Many retailers and OEMs have engaged banks to provide private-label credit to their individual and small-business customers, or have joined with banks in offering them cobranded general-purpose credit. Many other retailers/OEMs have yet to do so. Among the key issues that such an entity should weigh when considering such an initiative is the impact of engaging with an entity that is subject to a different regulatory regime and that likely has a completely different compliance culture.

The bank will be subject to regular examination and comprehensive regulation, including with respect to its engagement and supervision of third parties that assist it in selling its financial products and services and that constitute “service providers” with their own obligations under the CFPA.¹ (For example, Section 1036, proscribing unfair, deceptive and abusive acts and practices, applies to covered persons and service providers.) The bank will be responsible for risk management throughout the term of the lending credit program, and the retailer/OEM may be surprised at the level of formality and reporting expected by the bank’s supervisory agencies—previous PLA posts have discussed regulatory expectations in third party relationships including a recent post on OCC guidance which can be found here. Federal Reserve guidance released on December 5th can be found here.

The retailer/OEM will likely know little of bank regulation, may not be accustomed to regulatory examination or enforcement,² will be surprised and concerned that it could have direct exposure under the CFPA, and may be astonished to learn that—whereas it thought it would be the dominant partner in a relationship with the bank, since the retailer’s brand-equity is what would drive the acquisition of the new financial product or service—it is, from the perspective of the bank’s regulators, essentially a vendor of marketing services that the bank is expected to diligence and supervise closely. Further, the greater the retailer/OEM’s involvement in operating the prospective lending program, the more fully developed a compliance structure the bank will demand. For example, if the bank is in control of most program functions, the bank may only require (in addition to normal contract provisions including termination rights in the event of the retailer/OEM’s uncured breach) that the retailer/OEM take such actions as improving its recordkeeping, submitting to training by bank personnel (in fair lending, for example) and cooperating with audits by the bank’s regulator. The retailer/OEM may be able to push the cost of some or all of these activities back on the bank.

If, however, the retailer/OEM is directly responsible for credit decisioning, collections, and similar core program functions, the bank may expect, in addition to the foregoing, that the retailer will establish formal policies in many areas where it has not previously had them (truth in lending, anti-money laundering, etc.), as well as a compliance structure that includes a chief compliance officer and a committee of senior managers or directors to whom the chief compliance officer will report. The bank may also expect that these policies and structures, as well as the retailer/OEM’s performance of core program functions, will be subject to the bank’s monitoring and control.

This package of risks and obligations can prompt an alienating shock on the part of the retailer/OEM. The retailer/OEM’s consequent reluctance to undertake them may be further accentuated if the bank uses them as leverage in negotiating with the retailer, asserting, for example, that the bank’s demands are driven by regulatory obligations that the retailer doesn’t understand as well as the bank, that all the bank’s other partners have gotten comfortable with these requirements, and so on.

In these circumstances, the retailer/OEM needs advisors capable of evaluating the legitimacy of the bank’s demands, pushing back against the bank where appropriate, and helping establish the policies and structures that may ultimately be required. There is a market for such advice, including, for example, the organizations identified by Visa as “co-brand consultants”. We will offer further reports on this market as events warrant.

¹ While certain legislative history of and provisions in the CFPA indicate that the intent of the legislation was to give the CFPB authority comparable to the authority of Federal banking regulators under the Bank Service Company Act with respect to outsourced services, the CFPA’s definition of the term “service provider” is quite broad and appears to cover more than just entities providing outsourced services. The CFPB has construed very broadly its supervision authority over service providers.
² If the bank has total assets of more than $10 billion, the service provider will be subject to examination and enforcement by the CFPB. If the bank has total assets of $10 billion or less, then the service provider will be subject to examination and enforcement by the Bank’s prudential regulator, unless the service provider provides services to a substantial number of smaller banks or credit unions, in which case it will be subject to examination and enforcement by the CFPB.