Third-Party Risk Management and CFPB Compliance | Key Requirements

BLOG 4 MINS | November 12, 2019
Third-Party Risk Management and the Consumer Financial Protection Bureau (CFPB)

The Consumer Financial Protection Bureau (CFPB) “makes sure banks, lenders, and other financial companies treat you fairly.” But how does that relate to third-party risk? To address the Bureau of Consumer Financial Protection (CFPB) third-party risk management guidance, organizations should understand the expectations as laid out in Compliance Bulletin and Policy Guidance; 2016-02, Service Providers.

The CFPB makes it clear where liability lies. As stated in the Compliance Bulletin and Policy Guidance; 2016-02, “a business relationship with a service provider (i.e. third party) does not absolve the supervised bank or nonbank of responsibility for complying with federal consumer financial law to avoid consumer harm.”

In this blog post, we’ll outline the key details of the CFPB third-party risk management guidance and provide recommendations for actioning these obligations.

Third-Party Risk Management Scope – Who Does the CFPB Supervise?
The CFPB guidance applies to “supervised banks and nonbanks.” These entities include:

1) Large insured depository institutions, large insured credit unions, and their affiliates (12 U.S.C. 5515); and
2) Certain non-depository consumer financial services companies (12 U.S.C. 5514).

Additionally, the CFPB uses the Dodd-Frank Act’s definition for service providers. So, under the CFPB guidance, service providers are “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.”

Want to learn more about how OneTrust Vendorpedia enables organizations to meet CFPB requirements? Request a demo today!

Third-Party Risk Management Key Clarification – Variable Risk Management
The CFPB reissued its guidance as the Compliance Bulletin and Policy Guidance; 2016-02 to clarify how supervised banks and nonbanks should manage third parties. The guidance emphasizes that not all service providers (i.e. third parties) are equal and that risk management may vary depending on the service being performed and “its size, scope, complexity, importance and potential for consumer harm.”

This paves the way for developing a risk appetite that takes into account size, scope, complexity, and potential for consumer harm. In practice, supervised banks and nonbanks break out risks in eight categories:

  • Compliance
  • Reputation
  • Strategic
  • Operational
  • Transaction
  • Credit
  • Country
  • Other Risks – requires context of the service provider relationship

Third-Party Risk Management Expectations – Avoiding Unwarranted Risks to Consumers
The CFPB has a number of expectations for supervised banks and nonbanks in relation to managing service provider risks. These steps are recommended to “limit statutory or regulatory violations and related consumer harm.”

As a best practice, supervised banks and nonbanks should implement the following steps at a minimum.

1. Due Diligence

Organizations should conduct due diligence on third parties to make sure that the service provider understands and is capable of complying with federal consumer financial law.

Use Vendorpedia Assessments & Due Diligence to configure workflows that simplify the process of sending questionnaires and identifying risks.

2. Reviewing

Organizations should request and review their service providers’ policies, procedures, internal controls and training materials. These policies should show that the service provider implements appropriate training and oversight of employees who have consumer interaction or compliance obligations.

Vendorpedia customers use the platform to build a third-party risk inventory that centralizes information enabling the swift review of policies, procedures, controls, and other security and privacy details.

3. Contract Management

Contracts should set out clear compliance expectations for service providers. Additionally, organizations should have appropriate and enforceable consequences for service providers that fail to meet their compliance responsibilities.

Within Vendorpedia, your organization can tie key contract terms to your service providers. Should a service provider fail to meet compliance requirements, your organization can protect itself from liability by providing evidence of contract terms in place.

4. Control Tracking & Ongoing Monitoring

Organizations should establish internal controls and ongoing monitoring practices to ensure they maintain oversight over their service providers.

Sync your service providers with the Global Risk Exchange to receive alerts when risks arise, meeting the ongoing monitoring provision.

5. Issue Resolution

When problems arise, organizations should have an action plan in place to promptly address issues. This includes having a service provider termination plan in place.

After identifying risks, OneTrust Vendorpedia enables your organization to create mitigation workflows, track risks over time, and execute a treatment plan, all through a central risk register.
