Outsourcing used to be a way to move liabilities away from a company, but the Consumer Financial Protection Bureau has taken steps to ensure that, for auto lenders, this is no longer true.
As the CFPB prepares to extend its authority to nonbank lenders, concern over vendor management is running at a high level – and with good reason. CFPB enforcement actions against lenders cast a long dark shadow over the Auto Finance Compliance Summit in May.
Monitoring dealers is a given for lenders, but third-party vendors deserve the same attention. Of the $1.56 billion in consent orders issued by the CFPB, three-quarters were related to service providers, according to Michael Mallow, partner & chair of consumer protection defense at Loeb & Loeb LLP.
An auto finance executive, speaking off the record, estimated total CFPB consent orders at nearly twice that number, $3 billion.
While dealers are expressly excluded from the CFPB’s definition of “covered persons” – that is, any person or entity that offers or provides a “consumer financial product or service” – service providers are included.
This does not mean lenders are insulated from risk if service providers are targeted by regulators, however. “Lenders can be held responsible for independent third party vendors by the CFPB,” said Mallow. The “mutuality” of companies, or the intertwining of their businesses, is used by the CFPB as a means to share culpability in cases of wrongdoing, according to Michael Thurman, partner at Thurman Legal in Los Angeles.
The CFPB Bulletin number 2012-03, posted April 12, 2012, says that banks and nonbanks under CFPB supervision must manage the risks of service provider relationships. Lenders must verify that service providers understand and are capable of complying with Federal consumer financial laws; they must review service providers’ policies, procedures, internal controls, and training materials; and they must take steps to ensure service providers conduct appropriate training and oversight of employees and agents.
Contracts with service providers should include clear expectations about the service provider’s compliance requirements, and make clear that there will be consequences for all regulatory violations, according to the CFPB.
Mallow outlined three stages of the lender-vendor relationship: entering the relationship, managing the relationship once it’s started, and resolving problems when (not if) they occur. Different vendor entities carry different degrees of risk. Collections, for example, is a high risk activity because it involves thousands of human interactions. “When you have two humans talking on the phone, anything can happen,” said Chris Willis, partner at Ballard Spahr LLP .
Before entering the vendor relationship, the lender must carefully consider the risks of outsourcing, Mallow said. How critical are the activities? Do they need to be outsourced? How will the outsourced activity be managed? Lenders must also take steps to ensure the vendor can provide the services they are being contracted to provide, and comply with relevant regulations while doing so. Service providers should have manuals explaining how their employees comply with CFPB guidance and regulations.
Mark Edelman, consumer financial services attorney with McGlinchey Stafford PLLC, took it one step further, saying that lenders should perform background checks on all vendor employees to assess the risk of a partnership.
Once the vendor has been thoroughly vetted and the relationship has begun, sufficient staff and resources must be devoted to monitoring the vendor. The minimum size of a well-functioning compliance department, according to Willis, is about five members. Larger nonbank lenders such as Nissan Motor Acceptance Corp. have departments of twelve to fifteen people, while banks will already devote considerable resources to compliance and therefore field larger units.
Lenders should make periodic onsite visits to vendors, Mallow said. Senior management should be involved in all decisions regarding critical business operations that concern third-party vendors, and perhaps most importantly, every step of the relationship should be documented.
The CFPB is a complaint-driven organization, Thurman said, so the first thing to keep an eye on to be alert to potential trouble is the bureau’s own publicly accessible database of complaints.