By Sarkar, Richik
Risk Management, Vol. 60, No. 2
Six Steps for Banks to Manage Third-Party Compliance Risk and Avoid the Fate of Capital One
For more than a decade, regulators have been reminding banks of their responsibility to ensure that third-party service providers comply with federal laws. Last July, that message got louder when the Consumer Financial Protection Bureau (CFPB) announced the results of its first public enforcement action: a consent order under which Capital One agreed to refund at least $140 million to two million customers and pay $25 million to the agency's Civil Penalty Fund.
According to the bureau, Capital One violated the Dodd-Frank Act by failing to implement a compliance program effective enough to prevent its third-party call centers from engaging in deceptive practices. But even before Capital One, regulatory agencies were announcing that they would begin to enforce federal consumer financial law to the fullest extent of their authority.
One reason for this has been a general increase in the world's focus on consumer protection since the mortgage crisis, but it is also a response by regulators who have watched an industry outsource more of its core operations. In the past, banks and other financial services firms relied on outside companies mainly for peripheral services like printing, record storage and transaction processing. But in recent years, cost advantages have driven them to delegate other important functions. Many companies now depend on third parties to prepare mandatory disclosures, conduct compliance reviews and sell products to consumers.
Moreover, financial services firms now routinely contract outside companies to market new services that these institutions did not develop internally, such as investment and insurance options. More than ever, third parties are performing more-regulated functions, and firms must be cognizant of the compliance risks involved. And there are a lot of them.
Every segment of the financial sector is subject to the oversight of myriad regulatory authorities. Some are public agencies, and others are private organizations, such as the Financial Industry Regulatory Authority and the national securities exchanges. Dodd-Frank created the newest of these regulatory bodies, the CFPB, and charged the agency with enforcing the whole of federal consumer financial law, deriving from no fewer than 19 different legislative acts.
To nobody's surprise, this has led to confusion. So in an effort to minimize inconsistency, the CFPB entered into memoranda of understanding with other governmental entities, including the Federal Trade Commission and the Department of Justice, to coordinate their enforcement efforts.
Fortunately for financial-sector companies, a number of governmental entities, including the FDIC, the Federal Reserve Bank of New York and the CFPB, have offered guidance that should help banks maintain oversight of their third-party service providers. These recommendations generally propose a four-phase process involving due diligence, policy examination, contract review and control creation.
As part of the Capital One consent order, the company agreed to implement a compliance plan within these guidelines, but financial services organizations need not wait for a CFPB enforcement action. In addition to considering the consent order and referring to the bureau's "Supervision and Examination Manual," organizations can create a process to monitor this risk by following these six steps.
1. Develop an Understanding of Federal Consumer Financial Law
Without a thorough knowledge of the laws and regulations that apply to the work that third parties perform, banks and other financial services firms cannot hope to control their third-party compliance risk. The breadth of federal consumer financial law can be overwhelming, but, given the CFPB's mandate and its enforcement priorities, financial services organizations should certainly understand the operation of key statutory provisions. …