by Regina Lowrie & Brideen Gallagher
“You can’t be serious! I’m just a small mortgage banker, and here’s yet another cost I have to absorb in order to do business. Why is this applicable to me?” This exasperation was a common theme heard a few days ago in discussing vendor management at a gathering of mortgage bankers.
Surprisingly, the answer is relatively simple. One just needs to look at the history behind the creation of the Consumer Financial Protection Bureau (CFPB) and the focus by government to implement regulations that protect the consumer. The myriad of additional regulations covering all forms of credit, real estate, and other financial and financial-related markets have been imposed to protect the consumer in the aftermath of the credit crisis. Title X of the Consumer Financial Protection Act of 2010 created the CFPB and authorized it to have broad direct supervision and enforcement authority over both lenders and supervised service providers. The CFPB, Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA) and even the GSEs (government-sponsored enterprises) have included vendor oversight (or third-party risk assessment) as a requirement in an institution’s risk management framework. As a result, lenders are struggling to understand their responsibilities for oversight of vendors who provide services to them.
Obviously, it is far easier and more efficient for regulators to hold the lender accountable to ensure the consumer is fairly treated than for regulators to endeavor to manage more than a million vendors. Thus, under the provisions of CFPB Bulletin 2012-03, it is the lender’s responsibility to oversee every vendor “in a manner that ensures compliance with the Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm.”
For lenders considering their approach to vendor management, it is helpful to start with defining the roles of senior management and the board of directors. Generally, the board is responsible for overseeing the development of, and adherence to, business policy. The board and senior management must recognize that third-party vendor relationships present potential risks that need to be managed on an ongoing basis, beginning with a sound due diligence process at initial vendor selection and continuing with ongoing reviews of all such relationships. Certainly, the level or extent of risk varies with each vendor relationship. Understanding and managing how the vendor may expose the lender to operational, privacy, and reputation risks are the most critical elements for lenders to address.
Elements of a Compliant Vendor Management Program
Fortunately, implementing and managing a vendor management program can be reasonably and expeditiously accomplished with end-to-end solutions currently available in the market. Based on CFPB requirements, a compliant program needs to include the following elements:
Enforcement
Costs for non-compliance with vendor management requirements can be substantial. Some examples:
In addition to the financial risks, publication of these enforcement actions can create reputational risk for your organization. These are yet more reasons to make an investment in creating and implementing a robust vendor management program.
So what do I do next?
Regulators are extremely focused on vendor management and will continue to issue enforcement orders against companies for identified violations. As we have discussed, lenders and companies of all sizes should have a well-established and documented Vendor Management or Third-Party Risk Assessment Program. It is important to note that a compliant, comprehensive program is significantly more complex than simply utilizing a vendor approval checklist. Based on our experience, a risk-based approach is often the most cost-effective and streamlined solution. All vendors, no matter their size or risk rating, should be subject to your Vendor Management Program. And based on the ramifications of non-compliance, an ounce of prevention is much less costly than a pound of cure.
TMC - Chief Operating Officer