Regulatory

Liability for fourth-party vendors

How far down does the rabbit hole go?

Lenders will be held accountable for the actions of the third-party service providers they select. Will they be held responsible for the actions of fourth-party service providers — couriers, telecom providers and even cleaning services — as well?

It has been over a year since the Consumer Financial Protection Bureau made it clear by way of CFPB Bulletin 2012-03 (April 13, 2012) that mortgage lenders would be held responsible for the actions of their service providers. 

Although the CFPB conceded that the use of service providers is often an “appropriate business decision” and that supervised banks and nonbanks may outsource certain functions to service providers due to “resource constraints, use service providers to develop and market additional products or services or rely on expertise of service providers that would not otherwise be available without significant investment,” those lenders could nonetheless be held accountable for any consumer-related transgressions committed by the service providers they choose.

Since the issuance of the CFPB bulletin the industry, in many ways, has turned its attention to seemingly more pressing compliance matters such as QM/ATR or loan officer compensation, but the potential remains for an audited lender to pay a significant price should its practices for vendor selection and management be lacking.

Much has been written about the best ways to go about vetting and monitoring one’s direct service providers, such as title insurance underwriters, title agents, settlement service providers and the like. But what about the “fourth-party” service provider? 

Most, if not all, third-party providers routinely rely upon vendors themselves. To what degree is the lender responsible for their actions? At what point does the comprehensive become the ridiculous, or even the impossible? At this time, we don’t have a lot of guidance. So let’s consider what we do know and chart the best course of action until we know more.

LENDER LIABILITY FOR ACTS OF THIRD-PARTY — AND BY EXTENSION FOURTH-PARTY, SERVICE PROVIDERS.

Admittedly, we have very little guidance as to where the line is drawn regarding actions by fourth-party service providers for which the lender can be held responsible. We do, however, know very well that the CFPB will go as far as necessary to protect the consumer.

The Dodd-Frank Act, from which the CFPB derives its authority, allows the bureau to regulate any “consumer financial product or service” provided by any covered person. The statute mentions several specific activities qualifying as financial products or services, from the obvious — extending credit, taking deposits — to the less-than-obvious, including processing payments online. 

Authors Valerie Hletko and Sarah Hager, in a recent Lexus-Nexus research bulletin, also point out that there’s wiggle room in the statute which allows the CFPB to expand its reach, in the form of a general authority to regulate products or services “entered into or conducted as a subterfuge to evade consumer financial law or permissible for a bank or financial holding company to offer or provide and has or likely will have a material impact on consumers.”  1

Considering these facts, a case can be made that the CFPB could hold a lender responsible for the actions of independent closing agents, appraisers and title or appraisal software providers — especially those developing systems that process sensitive financial data or store it. But how far down the line does the accountability go? 

Does a courier transporting closing documents put the lender in jeopardy? What about the telecommunications or Internet provider, the systems provided which may be used to store or transmit such financial information? What about the office cleaning service or contractors maintaining the facility of a title or closing firm, who could potentially access consumer-oriented information?

Because we have little specific guidance as to where that “bright line” of liability lies, we have to dig a bit further. Hletko and Hager do an excellent job revisiting the legislative history of the Dodd-Frank Act:

“While the legislative history is both minimal and understated, it suggests two things:

1. Congress did not intend to make business-to-business relationships a principal focus of the bureau.

2. The intent of the focus by the supervisory authority over service providers is to be the financial product or service contracted out."

This would suggest that the bureau’s reach, when it comes to the financial transaction, could be very broad indeed. Based upon these clues, it becomes apparent that the lender’s efforts must begin with vetting its third-party service providers, and how those providers go about vetting and monitoring the vendors they select.

We are already seeing lenders of all sizes beef up their vetting programs by requiring responses to ever-more detailed compliance questionnaires, conducting extensive on-site compliance audits, expanding the depth and breadth of background checks and requesting an almost unlimited amount of written documentation and proof of compliance-related practices.

This heightened scrutiny seems to be required of existing and new, potential service providers. We’re also seeing a tremendous reduction in the number of service providers used by each lender. 

Based on what we know about the extent of liability, it will be important for lenders to question and investigate their service providers’ own vetting and vendor-selection processes. 

In all likelihood, a lender will want to see that its title insurance underwriter, title agent, settlement service provider, appraisal management companies and the like are asking similar questions, using similar written policies and procedures and requesting similar financial and operational documentation in their own vendor management endeavors. 

Questions such as, “What companies are your outsource service providers using currently? What do you know about them? Is this documented?” and perhaps most importantly, “How well are you monitoring them and how often are they reporting back to you?”

ONGOING MONITORING AND POLICY

It’s one thing to craft a detailed, written set of policies and procedures to ensure that a third- or fourth-party service provider is minding consumer protection law. It’s quite another to prove that the lender and its third-party providers are minding the store after the compliance framework is put in place. 

The CFPB’s emphasis on consumer complaint resolution processes gives us some clue into the bureau’s thinking on the matter. So, just as many lenders are utilizing the CFPB’s own five-step outline to measure their vetting and monitoring processes, those same service providers should be doing the same when they outsource. In the CFPB’s own words:

“The CFPB recommends that supervised financial institutions take steps to ensure that business arrangements with service providers do not present unwarranted risks to consumers. These steps include:

Conducting thorough due diligence to verify that the service provider understands and is capable of complying with the law;

Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;

Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;

Establishing internal controls and on-going monitoring to determine whether the service provider is complying with the law; and

Taking prompt action to address fully any problems identified through the monitoring process.” 2

So what does this mean, in terms of practical application? Here’s what we’re seeing right now as lenders, and their service providers, build vetting/monitoring checklists:

Has the provider undergone a compliance assessment, preferably at the hands of a qualified, third-party (CPA, law firm, compliance consultant)?

Is that provider making use of a robust compliance management system?

Are all policies and procedures thoroughly documented, and do they match up to the typical elements of a CFPB audit?

Is the provider able to provide clear documentation of its readiness and risk management procedures for the purposes of due diligence?

Again, there appears to be no clear, comprehensive outline or manual as to just how far a lender must go to ensure its third- or even fourth-party service provider is not systematically violating consumer protection law. 

It is an incredibly daunting, if not impossible, task to achieve 100% risk mitigation. As we await further clarification — hopefully not in the form of corrective or disciplinary action — it seems clear that we must start with the stated intention of the CFPB: make a thorough and good-faith effort to ensure that the consumer is being protected at all points of the transaction.

In the evolving world of new regulations affecting mortgage finance the linkage between lender, third-party service provider and now fourth-party service provider seems evident. How far can the review, evaluation and qualification of vendors reach? 

The answer is — as far as necessary for lenders to ensure everyone in the service chain adheres to consumer finance laws and rules protecting consumers. 

Footnotes:

“Which One of Us Is the Service Provider? The Dodd-Frank Act’s Infinite Loop of Oversight,” Valerie Hletko and Sarah Hager, Lexus-Nexus Emerging Issues Analysis, Research Solutions, August, 2013.

Consumer Financial Protection Bureau press release, April 13, 2012.

Most Popular Articles

3d rendering of a row of luxury townhouses along a street

Log In

Forgot Password?

Don't have an account? Please