CFPB Examination of Third Parties—Am I Still My Vendor's Keeper? - Steven W. Pearlman, April A. Breslaw, and Agnes Bundy Scanlan

Mortgage Operations and Compliance Industry Insights
August 2017

Regulators continue to revise their approach to the oversight of banks’ technology vendors and other third-party service providers, to align with the rapidly changing financial services industry and the growth of regulatory technology (RegTech) solutions for managing compliance risk. As a first step, the Consumer Financial Protection Bureau (CFPB) and other regulators have been reemphasizing financial institutions’ responsibility to oversee compliance of the vendors and advanced technologies on which they increasingly rely. These expectations are explored in detail in the recent Treliant Industry Advisory: Regulators Escalate Calls for Third-Party Oversight. The second shoe recently dropped, as the CFPB shared its development of a pilot Service Provider Examination (SPE) Program, through which the bureau is directly supervising vendors providing technological support to facilitate compliance. Because oversight of the mortgage industry is a CFPB priority, the bureau’s examination program encompasses direct CFPB supervision of key mortgage industry vendors. These likely include makers of mortgage Loan Origination Systems (LOS) and mortgage servicing systems. Carrying out these examinations will position the bureau closer to the root cause of a significant source of risk to consumers and the financial institutions that serve them. But what does this new development mean for financial institutions?

The CFPB’s SPE Program could lead many to wonder whether their institution’s oversight of consumer risk should change. To answer this question, we need to review what we know about the new CFPB program and to understand a financial institution’s responsibilities for third-party supervision and consumer protection.

Interpreting the CFPB’s Intent
The CFPB addressed the significant role that vendors play in financial services in the April 2017 edition of its Supervisory Highlights publication, underscoring “the potential risks to consumers posed by large service providers which provide technological support to facilitate compliance with consumer financial law, including software packages, electronic system platforms, and other types of technology tools.” Further, the bureau announced that it was conducting “baseline reviews of some service providers” and “focusing on service providers that directly affect the mortgage originations and servicing market.”

While the CFPB did not specify the type of mortgage vendors it is focusing on, we can make an educated guess by understanding the CFPB worldview. The guidance the bureau provides in its supervisory manual on examination scheduling for non-depository consumer financial services companies likely provides insight into how the CFPB will choose which vendors to examine. In this context, the bureau has explained that the non-depository institutions “will be identified for examination on the basis of risks to consumers, including consideration of the company’s asset size, volume of consumer financial transactions, extent of state oversight, and other factors determined relevant by CFPB.” The bureau has further explained that it considers “risks inherent to the supervised entity’s operations and offering of financial consumer products within that market,” specifically noting the risks to consumers in business-to-business transactions, which would presumably include financial institutions’ relationships with vendors. Through its examination activities, collaboration with other regulators, and interactions with the industry, the CFPB has access to information about the compliance risks posed by key mortgage vendors. We expect that the bureau would use this information to set its examination priorities. In addition, the CFPB’s risk analysis would almost certainly include an analysis of complaints. The bureau has traditionally focused on consumer complaints. But as the SPE Program matures, the CFPB might also consider complaints about consumer compliance issues raised by financial institutions using these vendors. As a result, the bureau could potentially play a significant role in situations where multiple institutions are struggling with the same vendor.

So, which vendors might the CFPB examine in the mortgage industry? The bureau’s Supervisory Highlights references “large service providers which provide technical support to facilitate compliance with Federal consumer law, including software packages, electronic system platforms, and other types of technical tools.” Applying this description to mortgage origination and servicing, we imagine that the CFPB might review the following types of vendors:

[Figure: groups affected by CFPB third-party reviews]

The CFPB has also provided some hints about the possible nature of its examinations. First, the bureau presented a clear description of the risk from vendors that it is likely to monitor through examination, when explaining that “compliance risks in an entire market may be heightened when regulatory compliance is not considered and integrated throughout the development lifecycle, change and configuration of these compliance systems.” Second, the CFPB described its baseline reviews as including learning about vendors’ Compliance Management Systems (CMS). Given the CFPB’s long-term focus on CMS, it is also likely to scrutinize third-party arrangements in which a vendor operates a CMS for a bank or other lender. This would be consistent with the CFPB’s articulated standards for CMSs that financial institutions operate themselves (CFPB Supervision and Examination Manual v.2 2012, Compliance Management Review). Regardless of how responsibilities are divided, we expect such examinations to focus on how a CMS mitigates the risk that a firm is not giving appropriate attention to consumer or regulatory compliance or not integrating those requirements into its tools.

Setting Financial Institution Expectations

So what does this tell us about financial institutions’ oversight of vendors providing compliance technology and services? First, we do not expect the SPE Program to relieve a financial institution of its obligation to oversee its vendors, as the CFPB has been clear that outsourcing does not relieve a financial institution of its compliance obligations. The bureau reiterated this perspective in announcing the SPE Program, when stating that it would continue to evaluate institutions’ oversight of their vendors in CMS reviews. And the CFPB has joined with the other agencies in the Federal Financial Institutions Examination Council (FFIEC) in revising the consumer compliance rating system to explicitly consider the quality of a company’s third-party oversight as ratings are assigned.

We do believe that the CFPB has provided some guidance on how an institution should exercise its oversight responsibility. Consistent with this guidance, we recommend that an institution’s oversight program include a CMS review of vendors that provide technology to support compliance. Such a review should include an analysis of how the vendor’s CMS manages regulatory changes throughout the entire lifecycle of the compliance system so as to minimize the risk of consumer harm. In addition, while conducting the CMS review, an institution should also ensure that whatever CMS framework it uses can be mapped to the CMS expectations of the CFPB. As vendors face their own CFPB examinations, they may become more attuned to these expectations.

The Final Analysis
Overall, the news is mixed. On the one hand, you are still your vendor’s keeper and you should make certain that you are considering your vendor’s CMS program. On the other hand, you now have an ally in the CFPB in overseeing third-party consumer protection—and could possibly leverage that ally to resolve vendor issues you have been struggling to address.

Agnes Bundy Scanlan
Agnes Bundy Scanlan, a Senior Advisor with Treliant Risk Advisors, has a long and distinguished career in global regulation, risk management, and compliance. Her experience includes the creation, development, and execution of numerous global compliance programs for some of the country’s largest financial institutions. 
April A. Breslaw
April Breslaw is a Senior Advisor with Treliant Risk Advisors. She has held multiple leadership positions at federal financial regulatory agencies, including Deputy Assistant Director, Office of Supervision Policy, at the Consumer Financial Protection Bureau (CFPB), which she joined as it was being built in 2010.