Financial institutions under Consumer Financial Protection Bureau supervision can be held liable for the conduct of their third-party vendors, the Bureau explained in a bulletin.
The CFPB “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm,” according to the bulletin.
The Bureau has supervisory and enforcement authority over these “supervised service providers” and expects that supervised banks and nonbanks have an effective process to manage the risks of service-provider relationships.
According to the CFPB, steps should include:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
- Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with the law; and
- Taking prompt action to address fully any problems identified through the monitoring process.