Managing Vendors for Compliance Professionals


Ongoing oversight can include the following techniques, among others:

- Onsite reviews
- Review of reports prepared by the vendor
- Periodic meetings or calls with the vendor
- Periodic transactional testing
- Establishment of scorecards or other monitoring systems

The company should consider the following non-exclusive list of items when contracting with third parties:

- Scope of the arrangement
- Performance standards, measures, key performance indicators, or benchmarks
- Authorization to offer ancillary products and services
- Duration, default, and termination
- Cost, compensation, or fee structure
- Ownership and licensing
- Subcontracting
- Insurance
- Receipt, response, tracking, and prompt notification of customer complaints
- Regulatory compliance and supervision
- Responsibilities for providing and receiving information
- Audit rights for the company and its regulators
- Reporting
- Custody and control of original records and their return to the company
- Confidentiality and security of information
- Business resumption and contingency plans
- Appropriate representations, warranties, and covenants
- Contractual remedies and limitations on liability
- Dispute resolution
- Other considerations based on the nature of the arrangement and complexity of the services

Typical Servicing Vendors

- Servicing software
- Outsourced servicing vendor
- Tax service vendor
- Foreclosure software vendor
- Foreclosure attorney vendor
- Property inspector
- Bi-weekly payment vendor
- Vendors used to cross-sell (i.e., credit life insurance)
- Outsourced lockbox or cashiering
- Outsourced payoff / release of lien
- Outsourced refi efforts
- Outsourced collection efforts
- Property preservation vendor
- Lender-placed insurance vendor
- Claims processing
- Delinquency reporting
- MSR valuations (data security)
- Real estate agents

Typical Loan Production Vendors

- Settlement agent
- Credit reporting vendor
- Appraiser
- Tax service provider
- Flood certificate provider
- Title insurer
- Quality assurance outsource vendor
- Private MI provider
- Loan origination system vendor
- Secondary marketing co-ops
- Outsource secondary marketing provider
- Third-party tax transcript providers
- Employment verification services
- Third-party doc prep
- HMDA reporting
- Vendors that provide red flags on borrowers
- AVM vendors
- Real estate sales agents

Debt Collection and Credit Reporting

Even under new leadership, the CFPB has made clear that it will be prioritizing enforcement related to violations of debt collection laws. As a result, in addition to ensuring that mortgage servicers are implementing adequate policies and procedures with respect to vendor oversight, federal agencies have also been attentive to debt collection and credit reporting practices. In November 2017, the CFPB took action against a service provider for software errors that led to incorrect consumer information about more than one million borrowers being sent to credit reporting agencies. The CFPB was particularly critical of the company for failing to notify all of its auto lender clients about known flaws in its software that led to the errors. The consent order required the company to pay a $1.1 million civil penalty, explain its mistakes to its lender clients, and fix its faulty software.

Cybersecurity

Some states have enacted laws establishing cybersecurity requirements for financial services companies. These laws may have an impact on third-party vendors.

termination

The OCC Bulletin also specifies a termination "stage" in the third-party relationship management lifecycle. Financial institutions should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.

oversight and monitoring of service providers

Contracts should set forth the processes for measuring performance against contractually required service levels and tie the frequency of performance reviews to the risk profile of the service provider. This section of the FRB Guidance, consistent with the "Ongoing Monitoring" section of OCC Bulletin 2013-29, also recommends the creation of escalation protocols for under-performing service providers and monitoring of the service provider's financial condition and internal controls, which may also trigger escalation if the service provider's financial viability or the adequacy of its control environment is compromised during the course of the relationship.

Refers or brokers loan applicants to the company

While there are arguments that brokers are not vendors in the traditional sense, the CFPB has made it clear that it considers entities that broker or refer loans to be acting as agents of the lender. As a result, to reduce regulatory risk as much as possible, a company should treat persons or entities that refer or broker loans as third party vendors and maintain sufficient oversight and management of these relationships.

due diligence

includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, financial institutions should look to external organizations such as trade associations, the Better Business Bureau, the Federal Trade Commission (FTC), and state regulators when performing diligence on consumer-facing third parties.

The CFPB issued Compliance Bulletin and Policy Guidance 2016-02, Service Providers (October 31, 2016)

to clarify that supervised entities have flexibility in developing the depth and formality of the risk management program for service providers. In particular, supervised entities may take into account the service being performed - its size, scope, complexity, importance and potential for consumer harm - and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.

litigation, enforcement, and complaints

- A schedule of all suits, actions, litigations, patent, trademark or trade name infringement proceedings, arbitrations, administrative proceedings, or other governmental investigations or inquiries, pending or threatened, which seek an injunction, seek a declaratory judgment, or involve a claim for relief, providing a brief description of the parties and the nature of the proceeding
- A summary of closed material litigation
- Any consent decrees, judgments, other decrees or orders, settlement agreements or other agreements to which the vendor or any of its members, managers, officers, or directors is a party or is presently bound, requiring or prohibiting any future activities
- List and copies of all notices, information requests, permits, licenses, approvals, and certificates of authority from foreign, federal, state, and local authorities held or required to be held by the vendor
- If the vendor has been terminated or suspended by any investor or agency for any reason in the past six years, an identification of the investor and a description of the reasons for the termination or suspension
- Copies of all reports filed with, any correspondence with, and any transcripts of any significant proceedings before, any state or federal regulatory agencies in connection with the vendor within the past five (5) years, including complaints or correspondence discussing actual or potential liabilities, requests for information, citations or notices of violation
- All customer complaint files (including responses) for complaints received in the past three (3) years

This topic provides an overview of supervision and enforcement related to vendor management. It then looks at areas and issues regulators, particularly the CFPB, have focused on since the passage of the Dodd-Frank Act. Areas of focus include the following:

- Compliance management systems (CMS)
- Service provider accountability for actions of customers
- Cybersecurity
- Unfair, Deceptive, and Abusive Acts and Practices (UDAAP)
- Mortgage Servicing and Servicing Transfers
- Loan Officers and Title Companies
- Mortgage Advertising Companies and Marketing Services Agreements
- Debt Collection and Credit Reporting

the CFPB provides that a supervised company should, at a minimum:

- Conduct thorough due diligence to verify that a service provider understands and is capable of complying with the law;
- Request and review a service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
- Include in the contract with a service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities;
- Establish internal controls and on-going monitoring to determine whether a service provider is complying with the law; and
- Take prompt action to address fully any problems identified through the monitoring process.

Examples

- In 2003, California was the first state to pass a data breach notification law that requires companies doing business in California to notify California residents of the breach. (All 50 states now have breach notification laws.)
- In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.
- In 2016, New York ventured into new territory for state regulators, issuing a proposed rule establishing cybersecurity requirements for financial services companies. The New York regulations are considerably more prescriptive than legislation passed in other states. The regulations took effect March 1, 2017, but the NY DFS provided a two-year transitional period until March 1, 2019, by which time covered entities must have completed a thorough due diligence process on all third-party service providers. The New York regulation requires:
  - Implementation of a written cybersecurity policy and an incident response plan, both of which are to be overseen and enforced by a Chief Information Security Officer
  - Annual penetration testing
  - Limited access to nonpublic information (i.e., only to those employees who require access to perform their duties)
  - Cybersecurity awareness training for all personnel
  - Stringent third-party oversight

business matters

- Organizational chart
- Copies and brief description of non-compete agreements relating to the vendor or its affiliates related to the services contemplated to be provided
- Audited financial statements of the vendor for the past two (2) years
- Record retention policy
- Identification of all other residential mortgage lenders and mortgage bankers for whom the vendor provides services similar to those contemplated to be provided
- List of jurisdictions in which the vendor is qualified to do business, has applied for qualification to do business, has an office or employees, or is otherwise operating
- Information security policy and procedures
- Business continuity/disaster response plan
- Quality control review plan
- List and description of all key business technology requirements, platforms and software bought, used, or developed for the origination and processing functions
- (If applicable) Overview of the customer web portal for loan origination and loan status
- (If applicable) Description/overview of the telephony/IVR system for call routing and messaging

The vendor management framework is structured around five key pillars, which correspond to the "life cycle" approach presented in the OCC vendor management guidance:

- Planning and Risk Assessment
- Due Diligence and Vendor Selection
- Contract Negotiation and Implementation
- Ongoing Monitoring
- Remediation, Termination, and Transition

Critical activities, according to the OCC Bulletin, include any activities involving the following:

- Significant payment or banking functions (e.g., payments, clearing, settlements, custody)
- Significant shared services or systems (e.g., IT)
- Other activities that could do the following:
  - Cause a bank to face significant risk if the third party fails to meet expectations
  - Have significant customer impacts
  - Require significant investment in resources to implement the third-party relationship and manage the risk
  - Have a major impact on bank operations if the bank must find an alternate third party or if the outsourced activity must be brought in-house

In general, customer-facing vendors, as well as those that store customer non-public personal information or provide mission-critical applications, such as core-processing systems and disaster recovery services, are prime candidates for identifying service providers that perform critical activities. Because critical activities could expose both financial institutions and consumers to significant risks, regulators expect financial institutions to conduct a higher level of due diligence before entering into such relationships, and to employ stricter oversight over the course of such relationships. These "critical" activities should be the focus of special, enhanced risk management processes. Specifically, the financial institution should conduct more extensive due diligence on the front end, provide summaries of due diligence to the Board, ensure that the Board reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party's performance and financial condition (including, potentially, analysis comparable to that which the financial institution would perform when extending credit), ensure that the Board reviews the results of ongoing monitoring, and periodically arrange for independent testing of the financial institution's risk controls.

regulatory matters

- Summary QC results for the past three (3) years, including error reports and remediation plans
- Internal and outside audit reports addressing legal or compliance risks and any management responses to same for the past three (3) years; all internal audit or quality control reports on operations for the past three years
- State fee matrices, as well as a list of all fees (if not included in the matrices)
- Procedures for tracking changes in legal, regulatory, supervisory guidance and investor requirements, including procedures for implementing and testing changes
- Description of use of affiliated settlement service providers
- Complete set of all policies and procedures affecting the services provided. These can include, among other things, policies and procedures addressing the following:
  - Federal and state consumer credit laws (e.g., TILA, RESPA, ECOA, FCRA, UDAAP, etc.)
  - Employee incentive compensation
  - AML/BSA compliance employee training
  - Risk management
  - Document collection and retention
  - Third-party vendor oversight
  - Compliance and law monitoring and implementation
  - Entity and employee licensing
  - Consumer privacy and data security
- Training materials
- Templates, questionnaires, checklists or other materials related to the selection and monitoring of third-party vendors, including any qualitative and quantitative measures used to assess performance and compliance with applicable legal requirements
- Copies of consumer satisfaction surveys regarding activities (if available)

Some key takeaways from this case, which has overtones of the Department of Justice's Operation Chokepoint announced in 2013, include the following:

- The CFPB expects service providers to have their own strong compliance program capable of ensuring that the vendor is not assisting the financial institution in violating the law
- The CFPB expects service providers to engage in some level of oversight and due diligence of their financial institution customers
- The CFPB is increasingly holding service providers accountable for the actions of their financial institution customers

The company's due diligence process may include, but is not limited to, an evaluation of the following factors:

- The ability of the vendor to meet the company's needs for the life of the contract
- The stability of the vendor, both financially and operationally
- Whether the vendor has provided adequate representations about its activities and presented adequate reports and materials for the company to evaluate
- The vendor's experience in implementing and supporting the proposed activity
- The vendor's recognition of and sensitivity to the legal requirements applicable to the products or services it offers
- The business reputation of the vendor, including an evaluation of any peer referrals and any known complaints, past or pending litigation or government investigations
- The vendor's staff levels, competence, qualifications, training, capacity, and workload balance
- The vendor's internal control environment, including a review of SAS70/SSAE16 statements, policies, procedures, and training materials, to the extent available
- The vendor's ability to meet the company's control requirements and quickly respond to performance issues
- The vendor's ability to respond to service disruptions or disasters (including business continuity and disaster recovery plan test results)
- Whether the vendor relies on subcontractors to perform services
- Whether the vendor has appropriate insurance coverage

Factors to consider in an initial risk assessment may include the following:

- The company's experience with the product, service or vendor
- The materiality of the risks involved in the arrangement
- The company's existing ability to manage the risks
- Whether the service provided by the vendor is one-time or ongoing
- The centrality or significance of the service or product to the company's operations
- The centrality or significance of the contract to the vendor's financial condition
- Whether the vendor will directly offer products and services to customers in the name of the company or on the company's behalf
- The nature of the activities that the vendor performs or will perform
- The volume of activity or service that the vendor will perform
- The availability of other parties to provide any particular function and the cost if it becomes necessary to change providers
- An assessment of the potential contract obligations
- The company's ability to assess or audit the vendor's activities on an ongoing basis
- The vendor's access to sensitive company or customer information

Ongoing Monitoring

The oversight of the vendor does not stop at contract formation. The company should conduct ongoing monitoring of the vendor based on the risk level and performance (including compliance with applicable laws) of the vendor. Monitoring can include a number of oversight activities, ranging from review of periodic reporting through regular onsite reviews of the vendor's operations, and should include a review of complaints received by the vendor about the company's products and services. On an ongoing basis, the company should review the operational and financial performance of vendors to ensure that the vendor meets and can continue to meet the terms and conditions of the third-party arrangement. The risk rating of the vendor aids in determining the necessary frequency and scope of the company's ongoing monitoring and assessment of a vendor's activities and performance. The frequency and scope of the monitoring and assessments may be adjusted by the company based upon the results of prior reviews of the vendor. At a minimum, the ongoing review should include monitoring the vendor's legal and regulatory compliance, contract compliance, appropriate information safeguard compliance, and the quality of its services and support. For vendors that are risk rated in the highest risk category, the review should be extended to include monitoring of the vendor's financial condition, its controls, its regulatory compliance, and its disaster recovery readiness.

In addition, several service providers were named as defendants in the case because, according to the CFPB, the illegal scheme depended upon the participation of the service providers. Specifically, the CFPB charged payment processors and a telephone broadcast provider hired by the debt collectors, because these service providers, in pertinent part,

(1) "failed to conduct reasonable due diligence to detect unlawful conduct," which helped to facilitate millions of dollars in ill-gotten profits, and (2) transmitted robo-call messages created by the debt collectors that the service providers "knew or should have known...contributed to unlawful debt collection."

Under the revisions to Regulation X that took effect in January 2014, the CFPB may now cite an institution for failure to maintain policies and procedures reasonably designed to, among other things, facilitate:

(1) ready access to accurate and current documents and information reflecting actions taken by service providers, and (2) periodic reviews of service providers.

acceptable outside resources to enhance bank risk mitigation capabilities

1. Banks may outsource some or all aspects of their compliance management systems, so long as they "monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations." Examples in the bulletin include maintenance, monitoring, and data collection and management, but the bulletin warns that such outsourcing does not replace the need for compliance resources and a strong compliance management system.
2. Banks are encouraged, as part of their ongoing monitoring of third-party service providers, to request copies of regulatory examination reports of any supervised technology service providers with which a bank has an existing contract.
3. Banks may enter into service provider relationships to build out mobile payment capabilities and facilitate customer payments and transfers made using web applications and in various mobile payment environments. In this regard, the OCC expects banks to "work with mobile payment providers to establish processes for authenticating enrollment of customers' account information that the customers provide to the mobile payment providers."
4. Banks should consider requesting independent audit reports based on Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to determine the effectiveness of the controls the third party has implemented to monitor the controls of its own subcontractors.

The OCC issued Bulletin 2017-21 in June 2017 as a supplement to Bulletin 2013-29 to answer fourteen (14) frequently asked questions (FAQs).

1. Interpretations of Bulletin 2013-29's scope and content, including applicability to bank relationships with financial technology ("fintech") companies and marketplace lenders
2. Opportunities for banks to collaborate with each other to manage third-party relationship risks
3. Outside resources that banks may use to augment their third-party risk management capabilities

Compliance Management Systems (CMS)

A comprehensive CMS is an absolute necessity in today's regulatory environment for both supervised entities and their vendors. The CFPB, in particular, has indicated that all of its supervisory examinations will include at least some testing of an entity's CMS. A CMS provides the mechanism by which an entity:

- Establishes its compliance responsibilities
- Communicates those responsibilities to employees
- Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes
- Reviews its operations to ensure responsibilities are carried out and legal requirements are met
- Takes corrective action and updates tools, systems, and materials as necessary

A compliance management system includes the following:

- The establishment of policies and procedures
- Protocols for reporting compliance issues to the board and senior management
- Training for employees related to compliance responsibilities
- Processes for monitoring for violations
- Reinforcement of the compliance culture through prompt corrective actions, fostered in part by regularly scheduled independent audits and accountability for process improvements based on repetitive customer complaints

Planning

A third-party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the financial institution and the financial institution's customers, as well as potential security, regulatory, and legal ramifications.

Subcontractors or "Fourth Parties"

Adding another layer, regulatory guidance on vendor management also cautions against the overuse of subcontractors, which some people have referred to as "fourth parties." In particular, subcontractor management is an area of regulatory focus, and the agencies expect supervised entities to monitor a service provider's reliance on or exposure to subcontractors. Service providers, such as appraisal management companies (AMCs), should be required to establish and maintain policies and procedures for oversight of their QC vendors. The AMCs should also be required to demonstrate that they complete adequate due diligence of the QC vendors engaged to support the financial institution, and that the AMC also regularly performs ongoing monitoring of QC vendors to ensure continued compliance.

Ongoing Monitoring

All contracts must be reviewed by the company on a periodic basis and the company should consider renegotiation if service levels do not meet expectations. As necessary and where appropriate, the company will provide its employees with additional assistance or training to have the necessary background to perform oversight functions. The company must document its oversight program and maintain adequate reports and records to enable regulatory examiners to effectively and fully review the activities performed by high-risk third parties. Results of oversight activities should be periodically reported to the Board or a designated committee.

contract

All relationships should be documented by a written contract that clearly defines the responsibilities of both the financial institution and the third party. Among other things, the contract should provide for performance benchmarks, legal and regulatory compliance responsibilities, audit rights, protocols for handling customer complaints, and oversight obligations related to subcontractors.

Contract Negotiation and Implementation

All vendor relationships must be codified in a written contract that clearly specifies all relevant expectations, rights, responsibilities, and remedies of each party. The contract should secure the ability of the company and its regulators to review and audit the vendor when requested. The RM should review contract terms for all third-party arrangements in sufficient detail as required by the service performed and the level of risk. For significant or higher risk-ranked relationships, legal counsel should review the contract and incorporate such terms and conditions as required to meet the contents of the company vendor management policy.

Mortgage Servicing and Servicing Transfers

Amongst the most difficult adjustments companies have had to make in recent years has been related to increased oversight of mortgage servicers, which continues to consume considerable compliance resources and expense. In particular, regulators are focused on ensuring that servicers: (1) have instituted policies and procedures consistent with new regulations and guidance, and (2) comply with collections and credit reporting requirements.

Loan Officers and Title Companies

Another area of focus for the CFPB has been marketing services offered to loan officers by title companies in exchange for referrals. The CFPB has taken action against numerous loan officers for their alleged participation in steering title insurance and closing services to a title company in exchange for the loan officers' receipt of marketing services and cash from the title company. The consent orders resulting from these investigations have outlined RESPA violations, which prohibit the giving of a "fee, kickback, or thing of value" in exchange for a referral of business related to a real estate settlement service (12 U.S.C. § 2607(a)). In addition, the loan officers have been barred in several instances from the mortgage industry for a period of years, depending on the severity of their respective missteps. The potential for RESPA violations presents another compliance challenge for mortgage lenders to increase their oversight of not only third-party title companies, but also the lender's own loan officers that may be engaged, wittingly or unwittingly, in potentially illegal activity. In addition to enhanced RESPA training for loan officers and title company employees, mortgage lenders may need to increase their monitoring and auditing of interactions between loan officers and title companies to further mitigate the risk of RESPA violations.

Due Diligence and Vendor Selection

Based on the risk ranking of the vendor, the company must conduct pre-contract due diligence sufficient to verify the ability of the vendor to meet the needs of the company in a safe and compliant manner. The due diligence should inform the contractual provisions and the ongoing monitoring. The RM must ensure adequate due diligence of the vendor is conducted before entering into a contract or arrangement with the vendor. The extensiveness of the due diligence process is determined by the vendor's risk category. Vendors should be selected based solely on objective evaluation. The early involvement of the RM, as appropriate, ensures the use of appropriate selection criteria. Employees must not make any agreement with a vendor which places, or appears to place, the vendor in a position of advantage or disadvantage as to other third-party providers participating in the vendor selection process.

Employees

Each employee is responsible for understanding that reliance on vendor relationships can increase the company's risk profile. All company employees are responsible for responsibly interacting with vendors and following the requirements of the vendor management policy.

risks from the use of service providers

FRB cautions that failure to effectively manage the use of third-party service providers could "expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation." The Board identifies many of the same categories of risks that were noted by the OCC.

opportunities for collaboration

Fintech companies entering the mortgage space in recent years have identified a number of opportunities for collaboration that may positively influence the loan origination, servicing, and secondary market processes. The OCC's guidance in Bulletin 2017-21, though not specific to mortgage lending and servicing, is a reminder to the industry to ensure appropriate due diligence and oversight of these new third-party relationships with technology providers. That said, the OCC provides some insight as to how supervised banks can continue to meet regulatory expectations while taking advantage of the product enhancements fintechs offer. Several of the FAQs relate to collaboration among supervised entities to perform diligence and ongoing monitoring of third parties. While "user groups" and "buying clubs" are not new concepts in bank outsourcing and procurement operations, the OCC noted several ways in which banks may collaborate, including by: (i) pooling resources to perform due diligence, contract negotiation, and ongoing monitoring responsibilities; (ii) distributing costs across multiple banks; (iii) sharing third-party responses to common security, privacy, and business resiliency control assessment questionnaires; (iv) creating standardized contracts with common service providers to improve negotiating power; and (v) engaging in industry-wide information sharing arrangements to better understand cyber threats to their own institutions as well as to the third parties with whom they have relationships. However, the OCC emphasized that "each individual bank should have its own effective third-party risk management process tailored to each bank's specific needs." Included among these individual bank responsibilities are the following:

1. Defining the requirements for planning and termination (e.g., plans to manage the third-party service provider relationship and development of contingency plans in response to termination of service)
2. Integrating the use of product and delivery channels into the bank's strategic planning process and ensuring consistency with the bank's internal controls, corporate governance, business plan, and risk appetite
3. Benchmarking service provider performance against the contract or service-level agreement on an ongoing basis
4. Evaluating the third party's fee structure to determine if it creates incentives that encourage inappropriate risk taking
5. Monitoring the third party's services for compliance with applicable laws and regulations
6. Monitoring the third party's disaster recovery and business continuity time frames for resuming activities and recovering data for consistency with the bank's disaster recovery and business continuity plans

OCC Guidance Overview

Generally speaking, the OCC Bulletin provides the most comprehensive and granular detail with respect to all aspects of vendor management. In particular, the OCC Bulletin focuses on the risks associated with "critical activities," and many financial institutions find the OCC's guidance to be instructive when negotiating vendor contracts or designing a vendor oversight program, regardless of whether the entity falls under the supervisory authority of the OCC. In addition, on January 24, 2017, the OCC released Bulletin 2017-7, Supplemental Examination Procedures for Risk Management of Third-Party Relationships, providing further guideposts to national banks, federal savings associations and technology service providers in their collective efforts to comply with Bulletin 2013-29.

Supervisory Examinations and Enforcement Actions

Generally speaking, the primary federal regulator for a supervised institution also has the authority to enforce oversight of service providers through periodic supervisory examinations and ad hoc enforcement actions that may arise as a result of consumer complaints. In addition, these agencies may, in certain instances, have statutory authority to supervise service providers directly. The OCC, FRB, and the FDIC, for example, each have statutory authority to supervise certain third-party service providers that enter into contractual arrangements with regulated financial institutions. In addition, the CFPB and state regulators and attorneys general have explicit authority under the Dodd-Frank Act to supervise and bring enforcement actions against service providers that deliver material services to supervised banks or nonbanks in connection with the offering or provision by such supervised entities of a consumer financial product or service. Notably, state regulators and attorneys general must provide an advance notice of a complaint to be filed to the CFPB and the applicable prudential regulator when alleging a violation of the Dodd-Frank Act. The CFPB may intervene in the action as a party, but state attorneys general nonetheless have substantially the same ability to secure remedies under the Dodd-Frank Act as the CFPB, including civil money penalties of up to $1 million per day for knowing violations of the law.

Service Provider Accountability for Actions of Customer

In March 2015, the CFPB filed a lawsuit in the United States District Court for the Northern District of Georgia in connection with an allegedly illegal debt collection operation whereby a group of individuals and companies based in New York and Georgia attempted to collect debts that consumers did not owe or that collectors were not authorized to collect. Specifically, the collectors purportedly placed "robo-calls" to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserted that, as a result, the debt collectors received millions of dollars in profits from the targeted consumers.

Vendor Management Concerns

In terms of vendor management, a key takeaway from the CFPB's enforcement posture in these cases is that the CFPB expects mortgage lenders to take the same precautions with mortgage advertising companies as those required with any other service provider that interacts with customers, inclusive of appropriate due diligence and oversight. Treating mortgage advertising companies as service providers has taken some in the industry by surprise, as such companies have generally been viewed as marketing partners rather than service providers for mortgage brokers and lenders, and often receive a marketing fee for any advertisement that yields a new origination. Note also that the general expansion of third parties that qualify as "service providers" under Dodd-Frank is in keeping with various CFPB enforcement actions taken against ancillary and add-on product providers in the credit card and auto finance industries. The CFPB continues to aggressively enforce RESPA Section 8 violations for both payment and acceptance of allegedly illegal kickbacks for mortgage business referrals, consistently levying additional consent orders enforcing Section 8. (RESPA Section 8 prohibits kickbacks and unearned fees. "Section 8" refers to its original citation in Public Law 93-533; it is codified in the U.S. Code as 12 U.S.C. § 2607. In Regulation X, the prohibition against kickbacks and unearned fees is covered in § 1024.14.)

Board of Directors

Management of third-party vendor relationships is ultimately the responsibility of the company's board of directors (Board). While the Board can delegate day-to-day management to a key individual or individuals, the Board remains responsible for overseeing the company's program and process for managing vendors, for identifying and controlling the risks presented by vendor relationships, and for ensuring sufficient resources and staff are devoted to the vendor management process. The Board and senior management are ultimately responsible for identifying and controlling risks arising from vendor relationships to the same extent as if the services were handled within the Company. The Board should review this policy on an annual basis. The Board may delegate day-to-day oversight of third-party arrangements and their associated risks to an employee or employees with subject matter experience to serve as a relationship manager for the third-party relationship ("RM"). This delegation does not diminish the Board's accountability for all third-party relationships.

Vendor Management Guidance

Starting with the broad trend in the 1960s and 1970s for banks to outsource their core systems to specialist technology firms rather than continuing to develop and maintain proprietary systems, management of third-party vendors (also referred to as service providers) has been an aspect of the regulatory oversight of financial institutions for decades. All federal financial institution regulators expect their supervised institutions to manage vendor relationships in a manner that ensures compliance with applicable laws and have issued some level of guidance to that end. This topic provides an overview of the regulatory environment surrounding vendor management, and then discusses the guidance positions of three regulatory agencies: the Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC), and Federal Reserve Board (FRB).

CFPB Guidance Overview

The CFPB expects that a company's vendor management program will "limit the potential for statutory or regulatory violations and related consumer harm" and ensure that such relationships do not present "unwarranted risks" to consumers. For nonbanks and CFPB-supervised banks, where vendor relationships were once primarily evaluated for their impact on safety and soundness of the financial institution, the examination of these arrangements now focuses heavily on whether the contracting parties are ensuring compliance with consumer protection laws. The CFPB Bulletin provides little in the way of detailed requirements for vendor engagements, but makes clear that it expects the company's board of directors ("Board") and senior management of each of its supervised institutions to ensure their companies have a strong vendor management process.

Mortgage Servicing and Servicing Transfers

The CFPB explained at the time it proposed § 1024.38(b)(3) that the new regulation was designed to address evaluations of mortgage servicer practices that had found that some major servicers "did not properly structure, carefully conduct, or prudently manage their third-party vendor relationships," citing deficiencies in monitoring foreclosure law firms and default management service providers as key examples. The compliance burdens on servicers are also evident in CFPB guidance on mortgage servicing transfers. Bulletin 2014-01, Compliance Bulletin and Policy Guidance: Mortgage Servicing Transfers, was issued August 19, 2014, and outlines a number of CFPB expectations of servicers in connection with the transfer of mortgage servicing rights, including potentially preparing and submitting informational plans to the CFPB describing how the servicers will be managing the related risks to consumers. In this regard, a primary focus of Bulletin 2014-01 is signaling that the CFPB is committed to enforcing the new servicing transfer rules under RESPA, which require servicers to, among other things, maintain policies and procedures that are reasonably designed to achieve the objectives of facilitating the transfer of information during mortgage servicing transfers and of properly evaluating loss mitigation applications.

Mortgage Advertising Companies and Marketing Services Agreements

The CFPB has also taken direct aim at deceptive mortgage advertisements, particularly those that imply an affiliation with programs offered by the U.S. government. In a number of enforcement actions, including a simultaneous announcement in February 2015 against three private mortgage lenders that sent mailings simulating notices from the U.S. government despite the fact that none of the companies had any connection to a government agency, the CFPB made note of the customary practice of mortgage brokers and mortgage lenders to hire marketing companies to produce advertisements for mortgage credit products. In some cases, the marketing companies are under common ownership with the mortgage lender, which raises the potential for the RESPA referral and kickback violations discussed above, as well as violations of the loan originator compensation rules.

CFPB Guidance Overview

The CFPB's examination manual provides consistent information regarding the CFPB's expectations for regulated entities such as mortgage lenders and servicers to oversee their service providers. The Compliance Management Review (CMR) section states that "[s]upervised entities are also expected to manage relationships with service providers to ensure that these providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided." The CMR guidelines further note that, among other service provider-related issues, examiners should ensure that the Board and senior management have demonstrated clear expectations for compliance to service providers, and should review policies and procedures designed to ensure that the entity's service providers comply with legal obligations applicable to the product or service of the examined entity and the provider.

business continuity and contingency plans

The Fed specifically notes that financial institutions should do the following:

1. Ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products
2. Assess the adequacy and effectiveness of a service provider's disaster recovery and business continuity plan and its alignment to their own plan
3. Document the roles and responsibilities for maintaining and testing the service provider's business continuity and contingency plans
4. Test the service provider's business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness
5. Maintain an exit strategy, including a pool of comparable service providers

Relationship Manager

The business owner responsible for managing the third-party relationship acts as the relationship manager (RM) for that relationship. Among other responsibilities, the RM must understand the risks associated with the third-party relationship and maintain effective oversight and control over the vendor, advise business managers on existing vendor relationships, and assist in the creation of the vendor contract. The RM must ensure that adequate due diligence is conducted on the vendor prior to execution of the contract and must continue to provide effective oversight of the contractual relationship to control these risks. Where material concerns regarding the vendor's performance arise, the RM is expected immediately to report those concerns to the appropriate parties, including senior management, compliance, or legal counsel. The Board may also designate one individual to act as the RM for all third-party relationships. The RM manages the Company's relationships with vendors by performing, at a minimum, the following activities:

- Maintain a current list of all third-party vendors
- Maintain and make available the appropriate risk assessment, due diligence, and third-party review forms
- Assign risk rating categories (e.g., High, Medium, or Low) to vendors based on the information provided by other employees and the vendor
- Provide guidance to other employees on appropriate due diligence protocols based on the vendor's risk rating and affirm the decision
- Provide adequate training to other employees on appropriate vendor management, including in conducting initial and ongoing diligence reviews
- Ensure that all vendors undergo and satisfactorily complete a due diligence review process, and assist in reviewing and completing due diligence documentation
- Schedule and execute onsite due diligence reviews when warranted
- Monitor the expiration of due diligence documentation and communicate when new documentation is due
- Where appropriate to the size and significance of the contract, coordinate with legal counsel to ensure that appropriate provisions setting forth the rights and obligations necessary to carry out the objectives of this Policy are included in vendor contracts
- Subject the performance of vendors to ongoing monitoring and periodic assessments as necessary
- Maintain business contingency and business continuity plans to address the continued availability and orderly transition of critical vendor services
- Facilitate the review of customer complaints concerning vendors (both complaints received directly by the Company as well as complaints forwarded by vendors)
- Conduct periodic risk assessments of the overall effectiveness of the Vendor Management Process control framework, including the performance of the RMs responsible for its execution
- Prepare periodic updates on activities to the Board

Planning and Risk Assessment

The company should develop a methodology to assess the risks involved in entering into any arrangement with a third party, including, among other things, the condition, experience, and reputation of the vendor; the nature and necessity of the service or product; the volume of activity the vendor will perform; and the level of direct customer contact of the vendor. Each vendor should be assessed on a risk scale to identify the level and intensity of due diligence and ongoing monitoring necessary for that particular vendor. To that end, the following steps should be undertaken during the Planning and Risk Assessment phase:

- Identify the services intended to be outsourced.
- Identify potential vendors available to provide the services described. Include whether any potential vendors are already doing business with the company.
- Identify the company's need for the service or product, the benefits to the company of outsourcing the function rather than building the capability in-house, and the ability to effectively manage the risks related to the relationship.
- Assign a risk rating to the vendor (High, Medium, Low). The more critical the risk, the more oversight should be performed. Include reasoning for the rating.
- Tailor the risk rating to each outsourced activity to determine how inherently risky an activity may be.
- Obtain senior management approval of the risk assessment conclusions.

On-going Monitoring

The financial institution should dedicate sufficient staff to monitor the third party's activities throughout the relationship, as it may change over time. Particular attention should be paid to the third-party vendors' ability to do the following:

1. Comply with legal and regulatory requirements
2. Self-identify and address issues quickly
3. Manage subcontractors effectively
4. Monitor and resolve consumer complaints in a manner that demonstrates the ability to analyze trends to avoid similar complaints in the future

Vendor Management Concerns

The oversight requirements could be read to require risk assessment and the establishment of cybersecurity standards for all third parties (and their vendors) with whom a covered entity transacts. The scope of this requirement could be interpreted to be proportionate to the amount of access the third party has to nonpublic information, but the regulation is not clear as written. Moreover, the third-party oversight requirements may cause friction between covered entities and their vendors through mandatory contractual requirements, including representations and warranties from the third-party service provider and the right to annual audit and review. In fact, in response to a frequently asked question, the NY DFS emphasized the importance of a thorough due diligence process in evaluating the cybersecurity practices of third-party service providers, stating that "[c]overed [e]ntities must assess the risks each [third-party service provider] poses to their data and systems and effectively address those risks."

Vendor Management Regulatory Environment

The regulatory focus on vendor management has increased exponentially since the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) and the creation of the Consumer Financial Protection Bureau (CFPB). The CFPB announced its expectations for supervised banks and nonbanks involved in business relationships with service providers.

Remediation, Termination, and Transition

There are many reasons for terminating a service provider relationship, ranging from expiration of the term in the ordinary course, to termination for cause due to performance or compliance failures. A financial institution's senior management should ensure that relationships terminate in an efficient manner, whether the activities are transitioned to another third party or in-house, or discontinued. In the event of contract default or termination, the financial institution should have a plan to bring the service in-house if there are no alternate third parties.

Third-Party Relationship

This includes, among others, any third party that:

- Provides technology services and software, including loan origination or loan servicing platforms and website providers
- Develops, prepares, drafts, or reviews disclosures or other loan documents
- Conducts or oversees property valuations, including appraisers and appraisal management companies
- Conducts loan closing functions on behalf of the company
- Acts as a notary or signing agent for the company
- Offers, solicits, or sells products to company customers through joint marketing relationships
- Performs audits of the company
- Provides back-office or clerical support
- Supplies human resources administration
- Conducts payment processing, bill payment, and funds transfers
- Performs any loan servicing functions, including any aspect of default servicing such as collection, loan review, or asset management
- Refers or brokers loan applicants to the company

Unfair, Deceptive, and Abusive Acts and Practices (UDAAP)

UDAAP risk may be heightened with the use of third parties, insomuch as service providers may:

- Be positioned directly or indirectly between the supervised financial institution and the customer, thereby creating oversight issues.
- Be deeply involved in the delivery of products and services to consumers, and generally uncontrolled by the financial institution.
- Have unfettered access to the financial institution's customers, creating the potential for contact in violation of consumer protection laws.
- Not be adequately monitored by the financial institution, creating operational and compliance risk.

Unfair, Deceptive, and Abusive Acts and Practices (UDAAP)

UDAAP, which the Dodd-Frank Act empowers both state and federal regulators to enforce, is generally dependent on the specific facts and circumstances. As a number of cases have shown, UDAAP is not always apparent and may involve common industry practices. In particular, the interactions of mortgage originators and advertisers with consumers, which may increase the risk of UDAAP claims, as well as the marketing of ancillary products such as bi-weekly payment programs, have been a primary examination and enforcement focus of the CFPB. In addition, state attorneys general and regulators have brought similar claims under state consumer protection laws to seek recourse for unfair or deceptive practices by financial institutions and their service providers. To protect against the possibility of UDAAP claims or state-level equivalents, financial institutions, at a minimum, should evaluate whether:

- Marketing materials reflect the actual terms and conditions of the product;
- Service provider compensation incentivizes consumer deception;
- Marketing scripts are both accurate and clear, and followed by service providers; and
- Service providers are employing a strong compliance management program.

incentive compensation

arrangements that may be embedded in service provider contracts to avoid encouraging "imprudent" risk-taking. While the OCC Bulletin does not break out incentive compensation as a separate program feature (it is included among factors to be considered in due diligence and selection), the OCC, consistent with the FRB Guidance, does identify the need for financial institutions to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the financial institution.

due diligence of prospective service providers

consistent with the scope, complexity, and importance of the planned outsourcing arrangement. The Fed emphasizes processes designed to examine a potential service provider's: (i) business background, reputation, and strategy; (ii) financial performance and condition; and (iii) operations and internal controls. This section is less detailed, but nonetheless consistent with the section titled "Due Diligence and Third-Party Selection" in the OCC Bulletin.

contracts should cover certain topics, provisions and considerations

including, but not limited to, the following:

1. Scope of services covered
2. Cost and compensation
3. Right to audit
4. Performance standards
5. Confidentiality and security of information
6. Indemnification
7. Limits on liability
8. Customer complaints
9. Business resumption and contingency plan of the service provider
10. Use of subcontractors

The key provisions noted generally mirror the "Contract Negotiation" section of the OCC Bulletin.

Service Providers

is defined as any person that "provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service." See 12 U.S.C. § 5481(26).

responsibilities of the Board and senior management

of regulated financial institutions in establishing policies governing the use of service providers. Although the FRB Guidance is not as detailed as the OCC Bulletin with respect to specific roles and responsibilities of the financial institution's Board of Directors, senior management, and key employees, the FRB is aligned with the fundamental principle set forth by the OCC that each of these parties have "distinct but interrelated responsibilities to ensure that the relationships and activities are managed effectively." The FRB states that the policies and service provider risk management programs established by financial institutions must address the various stages of the vendor management oversight process, including risk assessments, due diligence, contract negotiation, ongoing monitoring of service providers, and business continuity and contingency planning.

the OCC Bulletin outlines a "life cycle" approach and provides detailed descriptions of steps that a financial institution should consider implementing at five important stages of the third-party relationships:

planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.

service provider risk management programs

should focus on outsourced activities that are most impactful to the institution's financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk.

risk assessments

that evaluate the implications of performing an activity in-house versus having the activity performed by a service provider. They should also consider whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. This section of the FRB Guidance closely aligns with the section titled "Planning" in the OCC Bulletin.

