The New Paradigm in Vendor Management Under the CFPB

Baker Donelson

This past July marked the fifth anniversary of the creation of the Consumer Financial Protection Bureau (CFPB), a period marked by sweeping changes to the regulatory and administrative environment in which financial institutions in this country operate, not least in regard to their relationship with the third-party vendors that routinely aid them in providing financial products and services to consumers. Title X of the Dodd-Frank Act authorizes the CFPB to (a) obtain and examine reports from supervised banks and nonbanks for compliance with Federal consumer financial law "and for other related purposes," and to exercise enforcement authority when violations are identified; and (b) to exercise supervisory and enforcement authority over supervised service providers, including the authority to examine their operations on-site. The extent of this authority, however, has not yet been judicially determined, leaving supervised financial institutions to rely upon the pronouncements of the CFPB itself to ascertain the scope and requirements of its oversight.1

What the CFPB Is Watching

When it comes to compliance standards, the CFPB's website states that its Supervision and Examination Manual (Manual) "is our guide for examiners to use in overseeing companies that provide consumer financial products and services. Our manual describes how the CFPB supervises and examines these providers and gives our examiners direction on how to determine if companies are complying with consumer financial protection laws." Under the CFPB's guidelines, all officers, employees and audit personnel should receive specific, comprehensive training that reinforces and helps implement written policies and procedures. This training must include requirements for compliance with Federal consumer financial laws,2 including prohibitions against unlawful discrimination and unfair, deceptive, and abusive acts and practices. The training therefore cannot be limited to the board and management, but must be received by each person in the company, specifically tailored as appropriate to the function that they individually perform. Moreover, the training must be adaptive over time, revised to respond to new regulatory requirements, newly offered products or services, and new marketing or distribution channels.

Who The CFPB Is Watching

The CFPB has since extended this obligation to cover the conduct of third parties. In its April 13, 2012 bulletin, the CFPB stated that "[s]upervised banks and nonbanks are expected to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer law" and that "[d]epending on the circumstances, legal responsibility may lie with the supervised bank or nonbank, as well as with the supervised service provider." This obligation includes, but is not limited to:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law.
  • Requesting and reviewing the service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive or abusive acts or practices (UDAAP).
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law.
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

Examples of how seriously the CFPB takes the foregoing obligation may be found in multiple enforcement actions taken in the past year. In In re U.S. Bank, N.A., the CFPB brought an action against U.S. Bank based upon the conduct of Affinion, a third-party vendor. Specifically, U.S. Bank marketed identity protection products, including credit monitoring and credit retrieval services, and referred interested customers to Affinion, which offered for sale, sold and administered the products pursuant to agreements with U.S. Bank. The consent order found that U.S. Bank's customers who enrolled for the products were required to provide sufficient written authorization, as required by the FCRA, but found that in many cases some time passed before the written authorization was obtained, or the authorization was never obtained at all, or the authorization could not be processed by the credit reporting agencies because they were unable to match the customer's identification information with the agency's own records. As a result, customers were billed the full fee for the products even when they were not receiving all of the advertised benefits of the product. U.S. Bank itself was held liable because its service provider management and quality assurance procedures failed to prevent, identify, or correct the billing for services that were not provided. Consequently, in addition to being ordered to take corrective actions, including, but not limited to, regular on-site audits of Affinion, U.S. Bank was ordered to reserve approximately $48 million for restitution redress payments, and was fined a further $5 million.

In In re Guarantee Mortgage Corporation, GMC was found to be in violation of consumer financial laws for improperly compensating a third-party marketing firm based upon resulting loan originations. The consent order permanently enjoined GMC, its officers, agents, employees and attorneys from making or receiving compensation payments for loan originations in violation of TILA, and imposed a civil fine of $228,000.00. More significantly, recognizing the insolvency of GMC, the order made the fine payable by the owners of GMC to the extent that the company itself could not pay the fine.

Finally, in In re Citibank, N.A., Citibank was found liable as a result of the conduct of Citicorp Credit Services, Inc. (USA) (CCSI). The consent order found that CCSI's misconduct had included (a) deceptive acts related to the marketing, sale and membership retention for credit card add-on products; (b) telemarketing of credit card add-on products, in violation of the Telemarketing Sales Rule;3 (c) improper billing and administration of the credit card add-on products; and (d) improper collection of delinquent accounts. In consequence, Citibank was ordered to deposit $700 million into a trust account for restitution to the injured consumers, and was fined a further $35 million.

Who You Need To Be Watching

As noted earlier, per the CFPB, the obligation extends to "service providers." The question, then, is who is a "service provider?" Under Dodd-Frank, a "service provider" is "any person that provides a material service to a covered person in connection with the offering or provision by such person of a consumer financial product or service, including a person that (i) participates in designing, operating or maintaining the consumer financial product or service; or (ii) processes transactions relating to the consumer financial product or service (other than knowingly or incidentally transmitting or processing financial data in a manner that such data is undifferentiated from other types of data of the same form as the person transmits or processes)." The statute exempts certain categories of persons providing space for advertisements or performing ministerial services of the type provided to business generally (like notaries). Yet essential terms and phrases (like "provides," "participates" and "processes") are not defined in Dodd-Frank, nor has the CFPB elected to clarify their meaning, leaving interpretation of whether someone qualifies as a service provider open to case-by-case analysis. However, in the mortgage servicing context, the CFPB defined the phrase "service provider personnel" in its April 13, 2012 memo to include personnel "responsible for handling foreclosure proceedings," allowing that foreclosure counsel would probably be included. And, as seen in the above enforcement actions, the term "service provider" clearly encompasses (a) identity protection vendors; (b) outside marketing firms; and (c) third-party providers of credit card add-on products.

That said, the proper characterization of a number of important players is left in limbo. For example, in those instances where the involvement of a title company or an attorney is required by statute (like Texas home equity loans) or by best practices (like title insurance), does that third-party become a "participant" in the "operation" of the loan, and therefore a "service provider" for whom the lender may be held liable? Does the scope of the term extend to appraisers? To surveyors? To escrow agents? What about inspectors or property preservation firms? How about the issuers of force-placed insurance? All of the aforementioned are traditionally independent contractors over whom the lender or servicer exercises minimal control, yet each plays as much or more of a role in the origination or servicing of a loan than does foreclosure counsel, and might, "depending on the circumstances," be deemed to be a service provider.

What You Need To Be Doing

In light of the foregoing, best practice is to assume that, save and except for those that are expressly exempted, any person or entity that plays a role in the loan origination or servicing process may be deemed to be a service provider, and should be supervised as such. Consequently, vendor agreements should (a) contain or expressly incorporate written policies and procedures crafted to ensure vendor compliance with consumer financial protection laws and regulations; (b) establish a regular reporting procedure to document vendor compliance; and (c) provide for periodic auditing of the vendor to confirm compliance. Moreover, given that CFPB complaints and requests for information typically require a fairly quick turnaround, the financial institution should create and maintain an indexed, readily searchable archive that accurately documents (a) past and present vendor contracts; (b) vendor reporting; (c) audits of vendors; (d) communications, both written and oral, with vendors concerning compliance issues; (e) any internal communications concerning vendor management policies and compliance issues, including, but not limited to, minutes of any applicable executive committee or board of directors meetings; and (f) any corrective actions taken by or with respect to vendors found to be non-compliant. While the foregoing is no guarantee of safety, it would, in the event of a CFPB action, go a long way toward showing good faith on the part of the financial institution and provide the ability to respond timely and completely.

1 See, e.g., State Nat'l Bank of Big Spring v. Lew, et al., No. 13-5247 (D.C.Cir. July 24, 2015) - held that regulated banks have standing to challenge the constitutionality of the CFPB, but remanded for additional briefing on the specific question of whether the CFPB is unconstitutional or not. Until that's decided, what the CFPB says, controls.

2 The Manual enumerates the laws that financial institutions must comply with and that are therefore to be included in the training, which are (a) the Real Estate Settlement Procedures Act (RESPA), (b) the Truth-in-Lending Act (TILA), (c) the Electronic Funds Transfer Act (EFTA), (d) the Fair Debt Collection Practices Act (FDCPA), (e) the Homeowners Protection Act (HPA), (f) the Fair Credit Reporting Act (FCRA), (g) the Gramm-Leach-Bliley Act (GLBA), and (h) the Equal Credit Opportunity Act (ECOA).

3 16 C.F.R. §§ 310.3(c), 310.4(a)(7).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Baker Donelson | Attorney Advertising
