Quality control audit firms play an important role in the review function of loan files. This requirement is performed at the pre-funding and post-funding stages of the loan origination process. Understanding the dynamics and risks will help a vendor management team perform a thorough review of this kind of vendor service.
Let's go through what you need to know to do proper oversight on this type of vendor.
Understanding the Requirement Helps to Understand the Vendor Function
It’s hard to believe that the FNMA LQI requirements were published in 2010. In the 7 years since, research has shown that post-closing quality control audit vendors seem to fly under the radar when it comes to vendor oversight.
If that is the case in your organization, now may be a good time to re-assess your oversight approach to this vendor.
What are pre- and post-closing audit reviews and why should vendor management be concerned?
Historically, post-closing quality control audits have been around for more than 30 years in the lending industry. In the midst of the financial crisis in 2008, Fannie Mae looked at ways it could help mitigate risk, with the goal of limiting defaults and re-purchase risk.
With the housing crisis fresh in everyone’s minds, it was a worthy goal and added an extra compliance layer to what was to become an increasingly cumbersome loan production experience.
As part of the guidance from FNMA, lenders could legitimately outsource their quality control processes but would be held fully accountable for the work performed by their quality control vendor.
Think: You can outsource the function, but not the risk. That's a vendor management or risk professional's daily mantra!
The selling guide was later updated to require the lender to “establish a process to review the quality control vendor's work product, policies and procedures.” Sounds like a vendor oversight opportunity to me!
What’s involved in audit reviews?
For a quality control vendor to perform an audit and satisfy either the pre- or post-funding requirements, they require these items:
- Access to the loan application and all relevant supporting documentation - this equates to a large amount of NPPI data (Non-Public Personal Information)
- Access to the complete financial profile of the consumer
- Social security numbers
- Employment history
- Marital status
- Credit history - including debts and account numbers
- A copy of driver’s license
For a would-be hacker, this is a data-filled field of dreams.
Next, the quality control vendor...
- Details the loan quality of the loan package, meaning they verify the data points and documentation and check them against the underwriting guidelines to ensure the consumer qualified correctly. It's their primary function.
- Verifies defects, such as misrepresentation, inaccurate data or inadequate documentation. Part of this process may involve engagement with fourth parties.
For the lender's vendor management department, an added scope is to review the quality control vendor's own vendor management program. This could be a potential red flag if the quality control vendor doesn't consider vendor management a priority.
Other Parties Involved In the Process
As mentioned above, the quality control vendor will probably be working with several fourth parties to validate the loan file, all of which will be given NPPI data or other sensitive information. These fourth parties include:
- Credit Reporting Firms – These are used for re-pulling credit on the loan file to establish if any new debt was acquired either before or shortly after loan closing.
- Appraisal Management Companies – They perform a field review on the lender-supplied appraisal report. This is used as part of the collateral review to determine if the appraisal valuation was deemed accurate and is a factor in determining the loan to value ratio. It is important to remember that the AMC outsources the assignment to a fee appraiser.
- Verification Firms – These include 4506T, employment and bank account verification vendors.
From what we've discussed so far, the NPPI has now potentially been shared with up to 6 entities, thereby increasing your inherent and residual risk by a multiple of each entity's operational standards.
18 Key Due Diligence Questions
The following is a list of key questions to be aware of either during the pre-due diligence phase or during the annual assessment.
1. Who will have access to the NPPI data?
2. Where will they access it from?
3. Does the auditor work remotely or in the bricks and mortar vendor location?
4. How robust is cybersecurity?
5. Where will the data be stored?
6. How long does the vendor store data, and how do they electronically destroy records?
7. Does the quality control vendor operate in a paperless environment or do auditors print out documents for review? If so, is a shred service used? And are documents shredded onsite or offsite?
8. Are there controls in place to limit staff from accessing borrower info after a completed report has been issued back to the lender?
9. Does the quality control vendor have a vendor management department with policies and procedures supporting the oversight requirements of their third parties?
10. What are the qualifications and subject matter expertise of the vendor’s quality control auditors?
11. Does the vendor have a robust set of policies and procedures surrounding their operation? This should include staff qualifications, training, compliance management, background checks, physical and information security.
12. Have any breaches occurred impacting the operation or borrowers' NPPI? If so, who was notified and when? Were corrective actions documented and implemented to ensure this didn’t occur again in the future?
13. Is the quality control vendor willing to share their internal vendor audits of the third parties which access the lender's information?
14. Will the quality control vendor share their third party vendor list so the lender can check against their own vendors and ensure they are not appearing on an internal DNU (Do Not Use) list?
15. How does the vendor keep up to date with industry regulatory compliance changes?
16. Is the quality control set of questions updated on hot topics which FNMA publishes? For example, defect category reports from FNMA.
17. Has the vendor provided evidence of performing within the agreed-upon SLAs documented in the contract? For example, Fannie Mae requires that a completed summary report be made available to senior management no later than 30 days after the audits have been completed.
18. Is this being monitored at the line of business level or within the lender's vendor management department?
2 Additional Tips
- Quality control audits are performed at the loan level, so a best practice to really help manage the performance is ongoing monitoring. This can be performed by the line of business, usually/hopefully with some input from internal vendor management. The emphasis will be on findings and their accuracy along with reported turn times in accordance with the contractual and FNMA SLA requirements.
- Know if the vendor is located onshore or offshore.
This All Will Help Make Better Informed Decisions
By better understanding the requirements, function and players involved in a lender's quality control process, vendor management can apply the relevant oversight experience and alert senior management to potential risks. In turn, this allows senior leadership to make better informed decisions.
The key is to engage early in communication with the lines of business and your internal customers. Being able to advise from a risk perspective and share your accumulated business intelligence will prove profitable for vendor management and internal perception as well as showcase your expertise in managing external vendors.