Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management
Elizabeth McGinn & Moorari Shah
April 7, 2015
In April 2012, the Consumer Protection Financial Bureau (the ‘‘CFPB’’ or ‘‘Bureau’’) issued Bulletin 2012-03 (the ‘‘Service Provider Bulletin’’), a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. In the three years hence, the Bureau has often referenced the Servicer Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers similar to those established by other prudential regulators for their respective supervised entities. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.
The latest addition to the CFPB’s loosely-sewn patchwork of vendor management guidance is Compliance Bulletin 2015-01 (the ‘‘CSI Bulletin’’), which, among other directives, puts CFPB-supervised entities on notice that they may not invoke nondisclosure agreements to avoid complying with requests from the Bureau to produce a third party’s confidential information. To drive home the point, the CSI Bulletin states: ‘‘Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.’’
Originally published in BloombergBNA; reprinted with permission.