Many mortgage companies use third-party vendors as a wise extension of their operation
to lower costs and manage variable staffing plans. The vendor relationship, which allows
lenders to serve more customers and still retain quality processes, is a smart choice
for businesses poised to grow and those that need to augment their staff with specific
competencies that they don’t possess internally. additionally, vendor relationships can be
useful to lenders that are looking to tighten their belts and contain costs.
The cFPB believes that consumers are disadvantaged by their inability to select specific
service providers if and when their financial institutions choose to use third-party services.
as a result, the cFPB holds financial institutions accountable for regulatory violations
regardless of whether or not a service is performed internally or through a vendor. In
holding institutions responsible in this regard, the bureau hopes to avoid unfair, deceptive or abusive practices.
Before this regulatory guidance, third-party due diligence and vendor-management
oversight varied greatly, and for some lenders, related policies and practices did not even
exist. regulatory fines and civil penalties totaling in the hundreds of millions of dollars
— partly related to third-party performance — have brought the need for vendor over-
sight to the forefront of the mortgage industry’s attention. In the past year, the cFPB
has bolstered its army of regulators that audit financial institutions, arming these regu-
lators with the authority to impose civil penalties, restitution and cease-and-desist orders.
If they hope to avoid improper actions by their third-party service providers, mortgage
banks and lenders must develop solid vendor-management policies and processes. In order
to adequately manage these third-party relationships, financial institutions should imple-
ment a proper due-diligence program to confirm that a third-party service provider under-
stands and adheres to regulatory requirements.
remember: Financial institutions are responsible for reviewing their third-party service
provider’s policies and internal controls to ensure compliance. In addition, institutions must
review vendors’ training plans and materials to confirm that adequate plans are in place and
are being followed, particularly for those employees in consumer-contact positions or in posi-
tions for which the work impacts the consumer’s experience.
When it comes to vendor management, these aren’t the only topics mortgage companies
must bear in mind, however. If your organization is still getting its ducks in a row, what other
factors should you consider?
In addition to third-party service provider due-diligence efforts, mortgage banks and lenders
must establish a vendor-monitoring plan designed to periodically review a vendor’s compliance with regulatory requirements, and they must develop an action plan to correct issues and
mitigate risks if infractions are discovered during the third-party monitoring process. Banks
and lenders also should focus on the high technical risk of vendor systems. a complete monitoring and testing of loan systems is critical to check for updated regulatory controls.
Financial institutions using a third party’s software to generate loan disclosures, for instance, should identify that the vendor is managing required system updates for federal and
state laws to ensure that required changes are reflected in system controls. Proper management and monitoring of a vendor’s technical controls and system updates can be critical in
preventing fines and penalties.
Failure to follow the cFPB’s vendor-management requirements for due diligence and oversight may present unintentional risk to consumers and result in fines and civil penalties, as
evidenced by the vendor-related penalties already levied by the cFPB. For instance, in a consent order involving vendor management and unfair and deceptive acts related to add-on
products, the cFPB recently mandated an action plan to develop a certain financial institution’s third-party service provider policies to ensure that add-on products sold by the bank
and through its vendors complied with consumer financial laws.
More specifically, this mandate required the bank in question to analyze its vendors prior
to entering into a contract with them, specifying that this analysis must investigate a vendor’s
ability to conduct marketing, sales, delivery, servicing and fulfillment activities in compliance
with pertinent federal laws and the bank’s own policies and procedures. When it came to the
contract between the bank in question and its vendors, the cFPB asked that both new and
renewed contracts specify the responsibilities of each party. The cFPB outlined four responsibilities that these contracts had to address:
1. “The vendor’s specific performance responsibilities and duty to maintain adequate
internal controls over the marketing, sales, delivery, servicing, and fulfillment of services
for the Products;
2. “The vendor’s responsibilities and duty to provide adequate training on applicable Federal
consumer financial law and the Bank’s policies and procedures to all Vendor employees or
agents engaged in the marketing, sales, delivery, servicing, and fulfillment of services for
3. “granting the Bank the authority to conduct periodic onsite reviews of the Vendor’s
controls, performance, and information systems as they relate to the marketing, sales,
delivery, servicing, and fulfillment of services for the Product(s); and
continued on page 52 »
« BEAS T continued from page 43
Lisa M. Weaver is senior vice president of ISGN and heads
up the company’s Professional Services Practice, which
includes compliance Solutions and is responsible for
growth through alliances and innovation. reach her at