Legal Counsel to the Financial Services Industry
Regulatory Landscape in 2015: Vendor Management and Beyond
Jeffrey P. Naimon, Valerie L. Hletko, Jon D. Langlois
December 11, 2014

Presentation Overview
Evolving Regulatory Expectations
Current Supervisory and Enforcement Environment
Vendor Management Lessons

Evolving Regulatory Expectations
Financial institutions under more scrutiny than ever
– Prudential regulators
– CFPB
– Investors and counterparties
Dodd-Frank Act and OCC Bulletin 2013-29—big third-party tent
– “[A]ny person that provides a material service to a covered person” and “any business arrangement between a bank and another entity,” respectively
– Generally applies to any service provider or third-party relationship involving a key company function, including appraisers and appraisal management companies, document and disclosure vendors, website and software vendors, payment processing, collections and foreclosure attorneys, loan brokers, and contract underwriters in correspondent relationships

Evolving Regulatory Expectations
Overall negative regulatory environment arising from financial crisis
– Regulators under fire for not being sufficiently tough on banks and other financial services providers
– Regulatory competition to prove that each regulator is being sufficiently tough
– One way to think about it – you are guilty until proven innocent and you have to prove that you have done all the things the regulators would have wanted you to do
    – Document, document, document

Evolving Regulatory Expectations
Regulatory coalescence around vendor management
– CFPB Bulletin 2012-03 (04/13/12)
    – Supervised banks and nonbanks must oversee service providers in a “manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm”
    – Focus is to avoid presenting “unwarranted risks to consumers”
– OCC Bulletin 2013-29 (10/30/13)
    – Updates (and enhances) OCC Bulletin 2001-47
    – Failure to have in place effective risk management process commensurate with risk and complexity of relationships “may be an unsafe and unsound banking practice”
– Federal Reserve Board SR Letter 13-19 (12/5/13)
    – Largely consistent with OCC Bulletin 2013-29
    – Emphasizes responsibility of Board of Directors and senior management to effectively manage third-party relationships

Evolving Regulatory Expectations
Who is a vendor?
– Dodd-Frank Act: “Any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service”
– OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance: “Any business arrangement between a bank and another entity, by contract or otherwise”
– Generally applies to any third-party relationship where the third party is performing a key function for the company
    – Appraisers and appraisal management companies
    – Document and disclosure vendors
    – Website and software vendors
    – Payment processing
    – Attorneys and other parties used for servicing, collection, loss mitigation or foreclosure counsel
    – Loan brokers and contract underwriters in correspondent relationships
– Includes contracts with affiliates

Current Supervisory and Enforcement Environment

Current Supervisory & Enforcement Environment
Examinations
– Prudential regulators keenly focused on retained compliance areas as “safety and soundness” issues
    – Strict adherence to vendor management guidance
– CFPB establishing “compliance management systems” as primary compliance consideration
    – Vendor management
    – Complaint management
    – Policies and procedures, training
    – Oversight, monitoring, and testing
– Investors and counterparties requiring same

Current Supervisory & Enforcement Environment
Vendor management supervision
– CFPB exams include vendor management-specific inquiries
    – Identify and describe all relationships
    – Provide records evidencing selection, diligence, and oversight
– CFPB enforcement actions
    – CFPB enforcement actions involve failure to adequately oversee vendor performance
    – CIDs can be issued to any person who has information, including third parties over whom the CFPB does not have jurisdiction
– Prudential regulator exams can include intense focus on oversight of third parties
    – Strict grading to guidance
– Many banks and nonbanks are also receiving informal supervisory guidance (matters requiring attention or examination findings) in this area

Current Supervisory & Enforcement Environment
Examination tips
– Vendors vs. Any Third Party. Be prepared for examiners to expand from “vendors” who provide goods and services to your company to any third party with which you do business
– Complaints. Examiners will focus where there is an identified issue and expect to see sound complaint management
    – CFPB Supervision and Examination Manual: “Target Reviews will generally involve a single entity and will focus on a particular situation such as a significant volume of particular customer complaints or a specific concern that has come to the CFPB’s attention.”
    – Conduct “root cause” analyses of complaints to show complete resolution (centralized, to the extent practicable, or written best practices across business lines if not)
    – Focus on complaints received about a vendor, or received by the vendor from a customer
    – Regulator may require an entity to turn over copies of its consumer complaints – disorganized or missing records can lead to unwanted delays, additional document requests, and/or frustration on the part of the regulator
– Critical Vendors. For critical vendors, especially consumer-facing, prepare a complete package of efforts – starting from vendor selection through contracting and ongoing vendor oversight – to show strong management of the entire process
– Be Proactive. If you can identify gaps, better to start filling them now than waiting for regulatory criticism later

Current Supervisory & Enforcement Environment
CFPB Enforcement – responsible for conducting Bureau investigations and, when necessary, bringing enforcement actions
– Broader jurisdiction than Supervision
– Authority to bring action against “any person,” regardless of size and charter, that violates a Federal consumer financial law
– Authority to investigate “any act or omission that, if proved, would constitute a violation of any provision of Federal consumer financial law”
– Authority to obtain information from “any person” the Bureau has reason to believe is “in possession, custody, or control of any documentary material or tangible things, or may have any information, relevant to a violation”

Current Supervisory & Enforcement Environment
CFPB routes to Enforcement
– Supervision can refer matters to Enforcement Division
    – Enforcement commences investigation
    – Enforcement proceeds directly to request for consensual resolution or files complaint in U.S. District Court
– Enforcement Division can be made aware of potential violations and commence an investigation
    – Investigations can originate from a variety of sources, including consumer complaints, investigations transferred from prudential banking regulators, state agency investigations, private litigation, or focus on particular industry, product, or practice
– Increasing interagency “collaboration”
    – State Attorneys General
    – State banking regulators
    – Federal banking regulators
    – FTC

Current Supervisory & Enforcement Environment
Recent enforcement actions resulting in consent orders center on third parties
– Credit card ancillary products (first in July 2012, most recent September 2014)
– Auto loans and ancillary products (June 2013)
– Deferred interest financing for healthcare services (December 2013)
    – Alleges violations of UDAAP and Reg Z, and that bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods, which led to consumers being misled during enrollment process
OCC, FDIC, Fed orders and guidance relating to technology service providers, cyber risks

Current Supervisory & Enforcement Environment
Additional hot topics and trends
– CFPB is pursuing an ambitious agenda across multiple consumer financial product lines, but mortgage remains a core priority
– Areas of focus include:
    – Servicing and servicing transfers
    – Loan originator compensation
    – Mini-correspondent lending
    – RESPA

Vendor Management Lessons

Outsourcing Environment and Risks
Use of vendors presents various risks
– Compliance risk – violations of applicable law
– Reputation risk – risk to the company from negative public perception
– Strategic risk – risk from bad business decisions, including based on entering a relationship without sufficient knowledge of the vendor
– Transaction risk – problems arising from vendor’s service or product delivery
– Credit risk – risk that the vendor will fail to meet the terms of a contract with the company
– Operational risk – risk arising from inadequate or failed internal processes, systems, or people, or from external events
– Vendor concentration risk – risk when a company is too reliant on one vendor

Risk Management Life Cycle
Five important stages of the “vendor risk management life cycle”
– Planning/risk assessment
– Due diligence and selection
– Contract negotiation and implementation
– Ongoing relationship monitoring
– Relationship termination

Lessons: Due Diligence & Third Party Selection
Areas for focus
– Legal and regulatory compliance
– Fee structure and incentives
– Risk management systems
Depth of diligence review should be commensurate with identified and expected risks
– Onsite review
– Discussions with management
– Review of key corporate and operational information
– Review of regulatory actions and complaints
Document internal assessment of risks relating to third parties in general, and intended third party in particular

Lessons: Contract Negotiation
Process for engaging counterparties significantly more formalized
– Mandatory: all relationships should be documented by a written contract clearly defining responsibilities of both parties
– Engage legal, compliance, and other necessary stakeholders prior to contract execution
– To the extent possible, develop a form contract to use with third party providers

Lessons: Contract Negotiation
Key aspects for contract
– Legal and regulatory compliance must be a consideration
– Consider how you will hold the third party accountable – SLAs, termination rights, audit and remediation rights (reliance on reps and indemnification no longer sufficient)
– Consumer complaints – wherever possible (and where vendor is customer-facing), include process for receiving consumer complaints
– Subcontractor management
    – Either become comfortable with process for oversight of third parties or develop ability to oversee them yourself (directly or indirectly)

Best Practice Considerations
Roles and responsibilities
– Board and senior management involvement is expected and critical to success of vendor management program
– Board can delegate duties, but remains primarily responsible
– Senior management key to design, implementation, monitoring, and enforcement of vendor program
– Best practice is to establish one individual or team to manage relationships with clear lines of authority
– All relevant employees should be knowledgeable about the vendor framework

Best Practice Considerations
Document efforts
– Document oversight program and maintain adequate reports and records
    – Inventory of all vendor relationships and related contracts
    – Due diligence results and findings
    – Ongoing oversight reports
    – Reporting to senior management and board
– Periodically report results of oversight activities to the Board or a designated committee

Contacts
Jeffrey P. Naimon, Partner
Valerie L. Hletko, Partner
Jon D. Langlois, Counsel
BuckleySandler LLP
1250 24th Street NW, Suite 700
Washington, DC 20037
www.buckleysandler.com
www.infobytesblog.com