The CFPB has reissued its guidance on service providers, which was formerly titled CFPB Bulletin 2012-03 and, as published in the Federal Register on October 26, 2016, is now titled “Compliance Bulletin and Policy Guidance 2016-02.”
The reissued guidance includes an amendment that the CFPB described as “needed to clarify that supervised entities have flexibility [in their risk management program for service providers] and to allow appropriate risk management.” The amendment consists of the addition of the following language to the guidance:
The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed – its size, scope, complexity, importance and potential for consumer harm – and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable, as discussed above.
(The words “as discussed above” in the added language refer to the section of the guidance that indicates a supervised bank or nonbank can also have liability for a service provider’s noncompliance.)
Although other CFPB Bulletins were published in the Federal Register, it appears that the CFPB did not previously publish Bulletin 2012-03 when it was issued. Accordingly, similar to other published bulletins, Compliance Bulletin and Policy Guidance 2016-02 contains a section on regulatory requirements stating that the Compliance Bulletin and Policy Guidance is exempt from notice and comment rulemaking requirements under the Administrative Procedure Act because it “is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority.”