Over the last few years, the GSEs, the CFPB and the OCC have issued new vendor management requirements placing increased scrutiny on how banks and nonbanks are managing third-party risk.
It is clear that the regulators and government agencies expect more oversight.
In the servicing business, it has always been critical to have a strong vendor management and oversight program for any outsourced functions or third-party services purchased on behalf of others. However, depending on the function or company size, the focus may have been more on performance management and less on due diligence and vendor risk.
According to a bulletin published last year by the CFPB, the bureau wants to ensure that consumers are protected from irresponsible service providers and that servicers are contracting with ethical third parties. The CFPB expects banks and nonbanks to have an effective process in place to manage the risk of outsourcing. Specifically, a supervised entity, at minimum, must thoroughly review the service provider’s policy and procedures, internal controls and training materials.
Both Freddie Mac and Fannie Mae have published new rules requiring servicers to change the way they manage and leverage attorneys for default and bankruptcy work, and have created specific requirements for diligence and approval. As a result, servicers have developed a new process to approve, manage and audit their legal networks. Traditionally, the servicers had to use the counsel approved by the GSEs. This new rule has placed a significant amount of vendor management expertise back on the servicers.
The OCC consent order specifically mandates certain vendor management requirements and timelines associated with implementing appropriate third-party oversight. The OCC is especially concerned about record management as well as monitoring how the third parties comply with the law.
With this additional scrutiny, guidance and regulation coming from many different supervisory bodies, a servicer has more complexity than ever to deal with and implement during this time of reform.
A servicer is typically both a service provider and a responsible party engaging other service providers. The downstream vendors may also have a network of partners they use to perform the services purchased. Naturally, there is a great amount of risk involved. A few suggestions can help a servicer address the requirements in today’s environment, mitigate risks and maximize performance.
First, a servicer should provide the appropriate level of transparency to its clients. A servicer in today’s world should provide integrated tools and technology as well as options for a more thorough oversight into its activities. This may require pushing data through new interfaces as well as engaging outside third-party experts to conduct occasional reviews and detailed analyses.
Second, a servicer must have a strong internal vendor management program to ensure that any service provider it engages is not causing harm to consumers and is managing any operational and performance risks. This structure may include many components, depending on the size and complexity of your organization, including:
- Vendor management office and executive oversight
- Continuous improvement resources and process implementation team
- Outside surveillance and audit support
- Internal QA audits and compliance resources
- Additional operational resources
- New technology and tools
- Robust scorecard capabilities
- Change management team and process
Servicers must have multiple controls and checkpoints for successful vendor management today and cannot rely on a single data point or person/function to manage all third parties. These components do cost money and will only continue to increase the cost of servicing over time. However, during a time when a servicer has to manage more change and requirements than ever before, the risks of not having the appropriate oversight level are much too high.
Remember: COMPLIANCE = POLICIES + PROCEDURES + ACTUAL PRACTICES