We’re starting to see contractual changes and additional requests from clients asking us for more and more as it relates to CFPB and OCC requirements, so we did some research we thought may be interesting to those in a similar position. We reviewed and analyzed CFPB 2012-03 (dated April 13, 2012), and the idea is that CFPB is monitoring banks and certain non-banks to make sure they have an effective process for managing the risks of service provider (SP) relationships. To limit potential harm to consumers, these entities must monitor service providers and:
- Conduct diligence to verify that the SP is capable of complying with federal consumer financial law.
- Request and review SP’s materials to ensure SP conducts appropriate training of employees with compliance responsibilities.
- Include clear expectations about compliance in the SP contract as well as consequences for violation of compliance-related violations.
- Establish internal controls to make sure SP is complying with federal consumer financial law.
- Take prompt action for any compliance-related issues.
The Office of the Comptroller of the Currency (OCC) has similar requirements for banks and their third-party service providers. Here are “highlights” from OCC 2013-29 (dated October 30, 2013):
- A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
- A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
- An effective risk management process throughout the life cycle of the relationship includes:
- Plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
- Proper due diligence in selecting a third party.
- Written contracts that outline the rights and responsibilities of all parties.
- Ongoing monitoring of the third party’s activities and performance.
- Contingency plans for terminating the relationship in an effective manner.
- Clear roles and responsibilities for overseeing and managing the relationship and risk management process.
- Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
- Independent reviews that allow bank management to determine that the bank’s process aligns with its strategy and effectively manages risks.
The language cited below is one of many factors in the risk management process. Here is what OCC 2013-29 states about that process: “The OCC expects a bank to have risk management processes that are commensurate with the level of risk and complexity of its third-party relationships and the bank’s organizational structures”.
Therefore, the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that:
- Could cause a bank to face significant risk if the third party fails to meet expectations.
- Could have significant customer impacts.
- Require significant investment in resources to implement the third-party relationship and manage the risk.
- Could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought “in-house.”
Ultimately, these are suggested factors in the risk management process so it is up to the bank to determine what the process should be compared to the level of risk and complexity of the third-party relationship.
OCC 2014-37 (dated August 4, 2014) is risk management guidance on consumer protection requirements and the application of debt-sale arrangements.