Who's Your Vendor? Secondary Market Compliance and Title Agent Vendor Management
2015 LBA Bank Counsel Conference
Marx Sterbcow, Managing Attorney, Sterbcow Law Group

The Bureau's Scrutiny of Vendor Management
"Vendor Management is not new. It is straightforward, not complicated and fundamental, so do it. Don't ignore this. It isn't going away."
Calvin Hagins, CFPB Program Manager, at the MBA Regulatory Compliance Conference, May 2014
WHO ARE SECONDARY MARKET INVESTORS?
- Pension Funds
- Hedge Funds
- Governments
- Financial institutions that extend credit to other banks
- Banks that purchase Residential Mortgage Backed Securities (RMBS) from other Banks/Lenders

DON'T BLAME YOUR LENDER/BANK
- Lenders follow the Secondary Market Investors' requirements
- He who holds the money makes the rules
- Regulations caused investors to push new restrictions
- Restoring Secondary Market Investor confidence led to new regulations
Why does the Secondary Market Care?
- Secondary Market purchases pools of RMBS
- Investors in Mortgage Backed Securities are now liable for all aspects of the origination
- Shielding liability through assignments is dead
- Secondary Market wants defect-free originated mortgages

Why does the Secondary Market Care?
- They purchase RMBS to make money, not lose it
- Any mortgage defect can lower the value of their security!
- An illegal kickback arrangement between settlement service providers in the origination can spoil the entire pool of RMBS
- Avoid the "Scratch and Dent" Sale
Who is the Secondary Market Scared of?
- YOU!
- Your Vendors
- Your Vendors' Vendors
- Audit, monitor, and oversee all of your Vendors
- The bigger you are, the more compliant you need to be!
- The bigger your vendor is, the more scrutiny you need to impose

Who are 3rd and 4th party vendors?
- Technology services
- Audit / Loan Review
- Mortgage Brokers
- Outside Legal Counsel
- Website hosting providers
- Marketing Companies
- Title Agents
- Title Underwriters
- Real Estate Brokers
- Real Estate Agents
- Abstractors
- Escrow Companies
- Notaries
- Banks (i.e. your accounts)
- Cleaning Companies
So Who Cares?
- The CFPB, OCC, FFIEC and FDIC expect supervised banks and non-banks to have an effective process for managing the risks of service provider relationships.
- The regulators will apply these expectations consistently, regardless of whether it is the supervised bank or the non-bank that has the direct relationship.

So What Gives Them Heartburn?
- Inadequate due diligence
- Inadequate risk assessment
- Underestimating costs
- Inadequate oversight and risk management
- Flawed contracts
- Lack of contingency or termination plans
- Illegal marketing and advertising practices
SUMMARY OF FEDERAL LAWS AND REGULATIONS IMPOSING LIABILITY ON LENDERS FOR ACTS OF THIRD PARTY SERVICE PROVIDERS
- 2010 Wall Street Reform and Consumer Protection Act
- OCC, FDIC, NCUA, Federal Reserve, FFIEC, FTC
- Gramm Leach Bliley Act
- Consumer Financial Protection Bureau (CFPB)
- CFPB's eight rules and their effective dates
- CFPB Bulletin 2012-03 regarding due diligence
- Lender due diligence expectations
- ALTA best practices, self-assessment guides and certification

CFPB BULLETIN 2012-03 - APRIL 13, 2012
Provides that lenders may be held legally responsible for the actions or inactions of their service providers where consumers are harmed as a result of the service provider failing to comply with consumer financial law. To limit the potential for such responsibility, lenders should take steps to ensure no unwarranted risks are posed to consumers by their service providers.

THE FIVE STEPS
1. Conducting thorough due diligence to verify that the service provider understands and is capable of complying with federal consumer financial law;
2. Requesting and reviewing the service provider's policies, procedures, internal controls, and training manuals to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities;
3. Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
4. Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with federal consumer financial law;
5. Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.
Key Compliance Recommendations
SSAE 16 (SOC 1) Type 2 Certification
- Verifies that a service organization has been through an in-depth audit of its internal controls for financial reporting.
- Assesses controls at service organizations that are relevant to user entities' internal control over financial reporting.
- Snapshot as of a specific date.
SSAE 16 (SOC 2) Type 2 Certification
- Verifies that a service organization has passed an in-depth audit of its security, availability, processing integrity, confidentiality, and privacy.
- Covers a period of time.

Key Compliance Recommendations
ISO 270002 Certification
- Verifies that a service organization has been through an extremely in-depth audit of its internal information security controls for financial.
ALTA Best Practices 2.0 (CPA Certification)
- Verifies that a service organization has passed the 7 basic guidelines for sound business practices.
NOT ALL CERTIFICATIONS ARE CREATED EQUALLY!!!

THE TIER SYSTEM EXPLAINED
- TIER 1 VENDOR: presents the highest level of soundness, security, and safety to the financial institution. Unlimited number of transactions.
- TIER 2 VENDOR: presents a moderate level of soundness, security, and safety. Limited number of transactions.
- TIER 3 VENDOR: presents a low level of soundness, security, and safety. Capped at a very small number of transactions or eliminated completely.
MORE LENDER DUE DILIGENCE OF VENDORS
- Lender Audits
- On-site Visits: Trust, but verify
- Facilities, Data Security, Employee Interviews
- Internal and External Process Reviews & Audits
- Information Technology: Administrative, Technical & Physical Safeguards
- Technology Service Providers Audits
- Service Organization Control (SOC) Reports
- Master Service Agreements
- General Closing Instructions
- Performance and Metrics Evaluations
- Corporate Policies and Procedures
- State and Federal Rules and Regulations
- Consumer Financial Law
- Information Security Audits

SOUND VENDOR MANAGEMENT PRACTICES
- Sourcing, Evaluating, Qualifying and Selection
- Use of non-disclosure agreements (NDAs)
- Due diligence considerations
- Defining roles and responsibilities
- Process mapping
- Reference checks: existing customers and trade references
- Other sources for vendor information, e.g. Google, Yelp, BBB
- Service Level Agreements (SLAs)
- Training: Vendors' transfer of knowledge
- Scorecards
- Consumer Complaint Resolution System
What's A Settlement Agent To Do?
- Who are their 3rd party providers?
- GLBA Privacy Procedures: do they need to provide a Privacy Notice? Do you have a copy of it?
- What are their Information Security Procedures? Do you have a copy of those written procedures?

Insurance and Fidelity
- What is the nature of their requirements at law as to liability and E&O insurance? Do they meet them?
- Even if there is no legal requirement as to insurance or bonds, what do you need to assure your security and that of your customers and their customers?

Insurance and Fidelity
- Maintain copies of all insurance, fidelity and surety requirements. Be sure they are current.
- Are the dollar amounts of coverage sufficient?
- Does the insurance include coverage for NPI breaches? Employee theft of NPI?
- Are you named as an insured?
- Reputational Risk Policy?
- Social Engineering Policy?
Financial Resources
- Gather financial statements annually for privately held 4th party vendors. If not available, obtain FCRA disclosures to run credit.
- Does your 4th party provider run FCRAs on their employees?
- Does your 4th party provider run criminal & civil litigation background checks regularly?

References and licenses
- When considering a new 4th party vendor, get references from existing customers, including bank references.
- Maintain copies of all required licenses and be sure they are current.
- Always review 3rd, 4th, & 5th party websites & Facebook pages for RESPA, UDAAP, and Fair Lending issues.

Social Media Policy
- What is the social media policy of your 4th party vendor?
- Do they monitor the social media use of their staff?
- Limit or control any use of referring to you in any advertising or social media.
- Be aware of regulatory social media compliance such as that of the FFIEC, and be sure your 4th party vendors are aware of it.

Social Media Policy
- Do they utilize social media management scanning tools?
- Does the 4th party have outside legal counsel review their online advertising and marketing?
- Prohibit pictures and names of consumers from being displayed online.
Disaster Recovery Policy
- What is their Disaster Recovery Policy? Are they truly capable of following it?
- Maintain current copies of their policy.
- How does their Disaster Recovery Policy integrate with yours?
- Can there be mutual assistance in case of a disaster?

Data Security
- To what NPI do your counter party providers have access? Is it required, or can it be limited?
- Does the counter party provider have encrypted e-mail if the nature of their services requires it?
- What is their password policy for employees?
- Do they have an SSAE SOC 1 or 2 Certification or a PCI Certification?

Office Security
- What is the 4th party's clean desk policy?
- Are devices password protected, and are they locked down at night?
- Do they maintain your data on their servers, and what is the security of those servers?
- What do they do with old hard drives from computers and copiers?

More office security
- How are paper files secured that leave your office?
- What is the security policy as to those files by your counter party provider?
- Do your counter party providers have secure office entry points?

Premises Security
- Can you see through windows? Are windows blacked out on the 1st floor? Is privacy glass incorporated into the office?
- Do they have security cameras inside & outside of their operation?
- Are FOBs/Card scanners/ID Badges used?
- Is a visitor management system in place?
Notary Policy
- Notaries should be part of, and signatories to, your office Anti-Fraud Policy.
- Notaries should be required to maintain journals for every act performed on your behalf. Each document should be listed separately in the journal.
- Maintain copies of current licenses, required bonds and insurance.
- Have written copies of the notaries' policies as to security of stamps and seals.

Hire A Vendor Manager
- Designate a Vendor Manager who is responsible for the maintenance and retention of all written counter party provider policies, as well as all reports, journals and other documents.
- They should have clear written directions of their responsibilities.

Uncle Sam wants you!
- Your Bank customers are required to have a full understanding of, and supporting documentation for, your 3rd-4th party provider policies.
- The liabilities lie not just with regulators but with investors and seekers of private causes of action.

Get Stronger Not Weaker
- Vendor requirements will get more complex.
- The Secondary Market is forcing lenders to focus on compliance as the primary relationship driver.
- Aspire to be a Tier 1 Vendor, not a Tier 2 or 3.
- Gain weight on the Bank's compliance scale.
QUESTIONS
Marx Sterbcow, JD, LLM
Sterbcow Law Group
marx@sterbcowlaw.com
Website: www.respaattorneys.com
RESPA Blog: www.respalawyer.com