Newsroom

April 13, 2012 – Depository institutions' and non-depository institutions' responsibilities with respect to third-party providers are outlined in a bulletin issued Thursday by the Consumer Financial Protection Bureau.

Bulletin 2012-03 addresses depository institutions' consumer compliance responsibilities when institutions contract with third parties to help carry out certain functions, such as marketing of services and products or providing expertise. The three-page document provides an overview of the CFPB's role, which, under the Dodd-Frank Act, includes authority to examine the operations of supervised service providers on site.

Supervised service providers, the bulletin notes, includes those used by CFPB-supervised depository institutions – the CFPB supervises those with more than $10 billion in assets – and service providers to a substantial number of small institutions, including small, insured credit unions.

Some steps the bureau recommends for ensuring third-party service provider comply with federal consumer protection rules include:

• conducting thorough due diligence to verify that the provider understands and is capable of comply with federal consumer financial protection law;
• requesting and reviewing the provider's policies, procedures, internal controls and training materials to ensure the provider conducts appropriate training and oversight of employees or agents;
• including clear expectations about compliance in the contract with the service provider;
• establishing internal controls and ongoing monitoring for compliance; and
• taking prompt action – terminating the relationship, if needed – to address problems identified through the monitoring process.

The bulletin can be downloaded from the CFPB website.