Recent CFPB Enforcement Action Highlights Importance of Third-Party Service Provider Oversight
One of my favorite law school professors used to tell her students to study the footnotes in Supreme Court opinions to understand the limitations of the Court’s decisions and predict emerging legal issues. I analyze enforcement activity by the Consumer Financial Protection Bureau (CFPB) in the same light because the Bureau often uses its enforcement arm to send a message to its regulated industries about its current supervision and enforcement priorities.
A recent CFPB final judgment and order (Order) against “repeat offender” Portfolio Recovery Associates (PRA), one of the nation’s largest debt buyers, serves as a prime example. The Order imposed $24 million in penalties and refunds on PRA on top of a $27 million Consent Decree entered into in 2015.
Their Shortcomings Are Your Responsibility
The CFPB’s scrutiny of PRA’s alleged mishandling of credit reporting disputes has received a lot of attention, and rightfully so. But the more interesting aspect of the Order may be that the CFPB held (and will continue to hold) PRA responsible for its alleged failure to adequately oversee and address transgressions by its outside law firms because the law firms miscalculated the statute of limitations (SOL) and filed a small number of cases (characterized as “dozens” by the CFPB) after the expiration of the SOL. The CFPB used these miscalculations to impose very specific third-party service provider oversight requirements on PRA as outlined in Paragraph 15(f) of the Order:
- Prior to entering into a contract with a service provider, PRA must ensure that the service provider can perform its obligations in compliance with PRA’s policies and procedures, its contract with PRA, and all other applicable Federal consumer financial laws;
- For new and renewed contracts, PRA must obtain a written contract with the service provider that sets forth the responsibilities of each party, including:
  - The service provider’s specific performance responsibilities and duty to maintain adequate internal controls.
  - The service provider’s duty to provide adequate training on compliance with PRA’s relevant policies and procedures, its contract with PRA, and all other applicable Federal consumer financial laws.
  - The service provider’s duty to alert PRA whenever a consumer submits a dispute or asserts a defense to a debt collection lawsuit or arbitration.
  - PRA’s authority to conduct periodic reviews of the service provider’s controls, performance, and information systems related to debt collection on behalf of PRA.
  - PRA’s right to terminate the contract if the service provider fails to comply with the terms specified in the contract.
- PRA must conduct a periodic review of the service provider’s controls, performance, and information systems related to debt collections.
Elements of Effective and Compliant Third-Party Oversight
These requirements should look familiar as they largely mirror the compliance guidance the CFPB offered in 2016. Given the complexity of calculating the applicable SOL and the minuscule percentage of cases found to have been filed after the expiration of the SOL, the CFPB’s decision to include the third-party oversight requirements in the Order illustrates its renewed focus on penalizing financial services companies that lack an effective compliance management system (CMS) that includes a robust third-party oversight program.
This means it’s time for financial service companies to ensure they have an effective and comprehensive internal compliance program that holistically examines and audits their products and services, furnishing of information to the credit reporting agencies (CRA), consumer disputes whether received directly from a consumer, CRA, or third-party service provider, and all dispute resolution practices, policies, and procedures. This includes consistently tracking, analyzing, and addressing disputes by the type of dispute, the product or service being disputed, and their frequency to spot trends, identify root causes, and fix problems to minimize compliance risks and potential liability.
However, the inquiry does not end here for companies that use third-party service providers. A properly functioning CMS must have equally strong, vigilant, and institutionalized compliance oversight of third-party service providers. That oversight usually starts with placing your service vendors in appropriate oversight tiers depending on the sensitivity and risk associated with their work (e.g., consumer-facing vendors and those that store and maintain personally identifiable information would be on a higher tier than lower profile vendors).
In addition to ensuring that the oversight includes satisfying the requirements in Paragraph 15(f) of the Order, it’s absolutely critical that you track and continuously analyze in real time the complaints you receive about the service provider or discover from your audits in the same manner you analyze complaints about your financial product or the conduct of your own employees. Keeping a watchful eye on your service providers’ conduct as part of their “scorecard” should allow you to mitigate issues before they become systemic and know when to terminate the relationship.
The bottom line is that debt purchasers, mortgage servicers, and similarly situated companies cannot take a “set it and forget it” approach with third-party service providers. A failure to proactively and systematically oversee their efforts is an open invitation for regulators to come knocking.
Maddin Hauser regularly works with clients in the financial services industry to develop and implement comprehensive internal and third-party compliance programs. If you would like to discuss your company’s compliance concerns, please contact Rob Horwitz at Maddin Hauser. Rob is scheduled to speak on a panel that covers the evolving debt collection landscape, including recent CFPB developments, during the 2023 Mortgage Bankers Association Legal Issues and Regulatory Conference.