
Third Party Risk Management: A Lender’s Guide for Compliance

Compliance is critical, and the details are anything but simple. Read about the intricacies of third-party compliance, with a focus on the CFPB’s expectations for financial institutions.

Across financial institutions, regulatory focus on third party risk management (TPRM) is intensifying. Headlines in both national and industry media spotlight extensive regulatory actions – from public orders and private consent orders to sweeping institution-specific exam findings. A recurring issue stands out: financial institutions often fail to oversee and monitor third-party compliance effectively. At Bridgeforce, we’ve observed that regulatory expectations are evolving, driven by enforcement actions that reflect a broad umbrella of published regulatory guidance.

Unpacking Regulatory Expectations

On the surface, regulator guidelines seem straightforward, as the following illustration indicates.

[Figure: triangle showing the third party risk management tenets]

However, as with most compliance matters, the details are complex. This article dives into the nuances of ongoing monitoring, with a particular focus on the evolving expectations from the Consumer Financial Protection Bureau (CFPB).

Tailoring Third Party Risk Management for Compliance: Understanding Unique Regulatory Expectations for Lenders

In 2016, the CFPB amended its service provider policy guidance (Compliance Bulletin and Policy Guidance; 2016-02, Service Providers), which updated its 2012 bulletin (CFPB Bulletin 2012-03, Service Providers). This 2016 update clarified some expectations and doubled down on its authority. Unchanged from the 2012 bulletin, the 2016 bulletin re-emphasizes the following expectations concerning service provider oversight and monitoring.

Key expectations include:

  • Service Provider Due Diligence: Institutions must request and examine policies, procedures, internal controls and training materials from their service providers to ensure compliance.
  • Ongoing Monitoring: Establishing internal controls and regularly monitoring service provider activities is crucial to ensure adherence to federal consumer financial laws.

As organizations grow larger and more complex, the CFPB raises the bar for scrutiny. Custom-designed control solutions are necessary because there is no “one size fits all” approach. Solutions are highly dependent on the CFPB’s assessment of the extent to which noncompliance negatively impacts consumers.

From CFPB Bulletin 2016-02, Service Providers:

“To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers.

These steps should include, but are not limited to:…

  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
  • Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law…”

Evaluating Your Service Providers: Steps to Effective Oversight

While service providers customarily share policies, broad procedures, and training materials, difficulties frequently arise when it comes to disclosing internal controls. Even cooperative service providers often deliver only general controls documentation, avoiding detailed analytical scrutiny. They claim to fear that clients might use the vendor information to bring services in-house. This objection is a pretext: service providers know it is not credible, and it serves as camouflage for withholding the detail.

If contracts do not meticulously detail requirements for providing procedures and controls (and most do not), you must establish your own internal controls and ongoing monitoring systems—an area where the CFPB is highly focused. This places a heavy burden, including both capital and labor resources, on you.

Building a Comprehensive Compliance Monitoring Framework

Designing and implementing robust controls to monitor third-party risk, especially for preventive and detective control measures, is a complex task that typically does not align with existing governance structures. To manage this effectively:

  1. Separate Duties: Assign a dedicated team to service provider compliance management, separate from the day-to-day relationship “owner.” This ensures a clear focus on compliance without conflicts of interest.
  2. Map Regulatory Requirements: Once you have the appropriate team, start mapping regulatory applicability to the functions and processes being performed for you. Mapping the detailed, componentized requirements is time-consuming, but it shows you where gaps or weaknesses exist in current controls.
  3. Identify and Close Gaps: After evaluating existing controls, focus on identifying what you do and don’t have in place. Then, enhance areas that fall short of regulatory expectations. This step ensures that your institution can meet evolving compliance requirements.

Prioritizing: Conduct a Risk Assessment to Identify High-Risk Areas

Not all regulatory risks carry the same weight. Additionally, we’ve seen organizations that default to “everything is high inherent risk” end up missing a fundamental necessity. Prioritize high-risk areas first, using a risk control self-assessment framework. Understanding where the most significant risks lie helps create targeted solutions and provides insight into service provider compliance conformance. Define the framework and criteria for appropriate control design, coverage, and effectiveness. Triaging the initial priorities may mean starting with manual control efforts that can later migrate to automated controls.

Examples of high-risk areas include:

  1. Data Sharing and Monitoring: Partner with service providers to collect data for your own analysis. This may include call/interaction sampling and evidence-based data from service provider systems. Consider also taking on the service provider’s high-risk compliance responsibilities yourself.
  2. Complaint Reconciliation: Compare complaints received by your institution with those reported by the service provider (often your clients are unaware of outsourced activities). Routinely, Bridgeforce finds that the basic definition of what constitutes a complaint is misaligned between your policy/taxonomy and the service provider’s. We see this issue often, but it is difficult to resolve because service providers do not intake multiple clients’ unique complaint definitions. However, quality control efforts based on robust interaction sampling, especially using stratification techniques, will lead to addressable insights.

Enhancing Your Third-Party Compliance Framework

There are numerous ways to pursue and achieve continuous improvement over service provider monitoring. Here’s how to elevate your compliance efforts:

  • Update Contract Language: Modify contracts to clearly outline procedures and control provision requirements.
  • Improve Data Access: Develop API connections to gain direct access to the service provider’s data about your clients and the related compliance activities.
  • Exercise Audit Rights: Use customary contractual audit rights to focus on high-risk compliance areas and associated controls within the service provider’s operations.

Ensure Compliance, Minimize Risk—Partner with Bridgeforce

For more than 24 years, Bridgeforce has actively partnered with financial institutions—ranging from global money centers to small financial institutions—helping them navigate the complexities of consumer compliance risk and third-party oversight. From strategic guidance to tactical execution, we offer customized solutions that address both immediate challenges and long-term goals. Our hands-on approach ensures that every recommendation is practical, actionable and measurable.

Whether you’re developing a comprehensive third party risk management framework or remediating exam findings, we bring a seasoned team to the table. As one client noted, “Bridgeforce is a different type of financial services consulting firm—experienced practitioners and problem solvers—not career consultants. They put clients’ objectives first and provide value added, sustainable solutions that are also achievable.”

Let Bridgeforce help you bridge the gap between compliance challenges and emerging opportunities, ensuring your organization is always ahead of the curve. Contact us.

Have a question about this article? Ask Bo Backerman.