Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.


Mortgage Subservicer Vendor Oversight Best Practices

5 min read
Featured Image

Mortgage subservicers offer a unique challenge to third-party risk management. Unlike many fulfilment services engaged in the origination process, a subservicer interacts with the consumer for essentially the life of the loan or at least until run off occurs, be in from a home sale or a refinance transaction. 

Reminder, we’re talking about the vendors that service the loan, not the generic terminology for fourth parties.

Subservicers in Third-Party Risk Management

There is motivation for the subservicer to retain the borrower since the act of servicing a mortgage account can generate upwards of 50% of the total income for the owner of the asset.

At the very basic level, a subservicer may be classified as a third or fourth-party vendor.  The fourth party vendor classification is triggered if the subservicer is retained to manage a portfolio by a master servicer. We know that both the CFPB and OCC have made it quite clear regarding oversight responsibilities.

Because of the extensive amount of interaction that a subservicer may have with a consumer, there is in equal weight a tremendous amount of regulatory compliance requirements attached to this vendor type.

Focus on the Basics, Then Dig in Deeper to Mechanics of Subservicing

The oversight of a subservicer will require collaboration across multiple business channels. Because of the complexity of this vendor type, relying on a check box mentality of some basic questions which may seem reasonable for other vendor types will not make the grade.

If your vendor oversight department doesn’t have specific experience in this vendor category, then caution should be taken. The next steps you take could define if you have adequately performed the required oversight by both regulators and the GSE’s.

6 Subservice Vendor Oversight Best Practices

  1. Monthly Ongoing Monitoring: Consumers make their payments monthly; therefore, it makes sense that performance oversight reflects this practice. Set up a monthly call to review loan onboarding processes: Were there any hiccups or consumer complaints submitted either to the sub-servicer or the lender directly?

    These responsibilities will typically fall under the line of business but a regular monthly recap meeting between the internal servicing department, compliance, risk and vendor oversight will result in a very healthy and productive ongoing monitoring program. In addition to the monthly practices, I also recommend having a quarterly recap. This report should be submitted to the board so that all parties are aware that this highly regulated and most critical vendor is performing within SLA requirements.
  2. Annual Oversight: You should do annual assessments, an internal effort which can be assisted by the outsourced function. Subservicers are extremely experienced in holding annual assessments for their clients.

    The level of due diligence may vary based on the maturity of the internal oversight program or by the performance, or lack of, by the subservicer. Either way, sending an oversight team which lacks the servicing knowledge and regulatory compliance requirements will not garner much beneficial oversight other than perhaps the advantage that the lender went onsite. 

    Best practices here would be to build a multi-faceted team of different experience specific to the vendor type. Key players should include senior management employees who have extensive servicing knowledge along with compliance personnel and representation from third party risk. 
  3. Appropriate Items Covered in a Review. There is a lot of prep work involved in reviews. Prior to visiting the vendor onsite, you should request copies of policy and procedures (P&P). If your organization has agreed with the service provider on 'Agreed Upon Policies' as part of your contract negotiations, then you should review all this material in advance and then test against it when onsite.
  4. Know Physical Security. You have reviewed the P&P; now is the time to test. Review security and confirm if onsite data storage areas have increased levels of security. Video cameras are typically in servicing organizations but be mindful of where they are focused.

    If the subservicer receives checks as opposed to electronic payments, take a look if this area is monitored. Visitor and guest policy application should be tested by tailgating.  Most firms will have a clear desk and clear screen policy, however, take a walk on the floor and do a visual inspection. You may be in for a surprise of what you will find.
  5. Stay Up to Date on Regulatory Compliance. The CFPB has extensive guidelines regarding servicing operations with the utmost attention aimed at protecting the consumer.

    Areas such as escrow analysis, periodic statements, single point of contact and force placed insurance are all areas which need to be reviewed. This is not an extensive list by any means, so take the time to map out each regulatory compliance requirement and link it to the associated operational procedure.

    The task is then to review documentation which proves the vendor is complying. Much of this type of oversight review can be performed offsite since even with a two day schedule, the time can go by quickly.
  6. Don’t forget the basics:
    • Perform a financial analysis, is the servicer financially stable?
    • Business continuity
    • Disaster recovery
    • Hours of service. Can the servicer support a nationwide customer base?
    • Expertise with certain loan types, slow pay, non-performing assets
    • Location, if offshore - what level of oversight is performed on offshore operations
    • Retention model - ease of use
    • Internal vendor management framework.

The oversight of subservicer isn’t strictly limited to the regulatory or investor requirement. The servicer is an extension of your operation. Selecting the right subservicing operation can have an immediate impact on how your reputation is perceived. When a consumer calls into their loan servicer, the consumer will relate this experience to the lender they originated the loan with. Reputational risk, therefore, does present itself as a valid area of concern.

For more information on subservicing oversight, please review the following links:

Download our guide to help manage your fourth parties.


Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo