Due Diligence and Ongoing Monitoring

  • 1.  Third Party Loan Processing

    Posted 02-19-2021 09:52 AM
    I'm interested in seeing what type of due diligence and monitoring other banks do for third party residential loan processing.


  • 2.  RE: Third Party Loan Processing

    Posted 02-19-2021 12:09 PM
    Are you referencing the HMDA evaluation, meaning you outsource someone to perform the HMDA reviews for you, OR, is this about evaluating the vendors that perform home assessments/inspections?

  • 3.  RE: Third Party Loan Processing

    Posted 02-19-2021 12:34 PM
    We contract with loan processors to process mortgage loans including preparing the documents, ordering appraisals and title work, and submitting the loan packet to a secondary market lender. I'm looking for the initial and ongoing due diligence to be done on the loan processor since this person is a vendor and not an employee.

  • 4.  RE: Third Party Loan Processing

    Posted 02-19-2021 01:10 PM
    Thanks for the clarification.  I would think you would conduct your regular vendor risk assessment just as you would any other vendor.   I would say this would be your "initial" due diligence and I would go even further and say this vendor should certainly come out as a key vendor and depending on what you use as part of your evaluation I would think they would show up as a High risk vendor, simply due to how much regulatory scrutiny is behind this (HMDA).   In short, your company is taking on a lot of risk outsourcing this work.  Considering this, you'll want to take a close look at the contract where it deals with what happens if the regulatory body comes after you for poor LAR submissions. 

    Now to the other aspect you are inquiring about. Ongoing due diligence. In my opinion this is really outside of vendor management and more in line with an internal audit function. Although they are a vendor, I would treat them as an extension of your company/team and thereby should be internally audited. Okay, maybe you do, or maybe you don't have an internal audit function, but the point is, someone (an actual employee) should be conducting a 'sampling' test of how this vendor performs. Which would entail pulling a certain percentage of loans they processed and validating their work is spot on. Any errors are brought to their attention for remediation and would also indicate that a larger sampling would be needed. I assume the contract has sound SLAs in place which can be leveraged. I'm guessing you may be asking, how large of a sample size should you take. Not knowing your volume, I would probably start at 25% to see how it goes. IF they are all clean for a few cycles, then you can probably back off on the sample size. My experience is, you'll have no shortage of errors. Processing loans and meeting all 110 HMDA points is challenging. Then you have all the other stuff on top of that, flood zones, assessments and the like.

    Hope this helps.

  • 5.  RE: Third Party Loan Processing

    Posted 02-19-2021 02:18 PM
    Thank you Carl. That's a lot of good information. I'll try incorporating your ideas into our processes.

  • 6.  RE: Third Party Loan Processing

    This message was posted by a user wishing to remain anonymous
    Posted 02-19-2021 02:23 PM
    Are you having these 3rd party vendors perform the HMDA evaluations?   Or are you referring to items such as the assessors?

  • 7.  RE: Third Party Loan Processing

    Posted 02-19-2021 04:04 PM
    The loan processors are contracted to perform the processing on our secondary market loans. We don't have in-house loan processors for our secondary market loans. I was wondering how other banks handle this type of vendor.

  • 8.  RE: Third Party Loan Processing

    Posted 29 days ago
    Hi Ashley,
    On a per loan processor basis, do you collect proof of cybersecurity, phishing and other types of awareness training for each loan processor on an annual basis as part of your due diligence?  

    I realize this is an older question, but I have found the definition of "third party" vendor management is evolving at the state level during examinations and see multiple states, including NY (NY DFS), expanding the due diligence required to the individuals at the vendor that come in contact (i.e., processing) with the nonpublic information.

    For instance, if your firm uses a known third party for cybersecurity training, phishing awareness, HIPAA training (not related to mortgages, but affects other financial services firms like insurance) that provides certifications for your employees, this can help when loan processors act independently and don't provide you with evidence of a bona fide cybersecurity program and training certifications.

    For instance, you can see if your training vendor can give you an option to have your external loan processors take that course and provide you with the certification after completing annual training. Companies like KnowBe4 and others have programs where you can arrange to have a third party participant complete and submit cybersecurity training certification PRIOR to access to your nonpublic information and information systems to protect the consumer information's integrity, confidentiality, privacy, security, etc.

    In a related area, as an example, I know it is a common practice for anti-harassment training -- if someone misses a company training window, they are required to complete online training at New York City's site (https://www1.nyc.gov/site/cchr/law/sexual-harassment-training.page) or similar venues.

    Best regards (Happy New Year)