Putting the Management Back in Vendor Management

Panelists: Calvin Hagins, CFPB; Ken Markison, MBA; Jonathan McKernan, Wilmer Hale; Dan Mugge, CoreLogic

Moderator: Brian O’Reilly, The Collingwood Group, LLC

February 20, 2014

The New Landscape: Increasing Regulatory Scrutiny

• Vendor management practices have recently been subject to increased regulatory scrutiny.
  • Banking regulators issued new guidance in 2012 and 2013.
  • Recent enforcement actions have targeted vendor management deficiencies.
• Possible drivers of increased scrutiny:
  • Shift in supervisory focus to operational risks: operational risks increase when a vendor is involved in bank operations.
  • Evolving nature of outsourcing relationships: increased reliance on cloud computing and other technology service providers that present greater operational risks.
• Some areas of focus:
  • Data security
  • Consumer protection compliance

Regulatory Guidance

• OCC
  • OCC Bulletin 2013-29: Third-Party Relationships
  • OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers
• FDIC
  • FIL-44-2008: Guidance for Managing Third-Party Risk
  • FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents
• Federal Reserve
  • SR 13-19: Guidance on Managing Outsourcing Risk
  • SR 00-4 (SUP): Outsourcing of Information Technology and Transaction Processing
• CFPB
  • CFPB Bulletin 2012-03: Service Providers

Regulatory Guidance (cont.)

• FFIEC
  • IT Examination Booklet on the Supervision of Technology Service Providers (Oct. 2012)
    • Guidance for examiners and banks on supervising TSPs.
    • Uniform Rating System for Information Technology (URSIT).
  • Exam Booklet on Outsourcing Technology Services Risk (Jun. 2004)
  • Risk Management of Outsourced Technology Services (Nov. 2000)
  • Administrative Guidelines – Implementation of Interagency Programs for the Supervision of Technology Service Providers (Oct. 2012)

Enforcement Activity

• Several consent orders targeted alleged telemarketing sales tactics and/or billing issues by vendors involved in credit card add-ons.
  • Amex: $16.2 million in penalties, $59.9 million in customer redress.
  • JPMorgan: $60 million in penalties, $309 million in customer redress.
  • Discover: $14 million in penalties, $200 million in customer redress.
  • Capital One: $60 million in penalties, $150 million in customer redress.
• Amex 2012 consent orders targeted alleged deceptive and other unlawful credit card practices arising out of oversight of affiliated service providers.
  • $27.5 million in penalties and $85 million in customer redress.
• First Bank of Delaware consent order targeted alleged AML violations arising out of inadequate oversight of vendor payment processors.
  • $15 million in civil money penalties, $500,000 in customer redress, and loss of charter.
• Mortgage foreclosure orders

Mortgage Foreclosure Orders

• Consent orders with servicers targeted unsafe and unsound practices related to servicing and foreclosure processing.
• Many of the deficiencies in foreclosure processing were by vendors acting on behalf of the banks, in particular by foreclosure attorneys.
• Among other things, vendor management deficiencies included:
  • Insufficient policies and procedures governing the selection, management and termination of the law firms facilitating foreclosures;
  • Absence of formal contracts with the law firms;
  • Inadequate oversight of law firms; and
  • Failures to retain originals or copies of documents maintained by foreclosure attorneys.
• Regulators even took enforcement action directly against vendors – LPS and MERS – under the Bank Service Company Act.

General Regulatory Expectations

• Banking regulators generally expect that a bank will ensure that each vendor:
  • does not present a safety and soundness risk; and
  • complies with applicable law when acting on behalf of the bank.
• Vendor management is risk-based: a bank should take appropriate risk management steps to identify, assess, monitor and control vendor risks.
• Risk management steps include: (i) a risk assessment; (ii) due diligence; (iii) an appropriate vendor contract; (iv) monitoring of the vendor’s performance and financial condition; and (v) contingency planning.
  • OCC also identifies several additional “phases” of the “continuous life cycle” that include “oversight and accountability,” “documentation and reporting” and “independent reviews.”
• No “one size fits all” approach: tailored to a vendor’s risk profile.
• Expectations apply not just to vendors, but to all third-party relationships.
  • Includes “other business arrangements where the bank has an ongoing relationship,” e.g. joint ventures and affiliate relationships (OCC Bulletin).

CFPB Requirements

CFPB Bulletin 2012-03 requires:

• Due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law;
• Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure the service provider conducts appropriate training and oversight of employees or agents having consumer contact or compliance responsibilities;
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate.

The Paradigm Has Shifted

• CFPB regulated entities are expected to carry out consumer protection responsibilities including vendor management.

The paradigm shifted for a variety of reasons.

Industry Challenges

Important consumer protection objectives of policy are understood, but there are legitimate concerns. For all regulated entities, challenges include:

1. Uncertainty about expectations
   Which service providers are covered? Some are obvious; what about independent entities?
2. Managing risks
   How much is enough? How much is too much?
3. Managing costs
   Due diligence, changes to practices, establishing controls, monitoring, etc. all have costs.
4. For independent mortgage bankers and many servicers, requirements for vendor management on this scale are new.

Industry Costs Are Ultimately Consumers’

[Chart: Retail Production Expenses ($ per Loan)]

Direct Cost to Service ($/loan)*

Year   Prime Servicers   Specialty Servicers
2007         55                 217
2008         58                 191
2009         89                 325
2010         96                 412
2011        121                 392
2012        164                 535

Source: MBA’s Servicing Operations Study

* Excludes corporate administration costs, unreimbursed FC and REO costs, and compensatory fees. Fully loaded servicing operations costs were $312 per loan for prime servicers and $687 per loan for specialty servicers.

Managing Challenges

• Regulatory concerns beyond vendor management requirements make vendor control imperative
  • Servicing imperatives
  • RESPA tolerances and RESPA-TILA integration
  • Data security issues
• Affiliations are one way to manage, but the QM points and fees calculation has made these difficult, at least for “third party charges”
• Path:
  • Policies and procedures that guide due diligence – Compliance Essentials
  • New agreements
  • Monitoring and scrutiny

Vendor Risk Management

Presented by: Dan Mugge, Vice President, Technology Solutions, Asset Management & Processing Solutions

Vendor Risk Management Framework

First, it should be part of a larger Enterprise Governance, Risk and Compliance program (strategy, governance, risk, compliance).

Second, it should consider numerous risk types: compliance, reputational, operational, financial stability, information security, business continuity, and others.

Third, it should be based on five main pillars:

1. Due Diligence & Vendor Selection
2. Risk Assessment
3. Contract Management
4. Monitoring and Oversight
5. Exit Plan

Ultimately the lender is responsible for compliance, but remember that one size does not fit all.

Enterprise Governance, Risk & Compliance (GRC) Framework

Governance
  Purpose: Establishes corporate oversight and organizational strategy, goals, objectives, risk appetite, and compliance expectations.
  Examples of artifacts:
  • Corporate Strategy, Goals, Objectives
  • Risk Appetite Statement
  • Enterprise Laws, Regs, Policies, Standards, Contracts

Enterprise Risk Management (ERM)
  Purpose: Identifies and assesses risks that, should they occur, may affect the ability of the organization to achieve its goals and objectives.
  Examples of artifacts:
  • Enterprise Risk Assessment
  • ERM Process
  • Risk Scan Form and Process
  • Risk Action Plans

Compliance Management
  Purpose: Ensures the organization operates in accordance with laws, regulations, industry standards, internal policies and processes, contracts and other commitments.
  Examples of artifacts:
  • Annual Compliance Plan & Assessment
  • Compliance Process
  • Legal and Regulatory Inventory
  • Compliance reports

Issues Management
  Purpose: Provides a formal mechanism for tracking, escalating, reporting and resolving all organizational issues (e.g., non-compliance, complaints, IT gaps, etc.).
  Examples of artifacts:
  • Issue Identification Form
  • Issues Management Process
  • Issues Reporting

You must have your house in order.

Vendor Risk Management Program

Vendor Risk Management: Old World Order vs. New World Order

1. Due Diligence & Vendor Selection
   Old World Order:
   • Price
   • Performance
   • Expertise
   New World Order:
   • Consumer Impact
   • GRC Maturity
   • Policies & Procedures
   • Fiscal Health
   • Business Model
   • Lawsuits/Complaints
   • Training Programs

2. Contract Management
   Old World Order:
   • Performance Penalties
   New World Order:
   • Compliance Expectations
   • Enforceable Consequences

3. Risk Assessment
   Old World Order:
   • Operational
   • Information Security
   • Business Resiliency
   New World Order:
   • Consumer Risk
   • Compliance Risk
   • Financial Risk
   • Reputational Risk

4. Monitoring and Oversight
   Old World Order:
   • Spend
   • Transactional Performance
   • Critical Quality Indicators
   New World Order:
   • Key Risk Indicators
   • Key Performance Indicators
   • Corrective Action Plans

5. Exit Plan
   Old World Order:
   • Loosely follow exit terms
   New World Order:
   • Documented for critical vendors
   • Transfer phase identified

Third parties can provide staffing, services and expertise, but they do not assume ultimate responsibility for compliance.

Pitfalls

• Inadequate understanding internally and externally of expectations
• Broader range of risks not considered
• Lack of expertise within the institution on what the vendor actually does
• Approaching without a continuous improvement mindset
• Accountability not clearly defined
• Lack of investment in mock or internal audits
• Training and communication not funded
• Information to support the program and survive an audit was not considered and/or defined

A holistic and sustainable approach can help identify and manage risk.

Be Prepared: Check and Check Twice

COMPLIANCE
• What measurements are possible, practicable and meaningful?
• Are you effectively communicating expectations?

STRATEGY
• What is your supplier adoption strategy?
• Is there alignment to corporate strategies?
• Do you have exit strategies?

GOVERNANCE
• Do you have VRM policies and procedures?
• Are your contractual terms aligned to risks?

RISK
• Can you determine your vendor risk?
• Does your vendor have operational policies and procedures?
• Does your vendor have VRM policies and procedures?