New Rules of Consumer Protection: Six Steps for Banks to Manage Third-Party Compliance Risk and Avoid the Fate of Capital One
By Richik Sarkar, Risk Management
For more than a decade, regulators have been reminding banks of their responsibility to ensure that third-party service providers comply with federal laws. Last July, that message got louder when the Consumer Financial Protection Bureau (CFPB) announced the results of its first public enforcement action: a consent order under which Capital One agreed to refund at least $140 million to two million customers and pay $25 million to the agency's Civil Penalty Fund.
According to the bureau, Capital One violated the Dodd-Frank Act by failing to implement a compliance program effective enough to prevent its third-party call centers from engaging in deceptive practices. But even before Capital One, regulatory agencies were announcing that they would begin to enforce federal consumer financial law to the fullest extent of their authority.
One reason for this has been a general increase in the world's focus on consumer protection since the mortgage crisis, but it is also a response by regulators who have watched an industry outsource more of its core operations. In the past, banks and other financial services firms relied on outside companies mainly for peripheral services like printing, record storage and transaction processing. But in recent years, cost advantages have driven them to delegate other important functions. Many companies now depend on third parties to prepare mandatory disclosures, conduct compliance reviews and sell products to consumers.
Moreover, financial services firms now routinely contract outside companies to market new services that these institutions did not develop internally, such as investment and insurance options. Third parties are performing more heavily regulated functions than ever before, and firms must be cognizant of the compliance risks involved. And there are a lot of them.
Every segment of the financial sector is subject to the oversight of myriad regulatory authorities. Some are public agencies, and others are private organizations, such as the Financial Industry Regulatory Authority and the national securities exchanges. Dodd-Frank created the newest of these regulatory bodies, the CFPB, and charged the agency with enforcing the whole of federal consumer financial law, deriving from no fewer than 19 different legislative acts.
To nobody's surprise, this has led to confusion. So in an effort to minimize inconsistency, the CFPB entered into memoranda of understanding with other governmental entities, including the Federal Trade Commission and the Department of Justice, to coordinate their enforcement efforts.
Fortunately for financial-sector companies, a number of governmental entities, including the FDIC, the Federal Reserve Bank of New York and the CFPB, have offered guidance that should help banks maintain oversight of their third-party service providers. These recommendations generally propose a four-phase process involving due diligence, policy examination, contract review and control creation.
As part of the Capital One consent order, the company agreed to implement a compliance plan within these guidelines, but financial services organizations need not wait for a CFPB enforcement action. In addition to considering the consent order and referring to the bureau's "Supervision and Examination Manual," organizations can create a process to monitor this risk by following these six steps.
1. Develop an Understanding of Federal Consumer Financial Law
Without a thorough knowledge of the laws and regulations that apply to the work that third parties perform, banks and other financial services firms cannot hope to control their third-party compliance risk. The breadth of federal consumer financial law can be overwhelming, but, given the CFPB's mandate and its enforcement priorities, financial services organizations should certainly understand the operation of key statutory provisions.
The key areas to examine are Dodd-Frank's Section 1031 (which prohibits unfair, deceptive or abusive practices in connection with consumer transactions for financial products and services), and Section 5 of the Federal Trade Commission Act (which prohibits unfair and deceptive practices more generally). …