On Friday, the Consumer Financial Protection Bureau (“CFPB”) issued a bulletin warning that it will seek to hold supervised banks and nonbanks liable for their vendors’ misconduct. Banks and nonbanks often hire service providers to process credit cards, handle data, operate call centers, or address customer service issues. The CFPB also emphasized that it has supervisory and enforcement authority over a “supervised service provider,” defined under Dodd-Frank as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service,” and could go after those entities directly.
The CFPB advises companies to take the following steps to ensure service providers’ compliance:
- Conduct thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
- Request and review the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Include contract provisions establishing clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- Establish internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law; and
- Take prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
The Federal Trade Commission, Consumer Product Safety Commission, and other agencies have taken similar approaches, sometimes pushing the limits of their statutory authority. Although strong provisions in vendor contracts can provide some protections in a commercial dispute, companies should not ignore or blindly delegate other responsibilities and expect to rely on the contract to avoid regulatory scrutiny.