The Consumer Financial Protection Bureau (“CFPB” or “Bureau”) published a bulletin clarifying that it “expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law” on April 13, 2012.

This bulletin signals that the Bureau is focusing its supervision and enforcement efforts on both direct providers of consumer financial products and services and their service providers, including companies involved in advertising and marketing, lead generation and affiliate marketing, fulfillment, other back-office services, and customer service.

The bulletin makes clear that the CFPB views the use of service providers as “often an appropriate business decision,” but that entering into a business relationship with a service provider “does not absolve” the supervised entity of responsibility for complying with Federal consumer financial law to avoid consumer harm.  In addition, the bulletin states the Bureau’s expectation that supervised financial institutions have an effective process for managing the risks of service provider relationships.

According to the Bureau, “[a] service provider that is unfamiliar with the legal requirements applicable to the products or services being offered, or that does not make efforts to implement those requirements carefully and effectively, or that exhibits weak internal controls, can harm consumers and create potential liabilities for both the service provider and the entity with which it has a business relationship.”

The CFPB recommends that supervised financial institutions take steps to ensure that business arrangements with service providers do not present unwarranted risks to consumers.  According to the CFPB, these steps include:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law;
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law; and
  • Taking prompt action to fully address any problems identified through the monitoring process.

Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act authorizes the CFPB to examine and obtain reports from supervised banks and nonbanks for compliance with Federal consumer financial law and for other related purposes and also to exercise its enforcement authority when violations of the law are identified.  Title X also grants the CFPB supervisory and enforcement authority over supervised service providers, which includes the authority to examine the operations of service providers on site.