Why should a Third Party Service Provider (TPSP) care about consumer protection regulatory issues? Because your client cares, and your client's examiners and regulators care.
Examiners and regulators are holding financial institutions accountable for the actions of their TPSPs through enforcement actions, regulatory requirements and examinations. In turn, financial institutions are requiring their TPSPs to meet consumer protection requirements for functions performed on behalf of the supervised financial institution.
Post Dodd-Frank, the industry has seen increased focus on third party risk across vertical segments, including health care, financial services and other regulated industries. Concerns about privacy, cyber security, data protection, cloud computing and ethical marketing have all been heightened, and consumer protection most of all.
Since July 2012, enforcement actions from the Consumer Financial Protection Bureau (CFPB) and other federal prudential regulators have resulted in $430 million in refunds to consumers and over $100 million in penalties. The focus has been on unfair, deceptive or abusive acts or practices (UDAAP) affecting consumers.
In some instances, these practices were performed by TPSPs, and the financial institution was held accountable for the actions of its TPSP. The result has been amplified oversight by financial institutions of their TPSPs.
In addition, regulatory requirements for vendor management have been issued by the CFPB, FFIEC and OCC, requiring greater oversight. Expect to see this oversight manifested in contract requirements, increased focus on operational risk, on-site audits, and scrutiny of call center operations.
Questions to ask your service providers (or yourself if you are a TPSP) include:
If the answer is yes, then your TPSP needs to be aware of consumer protection requirements, and you need to ensure that your TPSPs cause no harm to your accountholders. This includes conducting due diligence to verify that your TPSP understands, and is capable of complying with, federal consumer protection law.
Due diligence includes review of service providers’ policies, procedures, controls and training materials for processes with direct customer interaction. Your TPSP contract should address expectations and enforcement consequences for violations, including UDAAP issues.
You should establish controls and on-going monitoring to determine whether your service provider is complying with these requirements and take prompt action to address problems, including termination of the relationship where appropriate.
The bottom line is enhanced scrutiny of consumer-facing practices, so that service providers do no harm to consumers. Look at your own practices with consumers, and expect the same scrutiny from your clients, regulators and examiners.
Linnea Solem is the Vice-Chair of the Shared Assessments Program and is the Chief Privacy Officer and Director of Business Risk & Privacy Management for Deluxe Corporation. Linnea is a management professional with 20+ years of financial services experience in areas including eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe's compliance initiatives for Y2K, GLB, Check 21, and Red Flags legislation.