CFPB Considers Registration Rule for Nonbank Financial Institutions

The CFPB recently issued a Request for Information (RFI) seeking vendor feedback on the agency’s consideration of establishing a web-based system that would require nonbank financial institutions to register with the CFPB. The RFI outlines the potential registration system’s capabilities and services, noting that nonbank financial institutions would use it to “apply for, amend, update, or renew a registration online using a single set of uniform applications.” In addition to other data gathering components, the potential registration system may be used for the collection of financial, operational, and organizational structure data. Responses from technology system vendors were due on July 29, 2016, with a disclaimer that the RFI was not “to be construed as a commitment that the CFPB will propose a rulemaking on the registration of nonbank financial institutions or that the CFPB will propose any specific system requirements.”


Vendor Management in 2015 and Beyond

[Photos: Jon Langlois, Valerie Hletko]

With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.

[Photos: Jeff Naimon, Chris Witeck]

CFPB Guidance

In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:

  • Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
  • Reviewing the service provider’s policies, procedures, internal controls, and training materials
  • Including clear expectations in written contracts
  • Establishing internal controls and on-going monitoring procedures
  • Taking immediate action to address compliance issues

Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.


FFIEC Releases Revised Management Booklet with Emphasis on Sound IT Governance

On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”


CFPB Reaches $700 Million Settlement to Resolve Credit Card Ancillary Products Investigation

On July 21, the CFPB announced a nearly $700 million settlement against a leading financial institution and its subsidiaries. According to the consent order, the Bureau alleges that the entities engaged in deceptive marketing, billing, and collection practices related to various credit card ancillary products, including debt protection and credit monitoring services. Specifically, the Bureau alleges that the institution’s or its vendors’ marketing practices, consisting of telemarketing calls, online enrollment, point-of-sale application, and direct enrollment at retailers, misled consumers into enrolling for certain ancillary products. The Bureau further alleges that, in some instances, telemarketers failed to accurately disclose the cost and fees associated with the ancillary products. With respect to the unfair billing allegations, the Bureau contends that the institution or its vendors improperly charged consumers, without authorization, for services that were not rendered, and failed to provide full product benefits of the services marketed to consumers. In addition, the Bureau alleges that the institution misrepresented payment fee information to consumers by failing to disclose the actual purpose of the fee associated with making payments by phone on delinquent credit card accounts. Under terms of the settlement, the institution and its subsidiaries agreed to (i) provide $479 million in consumer relief related to its marketing practices; (ii) pay roughly $220 million in restitution related to its payments collection practices and for consumers not receiving the full benefits of services promised; and (iii) pay a $35 million civil money penalty.

In a parallel enforcement action, the OCC imposed a separate $35 million civil money penalty against the institution for engaging in similar practices, and required the institution to strengthen its oversight of third-party vendors and develop a comprehensive risk management program for ancillary products marketed or sold by the bank.


CFPB Tackles Credit Card Vendors For Alleged Unfair Billing of Ancillary Products

Today, the CFPB filed proposed consent orders against two credit card add-on product vendors for allegedly billing consumers for credit monitoring and identity theft protection services they did not receive. Under the proposed consent orders, one vendor will provide nearly $7 million in restitution to the holders of approximately 73,000 accounts, and pay a $1.9 million civil money penalty. The other vendor will provide almost $55,000 in restitution to consumers who were incorrectly billed for identity theft or credit monitoring services, and pay a $1.2 million civil money penalty. The Bureau specifically noted that today’s announcement is the “first time the Bureau has brought actions directly against the companies” that market or administer ancillary products.
