Editor’s note: this feature originally appeared in the March issue of DS News, out now.
In the past decade, decreasing volumes on both the servicer and attorney side have forced companies to tighten their belts to remain profitable. One area of particular concern for both parties is the attorney audit. Law firm audits cost servicers millions of dollars annually while the firms spend tens of thousands of dollars per audit in employee time. On top of this, attorneys spend numerous hours filling out audit questionnaires, while managers are taken from their daily duties to sit in on each individual audit. The irony is that the bulk of the information requested is the same, so why hasn’t the industry been able to come up with a universal solution? It turns out the answer is already here.
The Universal Problem
When the Consumer Financial Protection Bureau (CFPB) was created, the Bureau instituted the audit, in part, to resolve the issue of potential attorney malfeasance. Issues such as robo-signing, impossibly shortened timelines, and a failure to comply with federal statutes, such as the Servicemembers Civil Relief Act, indicated that some borrowers were being foreclosed upon in inappropriate ways. Since the work was being done on behalf of the default servicing community, servicers were called upon to provide the oversight of third-party vendors.
Immediately, companies scrambled to come up with new protocols to ensure their counsel were utilizing entirely compliant processes.
While talk immediately began of a universal protocol, in order to move quickly, each servicer began establishing its own requirements, as well as establishing staff that would perform onsite audits.
With no prior guide, auditors and compliance staff undertook developing questionnaires and audit protocol based upon their individual interpretation of the rules. Accordingly, there were discrepancies from servicer to servicer. Further, the fact that audit and compliance teams needed to be established, created a situation where management-level staff had to be taken away from their primary tasks, leaving particular duties unfulfilled.
“Often times, a different set of standards based not on need but on preference cause confusion for creditors, servicers, vendors, and anyone else involved in the practice of default services,” said Jim Bonner, Senior Partner at Brock & Scott PLLC.
While profitability has been shrinking for most, the nonrecoverable expense of attorney audits has only heightened this situation. The cost per attorney audit averages between $8,000 and $12,000, causing many servicers to look for new ways to save money. On the law-firm end, costs can range between $10,000 and $40,000 in productivity per audit.
To mitigate this, the use of larger, multistate law firms has become the norm, even where such firms have longer timelines or diminished customer service. When the GSEs began requiring servicers to use at least two approved firms per state, the thought was that work would be spread around, giving smaller firms an opportunity to compete. It also helped alleviate the risk of “putting all of your eggs in one basket.” Sadly for the industry, the opposite has happened. Numerous small firms have closed, left the industry, or been bought for pennies on the dollar. Small firms frequently cannot afford to absorb the cost of audits, or the extreme level of associated compliance, without sufficient volume to help defray the costs.
Consolidation of default work into fewer mega firms carries its own unwanted risk. The abrupt closing of Butler & Hosch P.A. and Zucker, Goldberg and Ackerman LLC sent shock waves through the industry. That is on top of the mid-crisis closing of numerous firms caught robo-signing (or other alleged misdeeds), resulting in over 100,000 files being transferred to other firms at tremendous expense to servicers and the GSEs alike, which in turn spun off the rules regarding the use of multiple firms. The recent mega firm closings appear to be more management-oriented, but the financial risk is still very real. This is not to say that such firms need to be avoided, or that smaller firms are always preferable, but such issues should be considered. How then should the industry balance such risk against exorbitant costs? The simple answer: consolidating audit and compliance oversight into a common, “universal” platform.
A potential solution to some of the most common problems involves creating a uniform standard as to what is measured during an audit. Identification of core requirements will promote efficiency, decrease costs, and help identify the root cause of problems facing vendors and servicers alike. Similar to the information technology industry standards like ISO 27001 or a SSAE18, standardizing the scope of audits will streamline the focus on what issues they are facing while also allowing servicers to focus on requirements required by various investors.
“If a vendor receives 10 scorecards from 10 clients and each scorecard reports something different, then the vendor is required to implement 10 versions of processing a file. This will decrease the efficiency of the employees within the vendor, cause potential risks from processing a file incorrectly, and ultimately increase the cost of processing the files. However, if vendors were graded only on a uniform set of standards, then efficiency increases, audit results will likely be more positive, and identifying weaknesses (or strengths) of the vendor is streamlined. Additionally, with uniform standards, the back-and-forth and argumentative approach to non-uniform metrics are eliminated. Rather, a vendor and servicer will know exactly what is expected,” said Bonner.
While an extensive debate has been going on for many years regarding what should or should not be included in all attorney audits, the benefits are obvious.
In the two years that I have been working on this subject, several things have become clear. The first is that the use of outside CPA/auditors is somewhat counterproductive because they have no knowledge of the foreclosure process. This is especially true because each of the 50
states is unique, leaving an outsider with no specific knowledge of what they are auditing. The second is the fear by some servicing staff that the use of outside companies may cost them their job. Certainly, at the manager level, that could never be true since the Office of the Comptroller of the Currency (OCC) and CFPB specifically require servicer oversight of its thirdparty vendors. In other words, managers will always be protected as their role in monitoring the data and making firm-by-firm decisions still lies solely with them.
The third issue comes from my direct observations while establishing the first universal audit prototype for U.S. Default Management. When comparing the questionnaires of three different servicers, I noted that 90 percent of the audit questions used by each were the same, even if they used different words. The remaining 10 percent were unique questions to each individual servicer. While my original thought was to use one base questionnaire and have the answers mapped to an individual servicer’s version, I realized that each servicer was better off with all of the information in their possession. Imagine a CFPB auditor asking for information that other servicers have, but you do not. A company would look very silly when they are the only one lacking that particular set of data. Why not just include everything that everyone wants? That is exactly what U.S Default Management has done, not just with the questionnaire, but also with the entire audit process. Granted, if a client is adamant about excluding certain information, we can certainly set that up in the system, but do you want to be the executive that makes that decision?
For those who are concerned about the use of a standardized audit, or the use of third-party audit providers, the OCC issued a frequently asked questions (FAQ) communication on June 7, 2017, which has a very positive impact for the success and implementation of law firm standardization. This FAQ is a supplement to OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” that was issued on Oct. 30, 2013. The FAQ covers 14 questions of which three specifically address standardization, the outsourcing of audits and collaboration in those audits. In summary, the OCC has conveyed three critical clarifications of their third-party service provider oversight requirements relating to attorney audits:
- Banks may take advantage of various tools designed to help them evaluate the controls of third-party service providers. In general, these types of tools offer standardized approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy and business resiliency control assessment questionnaires.
- Banks may outsource some or all aspects of their compliance management systems to third parties, so long as banks monitor and ensure that third parties comply with current and subsequent changes to consumer laws and regulations.
- When multiple banks use the same third-party service providers they can collaborate to meet expectations for managing third-party relationships.
As it turns out, there are companies that have been aiding the servicing side for the past few years. Some perform audits, on a client-by-client basis, and others, such as Decision Ready Solutions and Vendor Risk, provide technology that aid servicers in performing and maintaining audit-related data. While such services do not appear to include a universal audit, they do help consolidate and standardize the data that has been accumulated from each law firm, based on an individual servicers needs.
U.S. Default Management has taken a different approach. “Instead of hoping everyone would agree on a common questionnaire, we simply combined all of them and created our own ‘universal audit,’” says Dawn Alli, VP of Operations. “We have spent a lot of time developing cutting edge technology, which provides complete transparency for both servicers and attorney firms. We can add questions or processes within 24 hours, which also allows us to slash the cost of the entire process. The more servicers that jump on board with us, the more affordable the process can become because we can spread the overall costs amongst all of our clients.”
While the direction of the CFPB may be wavering, attorney audits will remain a mandatory facet of default servicing. Backing off such oversight leaves companies incredibly vulnerable in the event of future attorney misconduct or financial misstep. Maintaining oversight of both process and financial conditions of default attorney firms is the only way to shield a servicer from public, governmental, and legal exposure down the road. Even if the CFPB backs off its rules, competent servicers will not back off of third-party vendor oversight. With greater efficiencies at our fingertips, it is time to implement a standardized initiative. Whether one utilizes an out-sourcing company to cut costs or keeps the operation in-house, the “universal audit” is an undertaking that should be performed by every default servicer.