[Federal Register Volume 81, Number 207 (Wednesday, October 26, 2016)]
[Notices]
[Pages 74410-74412]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-25856]


=======================================================================
-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION


Compliance Bulletin and Policy Guidance; 2016-02, Service 
Providers

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Compliance bulletin and policy guidance.

-----------------------------------------------------------------------

SUMMARY: The Bureau is reissuing its guidance on service providers, 
formerly titled CFPB Bulletin 2012-03, Service Providers to clarify 
that the depth and formality of the risk management program for service 
providers may vary depending upon the service being performed--its 
size, scope, complexity, importance and potential for consumer harm--
and the performance of the service provider in carrying out its 
activities in compliance with Federal consumer financial laws and 
regulations. This amendment is needed to clarify that supervised 
entities have flexibility and to allow appropriate risk management.

DATES: The Bureau released this Compliance Bulletin and Policy Guidance 
on its Web site on October 31, 2016.

FOR FURTHER INFORMATION CONTACT: Suzanne McQueen, Attorney Adviser, 
Office of Supervision Policy, 1700 G Street NW., 20552, 202-435-7439.

SUPPLEMENTARY INFORMATION:

[[Page 74411]]

1. Compliance Bulletin and Policy Guidance 2016-02, Service Providers

    The Consumer Financial Protection Bureau (CFPB) expects supervised 
banks and nonbanks to oversee their business relationships with service 
providers in a manner that ensures compliance with Federal consumer 
financial law, which is designed to protect the interests of consumers 
and avoid consumer harm. The CFPB's exercise of its supervisory and 
enforcement authority will closely reflect this orientation and 
emphasis.
    This Bulletin uses the following terms:
    Supervised banks and nonbanks refers to the following entities 
supervised by the CFPB:
     Large insured depository institutions, large insured 
credit unions, and their affiliates (12 U.S.C. 5515); and
     Certain non-depository consumer financial services 
companies (12 U.S.C. 5514).
    Supervised service providers refers to the following entities 
supervised by the CFPB:
     Service providers to supervised banks and nonbanks (12 
U.S.C. 5515, 5514); and
     Service providers to a substantial number of small insured 
depository institutions or small insured credit unions (12 U.S.C. 
5516).
    Service provider is generally defined in section 1002(26) of the 
Dodd-Frank Act as ``any person that provides a material service to a 
covered person in connection with the offering or provision by such 
covered person of a consumer financial product or service.'' (12 U.S.C. 
5481(26)). A service provider may or may not be affiliated with the 
person to which it provides services.
    Federal consumer financial law is defined in section 1002(14) of 
the Dodd-Frank Act (12 U.S.C. 5481(14)).

A. Service Provider Relationships

    The CFPB recognizes that the use of service providers is often an 
appropriate business decision for supervised banks and nonbanks. 
Supervised banks and nonbanks may outsource certain functions to 
service providers due to resource constraints, use service providers to 
develop and market additional products or services, or rely on 
expertise from service providers that would not otherwise be available 
without significant investment.
    However, the mere fact that a supervised bank or nonbank enters 
into a business relationship with a service provider does not absolve 
the supervised bank or nonbank of responsibility for complying with 
Federal consumer financial law to avoid consumer harm. A service 
provider that is unfamiliar with the legal requirements applicable to 
the products or services being offered, or that does not make efforts 
to implement those requirements carefully and effectively, or that 
exhibits weak internal controls, can harm consumers and create 
potential liabilities for both the service provider and the entity with 
which it has a business relationship. Depending on the circumstances, 
legal responsibility may lie with the supervised bank or nonbank as 
well as with the supervised service provider.

B. The CFPB's Supervisory Authority Over Service Providers

    Title X authorizes the CFPB to examine and obtain reports from 
supervised banks and nonbanks for compliance with Federal consumer 
financial law and for other related purposes and also to exercise its 
enforcement authority when violations of the law are identified. Title 
X also grants the CFPB supervisory and enforcement authority over 
supervised service providers, which includes the authority to examine 
the operations of service providers on site.\1\ The CFPB will exercise 
the full extent of its supervision authority over supervised service 
providers, including its authority to examine for compliance with Title 
X's prohibition on unfair, deceptive, or abusive acts or practices. The 
CFPB will also exercise its enforcement authority against supervised 
service providers as appropriate.\2\
---------------------------------------------------------------------------

    \1\ See, e.g., subsections 1024(e), 1025(d), and 1026(e), and 
sections 1053 and 1054 of the Dodd-Frank Act, 12 U.S.C. 5514(e), 
5515(d), 5516(e), 5563, and 5564.
    \2\ See 12 U.S.C. 5531(a), 5536.
---------------------------------------------------------------------------

C. The CFPB's Expectations

    The CFPB expects supervised banks and nonbanks to have an effective 
process for managing the risks of service provider relationships. The 
CFPB will apply these expectations consistently, regardless of whether 
it is a supervised bank or nonbank that has the relationship with a 
service provider.
    The Bureau expects that the depth and formality of the entity's 
risk management program for service providers may vary depending upon 
the service being performed--its size, scope, complexity, importance 
and potential for consumer harm--and the performance of the service 
provider in carrying out its activities in compliance with Federal 
consumer financial laws and regulations. While due diligence does not 
provide a shield against liability for actions by the service provider, 
it could help reduce the risk that the service provider will commit 
violations for which the supervised bank or nonbank may be liable, as 
discussed above.
    To limit the potential for statutory or regulatory violations and 
related consumer harm, supervised banks and nonbanks should take steps 
to ensure that their business arrangements with service providers do 
not present unwarranted risks to consumers. These steps should include, 
but are not limited to:
     Conducting thorough due diligence to verify that the 
service provider understands and is capable of complying with Federal 
consumer financial law;
     Requesting and reviewing the service provider's policies, 
procedures, internal controls, and training materials to ensure that 
the service provider conducts appropriate training and oversight of 
employees or agents that have consumer contact or compliance 
responsibilities;
     Including in the contract with the service provider clear 
expectations about compliance, as well as appropriate and enforceable 
consequences for violating any compliance-related responsibilities, 
including engaging in unfair, deceptive, or abusive acts or practices;
     Establishing internal controls and on-going monitoring to 
determine whether the service provider is complying with Federal 
consumer financial law; and
     Taking prompt action to address fully any problems 
identified through the monitoring process, including terminating the 
relationship where appropriate.
    For more information pertaining to the responsibilities of a 
supervised bank or nonbank that has business arrangements with service 
providers, please review the CFPB's Supervision and Examination Manual: 
Compliance Management Review and Unfair, Deceptive, and Abusive Acts or 
Practices.\3\
---------------------------------------------------------------------------

    \3\ http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf at 34 (Compliance Management Review) 
and 174 (Unfair, Deceptive, and Abusive Acts or Practices).
---------------------------------------------------------------------------

2. Regulatory Requirements

    This Compliance Bulletin and Policy Guidance is a non-binding 
general statement of policy articulating considerations relevant to the 
Bureau's exercise of its supervisory and enforcement authority. It is 
therefore exempt from notice and comment

[[Page 74412]]

rulemaking requirements under the Administrative Procedure Act pursuant 
to 5 U.S.C. 553(b). Because no notice of proposed rulemaking is 
required, the Regulatory Flexibility Act does not require an initial or 
final regulatory flexibility analysis. 5 U.S.C. 603(a), 604(a). The 
Bureau has determined that this Compliance Bulletin and Policy Guidance 
does not impose any new or revise any existing recordkeeping, 
reporting, or disclosure requirements on covered entities or members of 
the public that would be collections of information requiring OMB 
approval under the Paperwork Reduction Act, 44 U.S.C. 3501, et seq.

    Dated: October 19, 2016.
Richard Cordray,
Director, Bureau of Consumer Financial Protection.
[FR Doc. 2016-25856 Filed 10-25-16; 8:45 am]
 BILLING CODE 4810-AM-P