Third Party Vendor Risk: Not All Vendors are the Same

February 21, 2018

When the CFPB issued Bulletin 2102-3, forever changing the way that banks and lenders nationwide look at third party relationships, they offered only a bare outline of detail regarding what that risk management should include.  The general directive included: risk evaluation, ongoing monitoring, and verification of internal controls. Since then lenders have tended to interpret these requirements in ways that reflect their own risk appetite and compliance culture.  Some seek to merely “check the box,” while others are intent on crossing every “t” and dotting every “i.”

Clearly not all vendors are alike, and while there has not been any written guidance on the matter, comments from the CFPB seem to imply that a company should address the risk of a third party vendor in relation to the level of potential harm they might cause to a consumer.  Therefore it is logical to assume that there is a qualitative measurement of risk that a lender can perform and thereby place third parties in different risk buckets, applying different risk management standards to each bucket in relation to the risk level associated with the activity.  For example a vendor who has no access to a lender’s consumer data and records should obviously be evaluated differently than one who did.

The highest risks are generally third parties who have access to consumer data as well as those who interact directly with consumers in the loan process.  This group should include IT consultants, appraisers, mortgage brokers, and settlement agents, among others.  The lowest risks should include very large, well-capitalized and highly managed entities such as investors, national title underwriters, and large accounting firms.   Space does not permit me to expound further and discuss all the different risk levels and groups however it is worth noting that our research makes it clear to us that settlement agents are the highest risk third party vendor a lender will encounter.  The reasons for this are logical and easy to enumerate.

Settlement professionals, including attorneys, escrow agents, title closers, notaries and others who handle funds disbursement and documents at a closing, have access to more sensitive data and documents than anyone else, while also having access to the mortgage proceeds. This places them in perhaps the most critical, and therefor the highest risk area in the loan process.  The fact that most lenders have fraud technology which helps them identify bad actors and other risk factors at the front end of the manufacturing process (origination, processing and underwriting) and rarely any type of tool at the back end (closing and post-closing) makes the vetting and monitoring of settlement agents perhaps the highest priority for any lender today.

Need more proof?  An independent study conducted by FinCEN, the Financial Crimes Enforcement Network, which is the official repository for industry SARS filings, found that over the past five years escrow and settlement services are the largest and fastest growing areas of mortgage fraud.  Given the fact that the industry has embraced complex and effective front end fraud deterrence and prevention tools for years but is only now beginning to embrace closing and settlement fraud programs, the report is not surprising.  However the good news remains the continued progression towards widespread settlement agent vetting, monitoring and reporting that is currently transforming the settlement industry.  It is weeding out bad actors, encouraging best practices, and providing lenders with critical data to help them make better choices for closing services. Everyone wins in the end: lenders, agents and consumers.




Share this post

Recent Posts

February 9, 2023

Why Compliance And Fraud Prevention Are Critical For Mortgage Lenders Right Now

January 25, 2023

NCUA Releases 2023 Guidelines for Credit Unions on Fraud Prevention, Cybersecurity and Consumer Protection

January 17, 2023

Protect Yourself From Fraud

Leave a Reply

Your email address will not be published. Required fields are marked *

                          Privacy Policy