Financial institutions outsource functions related to consumer products and services for a variety of business reasons. Outsourcing to vendors (also known as service providers or third-party service providers) can allow a financial institution to focus more time and energy onmits particular strengths. Incorporating third parties into the business process can also add valuable technologies, business relationships, services, and other operational expertise. However, an outsourcing arrangement does not absolve a financial institution of the responsibility to ensure that its products and services comply with the law.
Recent actions of federal regulators demonstrate the need for financial institutions to renew their focus on the oversight of and responsibility for acts of their third-party vendors. Such recent actions include the issuance of updated regulatory guidance on third-party service provider management and a series of high profile enforcement actions against financial institutions as a consequence of vendor management issues. These enforcement actions have resulted in steep financial penalties, significant restitution requirements, and other business requirements.
In light of this heightened regulatory scrutiny and its potential consequences, prepaid card issuers need to implement vendor management policies that ensure vendors are not only capable of compliance but actually do comply with applicable law. A financial institution should also ensure that it has the ability to take appropriate action to remediate any identified violations, including termination of the vendor relationship, if necessary. For a prepaid card issuer, vendors may include program managers, data processors, card distributors, and card sellers.
Recent Regulatory Guidance
In April 2012, the Consumer Financial Protection Bureau (CFPB) issued a bulletin advising financial institutions to be cautious when selecting service providers and clarifying that the institutions could be held responsible for any violations committed by their service providers (see the June, 2012 issue of the Prepaid Law Wire). The bulletin signaled heightened regulatory scrutiny over financial institutions’ management of service providers, particularly in connection with the service providers’ consumer interactions. Among other things, the bulletin set forth the CFPB’s expectation that financial institutions will have “an effective process for managing the risks of service provider relationships.” The CFPB identified certain steps that should be taken to ensure that financial institutions’ business relationships with service providers “do not present unwarranted risks to consumers.” These steps include: (a) conducting due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law, (b) requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure it conducts appropriate training and oversight of employees and agents that have consumer contact or compliance responsibilities, and (c) establishing internal controls and ongoing monitoring to assess whether the service provider is complying with federal consumer protection laws. The bulletin is accessible at
http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf.
At the end of October 2012, the Federal Financial Institutions Examination Council (FFIEC) issued an updated “Supervision of Technology Service Providers Booklet” providing guidance to federal examiners, financial institutions, and technology service providers on the regulatory supervision of technology service providers. Among other things, the booklet stresses that financial institutions, including their management and board of directors, are ultimately responsible for ensuring that activities outsourced to service providers are performed in compliance with the law in a safe and sound manner. Concurrent with the FFIEC’s issuance of the updated booklet, the federal banking agencies issued “Administrative Guidelines – Implementation of Interagency Programs for Supervision of Technology Service Providers,” which describes the process for implementing the interagency supervisory program and includes the reporting templates utilized by examiners. The FFIEC Booklet is accessible at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_SupervisionofTechnologyServiceProviders(TSP).pdf. The Administrative Guidelines are available at http://ithandbook.ffiec.gov/media/153533/10-10-12_-_administrative_guidelines_sup_of_tsps.pdf.
Recent Regulatory Enforcement Actions
In July 2012, both the CFPB and OCC announced agreement with Urban Trust Bank. The agreement takes aim at the bank’s association with an unsupervised payday lender and the use of prepaid cards issued by the bank to facilitate payday lending. In a letter to the National Consumer Law Center, which alerted the OCC to concerns about the bank’s relationship with a payday lender, the OCC indicated that the relationship raised reputational, legal, compliance, and safety and soundness risks for the bank. In addition to requirements addressing payday lending issues and other bank shortcomings, the enforcement agreement imposes various conditions designed to address deficiencies in the bank’s oversight of vendors. The enforcement agreement is accessible at http://www.occ.gov/static/enforcement-actions/ea2012-190.pdf. The OCC letter to the National Consumer Law Center is accessible at http://www.nclc.org/images/pdf/high_cost_small_loans/letter-occ-check-smart-urban-trust-bank.pdf.
Also in 2012, the CFPB, jointly or concurrently with other federal banking agencies, announced major enforcement actions against financial institutions in which it cited the failure to adequately supervise vendors as a key or contributing factor. These enforcement actions resulted in steep financial penalties assessed against the financial institution. Of note in each case is the fact that the CFPB prohibited the financial institution from seeking indemnification from its vendor regarding the penalty, with the apparent intent of holding the financial institution directly responsible for the vendor’s violations. We summarize the key points in a couple of these actions below.
American Express
In October 2012, the CFPB announced enforcement actions, taken together with other federal financial regulators, against three American Express subsidiaries (American Express). These enforcement actions resulted from violations of law identified during a routine examination. The agencies found that American Express engaged in unlawful and deceptive card practices through multiple stages of the cardholder’s credit card experience, including marketing, application, enrollment, payment, and debt collection. The agencies also asserted that American Express engaged in unsafe and unsound banking practices relating to oversight of third-party providers, specifically citing the ineffective oversight and control by their board of directors and senior management of the compliance function, particularly with respect to vendors.
As a result of these enforcement actions, American Express was required to refund a total of $85 million to about 250,000 consumers, pay an aggregate penalty of $27.5 million, and, among other things, develop policies to maintain effective monitoring, training, record-keeping, and audit procedures to review each aspect of the agreements with service providers, as well as the services performed pursuant to these contracts. In addition, following the announcement of the enforcement actions, a shareholder filed a lawsuit against the board of directors of American Express Co. for failing to sufficiently oversee the credit practices resulting in the enforcement actions. The full text of the CFPB Consent Orders against American Express is available at http://www.consumerfinance.gov/pressreleases/cfpb-orders-american-express-to-pay-85-million-refund-to-consumers-harmed-by-illegal-credit-card-practices/.
Discover Bank
In September 2012, the CFPB and the FDIC jointly announced an enforcement action against Discover Bank (Discover). This enforcement action came as a result of a joint investigation in which the regulators identified unsafe and unsound banking practices and unlawful deceptive telemarketing and sales tactics used by Discover. Discover contracted with vendors to conduct outbound sales calls. The role of Discover’s vendors seemed to be one contributing factor. Among other things, this enforcement action requires Discover to refund a total of $200 million to about 3.5 million consumers, pay an aggregate penalty of $14 million, and implement a training and compliance program to monitor all vendors. The full text of the CFPB and FDIC Consent Order is available at http://www.consumerfinance.gov/pressreleases/discover-consent-order/.
The CFPB’s explicit advisory bulletin, the FFIEC’s supervision guidance, and the prominence of issues related to the management of vendor relationships in several recent enforcement actions highlight the increased focus on vendor management and the heightened need for banks to exercise diligence in monitoring such relationships and supervising the actions of their vendors. Failure to do so leaves institutions at risk of adverse regulatory findings and costly penalties.