Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.


Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 


Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.



Trends, best practices and insights to keep you current in your knowledge of third-party risk.


Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars



Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.



Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.



Non-Elective Vendor Oversight Responsibility

CPE Credit Eligible

Oversight requirements for non-elective vendors.

A non-elective vendor is one you don't have an active or direct relationship with, but your third party does - making them a risk to you and, therefore, requiring some oversight. Listen to this podcast to learn examples of these types of vendors, vendor oversight recommendations, how to vet, due diligence on them and more.

Available on
Listen-on-Apple-Podcasts-badge.jpg  google-play-badge 2.jpg


Podcast Transcript

steve greenfield chief risk officerHello everyone, and thank you for joining me today for our Third Party Thursday podcast. I’m Steve Greenfield, Director of Third-Party Risk here at VenminderToday's topic will be vendor oversight requirements on non-elective vendors.

This topic came about from a recent webinar I presented with National Mortgage News. It was actually a question which came out of the Q&A session which I thought everyone could benefit from. The goal for today is to address the oversight responsibility and also some best practices.

A non-elective vendor is a term given where your company doesn’t have an active relationship directly with the vendor being requested to be engaged with. In this example, that may be a consumer or perhaps an investor or mortgage aggregator. Certainly, we’ve seen mortgage aggregators require the certain use of vendors which will meet their requirement as part of your investor approval process.

Examples of these include quality control, fraud review, APR calculation name but a few. The use of these types of vendors may offer strategic advantages and help with rep and warrant relief from the investor since you are following their lead. It would be easy to state that no vendor due diligence is required on these vendors. But, my sense is that, ultimately, these vendors will be accessing your consumers' Non-Public Personal Information (NPPI). From personal experience, I have never been asked by an examiner to disregard any non-elective vendors outside of my regular vendor panel. Truth be told, the examiner doesn’t differentiate between the two. 

The second type of non-elective vendor which may come into play is when a consumer selects a vendor to be involved in the loan transaction. These are typically vendors such as closing agents or title companies and are usually either referred because they are a personal connection of the consumer or a referral from the realtor. In either case, there is a basic question to ask yourself as the lender: if this vendor fails to perform, commits fraud or suffers a data breach, who is at risk? 

Ultimately, the risk lands with you as the mortgage lender. So, while it would never be good business sense to ask the consumer to provide vetting information on their preferred vendor, it would be good practice to set the expectations directly with the selected vendor. At a minimum, you should collect license information, errors and omissions insurance. Check against the HUD exclusionary lists and OFAC.

Because this type of vendor is chosen at the transactional level, it's unlikely that much in the way of oversight will be performed by the second line of defense. Note that the first line (processing / underwriting / closing) may be involved and a standard practice will be to submit the preferred vendor into a fraud risk data check service.

There are a number of services available such as First Americans Fraud Guard, Data Verify Drive Report and LexisNexis. While I am not recommending any provider over the other, each will provide a level of insight to the vendor, should there be any red flag findings to be concerned about. If there are red flags, it's important that as a third-party risk management policy, you must create a framework in which the first line of defense can provide feedback and that you can take the necessary action.   Mortgage fraud still hasn’t subsided since the financial crisis, so third-party risk management can play an active role in identifying potential fraud rings where multiple parties or consumer selected vendors have a vested interest in the transaction.

I mentioned earlier the case for improved rep and warranty relief may be available to you from the use of the aggregator elected vendors. If we point back to the question regarding who is responsible for third-party risk management on non-elective vendors, it's worth noting that the Fannie Mae Day 1 initiative has a pre-approved and vetted list of vendors who provide services on verification of income, assets. And while rep and warranty relief is available for lenders who use Day 1 Certainty, Fannie Mae points out that vendor due diligence remains the responsibility of the lender based on their primary regulator's requirements.

This would seem to answer the question that third-party risk management is required to be performed by the lender regardless of who selects or approves a particular vendor service. The key thing to remember is that third-party oversight and vendor risk assessments on any vendor should be commensurate with the level of risk the use of the vendor presents. So in the case of the one off transactional vendor, you should hit the fundamentals but don’t go overboard.

Thanks again for tuning in, If you haven’t already done so, please subscribe to our Third Party Thursday podcast. I’ve been your host, Steve Greenfield. Until next time, Trust but Verify.


Subscribe to our Third Party Thursday Newsletter

Receive weekly third-party risk management news, resources, and more to your inbox.


New Call-to-action

Ready to Get Started?

Schedule a personalized solution demonstration to see how Venminder can transform your vendor risk management processes.

Request a Demo