CFPB Vendor Compliance Management

by

When it comes to CFPB vendor compliance, companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis,” according to the Consumer Financial Protection Bureau’s CFPB Bulletin 2012-3.

An effective risk management strategy includes the assessment and monitoring of vendor compliance in accordance with your company’s formally written policies and procedures. Today’s compliance program certainly involves an ongoing struggle in organizing vendor responses, while monitoring and tracking reoccurring events and supporting documents.

In the past, managing vendor compliance contractually was adequate. Compliance risk and responsibility was effectively transferred to the service provider, and by doing so, compliance activity was kept at arm’s length. Today, the CFPB expects you to “oversee [your] business relationships with service providers in a manner that ensures compliance with Federal consumer financial law…” In other words, a full chain of custody is now necessary to ensure full compliance. In order for this to happen, an “effective process” must be in place. Simply put, you now have to check and validate they are actually doing what they say they do.

Who Is Responsible for What?

According to the CFPB, if you have “any person (e.g., service provider) that produces a material service to a covered person (i.e., you) in connection with the offering or provision by such covered person of a consumer financial product or service” then you are responsible for their compliance to all relevant CFPB requirements. This means the service provider is also responsible to the CFPB and no one gets a free pass.

Managing CFPB Vendor Compliance

When it comes to vendor management, there are two things you should be thinking about; you are both the auditor and the audited. When managing your own vendors, what are the necessary components of a Vendor Compliance Management Program?

What Do You Need?

  • List of policies and procedures
    • You will most likely have a policy that requires third parties to conduct compliance training and monitor employees who have consumer contact (UDAAP, FDCPA)
  • List of third parties to include activities performed
    • Do you maintain a list of your service providers that are involved in debt collection? Which of your vendors are consumer facing? Which of your vendors are storing or receiving consumer information?
  • Contracts with third parties
    • Ensure your contracts have clear definition of what your expectations are regarding compliance with federal consumer financial protection law. Does it include consequences for violations?
  • Evidence of due diligence
    • Your policies and procedures say you require all vendors to perform training, but what evidence are you gathering that show you are proving this?

Your Vendor Compliance Management Program is a piece of your overall Compliance Management System, which encourages you to collect information and documents you may need easy access to in order to demonstrate your compliance to the CFPB directly, or to one of your clients. The CFPB clearly dictates what you should be doing to manage your vendors.

Where Do You Start?

You know what you should be doing to demonstrate that you are monitoring your vendors, but how do you get the ball rolling and get the process going?

The best place to start is by performing a Risk Assessment for all third parties involved in the debt collection process. A Risk Assessment will help dictate the following:

  • Develop/enhance policies and procedures
    • What needs to be developed that is missing? What are you already doing that you need to enhance?
  • Continuous monitoring
    • How will you monitor to ensure your vendors compliance?
  • Remediation
    • What are you going to do to remediate issues if any are found? Will this mean possible termination of a vendor relationship if the risk is not worth it?

How Much Evidence Is Enough?

What information should you be gathering from your third parties to prove that you’re doing your due diligence and effectively monitoring them for compliance?

  • Vendor Policies and Procedures
    • Regulatory compliance & CMS overview
    • Compliance training
    • Consumer complaints
    • Information security posture
  • Types of Evidence
    • Training logs
    • Call recordings
    • Third party security reports
    • Performance reports
    • Audited financials

KirkpatrickPrice utilizes a unique online portal that is uniquely equipped to help you manage your own vendors. The Online Audit Manager is a tool designed to save you time by simplifying the vendor compliance management process, allowing you to:

  • Customize audit questions based on a number of compliance frameworks (SSAE 16, SOC 2, PCI DSS, FISMA, ISO 27001, HIPAA, CFPB, and more)
  • Track vendor progress and set deadlines
  • Approve, deny, or request further information per item
  • Establish reoccurring events based on the information you wish to receive annually, quarterly, monthly, etc.
  • Upload and attach files in support of the question or reoccurring event such as insurance certificates, licensing information, call recordings, policies and procedures, etc.
  • Utilize your own compliance staff to review the audit findings or let us do the work for you, online or onsite

Are you interested in learning more about this tool? Contact me at s.morris@kirkpatrickprice for a free demonstration.

 

Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.