
CFPB Ups the Ante on Third Party Risk Management

With its broad focus on consumer protection, the Consumer Financial Protection Bureau (“CFPB”) is holding companies directly responsible for the actions of their service providers. Responding to consumer complaints about unfair and/or deceptive practices, the CFPB has handed out over $100M in penalties and fines in the past year. The new regulatory thrust on unfair, deceptive or abusive acts or practices (“UDAAP”) creates a new challenge for any entity that outsources services which require customer interaction.

Companies, particularly those in financial services, have become accustomed to assessing their vendors’ ability to provide suitable risk controls for information security and data protection. Vendor risk rating and risk scoring frameworks have been developed to determine how closely, and how often, vendor practices in these areas should be scrutinized and assessed. The focus on UDAAP adds a new element to vendor risk management: the need to extend vendor reviews into the vendor business practices and procedures that involve customer interaction. It is no longer sufficient to rely on contract provisions which require service providers to operate within appropriate guidelines. It is now necessary to conduct a level of due diligence that allows you to confirm that your vendors are capable of understanding and executing these requirements.

An informal survey of companies that have recently conducted pre-examination engagements reveals that they expect over 80% of CFPB scrutiny to be placed on vendor business practices related to consumer interaction, with the remaining 20% reserved for information and data security practices. While the CFPB has yet to provide meaningful guidance on how these vendor business practices are to be assessed, certain methodologies currently used to evaluate the adequacy of information and data security practices can be extended into this area:

  • Determine what training is provided to employees who interact with your customers
    • What training is provided at hiring?
    • Is training updated and at what frequency?
  • What is the extent of customer interaction?
    • Are additional products and services offered as part of customer service?
      • How are required disclosures addressed?
    • Are payments collected? How is payment information handled?
  • How is customer information obtained as part of customer service treated?
    • Are calls recorded for quality control? If so, customer privacy issues must be considered.
  • How are customer complaints handled?
    • Vendor contracts should include disclosure of customer complaints
  • Right to audit must now be extended to include vendor business practices

Perhaps the most important action you can take is to develop a dialogue with your service providers on how to collectively address this new regulatory focus. Being proactive will allow you to respond to this new area of regulatory scrutiny in a reasoned and timely manner.

Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad