Knowing Your Vendor Is More Than Just Doing an Annual Risk Assessment

We’ve seen what we call the square peg syndrome. It’s the mindset that all vendors and the oversight required is the same. In some cases, that could be true, after all, a business continuity or disaster recovery plan is extremely important on a critical vendor.

However, the issue arises when the oversight activity skims the surface of the real nuts and bolts of a specific vendor operation. This is where the risk of the square peg and round hole becomes apparent.

Work Through Issues in Obtaining Information

A common issue in oversight practices is assuming that the vendor will have the standard information on hand or even cares about your long list of audit requirements. For example, the contractor who receives the lawn cutting order from a property preservation is extremely unlikely to have a SOC report.

Believe it or not, these vendors do receive such requests. For any property preservation lawn guy or gal out there, please send the name of the vendor manager. We’ll have a chat!

Think of your vendors individually and ask for documents/information that makes sense for them. And, if it’s a document that you really do need from them that they won’t give you, figure out other methods of obtaining the information.

CFPB Now Involved in Vendor Oversight

In 2017, the CFPB announced that they too would be reviewing vendor internal operations, adherence to policy and procedures. You can read more about this piece here.

It’s likely that the CFPB has the advantage with the army of compliance attorneys on hand to perform such oversight of vendors. And because of this, if you haven’t already familiarized yourself with the actual regulatory compliance requirements which your vendors must follow…the time is now.

Regulations Broken Down by Vendor Type 

Here’s a list of regulation notes to be aware of. Note that some regulations are broad and cross over multiple vendor services or products. Others may be vendor specific. 

•   FCRA - Fair Credit Reporting Act - The Fair Credit Reporting Act, 15 U.S.C. § 1681 (“FCRA”) is U.S. Federal Government legislation enacted to promote the accuracy, fairness and privacy of consumer information contained in the files of consumer reporting agencies.
  
  
• Credit Reporting Agencies should be encouraged to have an intense training and compliance program dedicated to the adherence of FCRA.
  
  
•   UDAAP – Unfair, Deceptive or Abusive Acts or Practices – UDAAP is a provision of Title X of the Dodd-Frank Act. This provision is broad in the sense that guidance is relatively vague and has been known to be used by the CFPB as explanation for non-compliance in enforcement actions. At a high level, its aim is to protect consumers from harm by unfair marketing, misleading representation and causing the consumer the inability to make informed decisions to the material risks, costs of the product or service. 

Recent enforcement actions for UDAAP violations include high-cost loans originated through a tribal lender, servicing misconduct and deceptive sales practices, deceptive debt collection, deceptive marketing, servicing errors, servicing misconduct, processing improper transactions and illegal collection of fees.  

• Regulators have levied many enforcement actions against organizations, resulting in multi-million-dollar settlements. The potential to suffer from reputational risk could be detrimental in your business operation and the financial impact on your consumer could be equally as severe.
   

• All vendor products and services who interact or offer financial services to the consumer are subject to UDAAP review. It’s imperative that oversight includes UDAAP complaints, enforcement actions and training and testing of UDAAP compliance is in place.
  
  

• AIR – Appraisal Independence Requirements – Often misinterpreted by lenders on how AIR applies, the Appraisal Independence Requirements (AIR) were developed by Fannie Mae, the Federal Housing Finance Agency (FHFA) and Freddie Mac. As of April 2017, only Fannie and Freddie have adopted the AIR regulations. It applies only to 1-4 residential units which are sold to Fannie or Freddie. Loans insured by VA or FHA do not fall under this regulation. 

While the regulation is aimed at limiting any undue pressure on appraisers and appraisal management companies (AMCs), it’s important that lenders understand the AIR rule and the oversight requirements. AMCs and independent fee appraisers must understand the importance of the AIR regulation and have policies and procedures in place to remain compliant. It’s worth mentioning that AIR can very easily be broken by lender in-house appraisal departments. It’s highly encouraged that executive risk managers perform AIR audits of their internal process.

Remember, not all vendors are created equal and the regulations covering vendor services do vary as we have demonstrated above. While this is not an exhaustive list of federal consumer regulatory compliance requirements, it should demonstrate that a good understanding of the regulations which dictate your vendor partners is key in ensuring that you’re performing an adequate oversight program.

See the due diligence items that are critical to perform for your vendors. Download our checklist.