For more than a decade, regulators have been reminding banks of their responsibility to ensure that third-party service providers comply with federal laws. Last July, that message got louder when the Consumer Financial Protection Bureau (CFPB) announced the results of its first public enforcement action: a consent order under which Capital One agreed to refund at least $140 million to two million customers and pay $25 million to the agency’s Civil Penalty Fund.
According to the bureau, Capital One violated the Dodd-Frank Act by failing to implement a compliance program effective enough to prevent its third-party call centers from engaging in deceptive practices. But even before Capital One, regulatory agencies were announcing that they would begin to enforce federal consumer financial law to the fullest extent of their authority.
One reason for this has been a general increase in the world’s focus on consumer protection since the mortgage crisis, but it is also a response by regulators who have watched an industry outsource more of its core operations. In the past, banks and other financial services firms relied on outside companies mainly for peripheral services like printing, record storage and transaction processing. But in recent years, cost advantages have driven them to delegate other important functions. Many companies now depend on third parties to prepare mandatory disclosures, conduct compliance reviews and sell products to consumers.
Moreover, financial services firms now routinely contract outside companies to market new services that these institutions did not develop internally, such as investment and insurance options. More than ever, third parties are performing more-regulated functions, and firms must be cognizant of the compliance risks involved. And there are a lot of them.
Every segment of the financial sector is subject to the oversight of myriad regulatory authorities. Some are public agencies, and others are private organizations, such as the Financial Industry Regulatory Authority and the national securities exchanges. Dodd-Frank created the newest of these regulatory bodies, the CFPB, and charged the agency with enforcing the whole of federal consumer financial law, deriving from no fewer than 19 different legislative acts.
To nobody’s surprise, this has led to confusion. So in an effort to minimize inconsistency, the CFPB entered into memoranda of understanding with other governmental entities, including the Federal Trade Commission and the Department of Justice, to coordinate their enforcement efforts.
Fortunately for financial-sector companies, a number of governmental entities, including the FDIC, the Federal Reserve Bank of New York and the CFPB, have offered guidance that should help banks maintain oversight of their third-party service providers. These recommendations generally propose a four-phase process involving due diligence, policy examination, contract review and control creation.
As part of the Capital One consent order, the company agreed to implement a compliance plan within these guidelines, but financial services organizations need not wait for a CFPB enforcement action. In addition to considering the consent order and referring to the bureau’s “Supervision and Examination Manual,” organizations can create a process to monitor this risk by following these six steps.
1. Develop an Understanding of Federal Consumer Financial Law
Without a thorough knowledge of the laws and regulations that apply to the work that third parties perform, banks and other financial services firms cannot hope to control their third-party compliance risk. The breadth of federal consumer financial law can be overwhelming, but, given the CFPB’s mandate and its enforcement priorities, financial services organizations should certainly understand the operation of key statutory provisions.
The key areas to examine are Dodd-Frank’s Section 1031 (which prohibits unfair, deceptive or abusive practices in connection with consumer transactions for financial products and services), and Section 5 of the Federal Trade Commission Act (which prohibits unfair and deceptive practices more generally). For an introduction to the scope of federal consumer financial law, firms should refer to the CFPB manual’s examination procedures for each piece of legislation that the bureau enforces.
2. Identify Products & Services Prone to Consumer Protection Issues
The effort required to understand federal consumer financial law will equip financial services organizations to identify the products and services that carry the greatest compliance risk. As the CFPB continues its Dodd-Frank enforcement activity, firms should conduct an ongoing comparative study of those organizations that fail CFPB examinations and those that are able to avoid compliance issues.
For instance, Capital One teaches that offering add-on products to consumer credit cards, such as payment protection and credit monitoring, presents a great risk of service provider noncompliance. Banks should be especially cautious regarding offers that are part of the card-activation process or those that are selectively marketed to consumers that have a low credit score.
In addition to following CFPB enforcement actions, banks and financial services firms should monitor the nature of the complaints that the CFPB receives to anticipate future regulatory scrutiny. (The agency maintains a public record through its Consumer Complaint Database.)
3. Investigate Third Parties That Offer Those Products and Services
Identifying consumer risk should help financial services firms investigate potential service providers. Organizations must review third parties’ operating histories to determine whether they have a record of regulatory noncompliance or other consumer service issues.
Capital One could have vetted its call centers to determine whether other financial services firms had experienced problems with representatives abiding by their sales scripts or received a high volume of consumer complaints. The bank could also have searched court records to determine the frequency with which the call centers found themselves defending consumer lawsuits related to their practices.
4. Assist in the Development of Third-Party Controls
After conducting their due diligence, financial services organizations should engage third parties in a discussion of the their compliance policies and procedures. Firms should consider taking an active role in assisting them develop a program in accordance with federal consumer financial laws and regulations.
While Capital One developed scripts for its call center representatives to use in marketing its products to consumers, there is no evidence that the call centers trained their representatives in what not to tell Capital One’s consumers regarding the terms and conditions of the add-on services.
5. Create Compliance Obligations and Adjust Incentives
When negotiating with third parties that will interact with consumers, banks and other financial services firms must be sure that their contracts protect them from compliance risk. In addition to clear indemnification provisions, organizations should consider structuring the third-party relationship to promote compliance.
The CFPB’s findings in the Capital One case suggest that the call center representatives were compensated for the number of add-on sales that they made, which may have created an incentive for those representatives to mislead consumers. To decrease the risk of consumer harm, Capital One could have negotiated for terms governing the call center representatives’ compensation based on the result of consumer surveys or some other measure of satisfaction to encourage compliance.
6. Establish Procedures to Monitor Compliance
It is not enough for financial services organizations to rely on due diligence, third-party controls and contractual obligations to protect themselves from the risk of service providers violating federal law. Rather, financial services firms need to create their own comprehensive programs designed to monitor third-party compliance with formal reporting mechanisms and revisit these policies regularly. Preferably, these efforts will emulate the examination procedures set forth in the CFPB supervision manual.
As Capital One demonstrates, the CFPB wants financial services organizations to implement systems that promote compliance by every entity in their chain of services. Fortunately, if financial services organizations abide by the first five steps of this plan, they are well on their way toward maintaining effective oversight. That, more than anything, should help financial firms avoid the costly penalties that other banks have been forced to pay.