The Consumer Financial Protection Bureau (CFPB or Bureau) continues to expand its gaze, announcing this past April that it has begun implementation of a program to directly supervise service providers of financial institutions, particularly those that cater to the mortgage industry. As regulatory signals go, this one should be relatively clear—federal examiners will be conducting regular onsite examinations of vendor operations to ensure compliance with federal consumer protection laws, and, in its own words, “the CFPB is focusing on service providers that directly affect mortgage origination and servicing markets.”
To be sure, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) grants the CFPB the authority to examine bank and non-bank financial institutions and their “service providers.” Until recently, however, the Bureau has mainly focused its attention on supervision of financial institutions themselves, occasionally levying one-off fines against service providers lest anyone forget the range of CFPB’s statutory powers. Nonetheless, the CFPB’s focus on vendor management has been felt in all corners of the mortgage industry since the enactment of the Dodd-Frank Act in 2010. And as many companies have struggled to adjust to the Bureau’s regulatory expectations related to pre-contract vendor due diligence and post-contract vendor monitoring, equally affected have been the vendors themselves.
Specifically, despite a desire to provide valuable services, mortgage vendors have found it difficult to justify taking on additional compliance burdens in light of the costly consequences of missteps that can result from regulatory enforcement and consumer litigation initiated in recent years with alarming frequency against vendors and the financial institutions they serve. With the latest announcement by the CFPB to implement direct supervision of service providers, deeper consternation among vendors is certain. Against that backdrop, this article reviews the basic supervisory expectations applicable to financial institutions and their vendors and provides additional insight related to trends developing in recent CFPB examinations.
Like the other federal banking regulators, the CFPB has been cognizant of the important role that vendors play in financial services operations and sought to bring regulatory standards for vendor management to the non-bank sector. The CFPB issued Bulletin 2012-03 in April 2012, which has served as the primary guidance for supervised banks and nonbanks involved in business relationships with “service providers.” Since the issuance of the CFPB bulletin, the Bureau has sought to hold supervised institutions accountable for violations leading to alleged consumer harm, including when the alleged offenses were committed (or omitted) by service providers to the financial institution.
Collectively, the message from the CFPB and prudential banking regulators has been clear: Entering into outsourcing relationships does not release supervised institutions from their responsibilities to comply with applicable laws and regulations designed to protect (i) consumers from unwarranted harm, and (ii) financial markets from unsafe and unsound practices. In addition, regulators have held vendors liable for not actively addressing obvious compliance violations committed by financial institution customers. As a result, compliance for mortgage companies begins far in advance of any actual vendor engagement, as regulators expect companies to have well-established and meticulously observed policies and procedures that cover the following:
- Planning. A vendor relationship should begin with an internal assessment of risks. Such planning should focus on both the potential impact to the financial institution and the financial institution’s customers, as well as potential information security, regulatory, and legal ramifications.
- Due Diligence and Vendor Selection. Proper due diligence includes a thorough evaluation of potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. Many companies rightfully focus on independent audit reports such as SSAE-16s as part of their due diligence of potential vendor partners, but financial institutions should also look to external organizations such as trade associations, the Better Business Bureau, the Federal Trade Commission, and state regulators when performing diligence on consumer-facing third parties to determine their ability to comply with federal financial consumer protection laws.
- Contract Negotiation. All relationships should be documented by a written contract that clearly defines the compliance responsibilities of both the financial institution and the vendor. In addition, the contract should provide for performance benchmarks, audit rights, insurance requirements, protocols for handling customer complaints and data security breaches, and oversight rights and obligations related to subcontractors.
- Ongoing Monitoring. The financial institution should dedicate sufficient staff to monitor the vendor’s activities throughout the relationship as it may change over time. Particular attention should be paid to the vendors’ ability to (i) comply with legal and regulatory requirements, (ii) self-identify and address issues quickly, (iii) manage subcontractors effectively, and (iv) track, monitor, and resolve consumer complaints in a manner that demonstrates the ability to analyze trends to avoid similar complaints in the future.
- Remediation and Termination. Regulators also expect financial institutions to quickly address and remediate vendor issues. Moreover, a contingency plan should always be in place for the end of the relationship and put into effect either through the normal course or in response to a contractual breach. The contingency plan should contemplate the transfer of vendor functions to a different vendor or back in-house to the financial institution.
In addition, regulators have indicated that they will generally expect to see verifiable documentation and records showing that the company has followed such policies and procedures, as well as compliance training for everyone from the Board of Directors and senior management down to line-level employees with clear identification of compliance roles and responsibilities.
The Vendor Perspective
In light of the foregoing expectations placed on mortgage companies, vendors are routinely faced with due diligence requests from customers seeking to review, among other things, policies, procedures, internal controls, and training materials to determine whether the vendors’ operations comply with federal consumer financial laws. The intrusions can be disruptive to service delivery operations, and a number of vendors have sought a more rational approach, including developing standard due diligence packages, ongoing comprehensive compliance reports targeted to mortgage companies, and providing results of regular independent audit reports commissioned by vendors of their own services.
From a vendor’s perspective, there have historically been at least two common business-motivated reasons to proactively address the concerns of financial institution customers: (i) vendor management is expensive and time consuming for financial institutions, and compliance-oriented vendors that can help save their customers’ time and money have a competitive advantage in today’s marketplace; and (ii) planning ahead can reduce unexpected disruptions to vendor operations. Now, however, with direct CFPB supervisory examinations looming for many vendors, having a compliance orientation is no longer just a competitive advantage; it has become a business necessity. Notwithstanding the burdens and anxiety that would be involved for a vendor which is subject to a direct CFPB examination, in the longer run it could be a competitive advantage, as potential customers would have the comfort of knowing that the vendor is supervised by the Bureau.
Increased Focus on Compliance Management Systems and Mortgage Servicing Platforms
A comprehensive Compliance Management System (CMS) is an absolute necessity in today’s regulatory environment for both supervised entities and their vendors, as the CFPB has indicated that all of its supervisory examinations will include at least some testing of an entity’s CMS. A CMS provides the mechanism by which an entity (i) establishes its compliance responsibilities, (ii) communicates those responsibilities to employees, (iii) ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes, (iv) reviews its operations to ensure responsibilities are carried out and legal requirements are met, and (v) takes corrective action and updates tools, systems, and materials as necessary. At its core, a robust CMS minimally includes:
- Policies and procedures;
- Protocols for reporting compliance issues to the board of directors and senior management;
- Training for employees related to compliance responsibilities;
- Processes for monitoring for violations; and
- Reinforcement of the compliance culture through prompt corrective actions, fostered in part by regularly scheduled independent audits and accountability for process improvements based on repetitive customer complaints.
In this regard, amongst the most difficult adjustments companies have had to make in recent years has been related to increased oversight of mortgage servicers, which continues to consume considerable compliance resources and expense. The CFPB released rules, effective January 10, 2014, to improve the information consumers receive from their servicers, to enhance the protections available to consumers to address servicer errors, and to establish baseline servicing requirements that provide additional protections for consumers who have fallen behind on their mortgage payments. Supervisory examinations of mortgage servicers now generally focus on reviewing for compliance with these servicing rules and for unfair, deceptive, and abusive acts or practices.
Now more than three years removed from their effective date, the Bureau has noted that servicing compliance is still lacking due in large part to “outdated and deficient servicing technology” developed in-house or provided by vendors whose “shortcomings are compounded by lack of proper training, testing, and auditing of technology-driven processes, particularly to handle more individualized situations related to delinquencies and loss mitigation processes.” Both mortgage servicers and the vendors they rely upon should expect continued focus in these areas by the CFPB.
In particular, regulators are focused on ensuring that servicers (i) have instituted policies and procedures consistent with new regulations and guidance, and (ii) comply with collections and credit reporting requirements: Under the revisions to Regulation X that took effect in January 2014, the CFPB may now cite an institution for failure to maintain policies and procedures reasonably designed to, among other things, facilitate (i) ready access to accurate and current documents and information reflecting actions taken by service providers, and (ii) periodic reviews of service providers. The CFPB explained at the time it proposed §1024.38(b)(3) that the new regulation was designed to address evaluations of mortgage servicer practices that had found that some major servicers “did not properly structure, carefully conduct, or prudently manage their third-party vendor relationships.”
The CFPB has also reiterated its focus on evaluating mortgage industry compliance with the guidance issued on mortgage servicing transfers. Bulletin 2014-01, Compliance Bulletin and Policy Guidance: Mortgage Servicing Transfers, was issued August 19, 2014, and outlined a number of CFPB expectations of servicers in connection with the transfer of mortgage servicing rights, including potentially preparing and submitting informational plans to the CFPB describing how the servicers will be managing the related risks to consumers. In this regard, the CFPB has noted that transferring loans during the loss mitigation process heightens risks to consumers, including the risk that documents and information might not be accurately transferred. Of course, if the new servicer is more likely to be able to assist the consumer with an alternative to foreclosure than the prior servicer, most delinquent consumers whose loans are transferred would gladly take that risk in return for the possibility of a better outcome.
The CFPB broke new ground this spring with its announcement to conduct supervisory examinations of certain key mortgage vendors. Although the Bureau has made clear that it will take a risk-based approach to focus on large vendors whose compliance failures could potentially impact large numbers of consumers, mortgage professionals should bear in mind a few key — and harsh — lessons learned during the course of the CFPB’s enforcement activities against service providers in recent years:
- Service providers must have their own strong compliance program capable of ensuring that the vendor is not inadvertently assisting its financial institution customers in violating the law;
- Service providers must engage in some level of oversight and due diligence of their financial institution customers; and
- The CFPB is increasingly holding service providers accountable for the actions of their financial institution customers.
In light of these expectations, mortgage companies and their vendors may be more inclined to find common ground to develop industry-wide compliance solutions in advance of future CFPB examinations that are becoming increasingly invasive.
Jeffrey Naimon is a partner and Moorari Shah is a counsel in the Washington, D.C., and LA offices of Buckley Sandler LLP. They can be reached at JNaimon@BuckleySandler.com and MShah@BuckleySandler.com.
 See CFPB, Supervisory Highlights (Spring 2017) at p. 25.
 12 U.S.C. §§ 5514-5516. “Service Provider” is defined as any person that “provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” See 12 U.S.C. § 5481(26).
 For example, in one CFPB consent order, a payments vendor was held directly liable for alleged false representations regarding the data security provided to customers. See In the Matter of Dwolla, Inc., File No. 2016-CFPB-0007 (February 27, 2016). The vendor agreed to pay a $100,000 fine.
 The Office of the Comptroller of the Currency (“OCC”) and the Federal Reserve Board (“FRB” or the “Fed”) issued revised guidance on managing third party risk in late 2013. The OCC issued OCC Bulletin 2013-29 (“OCC Bulletin”) on October 30, 2013, and the Fed issued Supervision and Regulation Letter 13-19 on December 5, 2013, which attached the Fed’s Guidance on Managing Outsourcing Risk (“FRB Guidance”).
 See, e.g., CFPB v. Universal Debt & Payment Solutions LLC, No. 15-cv-0859 (N.D. Ga. March 26, 2015) (alleging for the first time a vendor’s “substantial assistance” in permitting its financial institution customer’s violations of law as the basis for enforcement); CFPB v. Genuine Title LLC, No. 15-cv-1235 (D. Md. April 29, 2015) (alleging certain service providers acted as conduits for illegal payments under a mortgage referral scheme that violated the Real Estate Settlement Procedures Act); CFPB v. Intersections Inc., No. 15-CV-0835 (E.D. Va. July 1, 2015) (alleging that a credit monitoring services provider to various banks provided substantial assistance to the unfair, deceptive and abusive acts and practices (“UDAAPs”) by instructing the banks to bill for services that were not received); CFPB v. D&D Marketing, No. 15-cv-09692 (C.D. Cal. Dec. 17, 2015) (alleging that a lead broker company failed to properly vet the purchasers of its leads, thereby providing substantial assistance to UDAAPs committed by the purchasers of the leads).
 Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. As of May 1, 2017, SSAE No. 18 represents a new attestation standard that, among other things, will require more structured monitoring and auditing of subservicing organizations (i.e., subcontractors), many of whom indirectly provide services to mortgage companies.
 See, e.g., OCC Bulletin and FRB Guidance.
 See, e.g., CFPB, Supervisory Highlights (Spring 2014).
 See CFPB, Mortgage Servicing Highlights (June 2016).
 Id. at p. 3.
 See 12 C.F.R. § 1024.38(b)(3).
 See Mortgage Servicing Highlights, supra at FN 11, p.8 (noting that examiners still continue to find that servicers fail in some cases to send any loss mitigation acknowledgment notices due to platform malfunctions, including those provided and/or managed by third-party vendors. The CFPB has cited these servicers for violating Regulation X and directed the servicer(s) to fix and monitor the servicing platform for compliance weaknesses).
 Id. at p. 17 (acknowledging that the CFPB has observed more attention to pre-transfer planning by transferor and transferee servicers since 2014, but still continues to find that incompatibilities between servicer platforms have led, in part, to transferees failing to identify and honor in-place loss mitigation after receiving the loans).
 See supra at FN 7.