Think your bank is compliant and following the law? You can’t be sure unless you’re closely monitoring your vendors.
That’s a lesson Santander Bank learned the hard way. Earlier this summer the Consumer Financial Protection Bureau (CFPB) slapped the bank with a $10 million fine for illegal overdraft practices—even though not a single one of its employees violated Reg E.
The source of the violation: Santander’s vendor.
Reg E’s Opt-In Rule requires that financial institutions get consumers’ opt-in consent before charging overdraft fees. According to the CFPB, the vendor ignored those rules, used deceptive practices to enroll customers in the bank’s overdraft program without consent, and misrepresented the cost of the service.
“Santander tricked consumers into signing up for an overdraft service they didn’t want and charged them fees,” said CFPB Director Richard Cordray in a statement.
Unfortunately for Santander, a bank can’t outsource responsibility for following laws and regulations. Regulators including the FDIC, the OCC, the Federal Reserve and the CFPB have made it clear that a financial institution’s board and senior management are ultimately responsible for the activity of its vendors—including compliance with laws and regulations. Part of a strong vendor management program is monitoring vendors to ensure they are compliant.
The CFPB found that Santander didn’t do enough to identify and stop these practices. While Santander briefly stopped the program when it found violations in 2010, it started back up again within days, according to the consent order, and it failed to find violations that continued through 2014. Meanwhile, Santander rewarded the vendor financially for hitting “specified sales targets.”
It’s a problem Santander won’t have again any time soon. The bank is now banned from using vendors for their overdraft services to customers. The CFPB is also making the bank update its vendor management policies for consumer communications—something you’d hope Santander had already undertaken on its own to prevent future problems.
Make sure your institution is limiting its exposure to risk—and possible fines—by including vendor monitoring and due diligence in its vendor management program. A careless vendor can cost you.