The mortgage servicing business is fielding a spate of new rules and regulations. According to the Washington, D.C.-based law firm "Davis Polk & Wardwell LLP":http://www.davispolk.com/, which specializes in regulatory matters and other complex issues facing the financial services industry, there are 49 required rulemakings under the Dodd-Frank Act that address mortgage reforms and 63 related to consumer protection.
The first big test of the servicing sector's preparedness and compliance with the new rules of the road comes January 10 with the implementation deadline for the Consumer Financial Protection Bureau's (CFPB) Ability-to-Repay rule, Qualified Mortgage definition, and new mortgage servicing standards related to foreclosure processing, borrower communication, and a number of other default-specific functions.
With the regulatory intervention the industry is experiencing today, there is an increased and immediate need for system controls, certification of compliance, and information management controls--for both servicers and their outsourcing partners. Equally important is the ability to provide clear evidence demonstrating compliant operations and essential controls.
A number of companies have been providing the marketplace with this type of assurance for years now. "ProVest LLC":http://provest.us/ announced Thursday that it has received the Service Organization Control (SOC) Type 2 attestation for the fourth year in a row.
"This level of reporting sets ProVest apart from other service of process organizations," said Vic Draper, ProVest COO. Draper explained that the SOC Type 2 offers clients a "level of assurance that ProVest is in compliance with all applicable regulations."
The SOC Type 2 provides information on ProVest's controls over its systems relevant to _security_, _availability_, _processing integrity_, _confidentiality_, or _privacy_. These five disciplines are the "Trust Service Principles" on which SOC 2 is based, and each principle has predefined criteria that demonstrate adherence:
* *Security*: The system is protected, both logically and physically, against unauthorized access.
* *Availability*: The system is available for operation and use as committed or agreed to.
* *Processing Integrity*: System processing is complete, accurate, timely, and authorized.
* *Confidentiality*: Information that is designated "confidential" is protected as committed or agreed.
* *Privacy*: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity's privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
SOC 2 also requires a written statement of assertion and a description of the service organization's system from management, which is said to be more comprehensive and detailed than previous audit standards that require a description of controls instead of the system itself, such as the Statement on Auditing Standards 70 (SAS 70).
"This acknowledgement affirms our commitment to providing a stable, sound, and secure environment through financial strength and investments in compliance, legal, audit, technology, and vendor management practices," Draper said.
Servicers and their partners--from valuation providers to foreclosure attorneys--are both service organizations themselves and outsource tasks to other service providers that collect, process, store, and dispose of information or handle business transactions on behalf of customers.
"SOC reports":http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/pages/sorhome.aspx are designed to help service organizations build trust and confidence in their service delivery and controls over information and data with a report prepared by an independent certified public accounting firm.
The "American Institute of Certified Public Accountants":http://www.aicpa.org (AICPA) established the SOC Reports (Types 1-3) to effectively replace Standards for Attestation Engagements (SSAE) No. 16 (SSAE 16) and SAS 70 as the official auditing standard for service organizations to demonstrate they have adequate internal processes and controls in place.
Industry insiders say SOC 2, in particular, is gaining traction among technology-based service organizations. SOC 2 reports are utilized for reporting on controls by the growing list of IT-related organizations such as cloud computing, software as a service (SaaS), managed services, and data centers, among others.