Non-Elective Vendor Oversight Responsibility
Oversight requirements for non-elective vendors.
A non-elective vendor is one you don't have an active or direct relationship with, but your third party does - making them a risk to you and, therefore, requiring some oversight. Listen to this podcast to learn examples of these types of vendors, vendor oversight recommendations, how to vet and perform due diligence on them, and more.
Hello everyone, and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third-Party Risk here at Venminder. Today's topic will be vendor oversight requirements on non-elective vendors.
This topic came about from a recent webinar I presented with National Mortgage News. It was actually a question which came out of the Q&A session which I thought everyone could benefit from. The goal for today is to address the oversight responsibility and also some best practices.
A non-elective vendor is a term given where your company doesn’t have an active relationship directly with the vendor being requested to be engaged with. In this example, that may be a consumer or perhaps an investor or mortgage aggregator. Certainly, we’ve seen mortgage aggregators require the certain use of vendors which will meet their requirement as part of your investor approval process.
Examples of these include quality control, fraud review, APR calculation software...to name but a few. The use of these types of vendors may offer strategic advantages and help with rep and warrant relief from the investor since you are following their lead. It would be easy to state that no vendor due diligence is required on these vendors. But, my sense is that, ultimately, these vendors will be accessing your consumers' Non-Public Personal Information (NPPI). From personal experience, I have never been asked by an examiner to disregard any non-elective vendors outside of my regular vendor panel. Truth be told, the examiner doesn’t differentiate between the two.
The second type of non-elective vendor which may come into play is when a consumer selects a vendor to be involved in the loan transaction. These are typically vendors such as closing agents or title companies and are usually either referred because they are a personal connection of the consumer or a referral from the realtor. In either case, there is a basic question to ask yourself as the lender: if this vendor fails to perform, commits fraud or suffers a data breach, who is at risk?
Ultimately, the risk lands with you as the mortgage lender. So, while it would never be good business sense to ask the consumer to provide vetting information on their preferred vendor, it would be good practice to set the expectations directly with the selected vendor. At a minimum, you should collect license information and errors and omissions insurance, and check against the HUD exclusionary lists and OFAC.
Because this type of vendor is chosen at the transactional level, it's unlikely that much in the way of oversight will be performed by the second line of defense. Note that the first line (processing / underwriting / closing) may be involved and a standard practice will be to submit the preferred vendor into a fraud risk data check service.
There are a number of services available such as First Americans Fraud Guard, Data Verify Drive Report and LexisNexis. While I am not recommending any provider over the other, each will provide a level of insight to the vendor, should there be any red flag findings to be concerned about. If there are red flags, it's important that, as a third-party risk management policy, you create a framework in which the first line of defense can provide feedback and that you can take the necessary action. Mortgage fraud still hasn’t subsided since the financial crisis, so third-party risk management can play an active role in identifying potential fraud rings where multiple parties or consumer-selected vendors have a vested interest in the transaction.
I mentioned earlier the case for improved rep and warranty relief may be available to you from the use of the aggregator-elected vendors. If we point back to the question regarding who is responsible for third-party risk management on non-elective vendors, it's worth noting that the Fannie Mae Day 1 initiative has a pre-approved and vetted list of vendors who provide services on verification of income and assets. And while rep and warranty relief is available for lenders who use Day 1 Certainty, Fannie Mae points out that vendor due diligence remains the responsibility of the lender based on their primary regulator's requirements.
This would seem to answer the question that third-party risk management is required to be performed by the lender regardless of who selects or approves a particular vendor service. The key thing to remember is that third-party oversight and vendor risk assessments on any vendor should be commensurate with the level of risk the use of the vendor presents. So in the case of the one-off transactional vendor, you should hit the fundamentals but don’t go overboard.
Thanks again for tuning in. If you haven’t already done so, please subscribe to our Third Party Thursday podcast. I’ve been your host, Steve Greenfield. Until next time, Trust but Verify.