On April 13, 2012, the Consumer Financial Protection Bureau (“CFPB”) issued a bulletin advising of its expectations for oversight of business relationships with service providers, as defined in Section 1002(26) of the Dodd-Frank Act.  Banks and non-banks often hire service providers to handle customer service issues, operate call centers, handle data, and process credit cards.  The CFPB advised that it expects banks and non-banks to “have an effective process for managing the risks of service provider relationships.”  The following steps were advised: 

• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial protection laws;
• Requesting and reviewing the service provider’s policies and procedures, training procedures, and internal controls to ensure there is proper internal oversight of its employees and agents;
• Clearly setting forth expectations for the service provider regarding compliance and consequences and penalties for non-compliance;
• Establishing internal controls by banks and non-banks to monitor the service provider to ensure compliance; and
• Taking prompt action in the event of non-compliance by the service provider.

Any agreements with a service provider should be carefully reviewed to ensure that banks and non-banks can hold the service provider accountable for its non-compliance, as well as to indemnify the bank or non-bank for the service provider’s misdeeds.