Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Morning All, 

We are re-evaluating our Initial Due Diligence and Ongoing Monitoring efforts as it relates to the title companies used during the loan origination process.  I am interested to hear from financial institutions or originating lenders related to their DD/OGM efforts for title production, settlement and remittance service providers.  

Currently, we are use a 3^rd party for facilitate our initial assessments that provides:  

• Loan closing certification product that confirms valid title commitments, vendor compliance to state laws and registration of parties with necessary state corporate registrar (OCC, FDIC, CFPB, State Dept. of Insurance / Finance), confirmation of good standing with title insurers as well as recourse back to the insuring entities who have contractual obligations to the lender.
• Service confirms good settlement and title parties on every loan as well as title commitments / policies issued by bona-fide entities approved by title insurers.
• Confirm wire accounts are held by the intended licensed party
• A transaction level wire fraud prevention tool for banks, realtors, lenders / real estate investors, warehouse banks / disbursement parties and for consumers who are making down payments.

From an OGM perspective we developed a specialty questionnaire based on the Alta Best Practices that we send to active title companies each year.  

Thinking about the proposed risk at its highest level, the Title Companies could pose risk to a clear and marketable title, however that risk would be indemnified by an effective CPL.  Other risk could include the potential for Wire Fraud, here we have a process where any changes to wire instructions require VM to review and approve. 

What does your organization see as an acceptable level of DD/OGM for these types of Services?

Do you consider the total number of closings performed by the vendor over a period of time?

 

I look forward to your feedback or insights.

Hi there,

First, I want to mention that your organization has done a great job building a risk identification and management framework for your title companies. And the Alta Best Practices guide is an excellent resource to draw from.

While it may be layered into your fraud protection or other assessments, it is unclear if you are identifying and assessing information security risks (cyber risk). Privacy risk is another important consideration. Third-party risk management practices are also very important, you should know how the title company vets and monitors its vendors. Including those risks in your assessment is a good idea if you don't already. Those are my thoughts, but I would love to hear from other members too.

Thanks,
Hilary

Morning and thank you Hilary, 

That is my concern, have we over built our program around the title service industry?  I have heard that other organizations do not include them in their risk monitoring programs at all.  

If you consider the choice to use the title company is based upon borrower shopping, then the lenders risk comes with ensuring the clear and marketable title at loan origination to avoid any title defects or repurchases.  To what extent would you consider information security and privacy concerns for title companies?  

From what I have seen in my years in this role, we have had very few 5 or less title companies who have had, or at least reported a security incident to impact our services.  When those arise, we work diligently to review them against our info sec resources and vulnerability tools to help them enhance their cyber posture for the future. 

We have also done some work with our larger title companies who are also the primary national underwriters.  We evaluate their agent programs in an effort to understand those requirements to become and remain an active agent for a specific UW.  This give us additional ease for those agents confirmed in those respective network having to meet the UW program requirements to be able to issue title policies. 

We have considered a loan closing risk threshold, stating if the title company does not close more than 25 loans in an 18 month period they are not considered significant risk for inclusion in our risk oversight program.  

Still looking for more insight on what others in the lending space consider for their title companies.

Best Regards, 
Rachel

------------------------------
Rachel Kenyon
Division Third Party Risk Management Senior Analyst
CRVPM IV
------------------------------

Original Message:
Sent: 12-07-2022 09:14 AM
From: Hilary Jewhurst
Subject: Title Companies - DD Commensurate to the level of Service risk?

Hi there,

First, I want to mention that your organization has done a great job building a risk identification and management framework for your title companies. And the Alta Best Practices guide is an excellent resource to draw from.

While it may be layered into your fraud protection or other assessments, it is unclear if you are identifying and assessing information security risks (cyber risk). Privacy risk is another important consideration. Third-party risk management practices are also very important, you should know how the title company vets and monitors its vendors. Including those risks in your assessment is a good idea if you don't already. Those are my thoughts, but I would love to hear from other members too.

Thanks,
Hilary