Vendor Management
Practice Overview
Service providers often represent an essential area of risk management for financial services. Whether used to provide critical bank services, storage of consumer information, or any other regulated activities, vendor diligence and vigilance are — and will remain for the foreseeable future — a key area of regulatory focus.
Buckley assists clients in designing, implementing, and maintaining all critical areas of vendor management, seamlessly incorporating our extensive knowledge of consumer protection, consumer lending and servicing, debt collection, records management and retention, and all aspects of cybersecurity and privacy law with practical, business-conscious advice.
Our clients benefit from our broad compliance, enforcement, litigation, and transactional perspective, combined with our understanding of each stage of the third-party risk management life cycle. Importantly, we also strive to ensure that vendor management programs are fully integrated into our clients’ overall compliance management systems.
Our work in this area includes:
- Advising on compliance with statutory and regulatory requirements and expectations related to vendor oversight, including in connection with supervisory examinations
- Drafting and negotiating master services agreements, statements of work, servicing/subservicing agreements, joint marketing plans, third-party data-sharing arrangements, and other third-party relationships
- Performing targeted assessments of third parties and preparation of diligence reports and management recommendations commensurate with identified and expected risk, including the development of termination and transition processes
- Developing business-continuity plans in the event of vendor nonperformance due to unforeseen circumstances
- Designing protocols for proper documentation and evidentiary support of third-party risk management compliance throughout all processes
- Delivery of on-site and remote employee training programs
Articles
Jeffrey P. Naimon authored a Mortgage Compliance Magazine article, "Divide & Conquer"
The Consumer Financial Protection Bureau (CFPB or Bureau) continues to expand its gaze, announcing this past April that it has begun implementation of a program to directly supervise service providers of financial institutions, particularly those that cater to the mortgage industry. As regulatory...
ArticlesSpecial Alert: OCC Issues Supplement to Third-Party Oversight Guidance, Emphasizes Bank Responsibilities in Managing Risks in Fintech Relationships
On June 7, 2017, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2017-21 as a supplement to Bulletin 2013-29 , the OCC’s 2013 risk management guidance related to third-party relationships. The OCC’s latest release answers 14 frequently asked questions (FAQs) and marks the second...
ArticlesSpecial Alert: Maryland Ruling Opens New Front in Battle Over Bank Partnership Model
On June 23, the Maryland Court of Appeals affirmed a lower court judgment holding that a non-bank entity assisting consumers obtain loans from an out-of-state bank and then repurchasing those loans days later qualifies as a “credit service business” under the Maryland Credit Services Business Act (...
ArticlesMortgage Industry Struggles to Avoid Vendor Management Land Mines
October 3, 2015, marked the official effective date of the long-anticipated, and widely dreaded, TILA-RESPA Integrated Disclosure (TRID) rule. Mortgage professionals have learned from a half-decade deluge of regulation that their TRID fate, along with almost every other aspect of the industry’s...
Articles"Key Points in the CFPB’s Outline of Proposed Rule for Third Party Debt Collectors" By Marshall T. Bell and Walter E. Zalenski (Consumer Finance Law Quarterly Report)
On July 28, 2016 the Bureau of Consumer Financial Protection (CFPB) announced that it is considering proposing a rule to “overhaul the debt collection market by capping collector contact attempts and by helping to ensure that companies collect the correct debt.” The CFPB released several related...
ArticlesVendor Management in 2015 and Beyond
With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice,...
ArticlesRegulators Turn Up Heat on Vendor Management
The vendor landscape for companies in the mortgage industry has shifted significantly in recent years. State and federal regulators have levied hefty and often unprecedented fines against a number of supervised institutions because of inadequate vendor-management policies and ineffective vendor...
ArticlesSpotlight on Vendor Management: "Brother's Keeper" Enforcement Pattern Becoming the Norm
Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the...
ArticlesSpotlight on Vendor Management: Interpreting CFPB Guidance and Enforcement Actions
In April 2012, the Consumer Protection Financial Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. Since then, the Bureau has often referenced the...
ArticlesRegulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management
In April 2012, the Consumer Protection Financial Bureau (the ‘‘CFPB’’ or ‘‘Bureau’’) issued Bulletin 2012-03 (the ‘‘Service Provider Bulletin’’), a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial...
Articles
News & Blogs
OCC warns banks to “guard against complacency” in risk management
On June 14, the OCC released its Semiannual Risk Perspective for Spring 2023 , which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The agency reported that the overall strength of the federal banking...
InfoBytesAgencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here .)...
InfoBytesTreasury reports on risks to financial firms adopting cloud services
On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-...
InfoBytesFTC settles with mortgage analytics company
On December 22, the FTC announced the final approval of a settlement with a mortgage industry data analytics firm (defendant) for allegedly failing to develop, implement, and maintain a comprehensive information security program and ensure third-party vendors are capable of implementing and...
InfoBytesOCC warns of key cybersecurity and climate-related banking risks
On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment...
InfoBytesFINRA reminds firms of third-party supervisory obligations
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of...
InfoBytesNYDFS tells industry to tighten third-party risk management
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber...
InfoBytesFTC settles with mortgage analytics company over vendor oversight deficiencies
On December 15, the FTC announced a settlement with a Texas-based data mortgage analytics company (defendant), resolving allegations that the defendant violated the Gramm-Leach Bliley Act’s Safeguards Rule (Safeguards Rule) and the FTC Act by failing to ensure a third-party vendor hired to perform...
InfoBytesHUD issues mortgagee letter extending interim procedures relating to FHA Section 232 approved mortgages
On July 31, 2020, the U.S. Department of Housing and Urban Development issued Mortgagee Letter 2020-25 , which extends interim procedures regarding site access issues related to Section 232 mortgage insurance applications during the Covid-19 pandemic (previously covered here ). The guidance...
InfoBytesMaryland secretary of state provides updated guidance on remote notarizations
On July 31, the Maryland’s secretary of state provided updated guidance regarding the waived in-person notarization requirement as part of the state’s Covid-19 response (see here for previous coverage). The guidance provides requirements for performing remote notarizations, lists remote notary...
InfoBytes