CFPB Promotes ‘Flexibility’ for Third-party Service Provider Oversight

November 3, 2016

Responding to a letter ALTA sent in May, the Consumer Financial Protection Bureau published a bulletin in the Federal Register explaining that a lender’s risk-management program for service providers may be scalable depending upon several factors.

The bureau said it issued the amendment to clarify that lenders have flexibility in deciding the appropriate course of action for managing risk. 

“The Bureau expects that the depth and formality of the entity's risk management program for service providers may vary depending upon the service being performed—its size, scope, complexity, importance and potential for consumer harm,” the CFPB said in the bulletin. “While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.”

ALTA had met with the CFPB on several occasions over the past four years and submitted letters asking the bureau to provide more guidance on the approach lenders should take when developing a compliance management program for service providers. This is the first time the CFPB has addressed the issue of scalability in a formal bulletin.

“Encouraging lenders to be flexible when developing a risk-management program for their service providers is a great step to balance the need for lenders to oversee third-party vendors and retain consumer choice in selecting service providers,” said Michelle Korsmo, ALTA’s chief executive officer. “While the CFPB said it expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships, consumer choice should be a factor in the manner a lender develops its vendor management programs and introducing the scalability concept protects the interests of consumers and avoids consumer harm. We hope the CFPB continues to provide more clarity on the collision between consumer choice and vendor management.”

To limit potential violations and related consumer harm, the CFPB said supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers.

These steps should include, but are not limited to:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law
  • Requesting and reviewing the service provider's policies, procedures, internal controls and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities
  • Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law
  • Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate

The CFPB said it will apply these expectations consistently, regardless of whether it is a supervised bank or nonbank that has the relationship with a service provider. ALTA’s Title Insurance and Settlement Company Best Practices provide a blueprint to help lenders satisfy their responsibility to manage third-party service providers.


Contact ALTA at 202-296-3671 or communications@alta.org.