Vendor Management for Banks and Credit Unions
Your financial institution is a valuable member of the business community, but staying relevant means relying on hundreds of vendors who provide products and services. Unfortunately, these third-party relationships can create significant risk. Proper vendor management reduces the risk posed by third parties and positions your financial institution for success.
Vendor management is the process by which an organization’s third- and fourth-party vendor contracts, expectations and business dealings are organized within a single system, making it easy to find, report on and edit vendor agreements.
Regulation 1024.38 General servicing policies, procedures, and requirements
This regulation states that FIs must maintain “policies and procedures that are reasonably designed to achieve the objectives set forth in paragraph (b) of this section”. Paragraph (b) details the policies and procedures that must be in place, including what they must address.
The relevant requirement for policies and procedures addresses “Facilitating oversight of, and compliance by, service providers”. The policies and procedures must satisfy the following:
(i) Provide appropriate servicer personnel with access to accurate and current documents and information reflecting actions performed by service providers;
(ii) Facilitate periodic reviews of service providers, including by providing appropriate servicer personnel with documents and information necessary to audit compliance by service providers with the servicer’s contractual obligations and applicable law; and
(iii) Facilitate the sharing of accurate and current information regarding the status of any evaluation of a borrower’s loss mitigation application and the status of any foreclosure proceeding among appropriate servicer personnel, including any personnel assigned to a borrower’s mortgage loan account as described in §1024.40, and appropriate service provider personnel, including service provider personnel responsible for handling foreclosure proceedings.
Regulation 1007.104 Policies and Procedures
This regulation states that an FI that “employs one or more mortgage loan originators must adopt and follow written policies and procedures designed to assure compliance”. The vendor management requirement is the following:
“Establish procedures designed to ensure that any third party with which the covered financial institution has arrangements related to mortgage loan origination has policies and procedures to comply with the S.A.F.E. Act, including appropriate licensing and/or registration of individuals acting as mortgage loan originators.”
Regulation 233.5 Policies and procedures required
This regulation states that “participants in designated payment systems shall establish and implement written policies and procedures reasonably designed to identify and block or otherwise prevent or prohibit restricted transactions”.
233.5(b) states that a participant in a designated payment system shall be considered to be in compliance if the organization complies with written policies and procedures that identify and block restricted transactions or otherwise prevent or prohibit acceptance of products or services of the designated payment system or participant in connection with restricted transactions.
The relation to vendor management can be found under 233.5(c).
Under this regulation a participant in a designated payment system may rely on a written statement or notice by the operator of the designated payment system that states:
“that the operator has designed or structured the system’s policies and procedures for identifying and blocking or otherwise preventing or prohibiting restricted transactions to comply with the requirements of this part as conclusive evidence that the system’s policies and procedures comply with the requirements of this part, unless the participant is notified otherwise by its Federal functional regulator or, in the case of participants that are not directly supervised by a Federal functional regulator, the Federal Trade Commission.”
The relation to vendor management can be found under III. Specific Components of Policies and Procedures – (f)
“Providing for appropriate and effective oversight of relevant service providers whose activities may affect the accuracy or integrity of information about consumers furnished to consumer reporting agencies to ensure compliance with the policies and procedures.”
Regulation 717.90 Duties Regarding the detection, prevention and mitigation of identity theft
This Regulation requires FIs to establish an ID Theft Prevention Program. Program requirements are provided in detail and include that a written program be developed and implemented, designed to “detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account”. Elements of the program are provided as well as requirements for the administration of the program.
The relation to vendor management can be found under 717.90(e)(4).
“Exercise appropriate and effective oversight of service provider arrangements.”
The relation to vendor management can be found under Appendix J(c) – Oversight of service provider arrangements.
“Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered accounts the federal credit union should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a federal credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft.”
12 CFR – OCC Part 34 / FDIC Part 365 / FRB Part 208
These regulations set forth standards for real estate-related lending and associated activities.
Most financial institutions (FIs) outsource all or certain aspects of the lending process to third parties. The decision to outsource surely included the decision to apply due diligence ensuring that any such relationship would not bring greater risk to the FI from a Compliance, Reputation, Strategic or even a Credit Risk perspective. Because due diligence is the key mitigating control for the inherent risk in these third-party relationships, the FI relies on a strong Vendor Management Program to ensure that the vetting, selection and ongoing monitoring of third-party relationships is conducted consistently and appropriately.
The Real Estate Lending and Appraisals regulations cover many elements of lending. I will be drawing attention to a few of these aspects and will explain how these requirements associate or intertwine with Vendor Management.
34.43 addresses appraisals: when they are required and at what level (State certified or licensed appraisal, or an evaluation). Any use of a third party should include assurance that the appraisal services are compliant with Federal regulation as well as the FI’s Lending Policy and any other appraisal-related doctrine such as procedures and/or memos.
34.62(b) requires that FIs adopt and maintain “written policies that establish appropriate limits and standards for extensions of credit that are secured by liens on or interests in real estate, or that are made for the purpose of financing permanent improvements to real estate”. Of course, it is also required that these be board approved annually.
34.62(b) provides details of the required topics to be addressed in the FI’s lending policies and procedures. What meant most to me, from the standpoint of what must be considered when outsourcing any aspect of lending, were the requirements set forth in 34.62(b)(2)(i) through (iv). They are provided below, with the vendor management narrative following.
34.62(b)(2) The lending policies must establish: (i) Loan portfolio diversification standards; (ii) Prudent underwriting standards, including loan-to-value limits, that are clear and measurable; (iii) Loan administration procedures for the bank’s real estate portfolio; and (iv) Documentation, approval, and reporting requirements to monitor compliance with the bank’s real estate lending policies.
From a vendor management point of view, it seems clear to me that prudent action for the FI would be to review their loan policy during the vetting stage of a third party to perform or assist in lending activities.
- Vetting (through RFP) should include questions or statements related to specifics of the FI’s Lending Policy. Specifications may include loan-to-value (LTV) requirements to be included as a parameter set within a loan origination system (LOS) or other similar application, loan servicing requirements, etc.
- Contract review should include identification of specific requirements per the FI’s lending policies (and procedures). Does the agreement specifically address those requirements included within your Policy? If those requirements are not met, what is the recourse? Is a process in place where the third party assesses their own work from a compliance perspective? Does this review include verification that the standards in your agreement were upheld? Will the third party provide this report to you once completed? Will the third party provide an applicable response in the event there are findings in those reviews? Is there a requirement for the content of the management response (what actions will be taken, who is responsible, when it is expected to be completed)?
- Does the contract address the actions that will be taken if errors are found related to non-compliance (compliance with law, compliance with the FI’s Policy, compliance with the agreement/contract)?
Ongoing due diligence of a third party providing lending services should include a comparison of completed loans to confirm compliance, first with the FI’s Policy and always, of course, with Federal and State regulations.
Nvendor is a complete vendor management software and services solution that helps manage third-party risk impacts on your organization. Our systematic approach uncovers opportunities to reduce internal costs, decrease external costs, and most importantly, to discern and alleviate your risk.