Scotsman Guide > Residential > March 2014 > Article

 Enter your e-mail address and password below.


Forgot your password? New User? Register Now.
   ARTICLE   |   From Scotsman Guide Residential Edition   |   March 2014

Conquering the Beast

Building an effective vendor-management system doesn’t have to be a terror

Conquering the Beast

This past year, mortgage banks and lenders focused their attention on making sense of the Consumer Financial Protection Bureau (CFPB) requirements that went into effect in January ’13. Even so, many mortgage companies still haven’t adequately prepared for the development of vendor-management controls and oversight, a sleeping giant that needs to be reckoned with as the CFPB throws its regulatory throttle into full gear.

Building and implementing a vendor-management system certainly can be a monster of a task, but with the right preparation and know how, mortgage companies nonetheless can construct effective systems and ensure their vendors’ full compliance with pertinent rules and regulations.

Many mortgage companies use third-party vendors as a wise extension of their operation to lower costs and manage variable staffing plans. The vendor relationship, which allows lenders to serve more customers and still retain quality processes, is a smart choice for businesses poised to grow and those that need to augment their staff with specific competencies that they don’t possess internally. Additionally, vendor relationships can be useful to lenders that are looking to tighten their belts and contain costs.

The CFPB believes that consumers are disadvantaged by their inability to select specific service providers if and when their financial institutions choose to use third-party services. As a result, the CFPB holds financial institutions accountable for regulatory violations regardless of whether or not a service is performed internally or through a vendor. In holding institutions responsible in this regard, the bureau hopes to avoid unfair, deceptive or abusive practices.

Before this regulatory guidance, third-party due diligence and vendor-management oversight varied greatly, and for some lenders, related policies and practices did not even exist. Regulatory fines and civil penalties totaling in the hundreds of millions of dollars — partly related to third-party performance — have brought the need for vendor oversight to the forefront of the mortgage industry’s attention. In the past year, the CFPB has bolstered its army of regulators that audit financial institutions, arming these regulators with the authority to impose civil penalties, restitution and cease-and-desist orders.

If they hope to avoid improper actions by their third-party service providers, mortgage banks and lenders must develop solid vendor-management policies and processes. In order to adequately manage these third-party relationships, financial institutions should implement a proper due-diligence program to confirm that a third-party service provider understands and adheres to regulatory requirements.

Remember: Financial institutions are responsible for reviewing their third-party service provider’s policies and internal controls to ensure compliance. In addition, institutions must review vendors’ training plans and materials to confirm that adequate plans are in place and are being followed, particularly for those employees in consumer-contact positions or in positions for which the work impacts the consumer’s experience.

When it comes to vendor management, these aren’t the only topics mortgage companies must bear in mind, however. If your organization is still getting its ducks in a row, what other factors should you consider?


In addition to third-party service provider due-diligence efforts, mortgage banks and lenders must establish a vendor-monitoring plan designed to periodically review a vendor’s compliance with regulatory requirements, and they must develop an action plan to correct issues and mitigate risks if infractions are discovered during the third-party monitoring process. Banks and lenders also should focus on the high technical risk of vendor systems. A complete monitoring and testing of loan systems is critical to check for updated regulatory controls.

Financial institutions using a third party’s software to generate loan disclosures, for instance, should identify that the vendor is managing required system updates for federal and state laws to ensure that required changes are reflected in system controls. Proper management and monitoring of a vendor’s technical controls and system updates can be critical in preventing fines and penalties.

Failure to follow the CFPB’s vendor-management requirements for due diligence and oversight may present unintentional risk to consumers and result in fines and civil penalties, as evidenced by the vendor-related penalties already levied by the CFPB. For instance, in a consent order involving vendor management and unfair and deceptive acts related to add-on products, the CFPB recently mandated an action plan to develop a certain financial institution’s third-party service provider policies to ensure that add-on products sold by the bank and through its vendors complied with consumer financial laws.

More specifically, this mandate required the bank in question to analyze its vendors prior to entering into a contract with them, specifying that this analysis must investigate a vendor’s ability to conduct marketing, sales, delivery, servicing and fulfillment activities in compliance with pertinent federal laws and the bank’s own policies and procedures. When it came to the contract between the bank in question and its vendors, the CFPB asked that both new and renewed contracts specify the responsibilities of each party. The CFPB outlined four responsibilities that these contracts had to address:

  1. “The Vendor’s specific performance responsibilities and duty to maintain adequate internal controls over the marketing, sales, delivery, servicing, and fulfillment of services for the Products;
  2. “The Vendor’s responsibilities and duty to provide adequate training on applicable Federal consumer financial law and the Bank’s policies and procedures to all Vendor employees or agents engaged in the marketing, sales, delivery, servicing, and fulfillment of services for the Product(s);
  3. “Granting the Bank the authority to conduct periodic onsite reviews of the Vendor’s controls, performance, and information systems as they relate to the marketing, sales, delivery, servicing, and fulfillment of services for the Product(s); and
  4. “The Bank’s right to terminate the contract if the Vendor materially fails to comply with the terms specified in the contract, including the terms required by this Paragraph.”

Taking action

If your bank or brokerage hopes to steer clear of a similar rebuke from the CFPB, your organization  should establish prudent and thorough third-party service provider due diligence and management policies and programs. There’s a number of areas where you should focus your efforts in this regard, but mortgage companies should work especially hard to do the following:

  • Confirm that your corporate policies are in place for governance regarding vendor management policies.
  • Develop governance and controls to establish pertinent metrics. Additionally, review your vendors’ metrics, as well as the structure and frequency of their performance reports.
  • Assess your vendor’s policies for safeguarding consumers’ personal information. This includes their adherence to the requirements of numerous laws and guidelines, including the Gramm-Leach-Bliley Act, the Equal Credit Opportunity Act, the Real Estate Settlement Procedures Act, the Truth in Lending Act, and the ability-to-repay rule.
  • Apply the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act as required by the CFPB for property oversight of vendor management.
  • Implement a standard risk- assessment framework that stratifies vendors based on their risk to your organization.
  • Clearly establish an expectation with vendors that interviews and walkthroughs will be completed prior to an executed contract. Vendors also should expect ongoing oversight after the contract’s execution.
  • Require vendors to provide the right to audit them and their subcontractors.
  • Confirm a vendor’s ability to protect information, confidentiality and consumer security.
  • Clearly define default and termination policies in the event of a vendor poorly performing or failing to maintain compliance with regulatory requirements.
  • Verify that the vendor maintains the licenses required to perform the outsourced services.
  • Confirm that the vendor understands and is capable of complying with federal consumer financial law.
  • Validate that the vendor has policies, procedures, internal controls and training material to ensure that consumer contact is in compliance with federal consumer laws and regulations.
  • Verify that the vendor has an adequate business-continuity plan.
  • Confirm that controls are in place to handle consumer complaints according to regulatory requirements.
  • Verify that technology systems such as loan-origination and default-servicing systems have been updated to include current regulatory requirements.

•  •  •

As the year progresses, vendor compliance will undoubtedly remain a hot topic in the mortgage industry. Some organizations may struggle to stay on top of related rules and regulations, while others will forge ahead and rarely miss a beat. The banks and brokerages that have solid vendor-management controls and oversight in place can better equip themselves for a changing market and for continued success in the future. 


Fins A Lender Post a Loan
Residential Find a Lender Commercial Find a Lender
Scotsman Guide Digital Magazine

Related Articles



© 2019 Scotsman Guide Media. All Rights Reserved.  Terms of Use  |  Privacy Policy