KirkpatrickPrice
Innovation. Integrity. Delivered.
Vendor Compliance Management

An effective risk management strategy includes the assessment and monitoring of vendor compliance with your company’s policies and procedures. Today’s compliance programs involve an ongoing struggle to organize vendor responses using spreadsheets and questionnaires while manually tracking recurring events and supporting documents.

Where should you start?

CFPB Bulletin 2012-3 states that companies must “oversee” their vendors “in a manner that ensures compliance with Federal consumer financial law…The CFPB’s exercise of its supervisory and enforcement authority will closely reflect this orientation and emphasis.”

In the past

Managing vendor compliance contractually used to be sufficient. Compliance risk and responsibility were transferred to the service provider, and through this process, compliance activity was kept at arm’s length.

Now

A full chain of custody is necessary to ensure full compliance. For this to happen, an “effective process” must be in place. The CFPB expects you to “oversee [your] business relationships with service providers in a manner that ensures compliance with Federal consumer financial law…”

Who’s Responsible for What?

If you have “any person (i.e. service provider) that produces a material service to a covered person (i.e. you) in connection with the offering or provision by such covered person of a consumer financial product or service” then you are responsible for their compliance with all relevant CFPB requirements. This means the service provider is also responsible to the CFPB and no one gets a free pass.

[Figure: workflow steps: Create Custom Questions; Map Questions with a Framework; Assign Questions to Vendors; Engage Specialists to Review; Produce Compliance Reports; Monitor Vendor Responses (when necessary)]

What do you Need?

• Policies and Procedures
• List of third parties to include activities performed
• Contracts with third parties
• Evidence of due diligence

Where do you Start?

• Risk Assessment
• Develop/enhance policies and procedures
• Continuous monitoring
• Remediation

How Much Evidence is Enough?

• Vendor policies and procedures:
  • Regulatory compliance and CMS overview
  • Compliance training
  • Consumer complaints
  • Information Security
• Types of evidence
  • Training logs
  • Call recordings
  • Third party security reports
  • Performance reports
  • Audited financials
16057 W. Tampa Palms Blvd. | #134 | Tampa, FL 33647 | kirkpatrickprice.com | 800.770.2701