On Friday, the Consumer Financial Protection Bureau (“CFPB”) issued a bulletin requiring supervised banks and nonbanks to “oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law.” The federal banking regulators separately require regulated institutions to manage the risk exposure incurred from outsourced relationships through their contracts with their service providers. Commenting on this Bulletin 2012-03, CFPB Director Richard Cordray emphasized that: “Banks and nonbanks must manage these [service provider] relationships carefully and can be held accountable if [service providers] break the law.” Supervised nonbanks include certain non-depository consumer financial services companies.
Heightened Regulatory Scrutiny of Service Provider Contracts Generally
Examiner scrutiny of financial institution service provider contracts has increased dramatically in the past few years, due in large part to the banking crisis and the exponential rise in data security breaches. The federal banking regulators require institutions to manage the risk exposure incurred from outsourced relationships through their contracts with their service providers. The focus has traditionally been directed at risks posed to the institution. More recently, regulators have placed increased emphasis on the risk of loss to customers (particularly consumers).
Regulatory requirements provide for certain risks to be addressed by the service provider contract. Deficiencies in contract terms may form the basis of regulatory scrutiny and action, even when the contract is fully performing and no contract or security breach has occurred.
Bank service provider contract management has been driven primarily by safety and soundness concerns, as expressed in the framework of the Federal Financial Institutions Examination Council (the “FFIEC”) “Risk Management of Outsourced Technology Services” dated November 28, 2000.
Subsequently enacted regulations imposed additional requirements for specific types of contracts, without regard to whether or not outsourced technology is involved. Such regulations include those issued under the Sarbanes-Oxley Act of 2002 (regarding outsourcing of internal IT audit), the Gramm-Leach-Bliley Act of 1999 (regarding sharing of consumer information and customer information safeguards), and The Fair and Accurate Transactions Act of 2003 (regarding disposal of consumer report information).
Recent litigation between financial institutions and service providers highlights the critical need for clear and comprehensive terms governing (1) the parties’ intellectual property rights and remedies, including indemnification for third-party claims regarding service provider systems and deliverables, and (2) data security and privacy requirements, including risk management and compliance, audit, monitoring, and prompt return of data to the institution in a form usable by the institution, without regard to any sums the service provider claims are due under the contract.
CFPB Supervision and Enforcement of Service Provider Compliance
The CFPB’s “Supervision and Examination Manual: Compliance Management Review” provides generally that supervised institutions are required to manage service provider relationships to ensure service provider compliance with the federal consumer financial laws applicable to the underlying product or service. That Manual specifically requires the institution to vet the service provider’s policies and procedures for compliance with “legal obligations applicable to the product or service” offered by the institution. The CFPB’s Examination Procedures for Unfair, Deceptive and Abusive Acts or Practices (“UDAAP”) require examination of the institution’s monitoring of service providers to ensure that the service providers do not engage in UDAAP.
CFPB Bulletin 2012-03 goes further in detailing the institution’s specific responsibilities in managing service provider risk, including the following steps:
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
- Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
- Establishing internal controls and on-going monitoring to determine whether the service provider is complying with federal consumer financial law; and
- Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Existing Service Provider Contract Requirements
The FFIEC Guidance focused directly on financial institution technology contracts; its framework, however, acts as an effective guide for review of non-technology contracts as well. The FFIEC Guidance provides that a general preliminary assessment of the service provider contract should include (as applicable):
- Scope of service (and change control mechanisms) and specifications and performance standards for deliverables and services (including service levels)
- Security and confidentiality of protected information and systems
- Operational controls to ensure legal and contractual compliance
- Internal and external audit of service provider facilities and practices (including, if applicable, SSAE 16 auditing)
- Reporting for fee or other purposes
- Sub-contracting and multiple service-provider relationships (including permissibility, process, and requiring compliance with the contract)
- Fees and costs included in scope
- Ownership and licenses of the parties’ respective intellectual property
- Disaster recovery service and back-up plans (and coordination of service provider’s plans with the institution’s plans)
- Term and termination for convenience or cause (and method of unwind or transition)
- Dispute resolution, whether by the parties or using a third party (and including specific mechanisms for escalation)
- Indemnification for breach, compliance violations, and intellectual property claims and insurance requirements, as needed
- Limits of liability and disclaimers of warranties
The key under the Guidance is to measure the mission-critical nature of the product or service, assess the general and specific risks to the financial institution, and define the above terms by contract in a complete and objective manner consistent with the safety and soundness of the institution. Primary risks to the institution include legal or compliance risk, reputational risk, and transactional or operational risk. The first eight factors are intended to clearly delineate the rights and responsibilities of the parties and to facilitate the institution’s ability to monitor the service provider. The last five factors are intended to allow the institution to mitigate and recover its losses in the event of a compliance failure or breach.
In addition, the financial institution should review any specific laws that may apply to the relationship to determine whether or not there are any direct or indirect requirements regarding the type of contract or service provider at issue. Assessment of the risks posed by the arrangement to the institution’s customers should also be addressed.
Recently, the Federal Reserve has also stressed the importance of the following additional contract terms (which are consistent with the FFIEC Guidance): incentives to align the interests of the institution and the service provider; human resource issues (such as hiring and personnel practices); and mechanisms for handling customer complaints.
Industry standards and guidance are instructive in the risk management assessment and service provider contract function, both in the context of evaluating a specific type of service provider relationship and in identifying how legal and commercial reasonableness requirements and standards are met by the institution’s peers. The Financial Services Roundtable offers comprehensive practical guidance in this regard through its various publications and white papers. The BITS Framework for Managing Technology Risk for Service Provider Relationships is widely used and includes specific methods of assessing risk and addressing it in the service provider contract.
Regulatory service provider contract requirements focus on risk to the supervised institution and, more recently, on risk to the institution’s customers. Contract terms (and performance) are subject to examination by the supervised institution’s federal financial regulator and, if consumer products or services are involved, by the CFPB.
Early efforts by the institution to thoroughly review and negotiate service provider contracts should result in earlier detection of risks and failures to perform, and in stronger mitigation and remediation options for the institution. At a minimum, identifying risks not directly addressed by the contract affords the institution the opportunity to monitor those risks and, to the extent possible, minimize them through means outside the contract.