Third-party vendor management compliance practices simply cannot fall short of CFPB expectations. Third-party vendors used to be satisfactory if they met performance and budget targets. This changed years ago with regulatory guidance that mandated that lenders should manage third-party vendors as internal operations. This includes regulatory oversight as well as performance.
As lenders, you are on the hook for any errors or harm to consumers created by your vendors. The only way to reduce this risk is to have an active and operating vendor management program.
Your third-party vendor management compliance program needs to ensure ongoing adherence to applicable federal and state laws and must protect consumer interests. Remember that both you and your vendor have one main common interest: your customer.
A comprehensive third-party vendor management program consists of several key components. When you implement and maintain a program with the four elements listed below, you’ll reduce third-party risk from initial vendor selection to ongoing oversight.
Regulators have defined different types of third-party risk. These are Strategic, Compliance, Reputation, Operational, Transaction, and Credit risk. Basically, you need a risk evaluation process to ensure that the proposed relationship type is consistent with your strategic planning and overall business strategy.
The Risk Assessment also allows you to demonstrate your internal knowledge of the practices and controls required to manage the proposed type of third-party vendor. Additionally, it ensures an understanding of the risks and rewards of using this type of third-party vendor and should drive the level of Due Diligence resources required along with the Minimum Standards Document.
A robust scorecard-driven due diligence process includes examination of all information available by a centralized team (e.g., Legal, Compliance, Vendor Management, Risk, etc.). It also includes support from key business line stakeholders. Due Diligence includes analysis of the following:
Establish standard contract materials for consistent handling and expectations for vendors and service providers. Include master service agreements (MSA) and/or statement of work (SOW) templates to provide clear expectations and responsibilities for each service provider.
Elements in MSAs or SOWs:
Also, incorporating specific service level agreements based on the vendor type allows for enforceable consequences including compliance and/or performance-based termination. Contract terms should be primarily standardized across business lines in the MSA with room for flexibility and more specific details in the SOW.
Comprehensive monitoring within your third-party vendor management compliance program ensures adherence to regulatory compliance and customer experience standards. Make sure to perform quarterly reviews with a scorecard that is risk-based. Programs include frequent account reconciliations, targeted transaction testing, and process reviews for identification of issues and assignment of action plans as needed.
Use recertification processes to ensure that active vendors continue to meet defined standards. Define enforceable consequences, including a termination protocol, for applicable situations.
Implementing a vendor management program with the key components outlined above can be challenging. Lenders can miss opportunities to protect themselves, their vendors and their customers. When you follow these best practices, you will mitigate your risk.
Lenders must manage third-party vendors to a defined set of criteria and ratings. Not doing this results in inconsistent treatment of vendors and unnecessary risk. Establish the criteria and review with each vendor so that each is aware of how they are being rated. Your goal: no surprises or claims of biased treatment.
Vendors must be an extension of you. So, expectations for vendors should be the same as internal teams. Vendors should prove they are complying, just like your internal teams do. As the lender, it’s your responsibility to prove third-party vendor compliance with regulatory requirements. You should do this through reporting, account reviews, and/or review of controls and results.
Vendors must send all applicable complaints from your customers they are servicing. During vendor oversight routines, you should confirm proper tracking and make sure that all complaints are sent to you for review. That way, tracking complaint volume and benchmarking it against other vendors you use provides a natural “Champion / Challenger” insight. Consequently, this will show the volume of complaints from vendor to vendor. Plus, you’ll notice if you aren’t receiving all complaints.
Expectations have changed a lot over the last five years. So, lenders should review any processes that are still in place from before that time to make sure that they’re compliant and performing as expected. Some processes may still be valid and aligned to current requirements. Invalid processes need updating.
Where possible, having more than one third-party vendor supporting your work is good if the right measurements of success are in place. Vendors will compete to make sure they are staying at the top and limit the risk of losing business. Make sure there’s a proper blend of quality, performance and control metrics in place. Not having the proper balance could reward the wrong behavior.
Document, Document, Document. It’s critical to be able to show evidence of oversight completion and trending of results. This gives lenders insight into potential risk and enables action earlier. Most importantly, it provides regulators with the transparency they are looking for when you use vendors for a service.
If you’ve loosened vender requirements, or haven’t looked at your vendor management processes recently, you could be failing to protect yourself—and your customers—from risk.
Make sure you’re following the four key areas of a vendor management program outlined above. And consider our best practices because we’ve seen them result in successful partnerships.
If you don’t know if you have a strict program in place, contact us for an evaluation. Then, we’ll provide you with an assessment, a gap analysis and a prioritized road map to get you on the right track.