Whether you are a mortgage lender or a third-party software or technology vendor who provides services to banks or nonbanks, there is no hiding from the federal government when it comes to the ever-increasing lending regulations.
When Consumer Financial Protection Bureau Director Richard Cordray spoke at Mortgage Bankers Association’s Annual Convention last October, he addressed the important role third-party vendors play in the mortgage lending industry. But he warned that both bank and nonbank lenders can be held accountable if they violate the law because of mistakes or compliance failures of their vendors.
Referencing to the rollout of TILA-RESPA Integrated Disclosures (TRID) rules last fall, Cordray said during the speech: “I have been disturbed by reports I have been hearing about the vendors on whom so many of you rely. Some vendors performed poorly in getting their work done in a timely manner, and they unfairly put many of you on the spot with changes at the last minute or even past the due date. It may well be that all of the financial regulators, including the consumer bureau, need to devote greater attention to the unsatisfactory performance of these vendors and how they are affecting the financial marketplace.”
Knowing your responsibilities
If regulators find fault with a financial institution’s lending practices or that of one of their software or other third-party vendors, the CFPB has many enforcement tools at their disposal, many of which can be punitive, according to Mick Kless, CEO with Compliance Education Institute, an education and training company focused on providing specialized vendor management education and tools to the financial services industry.
“Usually when the CFPB gets involved and you’re talking about lenders and [third-party] vendors, and there’s an enforcement action involved, it usually involves fines,” Kless said.
When third-party vendors make mistakes, from security breaches, to having no disaster recovery plan for lost data, the culpability ultimately falls on the lender, even though both parties share responsibility, according to Kless.
Therefore, Kless said mortgage lenders must be careful to choose vendors capable of supporting their needs, both financially and operationally.
“You don’t want to contract with a vendor and a month later they’re out of business and you now have a business continuity issue where you can’t deliver the services,” Kless said.
From an operational standpoint, third-party vendors need to be able to show that they have “functions and controls in place” to protect the company from major disruptions, and “if there are disruptions that the impact is minimized to the lender or bank and the consumer,” he said.
Ramping up consumer protection
Unfair, Deceptive, or Abusive Acts or Practices is a regulation established by the Dodd-Frank Wall Street Reform and Consumer Protection Act with the primary purpose of protecting consumers from unfair or deceptive business acts or practices. Mortgage lenders and debt collectors who violate these regulations are subject to audits and potential legal penalties. That means banks and nonbanks are not off the hook when they outsource to a third party who acts on their behalf and engage in predatory lending practices, Kless said.
In 2012, for example, under an enforcement action issued by CFPB, Capital One bank was required to pay back roughly $140 million to roughly 2.5 million customers after it was found the lender used a call center vendor that misled consumers, used deceptive practices and omitted disclosure terms. The CFPB exercised its authority under UDAAP.
Protecting your assets
How do lenders know they are working with trained and competent third party software vendors?
To answer that question, banks need to practice “proper due diligence,” Kless said. That includes creating a vetting process that ensures the selection pool has competent vendors who are properly trained and understand lending regulations.
Third-party vendors with previous or pending litigation could raise potential red flags, Kless said. In cases where there’s no hard legal trail to follow, there are other ways to investigate, but it may involve some digging. Public records often can provide answers.
“You will see if there were any complaints by the attorney general, or the Better Business Bureau, so you need to do your research,” he said.
Vendors with few success stories to tout may be another possible indicator their competencies and service delivery aren’t up to par, Kless said.
Kless said financial institutions should ask several questions when choosing third party technology or software vendors, such as: Are you their first client? Does the vendor create multiple layers of security? What steps does the vendor take to protect sensitive data? What kind of encryption protocols are in place to protect the customer? What controls are in place to prevent data breaches?
When shopping around for third party vendors, financial institutions always should conduct a thorough background check and get legal counsel involved early in contract negotiations, Kless said.
Freelance writer Elise Oberliesen contributed to the writing and research of this article.