Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Vendors Selling MRS

    This message was posted by a user wishing to remain anonymous
    Posted 02-09-2022 05:07 PM
    This message was posted by a user wishing to remain anonymous

    As a financial institution who acquires Mortgage Servicing Rights from various entities such as another financial institution or a secondary marketing resource, do you consider these entities contracted under a Flow Servicing Rights Purchase and Sale Agreement to fall under your Third Party Risk Program?

    If so, given that some of these are competitor financial institutions, what level of due diligence would you request?

    Asking due to a recent incident where the entity we acquired an MSR was breached and the consumer data potentially compromised.  

    I appreciate you thoughts and insight into this situation.


  • 2.  RE: Vendors Selling MRS

    Posted 02-17-2022 05:38 PM

    Hello,

    While this seems like a complicated question, the answer is somewhat straightforward. Those entities from whom you acquire the MSRs are your third parties. They are responsible for the products and services they offer your organization. You must ensure that those organizations meet your third-party risk management requirements by adequately vetting and managing their subcontractors.

    All financial services organizations should understand and appreciate the necessity of due diligence. And while it is understood that these organizations may be competitors, it is reasonable for you to confirm their control environment. If there is any friction for these requests, I suggested ensuring your NDA’s address the need to review documents for due diligence. I also suggest that you remain open to redacted documents or alternative due diligence methods. Most importantly, please pay attention to their third-party risk management policies and practices.

    Those are my thoughts, but I would love to hear from other members.