A crucial element of managing any mortgage business is ensuring the stability and management of your vendors. The foreclosure crisis demonstrated to regulators that a lack of sufficient vendor management by mortgage companies was a sizable contributing factor to the crisis. As a result, regulators have provided more guidance on proper vendor management activities and have indicated that supervision examinations will spend a significant amount of time reviewing each company’s vendor management processes and procedures. This article provides practical advice on how to meet regulatory expectations in choosing, vetting, contracting with and managing your vendors.
To RFP or Not to RFP
There is a significant regulatory upside to putting requests for proposals (RFPs) on services needed by your company out for bid. When looking at vendor selection through the regulatory lens, having written responses from prospective vendors is excellent documentation of the expectations of both parties from the start. In this case, it is crucial that the RFP ask the kinds of due diligence questions discussed below. In an RFP response, the answers to these questions may not provide sufficient detail for due diligence, but will provide enough detail for your company to better select a vendor that has practices in keeping with regulatory requirements.
Even if there is no RFP, it can be helpful to gauge the ability of the vendor to meet the regulatory requirements of your company by having them complete a questionnaire, or (at the very least) having them review a document explaining the due diligence process your company will follow in managing the relationship with the vendor.
Your company should ask thorough questions and know enough about the vendor to confirm that it is able to meet all regulatory requirements that apply to the products or services being provided and that it has the processes and procedures necessary to continue to meet those requirements.
The due diligence process starts by looking at the products or services being provided by the vendor and determining what laws, regulations and company policies and procedures apply. For example, if a vendor is managing customer information on your behalf, then that vendor is subject to the Gramm-Leach-Bliley Act and its implementing regulations, including its data security provisions.
Once you have identified applicable law, provide to the vendor your policies and procedures related to such applicable law and ask the following questions:
- What policies and procedures does the vendor have in place regarding applicable law?
- Has the vendor reviewed your company’s policies and procedures regarding applicable law and can it confirm that it is able to comply?
- What systems will the vendor use to provide products and services?
- Will vendor employees ever interact with your company’s systems, visit your company’s facilities for work purposes or receive your customer information? If so, are the vendor’s employment and hiring policies consistent with your company’s policies?
Once you have received responses to these questions from your vendor, it is up to you to implement the appropriate controls and oversight to manage the vendor and any weaknesses the due diligence may have revealed. It is also important to make sure that you build in contractual protection.
The Contract: Compliance and Contingency Planning
After the due diligence process, the next critical task in vendor management is the contract. Here, there are two important considerations:
First, the contract must contain certain compliance-oriented provisions that the CFPB and other regulators will look for. But just as important are the provisions that will come into play in the event of a break-up in the relationship with a service provider, especially for compliance-related reasons.
From a compliance standpoint, the contract must go well beyond a simple requirement for the service provider to obey any applicable laws. Depending on the nature of the service being provided, the contract should contain the following provisions:
- A requirement that the service provider must maintain the appropriate licenses and provide evidence of the currency of its licenses to operate
- A term allowing for audits of the service provider’s operations, including on-site, document and system access
- “Enforceable consequences” for a compliance violation that is not appropriately remedied, such as the right to terminate the contract and/or be indemnified for the consequences of the violation
- A requirement that the service provider give prompt notice of the occurrence of certain compliance-related events, such as governmental investigations, litigation, or a disciplinary proceeding against it
- A mechanism for complaints received by the service provider to be communicated to the other party, either individually (in the case of certain types of complaints) or in the aggregate (to allow the detection of any trends in the complaints, a potential warning sign of underlying compliance issues)
Contractual relationships come to an end, sometimes because of a conflict between the parties. When a parting of ways comes about because the service provider is suspected of committing a compliance violation of some sort, it can create an uncomfortable position for the other party,
When the servicers and GSEs terminated the law firms, litigation over allegedly unpaid legal fees ensued. That litigation could have been prevented, or the risks associated with it substantially lessened, by contracts with appropriate provisions to allocate the risks arising in a compliance-related termination of the relationship. So, although the regulators are giving a great deal of attention to contract provisions designed to promote compliance, it remains just as important for parties to plan for what happens if the relationship ends because of compliance issues.
Walking the Talk: The Audit Process
A sound contract is a necessary element to successful vendor oversight, but it must be followed by an audit and oversight function that is tailored to the risks of the particular service provider. An audit should test any consumer interactions for compliance problems, and should also assess the functioning of the service provider’s own quality control and self-monitoring processes. In this regard, service providers that pose higher compliance risks should receive more attention than lower-risk vendors. Collection-related vendors are likely to receive an especially high degree of scrutiny from the CFPB and other regulators, and so audit processes covering those service providers must be especially robust.
In today’s regulatory environment, managing vendors is a crucial part of your success in the mortgage business. Being able to demonstrate your company’s commitment to managing vendors through a strong due diligence process, solid contracting, and continuing and consistent auditing and oversight will mean easier examinations and interactions with regulators.