Federal Regulatory Update

Federal Regulatory Update

CFPB BULLETIN 2016-02 Effective October 31, 2016


The Consumer Financial Protection Bureau (“CFPB”) issued Bulletin 2016-02 on October 26, 2016, as a follow up to Bulletin 2012-03, which addressed guidance to service providers.  Bulletin 2016-02 is a non-binding general statement of policy articulating considerations relevant to the CFPB’s exercise of its supervisory and enforcement authority.  It is intended to clarify that supervised banks and nonbanks have flexibility in the depth and formality of their respective risk management programs related to service providers.


“Supervised banks and nonbanks” refers to entities supervised by the CFPB, including:

  • Large insured depository institutions, large insured credit unions, and their affiliates; and
  • Certain non-depository consumer financial services companies.


“Supervised service providers” refers to the following entities supervised by the CFPB:

  • Service providers to the supervised banks and nonbanks; and
  • Service providers to a substantial number of small insured depository institutions or small insured credit unions.


Supervised banks and nonbanks may choose to outsource certain functions to service providers:

  • Due to resource constraints;
  • To develop and market additional products or services; or
  • To rely on expertise that would not otherwise be available without significant investment.


When entering into a business relationship with a service provider, a supervised bank or nonbank is not absolved of responsibility for complying with federal consumer financial law; legal responsibility may lie with the supervised bank or nonbank, as well as with the supervised service provider.   The CFPB notes that consumers can be harmed by a service provider that:

  • Is unfamiliar with the legal requirements applicable to the products or services being offered;
  • Does not make efforts to implement those requirements carefully and effectively; or
  • That exhibits weak internal controls.


The CFPB has authority to examine and obtain reports from supervised banks and nonbanks to determine compliance with federal consumer financial law (including the prohibition on unfair, deceptive, or abusive acts or practices), as well as to exercise its enforcement authority when violations are identified.  The CFPB also has supervisory and enforcement authority over supervised service providers, including the authority to examine their operations on site.


The CFPB’s expectations for supervised banks and nonbanks are:

  • That they will have an effective process for managing the risks of supervised service provider relationships.; and
  • That the depth and formality of the risk management program for supervised service providers may vary depending upon the service being performed – its size, scope, complexity, importance and potential for consumer harm.


To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their supervised service provider arrangements do not present unwarranted risks to consumers.  With regard to compliance with federal consumer financial law, these steps should include (but are not limited to):

  • Conducting due diligence to verify that the supervised service provider understands and is capable of complying;
  • Requesting and reviewing a supervised service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of its employees or agents;
  • Including in the supervised service provider contract the clear expectations about compliance, as well as identifying enforceable consequences for compliance violations (including the responsibility to not engage in unfair, deceptive, or abusive acts or practices);
  • Establishing internal controls and on-going monitoring to determine whether the supervised service provider is complying; and
  • Taking prompt action to address fully any problems identified through the monitoring process, including termination of the relationship, as appropriate.


Additional information can be found in the CFPB’s Supervision and Examination Manual:  Compliance Management Review and Unfair, Deceptive, and Abusive Acts or Practices (http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf)