
InfoBytes Blog

Financial Services Law Insights and Observations



  • CFPB Announces Healthcare Credit Card Enforcement Action Over Deferred-Interest Financing


    On December 10, the CFPB released a consent order with a federal savings association, pursuant to which the bank will refund approximately $34 million to more than one million credit card holders who were enrolled in deferred-interest financing for healthcare services. The order does not include a civil penalty. The deferred-interest action is the first public action taken by the CFPB since it promised to scrutinize such products in its October credit card report.

    The product at issue typically is offered by healthcare providers who offer personal lines of credit for healthcare services, including medical, dental, cosmetic, vision, and veterinary care. The CFPB alleges that the bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods associated with the credit cards, which led to consumers being misled during the enrollment process. The CFPB further claimed that healthcare providers improperly completed applications and submitted them on behalf of consumers, failed to provide consumers with copies of the credit card agreement, and, where disclosures were provided, those disclosures failed to adequately explain the deferred-interest promotion.

    In addition to consumer redress, the order mandates certain terms of the bank’s contracts with medical providers offering the healthcare credit card. For example, the bank must incorporate specific “transparency principles” into its agreements with healthcare providers, and the contracts must prohibit certain charges. The bank also must enhance disclosures provided with the card application and billing statements, and improve training for healthcare providers offering the card. In addition, the order details consumer complaint resolution requirements, and prohibits certain incentive arrangements and paid endorsements. To date, the CFPB has not released the attachments to the consent order, which include, among other things, the transparency principles and disclosures.

    The New York Attorney General entered into a similar agreement with the bank earlier this year. Under that agreement, the bank was likewise required to add a set of transparency principles to provider contracts to ensure that card terms were described accurately and to revise promotional interest rate options and other disclosures to better inform consumers’ use of the card.

    Credit Cards CFPB Vendors Enforcement

  • Special Alert: Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance

    Consumer Finance

    On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.

    The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.

    While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents. Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities. It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.

    The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following:

    • Risk assessments: Institutions should evaluate the implications of performing an activity in-house versus having the activity performed by a service provider and also consider whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. This section of the FRB Guidance closely aligns with the section titled “Planning” in OCC Bulletin 2013-29.
    • Due diligence and selection of service providers: Institutions should address the depth and formality of due diligence of prospective service providers consistent with the scope, complexity, and importance of the planned outsourcing arrangement. The Fed emphasizes processes designed to diligence a potential service provider’s (i) business background, reputation, and strategy; (ii) financial performance and condition; and (iii) operations and internal controls. This section is less detailed, but nonetheless consistent with the section titled “Due Diligence and Third-Party Selection” in OCC Bulletin 2013-29.
    • Contract provisions and considerations: Service provider contracts should cover certain topics, including, but not limited to: (i) the scope of services covered; (ii) cost and compensation; (iii) right to audit; (iv) performance standards; (v) confidentiality and security of information; (vi) indemnification; (vii) default and termination; (viii) limits on liability; (ix) customer complaints; (x) business resumption and contingency plan of the service provider; and (xi) use of subcontractors. The key provisions noted generally mirror the “Contract Negotiation” section of OCC Bulletin 2013-29.
    • Incentive compensation review: Institutions should establish an effective process to review and approve any incentive compensation arrangements that may be embedded in service provider contracts to avoid encouraging “imprudent” risk-taking. While OCC Bulletin 2013-29 does not break out incentive compensation as a separate program feature (it is included among factors to be considered in due diligence and selection), it does identify the need for banks to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the bank.
    • Oversight and monitoring of service providers: Institutions should set forth the processes for measuring performance against contractually-required service levels and key the frequency of performance reviews to the risk profile of the service provider. This section of the FRB Guidance, consistent with the “Ongoing Monitoring” section of OCC Bulletin 2013-29, also recommends the creation of escalation protocols for underperforming service providers and monitoring of service provider financial condition and internal controls, which may also trigger escalation if the service provider’s financial viability or adequacy of its control environment are compromised during the course of the relationship.
    • Business continuity and contingency plans: Institutions should develop plans that focus on critical services and consider alternative arrangements in the event of an interruption. The Fed specifically notes that financial institutions should: (i) ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products; (ii) assess the adequacy and effectiveness of a service provider’s disaster recovery and business continuity plan and its alignment to their own plan; (iii) document the roles and responsibilities for maintaining and testing the service provider’s business continuity and contingency plans; (iv) test the service provider’s business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and (v) maintain an exit strategy, including a pool of comparable service providers. Notably, OCC Bulletin 2013-29 addresses business continuity and contingency plans under third-party risk management, rather than as separate program features.

    Finally, the FRB Guidance notes a number of “additional risk considerations” not singled out by OCC Bulletin 2013-29, which cover: (i) confidentiality of Suspicious Activity Report (SAR) reporting functions; (ii) compliance by foreign-based service providers with U.S. laws, regulations, and regulatory guidance; (iii) prohibitions against outsourcing internal audit functions in violation of Sarbanes-Oxley; and (iv) alignment of outsourced model risk management with existing Fed Guidance on Model Risk Management (SR 11-7).

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.


    Federal Reserve OCC Bank Compliance Vendors Bank Supervision

  • Special Alert: OCC Updates Third-Party Risk Management Guidance

    Consumer Finance

    On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.

    The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:

    Planning: A third-party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.

    Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:

    • Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
    • Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
    • Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
    • Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
    • Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.

    Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:

    • Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
    • Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
    • Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
    • Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
    • Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.

    Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:

    • Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
    • Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
    • Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
    • Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.

    Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.

    The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.

    These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.

    Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.



    OCC Bank Compliance Vendors Agency Rule-Making & Guidance

  • California Cautions Lenders Regarding Vendor Vetting and Management

    Consumer Finance

    On December 5, the California Department of Corporations issued Bulletin No: 001-12 to caution lenders and other institutions about the vetting and management of third-party service providers. The bulletin explains that in response to guidance from the CFPB earlier this year regarding supervision of vendors, third-party risk management companies have emerged to pre-screen potential vendors for bank and nonbank financial service providers. The bulletin generally advises lenders to be cautious about delegating vendor vetting to third parties and to remain mindful of their ultimate responsibility for such vendors. The bulletin specifically (i) reminds escrow agents of the prohibition in California Financial Code section 17420 against the payment of referral fees for soliciting escrow accounts, (ii) advises lenders that mandating the use of a particular service provider on a third-party risk management company’s list, or prohibiting the use of a service provider not appearing on such a list, may violate the California Buyer’s Choice Act, and (iii) highlights potential RESPA violations and unfair business practices.

    CFPB Vendors

  • Security at Financial Institution Service Provider Scrutinized by Regulators


    Recently, Fidelity National Information Services, Inc. (FIS), a company providing payment processing and other services to banks and other financial institutions, reportedly was the subject of a critical assessment by the FDIC. The FDIC report comes in the aftermath of a 2011 security breach at the company and a subsequent examination by the FDIC, OCC, and the Federal Reserve Bank of Atlanta. According to the report, the FDIC demanded that FIS immediately address eight issues, including risk management and information security issues. The FDIC allegedly also stated that actions taken by the company to date were insufficient given the regulatory concerns and weaknesses identified by the FDIC. The NCUA received the FDIC report and forwarded it to credit unions with an advisory note to use the report in managing vendor relations with FIS. The report on FIS comes as regulators are placing enhanced scrutiny on financial institutions’ relationships with third-party service providers. In April, the CFPB issued Bulletin 2012-03, providing guidance to regulated entities on the oversight of business relationships with service providers. The CFPB bulletin states that “[t]he CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships” and lists specific minimum steps that should be a part of service provider oversight.

    FDIC CFPB Vendors Privacy/Cyber Risk & Data Security