28th National Conference on Consumer Finance Class Actions & Litigation - PowerPoint Presentation

Uploaded On 2020-08-04

Presentation Transcript

Slide1

28th National Conference on Consumer Finance Class Actions & Litigation

Vendor Liability and Management: Managing Risk for Third Parties in the Financial Services Context

April 4-5, 2017

Stephen A. Walsh

Partner

Adams and Reese LLP

Rebecca E. Kuehn

Partner

Hudson Cook, LLP

Tweeting about this conference?

Slide2

Why Do Financial Institutions Outsource?

- Enhance Services Performed In-House
- Offer Cost-Effective Wholesale Payment Services
- Gain Expertise Without Significant Investment
- Develop and Market Additional Products and Services
- Compete in Today’s Market
- Resource Constraints
- Fulfill Customer Demands

Slide3

Services Typically Outsourced by FI

- Subprime lending programs
- Credit card programs
- Payday lending
- Debit card programs
- Reward programs
- Deposit taking
- Overdraft payment programs
- Refund anticipation loans
- Audit programs
- Broker-dealer relationships
- Mortgage brokerage services
- Automobile dealer relationships
- Flood determination services
- Reverse mortgage programs
- Fraud detection services

Slide4

What Constitutes Significant TP Relationship?

- Relationship is new or involves new activities by FI
- Has material effect on FI’s revenues or expenses
- TP stores, accesses, transmits, or performs transactions with sensitive customer information
- TP performs critical functions
- Increases FI’s geographic market
- Performs a service involving lending or card payment transactions
- Poses risks that could affect earnings, capital, or reputation
- Provides product or service that covers large number of consumers
- Provides product or service that implicates higher risk consumer protection regulations
- Involves deposit taking arrangements
- Markets products directly to FI customers that could pose risk of financial loss to individual

Slide5

Who’s Watching?

- FED
- FDIC
- OCC
- CFPB
- State Agencies / Regulators

Slide6

Who else???

- Customers
- Potential customers
- Competitors
- The industry
- Employees

Slide7

Reputational Risk

Fed defines reputational risk as “the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reduction.” (SR 95-51)

Key point: A FI’s reputation can be damaged regardless of whether the alleged events are true or not and whether an error / breach was committed by the FI or the FI’s vendor or third-party service provider.

Slide8

Reputation and Risk

“Risk comes from not knowing what you’re doing.”

“It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

- Warren Buffett

“You can’t build a reputation on what you are going to do.”

- Henry Ford

Slide9

Big Picture: Types of Risk

- Compliance Risk
- Strategic Risk
- Operational Risk
- Transaction Risk
- Credit Risk
- Country Risk

Slide10

Other risks posed by third-party vendors

- Information / data security risk
- Physical security risk
- Financial / fraud / theft risk
- Employment risks
- Property damage risk
- Personal injury risk

Slide11

Focus tends to be on Information Security

But there are other risks…

For example, FIs as “employers” can be liable under Title VII of the Civil Rights Act of 1964 (prohibits discrimination on the basis of race, sex, color, religion, or national origin) for harassment of the FI’s employees by a third party service provider.

Slide12

Background Screening Class Action Settlements by Employers

- January 2016 – Home Depot; $3M settlement ─ disclosure form
- March 2016 – Wells Fargo; $12M settlement ─ pre-adverse action notice
- March 2016 – Lowes; up to $22.5M settlement ─ disclosure form
- April 2016 – Census Bureau; $15M settlement ─ discrimination based on criminal background check policy
- June 2016 – Uber; $7.5M settlement ─ pre-report authorization

Slide13

How do we manage these risks?

- Have appropriate internal controls (EEO policies and procedures)
- Due diligence / on-going monitoring of TPSP (a/k/a “constant due diligence”)
  -- Risk assessment: Will vendor be on-site? Will vendor’s employees interact with FI’s employees?
- Good contracts (follow through is critical)
- Require vendors to comply with site rules and code of conduct
- Require vendors to have appropriate EPL insurance which names FI as additional insured
- Require vendors to indemnify FI for any employment claims involving vendor personnel

Slide14

CFPB – Authority Over Service Providers

- The CFPB has direct authority over service providers to financial institutions.
- Title X grants the CFPB supervisory and enforcement authority over service providers, which includes the authority to examine the operations of the service providers on site. 12 U.S.C. §§ 5514(e), 5515(d), 5516(e), 5563 and 5564.
- Includes authority to ensure compliance with Title X’s prohibition against unfair, deceptive or abusive acts or practices.
- The CFPB’s jurisdiction includes both supervisory and enforcement authority.

Slide15

CFPB - Definition of Service Providers

Service provider is generally defined as “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service” (12 U.S.C. § 5481(26)).

Supervised service providers refer to the following:

- Service providers to supervised banks and nonbanks (12 U.S.C. §§ 5515, 5514).
- Service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. § 5516).

Slide16

CFPB Service Provider Guidance

- CFPB issued Bulletin 2012-03 in April 2012.
- Bulletin 2012-03 was reissued as Compliance Bulletin and Policy Guidance 2016-02.
- “The CFPB amended its guidance to clarify that supervised entities have flexibility and to allow appropriate risk management.”

Slide17

CFPB Service Provider Guidance

The CFPB expects financial institutions to:

- Conduct thorough due diligence
- Review policies, procedures, internal controls and training materials
- Include clear compliance expectations and consequences in the contract
- Establish ongoing monitoring
- Take prompt action to address problems

Slide18

CFPB Enforcement

Santander Bank (Jul. 14, 2016) - $10M civil money penalty assessed for overdraft enrollment practices

The CFPB alleged that the bank, from 2010 to 2014, used a telemarketer to deceptively market and enroll consumers in the bank’s overdraft service for ATM and one-time debit card transactions. The bank rewarded the telemarketer with a higher hourly rate when it hit specified sales targets.

See http://www.consumerfinance.gov/about-us/newsroom/consumer-financial-protection-bureau-orders-santander-bank-pay-10-million-fine-illegal-overdraft-practices/.

Slide19

CFPB Enforcement

Texas-based First Investors Financial Services Corp., an auto-finance co., fined $2.75M by CFPB for knowingly providing inaccurate information to credit reporting agencies. (Aug. 2014)

First Investors failed to fix known flaws in a computer system that was providing inaccurate information to credit reporting agencies. This potentially harmed tens of thousands of its customers. CFPB: Companies cannot pass the buck by blaming a computer system or vendor for their mistakes.

Slide20

When is a third party vendor not liable?

Vendors may not owe a duty to their customers’ customers.

CFPB v. Intercept Corporation – On March 17, 2017, the US District Court for the District of North Dakota dismissed without prejudice a complaint filed by the CFPB against Intercept, a payment processor for payday and title lenders and debt collectors, for failure to state a plausible claim under Fed. R. Civ. P. 12(b)(6).

Intercept is a third party vendor to its customers - providing a “bridge” between its customers and the ACH and FRB payment systems.

Slide21

A UDAAP Bridge Too Far?

The CFPB asserted that payment processors have a duty to their customers’ customers (i.e., consumers) to be diligent in monitoring their customers for compliance with the law and to take action against - and presumably not process payments for - their customers that are noncompliant. The CFPB alleged that certain “red flags” should have alerted Intercept to the shortcomings of some of its customers and that its failure to act, whether from negligence or willful blindness, amounted to assisting and facilitating the UDAAP violations of its customers.

Even if the CFPB’s allegations were true, the court determined that the CFPB had not alleged how Intercept’s failure to act was unfair (UDAAP claims) or resulted in any injury to any consumer that was not outweighed by a benefit.

Slide22

Vendor Management Meets Cybersecurity

Soha Systems Survey on Third Party Risk Management (April 2016) – 63% of data breaches can be attributed directly or indirectly to a third party vendor.

See http://go.soha.io/hubfs/Survey_Reports/Soha_Systems_Third_Party_Advisory_Group_2016_IT_Survey_Report.pdf?t=1467123126371.

Slide23

More on Cybersecurity Risks

The ABA Cybersecurity Legal Task Force has released a “Vendor Contracting Project: Cybersecurity Checklist”.

The checklist was designed as a way to manage cybersecurity risk when working with third party vendors – from vendor selection to contracting and vendor management. The task force acknowledged that cybersecurity provisions are not one-size-fits-all and should instead be informed by the parties’ assessment of risk and strategies to mitigate risk. As such, the checklist should be modified and supplemented, as needed, to reflect the particular regulatory requirements and business needs of the user.

See http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf.

Slide24

State Law, Vendors, and Cybersecurity

Illinois – Personal Information Protection Act, 815 ILCS 530/1 et seq.

Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.

Slide25

Lawyers as Vendors

Increased focus on information security – vendor questionnaires, cybersecurity concerns, etc.

- In March 2016, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain.
- In April 2016, a large data breach involving the law firm Mossack Fonseca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders.
- In December 2016, a court unsealed a proposed class action against Chicago law firm Johnson & Bell Ltd., accusing it of failing to protect client data.

Slide26

Lawyers as Vendors

FIs requiring background checks on outside lawyers (and law firm personnel) as “institution-affiliated parties” under FDIC Act § 19.

Section 19 applies to any person who is convicted of or enters a “pretrial diversion” or similar program involving “any criminal offense involving dishonesty or a breach of trust or money laundering.”

FDIC policy statement: “Under 12 U.S.C. 1813(u), independent contractors are institution-affiliated parties if they knowingly or recklessly participate in violations, unsafe or unsound practices or breaches of fiduciary duty which are likely to cause significant loss to, or a significant adverse effect on, an insured institution. In terms of participation, an independent contractor who influences or controls the management or affairs of the insured institution, would be covered by Section 19.”

Slide27

Resources

- CFPB Service Provider Bulletin: http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf
- CFPB Supervision & Examination Manual: http://www.consumerfinance.gov/guidance/supervision/manual/
- CFPB Enforcement Actions: http://www.consumerfinance.gov/administrativeadjudication/

Slide28

Resources

- FDIC Third-Party Risk Guidance: http://www.fdic.gov/news/news/financial/2008/fil08044.html
- OCC Third Party Relationship Guidance: http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html