Privacy & Information Security Law Blog

Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) published a Bulletin signaling its intent to regulate and exercise enforcement authority over service providers to financial institutions. Pursuant to Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act and its implementing regulation, Regulation P, the CFPB has authority over certain large banks, credit unions and other consumer financial services companies. The Bulletin notes that the CFPB’s goal is to ensure compliance with “[f]ederal consumer financial law,” which includes the Gramm-Leach-Bliley Act and its implementing regulations, the Privacy Rule and the Safeguards Rule.

The Bulletin recommends that financial institutions take the following steps to ensure their service providers comply with the law:

• Conduct due diligence to ensure that the service provider understands and will comply with the relevant laws;
• Request and review the service provider’s policies and procedures to ensure that the service provider’s employees are properly trained and supervised;
• Set forth contractual provisions that address the service provider’s compliance responsibilities and the consequences of noncompliance;
• Establish internal controls and monitor the service provider’s compliance with the law; and
• Act promptly to remediate any problems that are discovered through the monitoring process.

In the press release accompanying the Bulletin, CFPB Director Richard Cordray noted that “Consumers must not be hurt by unfair, deceptive, or abusive practices of service providers. Banks and nonbanks must manage these relationships carefully and can be held accountable if they break the law.”