This is a bit of a lengthy answer. However, I hope it will be helpful. The LSP selection should reflect not only the experience the firm has but also that their culture is compatible with your organization; those steps are usually outside the scope of Third-Party Risk Management. However, full due diligence is required for Lender Service Providers (LSPs).
The security and confidentiality of lender and borrower information are critically important. So as you would for any third-party provider with customer information, you should review their Information Security Program, Information Security Policies, and Business Continuity and Disaster Recovery Plans. Make sure that they have Third-Party Testing including SOC Audit and Network Vulnerability Assessments (with Penetration Testing), and a Regulatory Oversight Plan.
Because Lender Service Providers provide services to insured depository institution clients, they may be subject to oversight under the Bank Service Company Act. For these LSPs, an IT examination is conducted by Federal Banking Regulators following Federal Financial Institutions Examination Council (FFIEC) guidelines.
Review the financial strength of the LSP with a focus on continuity and sustainability. The financial review should include at least the following areas: Profitability – Review the P&L or tax returns of the LSP for the past several years. Insurance Coverage – Review the insurance coverage of the LSP with particular focus on the amount of Professional Liability/E&O insurance and the AM Best rating of the carrier. A well-structured risk management program would require $3.75 million of coverage (equal to the maximum guarantee amount of a standard 7(a) loan) from an "A" rated carrier. Liquidity – Ensure the LSP has adequate liquidity to manage its business properly.
The LSP must have proven and documented processes for all areas of its business. Processes and controls should include the following functions: Strategy, Preapproval, Application Packaging, Loan Closing, Servicing, Documentation. Additionally, each process must include defined and implemented controls that mitigate risk across the entire system to ensure minimal residual risk. The LSP should clearly define expected timelines for each of the functions.
I hope this answer is helpful, but I would love to hear from other members who have any advice.