Regulators Re-Focus on Third Party Service Providers

May 22, 2012 at 2:16 pm

Regulators are putting supervised institutions on alert that they will be examined on their oversight and control of all third party service providers. While supervised institutions have traditionally been expected to oversee their third party service providers, these obligations were expanded by Dodd-Frank, and many supervised institutions are not doing enough.

On April 16, 2012, the Consumer Financial Protection Bureau (CFPB) issued a bulletin (the CFPB Bulletin) reminding supervised institutions of their obligations and responsibilities over third party service providers. A copy is available at:

The CFPB Bulletin emphasizes that the supervised institution is primarily liable for compliance with applicable law and that engaging a third party service provider does not absolve the supervised institution from liability. The supervised institution is expected to manage the risk of engaging third party service providers by conducting thorough due diligence, reviewing the third party service provider’s policies and procedures and ensuring it is adequately training and overseeing those persons that have consumer contact or compliance responsibilities, including clear expectations in the written contract, establishing internal controls to ensure the third party service provider is complying with applicable law, and taking prompt action to address issues discovered during the monitoring process, including terminating the relationship. For a more specific understanding of the CFPB’s expectations, supervised institutions are directed to review the CFPB’s Supervision and Examination Manual: Compliance Management Review and Unfair, Deceptive, and Abusive Acts or Practices, available at:

In addition, on May 2, 2012, the Board of Governors of the Federal Reserve System (the FRB) held a live webinar titled “Vendor Risk Management-Compliance Considerations” that further emphasized oversight and control of third party service providers. Copies of the slides and a recording of the webinar are available at:

In the webinar, the FRB emphasized that supervised institutions were expected to oversee third party service providers as they would any other division of their own institution. The FRB recognized that use of third party service providers is common to reduce costs, enhance performance, obtain access to specific expertise, and increase product offerings, but that use of them creates reputational, operational, transactional, credit, and compliance risk for the institution that must be adequately managed. The FRB highlighted common compliance issues such as overreliance on third parties, failure to understand and retain knowledgeable staff to understand and monitor risks, failure to monitor the third party service provider, failure to provide the third party service provider enough information necessary to perform, and failure to verify that the third party service provider’s activities comply with applicable law. The FRB concluded by outlining best practices for use of third party service providers:

  • Thorough due diligence prior to selecting a third party service provider (including references from other supervised institutions doing business with the third party service provider, financial information, and the background of third party principals)
  • Preparing a detailed risk assessment and instituting processes and procedures to minimize those risks
  • Ensuring the contract with the third party service provider includes expectations concerning compliance with consumer protection laws and regulations
      - Specific terms to reduce risk should be included based on the supervised institution’s detailed risk assessment
      - Ability to receive proof of compliance (including audit rights and monitoring of the third party service provider and any of its vendors)
  • Implementing a comprehensive monitoring program (frequency and depth based on the risk assessment, but noting that all third party service providers require some level of monitoring)
  • Implementing training for those conducting monitoring to ensure they understand risks and receive regulatory updates
  • Tracking consumer complaints
  • Ensuring the board of directors receives due diligence regarding the third party service provider, monitoring reports, and training in order to properly oversee risks (the board must be active in these risk decisions)

What this means for you: Supervised institutions should immediately look at relationships with their third party service providers and assess risks, evaluate existing contracts, and institute internal policies and procedures to move toward compliance.

Please note that this e-alert is for informational purposes only. The information contained herein is provided only as a service to the public, and is not legal advice or a substitute for legal counsel, nor does it constitute advertising or a solicitation.


Produced & Maintained By Stinson Leonard Street


A legal resource for Banking & Financial Services

