In recent weeks we have seen a number of articles written about compliance, and about the risks of not following best practices and accepted audit and oversight guidance. Those articles point out, correctly, that the risk of noncompliance is significant, and that servicers are holding you accountable for your supply chain. As a result, there has been a flurry of activity across the industry to respond to new mandates and evolving third-party guidelines. Compliance is arguably more of an issue today than at any time in history.

In fact, an article that appeared in the March edition of this very publication, titled Highly scrutinized, touches upon those exact subjects. What that piece, and other recent pieces like it, fail to address, however, is that there is a fundamental contradiction simmering behind the surface storyline: the optics of industry compliance are not always in line with the mechanics of what is required to maintain truly effective oversight. The difficulty is in reconciling the push for more audits and stricter compliance standards and processes with a corresponding mandate to also become more diversified and to avoid putting too many servicing eggs in one vendor basket. This is more than just an inconvenience or a logistical challenge—this is an issue that gets to the heart of what constitutes truly effective and sustainable oversight.

From the audit/compliance perspective, no vendor is too small, and every vendor needs to be vetted. With every vendor you add to your network, the compliance risk goes up significantly. And because satisfying the robust compliance and oversight standards across larger numbers of firms will be difficult—and in some cases virtually impossible—the question then becomes: if all you have really done is to send and receive a questionnaire, are you truly mitigating your compliance risk or are you just checking boxes?

The bottom line is that vetting and auditing servicing vendors should facilitate—not hinder—risk mitigation, and ironing out the mechanics of how strong and sustainable oversight should function is an industry priority that deserves a thorough, thoughtful and engaged debate.

A new era

This discussion about what effective compliance looks like is particularly relevant today, with the industry preparing for a significant transition in attorney selection. Beginning on June 1st, both Fannie Mae and Freddie Mac are terminating their designated/retained counsel programs, and servicers will be able to select and “certify” their own attorneys, provided that they satisfy the new GSE guidelines that were issued last November.

The new GSE selection/approval process is already underway: servicers were allowed to start submitting completed law firm certification requests to Fannie and Freddie on March 1st, and new firm training is scheduled to begin shortly. The new selection criteria and retention process applies to all prospective attorney firms, including those firms currently in the retained attorney network. The GSEs will then review each individual application—of which there will be thousands—as each servicer must submit a certification request for each law firm (no one servicer can “piggyback” off another servicer certification request or submit multiple state packages).

Needless to say, in the absence of an umbrella organization(s) providing definitive guidance and oversight with regard to attorney designation/qualification, the details of how the vetting and auditing process will work—not just prior to June 1st, but also going forward—take on a heightened importance. While the processes in place for the initial application and selection are fairly straightforward, the standards and mandates regarding future monitoring and auditing oversight are less specific (and possibly more worrisome).

A looming problem?

While it is clear that some vendors have provided more robust compliance systems, it is equally obvious that, in some cases, infrastructure has been developed and put in place at a cost that outstrips the fees required to make this approach sustainable.

The good news is that some vendors have generally been responding positively to the constantly evolving standards and practices of the last few years, and the majority of responsive and responsible servicing organizations have gone out of their way to stay on the right side of the scrutiny equation. Well before the formal June 1st rollout of the new GSE regulatory requirements, proactive servicing professionals have been implementing a wide range of improved processes and technologies intended to make every aspect of default processing more efficient, transparent and audit-friendly. From sophisticated new systems and software to comprehensive disaster recovery and business continuity policies and procedures, the improvements have been noteworthy.

The not-so-good news is that some have, by necessity, made investments that surpass the existing fee structure, and in some cases may even be upside down. While vendors are making investments in compliance, they are not being reimbursed for these non-revenue generating investments. They are considered costs of doing business but are anything but routine or normal for traditional law firms.

With regard to vendor selection and oversight, some servicers have been handling it largely in-house, with increased involvement from global supply chain management that has brought a level of sophistication, uniformity and consistency to the vendor selection process. Others have called upon third-party auditing specialists that have also been very effective. For those servicing professionals that have committed themselves to the process, the results are still unclear. While the majority who have received qualification questionnaires and submitted to audits have thus far exceeded expectations and passed initial reviews with flying colors, the big question remains unanswered: are more referrals being generated, or is this simply a case of maintaining the workflow status quo?

A troubling contradiction

Establishing and maintaining these audit and oversight programs and processes requires a significant commitment in dollars, personnel, time and resources. Additionally, we have not yet seen any real movement on the servicer side in terms of moving toward a universal audit. As a result, we are no closer to a much-needed unification/simplification of the process, like SAS 70. In cases where third-party vendors have made strong contributions to audits and compliance, servicers’ commitment to those products and services remains an open question and a legitimate concern going forward.

The main issue confronting the industry is not so much the run-up to June 1st, but the continuation of effective auditing, monitoring and oversight on an ongoing basis. That is where the difficulty of reconciling the desire for less file concentration with any given firm with increased oversight, standards, and costs will likely present operational and financial challenges. The portion of the new Freddie Mac servicer guidelines entitled “Diversification of referrals” provides a good general sense of the diversification mandates written into the new GSE regulations. The relevant passage reads as follows:

The Servicer must diversify its referrals of Freddie Mac Default Legal Matters to an appropriate number of firms in each State to protect the interests of Freddie Mac and to mitigate the risks related to a high concentration of Freddie Mac files.

Even beyond the vague notion of what constitutes an “appropriate” number of firms, the primary concern here is that this codifies two conflicting priorities: less concentration, but with more intense auditing. The fact that the GSEs mandate identifying and vetting more firms arguably creates more risk: using more firms without robust oversight mechanisms in place is almost certainly riskier than relying on a solid core of a few trusted and well-vetted firms.

A streamlined solution

Fundamentally, the unavoidable conclusion is that best risk avoidance strategy is to rely upon a defined number of trusted firms and to audit them thoroughly and monitor them conscientiously.

Remember that every single file represents a compliance risk. Whether you are dealing with a firm who handles one file per month or a firm who handles 100 files per month, the risk is the same. Fundamentally, the central issue is not quantity or concentration—it is effective risk mitigation. It is simply not feasible to maintain the same level of quality control and oversight when work is spread out; it is much easier—not to mention more efficient and effective—to keep a watchful eye on a core group of professional partners.

Going forward, the way servicers can protect themselves is to select vendors properly, not to spread files around to a vague and arbitrarily designated number of firms. Fewer firms audited well create less risk for the entire chain, and is a model for effective and sustainable servicing oversight.