On October 26, the CFPB reissued its guidance on service providers in the Federal Register. The previously issued guidance was titled “CFPB Bulletin 2012-03: Service Providers.” It is now titled “Compliance Bulletin and Policy Guidance 2016-02” (Service Provider Bulletin).

The Bureau explains that the amendment “is needed to clarify that supervised entities have flexibility [in their risk management program for service providers] and to allow appropriate risk management.” The amended language is as follows:

“The Bureau expects that the depth and formality of the entity’s risk management program for service providers may vary depending upon the service being performed-its size, scope, complexity, importance and potential for consumer harm – and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. While due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable, as discussed above.”

The phrase “as discussed above” refers to the section of the Service Provider Bulletin that indicates that the CFPB will examine not only supervised entities, but their service providers as well. And if the Bureau finds that the service provider is not complying with Federal consumer financial laws when interacting with the supervised entity’s customers, the Bureau may hold both entities accountable.

While past CFPB Bulletins have been published in the Federal Register, it appears that the Bureau did not publish CFPB Bulletin 2012-03 when it was originally issued. Accordingly, the Service Provider Bulletin contains a section on regulatory requirements stating that the “Compliance Bulletin and Policy Guidance is a non-binding general statement of policy articulating considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority.” As such, the Service Provider Bulletin is exempt from notice and comment rulemaking requirements under the Administrative Procedure Act.