Industry News & Resources | NeuAnalytics

It's Time to Update your Third-Party Risk Audits to Match the CFPB's Expectations

Written by Linda Straub Jones | May 31, 2022 5:18:00 PM

In the past several months, the CFPB has made three separate updates to its exam procedures. With each update come additional requirements for creditors auditing their third-party collection agencies.

As a creditor using third-party debt collection agencies, you are expected to update your process for auditing your agencies to accommodate the CFPB’s updated expectations.  At a minimum, you should be reviewing your audit processes annually to ensure you are accounting for these new sections.  Depending on the update, you will need to ask your third-party collection agencies for different documentation or proof that they have the proper processes, security, or even software in place to cover the new expectations.   You may also need to request updated policies and procedures from your agencies.  

“Institutions are expected to manage relationships with service providers to ensure that service providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided.”

 

The quote above from the CFPB’s IT Risk Management Update is clear as a bell – creditors are responsible for managing their third-party collection agencies.  So, let’s briefly review each of the new updates and discuss what you, as a creditor using third-party debt collection agencies, should be doing now:

 

September 2021: IT Risk Management Updates

The full text of the CFPB’s IT Risk Management Updates can be found here.  

For a deeper dive into this particular update, see our blog post “Don’t Forget to Update Your Risk Management Framework for the CFPB’s IT Exam Procedures”. In summary, the updates for IT Risk Management include four (4) modules:

  1. Board Management and Oversight: Ensure your agencies have proper board management and oversight of their compliance programs, and ensure your company has the same oversight, not just of its own compliance program but also of the management of its third-party vendors.
  2. Compliance Programs: Your third-party vendors should have a solid compliance program, and the IT surrounding it should be solid.  At a minimum, their compliance program should include: 
    • Policies & Procedures
    • Training
    • Monitoring/Audit
    • Consumer Complaint Response
  3. Service Provider Oversight: While the CFPB acknowledges third-party service providers may be a necessary part of doing business, it also states that engaging with a service provider does not negate the institution’s responsibility to comply with Federal consumer financial laws. Service providers must be familiar with any legal requirements applicable to the products being offered and must have processes in place to ensure consumer protection. Dodd-Frank places legal responsibility not only with the service provider but also with the institution for unfair, deceptive, or abusive acts and practices (UDAAP) if there is consumer harm caused by the institution’s vendors.
  4. Violations of Law and Consumer Harm: Throughout the exam process, the examiner will be looking for violations of law and consumer harm. If a violation is found, the examiner will determine if the institution’s CMS identified the violation, and if so, what remediation resulted.

March 2022: Debt Collection Exam Procedure Updates

The full text of the CFPB’s Debt Collection Exam Procedure Updates can be found here

This March 2022 update addressed changes and additional exam procedures that were brought on by the enactment of Regulation F on November 30, 2021.  While the modules below are aimed at third-party debt collection agencies, they are also good items to include in regular audits of your agencies.  The agencies are responsible for ensuring these processes are in place, but you are responsible for ensuring you are working with a compliant agency that will limit consumer harm.  The new procedures include seven (7) modules: 

  1. Entity Business Model: Assesses whether the entity is a ‘debt collector’ under the FDCPA and therefore subject to Regulation F. Also evaluates vendor relationships, internal controls, and related account management issues. 
  2. Communications in Connection with Debt Collection: Addresses FDCPA and UDAAP issues that may arise when entities communicate or attempt to communicate with consumers or third parties as part of their debt collection activities. The CFPB will review documents, recordings, and notes made during calls.
  3. Information Sharing, Privacy, and Interactions with Consumer Reporting Agencies: Addresses specific requirements related to information sharing, privacy, and interactions with consumer reporting agencies under the GLBA and Regulation P, the FCRA and Regulation V, and the FDCPA and Regulation F. 
  4. Validation Notice, Consumer FDCPA Disputes and Complaints and Ceasing Communications: Addresses consumer inquiries, complaints, and FDCPA disputes as well as the debt verification obligations imposed by the FDCPA (where applicable). 
  5. Payment Processing and Account Maintenance: Addresses how consumers’ payments are applied to their accounts and other account maintenance issues, including those associated with electronic fund transfers. 
  6. Equal Credit Opportunity Act: Defines when an entity is a ‘creditor’ and therefore subject to the requirements of ECOA and Regulation B. 
  7. Litigation Practices, Administrative Wage Garnishment and Repossessions, and Time-Barred Debt: Addresses collection actions in court and potential risks to consumers that may arise in this context. Also addresses repossession and collection of debt that is beyond the applicable statute of limitations for a collection lawsuit.

Monitoring, remediation, and action plans are no longer a ‘nice to have’ – they are a ‘must-have.’

 

March 2022: UDAAP Exam Manual Updates

The full text of the UDAAP Exam Manual Updates can be found here

Per the CFPB’s press release, “The CFPB will examine for discrimination in all consumer finance markets, including credit, servicing, collections, consumer reporting, payments, remittances, and deposits. CFPB examiners will require supervised companies to show their processes for assessing risks and discriminatory outcomes, including documentation of customer demographics and the impact of products and fees on different demographic groups”.

The CFPB’s examination procedures on UDAAP provide general guidance on: 

  • Defining the principles of unfairness, deception, and abuse in the context of offering and providing consumer financial products and services. 
  • Assessing the risk that an institution’s practices may be unfair, deceptive, or abusive. 
  • Identifying unfair, deceptive, or abusive acts or practices.
  • Understanding the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection and anti-discrimination statutes. 

Since the CFPB specifically calls out collections, it will likely be looking at that from multiple angles: first, to ensure there is no discrimination when forwarding an account to a third-party collection agency, and also to ensure the agency is treating accounts equally and not discriminating in its own collection practices.

As the CFPB continues to review its examination procedures, additional sections may be added to specifically call attention to areas that could cause consumer harm.  We anticipate the next update will likely have something to do with credit bureau reporting, specifically for those who report medical debt.  

The best place to find out about the CFPB’s updates is directly on its website, www.consumerfinance.gov, and more specifically its Press Release Page.

NeuAnalytics is the industry leader in operational risk and compliance management. Our solutions provide the world’s leading creditors with comprehensive business intelligence while continuously monitoring for compliance.

The NeuAnalytics Compliance Management System allows your staff to holistically manage compliance, down to the individual consumer level. It is a powerful set of tools for determining if vendors are acting on your behalf in compliance with the, at times, overwhelming multitude of federal, state, and local consumer protection regulations.

With NeuAnalytics, you can avoid compliance-related fines and penalties that can result in reputational damage to your brand.

To learn more about how NeuAnalytics provides creditors compliance and auditing automation, visit us at www.neuanalytics.com.