theMReport.com Your trusted source for mortgage banking news
Originally appeared in print edition of TheMReport magazine.
The heightened regulatory environment has forced lenders to ensure they are working with the right team.
By Tim Cox, Senior Manager of National Programs, Lenders One Mortgage Cooperative
While the old adage that there is nothing new under the sun may be true for lenders who need to vet and manage vendors, there has not been anything quite like the scrutiny we see on those processes today. Government-produced bulletins on the subject have been out for more than a decade, but new guidance from the Consumer Financial Protection Bureau (CFPB) coupled with the potential financial and operational penalties have ushered in a new era of heightened awareness.
Until recently, vendor management guidance focused mostly on the safety and soundness of an institution. Regulators have since clarified that requirements established by the FDIC Bulletin FIL-44-2008, which provided guidance for managing third-party risk within national banks, were not enough to protect consumers. Updated regulations from the FDIC, the Federal Financial Institutions Examination Council (FFIEC), and Fannie Mae include guides on how to manage third-party relationships. In April 2012, the CFPB weighed in and published a three-page service provider guidance, which is driving significant operational adjustments within the industry.
Vendors and lenders are both working hard to interpret and implement policies and procedures based on the guidance provided. Because of their size and limited internal resources, small to mid-size community lenders face challenges that big banks and institutions do not.
Vendor-Assisted Compliance
Atlanta-based consumer, commercial, and workforce information solutions provider Equifax and other vendors have experienced a rush for information and assistance from independent lenders since July.
“Lenders are looking to their vendor partners for direction,” said Michael Kuentz, SVP of Verification Services at Equifax. “Therefore, it is the vendors’ responsibility to apply the rules and develop tools that will help lenders, as well as ensure that the word is out that they have done so. This is an opportunity for vendors to have a strong voice, because lenders need direction to navigate the new policy and procedures.”
This sort of behavior is not new to the mortgage industry. Kuentz says it reminds him of other regulatory changes, which tends to reveal three types of lenders: those that will be ahead of the curve and do whatever they can to ensure they are compliant, those that will wait and see what effect the changes will have on the industry, and those that will wait and see and just resolve to pay the financial penalty if there is one.
St. Louis-based Altisource Fulfillment Operations (AFO) has also seen similar adaptation patterns among its clients. “The progression of lenders working through the requirements is fairly typical,” commented Debora Aydelotte, president of AFO.
“We have always provided clients with information regarding to licensing and certifications, as an example. However, within the last few months, demand has increased for our advisory services as well as for our internal compliance policies from both existing and new clients on our correspondent, quality control, and underwriting service platforms.”
Aydelotte notes that both originators and servicers should do a bit of legwork before approaching each vendor and prepare a standard requirements list of due-diligence items, such as financial statements, compliance, and corporate ethics policies and system security assessment information. For vendors considered tier 1 (critical to business performance and continuity), an onsite due-diligence visit should be scheduled and will be welcomed by the vendor. Lastly, she recommends that a solid vendor governance protocol needs to be in place and shared with each vendor so that expectations are clear and ongoing performance can be monitored.
Adjusting Internal Controls and Processes
Brentwood, Tennessee-based lender Churchill Mortgage started preparing for the effects of the CFPB vendor management rule by reviewing existing vendors, identifying common criteria, and building a vendor review strategy based on guidelines and internal practices. This is an approach that has been encouraged by Lenders One, of which Churchill is a member.
As a mid-sized independent mortgage lender, Churchill created a position specifically to meet the guidelines of the bulletin released by the CFPB. Then the lender considered how each of its vendors would present operational, compliance, and reputational risks and ranked them in tiers. According to Erin Stryker, compliance analyst and vendor manager, vendors that posed the greatest operational risk or high direct consumer contact risk (such as loan origination systems and document providers) are considered by Churchill as tier 1.
Tier 2 service providers are considered to have moderate effect on an organization’s operations and may have indirect contact with customers. The tier 3 vendors may provide services, such as the snack or vending machines, for example, and do have not contact with customers, posing no immediate effect on operations.
After identifying the vendors by tier, Churchill identified and requested documents for tier 1 and tier 2 vendors that could substantiate their culture, environment, and stability. These factors point to the responsibility vendors place in their own performance and consumer interactions, according to Stryker. Some of the information Churchill requests includes:
- Number of locations and the functions performed at each
- Any pending litigation
- Financials (at least liability and asset ratios)
- Procedures for tracking and resolving consumer complaints—a direct request from the CFPB
- Copies of security protocols for offsite employees, social media guidelines, and diversity statements/training requirements, as well as hiring policies and employee handbooks—to shed light on culture and ethics with specific attention to customer data privacy.
Adherence to federal regulations that vendors may be required to abide by, such as Gramm Leach Bliley and Fair Lending Policies for working with, and managing, subcontractors.
During onsite visits, Churchill delves further into operational processes, including security measures, such as shredding capabilities, server room access, and visitor policies. At that time, vendors are also asked for feedback on Churchill as a client. Maintaining a two-way dialogue is important, Stryker added: “This shows that Churchill is dedicated to doing all it can to maintain a solid relationship and transparency as we work with our vendors to adhere to regulations.”
Churchill completes and shares a scorecard after each site visit, which checklists key items, quantifies the effectiveness of the relationship, and records any compliance or operational risk(s). Stryker says it is important to involve leadership in other departments, based on who touches the vendor relationship, in order to most efficiently develop any necessary solutions noted on the scorecards.
Stryker stresses that Churchill management is keenly aware of smaller vendors’ challenges to comply with the new CFPB rule. Smaller organizations, like smaller lenders, may take a bit more time to respond because of fewer compliance resources. She expects that in time vendors may start organizing general information packages for lenders to help start the vetting process.
The fact that small and large vendors are inundated with requests from lenders who often want different information, as both Kuentz and Aydelotte mention, is something lenders should keep in mind. “Being specific about the information required and providing an adequate timeline for response is important,” Aydelotte said. “Just as there is no one interpretation of the guidelines, there also is no common checklist on hand. We have developed a standard process for this and for due-diligence site visits; however, we tailor both to meet the needs of each request.”
Churchill’s process takes approximately 60 days, and moving forward, the firm plans to stagger reviews in order to accomplish an annual review for each vendor partner. While Stryker takes the lead, she enlists assistance from three to six other employees, mostly from operations and IT, as needed. She points out that while vetting vendors was once driven from the departmental standpoint before the CFPB guidance, now Churchill and other lenders are creating designated positions and working groups to drive the process.
Reality Check
Despite the vagueness of the CFPB guidance, service providers and lenders are developing plans to meet the rule’s requirements. Lenders, such as Churchill, have approached the vendor vetting process by identifying a project leader and putting a manageable process and collaborative resources in place in order to meet the requirements without being overwhelmed. Vendors have prepared materials and site visit protocols and can provide information and suggestions for vendor management to lender clients, helping to add value to their relationships.
Keuntz offers a reminder that there can be more than just the costly fines motivating lenders to be compliant with the CFPB rule: The possibility of a negative public image that comes with noncompliance can be even more costly in the long run.
“While no one knows what the financial expense will be, most of our clients do understand there is a greater cost in being labeled as noncompliant,” he said.
Vendor vetting and management is not new, but under the watchful eyes of agencies such as the CFPB, the fact is that it is requiring more attention on the part of lenders and vendors to ensure compliance.
Approaches from the vendor side may be different from the approach of the lender, but the results should be the same: a plan that includes communication and input from both parties to ensure full compliance and ultimately protect the consumer.
