Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management

Bloomberg BNA
18 minute read | April.07.2015

In April 2012, the Consumer Protection Financial Bureau (the ‘‘CFPB’’ or ‘‘Bureau’’) issued Bulletin 2012-03 (the ‘‘Service Provider Bulletin’’), a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. In the three years hence, the Bureau has often referenced the Servicer Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers similar to those established by other prudential regulators for their respective supervised entities. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.

The latest addition to the CFPB’s loosely-sewn patchwork of vendor management guidance is Compliance Bulletin 2015-01 (the ‘‘CSI Bulletin’’), which, among other directives, puts CFPB-supervised entities on notice that they may not invoke nondisclosure agreements to avoid complying with requests from the Bureau to produce a third party’s confidential information. To drive home the point, the CSI Bulletin states: ‘‘Failure to provide information required by the CFPB is a violation of law for which the CFPB will pursue all available remedies.’’

Originally published in Bloomberg BNA; reprinted with permission