MORTGAGE LENDERS AND SERVICERS USE A LOT OF THIRD PARTIES to run their business. Just how many has become increasingly evident in recent times--and critical to regulatory compliance. The Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC) and Federal Reserve have all ratcheted up expectations for third-party risk management since 2012.
Essentially, banks are now required to use a risk-based approach to managing third parties and, notably, retain the risk related to any outsourced product or service. Things have been further complicated by this year's Truth in Lending Act (TILA)-Real Estate Settlement Procedures Act (RESPA) Integrated Disclosure (TRID) requirements, which could involve title agencies and other third parties.
From internal affiliates to mom-and-pop collection outfits to behemoth international conglomerates--all are third parties. The total count can seem overwhelming, and so can the compliance obligations.
Before launching into an overly burdensome process--one that could conceivably escalate to panic levels--it would be wise to create a strategy and roadmap to keep from overreacting, while still keeping in compliance. The following 10 do's and don'ts should be considered in the development of any sound third-party risk management program.
Do: Have an inclusive definition of third parties and cast a broad net.
The regulatory definitions are very general. But while it may be tempting to shorten the list of third parties by having a very specific definition, this approach would most likely backfire under regulatory scrutiny.
Do: Have a process to keep your inventory of third parties up-to-date.
The initial data-gathering phase can be very time-consuming, involving line-of-business surveys, reviews of contract databases, audits of accounts-payable systems and other steps. Undoubtedly, the day after all that data is gathered and an initial list is compiled, it will become outdated. Third parties are constantly being on-boarded and terminated--and having their services expanded or reduced. Without a sustainable process, the program will soon become invalid.
Do: Have an experienced professional take a first cut at reviewing the inventory of third parties by category to quickly prioritize which groups to evaluate in what order.
A qualified individual can identify which product and service types are on the higher end of the risk spectrum. The roadmap should start with these. While other...