Dodd-Frank Financial Reform: New “Systemic Risks” for the BPO Industry
July 30, 2010 by Bierce & Kenerson, P.C.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, H.R. 4173, signed by President Obama on July 21, 2010, invites a rethinking of the traditional outsourcing model in the financial services sector. The new law adopts new requirements to limit systemic financial risks. It calls for new regulations to delineate prohibited transactions and to implement certain new reporting and operational restrictions. The regulations apply to broker-dealers, banks dealing with hedge funds, commodity brokers, swap dealers and participants and credit rating agencies. It establishes a Bureau of Consumer Financial Protection to ensure compliance.
The traditional outsourcing model does not involve legal liability of service providers for legal wrongdoing by their enterprise customers. The Dodd-Frank law shifts the risk profile of service providers in the financial services sector. This could have a chilling effect on outsourcing for financial services companies and their external service providers.
Vicarious Liability for Service Providers. The Dodd-Frank law raises the standards for external service providers who support any regulated financial services.
o It imposes vicarious liability on any service provider processing consumer financial transactions as “aiders and abettors” for operational support in some cases.
o It encourages employees of shared service centers and outsourcers to file claims of violation so that they can reap a bounty in an enforcement case.
o It makes mere “recklessness” the equivalent of a “knowing” violation of:
o the Securities and Exchange Act of 1934, Dodd-Frank, Sec. 929O, amending 15 USC 78t(e);
o the Investment Company Act, Dodd-Frank, Sec. 929M, amending 15 USC 77o; and
o the Investment Advisers Act of 1940, Dodd-Frank, Sec. 929N, amending 15 USC 80b-9.
o It extends the extraterritorial jurisdiction of U.S. courts in enforcement of U.S. securities laws.
Whistleblowers Beyond Sarbanes-Oxley. The Sarbanes-Oxley Act of 2002 protects the employment of “whistleblowers” who report to governmental authorities the employer’s violations of the SOX law. Section 922 of the Dodd-Frank law extends protection of “whistleblowers” by appointing them as bounty hunters against securities law violations by banks, financial services companies, insurance companies (BFSI) and by others including credit rating agencies, investment advisers, investment companies (mutual funds), commodities futures dealers and others.
The bounty would be mandatorily paid where the Securities and Exchange Commission (SEC) brings any administrative or judicial proceeding that results in monetary sanctions exceeding $1.0 million. 15 USC 78a, Sec. 21F, per Dodd-Frank, Sec. 922. Under future SEC regulations to be adopted, bounties will be awarded to individuals for “original information” not known to the SEC from any other source in an aggregate amount of between 10% and 30% of the total amount collected from SEC-imposed monetary sanctions on the wrongdoer. In deciding how much to award, the SEC must consider the significance of the information to the success of the SEC, the degree of assistance by the whistleblower and his or her “legal representative” and the “programmatic interest” of the SEC in deterring future violations of the securities laws.
The new statute explicitly promotes anonymous whistleblowing by contemplating a scenario where the whistleblower is represented by legal counsel. However, identification of the whistleblower is required, but only “prior to payment of the award.”
The statute extends the usual prohibitions against retaliation for initiating, testifying in or assisting in any judicial or administrative proceeding. Specifically, “no employer may discharge, demote, suspend, threaten, harass, directly or indirectly, or in any other manner, discriminate against a whistleblower” in terms of employment, by reason of the whistleblowing. The protection applies to any employer, even if the employer is not the violator of the Dodd-Frank law. This protection expires with a new statute of limitations of six years, but not more than ten years if the “material facts” were not discovered until later. The whistleblower is entitled to reinstatement of employment, 200% of back pay lost plus litigation costs including attorneys’ fees.
The bounty-hunting whistleblower is a new phenomenon. It invites anyone having insider knowledge, including those who process financial transactions under a confidentiality (non-disclosure) agreement, to breach the duty of confidentiality and pursue a bounty by reason of wrongdoing by the client enterprise.
This new law raises the risks for both outsourcers and captives that an employee might become embroiled in whistleblowing. It is not difficult to imagine that an outsourcer’s employee (or captive financial service center’s employee) might identify patterns of trading, and might indeed hear conversations in the course of transactions processing, that might provide evidence of breaches of the new Dodd-Frank restrictions and future SEC implementing regulations.
The bounty-hunting awards were payable for securities violations before the Dodd-Frank act became law. Dodd-Frank, Sec. 924(c).
Aiders and Abettors. The Dodd-Frank law also imposes penalties under the Investment Advisers Act of 1940 (IAA) for anyone who assists a securities violation by a registered investment adviser. Thus, anyone who “knowingly or recklessly has aided, abetted, counseled, commanded, induced or procured a violation of any provision” of the IAA shall be deemed in violation to the same extent as the direct violator. Dodd-Frank, Sec. 929N, amending 15 USC 80b-9, new Sect. 209.
Extraterritorial Jurisdiction of U.S. Courts. The Dodd-Frank law focused on international transactions that could result in violations of U.S. securities laws, even though the “bad acts” are conducted offshore. The new law clarifies and, some would say, extends, the statutory jurisdiction of U.S. federal District Courts to adjudicate any SEC enforcement proceeding alleging a violation of fraud to two international contexts that were somewhat controversial under existing judicial precedents:
o Conduct within the USA that constitutes significant steps in furtherance of the violation, even if the securities transaction occurs outside the USA and involves only foreign investors (i.e., domestic activities); and
o Conduct occurring outside the USA that has a foreseeable substantial effect within the USA (i.e., foreign activities).
In this case, the foreign activities of business intelligence, research, analytics, transaction processing and reporting, customer relationship management, and other tasks could have such a “foreseeable substantial effect.” Thus, foreign activities are subject to US judicial jurisdiction, and the foreign service providers engaged in supporting violations by US persons could be governed by US enforcement jurisdiction for direct wrongdoing, recklessness or “aiding and abetting.”
Shared Services Center or Outsourcer’s Risks under Consumer Financial Protection Laws. Outsourcing contracts allocate the risks and responsibilities for compliance with applicable laws. The Dodd-Frank law puts financial services outsourcing on the radar for possible direct enforcement action against the shared services center or outsourcer.
The Dodd-Frank law enumerates the consumer laws that are covered. These consist of:
(A) the Alternative Mortgage Transaction Parity Act of 1982 (12 U.S.C. 3801 et seq.);
(B) the Consumer Leasing Act of 1976 (15 U.S.C. 1667 et seq.);
(C) the Electronic Fund Transfer Act (15 U.S.C. 1693 et seq.), except with respect to section 920 of that Act;
(D) the Equal Credit Opportunity Act (15 U.S.C. 1691 et seq.);
(E) the Fair Credit Billing Act (15 U.S.C. 1666 et seq.);
(F) the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), except with respect to sections 615(e) and 628 of that Act (15 U.S.C. 1681m(e), 1681w);
(G) the Home Owners Protection Act of 1998 (12 U.S.C. 4901 et seq.);
(H) the Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.);
(I) subsections (b) through (f) of section 43 of the Federal Deposit Insurance Act (12 U.S.C. 1831t(c)-(f));
(J) sections 502 through 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802-6809) except for section 505 as it applies to section 501(b);
(K) the Home Mortgage Disclosure Act of 1975 (12 U.S.C. 2801 et seq.);
(L) the Home Ownership and Equity Protection Act of 1994 (15 U.S.C. 1601 note);
(M) the Real Estate Settlement Procedures Act of 1974 (12 U.S.C. 2601 et seq.);
(N) the S.A.F.E. Mortgage Licensing Act of 2008 (12 U.S.C. 5101 et seq.);
(O) the Truth in Lending Act (15 U.S.C. 1601 et seq.);
(P) the Truth in Savings Act (12 U.S.C. 4301 et seq.);
(Q) section 626 of the Omnibus Appropriations Act, 2009 (Public Law 111-8); and
(R) the Interstate Land Sales Full Disclosure Act (15 U.S.C. 1701).
BFSI outsourcers and shared services centers will be deemed to be providing regulated “financial products or services” if they provide any one or more of the following functions. (There are some exceptions, but for general discussion, the key elements can be summarized here.)
(i) extending credit and servicing loans, including acquiring, purchasing, selling, brokering, or other extensions of credit;
(ii) extending or brokering leases of personal or real property that are the functional equivalent of purchase finance arrangements;
(iii) providing real estate settlement services (other than appraisals);
(iv) engaging in deposit-taking activities, transmitting or exchanging funds, or otherwise acting as a custodian of funds or any financial instrument for use by or on behalf of a consumer;
(v) selling, providing, or issuing stored value or payment instruments;
(vi) providing check cashing, check collection, or check guaranty services;
(vii) providing payments or other financial data processing products or services to a consumer by any technological means, including processing or storing financial or banking data for any payment instrument, or through any payments systems or network used for processing payments data;
(viii) providing financial advisory to consumers on individual financial matters or relating to proprietary financial products, including–
(I) providing credit counseling to any consumer; and
(II) providing services to assist a consumer with debt management or debt settlement, modifying the terms of any extension of credit, or avoiding foreclosure;
(ix) for others, collecting, analyzing, maintaining, or providing consumer report information or other account information, including information relating to the credit history of consumers, used or expected to be used in connection with any decision regarding the offering or provision of a consumer financial product or service.
Conclusion. The Dodd-Frank law requires further regulations, which could be retroactive.
1. Expanding Scope of Vicarious Liability. Service providers and shared service centers face new risks of direct and vicarious liability for performing certain covered financial service activities. As a matter of policy, the Dodd-Frank act raises the question whether, in future laws and regulations, service providers should be exposed to more scenarios of vicarious liability.
2. Living in a Climate Protecting Whistleblowers. Whistleblower laws already protect persons who report violations of tax laws and securities laws. The Dodd-Frank act expands the concept of whistleblowers as tools for law enforcement.
o Employment Law. The Dodd-Frank law pushes the boundaries in the field of employer-employee relations. Every employer now has a duty to avoid discrimination against its employees who become whistleblowers as private spies for governmental enforcement of violations of law. Service providers cannot simply adopt a policy of prohibiting whistleblowing. Rather, they now have to define their policies, procedures and contractual risk management in cases where their customers are potentially violating the laws.
o Contractual Design and Risk Allocation. What should a service provider do if an employee poses questions about a financial service company’s operational compliance with Dodd-Frank? Should the service provider encourage the employee to be a whistleblower?
o Relationship Governance. Can the provider deal with the problem through the existing “relationship governance” framework? What are the possible outcomes and costs of dealing with a “whistleblowing” situation in business process management?
o Termination Management. Does the provider have any contractual rights or remedies to terminate the relationship? What process should be initiated before any such right becomes enforceable? Who pays for transition costs in case of termination for alleged breach by the customer of laws that could inveigle the service provider as an “aider and abettor”?
3. The Service Provider’s Price for Moving up the Value Chain. Today, service providers are moving up the value chain by providing end-to-end transaction processing across business functions that are increasingly regulated. These include service providers’ business intelligence (BI), deductive and predictive analytics, knowledge-process outsourcing (KPO), legal process outsourcing (LPO) and core finance and accounting functions. In this context, service providers need to put “aiding and abetting” and whistleblower management on their radar for risk assessment, policy development and actions to mitigate risks. This will require investment in compliance analytics, workflow definition and contractual reallocation of risk.
4. Insurance. The increased risk profile for servicing the back-office needs of the BFSI market exposes service providers (and their directors and officers) to significant financial liability. Typically, insurance products are developed to spread risks to cover losses from the rare occasion of catastrophic liability. It is time for risk managers to discuss this issue with their legal counsel, insurance brokers and insurance carriers.
Accordingly, in the consumer financial services sector (and other consumer sectors), it is time for reassessment of the business models for outsourcing and shared services. Redesign of the business models will reflect these pinpoint areas of primary legal risks, identify possible avenues for eliminating or mitigating those risks, and redesign the services and contractual risk allocations.
For further discussion of this article, contact William Bierce in New York.
Financial Services Outsourcing: New Roles and Risks under a Consumer Financial Protection Agency
May 18, 2010 by Bierce & Kenerson, P.C.
The financial services industry is facing major regulatory changes following the global sub-prime credit crisis and ensuing recovery plans. These changes will have a major impact on outsourcers that deal with consumer financial information or in back-office support for financial investment transactions that are deemed unfair, deceptive or abusive. The adoption of a new Consumer Financial Protection Agency Act would have a significant negative impact on the risks and costs of outsourcing of IT and business process functions by companies that deal with consumers. It would invite a new view of risk allocation between enterprise customers and independent contractors as outsourcers, increasing the costs of doing business by putting the service provider into a new role of whistleblower. It remains to be seen whether the analysis of public policy in this arena will spill over into other industries and other types of outsourcing.
Draft Consumer Financial Protection Agency Act
As of mid-May 2010, the U.S. Congress was considering possible enactment of financial regulatory reform. Among the proposals is the draft “Consumer Financial Protection Agency Act,” as inserted into another draft law, H.R. 4173, “Wall Street Reform and Consumer Protection Act of 2009,” referred to Senate committee after being enacted by the House. This consumer protection bill was originally H.R. 3126, 111th Cong., 1st Sess.; H. Rept. No. 111-367 (Dec. 9, 2009) (“Draft CFPAA”). As the dissenting Republicans observed in that December 2009 House report:
- Rather than address the failure of banking regulations related to consumer protection and the failure of the States to police activities under their purview (e.g., mortgage brokers and real estate agents), the proposed legislation to create the CFPA seeks to consolidate the consumer protection jurisdiction of all banking regulators into one new agency and regulate many new activities and persons that largely are unrelated to the financial markets or the crisis of 2008. (Dissenting views).
General Scope. If enacted, this proposed reform would transfer enforcement of consumer financial protection laws from various existing agencies (including the SEC). The new commission would regulate:
(1) brokers and dealers registered under the Securities Exchange Act of 1934;
(2) investment advisers under the Investment Advisers Act of 1940;
(3) investment companies (mutual funds) under the Investment Company Act of 1940;
(4) national securities exchanges under the ’34 Act;
(5) a transfer agent under the ’34 Act;
(6) clearing corporations under the ’34 Act;
(7) municipal securities dealers and self-regulatory organizations registered with the SEC;
(8) national securities exchanges and the Municipal Securities Rulemaking Board.
Regulation of “Financial Activity.” Under H.R. 4173, Sec. 4002 (19) (A), the term “financial activity” means any of many activities. (The list is long, so we have put it in a separate document.)
Liability of “Covered Persons” and “Related Persons.” Under the proposed law, a “covered person” subject to regulation would include “any person who engages directly or indirectly in a financial activity, in connection with the provision of a consumer financial product or service.” This definition is so broad, and governmental involvement in financial operations so extensive, that the draft specifically excludes the Secretary, the Department of the Treasury, any agency or bureau under the jurisdiction of the Secretary (H.R. 4173, Sec. 4002 (9)(A)(B)), or any federal tax collector.
Vicarious Liability on Certain “Consultants” and “Independent Contractors.” The proposed law would treat “related persons” in the same manner, and impose the same punishments, as for “covered persons.” By adopting a sweeping definition of “covered person” and an equally sweeping definition of “related person,” the proposed law puts outsourcers at risk of direct liability for merely doing the tasks assigned under a Master Services Agreement in the ordinary course of business. There would be a distinction between consultants and service providers. A “related person” would include either:
- a “consultant” that the new Consumer Financial Protection Commission determines (whether by regulation or on a case-by-case basis) “materially participates in the conduct of the affairs of such covered person” (H.R. 4173, Sec. 4002 (33)(A)(ii)); or
- “any independent contractor (including any attorney, appraiser, or accountant), with respect to such covered person, who knowingly or recklessly participates in any–(I) violation of any law or regulation; or (II) breach of fiduciary duty.” (H.R. 4173, Sec. 4002 (33)(A)(iii)).
Liability of Outsourcers for “Unfair, Deceptive or Abusive Acts or Practices.” The proposed Consumer Financial Protection Agency Act would not require “related persons” to register with the commission. However, they would be liable for “unfair, deceptive or abusive act or practice in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.” (H.R. 4173, Sec. 4301(a)). The proposed law would impose federal criminal liability on anyone (including outsourcers as “related persons”) if they are shown to “knowingly or recklessly provide substantial assistance to another person in violation” of the new statute and regulations on “unfair, deceptive or abusive acts or practices.” “Related persons” would be “deemed to be in violation of that section to the same extent as the person to whom such assistance is provided.” (H.R. 4173, Sec. 4308(3)).
Outsourced Business Functions that Would be Exempt. The draft law would exclude certain functions that are typically outsourced from the scope of “financial activity” that would be regulated.
- “Financial data processing” would be excluded from the definition of “financial activity.” H.R. 4173, Sec. 4002(19)(A)(xi). However, even assuming that the mechanical conditions of processing were satisfied under this exclusion, there remains a subjective standard that could ensnare the outsourcer in an ITO or BPO context: Does the outsourcer provide “a material service to any covered person in connection with the provision of a consumer financial product or service”? (H.R. 4173, Sec. 4002 (19)(A)(xi)(II)(cc))
- Providing certain “information products or services” that are “incidental and complementary” to any activity that the new commission defines as a “financial activity” would be excluded. (H.R. 4173, Sec. 4002 (19)(A)(xvi)(I)(bb)) Specifically, there would be no regulation of such ITO or BPO services that are for identity authentication, fraud or identity theft detection, prevention, or investigation; document retrieval or delivery services; public records information retrieval; or for anti-money laundering activities. That exposes BPO providers of other business functions, such as mortgage and credit card origination, credit verification, and virtually everything else that is not clearly excluded by the draft law.
Neither of these exclusions addresses the growing use by the financial services industry of third party ITO, BPO and LPO services for labor-intensive or labor-value services. This draft law could bring vicarious liability for providers of such services, as due diligence for investment banking and finance usually has some consumer financial impact, whether in the design of analytics, the design and structuring of financial products or services, or document review in an acquisition, divestiture or financing (where “consumers” might be investors in one of the deal participants).
Outsourcers as Auditors and Whistleblowers: The “Knowing or Reckless” Standard of Care for Outsourcers. The draft law would cover independent contractors providing services in support of “financial activity,” but only if their conduct were “knowing” or “reckless.” This standard could establish vicarious liability when the outsourcer “knew” that its actions would be unfair, deceptive or abusive, or because the outsourcer failed to become informed on the legality of its support for its financial institution customer’s unfair, deceptive or abusive practices. In effect, the consultants and outsourcers (other than data transmitters) are enlisted as surrogate auditors and whistleblowers with a duty to cease rendering their services if they “knowingly” or “recklessly” participate in their customer’s unfair, deceptive or abusive practices.
Additional Costs of Outsourcing. This role would be a new one. It would entail additional costs of legal reviews and audits by the service provider’s own independent regulatory experts (more lawyers and accountants) and additional premiums for new “directors and officers” liability insurance (if indeed such insurance would cover such vicarious liability). It would add hidden costs on the outsourcer that would have to be added to the service charges in order to segregate service costs from legal compliance costs.
Additional Risks of Termination. Under these circumstances, regulated financial institutions and financial service enterprises would face the risk that a whistleblowing outsourcer could unilaterally terminate an ITO or BPO services agreement. Lawyers would argue about the conditions and consequences of when an outsourcer could do so. Relationship governance would involve a new discussion about illegality.
- Service providers would want the right to terminate if, in their good faith opinion, the enterprise customer was engaged in any violation of this draft law or its regulations.
- Financial services enterprises would want a slower trigger. One can imagine a series of steps that delay termination, with notices, opportunity to cure, maybe an independent legal opinion as a letter of comfort (thus escaping “recklessness” as a risk but not necessarily escaping “knowingly” risk).
Due Diligence Process. If this draft law is enacted, it would force service providers to clients engaged in any “financial activity” to conduct due diligence into the legality of the proposed customer’s business practices for the protection of consumers’ financial rights. Such an investigation would normally include questions about existing and future practices as well as information on the actions or recommendations of incumbent service providers who might have sought termination to avoid vicarious liability.
Adverse Impact on Business Process Transformation, Process Change and Operational Innovation. The draft law would impose direct liability on “consultants” who “materially participate” in a financial business. The concepts of “materiality” and “participation” are so broad that any outsourcer who administers any of the “affairs” of its enterprise customer will be treated as such a “consultant” if the outsourcer proposes changes in the “covered person’s” business. This would stifle any proposals by outsourcers for business process transformation, even simple process changes, since the outsourcer might no longer be treated under the “independent contractor” standard of knowing or reckless violation or breach of fiduciary duty.
Spill Over to Other Industries and Outsourcing Services. For perhaps the first time, the draft CFPAA raises the specter of service providers worrying about the risk of vicarious liability because they support a criminal enterprise. “Aider and abettor” liability exists already in relation to the sale or distribution of “securities.” The question now is whether service providers should change their current practices and contract risk allocation in light of such a specter. Informed executives will get more information as this political process unfolds.