The CFPB and Your Service Provider Relationships
Finding good strategic partners and vendors by mortgage lenders is not just sound business strategy anymore but the law.
As transaction volumes have fluctuated dramatically over the past decade from a high of $2.8 trillion in 2006 to last year barely hitting $1.2 trillion, mortgage lenders have increased their reliance on third-party service providers and outsourcing firms to manage volume ebb and flows. During the massive regulatory reform in 2009, lawmakers recognized the growing trend of using service providers to assist in consumer transactions and gave the CFPB ability to supervise bank and nonbank service providers through Dodd-Frank legislation. Earlier this year the CFPB released a memorandum (CFPB Bulletin 2012-03) on the subject of service providers and indicated they “will exercise the full extent of its supervision over supervised service providers.”
Now that the election is behind us and any reasonable thought of Dodd-Frank repeal is gone, lenders need to get ready for 2013 implementation of CFPB rule-making. And ensuring they are working with credible and regulatory compliant service providers need to be near the top of the list. In order to ensure that any CFPB examination of a bank or nonbank’s outsourcing processes has a positive outcome, lenders need to take vendor management to a whole new level.
A sound vendor management process should include the following:
- Thorough due-diligence of the vendor’s understanding and capabilities to comply with consumer protection laws. This should include a review of the service provider’s policies, procedures, hiring practices, training documentation, internal controls, system safeguards, and disaster recovery plans.
- Lenders who outsource processes that include supplying customer data to its vendors (such as loan fulfillment and QC) need to fully understand the IT environment that is in place. Lenders should look to a vendor’s compliance to SSAE 16 standards (formerly SAS 70) to help understand system management, intruder protection and controls to ensure customer information is not exposed. Ask for the SSAE 16 audit report from your vendor’s independent auditors.
- Ensure the service provider has internal resources that are responsible for understanding regulatory compliance and how to implement adherence to new regulations, laws and investor guidelines.
- Conduct background checks on the company through resources like the BBB, LexisNexis and D&B. Ask for the vendor’s client list and do reference checks on varied customer types. Use the Internet to search for information and see what people are saying on business networking sites such as LinkedIn.
- Visit the facility where the service provider is conducting business. Seeing the vendor’s operation in action can speak volumes to whether they actually are following their documented process and procedures.
Most of these vendor management processes have been in place at the largest financial institutions well before the CFPB’s creation and those big players should already be in good shape. Smaller institutions, credit unions and independent mortgage bankers may not be used to the level of vendor due diligence that is required. However, a reputable service provider that has dealt with a variety of financial institutions will be able to help a smaller lender by providing the necessary documentation in advance so their customer can be proactive and respond quickly to a CFPB examination or investor audit.