Bank of the Future

Vendor Risk Management in Mortgage Operations: Active Oversight Required

 
January 14, 2016

Policies and procedures for managing third-party vendor relationships changed dramatically when the Consumer Financial Protection Bureau (CFPB) came up with a series of regulations in April 2012, and the Office of the Comptroller of the Currency (OCC) followed with an update in October 2013. Both regulators emphasized the same core principles pertaining to the effective management of third-party vendors. While it's been more than three years since the regulations came into effect, many banks still find it challenging to comply with these rules; some have even been fined for non-compliance.

It is important to understand the intent of these regulations and the consequences of non-compliance. Broadly, regulators require lenders to have policies and procedures in place for: (i) vendor management planning, (ii) standard guidelines for vendor selection, (iii) contract terms focused on data security and privacy, (iv) oversight mechanisms, (v) reporting, and (vi) periodic audit review plans.

In 2014, the CFPB fined a large regional bank for a violation under Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) due to its failure to efficiently oversee third-party activities. The bank had failed to maintain standard service-level agreements for vendors and was found to be lacking adequate monitoring and oversight capabilities. Another bank was ordered to pay USD 37.5 million in damages to mortgage consumers for being negligent in handling mortgage modifications and providing incorrect information, which led many distressed borrowers into foreclosures. In this case, the lender had outsourced servicing operations to a third-party vendor.

The CFPB emphasizes the need to have a risk-scoring model for vendors and to monitor their activities with periodic on-premise visits. The focus must be on critical activities that involve higher vendor reliance and have a direct impact on borrowers, such as disclosure preparations and presentments requiring lenders to transmit critical borrower and account information to a third party. Lenders' readiness for a regulatory examination with respect to data privacy and security standards also paves the way for a robust business and operations strategy.

Minesh Mudaliar is a Domain Consultant with the Mortgage practice of the Banking and Financial Services (BFS) business unit at Tata Consultancy Services (TCS). He has more than 12 years of experience in the mortgage space and was a retail banker before joining TCS. Having worked on various projects for North American banking players, Minesh has built a strong expertise in the US residential mortgage space and works closely with the various account teams for thought leadership and domain-related support.