Talk of eliminating the Consumer Financial Protection Bureau’s (CFPB) supervisory authority granted by the Dodd-Frank Act remains just that for the time-being. That means when the bureau says it is implementing a program to supervise service providers directly, it’s best for companies to take note.
The bureau did just that in the April edition of its Supervisory Highlights, stating: “Because a single service provider might affect consumer risk at many institutions, the CFPB has begun to develop and implement a program to supervise these service providers directly. Direct examination of key service providers will provide the CFPB the opportunity to monitor and potentially reduce risks to consumers at their source.”
To this point, service providers have been subject to CFPB enforcement and investigation requests because they are service providers to lenders. However, this shift by the CFPB would for the first time allow the bureau to provide ongoing, on-site supervision of service providers in the mortgage market.
“In its initial work, the CFPB is conducting baseline reviews of some service providers to learn about the structure of these companies, their operations, their compliance systems, and their CMS (compliance management systems),” the bureau said in the Supervisory Highlights report. “In more targeted work, the CFPB is focusing on service providers that directly affect the mortgage origination and servicing markets. The CFPB will shape its future service provider supervisory activities based on what it learns through its initial work.”
Maria Moskver is the general counsel and enterprise compliance officer at LenderLive, which operates in two categories, both as a licensed entity and a service provider specializing in mortgage fulfillment, title and settlement, critical borrower communications and other loan cycle functions. This affords Moskver a uniquely well-rounded perspective on compliance, which she shared with Dodd Frank Update. Specifically, she addressed the bureau’s intention to start supervising third-party vendors.
Dropping hints
“The bureau has long taken an interest in the role service providers play in the financial services industry,” Moskver said. “In 2012, the bureau published a bulletin which outlined its expectations for financial institutions in monitoring their vendors. That bulletin was recently re-issued by the bureau, highlighting its continued importance."
Speaking in reference to Cordray’s speeches, Moskver said, “Director Cordray has also been very outspoken about his concern that vendors are a weak link in the compliance chain.” Specifically, she noted the 2015 address at the Mortgage Bankers Association annual convention in which Cordray spoke about the important role played by service providers in the industry.
In that speech, he discussed how “disturbed” he was by reports of the amount of difficulty vendors were causing with the implementation of the new TRID requirements. He sent a shot across the bow of service providers by stating that federal and state financial regulators may “need to devote greater attention to the unsatisfactory performance of these vendors and how they are affecting the financial marketplace.”
“The enforcement actions that have come out recently also are indicative of the bureau’s intent to regulate that space because service providers are so critical in the financial services industry,” Moskver said. “It goes to the intent of the bureau’s main focus, which is protecting consumers.”
Data security may be one of the most important compliance challenges vendors will need to address as the industry enters an era of direct CFPB supervision, Moskver said. She noted how important it is for companies, even those not considered “covered entities,” to have a compliance management system that accounts for data security issues, as well as an incident response plan.
Supervisory learning curve
Because most service providers never have been subject to direct supervision from a regulator, many companies will have to learn how CFPB examinations might differ from those conducted by their clients.
Zoot Enterprises, which provides clients solutions for advanced origination, client acquisition and credit-decisioning, has been in business for more than 25 years, yet is still among the long list of companies that soon could face its first examination from a regulator. However, as Zoot Vice President of Sales and Marketing Travis Tuss told Dodd Frank Update, the company is no stranger to having to provide the types of information regulators may be looking for during such an examination, noting that clients generally audit its operations at least once, annually.
“Each of those audits is very thorough and in-depth, and they take time to prove to our clients that their assets are safe here,” Tuss said. “In relation to an audit by the CFPB, specifically, we would take that very seriously, as have really all of our banks and I’d leave it at that for now. I don’t think there would be a lot of difference (from client audits). They would still be seeking to study and verify the same information, I think.”
Zoot typically completes an audit for any one of its clients on any given week. On top of that, Zoot also conducts its own audits in-house and publishes the results.
Positive thinking
Tuss, whose company has not been subject to direct supervision from a regulator in the past, said it definitely could benefit from more guidance about what the bureau might want to explore or verify during an examination. He added that such guidance could be useful in accommodating regulators throughout the audit process to ensure efficiency and usefulness.
Moskver said that as part of its next steps in implementing its third-party oversight plan, the bureau likely will publish such guidance materials to establish a common compliance standard.
“If they are planning to supervise them directly, they will publish an examination manual for service providers,” she said. “They’ll provide the framework that’s needed. The hope in the industry is that the bureau will move away from regulation by enforcement a little bit more towards regulatory guidance.”
Moskver noted that many in the industry long have objected that the CFPB’s guidance in service provider bulletins is too vague.
“I actually think it’s probably a beneficial thing for the industry because, up until now, there’s been really no uniform assessment for service providers,” Moskver said. “And, going forward there will be a baseline standard that everyone will have to meet. From a data security perspective, we’ve already seen that, both at the federal and state level. The bureau may follow guidelines that are already in existence, such as the Cybersecurity Framework published by the National Institution of Standards and Technology (NIST) and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool, and those that some states, most notably New York, have put in place to build their cybersecurity framework.”
What to be ready for
Moskver noted that system failures and cybersecurity issues have been cited in multiple enforcement actions, which the bureau tends to refer to when talking about requirements for the companies it supervises. Many such issues can be traced back to third-party companies used by financial institutions named in CFPB complaints. Reports from such enforcement actions, as well as the bureau’s Supervisory Highlights, might be the best resources for service providers looking to avoid compliance pitfalls – much the way financial institutions have done since the bureau’s creation – as well as Cordray’s speeches.
“Cordray’s speeches contain good information if you can read in between the lines about service providers and what they expect,” she said. “Even just keeping an eye on the bureau’s latest engagement between the bureau and innovators to improve their financial services market, ‘Project Catalyst,’ and what they are doing there will most likely produce some best practices too.”
But, won’t the CFPB lose its supervisory authority soon?
As far as the prospect of the bureau losing its supervisory authority because of potential legislative changes to the Dodd-Frank Act, Moskver advises against betting that such a change will occur in the immediate future, if at all.
“I don’t think everything is going to get deregulated,” she said. “If somehow Dodd-Frank was completely rolled back, it would take considerable time. Also, the states have already started to step in to fill any regulatory void that exists. Compliance is a key component of this industry, and it was missing before, so there is a baseline that should exist for the industry. I think, at some point, it was over-regulated as a reaction to the housing crisis. But for now, we are in a state where we can go in and assess whether this is how we want to proceed going forward.”