On January 24, 2017 the OCC shared the OCC Bulletin 2017-7 (examination procedures to supplement OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,”) to promote “consistency” in the examination guidelines and goals of the OCC of the covered national banks and federal savings associations. These guidelines are designed to help examiners focus and apply consistent measurement across any framework in place for third party oversight by institutions and the key is to have a “best in class” risk management system and framework for identified and appropriate risks. FundingShield has been deploying vendor & third party service provider (“TPSP”) oversight, management, compliance & audit tools for clients and our conversations in these deployments center on frameworks for best practices of this oversight. We share some of the data points from our discussions with clients drawn from McKinsey and the major audit and advisory firms who have developed a thoughtful approach . We are happy to dive deeper and discuss our services in depth.
McKinsey issued a working paper on managing third party risk in the changed regulatory environment discussing “Tradition Programs” in risk management versus the paper’s focus, “Best in class programs based on (then, 2013) recent regulatory requirements.” We look at this paper and other advisory firms analysis on developing a robust and relevant risk system for TPSPs keeping in mind that many in the mortgage space tend to focus on consumer facing vendors or third parties who manage consumer data. There is a lack of focus on active, tracked and auditable oversight of settlement parties who handle the principal balance of funds where FundingShield has a heightened focus.
Almost all mortgage lenders, servicers, advisory firms, title co’s and even tech solution providers have key vendor and third party relationships that are mission critical to perform their service and generate high quality products. Beyond the regulatory driven requirement for having risk management to oversee third parties it is essential for any mortgage lender (bank or non-bank) to create an easy to use risk management approach around third parties to:
· take inventory of third parties
· understand contractual agreements as well as the break points
· assign basic requirements to play and actively monitor these for compliance – such as insurance, licensing, clearing background checks
· create defensible diligence points (for business security and from a regulatory perspective) that are vital for a subset of a firm’s vendors.
The issue is scoping, determining level of risk posed by a vendor, the level of data and information a vendor obtains and also their ability to perform business critical functions in changing environments and then setting the requirements for appropriate oversight in an easy to use system (in house or off the shelf) that has audit & compliance focus to reduce ops risk.
OCC – The OCC supplemental examination procedures provide a good starting point to scope the risk posed by third parties to banks at a high level, most of which apply to the mortgage space. By answering questions surrounding risks associated with the bank’s third-party relationships, one can begin to see the thought process of the examination per the OCC’s objectives shedding light on some questions risk managers should be asking themselves, such as:
Does the bank have a full inventory of its third-party relationships, including:
- Services provided by or to affiliates and subsidiaries?
- Are services provided by or to other banks? What are the arrangements with financial market utilities?
- Debt originators (e.g., mortgage or auto dealers) and debt collectors?
- Mortgage government-sponsored entities (e.g., Fannie Mae and Freddie Mac)?
- Critical application software providers?
- Entities that support the bank’s human resource functions, such as payroll or benefits administration?
- Attorneys, appraisers, and consultants?
- Entities with whom the bank engages in referral arrangements?
- Entities to which the bank has delegated fiduciary activities?
McKinsey – Many papers and write-ups on this subject (including the major US audit firms E&Y/PWC and regulators) are highly focused on consumer facing vendors and TPSPs entities only. A risk regime based on CFPB driven consumer focus is a good start but a solid risk management protocol should include enhanced monitoring on TPSPs that could have potential harm to the lender itself such as settlement agents and attorneys who handle lenders funds. See below from McKinsey’s paper that despite being written years ago still hits the points being referenced by regulators and top risk managers:
A best in class vendor & third party risk management system should include the following which FundingShield incorporates into all of its current products and services for its clients, the system should:
- Be “Supplemented with compliance and QC metrics to ensure monitoring of risks in addition to performance”
- Include the “Involvement of independent teams in oversight activities”
- Contain details of escalated incidents to ensure transparency with risk management.
- Leverage technology tools should be used to act as comprehensive source of third party performance and risk based data to clearly record and articulate to risk management.
- Be supplemented by humans for escalation and workout of key issues. Contact us to discuss this further!
FundingShield is a leading software enabled services company and the only provider of active loan level diligence for closings to the residential mortgage industry. The Company’s array of services provides active verification and validation at the loan level for mortgage closings and detailed analysis of the documentation used. Our products & services include:
- Verification and validation services at the loan level of closing documents for lenders, insurers and title companies
- Confirmation of title insurance coverage for lenders backed by FundingShield’s GUARDIAN CERTIFICATE
- Automated audit compliance management systems for 3rd party service providers of lenders, title & state agencies & appraisers.
- Pre/Post close QC QA and audit preparation.
- Cyber security, IT Theft, online brand reputation monitoring and brand protection, 24/7/365 tracking of key property, personnel & vendors with threat reporting automation leveraging millions of public data points.
- Specialized underwriting services to insurance companies and lenders as well as closing process audit reviews.
For more information on FundingShield, to schedule a WebEx demo or to see what other services we provide the residential mortgage industry please email Sales@FundingShield.com or call (949) 706-7888