(270) 506-5140 CONTACT US
Due Diligence

10 Best Practices for Lead Generation Vendor Oversight

Nov 7, 2017 by Venminder Experts

Many states require lead generators to hold a mortgage broker license in some shape or form on the NMLS (Nationwide Multistate Licensing System/Nationwide Mortgage Licensing System and Registry). A financial institution which relies heavily on purchasing these leads to keep their mortgage loan officers (MLO) working a full pipeline should be aware of the potential increased regulatory compliance risk.

One of the first items that a lender should vet out prior to ever purchasing a lead is to make sure the lead generator has a strong compliance management system. We'll cover other best practices that you need to know as well. 

First, let's touch on how lead generators relate to regulation and violations.

Regulation and Lead Generator Cases

The CFPB has made it clear that false advertising, misleading statements are all potential UDAAP violations just waiting to happen. And this isn’t just a warning, there have been several cases where lead generation companies have been fined hundreds of thousands of dollars.

The statutory and regulatory risk is a real clear and present danger to every financial institution which leverages this type of third party.

If in doubt, seek an attorney for expert counsel requiring the actual state requirements and the subsequent interpretation of such laws. Our focus here is to lay out best practices which can be used to vet lead generators from an initial vetting perspective and the annual oversight function.

10 Best Practices for Oversight of Lead Generators

  1. Know your vendor: Understanding what the lead generator actually does is key in determining the level of oversight. Is the lead firm purely online with minimal interaction with a potential consumer? Or is the lead generator making outbound calls based on a database or trigger list?

  2. Check that they have a compliance management system: Can the vendor demonstrate they have a clear understanding of federal consumer protection laws? If the vendor doesn’t employ a chief compliance officer, what are the systems in place to keep up with a robust and changing regulatory framework?

  3. Ensure your vendor has no major complaints against them: Check the CFPB consumer complaint database and the Better Business Bureau - both sites will provide information regarding complaints and will show if the vendor has responded. This is an easy search which you can run by company name.
    • Review the information as best as possible.
    • While this is an external review of the vendor reputation that the public can see, it's also important to pivot back to an internal review and determine if and how the vendor manages consumer complaints.
    • Where possible, request to see not only the complaint policy but also the actual complaint outcomes.
    • This may be limited to complaints which are specific to your organization and that of your own clients who may have come through the vendor portal initially. Look for patterns and address of what, if any, remediation results are in place. Are there any patterns of improvement? If not, why not?

  4. Research litigation and regulatory fines: A simple online search of the vendor litigation or levied fines will further highlight any perceived red flags. In fact, regulatory issues can also be found on NMLS.

  5. Review controls: Undoubtedly, this is one of the most difficult pieces of information to gather. While policies and procedures (P&P) demonstrate the company guidelines and operational best practices, requesting documentation which demonstrate adherence to the P&P can be more challenging to come by. Either through contract strength or sheer relationship management, it's important that the vendor manager explain this requirement to their potential vendor partner.

    Items to look out for include:
    • Copies of scripts used when speaking with consumers
    • Privacy statements and disclosures - Provide evidence that the lead is either exclusive to you, the purchaser, and if not, was the consumer aware that the lead would be sold to multiple lenders?
    • Training logs - An example might be to request the training log of an account manager who works on your corporate account. Has Bob the account manager completed his GLBA training in 2017? If not, why not? After all, the Training P&P states that training is conducted quarterly.
    • Quality assurance results
    • Board meeting minutes as evidence of annual policies being reviewed and approved
    • Compliance tracking. Review how updates are maintained and subsequently implemented
    • If calls are recorded, evidence of a consumer interaction and checked against the script is a great way to prove that the vendor is following their own guidance

  6. Have transparency: It's key when it comes to interacting with a lead generator. Concerns include:
    • Are appropriate privacy and permission controls in place? For the unassuming consumer, a sleek website may appear to be an online mortgage application. It's important that the consumer be made aware that Company X is not a mortgage broker or lender and merely facilitates the initial introduction.
    • In turn, based on the state regulation it is required to hold a NMLS broker license.  Risks here include the concern that the consumer must be made aware that whatever level of data is collected, it will, as part of the process be shared with third parties. 
    • Read the small print.

  7. Ensure state licensing: 
    • As a financial institution, if you purchase leads from a lead generator who isn't licensed in the specific state, you may have unknowingly created a regulatory compliance issue for your company.
    • This is a compliance headache for your internal organization and has the potential to bloom into a much larger issue. Imagine a lender who has unwittingly purchased thousands of leads in an unlicensed state?
    • It isn’t a stretch to imagine that the CFPB would highlight your own internal compliance management system weaknesses and, invariably, could also link an equally poor vendor oversight program for failure to monitor and review the lead generators internal policies and controls.
    • Capturing each specific NMLS and license expiration date and creating your own internal control of requesting updated information can really help offset this risk. The key first action is verifying the state level licensing requirement.

  8. Review the vendor's advertising: Lead generation is a prominent online activity, and while it isn’t limited to just mortgage transactions, time should be dedicated to reviewing the lead generation website. I highly recommend that the vendor manager request a list of all third party partnerships which promote the lead generator.

    In an ideal world, NMLS info is highlighted, privacy and disclosure language are included and the website is devoid of misleading advertising. Misleading advertising is of common interest to the Fair Trade Commission (FTC). Falling foul of the CFPB and the FTC is a double whammy and should be avoided at all costs. UDAAP never gets good press!

  9. Be aware of the data collection practices: It’s important to remember that basic information will be required to create a lead. However, vendor management should clarify exactly what information is collected to assume that the lead generator hasn’t moved from a lead generator role to that of a collector of NPI data or originator.

    The role of the lead generator is not to issue or infer any kind of pre-approval. If the company has been overly enthusiastic about the data it collects, it may have crossed the line and now be in breach of fair lending regulations. Don’t take their word for it. Test out the lead generator website and check off the information required to submit an inquiry. A word of warning - your phone and email may very likely blow up within minutes of hitting enter! Creating a dedicated secret shopper email account and dedicated phone line for the follow up calls will alleviate the follow up activity which will follow.

  10. Audit: All vendor contracts should be reviewed. A robust assessment will require any vendor to share information which it may not commonly provide. Vendors may want to hide behind blanket statements such as proprietary and confidential. In fairness, this may be applicable in situations regarding certain aspects of data security.

    However, based on the regulatory compliance risks associated with these highly visible vendors, that access to key documentation is a necessity to fully assess the inherent and residual risk of this vendor type. If the vendor is reluctant to share regulatory compliance information and supporting control data, then this could indicate a red flag to consider.

Apply Oversight to Lead Generators Equally and Specific to Function

Lead generators provide a valuable service to many financial institutions for many forms of financial transaction types. It's important that the oversight applied is equal and specific to the function and the subsequent risks which this vendor type present.

A lead generator may be the first official interaction with your consumer. Making sure the consumer is not harmed in any way during this early step of the origination process should be a key focus and concern to ensure the vendor and the financial institution is in full compliance with federal consumer lending laws. 

To learn about proper oversight of a contract mortgage underwriter, download our infographic.

Download Now

Venminder Experts

Written by Venminder Experts

Venminder has a team of third-party risk experts who provide advice, analysis and services to thousands of individuals in the financial services industry.

Follow Venminder Experts

Subscribe to the Venminder Blog