On April 13, 2012, the Consumer Financial Protection Bureau (CFPB) released Bulletin 2012-03, which stated that the CFPB will expand its examination scope beyond supervised institutions themselves and examine their service providers as well. If the CFPB believes that service providers are not complying with a consumer financial services law, or are committing a UDAAP violation when interacting with the supervised institution’s customers, the CFPB plans to hold both companies accountable.
According to CFPB Director Richard Cordray, holding both companies accountable makes sense since “[c]onsumers are at a real disadvantage because they do not get to choose the service providers they deal with—the financial institution does” and “[c]onsumers must not be hurt by unfair, deceptive or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.” In the bulletin, the CFPB defined the term “service providers” to include both “service providers to supervised banks and nonbanks (12 U.S.C. § § 5515, 5514),” as well as “service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. § 5516).”
Other banking regulators have had guidance in place for years relating to a bank’s use of third-party service providers. E.g. FDIC guidance here and here; OCC guidance here. Traditionally, however, unless a major problem has been identified with the service provider, the OCC and FDIC do not directly examine service providers.
In this announcement, the CFPB seems to be signaling that it actually will directly examine service providers as a matter of course. This means that service providers to supervised institutions need to prepare themselves now for the possibility of either an examination by the CFPB and/or a increased scrutiny and examination by supervised institutions themselves, in preparation for the institutions’ own CFPB examinations. Indeed, the CFPB stated in the bulletin that it “expects” supervised entities to conduct such audits of their service providers. As a result, service providers could end up investing significant time and resources in responding to an examination even if not directly subject to CFPB supervision under Dodd-Frank. In particular, service providers who have never undergone any type of significant regulatory examination before may find the prospect of facing examination to pose an unknown and sizeable challenge.
Service providers in the consumer financial services space are all well-advised to identify and address any potential deficiencies in their compliance with consumer financial services laws and UDAAP concerns now rather than later in light of the CFPB’s recent pronouncement. Importantly, Ballard Spahr’s Consumer Financial Services Group already is involved with advising supervised institutions as well as service providers in connection with active CFPB examinations and internal compliance assessments. Please contact any member of our Consumer Financial Services Group if you believe your institution could benefit from our expertise and experience with the CFPB.