Understand which vendors need extreme vetting per CFPB

Which vendors require due diligence, written contracts, and all the rest? 


CFPB-regulated institutions are required “to have an effective process for managing the risks of service provider relationships.” See CFPB Bulletin 2016-02. I know, I know, you’re thinking Cash me ousside, howbow dah? – but let’s be reasonable.

As we depend heavily on 3rd parties, it’s important to understand who falls under this umbrella: settlement agents? LOS providers? call centers? VOE providers? mortgage brokers? Keep in mind other regulators may have different expectations, but that understanding the CFPB’s approach is informative at worst.

**Distinguish “service providers” as used by the Dodd-Frank Act and the CFPB from “significant” vendor relationships as used by the FDIC.**

Let’s break this down and try to understand the framework for figuring out whether or not a vendor is a “service provider” that we really need to jump through all the hoops for.

What is an “effective” Vendor Management Process?

This varies based on the size and complexity of the organization and service provided, but will always include the following steps for each service provider:

  1. Due diligence to ensure they are complying with consumer financial law
  2. Request and review policies, procedures, internal controls, and training records
  3. Have a written contract that sets both (1) clear expectations for compliance and (2) consequences for violating any such responsibilities.
  4. On-going monitoring of the service provider to test compliance
  5. Prompt action to fix any problems found

**You could add Board Oversight, an initial Risk Assessment, and having a Business Continuity/Contingency Plan in place as best practices.

“Service Providers”: Defined

That looks like a LOT of work. Do we have to do this for every single 3rd party business relationship? No.

Settlement service providers are those that provide “a material service … in connection with the offering or provision … of a consumer financial product or service.” 

The term “service provider” includes companies that:

  • Participate in designing, operating, or maintaining the product/service; or
  • Process transactions relating to the product/service

The term does NOT include:

  • A company that solely provides general ministerial services
  • A company that provides advertising time or space

| Company | “Service provider” or no? |
| --- | --- |
| Settlement Agents who close mortgage loans | Yes. Acting on the lender’s behalf, they are significantly involved in the mortgage closing. |
| Landscaping company that handles all branch locations. | No. Their efforts, while substantial, have nothing to do with any financial products or services. |
| Your HVAC company (remember Target lost credit card information of millions of shoppers to hackers gaining access through a vendor repairing the air conditioning system) | No. While an institution needs to protect against breaches, this is a vendor that is not providing a “material service” to any financial product or service. So while your HVAC company might need to agree to abide by your IT requirements, it would not have to submit its own policies/procedures on complying with federal consumer protection law. |
| Mortgage consulting company that helps develop new products/services, performs monthly compliance audits, and quarterly board training on hot topics | Yes. It’s not quite as clear cut, I suppose, but as described the company is helping with new product design and likely assisting with individual loan decisions while in process. I would consider this to be “material service”. |
| A notary who notarized consumer loan documents as part of a consumer taking advantage of a loan or other financial product | No. This is just ministerial support of the type that is generally provided to the business, not a material service. |
| Law firm or other company handling foreclosure proceedings | Yes. |
| Vendors offering add-on products like identity protection | Yes. This is an obvious one. |
| An automobile dealer signed up with an indirect loan program | Yes. |
| Providers of outsourced bank compliance functions such as audits, fair lending reviews, and compliance monitoring activities. | Yes. (Taken verbatim from Fed Reserve haha). |
| Google or other online advertisers | Interesting! They should fall under the exception for advertisers (shown above) when they sell ad space, but they may get themselves into trouble with their new mortgage calculators and different tools, leading the CFPB to classify them as service providers, “since it actually participates in the development of the online advertising by making suggestions to advertisers about key words, how to optimize the ad and search descriptions, etc” (article) |


 Thank you to Ben Giumarra, Spillane Consulting Associates, Inc., a member of our Education Committee, who with the support of other experts at SCA have put together this newsletter.  RIMBA has received permission to forward this to RIMBA Members as a Value Added benefit.    
