On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled “Third-Party Security Assurance Guidance,” which is designed to help organizations and their business partners reduce payment data risk from third-party operations. In November 2013, the PCI SSC updated two data security standards. The first, PCI DSS, applies to entities involved in payment card processing (merchants, processors, acquirers, issuers, and service providers) as well as all other entities that store, process, or transmit cardholder data. The second, PA DSS, applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those payment applications are sold, distributed, or licensed to third parties. The new guidance supplements certain PCI DSS requirements that apply when a merchant or other entity shares cardholder data with a third-party service provider. Specifically, the supplement provides “practical recommendations” on how to: (i) conduct due diligence and risk assessment when engaging third-party service providers; (ii) implement a consistent process for engaging third parties; (iii) develop appropriate agreements, policies, and procedures with third-party service providers; and (iv) implement a process for maintaining and managing third-party relationships throughout the lifetime of the engagement.
On August 20, the CFPB announced a consent order with a Texas-based auto finance company to address alleged deficiencies in the finance company’s credit reporting practices. The company offers both direct and indirect financing of consumer auto purchases, and, according to the CFPB, specializes in lending to consumers with impaired credit profiles. In general, the CFPB took issue with the finance company’s alleged failure to implement policies and procedures regarding the accuracy and integrity of information furnished to consumer credit reporting agencies (CRAs) and alleged deceptive acts in the finance company’s representations regarding the accuracy of furnished information.
The CFPB’s action specifically alleged that the finance company violated the Fair Credit Reporting Act (FCRA) by providing inaccurate information to credit reporting agencies regarding how its borrowers were performing on their accounts, including by: (i) reporting inaccurate information about how much consumers were paying toward their debts; (ii) reporting inaccurate “dates of first delinquency,” the date on which a consumer first became late in paying back the loan; (iii) substantially inflating the number of delinquencies for some borrowers when it reported borrowers’ last 24 months of consecutive payment activity; and (iv) informing CRAs that some of its borrowers had their vehicles repossessed, when in fact those individuals had voluntarily surrendered their vehicles to the lienholder. The CFPB claims this activity took place over a three-year period, even after the company was made aware of the issue. The CFPB believes the company furnished incorrect information to the CRAs on as many as 118,855 accounts.
The consent order requires the company to pay a $2.75 million penalty to the CFPB. In addition, the finance company must: (i) review all previously reported accounts for inaccuracies and correct those accounts or delete the tradeline; (ii) arrange for consumers to obtain a free credit report; and (iii) inform all affected consumers of the inaccuracies, their right to a free consumer report, and how consumers may dispute inaccuracies. The order also directs the company to sufficiently provide the staffing, facilities, systems, and information necessary to timely and completely respond to consumer disputes in compliance with the FCRA.
On July 2, the Massachusetts Division of Banks published an industry letter regarding mortgage lenders’ obligation to timely fund and disburse mortgage proceeds and oversee internal and third-party compliance with that requirement. The letter advises lenders that numerous recent examinations have revealed issues with timely funding of loans by lenders and disbursement of funds by settlement agents. The letter reminds lenders that the state’s “Good Funds Law” requires a mortgage lender to disburse—in the form of a certified check, bank treasurer’s check, cashier’s check, or wire transfer—the full amount of the loan proceeds prior to recording the mortgage, and that failure to do so may be considered an unfair and deceptive practice. In addition, the letter advises lenders that (i) they must establish and implement policies and procedures to ensure that vendors distribute loan proceeds in the required timeframe, and (ii) internal compliance audits should include testing of the lender’s and any settlement agents’ settlement processes and procedures.
On July 1, the Federal Reserve Board announced a joint enforcement action with the Illinois Department of Financial and Professional Regulation against a state bank that allegedly failed to properly oversee a nonbank third-party provider of financial aid refund disbursement services. The consent order states that from May 2012 to August 2013, the bank opened over 430,000 deposit accounts in connection with the vendor’s debit card product for disbursement of financial aid to students. The agencies claim that during that time, the vendor misled students about the product, including by (i) omitting material information about how students could get their financial aid refund without having to open an account; (ii) omitting material information about the fees, features, and limitations of the product; (iii) omitting material information about the locations of ATMs where students could access their account without cost and the hours of availability of those ATMs; and (iv) prominently displaying the school logo, which may have erroneously implied that the school endorsed the product. The regulators ordered the bank to pay a total of $4.1 million in civil money penalties. In addition, the Federal Reserve is seeking restitution from the vendor, and, pursuant to the order against the bank, may require the bank to pay any amounts the vendor cannot pay in restitution to eligible students up to the lesser of $30 million or the total amount of restitution based on fees the vendor collected from May 2012 through June 2014. The consent order also requires the bank to submit for Federal Reserve approval a compliance risk management program in advance of entering into an agreement with a third party to solicit, market, or service a consumer deposit product on behalf of the bank.
On June 25, the OCC published its semiannual risk report, which provides an overview of the agency’s supervisory concerns for national banks and federal savings associations, including operational and compliance risks. As in prior reports and as Comptroller Curry has done in speeches over the past year, the report highlights cyber-threats and BSA/AML risks. The OCC believes cyber-threats continue to evolve and require heightened awareness and appropriate resources to identify and mitigate the associated risks. Specifically, the OCC is concerned that cyber-criminals will transition from disruptive attacks to attacks that are intended to cause destruction and corruption. Extending another recent OCC theme, the report notes that the number, nature, and complexity of both foreign and domestic third-party relationships continue to expand, resulting in increased system and process interconnectedness and additional vulnerability to cyber-threats. The report also states that BSA/AML risks “remain prevalent given changing methods of money laundering and growth in the volume and sophistication of electronic banking fraud.” The OCC adds that “BSA programs at some banks have failed to evolve or incorporate appropriate controls into new products and services,” and again cautions that a lack of resources and expertise devoted to BSA/AML risk management can compound these concerns. Finally, the OCC expressed concern that competitive pressures in the indirect auto market are leading to an erosion of underwriting standards. The OCC’s supervisory staff plans to review retail credit underwriting practices at banks, especially for indirect auto.
On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 10, the FFIEC issued an alert advising financial institutions of the risks associated with “Heartbleed,” a recently discovered material security vulnerability in OpenSSL, a widely used cryptographic library; the flaw has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive e-mail, or gain access to internal networks. Because OpenSSL is so widely deployed, the vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPNs), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate on the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
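As an added illustration (not part of the FFIEC alert or this digest), the following Python triages an OpenSSL asset inventory against the alert’s steps (iii) and (iv) and its key-rotation advice. The affected-version range is upstream OpenSSL’s published one; the host names and banners are constructed, and the `vendor_backport` flag is an assumption standing in for a distribution that ships the fix under an unchanged version string.

```python
import re
from dataclasses import dataclass

# Upstream Heartbleed exposure window (a fact, though not stated in the alert): OpenSSL
# 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 carry the fix.
# The 1.0.0 and 0.9.8 branches never contained the TLS heartbeat code.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(banner: str):
    """Parse `openssl version` output into (major, minor, fix, letter, beta)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_affected(version) -> bool:
    """True when the upstream release in `version` shipped the vulnerable heartbeat code."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"  # plain "1.0.1" (empty letter) sorts before "a" and is affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1  # only the first 1.0.2 beta carried the bug
    return False


@dataclass
class Asset:
    host: str
    banner: str
    vendor_backport: bool = False  # assumption: distro rebuilt an old version string with the fix


def triage(assets):
    """Map each host to the actions the alert calls for: patch first, then treat the keys
    and credentials that were exposed on an affected host as no longer trustworthy."""
    plan = {}
    for asset in assets:
        actions = []
        if is_heartbleed_affected(parse_openssl_version(asset.banner)):
            if asset.vendor_backport:
                # The version string alone cannot prove the fix is present: confirm it from
                # the package changelog, and still rotate keys if the host served TLS before it.
                actions.append("confirm backported fix via package changelog; rotate keys "
                               "if the host served TLS before the fix was installed")
            else:
                actions += [
                    "upgrade OpenSSL and restart every service linked against it",
                    "reissue TLS certificates and private keys",
                    "require users and administrators to change passwords after patching",
                ]
        plan[asset.host] = actions
    return plan


def sample_inventory():
    """Constructed inventory for demonstration; the hosts and banners are not real."""
    return [
        Asset("web-1", "OpenSSL 1.0.1e 11 Feb 2013"),
        Asset("vpn-1", "OpenSSL 1.0.1e 11 Feb 2013", vendor_backport=True),
        Asset("mail-1", "OpenSSL 1.0.1g 7 Apr 2014"),
        Asset("legacy-1", "OpenSSL 0.9.8y 5 Feb 2013"),
        Asset("dev-1", "OpenSSL 1.0.2-beta1"),
    ]


if __name__ == "__main__":
    for host, actions in triage(sample_inventory()).items():
        print(host, "->", actions or ["no action: not affected"])
```

Hosts that report an unaffected version string but were rebuilt from a patched source still need the changelog check, which is why the backport flag is tracked separately from the banner.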
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing,” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) the U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
On March 4, Comptroller of the Currency Thomas Curry addressed the annual meeting of the Independent Community Bankers Association where he stressed the need for banks to effectively manage risk presented by the outsourcing of data security and information technology. The Comptroller explained that “[t]hird parties can be the weak link in [a bank’s] information systems security and resiliency; and especially where that third party is providing security services.” Referencing guidance the OCC issued last year, the Comptroller described the OCC’s due diligence expectations for banks’ third-party relationships as “substantial” and stressed that a bank’s due diligence needs to cover not only the vendor, but the vendor’s own third-party relationships. Mr. Curry also focused on other concerns he has about third-party relationships, including: (i) consolidation of service providers, which can increase the number of banks impacted when deficiencies occur at a single vendor; (ii) increased reliance by banks on foreign-based service providers; and (iii) third parties’ access to “large amounts of sensitive bank or customer data.”
On January 17, the OCC released a cease and desist order entered jointly by the OCC and the FDIC with two affiliated technology service providers that offer payment and other technology solutions for banks. Without describing the specific circumstances leading to the action, the order states that the regulators had reason to believe the service providers were operating without (i) an internal auditor or an integrated risk-focused audit program; (ii) a comprehensive due diligence program or formal policies to evaluate vendor risk; (iii) an enterprise-wide risk assessment; (iv) effective business continuity or disaster recovery planning; (v) procedures to identify software vulnerabilities; and (vi) an effective log review program to identify threats. The regulators did not assess a penalty, but will require the vendors to implement numerous risk management enhancements. Under the order, the technology service providers or their board must, among other things, (i) fill specific management positions; (ii) implement an audit program; (iii) conduct a security risk assessment; (iv) develop a vendor management program; (v) implement business continuity/disaster recovery plans; and (vi) submit quarterly progress reports to regulators and client banks.
Recently, the OCC released a formal agreement it entered with the FDIC, the Federal Reserve Bank of St. Louis, and a banking software company to resolve allegations of unsafe and unsound practices relating to the software company’s disaster recovery and business continuity planning and processes. The action reportedly resulted from the third-party service provider’s (TSP) delay in reestablishing full operations at a processing center in the wake of Hurricane Sandy. The agreement requires the TSP to continue to maintain a compliance committee, which must submit quarterly written reports to the TSP’s board. The agreement also details minimum requirements for (i) an enhanced disaster recovery and business continuity planning (DR/BCP) process; and (ii) a DR/BCP risk management program and audit process. The agreement also reaffirms the TSP board’s responsibility for proper and sound management of the TSP. The action demonstrates the OCC’s and other federal authorities’ continued focus on third-party service providers. While in this instance the regulators employed the Bank Service Company Act to directly address concerns about a TSP, recent Federal Reserve Board and OCC guidance also focuses on financial institutions’ responsibilities with regard to managing risks related to third parties’ disaster recovery and business continuity.
On December 10, the CFPB released a consent order with a federal savings association, pursuant to which the bank will refund approximately $34 million to more than one million credit card holders who were enrolled in deferred-interest financing for healthcare services. The order does not include a civil penalty. The deferred-interest action is the first public action taken by the CFPB since it promised to scrutinize such products in its October credit card report.
The product at issue typically is offered by healthcare providers who offer personal lines of credit for healthcare services, including medical, dental, cosmetic, vision, and veterinary care. The CFPB alleges that the bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods associated with the credit cards, which led to consumers being misled during the enrollment process. The CFPB further claimed that healthcare providers improperly completed applications and submitted them on behalf of consumers, failed to provide consumers with copies of the credit card agreement, and, where disclosures were provided, those disclosures failed to adequately explain the deferred-interest promotion.
In addition to consumer redress, the order mandates certain terms of the bank’s contracts with medical providers offering the healthcare credit card. For example, the bank must incorporate specific “transparency principles” into its agreements with healthcare providers, and the contracts must prohibit certain charges. The bank also must enhance disclosures provided with the card application and billing statements, and improve training for healthcare providers offering the card. In addition, the order details consumer complaint resolution requirements, and prohibits certain incentive arrangements and paid endorsements. To date, the CFPB has not released the attachments to the consent order, which include, among other things, the transparency principles and disclosures.
The New York Attorney General entered into a similar agreement with the bank earlier this year. Under that agreement, the bank was likewise required to add a set of transparency principles to provider contracts to ensure that card terms were described accurately and to revise promotional interest rate options and other disclosures to better inform consumers’ use of the card.
Special Alert: Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance
On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.
The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.
While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to the OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents. Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities. It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.
The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following: Read more…
On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.
The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages: Read more…
The use of outside vendors by financial services companies is far from new, but the role of these service providers and the adequacy of their work have drawn increasing regulatory scrutiny over the past few years. Effective management and oversight of third-party service providers is key to minimizing the likelihood of derivative liability. Companies must use adequate due diligence to select and engage vendors, consistently monitor the quality of their work, and timely mitigate any problems identified.
Institutions using third-party service providers should consider taking steps that include the following:
- Establishing written guidelines and clear criteria for the selection of service providers;
- Establishing detailed, written record-keeping protocols for work performed by service providers and monitoring adherence to their implementation;
- Establishing an appropriately robust quality assurance monitoring and testing program together with timely reporting;
- Conducting periodic on-site reviews of service providers for compliance including periodic review of the service provider’s policies, procedures, internal controls and training materials; and
- Carefully analyzing customer complaints related to service providers, in order to remediate any consumer harm and identify broader trends that may need to be addressed.
We encourage you to review some of our recent writing on issues relating to third-party service providers. In “Mortgage Crisis Triggers Stronger Focus on Vendors,” BuckleySandler attorneys Jonice Gray Tucker and Kendra Kinnaird discuss regulatory scrutiny on the use of vendors by mortgage servicers. Another recent article by Valerie Hletko and Sarah Hager provides an overview of supervisory issues related to third-party service providers post-enactment of the Dodd-Frank Act.