Tuesday, November 1, 2016
CFPB Clarifies ‘Flexibility’ in Third-Party Risk Management
The Consumer Financial Protection Bureau yesterday issued an update to its guidance on risk management for third-party service providers. The update is intended to clarify that entities supervised by the bureau have “flexibility” to “allow appropriate risk management” of these relationships. “Some entities may have interpreted the bureau’s 2012 bulletin to mean they had to use the same due diligence requirements for all service providers no matter the risk for consumer harm,” the bureau said in an issue of its Supervisory Highlights publication also released yesterday. “As a result, some small service providers have reported that entities have imposed the same due diligence requirements on them as for the largest service providers.” Instead, the new guidance indicates that the CFPB “expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed -- its size, scope, complexity, importance and potential for consumer harm -- and the performance of the service provider in carrying out its activities in compliance with federal consumer financial laws and regulations.”