Home / Daily Dose / The Five Pillars of Risk Management
Print This Post Print This Post

The Five Pillars of Risk Management

Editor's note: This select print feature is scheduled to appear in the July 2015 issue of DS News, available on July 1.

By Gene Collett

As a mortgage banker, originator or servicer, you may be thinking, “Can the Consumer Financial Protection Bureau (CFPB) interfere with my supplier and service provider relationships?” If you’re asking that question, it is useful to learn more about the CFPB’s vendor oversight expectations. Based on its Bulletin 2012-03, the CFPB expects that every financial institution will manage its service providers “to protect the interests of consumers and avoid consumer harm.” The CFPB’s measuring stick, so to speak, is calibrated based on federal consumer financial laws and regulations.

No regulatory authority prohibits the use of third-party providers. Such providers enable financial institutions (“FIs”) to leverage expertise and capabilities that otherwise would be unavailable. However, every examiner and auditor expects an FI – bank, non-bank or credit union – to retain responsibility for the treatment of its customers. This holds true for directly-contracted providers (e.g., default servicers), and even third parties engaged by a contracted entity (e.g., a property valuation expert hired by a service provider contracted by a bank). Hiring third parties never absolves an institution of its primary responsibilities to consumers.

Why does all of this matter in default servicing? If you are a third-party service provider, you are subject to CFPB oversight if the bureau supervises your client. If you engage a third-party service provider as a CFPB-supervised entity, the lack of absolution described above applies to you. Given this presence of the CFPB in your world, what are its expectations for any institution that engages a third-party servicer? The expectations fall info five categories:

1. Compliance Due Diligence
2. Assessment of Service Provider Oversight and Training
3. Contract Terms
4. Controls & Monitoring
5. Prompt Action to Address Issues

Due Diligence

Compliance due diligence means that an FI must assess each third party provider’s understanding of, and capability of complying with, federal consumer financial law. In assessing a service provider, a large mortgage FI should first determine whether the servicer already has clients with a similar number of loans, transactions and general workload. Given that expanded Regulation X requirements for mortgage servicing have been fully known for over two years, no FI wants to bring thousands of loans to a small servicer, nor be a service provider’s “beta test” for knowledge of the Equal Credit Opportunity Act, Truth In Lending Act, Real Estate Settlement Procedures Act, or Servicemembers Civil Relief Act.

If a default servicer has deep collections experience with credit card accounts, but no mortgage background, it would be unwise to give them immediate responsibility for a large volume of past-due mortgages. A gauge of any servicer’s compliance capability is its compliance staff. Is there a single compliance officer, a full compliance team, or a smaller team augmented by third-party compliance resources? Are compliance staff members available to meet with people from the FI prior to contract signing? Can the servicer provide a compliance department organization chart and reasonably detailed list of each person’s responsibilities? Complete, affirmative responses to such questions are positives.

One warning sign of a servicer’s inability to handle compliance matters is an account representative handling the vast majority of inquiries – limiting an FI’s contact with other servicing staff prior to contract signing. Others include a servicer’s lack of detailed information, coupled with responses such as, “Mr. Smith has been handling that for years,” “we’re a national service provider,” or “our audit department handles that.”

Oversight and Training

Assessing a provider’s management oversight and training is the most comprehensive of these five requirements. It is necessary both prior to contracting with the provider and over the life of the relationship. Even after a full, pre-contract evaluation, the FI will not have seen how the provider’s eloquently stated training program and controls are applied to its portfolio of assets. An FI’s review should include a review of third-party policies, procedures, training materials and records, internal controls, and other tools used for management oversight.

While training is complex in terms of topics, its assessment is not complicated. A strong training program at a service provider would include classification of employees into job roles, documented mandatory compliance (and other) training courses/topics for each job role, records of the previous year’s training completion-by-employee and each person’s training completed year-to-date, and documented methods for training course scheduling, assignment, reminders and confirmation of completion.

Indicators of strong service provider management oversight include reports on compliance factors such as percent of loss mitigation requests acknowledged in writing within five (5) days; timeliness in completing loan modification denial appeals (e.g., high, low and average number of days); and results of transaction testing for servicer responses to Notices of Error. Beyond reports, oversight indicators include procedures that vary in detail (i.e., greater levels of detail for complex and high-risk processes, such as mortgage loss mitigation); documents (e.g., policies, guidelines) that contain dated revision histories; and a documented process for handling regulatory changes.

Contract Terms

The CFPB also expects that contracts with service providers contain clear compliance expectations. This does not mean boilerplate verbiage along the lines of “service provider agrees to comply with all applicable laws and regulations.” Such text has been the long-standing approach to compliance inclusion in contracts – and it is now far from sufficient. Unfortunately, even with improved general awareness, compliance contract terms are perhaps the most misunderstood part of managing a service provider. This is due to the wide disparity in terms of background and experience of contract authors and reviewers at many FIs – generally, groups of procurement specialists and attorneys. These groups have deep expertise on internal policies, contract payment terms, and the law. However, these specialized draftsmen and overseers often lack a full understanding of: (a) the operational aspects of default servicing; (b) the criticality of compliance; (c) the complexity of applicable information technology systems; and (d) the most likely failure points that create consumer compliance issues. Such knowledge is essential in crafting a contract that includes comprehensive provisions and actionable key performance indicators (KPIs).

Contracts with adequate compliance provisions are usually the product of collaboration between a provider’s subject matter experts and its people with contract expertise (generally, attorneys and procurement specialists). KPIs for default servicing include timeliness reports (e.g., responses to Requests for Information, analysis of completed loss mitigation applications, and mailing of written Early Intervention Notices); results of appealed loan modification denials; and notification timing and quantity information for loans with recently force-placed insurance. In addition, each functional area at a service provider should be required to provide production and processing reports – with received, in-process, and completed volumes that reconcile.

Controls & Monitoring

While the previous three components focus on the service provider (e.g., service provider), the fourth is very challenging for most financial institutions. Specifically, each institution must create a comprehensive, long-term and effective program to manage each provider. The program must include both internal controls (e.g., reports, electronic queues) and on-going monitoring. The latter means on-going monitoring of the provider’s processes – to include transaction testing.

Internal controls at an FI are similar to those at a servicer, covering topics such as those described for KPIs, above. However, the FI has to add an extra layer of diligence. For example, an FI should reconcile information coming from different sources and/or KPIs. It can reconcile billing for print volumes (e.g., specific types of letters, periodic statements) with the number of loans serviced and volumes reported by the servicer. If a service provider is handling phone calls to past-due borrowers, the FI can review previous calls to borrowers who are at least 20 days past due. This would minimize the number of past-due borrowers who do not receive a good faith effort at live contact, from the service provider, as required by Regulation X, §1024.39. The transactions most easily tested by an FI are usually servicer mailings. For example, all loans over 45 days past due can usually be checked in the system of record, to confirm mailing of both the Early Intervention Notice and the Servicemembers Civil Relief Act (SCRA) Notice Disclosure. When the service provider reports a KPI for volume of loan modification denial appeals, the FI can request a sample of the appeals – then assess timeliness and accuracy.

Addressing Issues

Finally, after discharging all the steps above, due diligence is complete and functional controls and programs are in place at the institution and its providers! Addressing problems – timely, accurately and comprehensively – is arguably the most important component of the third-party servicer provider relationship. The greatest challenge lies in clear communication, from issue identification through resolution, to prevent assumptions that lead to neglected actions. Often, three steps can minimize the risk of missed actions: precise issue identification, clearly documented roles, and comprehensive status reporting. Once an incident with possible consumer harm occurs (e.g., borrower never received information about loss mitigation options), the FI and service provider must agree on a problem statement. The roles of key personnel must then be clearly documented though, in some institutions, one person could perform multiple roles. The roles typically include persons to: create an action plan; approve the action plan; ensure that all actions are taken and solutions implemented; confirm that the actions taken remediated the issue; and track the issue from definition to confirming resolution and effective action to prevent recurrence.

As a service provider, or an FI that uses one, what are the functional areas to which an organization should apply these five categories of regulatory expectations? This varies slightly based on the organization and its stage in the third-party vendor relationship. For both existing and potential relationships, it’s recommended that FIs and servicers focus first on creating a comprehensive, reliable framework for addressing default servicing errors or omissions. Such a framework, as previously described, will be useful because no relationship will be flawless, and both servicers and FIs will have to manage actions to resolve issues. For an FI with existing service provider(s), the next recommended priority is the creation of a formal servicer management program, with controls and on-going monitoring. Why? If an FI wants to discuss improvements with its service providers, it must be able to articulate both its expectations and how they fit into the FI’s long term goals.

For an FI considering first-time use of a service provider, its next priorities after establishment of a framework for error resolution ought to be compliance due diligence and assessment of servicer oversight and training. This effort will pay dividends with fewer issues in the long term, after the best servicer is selected. As a service provider, once a solid framework is in place for addressing default servicing errors, the next priority is to look inward – and make sure that the organization’s knowledge base of consumer financial law, management oversight of consumer compliance processes, and employee training can withstand the scrutiny of an FI’s due diligence and on-going monitoring and testing.

By using both CFPB Bulletin 2012-03 and the information above, both financial institution management and service provider site managers can improve their performance, minimize consumer compliance issues, and improve the results of regulatory examinations and inquiries.

 

About Author: Gene Collett, CRCM

Gene Collett is a Director in the Governance Risk and Compliance (EGRC) practice. He has more than 20 years of servicing, compliance, banking and operational experience in mortgage and consumer lending, correspondence, and deposit operations. His teams evaluate institutions and servicers for consumer compliance, vendor management, UDAAP risk, fair lending risk, and examination (e.g., CFPB, OCC) readiness. They also assist organizations in creating comprehensive compliance, training, and vendor management programs. His clients include mortgage companies, servicers, banks, and credit unions.
x

Check Also

Federal Reserve Holds Rates Steady Moving Into the New Year

The Federal Reserve’s Federal Open Market Committee again chose that no action is better than changing rates as the economy begins to stabilize.