutions use to help perform financial services.

In the past, vendor compliance was managed contractually. When a contract with a vendor was created, the financial institution made sure the contract contained wording that required the vendor to maintain CFPB compliance. In other words, compliance risk and responsibility were transferred to the vendor. That changed in 2012.

Now the financial services provider (you) is responsible for the compliance of its vendors as well. In its April 13, 2012 bulletin, the CFPB stated that it “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law” and that “depending on the circumstances, legal responsibility may lie with the supervised bank or nonbank, as well as with the supervised service provider”. In other words, the CFPB expects you (the financial services provider) to oversee your vendors in a manner that ensures compliance with Federal consumer financial law. You can no longer simply put a compliance clause in the vendor contract and then wash your hands of the matter.

As stated by the CFPB, this obligation includes, but is not limited to:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law.
  • Requesting and reviewing the service provider’s policies, procedures, internal controls and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive or abusive acts or practices (UDAAP).
  • Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law.
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

To be safe, a best practice is to assume that any vendor with whom you are contracted that plays a role in the debt servicing process may be deemed to be a “service provider” and therefore should be managed as such. Consequently, vendor agreements that you put together with them should (1) contain or expressly incorporate written policies and procedures crafted to ensure vendor compliance with consumer financial protection laws and regulations, (2) establish a regular reporting procedure to document vendor compliance and (3) provide for periodic auditing of the vendor to confirm compliance.

Taking these actions is no guarantee of safety. However, they would, in the event of a CFPB action, go a long way toward showing good faith on the part of the financial institution and provide the ability to respond quickly and completely to any CFPB inquiries.

The CFPB has no tolerance for non-compliance; if one of your vendors is found to be non-compliant, fines and penalties can be levied against you. So take these words to heart and take extensive steps to ensure your vendors are compliant at all times.

BillingTree’s payment processing software is fully compliant with PCI-DSS, HIPAA and SSAE-16 standards, so you can rest assured that financial transactions are being performed in full compliance. If you would like more information, contact BillingTree at 877-424-5587.