Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

Over 800 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

Join the thousands of risk and compliance professionals who subscribe to Venminder

Vendor Oversight Practices For Post Closing Quality Control Audit Vendors

5 min read
Featured Image

Quality control audit firms play an important role in the review function of loan files. This requirement is performed at the pre-funding and post funding stage of the loan origination process. Understanding the dynamics and risks will help a vendor management team perform a thorough review of this kind of vendor service.

Let's go through what you need to know to do proper oversight on these type of vendors. 

Understanding the Requirement Helps to Understand the Vendor Function

It’s hard to believe that the FNMA LQI requirements were published in 2010. In the 7 years, since, research has shown that post closing quality control audit vendors seem to fly under the radar when it comes to vendor oversight.

If that is the case in your organization, now may be a good time to re-assess your oversight approach to this vendor.

What are pre and post closing audit reviews and why should vendor management be concerned?

Historically, post closing quality control audits have been around for more than 30 years in the lending industry. During the midst of the financial crisis in 2008, Fannie Mae looked at ways where they could help mitigate risk with the goal of limiting defaults and re-purchase risk.

With the housing crisis fresh in everyone’s minds, it was a worthy goal and added an extra compliance layer to what was to become an increasingly cumbersome loan production experience.

As part of the guidance from FNMA, lenders could legitimately outsource their quality control processes but would be held fully accountable for the work performed by their quality control vendor.

Think: You can outsource the function, but not the risk. That's a vendor management or risk professional's daily mantra!

The selling guide was later updated to require the lender to “establish a process to review the quality control vendor's work product, policies and procedures." Sounds like a vendor oversight opportunity to me!

What’s involved in audit reviews?

For a quality control vendor to perform an audit and satisfy either the pre or post funding requirements, they require these items:

  1. Access to the loan application and all relevant supporting documentation - this equates to a large amount of NPPI data (Non-Public Personal Information)
  2. Access to the complete financial profile of the consumer
  3. Social security numbers
  4. Employment history
  5. Marital status
  6. Credit history - including debts and account numbers
  7. A copy of driver’s license

For a would-be hacker, this is a data-filled field of dreams.

Next, the quality control vendor...

  1. Details the loan quality of the loan package. Meaning, they are verifying the data points and documentation and checking against the underwriting guidelines to ensure the consumer qualified correctly. It's their primary function.
  2. Verifies defects, such as misrepresentation, inaccurate data or inadequate documentation. Part of this process may involve engagement with fourth parties.


For the lender's vendor management department, an added scope is to review the quality control vendor's own vendor management program. This could be a potential red flag if the quality control vendor doesn't consider vendor management a priority.

Other Parties Involved In the Process

As mentioned above, the quality control vendor will probably be working with several fourth parties to validate the loan file. All of which will be given NPPI data or other sensitive information. These fourth parties include:

  • Credit Reporting Firms – These are used for re-pulling credit on the loan file to establish if any new debt was acquired either before or shortly after loan closing.

  • Appraisal Management Companies - They perform a field review on the lender supplied appraisal report. This is used as part of the collateral review to determine if the appraisal valuation was deemed accurate and is a factor in determining the loan to value ratio. Important to remember that the AMC outsources the assignment to a fee appraiser.

  • Verification Firms – These range from 4506T, employment and bank account verification vendors.

From what we've discussed so far, the NPPI has now potentially been shared with up to 6 entities thereby increasing your inherent and residual risk by a multiple of each entity's operational standards.

18 Key Due Diligence Questions  

The following is a list of key questions to be aware of either during the pre-due diligence phase or during the annual assessment. 

Data:

1. Who will have access to the NPPI data?

2. Where will they access it from?

3. Does the auditor work remotely or in the bricks and mortar vendor location?

Cybersecurity:

4. How robust is cybersecurity?

5. Where will the data be stored?

6. How long would the vendor store data for and how do they electronically destroy records?

Environment:

7. Does the quality control vendor operate in a paperless environment or do auditors print out documents for review? If so, is a shred service used? And are documents shredded on or offsite?

8. Are there controls in place to limit staff from accessing borrower info after a completed report has been issued back to the lender?

9. Does the quality control vendor have a vendor management department with policies and procedures supporting the oversight requirements of their third parties?

10. What are the qualifications and subject matter expertise of the vendor’s quality control auditors?

11. Does the vendor have a robust set of policy and procedures surrounding their operation? This should include, staff qualifications, training, compliance management, background checks, physical and information security.

Security:

12. Have any breaches occurred impacting the operation or borrowers NPPI? If so, who was notified and when? Were corrective actions documented and implemented to ensure this didn’t occur again in the future?

13. Is the quality control vendor willing to share their internal vendor audits of the third parties which access the lender's information?

14. Will the quality control vendor share their third party vendor list so the lender can check against their own vendors and ensure they are not appearing on an internal DNU (Do Not Use) list?

Performance: 

15. How does the vendor keep up to date with industry regulatory compliance changes?

16. Is the quality control set of questions updated on hot topics which FNMA publishes? For example, defect category reports from FNMA.

17. Has the vendor provided evidence of performing within the agreed upon SLA’s documented in the contract? For example, Fannie Mae requires that a completed summary report be made available to senior management no later than 30 days after the audits have been completed.

18. Is this being monitored at the line of business level or within the lender's vendor management department?

2 Additional Tips

  • Quality control audits are performed at the loan level so a best practice to really help manage the performance is ongoing monitoring. This can be performed by the line of business usually/hopefully with some input from internal vendor management. The emphasis will be on findings and their accuracy along with reported turn times in according with the contractual and FNMA SLA requirements.

  • Know if the vendor is located on or off shore.


This All Will Help Make Better Informed Decisions

By better understanding the requirements, function and players involved in a lender's quality control process, vendor management can apply the relevant oversight experience and alert senior management to potential risks. In turn, this allows senior leadership to make better informed decisions.

The key is to engage early in communication with the lines of business and your internal customers. Being able to advise from a risk perspective and share your accumulated business intelligence will prove profitable for vendor management and internal perception as well as showcase your expertise in managing external vendors.

To read up on proper vendor oversight of a contract mortgage underwriter, download this infographic

Download Now

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo