Attorney Scott Samlin once saw a vendor’s limousine pull up outside a mortgage company’s office and whisk away several employees to a hockey game.
“Pick your vendors because they’re better, faster, and cheaper—not because they can get you good tickets,” Samlin told mortgage executives recently. “If regulators feel like you’re letting third parties do things they shouldn’t, the fines are going to be hefty.”
Many organizations maintain strict gift policies, but Samlin’s caution is only the beginning of the vendor management challenge for the mortgage business. He and fellow speakers at a session at the Mortgage Bankers Association’s recent annual convention had a message for mortgage firms:
“Regulators view vendors as an extension of lenders, so you are responsible for their compliance and the security of the data you provide them.”
Handling this challenge requires many efforts, from spelling out vendor responsibilities to being sure that vendor relations have a “home” within your company to making sure that vendor policies and practices involving your company’s clients reflect your organization’s own.
Finding the regulatory lines
Samlin, partner at Alston & Bird LLP, said servicing regulations are now massive, with vendors under more scrutiny than ever; yet there are no specific instructions on how to handle those relationships. CFPB Bulletin 2012-03 addressing the topic was very short on detail, Samlin said.
“Your best starting place would be OCC Bulletin 2013-29,” Samlin advised. “That’s a much more detailed set of guidelines to evaluate different types of service providers.”
Making sure vendors follow through
Due diligence is necessary when selecting third-party providers, and so is continued oversight afterward. Among Samlin’s recommendations:
1. Visit your vendor onsite.
“Make sure they’re shredding documents like they said they would, that they haven’t hired a temp who’s photocopying Social Security numbers, that their dumpster actually is secure,” he advised.
2. Track the licenses of people with whom you do business.
“If a mortgage broker sends you a loan, and they don’t have a license in that state, you need to know that.”
3. Check for litigation against any prospective vendors.
4. Monitor their calls.
“I can’t harp on this enough,” Samlin said. “Any vendor you have who can call consumers in your name, you’d better be able to monitor those calls. Be able to do it remotely. You have to be able to listen the same way the CFPB is listening.”
Put it in writing
Ravi Ramanathan, CEO of Decision Ready Solutions, said the most important part of overseeing vendor relationships is to document your actions.
“If you think their onsite security is weak, you have to show that you took action to make the process better,” advised Ramanathan. He recommended using electronic tracking to be sure your messages are received.
“It’s easy to send email to 500 closing agents, but you have to know they got it. It’s not enough to do the right thing,” said Ramanathan. “You have to be able to show you did the right thing.”
As president and CEO of RML Investments, Regina Lowrie advises clients to make sure their contracts with vendors are clear: How will they handle any breaches? What is their disaster recovery plan? What are their IT security policies?
Most crucial is how they handle customer complaints.
“CFPB is concerned about how subservicers treat your clients,” Lowrie said. “How they handle customer complaints is critical because CFPB holds you accountable.”
Lowrie said one of the biggest challenges she sees is that often there’s no one in a company who “owns” vendor management. Be sure you have a comprehensive list of your vendors, she said. Also be aware that some of your servicers may subcontract, and you’re responsible for the actions of those vendors as well.
“As master servicer it becomes difficult to keep an eye on that,” said Lowrie—but it’s necessary.
Bill Maguire, vice-president of Servicer Relationship Management at Freddie Mac, warned lenders to be sure third-party servicers “are financially and operationally sound. Throwing loans over the fence and saying, ‘The subservicer should do all the reporting’ isn’t enough. You have to always watch and monitor.”