One Size Doesn’t Fit All – Updated Guidance from CFPB on Third-party Service Providers

Not every third-party vendor requires the same level of scrutiny, the Consumer Financial Protection Bureau made clear in its October 31 guidance update on risk management for third-party service providers. Supervised banks and non-banks have the “flexibility” to perform an inherent risk assessment on the third-party vendors to “allow appropriate risk management” of these relationships, the agency said.

“Some entities may have interpreted the bureau’s 2012 bulletin to mean they had to use the same due diligence requirements for all service providers no matter the risk for consumer harm,” the bureau said in an issue of its Supervisory Highlights publication (October 31, 2016). “As a result, some small service providers have reported that entities have imposed the same due diligence requirements on them as for the largest service providers.”

Instead, the new guidance indicates that the CFPB “expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed—its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with federal consumer financial laws and regulations.”

The CFPB continues to expect that supervised banks and non-banks properly oversee their respective service providers to ensure compliance with federal consumer financial law and to prevent consumer harm.

A service provider is defined as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” (Section 1002-26 of the Dodd-Frank Act (12 U.S.C. 5481(14))).  A supervised bank or non-bank entering into a relationship with a service provider isn’t absolved from liability for the service provider’s services. The supervised bank or non-bank may be liable for its service provider’s unfair, deceptive or abusive acts or practices towards consumers. The CFPB says that supervised banks and non-banks should take the following steps with service providers:

  • Conduct due diligence to ensure the service provider has the requisite knowledge and capacity to comply with federal consumer financial law;
  • Review the service provider’s policies, procedures, internal controls and training materials to ensure they provide for appropriate operations and oversight;
  • Draft contractual provisions with the service provider that provide “clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices”;
  • Establish internal controls and monitoring procedures for surveillance of the service provider to ensure service provider is abiding by Federal consumer financial law; and
  • “Promptly” react to identified problems, including terminating the relationship when necessary.

If you have any questions about the additional guidance from the CFPB, please let us know at