The concept that lenders and mortgage servicers are responsible for the actions of their subcontractors isn’t new, but it is front-and-center like never before.
Last year’s Consumer Financial Protection Bureau’s enforcement action against Capitol One for the actions of one of its third-party vendors brought renewed attention on an issue that also gained attention after a 2011 federal consent order against 14 of the country’s largest mortgage servicers and in last year’s nationwide attorneys general settlement with mortgage servicers over foreclosure abuses.
Should anyone have any doubt, the Consumer Financial Protection Bureau issued a bulletin last year that plainly states that banks and nonbanks supervised by the CFPB are expected to oversee their relationships with service providers in a manner that ensures compliance with federal consumer financial law and protects consumers.
“It starts off with understanding the risks for each type of service provider,” said Christopher Willis, an attorney specializing in mortgage issues at law firm Ballard Spahr. “Some service providers are higher or lower risk, and you have to think about how each service provider might commit a compliance violation.”
A subservicer, for example, would fall into a high-risk category because it is literally reaching out to the borrower with one-on-one conversations and has a high-level of interaction with consumers. Another service provider might only print and mail out correspondence with no direct contact with consumers. Such a provider would be considered lower risk.
Willis said a lender’s or servicer’s level of oversight should be tailored to the type of service provided and the related risk level.
Due diligence, he said, is key. The service provider should be examined to determine that it’s trustworthy, hasn’t gotten into trouble in the past, is financially stable and has all appropriate licenses.
When drawing up a contract, the regulated entity must ensure it addresses compliance. Wording should be tailored to what specific activities the vendor is doing and
should include provisions for the lender or servicer to obtain critical information related to compliance.
For example, that might include requiring the vendor to report consumer complaints or government investigations to the lender/servicer.
Willis recommends using a commonsense approach in the ongoing monitoring of service providers. That means ensuring the vendor is doing what it should be doing were it an internal part of the company that hired it. Monitoring should include documentation that can be shown to a regulator, should one ask for it.
HISTORICAL BACKGROUND
Federal regulators have been talking about this concept of responsibility for third-party vendors as far back as 2001 when the Office of the Comptroller of the Currency made pronouncements about it. The Federal Deposit Insurance Corp. also has compelled banks to oversee their vendors. In 2008, the FDIC took enforcement action against two banks and a credit card company and settled with a third bank, deeming the banks responsible for deceptive marketing of a subprime credit card program handled by a vendor.
The case involved CompuCredit Corp. of Georgia, First Bank of Wilmington, Del., and First Bank & Trust of Brookings, S.D. A third bank, Columbus Bank and Trust of Columbus, Ga., settled with the FDIC.
“An institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling risks arising from such relationships, to the same extent as if the activity were handled within the institution,” an FDIC board member said at the time.
The CFPB issued a bulletin in April 2012 that sets out its expectations that supervised entities will conduct their business relationships with service providers in a manner that ensures compliance with federal consumer law. The CFPB said it expects lenders and mortgage servicers to have an effective process to manage the risks of their third-party vendors. Regulated entities should be prepared to show they are meeting the bulletin’s requirements if they are audited by the CFPB, industry experts said.
One need only look at the civil penalties assessed against Capital One to know the bureau means business.
The credit card company paid $210 million to the CFPB and its regulator, the OCC, to settle charges of unfair and deceptive marketing by one of its service providers. The highly publicized July 2012 case was the first and only enforcement action brought by the CFPB to date.
Through the supervision process, CFPB’s examiners discovered Capital One’s call-center vendors engaged in deceptive tactics to sell the company’s credit card add-on products.
COMPLIANCE METRICS
The CFPB lays out five steps for its supervised entities to be in compliance with their third-party vendors:
- Conducting due diligence of the service provider.
- Requesting/reviewing policies and procedures.
- Having a contract that spells out expectations and enforceable consequences for violating compliance-related responsibilities.
- Establishing internal controls and monitoring.
- Taking prompt action to address any problems identified through the monitoring process, up to and including termination of the contract, if warranted.
“It’s a big subject of discussion with my clients because a lot of people are putting a lot of emphasis on it,” said Willis, the Ballard Spahr attorney.
Third-party vetting applies to any entity that is supervised by the CFPB. That includes large bank and nonbank lenders and mortgage servicers; student loan lenders; payday lenders; credit reporting agencies; debt collectors, debt buyers; and debt collection law firms.
Service providers — those receiving the vetting — include firms that provide a material service to the financial services firm. In the case of mortgage lenders and servicers, that would include appraisal management firms, title agents, subservicers and property preservation firms. Excluded are companies that provide general business support such as those that provide computer networks or copiers/printers for the office, or companies like HousingWire that provide space for advertisements from regulated financial entities.
“Some lenders, particularly banks in the mortgage area, had already significantly stepped up their vendor oversight programs, over the past several years,” Willis said. “They may still be improving those today, but it is not a massive change to what they were doing last year.”
“On the nonbank side, there are people at different points on the spectrum. Some people didn’t have a well-developed vendor management or vendor oversight program so for them it is new and they have to build it from scratch,” he said. “And it’s a pretty major revolution in the way they are dealing with service providers.”
FORMS OF VETTING
The demand for vetting has spawned a cottage industry of firms who provide vetting services. These firms range from startups focused only on third-party vetting to existing consultancies, law firms and accountant firms that are
offering vetting as a service to their existing clients or expanding their client base by offering third-party
vetting services.
Some companies have the inhouse resources to do their own vetting, which might be preferred because they maintain complete control over the process. But if
they don’t have those resources, then they must outsource the responsibility.
“We have some clients that have us assisting them,” Willis said. “In other instances, I have actually helped clients put together their own internal audit process. I’ve done training sessions for their auditors who are going to go out and visit the service providers. A lot of the work we are doing is equipping our clients to do it internally rather than forever being dependent on an outside source, but people are doing both.”
The consequences of not complying with the CFPB requirements could be severe. The bureau may hold the institution, itself, liable for the actions of its service providers as it did in the case of Capitol One.
“The prospect of that occurring becomes much more likely if you have inadequate oversight of the service provider,” Willis said.
Bill Garland, executive vice president at mortgage technology firm Decision Ready, said the vetting and monitoring is a cost of doing business in today’s environment.
“You need to be able to display that you have institutionalized this activity into your operation,” he said. While line managers in the past may have handled third-party relationships, that isn’t the case any longer. Now companies hire people whose job is to specifically manage third-party service providers to ensure they are compliant.
“You have to invest in people, technology and time to actively engage and manage these relationships. It is no longer just incidental to the business,” Garland said.
Decision Ready, because it is a technology provider, doesn’t fall into the definition of a service provider. Instead, it provides cloud-based technology services to the industry. It also offers a software product, Connect, that is focused on managing third-party relationships.
“There is a high level of connectivity, hence the name, between the servicer, and say, outside counsel so that as regulations change, the system provides a capability to communicate from the servicer to outside counsel — communicate any investor specific or regulatory specific instructions,” Garland said. “The system delivers that communication to specific parties in the law firm so it isn’t a general broadcast. Depending on the topic … it provides some level of certification that a message was received, read and implemented. That would be part of the ongoing review process to ensure that there is compliance.”
To show compliance with the CFPB directive, lenders and mortgage servicers need to step up what they’ve done
in the past.
“You need to be dynamically managing the relationship on a regular basis,” Garland said. “I think the due diligence aspect is pretty engrained in the industry, but once the provider was approved, how much revisiting and reevaluation of the performance was done on a go-forward basis? That’s where you need to kick up the focus.”
Loren Morris, general counsel and chief compliance officer at Retreat Capital Management, is handling compliance from the view of the service provider.
Retreat Capital, which provides component servicing among other services in the default space, fits into the definition of a third-party service provider.
It has been in a position of being vetted by regulated
entities, Morris said.
The mortgage industry has, for years, used third-party providers for capacity and expertise. Regulators, such as the CFPB, have recognized that it’s a necessary component of the industry, Morris said. Consistency in how the industry reviews service providers, down to specific guidelines to address
specific activities should provide added integrity to the process, he said.
“The industry, both the servicers and the service providers welcome the concept of a consistent approach and the more consistency and integrity that comes to it, the
more that it serves the industry and serves the
consumer,” he said.
In the title agent business, the American Land Title Association established a set of best practices for the vetting of title agents. But even more could be done by other mortgage industry associations to standardize vetting processes and subsequent monitoring of service providers, said Patrick Stone, CEO of Williston Financial Group, the parent company of WFG National Title Insurance Group.
Many lenders don’t understand the process that title underwriters go through to vet a title agent, he said.
“When you sit down and explain the level of detail that goes into vetting an agent and signing an agent to write your policies as an underwriter, they are impressed with how thoughtful and thorough the process is,” Stone said.
WFG’s vetting process of title agents includes reviewing financials, fidelity and surety bond coverage, agency history, qualifications, licenses, work history, criminal/civil backgrounds, accounting/escrow processes, references and organizational structure.
While the industry has been focused for years on vetting of agents with a robust examination, Stone said lenders rightfully wonder about ongoing monitoring to ensure agents remain compliant with consumer finance law. That is a potential weakness in the title agency/underwriting business, he said.
“Most of the underwriters do a good job and are fairly consistent in the content of their approval process,” Stone said. “I think the biggest problem is the ongoing re-verification, or the annual review or audit. The industry has never been in a position to economically audit its agents on an annual basis and that is problematic. That is something we will have to figure out.”
Willis said the wider mortgage industry will reward those companies who have put into place a robust compliance management process due to the increased attention on third-party vetting.
“It is going to create market pressure to favor those who have taken compliance seriously,” he said, “and who can demonstrate in a documented way that they have done so.”