Consumer Compliance Outlook: Fourth Quarter 2012

Vendor Risk Management — Compliance Considerations

By Cathryn Judd, Examiner, and Mark Jennings, Former Examiner, Federal Reserve Bank of San Francisco

On May 2, 2012, the Federal Reserve System hosted an Outlook Live webinar titled Vendor Risk Management — Compliance Considerations.1 The speakers addressed a number of compliance-related risks associated with using third-party service providers. This article reinforces the best practices discussed during the webinar and reviews the risks of using third-party vendors.


What Are Common Types of Third-Party Relationships?

Some common third-party relationships include:

What Are the Risks of Using Vendors?

Third parties present a broad range of risks, including:

These risks are heightened when a vendor operates directly between the bank and its customers. Vendors may be heavily involved in delivering products and services to an institution’s customers, but their actions or activities may not be adequately monitored. These risks have been manifested most significantly through deceptive vendor marketing, credit discrimination, data loss leading to privacy issues, and unfair or deceptive acts or practices (UDAP).

While vendors often provide value through their expertise and experience, the bank’s board and senior management are ultimately responsible for all aspects of the bank’s operations, including products and services provided by vendors. Accordingly, effective risk management is required to mitigate the risks associated with the loss of control and close oversight that often occurs with a vendor relationship. A good rule of thumb is to oversee vendors as you would any other department in your bank, regardless of the vendor’s reputation or apparent ability to comply with consumer protection laws and regulations.


Vendor risk management problems often involve one or more of the following issues:


An institution’s failure to maintain a strong vendor management program presents significant risks. Here are some examples noted during recent examinations.

Flood Insurance Monitoring

Banks often use vendors to ensure that all loans secured by properties located in special flood hazard areas have adequate flood insurance, that all insurance amounts are correct for the specific property covered, and that appropriate insurance coverage remains in effect during the life of such loans. A vendor’s error in calculating the amount of insurance required can result in significant flood insurance violations involving multiple properties and civil money penalties (CMPs). Under the Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act),2 which was signed into law on July 6, 2012, CMPs against regulated lending institutions with a “pattern or practice” of violating certain flood insurance requirements were increased from $385 to $2,000 for each violation. In addition, the Biggert-Waters Act removed the $135,000 statutory cap on the amount of CMPs that may be assessed against an individual financial institution in a single calendar year. This change was effective on July 6, 2012.3

Loan Modifications

Given the complexity of loan modifications, vendors are often used to process loan modification requests under the Home Affordable Modification Program (HAMP). Vendors sometimes fail to process HAMP requests in accordance with their agreements with the bank. In other cases, vendors delay the processing of loan modifications by sending borrowers duplicate document requests, causing hardships for the borrowers. If bank management is not monitoring a vendor’s activity, it will not be aware of problems that may be occurring with the vendor.

The failure to monitor vendors has resulted in significant examination findings, including concerns that borrowers were treated unfairly by the vendor. In one case, bank management was required to conduct a file search and offer borrowers whose request had been incorrectly handled by the vendor the option of re-applying for a loan modification. The bank had to absorb the costs associated with the new application and make significant changes to its compliance program.

Credit Card Administration

Some banks hire vendors to administer and market credit card programs. In one case, a vendor was marketing a balance transfer credit card program as a way for bank customers to obtain a new credit card while paying down the balance on an existing one. However, the vendor did not properly disclose all of the fees connected to the product. Bank management was not monitoring or reviewing the vendor’s activities and did not identify the errors.

This action by the vendor ultimately resulted in a finding of deceptive marketing practices based, in part, on the vendor’s failure to correctly disclose fees. Violations of Regulation Z’s credit card requirements were also identified. In short, customers did not have all the information they needed about the product to make an informed decision and did not learn about certain features until after they had been assessed nonrefundable fees. Bank management assumed that the vendor was responsible for compliance because the vendor made the credit decisions and owned the credit card receivables. However, the bank’s name was on the credit cards, and under the agreement between the parties, the bank was deemed a creditor in the transaction. The bank was therefore accountable for the compliance violations, not to mention the reputation risk of having its name associated with a deceptive practice. It is also noteworthy that the Consumer Financial Protection Bureau undertook three enforcement actions against three major credit card issuers this year, all of which involved compliance issues with vendors hired by the card issuers. The enforcement orders contained specific provisions requiring the issuers to change their compliance management systems concerning oversight of vendors.4

Disclosure Software

Many banks use vendor software to generate consumer disclosures for various loan and deposit products. After amendments to disclosure regulations in the last several years, some vendors failed to update their software, resulting in various errors on disclosure forms. Problems of this nature occur when bank management relies solely on the vendor without conducting its own independent review of disclosure requirements to ensure that the required changes are implemented.

Revenue Enhancements

Examiners are increasingly seeing cases in which third parties offer “revenue enhancement” services. While these services may appear desirable, bank management should always conduct due diligence with every vendor prior to entering into a third-party relationship, develop a risk assessment of the proposed vendor processes, and understand the vendor activities. Bank management must fully consider the compliance implications associated with these new products and services. In addition to complying with the technical requirements of existing rules, bankers should be particularly mindful of the possibility of UDAP issues related to vendor products. Generally speaking, management should ensure that marketing materials and disclosures are accurate and provide information necessary for the customer to make an informed decision about the product or service and that there are viable options available to the consumer.


Several best practices can reduce the risk of violations from vendor relationships. These include:


Vendors provide value in the expertise and experience they offer; however, financial institutions must still maintain active oversight. It is important to remember that when a vendor performs a service or function, the institution bears ultimate responsibility for compliance. Because varying levels of risk remain with the institution that offers the product or service, a strong vendor risk management program is key to maintaining compliance and avoiding claims of improper treatment of bank customers. With good vendor management, banks can minimize the risk of less direct oversight or control and maximize the benefits gained through a well-managed vendor relationship. Specific issues about vendor risk management should be raised with your primary regulator.