Hi, I'm Nicole, your friendly regulatory compliance counsel. Ncontracts asked me to do a brief video series on Fannie Mae's requirements for business continuity, audit and management controls, and management of vendors and other third-party service providers.

This video explains what Fannie Mae requires in regards to the management of vendors. 

Last, but definitely not least, what does Fannie Mae require in regards to management of vendors and other third party service providers? Fannie Mae requires and states that they require this in their seller and the servicer guides that lenders must have written procedures for the approval and management of vendors and other third-party service providers. And that it is critical that third-party relationships are managed in accordance with internal policies related to strategic reputational, operational, transactional, credit, and management compliance risks.

 In its recently released lists of self-assessments, Fannie Mae even reminds sellers and sellers and servicers that they remain fully responsible to Fannie Mae for functions that are outsourced to third-parties. A seller must have effective written policies and procedures for approval and management of third-party originators and must satisfy itself that all TPO’s produce quality loans. There are approximately 13 required items Fannie Mae includes for vendor oversight just for TPO’s, such as developing approval process and controls for TPO’s like mortgage brokers and correspondence, including reviews of recent financial statements, current licenses, receiving resumes of principal officers, conducting annual reviews of TPO’s financial statements, ensuring post-closing quality control processes of TPO’s. Review cycles must be structured to ensure that transactional or originated by each TPO’s are reviewed at least once annually.

 Fannie Mae also stresses the importance of complete vendor oversight in three required items. Processes and procedures for the approval of vendors and other third-party service providers — and this is for all vendors across the board, especially for those high risk vendors. You have to show processes and procedures for the management of vendors and other third-party service providers.

 So, you got to show that you have procedures in place for getting new vendors approved that are going to be working on Fannie Mae files, and procedures in place for your continual management of those vendors.

So, you need to seek reputable vendors. Ensure all your vendors have the appropriate IT security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT security is. Have in place a vendor self-assessment checklist that includes the following: processes and procedures for the approval of vendors and other third-party service providers. Processes and procedures for management of vendors and other third-party service providers include a process to determine the potential risks using the third-party, a process for selecting and approving third-parties, pre-contract due diligence, a process to monitor the performance and termination if needed of a third-party, a process for completing an annual review of a third-party, approval and oversight procedures to ensure requirements are in alignment with business needs and risks management standards. They require a centralized operating model for third-party oversight and internal staff with the expertise to perform oversight over these vendors.

A third-party risk scorecard is also required, and that scorecard should include strategic risk components, reputational risk components, third-party relationship that results in dissatisfied customers (you need to show that there's a component for that), operational risk components, transactional risk components, credit risk of the third-party component, and last but not least, compliant risks from violation of laws, rules, or regulations for the vendor.

Common findings Fannie Mae has cited during audit reviews are that the seller/servicer does not have a comprehensive written procedure for third-party management. That the seller/servicer does not properly monitor third-party relationship. That the seller/servicer does not have a process in place to confirm that vendors’ activities related to origination of loans delivered to Fannie Mae does not appear on FHFA suspended count party program lists.