
InfoBytes Blog

Financial Services Law Insights and Observations



  • Spotlight on Vendor Management: "Brother's Keeper" Enforcement Pattern Becoming the Norm

    Consumer Finance

    Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers. The identified cause of the data breach was employees of the carrier’s service providers based in Mexico, Colombia, and the Philippines, who confessed to selling customer information to unauthorized third parties. In holding the carrier responsible, the FCC issued its largest data security enforcement action to date. Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.

    “This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler.  “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.”   

    In the second action, the Consumer Financial Protection Bureau (CFPB) announced that it had filed a lawsuit in the United States District Court for the Northern District of Georgia in connection with an allegedly illegal debt collection operation whereby a group of individuals and companies based in New York and Georgia attempted to collect debts that consumers did not owe or that collectors were not authorized to collect.  Specifically, the collectors allegedly placed “robo-calls” to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserts that, as a result, the debt collectors received millions of dollars in profits from the targeted consumers.

    In addition, several service providers were named as defendants in the case because, according to the CFPB, the illegal scheme depended upon the participation of the service providers.  Specifically, the CFPB charged payment processors and a telephone broadcast provider hired by the debt collectors, because these service providers, in pertinent part, (i) “failed to conduct reasonable due diligence to detect unlawful conduct,” which helped to facilitate millions of dollars in ill-gotten profits, and (ii) transmitted robo-call messages created by the debt collectors that the service providers “knew or should have known … contributed to unlawful debt collection.”

    “The CFPB is holding the vendors accountable in this case on the theory that the vendors had a duty to vet the business practices used by the debt collectors to determine if they were unfair or deceptive or violated the debt collection laws,” according to Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “Having to take responsibility for another entity’s wrongdoing is likely a wake-up call for many vendors, but the CFPB has now shown on several occasions that it intends to cast a wide net when it comes to protecting consumers from unwarranted harm, including over entities that may not have known they were subject to this type of supervision.”

    The bottom line: Compliance continues to be a significant outsourcing challenge for regulated institutions and their service providers. Thorough due diligence and ongoing oversight are becoming imperative to avoid guilt-by-association predicaments like those at issue in the recent FCC and CFPB actions.

    McGinn and Shah suggest the following steps supervised institutions and service providers can take to adapt and comply with a rapidly changing regulatory and enforcement environment:

    • Commit to developing or enhancing compliance management systems to:
      • Establish compliance responsibilities;
      • Communicate those responsibilities to employees;
      • Ensure that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
      • Review operations to ensure responsibilities are carried out and legal requirements are met; and
      • Take corrective action and update tools, systems, and materials;
    • Review written policies and procedures including responsibilities for documenting compliance-related activities and regular reporting to senior management and the board of directors;
    • Monitor training for service provider employees to ensure that contractual responsibilities align with operational realities, including procedures to identify legal and regulatory issues for escalation and resolution;
    • Conduct regular on-site compliance audits of service provider operations, and proactively address issues discovered when reviewing service provider controls, performance, and information systems; and
    • Dedicate sufficient resources and personnel to vendor management and compliance activities especially with respect to pre-contract due diligence and ongoing monitoring during the term of the contract.

    As data security, privacy, and vendor management issues continue to intersect, there are a number of new focal points that will be particularly relevant to service providers. 

    CFPB Vendors FCC Elizabeth McGinn

  • SEC Publishes Cybersecurity Guidance for Registered Investment Companies and Advisers

    Privacy, Cyber Risk & Data Security

    On April 30, the SEC’s Division of Investment Management issued IM Guidance Update No. 2015-02, which highlights measures that investment companies and advisers may wish to consider in addressing cybersecurity risks. The guidance urges firms to adopt a three-pronged approach including, among other things: first, conducting a periodic assessment of (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk; second, creating a strategy designed to prevent, detect, and respond to cybersecurity threats; and third, implementing the strategy through written policies and procedures. The Division’s guidance also warned investment companies and advisers about third-party vendor agreements that could potentially lead to unauthorized access to investors’ information.


    SEC Vendors Privacy/Cyber Risk & Data Security

  • CFPB Files Suit and Obtains Injunction Against Participants of Alleged Illegal Debt Collection Scheme

    Consumer Finance

    On April 8, the CFPB announced that it filed a lawsuit in the United States District Court for the Northern District of Georgia on March 26 against participants in an allegedly illegal debt collection operation, involving certain payment processors and a telephone broadcast service provider. The complaint alleges that several individuals and the companies they formed, based in New York and Georgia, attempted to collect debt that consumers did not owe or that the collectors were not authorized to collect. The complaint further alleges the use of harassing and deceptive techniques in violation of the CFPA and FDCPA. Specifically, the collectors allegedly placed robo-calls through a telephone broadcast service provider, also named in the complaint, to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserts that as a result, the debt collectors received millions of dollars in profits from the targeted consumers. The complaint also names certain payment processors used by the collectors to process payments from consumers. The CFPB obtained a preliminary injunction to halt the debt collection activities and freeze the assets of all defendants named in the lawsuit. Consistent with prior enforcement actions and guidance, the CFPB’s complaint in this matter underscores the importance of exercising thorough due diligence and ongoing oversight of third parties engaged to provide material services in connection with the offering or provision of a consumer financial product or service. For an in-depth analysis of the CFPB’s expanding scrutiny in this area, please see the recently published article Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management, authored by BuckleySandler Partner Elizabeth McGinn and Counsel Moorari Shah.

    CFPB FDCPA Debt Collection Vendors

  • FCC Enters Into $25 Million Settlement Following Cell Phone Carrier Data Breach

    Privacy, Cyber Risk & Data Security

    On April 8, the Federal Communications Commission (FCC) announced a $25 million settlement with an international telecommunications carrier concerning the unauthorized release of the personal information of nearly 280,000 customers by certain employees. The alleged data breach took place over a 168-day period at carrier call centers in Mexico, Colombia, and the Philippines, where employees of the carrier allegedly were paid by unauthorized third parties to disclose confidential customer information. The third parties appear to have sought the information to unlock and traffic stolen cell phones. The FCC Enforcement Bureau found that the data breach violated a carrier’s duty under Section 222 of the Communications Act and also constituted “an unjust and unreasonable practice” under Section 201. In addition to paying the $25 million civil money penalty, terms of the settlement require the carrier to (i) notify all affected customers and reimburse them for any subsequent credit monitoring services; and (ii) implement new internal policies to improve the carrier’s privacy and data security practices. For more information on the latest regulatory guidance on data security and evolving best practices, please visit the Privacy, Cyber Risk, and Data Security Resource Center.

    Vendors FCC Enforcement

  • NYDFS Cyber Security Report Shows Vulnerabilities in Banks' Third-Party Vendors

    Privacy, Cyber Risk & Data Security

    On April 9, the NYDFS released a report finding potential cyber security vulnerabilities with banks’ third-party vendors, based on a survey of 40 banking organizations regarding the cyber security standards in place for their vendors. Notable findings from the report include (i) nearly one in three banks surveyed currently do not require third-party vendors to notify them in the event of an information security breach or other cyber security breach; (ii) less than half of the banks conduct any on-site security assessments of their third-party vendors; (iii) about one in five of the banks surveyed do not require third-party vendors to represent that they have established minimum information security requirements; (iv) only one-third of the banks require information security requirements to be extended to subcontractors of the third-party vendors; and (v) nearly half of the banks do not require a warranty of the integrity of the third-party vendor’s data or products. According to the press release, NYDFS plans to strengthen cyber security standards for banks’ third-party vendors through regulations, including addressing the representations and warranties banks receive about cyber security protections in place.

    Vendors Privacy/Cyber Risk & Data Security NYDFS

  • Spotlight on Vendor Management: Interpreting CFPB Guidance and Enforcement Actions

    Consumer Finance

    In April 2012, the Consumer Financial Protection Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third-party service providers by supervised financial institutions. Since then, the Bureau has often referenced the Service Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals highlighting conduct that fails to meet the Bureau’s expectations on a variety of vendor relationship issues.

    “The CFPB has voiced its dissatisfaction on a number of occasions with supervised entities that fail to perform adequate vendor oversight,” according to Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In particular, nonbanks and service providers that are still coming up to speed on federal agency supervision and enforcement have to be alert and aware of important trends in recent enforcement actions that challenge outdated notions of vendor management.”

    McGinn notes that a pattern appears to be emerging regarding the Bureau’s preference for the inclusion of certain contractual language in vendor agreements. Confidentiality obligations, audit rights, training responsibilities, and remedies for contractual breaches are among the thornier terms and conditions that may need to be enhanced in light of these developing trends.

    One of the ways to minimize the vendor management risks is to be proactive when performing due diligence of potential service providers. Thorough examination of a vendor’s policies, procedures, and practices as they relate to compliance with federal consumer financial law is often the most important preventative step that a regulated entity can take to ensure that outsourcing relationships do not expose the financial institution and its customers to costly regulatory risks and unwarranted harm. In addition, consistent, risk-based procedures for monitoring existing service provider relationships are critical to meeting the CFPB’s expectations.

    “The notion that a CFPB-supervised entity can avoid liability by asserting that a service provider is responsible for legal violations that caused harm to customers has long been dispelled,” says Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “In fact, in many enforcement actions, the CFPB has gone so far as to prohibit the supervised entity from invoking indemnification rights or insurance coverage to satisfy civil money penalties assessed by the Bureau, even if the supervised entity has negotiated the right to do so in its contract with the service provider.”

    In their recently published article, Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management, McGinn and Shah provide additional vendor management insight in light of the CFPB’s increased regulatory scrutiny in this area.

    CFPB Vendors Elizabeth McGinn

  • Treasury Deputy Secretary Raskin Delivers Remarks On Cyber Security

    Privacy, Cyber Risk & Data Security

    On March 25, Department of the Treasury Deputy Secretary Raskin delivered remarks regarding the agency’s efforts to enhance cybersecurity as the number of cyber-attacks continues to increase. Raskin outlined three specific areas where financial institutions can better prepare for cyber threats and enhance “cyber resilience” in the event of a cyberattack: (i) increase information sharing among financial institutions, thereby making this a priority for the financial sector worldwide; (ii) ensure that safeguards are in place for all third-party vendors with access to the financial institution’s data and systems; and (iii) design a cyber-preparedness “playbook” that has a “detailed, documented plan so that the firm can react quickly to minimize internal and external damage, reduce recovery and time costs, and instill confidence in outside stakeholders and the public.”

    Vendors Department of Treasury Privacy/Cyber Risk & Data Security

  • CFPB Announces Enforcement Action Against Telecommunications Company for Alleged Unauthorized Third-Party Charges

    Consumer Finance

    On December 17, the CFPB filed a complaint in the Southern District of New York against a telephone company for allegedly charging its customers tens of millions of dollars in unauthorized third-party charges. According to the CFPB’s press release, for roughly a decade the company “crammed” consumers’ wireless bills with illegal charges by outsourcing payment processing for digital purchases – such as apps, games, and movies – to vendors known as “billing aggregators.” The CFPB alleges that the company failed to properly monitor the aggregators’ billing of customers as a payment processor for the third parties, and violated Dodd-Frank and the CFPA by (i) allowing third-party vendors to attach illegitimate charges to consumers’ bills; (ii) billing customers for the unauthorized charges without their consent; (iii) failing to heed red flags showing that the system “was a breeding ground for unauthorized charges”; and (iv) failing to respond to consumer complaints. The complaint seeks refunds for consumers and penalties.

    CFPB Vendors Enforcement SDNY

  • CFPB Enforcement Action Targets Bank's Add-On Product Billing Practices

    Consumer Finance

    On September 24, the CFPB announced a consent order with a large national bank to address alleged unfair practices related to add-on identity theft protection products marketed by the bank and sold and administered by a third-party service provider to the bank’s customers from 2003–2012. Specifically, the CFPB alleged that customers were unfairly billed by the service provider for certain products that offered credit monitoring and credit report retrieval services without receiving the full benefit of the services. Customers who enrolled in these add-on identity theft products were required to provide sufficient written authorization and personal verification before the customers’ credit bureau reports could be accessed. However, according to the Bureau, in many instances time passed before a customer’s authorization was obtained or a customer’s authorization was never obtained. In other instances, the credit bureau could not match the customer’s identification information with its records. Although the bank’s vendor, rather than the bank itself, was directly responsible for selling and administering the products, the CFPB found that the bank’s compliance monitoring, service provider management, and quality assurance functions had failed to prevent, identify, and correct the unfair practices, resulting in substantial injury to more than 420,000 consumers. According to the CFPB’s order, this injury was not reasonably avoidable by consumers, and was not outweighed by any countervailing benefit to consumers or competition, and, therefore, the bank engaged in unfair practices.

    The consent order requires the company to pay $47,900,000 in redress to compensate consumers injured by the alleged unfair billing practices, as well as a $5 million penalty to the CFPB. In addition, the consent order requires the bank to: (i) correct all unfair practices related to improper customer billing for add-on identity protection products and take numerous additional corrective actions to ensure that neither the bank nor its service providers or affiliates engage in such practices in the future; (ii) obtain CFPB non-objection prior to marketing, selling, or referring customers to identity protection products in the future; and (iii) review and, if necessary, revise the bank’s third-party risk management and responsible banking programs to ensure that, among other things, the bank conducts periodic onsite reviews of any add-on service provider’s controls, performance, and information systems. A separate OCC consent order also requires the bank to pay an additional $4 million civil money penalty to the OCC.

    CFPB OCC Vendors Enforcement Ancillary Products

  • CFPB Enforcement Action Targets Auto Finance Company's Credit Reporting Practices

    Consumer Finance

    On August 20, the CFPB announced a consent order with a Texas-based auto finance company to address alleged deficiencies in the finance company’s credit reporting practices. The company offers both direct and indirect financing of consumer auto purchases, and, according to the CFPB, specializes in lending to consumers with impaired credit profiles. In general, the CFPB took issue with the finance company’s alleged failure to implement policies and procedures regarding the accuracy and integrity of information furnished to consumer credit reporting agencies (CRAs) and alleged deceptive acts in the finance company’s representations regarding the accuracy of furnished information.

    The CFPB’s action specifically alleged that the finance company violated the Fair Credit Reporting Act (FCRA) by providing inaccurate information to credit reporting agencies regarding how its borrowers were performing on their accounts, including by: (i) reporting inaccurate information about how much consumers were paying toward their debts; (ii) reporting inaccurate “dates of first delinquency,” which is the date on which a consumer first became late in paying back the loan; (iii) substantially inflating the number of delinquencies for some borrowers when it reported borrowers’ last 24 months of consecutive payment activity; and (iv) informing CRAs that some of its borrowers had their vehicles repossessed, when in fact those individuals had voluntarily surrendered their vehicles back to the lienholder. The CFPB claims this activity took place over a three-year period, even after the company was made aware of the issue. The CFPB believes the company furnished incorrect information to the CRAs on as many as 118,855 accounts.

    The consent order requires the company to pay a $2.75 million penalty to the CFPB. In addition, the finance company must: (i) review all previously reported accounts for inaccuracies and correct those accounts or delete the tradeline; (ii) arrange for consumers to obtain a free credit report; and (iii) inform all affected consumers of the inaccuracies, their right to a free consumer report, and how consumers may dispute inaccuracies. The order also directs the company to sufficiently provide the staffing, facilities, systems, and information necessary to timely and completely respond to consumer disputes in compliance with the FCRA.

    CFPB FCRA Auto Finance Vendors Enforcement
