Risk from Vendor Errors Grows

BOSTON–As regulators, including the Consumer Financial Protection Bureau and Office of the Comptroller of the Currency, insist that lenders mitigate risks from their service providers, managing vendors becomes even more important, analysts said here at the Mortgage Bankers Association’s Annual Convention & Expo.

“The CFPB takes a broad view of what a ‘service provider’ is,” said Jeffrey Naimon, Partner with BuckleySandler LLP, Washington, D.C. “They expect that you are making sure they are doing what they’re supposed to do correctly.”

Debbie Hoffman, Chief Legal Officer with Digital Risk, Orlando, Fla., noted that different regulators examine vendor management–sometimes called third-party risk management–differently. “The CFPB is fairly general; it focuses solely on consumer protection,” she said. “The OCC is the most detailed; it addresses both safety and soundness and consumer protection.”

Naimon said CFPB took its first data security-related enforcement action this year against online payment provider Dwolla, Des Moines, Iowa, for its claim that it protected consumer data from unauthorized access with “safe” and “secure” transactions. 

“But rather than setting ‘a new precedent for the payments industry’ as asserted, Dwolla’s data security practices in fact fell far short of its claims,” CFPB said. “Such deception about security and security practices is illegal.” 

Specifically, CFPB found that Dwolla misrepresented its data-security practices by falsely claiming its data security practices exceed industry security standards and falsely claiming that its information is “securely encrypted and stored.”

The CFPB did not find evidence of harm, but it imposed a $100,000 penalty on Dwolla, Naimon said. Dwolla also agreed to improve its data security practices.

“The takeaway [from the Dwolla case] is that failure to satisfy internal standards and ‘potential for harm’ led to real fines,” said Jeremy Potter, Associate Counsel with Quicken Loans, Detroit. In this case, Dwolla was not punished for actual harm done, he said. “They were sanctioned for the potential for harm.”

In another case, the CFPB ordered Santander Bank, Wilmington, Del., to pay $10 million for its vendor’s illegal overdraft service practices, Naimon said. “Santander’s service provider allegedly engaged in deceptive marketing to enroll customers into overdraft protection without consent,” he said, noting that the CFPB also barred the bank from using that vendor for any outbound telemarketing.

“CFPB focused on several Santander mistakes, including failure to monitor its vendor and ineffective compliance training,” Naimon said.

Mark Jones, Co-Founder of Amerifirst Financial Corp., Kalamazoo, Mich., said managing vendors can pose unique challenges for smaller institutions that might not have the resources to audit all of their service provider agreements. “Does your accounting department collect W-9s?” he said. “Who provides approvals for use of vendors? Who signs the contracts? And who tracks contract expirations?”

Jones suggested that smaller lenders establish “levels of risk” for each type of vendor, including operational risk–whether the vendor is privy to personally identifiable information; transactional risk–whether there is a substantial financial commitment to the vendor; and credit risk–ensuring the vendor is financially stable.

Disgruntled or disillusioned employees cause nearly half of all security incidents, Hoffman said: “What info are your vendors handling? W-2 forms, tax returns, pay stubs, recent bills, bank statements? All these must be treated confidentially. If your vendor is not trained on this, ultimately it’s your problem,” she said.

Hoffman recommended checking potential vendors out thoroughly. “Do a background check,” she said. “Do they have policies and procedures, do they have appropriate capital to implement proper security and is cyber security a top concern of management? Does the vendor utilize NIST or SSAE16 [Statement on Standards for Attestation Engagements, an auditing standard for service organizations] best practices? Do they have password and email safety awareness?”

Hoffman also suggested any vendor contracts include the right to audit upon breach and indemnification against security incidents. “You should be added as an additional insured on your vendor’s policy so you can make a claim directly,” she said.

Potter noted one key to minimizing vendor management risk is committing to a strategy, articulating it and following up on it. “The simple act of committing to a framework can make a big difference in this area,” he said.