Every vendor with whom you do business must be monitored. If your organization retains servicing, this would include, for example: law firms and trustees; property-preservation companies and property-management companies; loss-mitigation and loan-modification entities; and management-information systems. Your organization also must manage its Mortgage Electronic Registration Systems activities, credit reporting, 1099 forms, mortgage insurers, communications and, finally, disclosure and sub-servicer arrangements. Even brokers within an organization should support this extent of monitoring, if only because their clients likely monitor such things on their own end.
Your organization also should be certain that its monitoring protocol is being documented. The OCC has set forth guidelines on how to manage third-party risk in its 2001-47 bulletin (sctsm.in/OCC). Although this provides some quality guidance, it doesn’t provide specific instructions and does not address the new law-firm certification process. Regardless, your organization still is obligated to set monitoring standards. In setting these standards, it’s a good idea to know your vendors’ businesses and to work with them in setting realistic audit parameters.
When should you monitor?
Your organization should manage and monitor its third-party vendors from the time you start doing business with them to the time they stop the assignment. Further, you should establish a monitoring protocol for the third party that allows them to know what to expect.
There are two philosophies in dealing with third-party management: timeline management and risk-based management. These should be used in tandem with each other.
Timeline management focuses on the timing around key events such as selection, approval or negotiation of the vendor. This also is impacted by deadlines set by an organization’s investors, its board of directors and its audit department.
Risk management focuses on determining where your organization’s processes may fail and what to do when something goes wrong. When utilizing this approach, your company should identify potential triggering events and stay up-to-date on regulatory and legal changes. The risk model requires that you actively monitor your operations, aggressively respond to any issues, rapidly escalate the issues internally and efficiently resolve problems when they occur. You should determine which events are critical, when the vendor is required to contact you and when you should contact affected clients.
It’s a good idea to prioritize events; after all, some occurrences may require instant communication, while others may permit waiting a few days. Regardless, your organization and its clients should set up a protocol for how to correct a problem if one arises.
Auditing and assessing
One of your organization’s most significant goals should be gleaning the best understanding of its vendors’ operations. Your company may consider on-site audits by internal departments or consider retaining outside auditors. Whether handled internally or externally, you still may decide to involve the internal audit department, enterprise risk-management department or the relevant business unit that deals with the third party.
Another approach to assessment would be for the vendor to monitor its own operations using your guidelines and report its findings back to you. Many of your clients may require that you perform a self-assessment and report back to them, as well. To facilitate this process, you should designate employees or an outside firm to conduct this self-monitoring.
Finally, make sure that your business takes steps to document its short-term compliance plan, long-term monitoring program and ongoing compliance program. This documentation should take the form of written procedures and written records. Also be sure to review your findings before any report is published.
A related issue, again, is how you can preserve the attorney-client privilege as a way to manage your risk. To preserve this privilege, your organization should hire outside counsel to direct and supervise compliance reviews. This is especially important if your company has never conducted a compliance review, if you suspect there are compliance problems, or if you anticipate civil litigation or a government enforcement action.
• • •
There certainly are many aspects to third-party management — too many to summarize in a single article. Each organization will work differently when it comes to how it manages risk, as well as the types of risks to which it’s exposed. In the end, however, the success of your efforts will be driven by your organization’s dedication to good management and quality business practices. In undertaking your third-party monitoring and management, the cost of failure will be high. That noted, the rewards of proper management will be high, as well, with your organization being healthier, more compliant and more efficient as a result.
Kristina D. Maritczak is the head of the mortgage regulatory and compliance group for Palmer, Lombardi & Donohue LLP.
Reach her at firstname.lastname@example.org or (213) 929-2348. Frederick A. Haist is in Palmer, Lombardi & Donohue’s financial services litigation group. Reach him at email@example.com or (213) 688-0430. Michelle Canter of Lotstein Legal contributed to this article.