Due Diligence and Ongoing Monitoring

  • 1.  Appraisal Management Companies (AMC's)

    This message was posted by a user wishing to remain anonymous
    Posted 06-02-2021 11:36 AM

    Hello, 

    I am hoping to hear from my fellow Credit Unions (those in the $1B+ asset size) on my question below. 

    We are a credit union using AMCs that manage relationships with smaller appraisers for us. We have about 4 AMCs who in turn are managing many, many smaller appraisers. We would like to hear from someone else in our industry, of a similar asset size, what kind of due diligence they are performing on their AMCs.

    Please include your industry and approximate size for our reference if possible.

    Thank you!


  • 2.  RE: Appraisal Management Companies (AMC's)

    Posted 06-08-2021 10:47 AM

    Hi there

    While I cannot speak for those at Credit Unions, I can provide some advice about your question.

    The NCUA guidance is somewhat dated, but in general, it resembles that of other regulatory bodies such as the FDIC. Here are the baseline recommendations for due diligence for your AMCs:

    Company Information

    • Background check on principals
    • Company structure
    • Affiliates
    • Reputation check
    • Sanction check
    • References from another CU
    • Market position

    Legal and Compliance

    • Policies and procedures demonstrate a solid knowledge of laws and regulations and evidence that their employees are trained accordingly.
    • Policies and procedures related to third-party risk management
    • Litigation review for the past 5 years, including judgments and any current and pending litigation
    • Appropriate licensing
    • Complaints management and inventory

    Financial

    • Audited financials
    • Financial health
    • Sources of income
    • Accounting methodologies and practices

    Information Security and Privacy

    • Independent Third-Party Audits (SOC 2 Type 2)
    • Data protection (in motion or at rest)
    • PCI certification
    • Vulnerability testing
    • Storage method (server, cloud)
    • Data retention practices
    • Application Recovery Point Objectives/Recovery Time Objectives Assessment
    • How data is used (accessed, processed, transmitted, stored)
    • Data backup
    • Encryption

    While that list is not exhaustive, it is an excellent place to start. I hope that this is helpful. I would love to hear from our Credit Union members to see what else they would include.