by Regina Lowrie & Brideen Gallagher

“You can’t be serious!  I’m just a small mortgage banker, and here’s yet another cost I have to absorb in order to do business. Why is this applicable to me?” This exasperation was a common theme heard a few days ago in discussing vendor management at a gathering of mortgage bankers.  

Surprisingly, the answer is relatively simple. One just needs to look at the history behind the creation of the Consumer Financial Protection Bureau (CFPB) and the focus by government to implement regulations that protect the consumer. The myriad of additional regulations covering all forms of credit, real estate, and other financial and financial-related markets have been imposed to protect the consumer in the aftermath of the credit crisis. Title X of the Consumer Financial Protection Act of 2010 created the CFPB and authorized it to have broad direct supervision and enforcement authority over both lenders and supervised service providers.   The CFPB, Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA) and even the GSEs (government-sponsored enterprises) have included vendor oversight  (or third party risk assessment) as a requirement in an institution’s risk management framework. As a result, lenders are struggling with understanding their responsibilities for oversight of vendors who provide services to them.

Obviously, it is far easier and more efficient for regulators to hold the lender accountable to ensure the consumer is fairly treated than for regulators to endeavor to manage more than a million vendors. Thus, under the provisions of CFPB Bulletin 2012-03, it is the lender’s responsibility to oversee every vendor “in a manner that ensures compliance with the Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.”

For lenders considering their approach to vendor management, it is helpful to start with defining the roles of senior management and the board of directors. Generally, the board is responsible to oversee development and adherence to business policy. The board and senior management must recognize that third-party vendor relationships present potential risks that need to be managed on an ongoing basis, beginning with a sound due diligence process at initial vendor selection and continuing with on-going reviews of all such relationships. Certainly, the level or extent of risk varies with each vendor relationship. Understanding and managing how the vendor may expose the lender to operational, privacy, and reputation risks are the most critical elements for lenders to address.

Elements of a Compliant Vendor Management ProgramFortunately, implementing and managing a vendor management program can be reasonably and expeditiously accomplished with end-to-end solutions currently available in the market. Based on CFPB requirements, a compliant program needs to include the following elements:

1. Designation of a Program Owner. The company needs to designate someone in the organization who “owns” vendor management, including approval of vendors and ensuring compliance with the company’s approved policies and procedures. Lenders can no longer have a decentralized approach to engaging vendors where each manager makes individual decisions that are often based solely on relationships and not necessarily on all risk elements to the business or its customers.
2. A set of comprehensive policies and procedures. The company should develop written policies and procedures to establish business methods and provide a solid framework for operations. These policies and procedures also provide the framework for ensuring the company operates in compliance with regulatory requirements and for the board/CEO to hold staff accountable for the company’s performance. A compliant vendor management infrastructure will provide for board oversight and management control of all vendors; however, not every vendor requires the same level of due diligence. For example, the singular vendor who provides a critical business function, such as your network and computer systems, creates more risk for the company than the marketing firm that handles your advertising. A risk-based approach creates efficiency and better efficacy in the vendor management process by requiring more diligence and effort be devoted to higher-risk vendors than moderate- and low-risk vendors.

Key elements of compliant vendor management policies include requiring the vendor provide qualifications about the vendor’s experience, evidence of adequate insurance, references, and certification of the vendor’s compliance with applicable laws and regulations. In addition to the items listed above, information about a vendor’s internet connectivity and security, physical access, network access, software development management, disaster recovery, termination provisions, training programs, and performance benchmarks should also be obtained from each vendor.

1. A sound methodology to risk rate vendors. When considering your company’s vendor population, it is critical to create a list of all vendors, including appraisers, closing agents, and escrow agents as well as providers of document management services, phone systems, and even office supplies. As stated previously, the vendor management program should differentiate the diligence and documentation requirements among high-, moderate- and low-risk vendors. This risk-based approach plays an important role in efficiently allocating risk management resources where the higher risk exists while still maintaining compliant oversight of low risk vendors.

In evaluating vendor risk, lenders should consider the following factors in assigning vendors into high, moderate or low categories:  

1. Mission critical – Does the vendor provide mission critical services? Mission critical functions can be classified as those that if the vendor cannot perform (and perform according to specified performance standards), the impact on the lender’s business would be catastrophic and/or consumers might be injured or incur additional costs.   Another related test for a mission critical function is that the vendor is unique and cannot be easily or quickly replaced. 
2. NPI Data (Non-public information) – Does the vendor provide or receive NPI? If so, they represent a higher level of risk.  Closing agents need to be included in the list of vendors that receive NPI and should be designated as high-risk. 
3. Frequently used – While the vendor may not be unique, it may be so frequently engaged that frequency should be considered in the risk rating.
4. A clearly-defined and managed process to obtain vendor information and supporting documentation. This can also be stated as ‘trust, but verify.’ Ideally, the process should include following elements (note this list is not exhaustive but illustrative):
5. Develop a questionnaire to assist the lender in designating the risk tier of each vendor (high, moderate, low).
6. Ask questions related to the vendor’s compliance – for example, how does the document shredder comply with National Association for Information Destruction (NAID) standards and what was the date of their last certification?
7. If the vendor provides technical services or utilizes technology, document what controls are in place to assure the integrity, security and delivery of the technology.
8. Request, where applicable, the vendor’s SSAE 16 report and review the results.
9. If the vendor provides a financial or hedging model, assess and test the efficacy of the model.
10. A process to review and determine if the information and documentation obtained meets your company’s vendor management policy requirements. Regulators will look for tangible evidence on how the lender uses the information to make an engagement/hire decision and monitor on-going performance. The vendor management program must be more robust than just collecting information and sticking it in a file.
11. A review of the vendor’s service contract. The company should have counsel look at all high-risk vendor service contracts to verify compliance with applicable laws and regulations (e.g. right to audit and remediation, indemnification, dispute resolution, customer complaints, etc.) as well as the company’s business requirements. Special focus should be placed on evaluating how a vendor utilizes and monitors subcontractors. Vendors are responsible for the performance of any subcontractors they hire, so the vendor must have policies and procedures to monitor this. If the vendor provides technical services, then the review should validate that the contract covers all applicable requirements related to information technology and security.
12. A complete vendor monitoring process. This includes establishing appropriate incident logs and performance benchmarks for high-risk vendors as well as mandating that vendor information and documentation remain properly updated.

Closing AgentsEscrow agents, title insurance companies, and closing agents, including duly licensed closing attorneys, are unique vendors performing specialized loan closing/settlement services on behalf of a lender and borrowers. Lenders typically approve such closing agents to conduct loan transactions on their behalf subject to an Insured Loan Closing Protection Letter (where such letters are permitted by applicable law) and/or evidence of current in-force professional liability insurance. Financial statements, business continuity, resiliency, and other vendor requirements are generally waived for this unique class of vendors because they are duly licensed by the state in which they conduct business.  However, closing agents are now required by the American Land Title Association (ALTA) to follow a series of established Best Practices. Consequently, it is prudent for lenders to require this class of vendor to provide some certification and/or proof of compliance with these Best Practices.

EnforcementCosts for non-compliance with vendor management requirements can be substantial.   Some examples:

• JP Morgan Chase: In September 2013, the CFPB ordered Chase Bank USA, N.A. and JP Morgan Chase Bank, N.A. to issue refunds to borrowers for illegal credit card practices.  As part of the order, Chase was required to strengthen its third-party vendor management program.  Total financial penalty totaled $309 million.
• Ocwen Financial Corporation: In December 2014, the New York Department of Financial Services entered into a Consent Order with Ocwen.  While the Order focused extensively on the firm’s servicing practices, it also addressed improper relationships with related vendors.  Total financial penalty amounted to $150 million.
• U.S. Bank: In September 2014, the CFPB ordered U.S. bank to pay $48 million in refunds to customers for illegally billing consumers for services not received related to a contract with a third party to provide identity protections and credit monitoring services.  While the CFPB had no finding of intent by U.S. Bank, it found that U.S. Bank failed to adequately monitor its third-party service provider.

In addition to the financial risks, publication of these enforcement actions can create reputational risk for your organization. These are yet more reasons to make an investment in creating and implementing a robust vendor management program.

So what do I do next?Regulators are extremely focused on vendor management and will continue to issue enforcement orders against companies for identified violations. As we have discussed, lenders and companies of all sizes should have a well-established and documented Vendor Management or Third-Party Risk Assessment Program.  It is important to note that a compliant, comprehensive program is significantly more complex than simply utilizing a vendor approval checklist.  Based on our experience, a risk-based approach is often the most cost effective and streamlined solution.  All vendors, no matter their size or risk rating, should be subject to your Vendor Management Program.  And based on the ramifications of non-compliance, an ounce of prevention is much less costly than a pound of cure.

By Gary Acosta

Prospect Mortgage and Wells Fargo, and most recently, PHH, have announced decisions to abandon the practice of using marketing services agreements. These companies should only be the first wave: it is time for the practice of MSAs to end once and for all.

By eliminating MSAs, regulators can help reduce the cost of mortgage originations without causing further restrictions to credit availability. In other words, there is zero downside, particularly for consumers.

These arrangements have been common between lenders and referral sources, such as real estate brokers and builders, for years. In simple terms, an MSA is a contract whereby a lender or other service provider will compensate brokers and builders for marketing their services to clients' agents and sales professionals.

This could include advertising and "desk rentals," where the provider has a physical presence in the client's office. There has always been a fine line between legal MSA arrangements and the payment of referral fees or "kickbacks," which are illegal according to the Real Estate Settlement Procedures Act.


Where that line actually resides is a matter of interpretation of RESPA's guidelines, but common sense makes it clear that compensation paid directly to a referral source is a form of kickback no matter how we dress it up with more flattering terms.

Few argue that the practice of MSAs has any real consumer benefit. At best, they add unnecessary cost to the origination process, which, of course, is ultimately paid by the consumer.

At worst, they can lead to the nefarious practice of steering consumers to loan products that have excessive fees or harmful terms. The latter is more common in minority neighborhoods, where homebuyers are often more vulnerable to steering.

Anybody with practical knowledge in the business will tell you that the application of MSAs varies from company to company. There are companies that try and stay within the guidelines and there are plenty of companies that blatantly cross the line by paying excessive fees or by tying the compensation to production or profitability targets. While there have been some recent actions by the Consumer Financial Protection Bureau, enforcement of MSA violations have historically been few and far between.

Several reputable mortgage companies I have spoken with have uniformly told me that while they don't like the practice of MSAs, they do them because not participating would put their loan originators at a competitive disadvantage.

These companies also all agree that the practice of MSAs is rife with abuses and that companies that exploit the rules make it harder for the companies that try to do it within the spirit of the regulations.

The lenders I spoke with generally just want an even playing field with their competition, an environment that is driven by quality service and competitive pricing, and not by who is willing to pay the most in MSA fees.

This is not a small problem; the payment of kickbacks is one of the less-frequently discussed causes of the foreclosure crises.

Real estate agents and brokers are critical, trusted advisors to their clients, especially for minority and first-time buyers. At the same time, brokers are struggling more than ever to create profitable businesses.

Providing ancillary services for their clients such as mortgage originations, escrow services and title insurance can substantially add to the bottom line. Brokerages that are willing and able to make the necessary investments should be allowed to participate in these fees by providing legitimate services for which they deserve fair compensation.

Nobody in the real estate and mortgage industries wants to see more regulation. However, eliminating MSAs is the right thing to do and is one of the current industry practices that I truly believe few will miss.

Gary Acosta is the co-founder and CEO of the National Association of Hispanic Real Estate Professionals and currently serves on the consumer advisory board of the Consumer Financial Protection Bureau.