We try to handle repo agents similarly to how we handle appraisers. If they are independent and contract with us directly, we capture them as vendors but with limited due diligence requirements. If they come through a third party service provider, we capture the third party service provider as the vendor and would consider any contractors that come through that services to be our 4th party service provider.
We found that we were losing some of the operational efficiencies we had hoped to gained in moving to a third party provider if we also tracked and risk reviewed any contractors that come through that relationship as vendors. Instead we decided to focus on the third party provider, add extra due diligence to understand their vetting practice and due diligence requirements as well as any QA they might be providing. We also ask the business unit to audit the reports and work that some through the 3rd party service provider periodically for independent QA.
In addition, working with our workout team we developed an exclusion to TPRM policy as follows:
- Services contracted with or through a law enforcement agency (local, state or federal) such as US Marshalls or Sheriff's Department are excluded from the vendor management procedures. Examples of contracted services might include, but are not limited to, serving and enforcing court orders or repossessing collateral.
Thanks,
Shelly
------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------
Original Message:
Sent: 11-02-2021 04:08 PM
From: Melissa Madigan
Subject: Repossession Agents
Our collections department has a few one-off vendors that they utilize as repo agents that have not been vetted through our vendor management office. The department's focus is getting the collateral back, not getting the agent to sign documentation or provide proof of security measures. We do have a contract & have vetted the due diligence documentation of the software database in which all the repo information goes into & is then sent to the repo agent. The software company (in this case Recovery Database Network) has security measures that they require of all the agents that use the site. The vendor owner feels that the security measures required by the software database should meet the requirements and we should not need to have individual contracts and vendor vetting for each repo agent that might be used.
How are other institutions handling repo agents in their vendor management programs?
Thank you