January 14, 2016

Policies and procedures for managing third-party vendor relationships changed dramatically when the Consumer Financial Protection Bureau (CFPB) came up with a series of regulations in April 2012, and the Office of the Comptroller of the Currency (OCC) followed with an update in October 2013. Both regulators emphasized the same core principles pertaining to the effective management of third-party vendors. While it's been more than three years since the regulations came into effect, many banks still find it challenging to comply with these rules; some have even been fined for non-compliance.

It is important to understand the intent of these regulations and the consequences of non-compliance. Broadly, regulators require lenders to have policies and procedures in place for: (i) vendor management planning, (ii) standard guidelines for vendor selection, (iii) contract terms focused on data security and privacy, (iv) oversight mechanisms, (v) reporting, and (vi) periodic audit review plans.

In 2014, the CFPB fined a large regional bank for a violation under Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) due to its failure to efficiently oversee third-party activities. The bank had failed to maintain standard service-level agreements for vendors and was found to be lacking adequate monitoring and oversight capabilities. Another bank was ordered to pay USD 37.5 million in damages to mortgage consumers for being negligent in handling mortgage modifications and providing incorrect information, which led many distressed borrowers into foreclosures. In this case, the lender had outsourced servicing operations to a third-party vendor.

The CFPB emphasizes the need to have a risk-scoring model for vendors and monitor their activities with periodic on-premise visits. The focus must be on critical activities related to higher vendor reliance that have a direct impact on borrowers, such as disclosure preparations and presentments requiring lenders to transmit critical borrower and account information to a third party. Lenders' readiness for a regulatory examination with respect to data privacy and security standards also paves the way for a robust business and operations strategy.

Minesh Mudaliar is a business architect with the Lending Advisory Group of TCS’ Banking, Financial Services and Insurance (BFSI) business unit. He has more than 16 years of experience in the lending space and was a retail banker before joining TCS. Having worked on various projects for North American banking players, Minesh has built a strong expertise in the lending domain. He works closely with various TCS banking relationships for thought leadership and domain-related support.

