Policies and procedures for managing third-party vendor relationships changed dramatically when the Consumer Financial Protection Bureau (CFPB) issued a series of regulations in April 2012, and the Office of the Comptroller of the Currency (OCC) followed with an update in October 2013. Both regulators emphasized the same core principles for the effective management of third-party vendors. Although it has been more than three years since the regulations came into effect, many banks still find it challenging to comply with these rules; some have even been fined for non-compliance.
It is important to understand the intent of these regulations and the consequences of non-compliance. Broadly, regulators require lenders to have policies and procedures in place for: (i) vendor management planning, (ii) standard guidelines for vendor selection, (iii) contract terms focused on data security and privacy, (iv) oversight mechanisms, (v) reporting, and (vi) periodic audit review plans.
In 2014, the CFPB fined a large regional bank for a violation under Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) due to its failure to effectively oversee third-party activities. The bank had failed to maintain standard service-level agreements for vendors and was found to lack adequate monitoring and oversight capabilities. Another bank was ordered to pay USD 37.5 million in damages to mortgage consumers for negligence in handling mortgage modifications and for providing incorrect information, which led many distressed borrowers into foreclosure. In this case, the lender had outsourced servicing operations to a third-party vendor.
The CFPB emphasizes the need to have a risk-scoring model for vendors and to monitor their activities with periodic on-site visits. The focus must be on critical activities that involve higher vendor reliance and have a direct impact on borrowers, such as disclosure preparation and presentment, which require lenders to transmit critical borrower and account information to a third party. Lenders' readiness for a regulatory examination with respect to data privacy and security standards also paves the way for a robust business and operations strategy.