CFPB Says Credit Unions Could Be Responsible for Third-party Actions

Last week, the Consumer Financial Protection Bureau (CFPB) issued a press release reminding its supervised financial institutions that they could be held responsible for the actions of third-party service providers with which they contract. The CFPB’s bulletin details its expectation that supervised financial institutions have an effective process for managing the risk of service provider relationships.

The agency suggested that financial institutions:

  • Conduct adequate due diligence
  • Review vendor policies, procedures, internal controls, and training materials to ensure they meet high standards
  • Inform third-party vendors of their expectations regarding compliance, and of the consequences of noncompliance
  • Establish internal controls and monitoring methods to determine vendor compliance
  • Quickly address any consumer issues that may arise due to vendor actions

While the CFPB does not directly supervise any credit unions headquartered in Washington or Oregon, the region’s regulators do look to the CFPB for guidance and direction in their supervisory efforts. Third-party due diligence and risk management is sure to be a hot topic in the upcoming year.


Questions? Contact the Compliance Hotline: 1.800.546.4465,

Posted in Compliance News, Industry Insight.