Due Diligence and Ongoing Monitoring

  • 1.  Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    We have a few vendors, including some of our default legal law firms, who continue to not effectively complete our annual due diligence. We have been seriously discussing our obligations to inform our investors when these deficiencies or non-compliance arise; however, we are concerned about possible retaliation from our vendors resulting in a reduction in their service performance.

    What are others doing in this area?

    Do you report default legal law firms who perform GSE related work but fail to meet servicer selection guidelines to the respective investors?  Any feedback from GSE or Law Firm on this? 

    Do you have any experience with being "forced" to use 3rd parties as a result of an investor requirement, such as a specific overall allowable reporting portal?  We have issues getting effective due diligence as well as User Access management controls which often result in an audit finding. 

    Appreciate any information from others' perspectives on this and how you have handled those hard-to-get due diligence requests.



  • 2.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 20 days ago

    Answer depends upon a series of items not mentioned in the question; will try to address the more common issues.

    Law firms: Typically answer what they answer. They tend to respond with "attorney client privilege doctrine precludes disclosure" and a SIG or equivalent report. That tends to be generally acceptable to all. No way to force them to do otherwise unless Legal supports their termination for failure to comply. (Good luck.)

    Obligations to investors: Are you a public company or a private company? Public company disclosure depends on materiality of the issue; suggest raising with your legal department. Private company disclosure depends upon contractual obligations to your investors. Again, worth a stroll to your legal department.

    Law Firm Meeting Servicer Obligations: Not sure the question is clear enough. A law firm typically doesn't serve as a classic "servicer" of loans (which GSE implies). Servicers collect and track payments. Seems odd to have a law firm undertaking that responsibility. If the law firm is reviewing your company's template loan documents, that review likely must meet GSE requirements, but I'm uncertain how that fits into information security. That particular oversight task should fall to your company's legal department.

    Investor Forced Vendors: The Investors' money; their choices. If your company has accepted their money, and the conditions of its delivery, that result seems inexorable. If issues arise, those issues should be simplified, escalated to the right person with the Investor contact, and things sort out from a business perspective. All you can do is raise the issues with the decision makers.

    Ultimately, it sounds like you're at a small shop that isn't following all the protocols that you would prefer. Seems like you might want to assess your own risks and make your own business decisions.




  • 3.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 16 days ago

    Thank you for taking time to respond.  

    We are a private financial institution; however, we understand our Regulatory/Servicing Guidelines to be clear on how we are to monitor our vendors' performance and, as needed, report accordingly.

    Our concern is regarding any backlash from the vendor should we report them and their non-compliance to our oversight/audit program.  

    Thoughts?

    Do we take the risk to remain compliant ourselves with our regulatory obligations and run the risk of our vendors retaliating and providing us subpar service? Should we take the risk and potentially prepare for a worst-case scenario where they begin performing poorly and we have to terminate? Replacing an operationally significantly impactful vendor can be burdensome and costly.




  • 4.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 16 days ago

    A series of rhetorical questions:

    Which is more costly: Backlash from the vendor or a regulatory event that potentially could become public (or intentionally be made public by the regulatory authority, depending upon their perception of the issue)?

    That said: Are you in position to assess the regulator's perception of your oversight of the vendors? (Reports of their inspections (examinations), their conversations during inspections, etc.) If so, you're also in position to relay those thoughts to the law firms. In this instance, you're a messenger, not the "instigator".

    Which leads to:

    Have you had remedial (friendly) discussions (at any level of pushback) with the "offending" law firms? Meaning: Are they at least aware of your firm's dissatisfaction – and has that been communicated to them by the business people that own that relationship? Have you documented these discussions internally?

    While there are business politics to delivering these messages (professional, right timing, tone, tenor, right messenger), an important part of vendor management is managing expectations. The vendor has to know they're not meeting expectations.

    If the messages have been delivered, at and by the appropriate level of seniority, then you're back to the original question, which is a business decision that needs to be made by very senior people.

    Personally, I'd rather go through the costly transition – which frankly seems like it, by design, could be handled in stages – than have a regulatory issue.

    These considerations are separate from the "notify" investors considerations. The same train of thought applies, though - not handling these issues or communicating them always will prove more costly to your company than raising them. 

    Best of luck.




  • 5.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 16 days ago

    Thank you again.

    Yes, those are great questions and have been on our minds for some time.

    Our Default Management (FC, BK, & REO Leaders) and Vendor Management team work very closely to effectively performance monitor and escalate concerns to offending firms in a timely and appropriate manner in conjunction with our contractual agreement. 

    It has, however, been a long time internal discussion to better understand that next level, reporting systemic or significant failures in performance or due diligence to the GSEs. 

    You have certainly provided us additional considerations and perspectives. It really comes down to an organization's risk appetite; however, I appreciate the ThinkTank as a space to dialogue and gather these types of perspectives from others. As a risk analyst, having more perspective and understanding typically leads to the best outcome for those involved.




  • 6.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 19 days ago

    Hello- 

    I am responding as a regulated entity. First and foremost, the GSEs mandate that all firms get reviewed for each state they handle for you, annually. So a firm who refuses to comply with your (assuming reasonable) due diligence request is putting themselves at risk as they sign a limited retention agreement with the GSEs and my bank will not use a firm that is not GSE approved with a limited retention agreement in place. But before I even go there, I have a legal services agreement in place with each firm who is handling our work that outlines our right to audit requirements. So when a firm refuses I point out that they are in breach of contract and try to work with them on possibly extending the deadline for response. However I also explain that their refusal puts us in jeopardy of being in violation of GSE requirements and as such I will be forced to notify the GSE of this. The firms generally will comply because if they don't, the GSE can revoke their retention agreements and the firm will experience a significant drop in referrals. I also make sure I am dealing with a partner when the firm refuses to comply. Any firm that gives us a hard time will eventually be replaced by a firm who wants the work and is willing to comply with the GSE minimum requirements.




  • 7.  RE: Non-Compliant to Audit Request - Report to Investors?

    This message was posted by a user wishing to remain anonymous
    Posted 16 days ago

    Thank you, 

    We do have very explicit Retention Agreements for our GSE counsels; however, it still seems, as we complete their Due Diligence reviews, they have difficulty providing us effective documentation for our assessment to meet our interpretation of the Minimum Firm Requirements as noted within the GSE guidance.

    We have been "coaching" them each year in hopes they enhance their policies and procedures. 

    Have you had to report any firms to GSE for non-compliance or for systemic issues related to their risk assessment results?  

    Thanks