You can be a rock star when it comes to making sure your company’s internal operations are compliant with every regulation from the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau. You can make smart investments in training and technology to ensure that your employees are informed and careful and their actions are compliant and auditable. You can do all of these things and more to create a thriving lending or servicing business, and still get tripped up by your third-party vendors. For many companies doing everything else right, these third-party relationships represent their greatest risk.
Regulators have been warning lenders and servicers to pay attention to vendor relationships for years.
An American Bankers Association article from 2013 stated: “Most importantly, the use of vendors does not shield financial institutions from responsibility for vendors’ actions. To the contrary, financial institutions are solely responsible to regulators for vendors’ actions to the same extent as if the actions were taken by the institutions themselves…vendor-related enforcement actions serve as a warning that the CFPB is vigilant in its investigation of vendors for compliance with federal and state consumer financial laws and is ready and willing to hold financial institutions accountable for improper actions by themselves or their vendors.”
In 2014, the Comptroller of the Currency, Thomas Curry, outlined the extent of the problem of overseeing third-party vendors in a speech to the Independent Community Bankers of America: “You have to assess not only the vendor; you may also have to assess the vendor’s relationships. Some of these third parties have connections to other institutions and servicers.
“Each new relationship and connection provides potential access points to all of the connected networks, thereby introducing more complexity as well as new and different weaknesses into the system,” Curry said.
And in 2015, CFPB Director Richard Cordray addressed the topic in the context of TRID compliance at the Mortgage Bankers Association’s annual conference. Third-party vendors who delivered late TILA-RESPA Integrated Disclosure solutions found themselves in the bureau’s crosshairs.
“Quite frankly, I have been disturbed by reports I have been hearing about the vendors on whom so many of you rely,” Cordray told the MBA crowd.
“It may well be that all of the financial regulators, including the Consumer Bureau, need to devote greater attention to the unsatisfactory performance of these vendors and how they are affecting the financial marketplace,” Cordray said.
Unfortunately, examining third parties and their shortcomings leads regulators straight back to the lenders and servicers who are supposed to be managing them. And with the financial penalties for third-party violations so significant, that’s the last thing lenders and servicers need.
Consider these examples outlined in a report by Baker Tilly:
- A major bank used a vendor to offer identity protection products to customers, and that vendor was found to have violated CFPB and FTC acts. The bank entered a consent order that included improved oversight of its vendors, as well as $618 million in restitution and $80 million in civil penalties.
- Another financial institution outsourced its telemarketing, and violations by its vendor cost the bank restitution and $14 million in civil penalties.
- A credit card company used two vendors who were found to have violated several acts in separate incidents, costing the company $144.5 million in restitution and $43.7 million in civil penalties.
What areas of third-party management should you be most concerned about? Judging by recent regulator action, there are two trouble spots every financial institution should be concentrating on.
#1 CYBERSECURITY
A panel at the MBA’s mortgage servicing conference in February examined the data security threats servicers need to address, and one glaring area of weakness was the way third-party vendor relationships expose them to security breaches. The panel was quick to identify one of the most active regulators in this regard: the New York Department of Financial Services.
“We talk to regulators every day and they have made very clear that they are looking at the security of these vendors,” said Richard Hill, vice president of industry technology at the MBA and moderator of the panel.
Indeed, the NYDFS caused ripples of anxiety last April when it made it known that one in three banks don’t even require their vendors to notify them of data security breaches, opening a potential “back door” into the banks’ systems. The report revealed the truth about what has been keeping executives up at night for years — many lenders have no effective system in place to monitor their vendors’ cybersecurity, nor any idea how to even start.
The panel’s discussion acknowledged the complexity of monitoring vendors at such a micro level when many servicers (and one assumes, lenders) have multiple vendors covering various systems. Even those who are being proactive with new vendors going forward still have to contend with a host of legacy vendors that are connected to their systems through various channels.
Reacting to the number of financial institutions that didn’t have an effective security strategy, the NYDFS issued a proposal in November 2015 that outlines steps for a rigorous cybersecurity framework. From that proposal:
“A company may have the most sophisticated cyber security protections in the industry, but if its third-party service providers have weak systems or controls, those protections will be ineffective… There is a demonstrated need for robust regulatory action in the cyber security space, and the department is now considering a new cyber security regulation for financial institutions.”
The NYDFS issued a set of guidelines that clearly lay the foundation for future cybersecurity regulation, including a requirement to develop policies and procedures that address vendor and third-party management. Within that area, the NYDFS outlines six specifics:
(1) the use of multi-factor authentication to limit access to sensitive data and systems;
(2) the use of encryption to protect sensitive data in transit and at rest;
(3) notice to be provided in the event of a cyber security incident;
(4) the indemnification of the entity in the event of a cyber security incident that results in loss;
(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and
(6) representations and warranties by the third-party vendors concerning information security.
The guidelines also call for every financial company to designate a chief information security officer who would be required to submit annual reports to the NYDFS, and for companies to conduct annual penetration testing and quarterly vulnerability assessments.
These far-reaching recommendations won’t be easy, or inexpensive, to implement. But the alternative could be much worse. Even one cybersecurity breach could be catastrophic, not to mention the fines and penalties the regulators would add to the mix. Recognizing how seriously regulators are looking at cybersecurity, lenders and servicers need to move compliance in this area to the top of the list.
#2 MARKETING AND SOCIAL MEDIA
The risk of getting into trouble from your third-party vendors’ marketing and social media efforts has never been higher. The CFPB targeted marketing services agreements in 2015 and many big lenders decided to discontinue using MSAs as a result.
In July, Wells Fargo and Prospect Mortgage each announced decisions to discontinue MSAs.
Both pointed to recent interpretations of Real Estate Settlement Procedures Act requirements, with Prospect saying they introduce substantial uncertainty to the rules and requirements applicable to MSAs, and Wells Fargo explaining that the decision was the result of “increasing uncertainty surrounding regulatory oversight of these types of arrangements.”
Recently, the CFPB signaled that it is going to look even closer at MSAs.
In October 2015, the CFPB issued a compliance bulletin on MSAs, telling the mortgage industry that it had “grave concerns” about potential violations of RESPA presented by MSAs. It was the second such warning issued by the CFPB in the span of a few months.
After Wells Fargo and Prospect made their announcements, Samuel Gilford, spokesman for the CFPB, told HousingWire that Wells Fargo’s exit from MSAs was an “important step” toward ensuring compliance with RESPA, adding that the CFPB is “concerned” about the legal risk that MSAs carry for the industry.
Cordray later echoed those statements.
“We are deeply concerned about how marketing services agreements are undermining important consumer protections against kickbacks,” Cordray said. “Companies do not seem to be recognizing the extent of the risks posed by implementing and monitoring these agreements within the bounds of the law.”
Following the release of the CFPB’s bulletin, the MBA warned its members to take the CFPB’s bulletin seriously.
In a note sent to its members, the MBA said that it views the CFPB’s latest guidance on MSAs to be a “strong warning” that the industry needs to reconsider its usage of MSAs because the CFPB is closely monitoring the agreements.
“Coming as it does after enforcement and other actions by the CFPB on marketing services agreements, MBA believes that the (CFPB’s) bulletin is short on actual guidance, and can only be interpreted as a series of warnings to lenders against MSAs,” the MBA said.
“The bulletin is clearly directed to mortgage lenders and warns of RESPA liability for involvement in MSAs,” the MBA said. “The bulletin and the press release accompanying it are replete with warnings.”
But it’s not just MSAs that can cause financial institutions trouble. The very nature of social media makes it hard for banks and others to implement policies around its various forms.
Steve Culp, senior managing director at Accenture Finance and Risk Services, outlined the problem in a white paper on managing social media risk and compliance.
“At issue here is the fact that traditional risk management policies and procedures were not designed for, quite literally, minute-by-minute monitoring of social media chatter to identify brand, strategy, compliance, legal and market risks,” Culp wrote.
And regulators have been increasingly concerned about these risks. The Federal Financial Institutions Examination Council, which represents the examination arm of the primary federal bank regulators, put out final guidance in 2014 on social media risk in three areas: compliance and legal risk, operational risk and reputation risk.
Andrea Lee Negroni, a regulatory attorney of counsel with BuckleySandler, summarized the regulatory stance on social media in a presentation to the MBA of Central Florida in 2014.
“The FFIEC expects every financial institution to create a risk management program that assesses and manages social media risks,” Negroni said. “These programs should include a clearly defined governance structure and provide for ongoing risk assessment. The programs should also include a due diligence process for selecting and managing third-party providers.”
Negroni said a social media risk management program should include:
- Employee training
- Social media monitoring
- Audit and compliance functions
- Parameters for evaluating achievement of objectives
These issues represent a virtual minefield for financial institutions. Some are addressing the risk through in-house employees, while others are outsourcing these functions, adding another layer of vendors and, possibly, risk. Unfortunately, either way the stakes for lenders and servicers are high.
“Unlike other retail businesses, banks confront mountains of compliance responsibilities and report to multiple regulators. They are justifiably concerned about how, whether and when to adapt their compliance efforts to an emerging medium whose future is unknown,” Negroni said.
“The FFIEC’s social media guidance is the tip of the regulatory iceberg. For the moment, banks are advised to follow existing transaction disclosure laws for communications on social media. But there are gaps in the guidance.”
The biggest risk when it comes to social media is also the hardest one to manage: the human element. As the Accenture white paper puts it, “One of the critical points to remember about risk management is that, in spite of the importance of governance, processes and technologies, much of risk management is still dependent on people, and therefore people’s behaviors must be managed.”