CFPB Updates Guidance on Lender Supervision of Third-Party “Service Providers”

On October 19, 2016, the director of the Consumer Financial Protection Bureau (CFPB) issued a new bulletin entitled “Compliance Bulletin and Policy Guidance; 2016-02, Service Providers.”  This bulletin is significant for the title industry because it reissues guidance from Bulletin 2012-03, which made it clear that financial institutions are obligated to ensure their business arrangements with service providers do not present unwarranted risks to consumers.  The requirements identified in the 2012-03 Bulletin are restated, word for word, in this newest bulletin.  The CFPB has reminded financial institutions that they are required to take specific steps that include, but are not limited to:

  • Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law.
  • Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities.
  • Including in the contract with the service provider clear expectations regarding compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices.
  • Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law.
  • Taking prompt action to address any problems identified through the monitoring process, including terminating the relationship where appropriate.


Preparing for the Proverbial Compliance Storm: There Should Be an App for That

If only there were a “Best Practices” app to let us know when your lenders will require a Certification of Compliance.

With a “weather app” on your cellphone, rain should never come as a surprise.  One simply looks at the displayed radar images, clicks the “future” tab, and immediately sees where storms are headed and when they will arrive.  Although this is amazing technology, it has limits.  You can’t control when or where the rain hits, but you can at least be prepared when it arrives.

Unfortunately, we don’t always make use of these types of applications and often are caught unprepared by a downpour.  The same scenario can happen in the business world—absent an “app” to warn us of an impending storm, we must take advantage of all available information or otherwise face major disruptions in operations.


Think Your Organization Is Safe from Hefty Fines? Think Again

You may be fined, even if your data is never hacked

It generally is understood that if internal data is compromised and confidential customer data falls into the wrong hands, bad things will occur.  Most of us simply keep our fingers crossed and hope that a cyber-attack never occurs.  Unfortunately, a recent set of announced fines from the CFPB, SEC, and FTC reveals that even if you are “lucky enough” to avoid a data breach incident, you still may be in danger of incurring a serious fine.

A blog written by the law firm Holland and Hart, LLP, “Waiting May Cost You: Sanctions for Inadequate Cybersecurity Practices May Be Imposed Before a Cyber Attack,” discusses three recent enforcement actions.  While none of the companies fined were in the title industry, all made mistakes similar to those I have observed title agencies make.

A $100,000 fine was levied in In the Matter of Dwolla, Inc.  As the consent order reveals, Dwolla openly represented to the public that use of its services was “safe and secure.”  However, when the CFPB evaluated Dwolla’s operations, it came to the opposite conclusion and found Dwolla had “failed to employ reasonable and appropriate measures to protect data obtained from consumers from unauthorized access.”

What’s the Weakest Link in Your Privacy Program?

In recent blogs, I focused on the serious consequences that arise in the event of a data breach.  Those consequences involve timely breach notifications to all your customers, dealing with the inevitable regulator investigation, litigation, and the possibility of substantial fines.  However, probably of most significance is the reputational risk, as a data breach would decrease lender confidence in your ability to protect the non-public personal information (NPI) that they entrusted to your company.  The resulting havoc from a breach is such that a single data breach event would likely put many small title agencies out of business, which makes efforts to minimize the risk of a breach a high priority.  In this blog, I will focus on one low-cost way to avoid a significant risk of a breach.

Your policies and procedures must address three key areas of risk

Those who have started the process of compliance with Best Practices realize that you must begin with a set of written policies and procedures (P&P) that provide your staff guidance on the detailed steps they need to take, from the moment a file is opened to the point it is placed into storage.  In order to adequately complete this essential first step, your P&P manual must thoroughly address the handling of three specific types of risk: (1) physical security (e.g., locks, customer escort, clean desk policies), (2) technical security (e.g., firewalls, encryption, use of long passwords), and (3) administrative security (e.g., providing direction regarding ongoing risk management procedures to your staff).