Vendor Compliance Management Series: Where To Start?
There needs to be a full chain of custody, as the CFPB expects you to “oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law….” For example, if you have “any person (i.e. service provider) that provides a material service to a covered person (i.e. you) in connection with the offering or provision by such covered person of a consumer financial product or service,” then you are responsible for their compliance with all relevant CFPB requirements. In essence, both parties are responsible for upholding the requirements of the CFPB.
For your vendor compliance management program to meet these requirements, it will need to include the following required components:
- Due diligence in vendor selection and onboarding
- Ongoing risk assessment
- Contractual requirements
- Audit plan
- List of third parties, including a description of services performed
- Third party contracts
- Statement of Work or Service Level Agreements
- Third parties’ SOC 1 reports, PCI RoC, etc.