Although many community banks and other financial institutions strategically outsource certain functions (mortgage servicing, credit card products, etc.) in order to offer additional services or control costs, regulators have increased their scrutiny of how institutions are managing these vendors and their practices. It is important for every institution to conduct a periodic review of its vendor relationships in order to understand risks and ensure that effective controls are in place.
Part of the recent focus on vendor management comes from the Consumer Financial Protection Bureau’s (“CFPB”) enforcement actions against several credit card issuers that highlighted problems with vendor management. In those matters, the financial institutions used vendors to offer and sell certain add-on products, primarily payment protection, to customers’ credit card accounts. The CFPB highlighted the vendor management issues and problems in its press releases, and the parties documented these problems in the final consent order. The financial institutions agreed to pay millions of dollars in penalties, in part for its lack of oversight with vendors.
Although it appears that a major impetus for these proceedings was simply that the CFPB did not perceive the payment protection products to be a good value to consumers, the CFPB’s focus on vendor management problems underscores the need for financial institutions to take a closer look at how it is mitigating these risks.
In areas such as mobile deposits, mortgage servicing, mortgage closing, underwriting, credit cards, and other areas that complement core banking services, community banks can use vendors to expand the availability and accelerate the delivery of services. Having good controls is the best practice to avoid regulators’ scrutiny of vendors engaged for these services. First, assess whether and how activities can be outsourced, including analyzing the risks associated with the specific activities. Second, conduct appropriate due diligence in selecting vendors, and ensure that outsourcing relationships are governed by written contracts. Engage counsel to look at the contractual provisions and controls if necessary. Third, ensure that vendors are actually abiding by the contracts and agreements, including periodic testing of controls integrated in the agreement. Finally, verify that service providers maintain confidential information.
As part of their focus on customer service, most community banks are already carefully managing vendor relationships. However, there is always room for improvement, and these recent decisions remind financial institutions of the need to review their vendor management practices. Contact regulatory counsel to assist with these issues and mitigating your institution’s risks.