How much do you think it would cost a mortgage servicer to conduct vendor due diligence and monitoring to ensure it’s properly managing customer documents? You may not know the exact figure, but I can tell you how much it costs when a mortgage servicer doesn’t bother to do it.
It’s $200,000 in penalties and at least $36,500 in restitution.
That’s how much the Consumer Financial Protection Board is getting from a settlement with mortgage servicer BSI Financial Services in Irving, Texas, according to a May consent order.
The CFPB says that from September 2012 through July 2014, BSI outsourced the job of determining borrower’s property tax and homeowner’s insurance premiums to a third-party vendor but lacked the policies and procedures necessary to conduct adequate periodic reviews of the vendor and its data. As a result, BSI didn’t create escrow accounts for some borrowers and in several cases failed to pay property taxes and insurance premiums on time, violating RESPA and Reg X. Meanwhile, borrowers were forced to pay late fees and in some cases were responsible for covering damage when homeowner’s insurance policies unknowingly lapsed.
Preventing Consent Orders with a Strong CMS
As part of the consent order, the CFPB says BSI must update its compliance management system (CMS) to ensure it’s able to uncover errors, including those committed by third-party service providers. Proscribed steps include:
- Monitoring and supervision of third-party vendors
- Policies and procedures for investigating and correcting consumer complaints of errors made by third parties
- Assessing data and documents risk, including those held or managed by third parties
- Regular auditing/monitoring of mitigating controls for ensuring vendor compliance
- Structuring contracts with IT vendors so they address compliance and system availability
Vendor management is a critical element of both risk and compliance management, which all fall under the umbrella of enterprise risk management (ERM). Failing to engage in appropriate third-party vendor planning, due diligence, contract negotiations, and ongoing monitoring can result in bad press, large fines, and a regulatory headache.
Sure, you may end up with a nice document outlining the flaws in your vendor management program and what needs to be done to correct them, but it’s a lot cheaper to conduct an audit and manage your own findings. When a regulator writes that document in a consent order, it comes at a high cost.