Magazine article Mortgage Banking

Yes! That Is a Third Party-Now What?

Magazine article Mortgage Banking

Yes! That Is a Third Party-Now What?

Article excerpt

MORTGAGE LENDERS AND SERVICERS USE A LOT OF THIRD PARTIES to run their business. Just how many has become increasingly evident in recent times--and critical to regulatory compliance. The Consumer Financial Protection Bureau (CFPB), Office of the Comptroller of the Currency (OCC) and Federal Reserve have all ratcheted up expectations for third-party risk management since 2012.

Essentially, banks are now required to use a risk-based approach to managing third parties and, notably, retain the risk related to any outsourced product or service. Things have been further complicated by this year's Truth in Lending Act (TILA)-Real Estate Settlement Procedures Act (RESPA) Integrated Disclosure (TRID) requirements, which could involve title agencies and other third parties.

From internal affiliates to mom-and-pop collection outfits to behemoth international conglomerates--all are third parties. The total count can seem overwhelming, and so can the compliance obligations.

Before launching into an overly burdensome process--one that could conceivably escalate to panic levels--it would be wise to create a strategy and roadmap to keep from overreacting, while still keeping in compliance. The following 10 do's and don'ts should be considered in the development of any sound third-party risk management program.

Do: Have an inclusive definition of third parties and cast a broad net.

The regulatory definitions are very general. But while it may be tempting to shorten the list of third parties by having a very specific definition, this approach would most likely backfire under regulatory scrutiny.

Do: Have a process to keep your inventory of third parties up-to-date.

The initial data-gathering phase can be very time-consuming, involving line-of-business surveys, reviews of contract databases, audits of accounts-payable systems and other steps. Undoubtedly, the day after all that data is gathered and an initial list is compiled, it will become outdated. Third parties are constantly being on-boarded and terminated--and having their services expanded or reduced. Without a sustainable process, the program will soon become invalid.

Do: Have an experienced professional take a first cut at reviewing the inventory of third parties by category to quickly prioritize which groups to evaluate in what order.

A qualified individual can identify which product and service types are on the higher end of the risk spectrum. The roadmap should start with these. While other important and high-risk concerns could emerge in other categories, a quick triage will keep scarce resources focused on the most important categories. This approach also aligns with the risk-based approach regulators expect.

Do: Create a simple and consistent, yet effective, risk assessment to determine the baseline level of risk related to any third party.

Typical questions center on data protection, compliance with laws and regulations, performance of critical activities and customer interaction. The fewer the questions, the better. An objective method to rate risk based on the responses is highly recommended.

Do: Use technology to increase the efficiency and consistency of this potentially burdensome activity.

Don't simply automate the current manual process. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.