In conducting due diligence on a supplier/vendor, at what point is the line drawn between accepting the way the supplier/vendor conducts themselves to prescribing how they should do it? By prescribing, are you accepting risk and liability unnecessarily?

As far as the regulator is concerned, the supervised entity has the liability and responsibility. Indemnification provisions within a contract – if you specifically direct your vendor to do something a certain way because you believe that is in compliance with an applicable law and it just turns out the regulator has a different view – at some point down the line it may be more difficult to invoke that indemnification provision if you’re the source of the [legal] interpretation. That’s certainly a risk and something you should take into account. But of all the risks at play here, I think that, if you see something in the way your vendor is handling whatever the task might be that you’re concerned creates a compliance issue, the obligation on you is to make sure it’s being done correctly. If that means you’re directing your vendor and taking on yourself the risk that you’re wrong, I think that’s what’s expected of you under all the guidance.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

When it comes to assessing the risk of a closing agent, would it make sense to have minimum standards? Also how would the regulator view a one person closing agent shop vs. a large closing agent handling closings in multiple states?

One of the ongoing concerns about all of the enhanced regulatory requirements is that they place a burden to the point of exclusion on smaller shops. You reach a point where there’s simply too much for one entity to do and while the Bureau has put in place certain limited carve outs (there are certain small creditor exemptions in the mortgage servicing and origination rules), the general requirement is that everyone is expected to follow the law and there are no exceptions for small guys, notwithstanding the fact that there is serious public debate about whether the problems in the mortgage industry and real estate industries were caused by the smaller actors. The amount of required oversight would depend on the volume that the one-person shop is handling. However, while it’s sort of silly for a one-person shop to have all of these policies and procedures, I think it’s going to be expected to have them if they’re closing a significant number of loans. They’re going to be expected to comply with the law like anyone else.

Answered By: Ben Olson

In regards to policies and procedures, related to compliance training, is a bank responsible to provide the training to the vendor, or is the bank responsible to understand the training the vendor gives to their employees?

I believe it’s the latter. It is not that the bank is responsible for getting into the business of training its vendors, although I think that’s certainly permissible. At the end of the day, the vendor training needs to be sufficient, just as the bank needs to train its own employees. It’s sufficient to review the vendor’s training of its own employees to ensure that it covers all the correct bases. I don’t see anything in the guidance requiring otherwise.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

What ramifications to vendor management do we see in regards to the Wells Fargo fine in the news recently?

The Wells Fargo and Chase actions generated a lot of attention. But in a way, they aren’t “new” news in the sense that RESPA Section 8 enforcement has been the Bureau’s focus. If you just look at the number of cases brought by the Bureau as a percentage of all its public cases, it’s close to a quarter of all their public enforcement actions. So the Bureau has been making enforcement in this area a priority.

Putting aside the particular facts of the Wells Fargo and Chase actions, I look at these as a reminder that regulators are going to be looking closely at all your relationships. Vendor management is one aspect of that but they are looking very much at compliance with specific consumer protection laws including the section 8 prohibitions on certain types of payments involving settlement services. What you need to know for all the people you are doing business with is whether your agreements with those individuals or entities are compliant with existing law and assuming they are, are you adhering to those agreements? Some of the other actions brought by the Bureau in this area have been very focused on whether the services that are called for in the agreement with the third party are actually being performed].

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

Are there examples of best practices in Vendor Risk Management that you can share with us?

Well, beyond what we’ve discussed in the context of this session, here are some broad examples: Complaints are one of the biggest points of emphasis, particularly for the Bureau, right now in examinations. Anybody who you allow to interact with your customers needs to be monitored.

You also need to be looking at their scripts. A lot of issues that were alleged in the ancillary product cases arose out of the fact that that the scripts were inadequate for collecting consent or they weren’t being followed. So if you have a vendor who is interacting with your customers over the phone, they should be doing their own monitoring but you should have the ability to also listen in to a sample of calls, so you can verify that the scripts you put the effort into reviewing for compliance with the law are in fact being followed and aren’t being undermined in the sales process.

Another recommendation for a best practice is having your shop in order. By that I mean knowing who all your relationships are with and having ready access to the agreements and other information about those relationships. When you’re disorganized, in my experience, the regulators just start to assume there is increased risk of non-compliance, whereas if everything is clean and organized and you can show you are hitting all of the expected marks, that allow them to check the box and move on. You can, by investing the effort up front, put yourself in a position to make the actual examinations that much smoother or – in the inevitable event that an issue does arise – to be able to demonstrate that you did everything you could up front to prevent it. That way, if it is necessary to remediate harm to a consumer, you can go ahead and do that but not be penalized by the regulator for a failure to prevent the action in advance.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

Is Vendor Management interaction (contract information, licenses, insurance documents billing etc.) subject to NPPI rules for lenders?

The NPPI rules are going to apply to your vendors handling of your information in the same way they would apply to you. The extent your vendors are collecting or using NPPI about your customers, then it needs to be subject to all the same controls and protections as if you were doing it yourself.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

How available does all this data have to be? Immediate reports to satisfy examinations’ requests or what are the different ways they can request information?

I have not seen an expectation of immediate availability unless it is true account level information. If you’ve outsourced some sort of servicing, for example, you are expected to have on demand access to how your customers are being serviced, but in most areas it is sufficient to have monthly, or even quarterly, or in some cases annually, access to the information through reports. The key though is that it is not enough to get the information; you have to be able to document that it is received, it is reviewed, and is acted on as appropriate. If these reports are coming in and they are just being stuck in a file unread, that presents a lot of risks because there may be things in those reports that you need to act on or there may be glaring holes in those reports that you need to spot and follow up on.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

Do criminal background checks need to be performed on all vendors, whether critical or non-critical?

The critical/non-critical distinction is not baked into all of this guidance as it is in other areas. What we really fall back on is what is the nature of the services being provided by the vendor and what background checks would be required if this was your employee performing this function in house. The person who delivers your printer paper, if they’re not being let into a part of the building where there is access to sensitive consumer information, they are not going to be subject to the same levels of scrutiny as if you are outsourcing payment processing or loan origination functions, where there is a real possibility of misuse of confidential information. There is no clear line. Try to follow this rule: If this is your employee would they need a criminal background check?

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

If our bank acts as a correspondent lender for residential mortgages, do we have to be concerned with vendor management since we only collect information from the buyer and do not work with any vendors?

That’s an interesting question. My first reaction is that it is unusual in my experience for a correspondent lender’s functions to be quite so limited. Obviously, if that really is the sole extent of the correspondent’s action, I would advise to take a look at the Bureau’s guidance on mini-correspondents and ensure you are on the right side of the line and that you are the lender and not functioning as the broker in the eyes of the law. [Note: The CFPB’s policy guidance on mini-correspondents is available at http://files.consumerfinance.gov/f/201407_cfpb_guidance_mini-correspondent-lenders.pdf.]

To answer more directly, when originating a mortgage you are going to have some interaction with venders such as appraisers and settlement agents. I have not come across an instance where the correspondent lender is that divorced from all the activities, but I want to know more about this situation. If it really was limited to that degree, I’d have some concerns about who truly is the lender here.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

How are the regulators viewing real world situations in which organizations that would like to terminate a contract with a vendor due to poor security practices but are unable to because of the iron clad contract signed with these large organizations where there may not be many alternatives to serve their customer base?

This has happened. There are no sort of public pronouncements by regulators on this sort of subject for reasons that make a fair degree of sense. If a contractual requirement was sufficient to overcome a regulatory expectation then everyone would put that in their contract. So the regulators are never going to admit that that is an acceptable outcome. [Note: The CFPB confirmed this position in its January 27, 2015 bulletin on the treatment of confidential supervisory information. See CFPB Bulletin 2015-1 (available at http://files.consumerfinance.gov/f/201501_cfpb_compliance-bulletin_treatment-of-confidential-supervisory-information.pdf).]

That said, I have personally had conversations and have seen this in other examinations where this has come up and the regulator did not take action. What was important in those cases was being able to document to the regulator that the supervised entity had done everything it could to bring the vendor in line. That doesn’t mean you actually have to sue your vendor if you believe they are not complying with the contract or the law. The Bureau’s basically said no to that question.

Now whether in this specific case the contract is really is all that iron clad isn’t clear. You’re going to want to be very sure of that and be very sure that you put the vendor on notice about the issue and that you requested that they remedy it. Essentially, I would just keep requesting over and over. The vendor may get sick of you, but it also sounds like they are not providing the level of service you need. The agreement doesn’t last forever so you’re going to have to start exploring as soon as possible ways to get yourself in a position where you’re working with a vendor who doesn’t raise these concerns.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

Is the lender required to provide a list of providers, i.e. title companies?

Yes, there is a requirement — as is the case today — to provide a list of settlement service providers. It’s an important point when you’re talking about the tolerances. The zero tolerance bucket applies to services where the borrower dictates both the service and the service provider. Those are zero tolerance fees. The 10% tolerance applies when you have a lender-required service but the borrower has the ability to choose the service provider. If the borrower actually does choose the service provider, then the fee for that service goes in the “no tolerance” bucket (in other words, the category of things to which tolerances do not apply).

So what distinguishes services the consumer can choose from services they cannot choose? Well, first you have to provide a list of settlement service providers for services the borrower can choose. There is a model form for this in the rule. It’s not fancy, but headings match the format of the Loan Estimate. With that form, you must identify at least one available provider for each service for which the borrower is permitted to shop. And you must allow the borrower to choose someone who is not on the list. If you give them a closed list — and by that I mean they can pick anybody they want as long as it’s somebody on your list — then that is not considered allowing them to shop and the zero tolerance rule still applies. Instead, you need to give them both the opportunity to choose somebody on your list, but also the opportunity to go out and choose somebody of their own, subject to reasonable requirements. For example, you can require appraisers be properly licensed and so on and so forth. But this requirement was designed to create an incentive to allow consumers to shop.

So yes, there is a requirement to provide a list of settlement service providers and the provision of that list is very important in terms of how you calculate your tolerances. You’re going to need to have names on hand to populate that list, track who was on the list that you provided to the borrower, and then track who they actually chose because that’s going to dictate which tolerance bucket the fee goes into.

Note: This transcript has been edited from the February 2015 TRID webinar for clarity and completeness.

Answered By: Ben Olson

What if it’s a purchase and the buyer doesn’t decide the service provider, i.e. the title company?

You have to have a title company and the creditor of course has to give the borrower the opportunity to choose that company. If the borrower does not choose, then presumably they’ve taken the creditors’ default option on the list of settlement service providers. If the consumer was not permitted to choose an unlisted title company, the title fees would be subject to zero tolerance assuming the creditor requires a title search and everything else to insure that it has good title.

However, before I set the world on fire, let me amend that to say that it depends on whether the creditor gave the borrower the opportunity to shop. So if the creditor gave the borrower the opportunity to shop for title services, which they are required to do, and to go off of the list of settlement service providers and the borrower simply failed to do so, that would be in the 10% bucket category, not zero percent tolerance. As long as the borrower is given the opportunity to shop off of the list, 10% tolerance applies.

Note: This transcript has been edited from the February 2015 TRID webinar for clarity and completeness.

Answered By: Ben Olson

Why can major lenders recommend at a corporate level, what title company to use, but loan officers can’t suggest different companies to borrowers?

The lenders at the corporate level have 3rd party vendor management oversight compliance concerns so presumably the title company they selected passed their compliance and audit requirements to be on their recommended list. Section 1026.19)(e)(1)(vi)(A) permits creditors to impose reasonable requirements regarding the qualifications of the provider (i.e. title company). For example, the creditor may require that a settlement agent chosen by the consumer must have a SSAE 16 SOC 1 Type 1 Certification from a qualified CPA firm. If a creditor does not permit a consumer to shop for purposes of 1026.19(e)(1)(vi) if the creditor requires the consumer to choose a provider from a list provided by the creditor. Section 1026.19(e)(1)(vi)(C) provides that the creditor must identify settlement service providers that are available to the consumer. A creditor does not comply with the identification requirement in § 1026.19(e)(1)(vi)(C) unless it provides sufficient information to allow the consumer to contact the provider, such as the name under which the provider does business and the provider’s address and telephone number. Similarly, a creditor does not comply with the availability requirement in § 1026.19(e)(1)(vi)(C) if it provides a written list consisting of only settlement service providers that are no longer in business or that do not provide services where the consumer or property is located.

In a wholesale transaction how can a lender validate when a third party originator has gathered 6 pieces of information that constitutes an application?

There is not really a way I can think of that you can go in on a case-by-case basis—if there is that would be great for you. But you should have at least some protocols in place for managing the third parties that you’re doing business with.

This transcript has been edited from the May 2015 round table discussion for clarity and completeness.

Answered By: Andy Arculin

What do you see as the biggest challenges for wholesale lenders in implementing TRID?

TRID presents a number of challenges to everyone: this rule really affects every party to a real estate transaction, from the mortgage broker to the real estate broker to the settlement agent to the creditor. That’s what makes TRID different than a lot of the other rules that the CFPB has issued. The Ability-to-Repay/QM rule is essentially a creditor rule. The loan originator rule is very focused on originators and how they are compensated. Servicing rule is focused on servicers. This rule basically affects everyone.

There is a range of challenges that go from technical details about populating the form to fundamental business process questions, which I think tend to be the most challenging operationally. These questions require lenders to rethink how to structure everything from application intake processes, to adapting to more complicated rules regarding tolerances, to new timing requirements for the LE and CD, and various other issues.

For wholesale lenders, what I think is the most challenging is the front end application intake to Loan Estimate stage. Instead of designing your own application intake process that you’re in control of, you can train your people around and you can very closely monitor, you are outsourcing that function to a third party. You will not be able to control the application flow on your own system; nor will you know exactly when the application has been submitted each time. You also won’t be generating the Loan Estimate yourself and making sure the estimates are good and reliable, based on the best information you have. Rather, for each application you’re going to be turning that over to third parties and different third parties at that. So the biggest challenge is how to manage that process. How to make sure that your third party LOs are taking applications in a manner that is acceptable to you, your investors, and to the regulators. How to make sure you know that they are actually complying with the timing requirements and producing the Loan Estimates on time, and that the estimates they are providing are good and based on the same information that you would use—because you’re ultimately going to have to honor the estimate they’ve given and will be liable for the disclosures that they’ve given.

Those are challenges, but there are different ways of dealing with them. One is to closely monitor who you’re doing business with. Another way is to mitigate your risk somewhat and take more of the responsibility yourself as the wholesaler. You could accomplish this by letting the broker take the application, but as soon as the broker has an application, sending it to you and generating your own Loan Estimate. That’s one approach some people in the industry are doing and there’s nothing wrong with that. But you basically need to have realtime information if that’s what you’re going to do, because you’re still going to be on that 3-day clock that starts when the broker has received the application. In other words, you still will need to produce an estimate within the same time frame that the broker would have, so any lag in information flow could be a challenge for you.

The alternative is allowing the broker to provide the Loan Estimate for you. The rule does allow some flexibility for brokers to just take applications and generate Loan Estimates without a specific creditor in mind and leave the creditor’s name blank. That’s something you can do, but again, there’s more risk on your end doing business that way because it’s harder to monitor whether or not the estimates were really made according to what estimates and terms you would use if you are just taking an estimate a broker provided that wasn’t even really done with you in mind.

There are different ways of attacking that issue but the biggest challenge is really getting from application to Loan Estimate in a compliant manner and making sure the estimates you’ve been given and running with are reliable and good.

This transcript has been edited from the May 2015 round table discussion for clarity and completeness.

Answered By: Andy Arculin

The new application definition eliminates some of the flexibility that wholesalers and the third party originators/brokers have today in determining when an application has been submitted. Are there still ways that information collection can be controlled?

Yes, there are, but there are some limitations. Recall the “catch-all” element, which exists under RESPA. This is basically anything else (in addition to the six elements) that the creditor requires to complete an application. This catch-all element is going to be gone on August 1st so the new definition for an application triggering the Loan Estimate is going to be six specific pieces of information: the consumer’s name, income, social security number (as the rule is written it says social security number for purposes of retaining a credit report), the property address, the estimated property value, and the estimated loan amount. Those are the six. That’s it and once those six elements have been submitted by the consumer for purposes of obtaining credit—meaning they’re not just on file somewhere, but the consumer has actually submitted them to a broker or a creditor for the purposes of getting an extension of credit—the application has been submitted and the clock is ticking.

However, the preamble sections on the new definition of application in the final rule (if you want a regulatory cite that’s section 2(a)(6) of Regulation Z) discuss at length the flexibility that creditors or brokers have in controlling or sequencing the collection of information. For example, the sixth element collected in a lot of cases is going to be something sensitive like the social security number, and may be saved for the end while other useful information or necessary information like date of birth and mailing address (which aren’t in the 6 elements), as well as information like the product type, can be captured first. The catch, however, is implied in the preamble and was clarified later by the CFPB’s webinar: the creditor or broker is not permitted to refuse to proceed with the application collection if the consumer has provided all six elements and wants to submit the application. There’s a reason for this. Despite all this talk about flexibility, which I think usually works because people want to get a loan and they will willingly give information as the information collection goes, one of the main policy objectives of the rule is making it easier and quicker for consumers to get estimates and shop between them. The Bureau felt strongly that removing the creditor-specific or “catchall” application element would mean that the consumers can get Loan Estimates from different creditors based on the same universe of information, and that would greatly facilitate shopping. That was the theory. This means sequencing is allowed, but in the CFPB’s view there is a caveat—and in your case, that is a caveat you are going to be entrusting to third party brokers.

As for what you need to do to make sure brokers are complying with the rule, section 19(e)(1) has a section titled “Mortgage Broker,” and makes clear what the minimum expectations are going to be: the creditor is expected to maintain communications with the brokers to ensure the broker’s acting in place of the creditor. In other words you do have responsibilities for making sure that the broker is doing this correctly. Policies and procedures will govern how information is collected, how scripts are designed, how people are trained if you’re doing face to face sales, and there’s also some specific guidance about online application systems as well if that’s the way your brokers are taking applications.

This transcript has been edited from the May 2015 round table discussion for clarity and completeness.

Answered By: Andy Arculin

The new rules require that a Loan Estimate is sent to the consumer no later than the third business day after the consumer’s application is received, regardless of whether a broker or lender takes that application. What options do wholesalers have for producing the Loan Estimate in this tight window, when a third-party loan originator is taking the application?

Wholesalers can do really one of two (or if you count blank Loan Estimates, three) things. One would be you trust the broker to generate the Loan Estimate on your behalf. And you make sure that they’re doing it in a manner that’s compliant with the rules and they’re also producing estimates that you’re going to be willing to guarantee. That’s one way to do it. Another way to do it, which I have heard, is having a tight enough information flow so when your broker takes an application, as soon as that application is completed, you know about it. And you’re producing the Loan Estimate, you—meaning the wholesaler—you’re producing the Loan Estimate in your own name, with your own estimates rather than trusting a broker to do that. That’s another option. If there’s any type of lag in information time that may cost you a day—remember you’re only going to have three business days, so you have a tighter window to do it. You can’t receive a package and then start your clock three from when you receive the package. It’s going to be three days from when the broker took the application. But if you have a way that your systems are synced up or your information is being shared, and you know exactly when that happens, another option you have is to produce the Loan Estimate yourself.

Answered By: Andy Arculin

Can you please reiterate that it is the settlement agent’s responsibility under TRID to provide the seller’s CD? As a lender this is so problematic that title companies and such do not, under their obligation under the rule.

Richard Horn: I was going to reiterate that, it is a requirement under the rule under 19(f)(4), for the settlement agent to provide the seller’s CD.

Brent Laliberte: I can tell you, we haven’t had any issues with that, that’s been going pretty smoothly, the bigger issue that we’ve had is, the Realtors are trying to get us to release that seller’s CD or that buyer’s CD to them, and that’s when we just tell them that’s obviously that’s a lender form, that we have no authority to release.

What we’ve been seeing lately is some kind of homebrewed authorizations, ‘Hey look, my client said it’s okay to give me this,’ look, that’s not good enough for me, I need to comply with the rule, I need to give it to the consumer, and if you want to get it from the consumer, you need to get it from the consumer, but absent written authorization from the lender allowing us to release the CD to the Realtor, we’re not even touching that, but getting it to the seller is not a problem for us.

Richard Horn: I’ll reiterate that this is why it’s so important for lenders, where they have the ability to do so, to really pay attention to the settlement agents that they are doing business with. Imposing some type of reasonable requirement, like, third party certification of compliance with ALTA’s best practices or other even more advanced certifications.

Because there is a great deal of potential liability with these TRID disclosures that actually could be caused by a settlement agent not complying with TRID, providing inaccurate information, or not following the closing instructions. Making sure that you are dealing with settlement agents that actually have the proper compliance management systems, and proper certifications, could be helpful in reducing the risk of that liability.

We have not heard anything from our regulator in our last exam regarding this issue, is this something that is more concentrated with certain regulators and/or geography or is this something we need to be concerned about as a small community bank?

This is something we hear a lot. Obviously, if your regulator has not raised this issue with you, that is a good thing. It is hopefully indicative of the fact that they don’t have a specific concern about your compliance management system in this area.

The difficulty with this is that you can’t wait until it becomes an issue because then it’s probably too late. We’re sensitive to the idea that resources are inherently limited and you want to focus your priorities accordingly. The guidance is out there and on its face it applies to everyone. Your regulator is unlikely, at least in my experience, to take as a response: “You haven’t raised this with us before.” You are expected to know both the law and the applicable supervisory guidance.

I guess what I’d have to say in response to that question is that past results are no indication of future returns. It may be that your regulator will never raise it, but chances are they will and you want to be prepared to respond if and when that happens.

Note: This transcript has been edited from the January 2015 vendor management webinar for clarity and completeness.

Answered By: Ben Olson

Got a question?
Ask the experts.

Your Name *

Your Email *

Your Question *