Regulatory Landscape in 2015: Vendor Management and Beyond

Legal Counsel to the Financial Services Industry

Jeffrey P. Naimon, Valerie L. Hletko, Jon D. Langlois

December 11, 2014

Post on 15-Jul-2015




Presentation Overview

– Evolving Regulatory Expectations
– Current Supervisory and Enforcement Environment
– Vendor Management Lessons


Evolving Regulatory Expectations


Evolving Regulatory Expectations

Financial institutions under more scrutiny than ever
– Prudential regulators
– CFPB
– Investors and counterparties

Dodd-Frank Act and OCC Bulletin 2013-29—big third-party tent

– “[A]ny person that provides a material service to a covered person” and “any business arrangement between a bank and another entity,” respectively

– Generally applies to any service provider or third-party relationship involving a key company function, including appraisers and appraisal management companies, document and disclosure vendors, website and software vendors, payment processing, collections and foreclosure attorneys, loan brokers, and contract underwriters in correspondent relationships


Evolving Regulatory Expectations

Overall negative regulatory environment arising from financial crisis

– Regulators under fire for not being sufficiently tough on banks and other financial services providers

– Regulatory competition to prove that each regulator is being sufficiently tough

– One way to think about it – you are guilty until proven innocent and you have to prove that you have done all the things the regulators would have wanted you to do
  – Document, document, document


Evolving Regulatory Expectations

Regulatory coalescence around vendor management
– CFPB Bulletin 2012-03 (04/13/12)
  – Supervised banks and nonbanks must oversee service providers in a “manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm”
  – Focus is to avoid presenting “unwarranted risks to consumers”
– OCC Bulletin 2013-29 (10/30/13)
  – Updates (and enhances) OCC Bulletin 2001-47
  – Failure to have in place effective risk management process commensurate with risk and complexity of relationships “may be an unsafe and unsound banking practice”
– Federal Reserve Board SR Letter 13-19 (12/5/13)
  – Largely consistent with OCC Bulletin 2013-29
  – Emphasizes responsibility of Board of Directors and senior management to effectively manage third-party relationships


Evolving Regulatory Expectations

Who is a vendor?
– Dodd-Frank Act: “Any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service”
– OCC Bulletin 2013-29: Third-Party Relationships: Risk Management Guidance: “Any business arrangement between a bank and another entity, by contract or otherwise”
– Generally applies to any third-party relationship where the third party is performing a key function for the company
  – Appraisers and appraisal management companies
  – Document and disclosure vendors
  – Website and software vendors
  – Payment processing
  – Attorneys and other parties used for servicing, collection, loss mitigation or foreclosure counsel
  – Loan brokers and contract underwriters in correspondent relationships
– Includes contracts with affiliates


Current Supervisory and Enforcement Environment


Current Supervisory & Enforcement Environment

Examinations
– Prudential regulators keenly focused on retained compliance areas as “safety and soundness” issues
  – Strict adherence to vendor management guidance
– CFPB establishing “compliance management systems” as primary compliance consideration
  – Vendor management
  – Complaint management
  – Policies and procedures, training
  – Oversight, monitoring, and testing
– Investors and counterparties requiring same


Current Supervisory & Enforcement Environment

Vendor management supervision
– CFPB exams include vendor management-specific inquiries
  – Identify and describe all relationships
  – Provide records evidencing selection, diligence, and oversight
– CFPB enforcement actions
  – CFPB enforcement actions involve failure to adequately oversee vendor performance
  – CIDs can be issued to any person who has information, including third parties over whom the CFPB does not have jurisdiction
– Prudential regulator exams can include intense focus on oversight of third parties
  – Strict grading to guidance
– Many banks and nonbanks are also receiving informal supervisory guidance (matters requiring attention or examination findings) in this area


Current Supervisory & Enforcement Environment

Examination tips
– Vendors vs. Any Third Party. Be prepared for examiners to expand from “vendors” who provide goods and services to your company to any third party with which you do business
– Complaints. Examiners will focus where there is an identified issue and expect to see sound complaint management
  – CFPB Supervision and Examination Manual: “Target Reviews will generally involve a single entity and will focus on a particular situation such as a significant volume of particular customer complaints or a specific concern that has come to the CFPB’s attention.”
  – Conduct “root cause” analyses of complaints to show complete resolution (centralized, to the extent practicable, or written best practices across business lines if not)
  – Focus on complaints received about a vendor, or received by the vendor from a customer
  – Regulator may require an entity to turn over copies of its consumer complaints – disorganized or missing records can lead to unwanted delays, additional document requests, and/or frustration on the part of the regulator
– Critical Vendors. For critical vendors, especially consumer-facing, prepare a complete package of efforts – starting from vendor selection through contracting and ongoing vendor oversight – to show strong management of the entire process
– Be Proactive. If you can identify gaps, better to start filling them now than waiting for regulatory criticism later


Current Supervisory & Enforcement Environment

CFPB Enforcement – responsible for conducting Bureau investigations and, when necessary, bringing enforcement actions

– Broader jurisdiction than Supervision
– Authority to bring action against “any person,” regardless of size and charter, that violates a Federal consumer financial law
– Authority to investigate “any act or omission that, if proved, would constitute a violation of any provision of Federal consumer financial law”
– Authority to obtain information from “any person” the Bureau has reason to believe is “in possession, custody, or control of any documentary material or tangible things, or may have any information, relevant to a violation”


Current Supervisory & Enforcement Environment

CFPB routes to Enforcement
– Supervision can refer matters to Enforcement Division
  – Enforcement commences investigation
  – Enforcement proceeds directly to request for consensual resolution or files complaint in U.S. District Court
– Enforcement Division can be made aware of potential violations and commence an investigation
  – Investigations can originate from a variety of sources, including consumer complaints, investigations transferred from prudential banking regulators, state agency investigations, private litigation, or focus on particular industry, product, or practice
– Increasing interagency “collaboration”
  – State Attorneys General
  – State banking regulators
  – Federal banking regulators
  – FTC


Current Supervisory & Enforcement Environment

Recent enforcement actions resulting in consent orders center on third parties

– Credit card ancillary products (first in July 2012, most recent September 2014)

– Auto loans and ancillary products (June 2013)
– Deferred interest financing for healthcare services (December 2013)
  – Alleges violations of UDAAP and Reg Z, and that bank failed to sufficiently train healthcare providers to deliver material information about deferred-interest promotional periods, which led to consumers being misled during enrollment process

OCC, FDIC, Fed orders and guidance relating to technology service providers, cyber risks


Current Supervisory & Enforcement Environment

Additional hot topics and trends
– CFPB is pursuing an ambitious agenda across multiple consumer financial product lines, but mortgage remains a core priority
– Areas of focus include:
  – Servicing and servicing transfers
  – Loan originator compensation
  – Mini-correspondent lending
  – RESPA


Vendor Management Lessons


Outsourcing Environment and Risks

Use of vendors presents various risks
– Compliance risk – violations of applicable law
– Reputation risk – risk to the company from negative public perception
– Strategic risk – risk from bad business decisions, including based on entering a relationship without sufficient knowledge of the vendor
– Transaction risk – problems arising from vendor’s service or product delivery
– Credit risk – risk that the vendor will fail to meet the terms of a contract with the company
– Operational risk – risk arising from inadequate or failed internal processes, systems, or people, or from external events
– Vendor concentration risk – risk when a company is too reliant on one vendor


Risk Management Life Cycle

Five important stages of the “vendor risk management life cycle”

– Planning/risk assessment
– Due diligence and selection
– Contract negotiation and implementation
– Ongoing relationship monitoring
– Relationship termination


Lessons: Due Diligence & Third Party Selection

Areas for focus
– Legal and regulatory compliance
– Fee structure and incentives
– Risk management systems

Depth of diligence review should be commensurate with identified and expected risks
– Onsite review
– Discussions with management
– Review of key corporate and operational information
– Review of regulatory actions and complaints

Document internal assessment of risks relating to third parties in general, and intended third party in particular


Lessons: Contract Negotiation

Process for engaging counterparties significantly more formalized

– Mandatory: all relationships should be documented by a written contract clearly defining responsibilities of both parties

– Engage legal, compliance, and other necessary stakeholders prior to contract execution

– To the extent possible, develop a form contract to use with third party providers


Lessons: Contract Negotiation

Key aspects for contract
– Legal and regulatory compliance must be a consideration
– Consider how you will hold the third party accountable – SLAs, termination rights, audit and remediation rights (reliance on reps and indemnification no longer sufficient)
– Consumer complaints – wherever possible (and where vendor is customer-facing), include process for receiving consumer complaints
– Subcontractor management
  – Either become comfortable with process for oversight of third parties or develop ability to oversee them yourself (directly or indirectly)


Best Practice Considerations

Roles and responsibilities
– Board and senior management involvement is expected and critical to success of vendor management program
– Board can delegate duties, but remains primarily responsible
– Senior management key to design, implementation, monitoring, and enforcement of vendor program
– Best practice is to establish one individual or team to manage relationships with clear lines of authority
– All relevant employees should be knowledgeable about the vendor framework


Best Practice Considerations

Document efforts
– Document oversight program and maintain adequate reports and records
  – Inventory of all vendor relationships and related contracts
  – Due diligence results and findings
  – Ongoing oversight reports
  – Reporting to senior management and board
– Periodically report results of oversight activities to the Board or a designated committee


Contacts

Jeffrey P. Naimon, Partner

Valerie L. Hletko, Partner

Jon D. Langlois, Counsel

BuckleySandler LLP
1250 24th Street NW, Suite 700
Washington, DC 20037
www.buckleysandler.com
www.infobytesblog.com