Swell Privacy Policy

Effective Date: August 2023

INTRODUCTION

THIRD-PARTY SERVICE PROVIDER RISK MANAGEMENT POLICY

Swell Energy Inc. (together with its affiliates, “Swell” or the “Company”) and its board of directors (“Board”) are committed to adhering to the highest standards in providing solar energy systems and related electricity, leasing, credit, and other services. To produce the highest quality product and customer service, Swell is committed to complying with all applicable federal and state consumer finance laws and regulations and regulatory guidance, including ensuring compliance when Swell uses third-party service providers.

SCOPE OF POLICY AND APPLICABILITY

This Policy applies to using third-party service providers to deliver, market or service the consumer credit products provided through Swell.

REGULATORY GUIDANCE OVERVIEW

The Consumer Financial Protection Bureau (“CFPB”) and the federal banking agencies have issued guidance for financial institutions and financial services companies on best practices for managing the risk of using third-party service providers (“TPSPs”) in delivering consumer financial products and services. In general, those agencies state that the Board and senior management are ultimately responsible for managing activities conducted through TPSPs, and for identifying and controlling the risks arising from such relationships, just as if Swell handled the activity itself. The regulatory guidance provides a framework for effective oversight and risk management of TPSPs.

This section provides an overview of regulatory guidance provided by the CFPB and Interagency Guidance issued by the federal banking agencies (including the FDIC) on expectations for TPSP risk management.

CFPB Guidance

The CFPB recognizes that using TPSPs is often an appropriate business decision for supervised banks and nonbanks. Companies may outsource certain functions to service providers due to resource constraints, use service providers to develop and market products or services, or rely on expertise from service providers that would only be available with significant investment. That a company enters into a business relationship with a service provider, however, does not absolve Swell from responsibility for complying with federal consumer financial protection laws and regulations to avoid consumer harm. Therefore, the CFPB expects supervised banks and nonbanks to have a process for managing TPSP relationship risks.

An effective compliance management system includes proper oversight of TPSPs directly interacting with consumers and/or customers or managing confidential financial customer data. CFPB-supervised companies are expected to provide oversight for their TPSPs to ensure they comply with federal consumer financial laws and regulations that are designed to protect consumers' interests and avoid consumer harm.

On October 31, 2016, the CFPB amended and reissued Bulletin 2016-02 on Service Providers (the “Bulletin”), which was originally issued as CFPB Bulletin 2012-03. In the Bulletin, the CFPB recognized the need for supervised entities to outsource functions to TPSPs, explained that the CFPB has supervisory, examination and enforcement authority over such TPSPs, and set forth, at a high level, the Bureau’s expectations as to how supervised entities should manage the risks of TPSP relationships. The Bulletin states that the CFPB will “exercise the full extent of its supervision authority” over supervised TPSPs, including its authority to examine for compliance with “UDAAP” laws prohibiting unfair, deceptive and abusive acts and practices. The Bulletin further states that the CFPB will exercise its enforcement authority against supervised TPSPs “as appropriate.”

The Bulletin explains that supervised entities need to ensure that their business arrangements with TPSPs do not present unwarranted risks to consumers. To limit the potential for statutory or regulatory violations and related consumer harm, regulated entities should take the following steps:

● Conduct thorough due diligence on each TPSP to verify that it understands and is capable of complying with federal consumer financial law;

● Request and review the TPSP’s policies, procedures, internal controls, and training materials to ensure that the TPSP conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;

● Include in the contract with the TPSP clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive or abusive acts or practices;

● Establish internal controls and ongoing monitoring to determine whether the TPSP is complying with federal consumer financial law; and

● Take prompt action to address fully any problems identified through the monitoring process, including terminating the TPSP relationship where appropriate.

TPSP relationships are addressed throughout the CFPB’s Supervision and Examination Manual. The CFPB expects the Board and senior managers of Swell to demonstrate clear expectations about compliance to TPSPs; ensure that TPSPs with customer contact or compliance responsibilities are appropriately trained; address and resolve complaints regarding TPSPs; review the discipline policies and records of disciplinary actions of TPSPs; review how TPSPs compensate their employees; monitor TPSPs that market products to an entity’s customers for UDAAP violations; and ensure TPSPs adhere to the entity’s privacy policy.

Interagency Guidance

On June 6, 2023, the FDIC, Office of the Comptroller of the Currency (“OCC”), and Federal Reserve Board (“FRB”) (collectively, the “agencies”) issued Interagency Guidance on Third-Party Relationships: Risk Management, FIL-29-2023 (the “Interagency Guidance”). The Interagency Guidance provides sound principles that support a risk-based approach to third-party risk management that banking organizations should consider when developing and implementing risk management practices for third-party relationships.

The Interagency Guidance rescinds and replaces the FDIC’s Guidance for Managing Third-Party Risk issued in 2008. Furthermore, because the Interagency Guidance addresses all types of third-party relationships, including lending arrangements, the FDIC withdrew its 2016 Proposed Guidance.

The principles outlined in the Interagency Guidance are designed to support effective third-party risk management for all types of third-party relationships regardless of how they are structured. The Interagency Guidance is also intended to promote a consistent approach to supervision among the agencies. The Interagency Guidance is largely based on the OCC’s previous third-party risk management guidance, which was more prescriptive and detailed than the FDIC’s or FRB’s prior guidance.

The Interagency Guidance broadly defines third-party relationships to include “any business arrangement between a banking organization and another entity, by contract or otherwise,” and states that a third-party relationship may exist even in the absence of a contract or remuneration. The Interagency Guidance notes that the term “business arrangement” is intended to be interpreted broadly and is synonymous with the term “third-party relationship.” Third-party relationships may include, but are not limited to, outsourced services, use of independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, joint ventures and bank partnerships with financial technology (fintech) companies.

The FRB has stated that the Interagency Guidance does not impose any new requirements on banking organizations. Instead, it is intended to assist banking organizations in identifying and managing risks associated with third-party relationships and in complying with applicable laws and regulations through detailed guidance and examples. The Interagency Guidance is meant to provide flexibility to banking organizations in tailoring and implementing third-party risk management practices commensurate with each bank’s size, complexity, risk profile and the nature of its third-party relationships.

The Interagency Guidance states that banking organizations’ use of third parties, especially those using new technologies, may present elevated risks to banking organizations and their customers, including operational, compliance, and strategic risks. Regardless of risk level, the Interagency Guidance notes that banking organizations are ultimately responsible for ensuring that any activities conducted through third parties occur soundly and safely and in compliance with applicable laws and regulations, including those designed to protect consumers and address financial crimes.

The Interagency Guidance is organized into four parts:

● Risk Management

● Third-Party Relationship Life Cycle

● Governance

● Supervisory Reviews of Third-Party Relationships

A. Risk Management

The agencies acknowledge that not all third-party relationships present the same level of risk, so all such relationships do not require the same level or type of oversight or risk management approach. As part of sound risk management practices, each banking organization is responsible for analyzing the risks associated with each third-party relationship and tailoring its risk management processes to be commensurate with the bank’s size, complexity and risk profile, and the nature of the relationship.

Banking organizations are expected to engage in “more comprehensive and rigorous oversight of third-party relationships that support higher risk activities, including critical activities.” Critical activities include activities that could:

1. cause a banking organization to face significant risk if the third party fails to meet expectations;
2. have considerable customer impacts; or
3. have substantial impacts on the bank’s financial condition or operations.

Each banking organization is responsible for establishing a sound method for identifying critical activities and third-party relationships that support these critical activities.

The Interagency Guidance further describes key elements of risk management as:

● Maintaining a complete inventory of all third-party relationships and periodically conducting risk assessments for each relationship; and

● Applying a sound method to designate which activities or relationships require more comprehensive oversight.

B. Third-Party Relationship Life Cycle

The Interagency Guidance explains that effective third-party risk management generally consists of a five-stage life cycle:

● Planning for a relationship by evaluating and considering how to manage risks before entering into a third-party relationship

● Due diligence and third-party selection

● Contract negotiation

● Ongoing monitoring

● Termination

For each life cycle stage, the Interagency Guidance discusses a series of factors that a banking organization typically considers, depending on the degree of risk and complexity presented by the third-party relationship. The Interagency Guidance also notes the importance of involving staff with requisite knowledge and skills in each stage of the risk management life cycle and experts across disciplines such as legal counsel, compliance, risk, and technology. Banking organizations may also engage external support when helpful to supplement the qualifications and technical expertise of in-house staff.

C. Governance

The Interagency Guidance acknowledges that there are a variety of ways for banking organizations to structure their third-party risk management processes and thus does not prescribe how a bank should structure its third-party risk management governance process. Instead, the Interagency Guidance discusses three components of governance – oversight and accountability, independent reviews, and documentation and reporting – which serve as an overlay across the third-party relationship life cycle.

● Oversight and accountability: A banking organization’s board of directors is ultimately responsible for oversight of third-party risk management and holding management accountable. The board should provide clear guidance on acceptable risk appetite, approve appropriate policies and ensure that policies and procedures are established. Management is primarily responsible for developing and implementing appropriate policies, procedures and practices to manage third-party risk.

● Independent reviews: The Interagency Guidance underscores the importance of conducting periodic independent reviews to assess the adequacy of third-party risk management processes, and provides several factors considered in such reviews. In addition to reviewing the third party’s alignment with the bank’s business strategy, policies and procedures, the reviews should also assess adequacy of the design and operation of the bank’s own processes and controls.

● Documentation and reporting: The Interagency Guidance encourages banking organizations to maintain an inventory of all third-party relationships (and, as appropriate, related subcontractors) that clearly identifies relationships associated with higher-risk activities, including critical activities. The Interagency Guidance advises a banking organization to properly document and report on its third-party risk management processes and specific relationships throughout the life cycle. While documentation will vary based on the risk and complexity of third-party relationships, it may include items listed in the Interagency Guidance.

D. Supervisory Reviews of Third-Party Relationships

Each agency intends to review the banking organization’s risk management of third-party relationships as part of its standard supervisory process. The scope of the supervisory review will depend on the degree of risk and the complexity associated with the banking organization's activities and third-party relationships.

Examiners will conduct the following activities as part of their review:

● Assess the ability of the banking organization’s management team to oversee and manage third-party relationships;

● Assess the impact of third-party relationships on a banking organization’s risk profile and key aspects of financial and operational performance, including compliance with applicable laws and regulations;

● Perform transactional testing or review the results of testing to evaluate activities performed by the third party and assess compliance with applicable laws and regulations;

● Highlight and discuss any material risks and deficiencies in the risk management process with senior management and the board;

● Review the banking organization’s plans for remediation of any deficiencies, particularly those associated with oversight of third parties involving critical activities; and

● Consider supervisory findings when assigning the components of ratings systems.

The Interagency Guidance clarifies that, when circumstances warrant, an agency may use its legal authority under the Bank Service Company Act to examine functions or operations that a third party performs on a banking organization’s behalf. Such examinations may evaluate the third party’s ability to fulfill its obligations in a safe and sound manner and comply with applicable laws and regulations, including those designed to protect customers and to provide fair access to financial services. If needed, the agency may pursue corrective measures against the third party.

In summary, the Interagency Guidance demonstrates the heightened scrutiny that the federal banking agencies are applying to third-party relationships, and bank partner programs in particular, as well as the potential vulnerabilities the agencies envision in banks managing those relationship risks. The Interagency Guidance will likely require banks to revisit existing risk management processes they apply to their partners throughout the third-party relationship life cycle and thoroughly document those processes or face regulatory criticism.

While Swell is not directly required to comply with the Interagency Guidance, its bank partners are, and thus Swell should seek to comply with it, as appropriate, to assist its bank partners with their compliance efforts.

THIRD-PARTY SERVICE PROVIDER OVERSIGHT AND RISK MANAGEMENT POLICY STATEMENT

The Board will provide oversight for all of Swell’s TPSPs, ensuring that a TPSP risk management program is developed and maintained, and holding management accountable. The Board will provide clear guidance to management on acceptable risk appetite, approve appropriate policies, and ensure that policies and procedures are established. Management is primarily responsible for developing and implementing appropriate policies, procedures and practices to properly manage third-party risk.

Appropriate oversight and management for Swell’s TPSPs, including subcontractors, will occur across the third-party relationship life cycle, which consists of the following stages:

● Planning for a third-party relationship;

● Due diligence and the TPSP selection process;

● Contract negotiation and entering into written agreements;

● Ongoing monitoring of TPSPs; and

● Termination.

Following sound risk management practices, Swell will maintain a complete inventory of all TPSPs that clearly identifies relationships associated with higher risk activities, including critical activities, and periodically conduct risk assessments for each relationship. Specifically, Swell will analyze the risks associated with each TPSP relationship and tailor its risk management processes to be commensurate with its size, complexity and risk profile, and the nature of the relationship. More comprehensive oversight will be provided for TPSPs that engage in higher risk activities, including critical activities. Swell will establish a sound methodology for identifying critical activities and third-party relationships that support such activities.

Swell recognizes that it must take steps to ensure that all of its TPSPs operate in a safe and sound manner and fully comply with applicable laws and regulations. To that end, Legal and Compliance, as well as other staff with appropriate knowledge and expertise (e.g., Risk and IT), should be involved in the planning process, due diligence and selection of each TPSP, contract negotiations, ongoing monitoring and auditing of all TPSPs, and the decision process to terminate a TPSP relationship. Legal and Compliance involvement is particularly necessary in the life cycle for any TPSPs that will receive confidential customer data or directly interact with consumers and customers (e.g., home improvement contractors or companies marketing products directly to customers, answering customer service calls or servicing and/or collecting customer loans).

Legal and Compliance should work with the leaders of each business unit that seeks to hire a TPSP to ensure that the following steps are taken:

1. Planning

Before the TPSP is hired, planning for the relationship should occur by evaluating and considering how to manage risks before entering into a third-party relationship.

2. Due Diligence

After appropriate TPSP candidates are identified, due diligence should be performed where the scope and depth of the diligence is consistent with the level of risk and complexity of the third-party relationship and the services to be performed by the TPSP. Due diligence should include assessing the TPSP’s ability to perform the activity as expected, adhere to Swell’s policies related to the activity, comply with all applicable laws and regulations, and conduct the activity in a safe and sound manner.

As part of this diligence effort, the following materials should be reviewed:

● The licenses required to engage in the activity to be performed.

● Complaints lodged against the TPSP by consumers.

● Lawsuits filed against the TPSP.

● Reports prepared by regulators who have audited the TPSP (if available under applicable law).

● Any “gripe” websites targeting the TPSP.

● Sample scripts and/or customer-facing documents.

● Compliance policies.

● Information on how TPSP employees are compensated (particularly when the TPSP is hired to market to customers and prospective customers).

The adequacy of the TPSP’s compliance resources (including its compliance staff) should also be considered.

As part of the due diligence process, Swell should either review the TPSP’s own policies, procedures and training materials or provide its own materials. These materials should demonstrate or produce an awareness of the federal consumer protection laws applicable to the TPSP’s business and an understanding of the TPSP’s responsibilities under these laws. Such policies, procedures, and training materials should also be reviewed after an event that may require their amendment (e.g., a change in the law, an enforcement action against a competitor or the discovery of significant compliance issues through monitoring or an audit). For contractors that do not have adequate policies and training materials, Swell may provide its own policies and training for adoption by the contractor.

3. Contract Negotiation and Written Agreements

Swell must understand the benefits and risks associated with engaging third parties, particularly before executing contracts involving higher-risk activities, including critical activities. As part of its oversight responsibilities, the Board should be aware of and, as appropriate, may approve or delegate approval of contracts involving higher-risk activities. Legal counsel should review any contract with a TPSP that concerns higher-risk or critical activities.

Swell should negotiate contract provisions that will facilitate oversight and effective risk management, and specify Swell’s expectations and obligations of the TPSP. The level of detail and comprehensiveness of contract provisions should be based on the risk and complexity posed by the particular TPSP.

The written agreement governing the relationship with the TPSP should address the nature and scope of the business arrangement (including the rights and responsibilities of each party); performance measures or benchmarks; responsibilities for providing, receiving and retaining information; the right of Swell to audit the TPSP and require remediation; the TPSP’s responsibility to comply with applicable laws and regulations (including consumer financial protection laws, as well as the right to monitor and be informed about the TPSP’s state of compliance); costs and compensation; ownership and licenses; confidentiality and integrity issues arising out of shared use of customer information, non-public information, and access to infrastructure (including disclosure of information security breaches or unauthorized intrusions); operational resilience and business continuity plans; indemnification and limits on liability; insurance; dispute resolution; how complaints and inquiries received by the TPSP from Swell’s customers should be properly handled; and default and termination.

In particular, the agreement between a critical or high-risk TPSP and Swell must give Swell broad supervision and monitoring rights, including the ability to require the TPSP to share documents and information bearing on the TPSP’s compliance with applicable federal and state law (e.g., policies and procedures, training materials, employee compensation, exam findings, inquiries by regulators or government officials, threatened lawsuits, internal audit findings). The agreement should also give Swell the right to demand from the TPSP all advertising and marketing materials and all cost, production and savings estimates. Also see Swell’s Advertising and Marketing Policy for additional marketing and advertising requirements applicable to Swell and TPSPs.

For TPSP relationships that involve subcontracting arrangements, Swell may wish to address when and how the TPSP should provide notification of its use, or intent to use, a subcontractor and whether specific subcontractors are prohibited. Another important consideration is whether the contract should prohibit assignment, transfer or subcontracting of the TPSP’s obligations to another entity without Swell’s consent. Where subcontracting is integral to the activity being performed, Swell should consider more detailed contractual obligations, such as reporting on the subcontractor’s conformance with performance measures, periodic audit results, and compliance with laws and regulations. Where appropriate, Swell may consider including a provision that states the TPSP’s liability for activities or actions by its subcontractors and which party is responsible for costs and resources required for any additional monitoring and management of subcontractors. Swell should also reserve the right to terminate the contract without penalty to Swell if the TPSP’s subcontracting arrangements do not comply with contractual obligations.

As relevant, contracts should stipulate that the performance of activities by TPSPs for Swell is subject to regulatory examination and oversight, including appropriate retention of, and access to, all relevant documentation and other materials. This type of provision will help ensure that a TPSP is aware of its role and the potential liability in its relationship with Swell.

4. Ongoing Monitoring

Swell will monitor TPSPs throughout the duration of a TPSP relationship, commensurate with the level of risk and complexity of the relationship and the activity performed by the TPSP. Ongoing monitoring may be conducted on a periodic or continuous basis, and more comprehensive or frequent monitoring may be appropriate when the TPSP supports higher-risk activities, including critical activities.

Monitoring activities may include:

  1. Reviewing reports regarding the TPSP’s performance and the effectiveness of its controls.
  2. Periodic visits and meetings with TPSP representatives to discuss performance and operational issues.
  3. Regular testing of Swell’s controls that manage risks from its TPSPs, particularly for higher-risk activities, including critical activities.

In certain circumstances and based on risk, Swell may also directly test the TPSP’s controls.

Swell should monitor the TPSP’s activities for violations of consumer financial laws. This can be accomplished by remotely listening to calls or randomly reviewing customer communications; reviewing customer complaints related to the TPSP’s services; establishing “secret shopper” programs; reviewing any marketing materials generated by the TPSP and sent to Swell’s customers; and conducting compliance audits of the TPSP on a periodic basis.

For efficiency or to leverage specialized expertise, Swell may engage external resources to conduct monitoring or collaborate with an external party to perform ongoing monitoring. To support effective monitoring, Swell will dedicate sufficient staffing with the necessary expertise, authority, and accountability to perform a range of ongoing monitoring activities.

Swell should promptly act if Swell discovers, whether through Swell’s monitoring efforts or through disclosure by the TPSP, that the TPSP has violated consumer financial laws. Depending on the severity of the violation, how the TPSP responded when it first learned about the violation, how the violation affects Swell’s customers, the TPSP’s history of compliance, and the ability of Swell and TPSP to safeguard against similar future violations, Swell should consider terminating the TPSP or requiring the termination of TPSP employees who contributed to the violation.

Before any significant TPSP relationship is established, senior executive approval should be sought. Significant relationships involve those TPSPs that engage in direct customer contact, receipt of sensitive customer information and/or performance of critical activities. Compliance should keep a record of Swell’s most significant TPSP relationships, any due diligence summaries prepared on such TPSPs, Swell’s agreements with such TPSPs, any audit reports on such TPSPs, a record of any consumer or customer complaints about the TPSP and any written reports to the Board regarding TPSPs. At least annually, Compliance should report to the Board on Swell’s most significant TPSP relationships and the results of monitoring efforts by Swell and/or external parties.

Compliance should be notified immediately if monitoring efforts, customer complaints or audits reveal a material violation of law by the TPSP. If continuing or significant violations occur, Compliance should notify senior management and the Board to determine an appropriate response by Swell.

5. Termination

TPSP relationships may be terminated for various reasons, such as expiration or breach of the contract, the TPSP’s failure to comply with applicable laws and regulations, or a desire to seek an alternative TPSP, bring the activity in-house, or discontinue the activity. When this occurs, it is important for Swell management to terminate the relationship efficiently, whether the activities are transitioned to another TPSP, brought in-house, or discontinued. Depending on the degree of risk and complexity of the TPSP relationship, Swell will consider the following factors to facilitate termination, among others:

● Options for an effective transition of services, such as an alternate TPSP to perform the activity;

● Relevant capabilities, resources, and the timeframe required to transition the activity to another TPSP or bring the activity in-house while managing legal, regulatory, customer, and other impacts that might arise;

● Costs and fees associated with termination;

● Managing risks associated with data retention and destruction, information system connections and access control or other control concerns that require additional risk management and monitoring after the end of the third-party relationship;

● Handling of joint intellectual property; and

● Managing risks to Swell, including any impact on customers, if the termination occurs because the TPSP did not meet expectations.

Additional Requirements Applicable to Contractors

This Policy applies fully to contractors seeking financing for their customers through Swell and its partner financial institutions. Because of the importance of these contractors to Swell’s success, and because of the large number of contractor relationships Swell may have over time, Swell believes that special consideration is warranted for contractors. Proper oversight and management of contractors installing solar energy systems is critical to Swell’s mission to assist consumers in obtaining clean, affordable power.

When contractors operate responsibly and capably, everyone profits. Conversely, when contractors fail to perform up to consumer expectations or contractual requirements or when they engage in unfair, deceptive or other unlawful acts and practices, consumers can be injured and Swell’s reputation can suffer. In addition, contractor misconduct, whether through affirmative misconduct or omissions, can also result in economic loss to Swell. That is because consumers whose expectations are not met are less likely to pay their loans. Moreover, when contractors refer consumers to Swell and its financial institution partners for loans, the Federal Trade Commission (“FTC”) “holder rule” provides that claims and defenses the consumer could assert against the contractor, as the seller of the solar energy systems financed through Swell, can be asserted against the holder of the loan agreement, not just against the contractor. The FTC expects Swell to play a proactive role in policing and preventing seller (that is, contractor) wrongdoing. So do other government authorities, including the CFPB and the federal bank regulatory agencies with jurisdiction over Swell’s financial institution partners.

Swell adopts a multi-pronged strategy to ensure proper functioning of its contractor network, involving

  1. rigorous vetting through due diligence and onboarding,
  2. responsible contracting,
  3. compliance training,
  4. ongoing monitoring, and
  5. disciplinary measures, up to and including termination.

Vetting and Onboarding

The first step in assuring acceptable contractor performance is for Swell to undertake best efforts to ensure that Swell only does business with honest, competent and legally responsible contractors. To this end, Swell will conduct thorough due diligence on each contractor focusing on four categories: reputational risk, financial risk, operational risk, and compliance. Swell’s due diligence process starts with a standardized application and enrollment form addressing such matters as:

  1. financial performance and strength,

  2. period in operation,

  3. current and past lawsuits and regulatory proceedings for the contractor and its principals (including officers, directors, managers, partners and substantial equity-holders),

  4. Better Business Bureau (“BBB”) and other significant complaints,

  5. licenses and bonds,

  6. insurance,

  7. BBB ratings,

  8. references, and

  9. use of subcontractors.

Swell will require contractors to provide a completed enrollment form and questionnaire, together with organizational documents, financial statements, copies of required licenses and bonds, BBB and regulatory complaints and responses, and form work orders or home improvement contracts (“HICs”). Swell reviews D&B reports to understand the contractor’s financial strength and working capital management, as well as to identify any liens or filings that would encumber the contractor’s ability to make payments. Swell also will perform Google or similar searches on the contractor and/or its principals and review websites of government authorities that post complaints and/or enforcement actions concerning licensees.

Obtaining an acceptable level of assurance that a contractor’s HIC form complies with applicable law is particularly challenging, and requires an appropriate balance between compliance and competitive considerations, in particular the risk that contractors might view Swell’s process as unduly burdensome.

Swell’s legal and compliance team (potentially including outside counsel, as warranted) will review applicable state home improvement contracting laws to determine whether there exist specified notice or other requirements for HICs in the state. Given that Swell does not merely function as an intermediary between contractors and financing sources but also serves itself as a solar energy system installer, it has a considerable head-start in its knowledge of applicable contracting laws.

Legal and Compliance will develop a HIC checklist for each state, and onboarding personnel will determine whether each contractor’s standard HIC contains the necessary contract elements set forth on the checklist. When in doubt, onboarders will be required to raise their concerns with legal or compliance personnel. Where a variance is identified, the contractor will be required to modify its standard HIC to conform with the law. While this requirement could create friction with some installers, Swell will attempt to minimize this potential problem by presenting the HIC review as a “value-add” benefit of doing business with Swell. As an alternative to this process, Swell may make its own HIC form available to contractors for their own use—another value-add for contractor partners.

Contracting

Swell will require each contractor doing business with it to enter into an agreement with Swell. Standardized contract provisions will include representations and covenants about the accuracy of information provided to Swell, clear expectations concerning compliance with applicable laws and regulations, including consumer financial protection laws and regulations (including UDAAP and fair lending laws), workmanship, complaints and marketing, as well as provisions addressing the application and document execution process, compensation (e.g., contractor fees paid to Swell for arranging financing on specified terms), sharing of documents and information with Swell, audits by Swell, its financial institution partners and supervisory authorities, training, consequences of contractor wrongdoing, and other matters. Contractors will be required to certify that all HICs will be on forms previously vetted and approved by Swell or legal counsel. Swell will have no obligation to continue doing business with any contractor that fails to meet its standards.

Training

Swell will develop training materials for its own personnel and for contractors regarding the products and financing offered through Swell and related compliance obligations (such as giving consumers verbal notice of their right to cancel HICs and loan agreements and prohibitions on the use of marketing material that is not produced or approved by Swell). All contractor personnel who interface with the public will be required to take Company-produced compliance training as part of the onboarding process before submitting loan applications and to undertake further compliance training periodically thereafter as directed by Swell.

Monitoring

Swell will monitor the performance of contractors through multiple mechanisms, including phone calls to consumers designed to assess customer satisfaction and understanding of information provided by the contractor to the customer, as well as the contractor’s compliance with Swell’s requirements as set forth in the agreement between the parties and applicable Swell policies (shortly after HIC/loan origination and again after project completion); analysis of and follow-up on complaints received by contractors or Swell, including complaints submitted through the BBB and governmental authorities; and periodic updates of onboarding information received by Swell. As part of the project approval process, Swell personnel will also evaluate HICs on an ongoing basis for whether projects are reasonably sized and priced. Swell may undertake scheduled or ad hoc reviews of contractor compliance based on risk, with contractors generating frequent or serious complaints and/or considerable business for Swell receiving priority.

Disciplinary Measures

Swell will take appropriate corrective action when any contractor performance and/or compliance deficiencies are identified through its ongoing monitoring activities or are self-disclosed by the contractor. Thus, when concerns are detected, Swell will engage in enhanced monitoring and issue graduated warnings to contractors, and, where violations are sufficiently serious or continuing and/or insufficiently remedied, Swell will discontinue business with the contractor and will consider providing its own remediation to customers.

Contact Information

If you have any questions, comments, or concerns about this notice or our processing activities, or you would like to exercise your privacy rights, please submit a request at http://www.swellenergy.com/datarequest, email us at privacy@swellenergy.com, call 1-888-465-1784, or write to us at 1515 7th St. #049, Santa Monica, CA 90401.

Last Reviewed and Updated: September 8, 2023