Who’s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management 2015 LBA Bank Counsel Conference Marx Sterbcow, Managing Attorney, Sterbcow Law Group


Who’s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management

2015 LBA Bank Counsel Conference

Marx Sterbcow, Managing Attorney, Sterbcow Law Group


The Bureau’s Scrutiny of Vendor Management

“Vendor Management is not new. It is straightforward, not complicated and fundamental, so do it. Don’t ignore this. It isn’t going away.”
Calvin Hagins, CFPB Program Manager, at the MBA Regulatory Compliance Conference, May 2014


WHO ARE SECONDARY MARKET INVESTORS

Pension Funds

Hedge Funds

Governments

Financial institutions who extend credit to other banks

Banks who purchase Residential Mortgage Backed Securities from other Banks/Lenders.


DON’T BLAME YOUR LENDER/BANK

Lenders follow the Secondary Market Investors’ requirements

“He who holds the money makes the rules”

Regulations caused investors to push new restrictions

Restoring Secondary Market Investor confidence led to new regulations.


Why does the Secondary Market Care?

Secondary Market purchases pools of RMBS

Investors of Mortgage Backed Securities are now liable for all aspects of the origination.

Shielding liability from “assignments” is dead.

Secondary Market wants defect-free originated mortgages.


Why does the Secondary Market Care?

Purchase RMBS to make money, not lose it

Any mortgage defect can lower the value of their security!

An illegal kickback arrangement between settlement service providers in the origination can spoil the entire pool of RMBS

Avoid the Scratch and Dent Sale


Who is the Secondary Market Scared of?

YOU!

Your Vendors

Your Vendor’s Vendors.

Audit, monitor, and oversee all of your Vendors.

“The bigger you are the more compliant you need to be!”

The bigger your vendor is the more scrutiny you need to impose.


Who are 3rd‐4th party vendors?

• Technology services
• Audit
• Loan Review
• Mortgage Brokers
• Outside Legal Counsel
• Website hosting providers
• Marketing Companies
• Title Agents
• Title Underwriters
• Real Estate Brokers
• Real Estate Agents
• Abstractors
• Escrow Companies
• Notaries
• Marketing Companies
• Banks (i.e. your accts)
• Cleaning Companies


So Who Cares?

The CFPB, OCC, FFIEC and FDIC expect supervised banks and non-banks to have an effective process for managing risks of service provider relationships.

The regulators will apply these expectations consistently regardless of whether it is the supervised bank or non-bank that has the direct relationship.


So What Gives Them Heartburn?

• Inadequate due diligence
• Inadequate risk assessment
• Underestimating costs
• Inadequate oversight and risk management
• Flawed contracts
• Lack of contingency or termination plans
• Illegal marketing and advertising practices


SUMMARY OF FEDERAL LAWS AND REGULATIONS IMPOSING LIABILITY ON LENDERS FOR ACTS OF THIRD PARTY SERVICE PROVIDERS

• 2010 Wall Street Reform and Consumer Protection Act
• OCC, FDIC, NCUA, Federal Reserve, FFIEC, FTC - Gramm Leach Bliley Act
• Consumer Financial Protection Bureau (CFPB)
• CFPB’s eight rules and their effective dates
• CFPB 2012-03 Bulletin regarding due diligence
• Lender due diligence expectations
• ALTA “best practices”, self-assessment guides and certification


CFPB BULLETIN 2012-03 - APRIL 13, 2012

Provides that lenders may be held legally responsible for the actions or inactions of their service providers where consumers are harmed as a result of the service provider failing to comply with consumer financial law. 

To “limit the potential” for such responsibility, lenders “should take steps” to ensure no unwarranted risks are posed to consumers by their service providers. 


THE FIVE STEPS

1. “Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;

2. Requesting and reviewing the service provider’s policies, procedures, internal controls, and training manuals to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;

3. Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;

4. Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law;

5. Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.”


Key Compliance Recommendations

• SSAE 16 (SOC 1) Type 2 Certification
– Verifies that a service organization has been through an in-depth audit of its internal controls for financial reporting.
– Assesses controls at service organizations that are relevant to user entities’ internal control over financial reporting. Snapshot of a date-specific time.

• SSAE 16 (SOC 2) Type 2 Certification
– Verifies that a service organization has passed an in-depth audit of its security, availability, processing integrity, confidentiality, and privacy. Period of time.


Key Compliance Recommendations

• ISO 270002 Certification
– Verifies that a service organization has been through an extremely in-depth audit of its internal informational security controls for financial .

• ALTA Best Practices 2.0 (CPA Certification)
– Verifies that a service organization has passed the 7 basic guidelines for sound business practices.

NOT ALL CERTIFICATIONS ARE CREATED EQUALLY!!!


THE TIER SYSTEM EXPLAINED

TIER 1 VENDOR—presents highest level of soundness, security, and safety to financial institution.  Unlimited # of transactions.

TIER 2 VENDOR—presents moderate level of soundness, security, & safety.  Limited # of transactions.

TIER 3 VENDOR—presents low level of soundness, security, & safety.  Capped at very small # of transactions or eliminated completely.


MORE LENDER DUE DILIGENCE OF VENDORS 

• Lender Audits – On‐site Visits “Trust, but verify” ‐ Facilities, Data Security, Employee Interviews 

• Internal and External ‐ Process Reviews & Audits 

• Information Technology‐ Administrative, Technical & Physical Safeguards 

• Technology Service Providers Audits
• Service Organization Control (SOC) Reports
• Master Service Agreements
• General Closing Instructions
• Performance and Metrics Evaluations
• Corporate Policies and Procedures
• State and Federal Rules and Regulations
• Consumer Financial Law
• Information Security Audits


SOUND VENDOR MANAGEMENT PRACTICES

Sourcing, Evaluating, Qualifying and Selection

• Use of non‐disclosure agreements (NDAs) 

• Due diligence considerations 

• Defining roles and responsibilities 

• Process mapping 

• Reference checks – existing customers and trade references 

• Other sources for vendor information – e.g. Google, Yelp, BBB 

• Service Level Agreements (SLAs)

• Training Vendors – transfer of knowledge

• Scorecards

• Consumer Complaint Resolution System


What’s A Settlement Agent To Do?

• What are their 3rd party providers’ GLBA Privacy Procedures and do they need to provide a Privacy Notice? Do you have a copy of it?

• What are their Information Security Procedures? Do you have a copy of those written procedures?


Insurance and Fidelity

• What is the nature of their requirements at law as to liability and E&O insurance? Do they meet them?

• Even if there is no legal requirement as to insurance or bonds, what do you need to assure your security and that of your customers and their customers?


Insurance and Fidelity

• Maintain copies of all insurance, fidelity and surety requirements. Be sure they are current.

• Are the dollar amounts of coverage sufficient?

• Does the insurance include insurance as to NPI breaches? Employee theft of NPI? Are you named as an insured?

• Reputational Risk Policy?

• Social Engineering Policy?


Financial Resources

• Gather financial statements annually for privately held 4th party vendors. If not available, obtain FCRA disclosures to run credit.

• Does your 4th party provider run FCRAs on their employees?

• Does your 4th party provider run criminal & civil litigation background checks regularly?


References and licenses

• When considering a new 4th party vendor get references from existing customers including bank references.

• Maintain copies of all required licenses and be sure they are current.

• Always review 3rd, 4th, & 5th party websites & Facebook pages for RESPA, UDAAP, and Fair Lending issues.


Social Media Policy

• What is the social media policy of your 4th party vendor? Do they monitor the social media use of their staff? Limit or control any reference to you in any advertising or social media.

• Be aware of regulatory social media compliance such as that of the FFIEC and be sure your 4th party vendors are aware of it.


Social Media Policy

• Do they utilize social media management scanning tools?

• Does the 4th party have outside legal counsel review their online advertising and marketing?

• Prohibit pictures and names of consumers from being displayed online.


Disaster Recovery Policy

• What is their Disaster Recovery Policy? Are they truly capable of following it? Maintain current copies of their policy.

• How does their Disaster Recovery Policy integrate with yours? Can there be mutual assistance in case of a disaster?


Data Security

• To what NPI do your counter party providers have access? Is it required or can it be limited?

• Does the counter party provider have encrypted e-mail if the nature of their services requires it?

• What is their password policy for employees?

• Do they have an SSAE SOC 1 or 2 Certification or a PCI Certification?


Office Security

• What is the 4th party’s “clean desk” policy? Are devices password protected and are they locked down at night?

• Do they maintain your data on their servers and what is the security of them? What do they do with old hard drives of computers and copiers?


More office security

• How are paper files secured that leave your office?

• What is the security policy as to those files by your counter party provider?

• Do your counter party providers have secure office entry points?


Premises Security

• Can you see through windows? Are windows blacked out on the 1st floor? Is privacy glass incorporated into the office?

• Do they have security cameras inside & outside of their operation? Are FOBs/card scanners/ID badges used?

• Visitor management system in place.


Notary Policy

• Notaries should be part of and signatories to your office Anti-Fraud Policy.

• Notaries should be required to maintain journals for every act performed on your behalf. Each document should be listed separately in the journal.

• Maintain copies of current licenses, required bonds and insurance.

• Have written copies of the notaries’ policies as to security of stamps and seals.


Hire A Vendor Manager

• Designate a Vendor Manager who is responsible for maintenance and retention of all written counter party provider policies as well as all reports, journals and other documents.

• They should have clear written directions of their responsibilities.


Uncle Sam wants you!

• Your Bank customers are required to have a full understanding and supporting documentation as to your 3rd-4th party provider policies.

• The liabilities lie not just with regulators but with investors and seekers of private causes of action.


Get Stronger Not Weaker

Vendor requirements will get more complex.

Secondary Market is forcing lenders to focus on compliance as the primary relationship driver.

Aspire to be a Tier 1 Vendor not a Tier 2 or 3.

Gain weight on the Bank’s compliance scale. 


QUESTIONS

Marx Sterbcow JD LLM
Sterbcow Law [email protected]: www.respaattorneys.com
RESPA Blog: www.respalawyer.com