The mortgage industry's plethora of new regulations has continued into the realm of third-party vendors. Typically these parties have no direct oversight by regulators. Now the Consumer Financial Protection Bureau is on the record regarding lender responsibility over their vendors.
While vendors can provide expertise, allow for scalability and provide the most up-to-date methodologies and technologies, it is the responsibility of the supervising bank or non-bank to ensure that the vendor adheres to regulatory compliance requirements. Therefore, it is critical for those entities to have an effective vendor management plan to mitigate risk and comply with state, federal and local laws.
While the CFPB's April 2012 bulletin and the Office of the Comptroller of the Currency's October 2013-29 bulletin offer some guidance, there are still no solidified rules as to what constitutes the ideal vendor management program.
1. Initial Steps
When a lender enters into a business relationship with a service provider or third party, it is responsible for complying with laws aimed at avoiding consumer harm. Lack of oversight of critical activities or shared services could cause the lender to face significant risk, have weighty customer impact, require substantial investment resources or have a major effect upon bank operations. The lender must determine the types of service providers it works with, each carrying a different level of risk, and build an oversight structure around them.
The vendor management program should be proportionate to the degree of risk and complexity of the relationship with the overseen third parties. Such a program should initially identify key stakeholders, define roles and understand the amount of risk that corresponds with each vendor. A lender may have two or three vendor management program levels, depending on the level of risk posed by the vendor.
Likewise, the vendor should understand and have the capability, capital and commitment to successfully comply with requirements. The contract between the lender and the service provider must outline clear expectations about compliance and appropriate consequences for non-compliance.
In addition to contractual obligations, the lender should have a system in place to evaluate the vendor. The system should thoroughly review the vendor's policies, procedures, internal controls and training materials to verify that the third party conducts continuous oversight of employees and agents having consumer or compliance responsibilities.
Open and transparent communication between the parties is critical. With mutual cooperation, the lender and the vendor can maintain oversight, identify issues, and address potential regulatory and risk issues head-on, allowing timely execution of solutions.
2. Implementing an Effective Vendor Management Program
An effective program must allow for a consistent, sustainable plan, and should allow the flexibility to reduce or terminate services should the service provider fail to meet necessary standards of compliance. The program must set clear, definitive criteria regarding expectations of the vendor, including industry standards, regulatory minimums or specific deadlines.
The program's standards and measurements should evaluate many elements, including the status of and changes to: business strategy, financial condition, insurance coverage, leadership and key personnel, level of customer satisfaction, and other contractual arrangements that could pose a conflict. Throughout the life cycle, the lender must keep proper documentation on the vendor, including an inventory of all third-party relationships, approved plans, due diligence results, executed contracts and regular risk management reports.
The lender's program should have quantifiable metrics and data evaluating each service provider and comparing groups. Metrics should be made anonymous when shared with vendors so that they understand how they are tracking against other service providers. Such tracking can identify vendors with higher risks resulting from poor performance, allowing the third party to plan a remediation program.
If a vendor continuously performs poorly, there should be a formal rebuttal process in which the vendor may challenge deficiencies and offer a cure within specific time periods. If there is continuous performance below acceptable standards, without proper cure, the contract must allow for a termination of the vendor relationship.
The lender should have a process to periodically review its vendor management program, assessing its ability to oversee and manage relationships, as well as its process for identifying, assessing and reporting third-party risks. It should also evaluate its process for responding to material breaches, ensuring proper staffing, identifying conflicts of interest, and appropriate remediation of deficiencies.
3. The Vendor Perspective
Third-party contractors experience both written and on-site audits, which may involve executives, management and staff members. Notice of audits varies from 48 hours to two weeks, and audits can last for one to five days.
Ideally, a line of business leader spearheads the effort and has dedicated team members from various groups available for the audit. Vendors must comply with the lender's requests; there are very limited situations where a vendor may have an excuse for not providing requested information. Audits are most often a collaborative process between the lender and vendor that help identify deficiencies and correct issues.
Vendors should use a compliance tool that is able to provide the legal citation, reasoning, and exact place in the material that fulfills the requirement. The vendor's technology and compliance systems must pair well with the lender's technology, and there must be a fairly seamless process to reconcile the differences in each party's technological capabilities.
One example of such a seamless pairing is Digital Risk's TEGO, an overlay to clients' systems that allows for reporting and a clear audit trail. With such an effective compliance tool, every step of the process is captured in a clear audit trail and explained logically and accurately. Effective technology enables the vendor to easily adjust and adapt to changing regulations and allows changes to be updated seamlessly and directly in the program.
The themes of an ideal vendor management program are quite clear: transparency, communication and cooperation. Additionally, the parties should be able to provide the management, oversight and constant evaluation needed to maintain a consistent and reliable program, which will ultimately reduce the risk exposure of both lender and vendor.