Seven Steps to Effective Vendor Oversight, Primer

by Regina Lowrie & Brideen Gallagher

“You can’t be serious!  I’m just a small mortgage banker, and here’s yet another cost I have to absorb in order to do business. Why is this applicable to me?” This exasperation was a common theme heard a few days ago in discussing vendor management at a gathering of mortgage bankers.  

Surprisingly, the answer is relatively simple. One just needs to look at the history behind the creation of the Consumer Financial Protection Bureau (CFPB) and the focus by government to implement regulations that protect the consumer. The myriad of additional regulations covering all forms of credit, real estate, and other financial and financial-related markets have been imposed to protect the consumer in the aftermath of the credit crisis. Title X of the Consumer Financial Protection Act of 2010 created the CFPB and authorized it to have broad direct supervision and enforcement authority over both lenders and supervised service providers.   The CFPB, Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA) and even the GSEs (government-sponsored enterprises) have included vendor oversight  (or third party risk assessment) as a requirement in an institution’s risk management framework. As a result, lenders are struggling with understanding their responsibilities for oversight of vendors who provide services to them.

Obviously, it is far easier and more efficient for regulators to hold the lender accountable to ensure the consumer is fairly treated than for regulators to endeavor to manage more than a million vendors. Thus, under the provisions of CFPB Bulletin 2012-03, it is the lender’s responsibility to oversee every vendor “in a manner that ensures compliance with the Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.”

For lenders considering their approach to vendor management, it is helpful to start with defining the roles of senior management and the board of directors. Generally, the board is responsible to oversee development and adherence to business policy. The board and senior management must recognize that third-party vendor relationships present potential risks that need to be managed on an ongoing basis, beginning with a sound due diligence process at initial vendor selection and continuing with on-going reviews of all such relationships. Certainly, the level or extent of risk varies with each vendor relationship. Understanding and managing how the vendor may expose the lender to operational, privacy, and reputation risks are the most critical elements for lenders to address.

Elements of a Compliant Vendor Management ProgramFortunately, implementing and managing a vendor management program can be reasonably and expeditiously accomplished with end-to-end solutions currently available in the market. Based on CFPB requirements, a compliant program needs to include the following elements:

1. Designation of a Program Owner. The company needs to designate someone in the organization who “owns” vendor management, including approval of vendors and ensuring compliance with the company’s approved policies and procedures. Lenders can no longer have a decentralized approach to engaging vendors where each manager makes individual decisions that are often based solely on relationships and not necessarily on all risk elements to the business or its customers.
2. A set of comprehensive policies and procedures. The company should develop written policies and procedures to establish business methods and provide a solid framework for operations. These policies and procedures also provide the framework for ensuring the company operates in compliance with regulatory requirements and for the board/CEO to hold staff accountable for the company’s performance. A compliant vendor management infrastructure will provide for board oversight and management control of all vendors; however, not every vendor requires the same level of due diligence. For example, the singular vendor who provides a critical business function, such as your network and computer systems, creates more risk for the company than the marketing firm that handles your advertising. A risk-based approach creates efficiency and better efficacy in the vendor management process by requiring more diligence and effort be devoted to higher-risk vendors than moderate- and low-risk vendors.

Key elements of compliant vendor management policies include requiring the vendor provide qualifications about the vendor’s experience, evidence of adequate insurance, references, and certification of the vendor’s compliance with applicable laws and regulations. In addition to the items listed above, information about a vendor’s internet connectivity and security, physical access, network access, software development management, disaster recovery, termination provisions, training programs, and performance benchmarks should also be obtained from each vendor.

1. A sound methodology to risk rate vendors. When considering your company’s vendor population, it is critical to create a list of all vendors, including appraisers, closing agents, and escrow agents as well as providers of document management services, phone systems, and even office supplies. As stated previously, the vendor management program should differentiate the diligence and documentation requirements among high-, moderate- and low-risk vendors. This risk-based approach plays an important role in efficiently allocating risk management resources where the higher risk exists while still maintaining compliant oversight of low risk vendors.

In evaluating vendor risk, lenders should consider the following factors in assigning vendors into high, moderate or low categories:  

1. Mission critical – Does the vendor provide mission critical services? Mission critical functions can be classified as those that if the vendor cannot perform (and perform according to specified performance standards), the impact on the lender’s business would be catastrophic and/or consumers might be injured or incur additional costs.   Another related test for a mission critical function is that the vendor is unique and cannot be easily or quickly replaced. 
2. NPI Data (Non-public information) – Does the vendor provide or receive NPI? If so, they represent a higher level of risk.  Closing agents need to be included in the list of vendors that receive NPI and should be designated as high-risk. 
3. Frequently used – While the vendor may not be unique, it may be so frequently engaged that frequency should be considered in the risk rating.
4. A clearly-defined and managed process to obtain vendor information and supporting documentation. This can also be stated as ‘trust, but verify.’ Ideally, the process should include following elements (note this list is not exhaustive but illustrative):
5. Develop a questionnaire to assist the lender in designating the risk tier of each vendor (high, moderate, low).
6. Ask questions related to the vendor’s compliance – for example, how does the document shredder comply with National Association for Information Destruction (NAID) standards and what was the date of their last certification?
7. If the vendor provides technical services or utilizes technology, document what controls are in place to assure the integrity, security and delivery of the technology.
8. Request, where applicable, the vendor’s SSAE 16 report and review the results.
9. If the vendor provides a financial or hedging model, assess and test the efficacy of the model.
10. A process to review and determine if the information and documentation obtained meets your company’s vendor management policy requirements. Regulators will look for tangible evidence on how the lender uses the information to make an engagement/hire decision and monitor on-going performance. The vendor management program must be more robust than just collecting information and sticking it in a file.
11. A review of the vendor’s service contract. The company should have counsel look at all high-risk vendor service contracts to verify compliance with applicable laws and regulations (e.g. right to audit and remediation, indemnification, dispute resolution, customer complaints, etc.) as well as the company’s business requirements. Special focus should be placed on evaluating how a vendor utilizes and monitors subcontractors. Vendors are responsible for the performance of any subcontractors they hire, so the vendor must have policies and procedures to monitor this. If the vendor provides technical services, then the review should validate that the contract covers all applicable requirements related to information technology and security.
12. A complete vendor monitoring process. This includes establishing appropriate incident logs and performance benchmarks for high-risk vendors as well as mandating that vendor information and documentation remain properly updated.

Closing AgentsEscrow agents, title insurance companies, and closing agents, including duly licensed closing attorneys, are unique vendors performing specialized loan closing/settlement services on behalf of a lender and borrowers. Lenders typically approve such closing agents to conduct loan transactions on their behalf subject to an Insured Loan Closing Protection Letter (where such letters are permitted by applicable law) and/or evidence of current in-force professional liability insurance. Financial statements, business continuity, resiliency, and other vendor requirements are generally waived for this unique class of vendors because they are duly licensed by the state in which they conduct business.  However, closing agents are now required by the American Land Title Association (ALTA) to follow a series of established Best Practices. Consequently, it is prudent for lenders to require this class of vendor to provide some certification and/or proof of compliance with these Best Practices.

EnforcementCosts for non-compliance with vendor management requirements can be substantial.   Some examples:

• JP Morgan Chase: In September 2013, the CFPB ordered Chase Bank USA, N.A. and JP Morgan Chase Bank, N.A. to issue refunds to borrowers for illegal credit card practices.  As part of the order, Chase was required to strengthen its third-party vendor management program.  Total financial penalty totaled $309 million.
• Ocwen Financial Corporation: In December 2014, the New York Department of Financial Services entered into a Consent Order with Ocwen.  While the Order focused extensively on the firm’s servicing practices, it also addressed improper relationships with related vendors.  Total financial penalty amounted to $150 million.
• U.S. Bank: In September 2014, the CFPB ordered U.S. bank to pay $48 million in refunds to customers for illegally billing consumers for services not received related to a contract with a third party to provide identity protections and credit monitoring services.  While the CFPB had no finding of intent by U.S. Bank, it found that U.S. Bank failed to adequately monitor its third-party service provider.

In addition to the financial risks, publication of these enforcement actions can create reputational risk for your organization. These are yet more reasons to make an investment in creating and implementing a robust vendor management program.

So what do I do next?Regulators are extremely focused on vendor management and will continue to issue enforcement orders against companies for identified violations. As we have discussed, lenders and companies of all sizes should have a well-established and documented Vendor Management or Third-Party Risk Assessment Program.  It is important to note that a compliant, comprehensive program is significantly more complex than simply utilizing a vendor approval checklist.  Based on our experience, a risk-based approach is often the most cost effective and streamlined solution.  All vendors, no matter their size or risk rating, should be subject to your Vendor Management Program.  And based on the ramifications of non-compliance, an ounce of prevention is much less costly than a pound of cure.