We are having a hard time getting Title Companies to complete our Questionnaire and provide their Insurance Policy annually. There are no contracts between us, but we do list their company on our loan LE for the customer to choose a title company when doing a mortgage loan with us. Also, our vendor champions are giving push back agreeing with the title companies, stating they are not a vendor, stating they work with our client not us. After having a discussion with my team members, we are thinking that if we are the lender for OUR client and they choose to work with that title company we list for them to choose, then they are a vendor because we have to work together to close the loan, and they have sensitive information on our client. Any thoughts on this or anyone having or had similar issue(s)?
My organization did a few things to help with this process.
For initial reviews we review CPL & Wire using a 3rd Party. These are high volume reviews and high consumer impacting so time is of the essence however wire fraud is on the rise so our process is imperative to ensure the safety of our consumers funds and overall experience.
During ongoing monitoring we have 3 levels for our Title Companies:
Over all we have about 1700 title companies in our program and this grows monthly by 30-50 new title companies. The majority are complete thru the UWA level 1 reviews; of the remaining we have about 10-15 which have high enough concentration to require the option 3 a full best practice review and then about 250 that do not meet the material risk threshold for continuous monitoring.
This has been a project for several years to get our title companies, UWs and Board accepting of this process but we have seen a huge lift in our OGM requirements as well as improved customer experience and avoidance of wire fraud issues.
I hope this helps
We do not consider Title Companies as our vendors since we do not have a contractual relationship with them (our business relationship with them is through the directions and authorization of our borrower). The buyer and seller agree on the Title Company, they enter a contractual agreement with the Title Company, and they voluntary give their NPI to the Title Company (outside of the bank). However, in your situation, it sounds like your company actually provides selected Title Companies on your printed forms for your borrowers to select...implying that these are the Title Companies your company recommends or only the title companies your borrowers are allowed to do business with to obtain the loan. As such, the risk is not contractual but rather reputational and/or legal in nature should the title company printed on your form fails to perform or perpetuates fraud. Thus absolutely someone should be doing ongoing monitoring of these companies (but not necessarily Vendor Management).
You may want to reconsider the position that they are not your vendors. They are your vendors as your closing docs usually have a set of Lender's Instructions to the closing agent and usually, the closing agent is required to sign/acknowledge those instructions. The CFPB and FHLB have both opined that title companies and settlement agents are third party vendors and should be treated as such. They provide a service to/for your organization. When you provide a closing package that contains a URLA, you are providing the most private of information on a consumer. You are sending them hundreds of thousands of dollars and trusting them to pay off debts/title. You are relying on them to follow your instructions. They have to be licensed and is that license in good standing? If they are preparing a closing disclosure, are they doing it correctly?
Attached is an article and although it may seem dated...it should reinforce that the protocol to loop these entities into your vendor management program has been around for many, many years.
Vendor Management Risks and Controls - Poyner Spruill LLP
I think this situation is a prime example of where a lot of financial institutions were hoping that we'd get some more specifics in the interagency guidance on how to define a third party. Unfortunately, they continue to keep it loosely defined as a "business arrangement."
I also work for a bank, but I'm not aware of any assessments that we do on title companies. We have some companies that do title work, but; however, they provide other services for us and we're the ones sending them the data. We also have contracts with them, so I don't feel like it's an apples to apples comparison. Are you sending data directly to the title company that your customer chooses or does it all come through your customer? Either way, I think you're right to consider it in your program. If the title company has a major breach, the information of every single one of your customers that used them could be at risk, and it's inevitable that it'll fall back on the bank.
Are any of these companies receiving a significant volume of customers? If not, and they are each only getting a few customers a year, then maybe the risk isn't high enough to justify the need for a review. That would depend on your risk appetite and how you look at the risks.
Hopefully, some others have more direct experience with this specific situation and can provide you with some better advice. I'm curious to hear what you're able to get figured out. I feel like this is one of the 90/10 situations where 10% of your population seems to take up 90% of your time, or at least is the cause of 90% of your frustrations.