Over the last several years, vendor oversight and management have been top-of-mind among the mortgage industry’s regulatory bodies. While focus is no longer solely on the risk that vendors present to the well-being of a supervised financial institution, the Accounting Standards professionals have, through the publication of SSAE 18, increased the focus of all firms with certified financial statements on the impact of critical vendors on financial statements and operations. It is no longer enough just to make certain that critical vendors have satisfactory SOC 1 or SOC 2 reports; those reports now must also cover the vendor’s own critical vendors.
This is all the result of a greater awareness of cybersecurity, and particularly how virtually every organization is dependent upon Internet-based communication and exchange of data. And, if that’s not getting your attention, every regulator is now more intensely focused on the interests of consumers and the risk a vendor might pose to a mortgage lender’s customers.
Compliance with state and federal regulations in place for supervised banks and nonbank financial institutions now also includes meeting the Consumer Financial Protection Bureau’s (CFPB) vendor oversight requirements, which are designed to “protect the interest of consumers and avoid consumer harm.”
The consequences of noncompliance are no trifling matter. The CFPB’s enforcement authority in this regard was established in 2012. Along with other state and federal regulators, the CFPB can exercise, and already has exercised, its enforcement abilities, including mandating that a company augment or improve its vendor management program; levying financial penalties; and bringing formal enforcement actions or consent orders against lenders and/or vendors.
What’s more, since virtually every lender is required to provide certified and audited financials, the possible impact of vendors, and of how those vendors manage their own vendors, can have a material effect on the lender’s financial statements.
In short, it is imperative that lenders understand the risk that their vendors create and reasonably assure that those vendors are compliant. The very existence of your business may depend upon it.
Recent rulemaking adds another layer of complexity
As noted above, the SSAE 18 rule, which went into effect May 1, 2017, sets many new standards for addressing counterparty vendor risk. Among those standards: SSAE 18 requires that controls be implemented at the service organization (a vendor) that monitor the effectiveness of controls at subservice organizations (a vendor’s critical vendors). Subservice organizations must now be monitored on an ongoing basis using the methods outlined in SSAE 18.
In other words, lenders must concern themselves with managing their critical vendors, and lenders must make sure their vendors have management programs in place to monitor the third parties that provide critical services, so that: (1) the lender’s operations and financial statements are not subject to undue risk from unacceptable performance; and (2) data security risk is minimized.
Many of the concepts reviewed in the following discussion of vendor risk assessment, due diligence, ongoing monitoring, and more, have applications for both critical vendors and a vendor’s critical vendors.
Assigning an owner to vendor risk assessment is imperative
There are many vendor management checklists, software, and other tools that help lenders assess risk and follow required practices. Many of these are top-quality resources that provide excellent support, but I wholeheartedly assert that these current tools are not enough.
It is imperative to assign ownership of vendor management and risk assessment to a mortgage compliance or other seasoned professional within your organization. Only an in-house owner of vendor management and oversight can ask and fully ascertain the answer to the ultimate question: What risks does this vendor pose to my company and my customers?
Small and mid-sized lenders may hesitate to incur the cost associated with an in-house owner of vendor management. Given the consequences of mismanagement mentioned earlier, these concerns may well be a case of “penny-wise, but pound-foolish.”
Vendor risk segmentation is the first order of business
Since the potential for harm is obviously not the same for all types of vendors, an in-house mortgage compliance professional’s first order of business is to conduct risk segmentation, assessing each vendor based on whether the service provided: 1) is customer-facing; 2) involves handling of customers’ nonpublic personal information (NPI) or other highly confidential data; and/or 3) is considered a “mission critical activity.”
Assigning to each vendor a risk profile using a three-tiered ranking system allows for an initial risk assessment upon which to build a cascading model of oversight.
- Tier 1 – High Risk. This segment encompasses vendors that provide critical services, have access to highly sensitive information, or provide a concentration of services.
- Tier 2 – Moderate Risk. This segment includes vendors frequently used but not critical to continued functioning of the lender’s business. Vendors in this group may have access to NPI or other confidential information.
- Tier 3 – Low Risk. This includes non-critical vendors who do not pose a data or direct consumer risk.
The reasons for determining each vendor’s risk tier must be documented. Once determinations are made, a cascading model of oversight is applied.
Due diligence, establishing controls, and ongoing monitoring
Once the risks to the lender are assessed and documented, appropriate due diligence is conducted as outlined in a lender’s internal policies and procedures. Among the other actions that need to be taken by the in-house owner and their team are:
- Understanding the background of the vendor and its principal officers. The first order of vendor assessment is to understand the vendor’s background and its principal officers. After all, the prior conduct and accomplishments of the vendor’s management are excellent indicators of how that management will act, and how ethically, in the future.
- Securing appropriate information and documents from the vendor. For example, verify that the vendor has all necessary licenses and adequate insurance coverage to conduct the activity. Where necessary, a review of financial statements to ensure the vendor has appropriate net worth and liquidity may be prudent.
- Reviewing critical vendor policies and procedures, along with the vendor’s internal controls. Policies and procedures should demonstrate that the vendor has a clear understanding of the rules and regulations governing the service(s) it performs. Depending on the risk rating, a vendor should have policies and procedures that adequately address: information security, privacy, business continuity, resiliency, training of employees, and meeting performance standards and benchmarks. Many of the operational policies and procedures are tested in a SOC report.
- Ensuring that contracts for Tier 1 (High) and Tier 2 (Moderate) risk vendors clearly and thoroughly state the expectations for performance standards and compliance with applicable laws and regulations. Every lender regulator has established a generally common set of guidelines for vendor contracts. These are particularly important for any high-risk relationship.
Once these elements are addressed, controls and a protocol for monitoring vendors must be established and implemented.
To monitor vendor performance, many companies have developed vendor report cards to easily track performance. These report cards are issued in conjunction with periodic independent reviews and can reflect an array of elements, including results of audits of actual performance to contractual or internal benchmarks and documentation of customer complaints regarding the vendor. (A documented incident reporting system with appropriate issue escalation to executive management is highly recommended.)
Report cards can also be used to request updated documentation, such as insurance certificates, financial statements and licenses.
When working with our clients, I also strongly encourage lenders to periodically conduct independent reviews of Tier 1 (High) risk vendors to make certain the vendor meets business continuity standards, including disaster recovery plans and resiliency requirements. And, there should be an annual documented test evidencing the vendor was able to successfully restore business operations within the plan’s defined timeframes. It is also highly desirable to have a written plan in place to activate in the event you must quickly replace or supplement a mission critical vendor.
Protocols for addressing problems and terminating relationships
Prompt action is mandatory when vendors are out of compliance. In addition to the fact that the CFPB and state regulators expect prompt action as soon as any problems are identified, the reputational risk to your business can be very costly.
Depending on the severity of the problem, lenders should have protocols in place for addressing the concern with the vendor and requiring a written response to document their file. Remediation may also be required, as would be the case with a cybersecurity data breach or instances of inappropriate charges to a consumer. Recent news stories have been replete with incidents where a business suffered an incident and was unprepared, with no thoughtful process for dealing with consumer-facing issues. Think about the recent airline incidents and how reputational risks could have been mitigated.
In most cases, lenders will ask vendors to update policies and procedures to close any identified gaps, provide additional training, or otherwise make changes that mitigate the chance of encountering noncompliance in the future. However, if appropriate, be prepared to terminate vendor relationships and self-report the incident to federal and/or state regulatory agencies. (Again, herein lies the importance of having a written back-up plan in the event a mission critical vendor must be terminated.)
A comprehensive, compliant vendor management program is simply good business
Companies of all sizes can create well-established and documented vendor management programs by combining in-house expertise and ownership with technology solutions and resources, such as software and web-based portal support systems.
An effective vendor management program is not only about meeting regulatory requirements. If critical vendors cannot meet service level agreements or do not operate in a compliant manner, they can create operational risk—and even reputational risk—to a lending organization. In today’s business world, managing such risks is needed for basic survival.
I would take this concept a step further and say thorough vendor management programs drive better vendor performance. Better vendor performance creates efficiencies that can position lenders to operate more profitably, grow originations and servicing portfolios, or attain a long list of other business goals.
Allow me to close with a final thought. Any discussion of vendor management would be incomplete without acknowledgement of the fact that closing agents are considered critical vendors. These vendors handle NPI data and receive large sums of wired mortgage proceeds, yet many lenders have performed little, if any, due diligence on these firms. What’s more, neither the Closing Protection Letter (CPL) nor the typical Errors & Omissions insurance policy covers privacy violations. I look forward to providing an in-depth look at managing closing agent counterparty risk in a future issue of Mortgage Compliance Magazine.
Regina M. Lowrie is a recognized national leader and authority in the mortgage and lending industry and is founder, president, and CEO of RML Advisors, LLC. She can be reached at RLowrie@RMLAdvisors.com.