MBA Compliance Essentials: Vendor Management Resource Guide

Vendor Management Resource Guide

Jeffrey P. Naimon Partner, BuckleySandler LLP

Christopher M. Witeck Partner, BuckleySandler LLP

Jon David Langlois Counsel, BuckleySandler LLP

MBA Compliance EssentialsSM

13597

mbaed

ucati

on.or

g

1

MORTGAGE BANKERS ASSOCIATION MBA COMPLIANCE ESSENTIALS

VENDOR MANAGEMENT RESOURCE GUIDE

mbaed

ucati

on.or

g

2

DISCLAIMER The information contained herein is for informational purposes only; do not constitute legal advice; and, do not necessarily reflect the opinions of BuckleySandler LLP or any of its attorneys or clients. These materials are not intended to create, and do not create, an attorney-client relationship between you and BuckleySandler LLP, or any of the presenters, and you should not act or rely on any information in these materials without consulting legal counsel. The information contained in these materials may or may not reflect the most current legal developments; accordingly, information in these materials is not promised or guaranteed to be correct or complete, and should not be considered an indication of future results. BuckleySandler LLP expressly disclaims all liability in respect to actions taken or not taken based on any or all the contents of these materials.  ©2013 BuckleySandler LLP                             Copying or other unauthorized redistribution of this publication — in whole or in part — violates U.S. copyright law. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of the copyright owner. MBA is not responsible for the content of these materials

mbaed

ucati

on.or

g

3

TABLE OF CONTENTS

Author Biographies and Information about the Firm Page 4 Introduction and Regulatory Overview Page 7 Vendor Management Compliance Checklist Page 11 Sample Vendor Due Diligence Request List Page 13 Sample Vendor Contract Provisions Page 15 Reference Materials Page 21 Form Vendor Management Policy Page 22, Exhibit A

mbaed

ucati

on.or

g

4

AUTHOR BIOGRAPHIES AND INFORMATION ABOUT THE FIRM

Jeffery P. Naimon is a partner in the Washington, DC office of BuckleySandler LLP. Mr. Naimon has more than 20 years of experience assisting banks and other financial services providers with regulatory, enforcement, transactional, and litigation matters. Mr. Naimon provides regulatory and enforcement counseling on fair lending or unfair, deceptive or abusive acts and practices (UDAAP) issues. He defends banks and other financial services companies facing regulatory enforcement matters before the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance

Corporation (FDIC) and the Board of Governors of the Federal Reserve System (FRB), and state banking and mortgage regulators. He also provides regulatory advice with a focus on consumer operations, and assists in drafting legislative or regulatory advocacy papers. Mr. Naimon also performs fair lending and other regulatory due diligence on acquisition targets and outsourcing counterparties to mitigate and/or value possible risk involving loan portfolios or other lending operations. He also assists companies with structuring acquisition and investment transactions in the financial services arena to minimize the time necessary to close the transaction, and assist in obtaining necessary change of control approvals. Mr. Naimon advises on the entire panoply of banking and consumer finance statutes, including the Dodd-Frank Act, National Bank Act, Truth in Lending Act, Real Estate Settlement Procedures Act, Servicemembers Civil Relief Act, Fair Credit Reporting Act, Equal Credit Opportunity Act, Fair Housing Act, Fair Debt Collection Practices Act, the privacy provisions of the Gramm-Leach- Bliley Act, and state laws governing lending, servicing, collections and unfair and deceptive acts and practices. He has assisted many servicers in the interpretation of the Fannie Mae/Freddie Mac Uniform Security Instrument. Mr. Naimon is the current co-chair of the Truth in Lending Subcommittee of the American Bar Association’s Consumer Financial Services Committee and has authored numerous articles on consumer financial services. Mr. Naimon received his J.D. from the University of Virginia School of Law and his B.A. from Yale University (magna cum laude).

* * *

Chris Witeck is a partner of BuckleySandler LLP. His corporate practice focuses on mergers and acquisitions, capital markets transactions (including purchases and sales of mortgage loans and servicing rights), corporate governance, securities regulation, corporate reorganizations, joint ventures, and e-commerce and outsourcing agreements for financial services and other business entities. Mr. Witeck is a leading counselor to loan sellers on Regulation AB requirements. His regulatory practice has focused on the Real Estate Settlement Procedures Act and advising participants on affiliated business

arrangement transactions. Prior to joining BuckleySandler, Mr. Witeck was an associate with Goodwin Procter. Before attending law school, he worked at the U.S. Department of State. Mr Witeck received his J.D. from Georgetown University in 1998 and his B.A. from the University of Virginia in 1993.

mbaed

ucati

on.or

g

5

* * *

Jon Langlois is counsel in the Washington, DC, office of BuckleySandler LLP. Mr. Langlois works with all types of financial institutions and financial services providers on regulatory compliance matters relating to consumer lending and servicing activities. His practice includes a focus on mortgage servicing activities, including assessment and advice on default servicing, such as loss mitigation and foreclosure prevention. Representative tasks include assessing and advising clients on:

Servicing, default servicing and loss mitigation platforms, including HAMP, HAFA, and other federal programs

Third party oversight/vendor management processes and programs Compliance with federal and state requirements affecting lending and servicing activities,

including TILA, RESPA, SCRA, ECOA, HPA, and others Dodd-Frank Act implementation and compliance GSE and federal agency lending and servicing requirements (including Fannie Mae,

Freddie Mac, FHA, VA, and Ginnie Mae) Appraisal and appraisal management concerns Complex internal and external investigations and regulatory examinations, including with

the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, and other federal and state regulatory agencies

Entity-wide risk assessments and quality control reviews Comprehensive surveys and reviews of state and federal laws and regulations

In addition to his regulatory practice, Mr. Langlois also advises clients on a variety of corporate and transactional matters, including capital markets transactions, corporate governance, and corporate organizations and reorganizations. These opportunities have included, among others, due diligence reviews in corporate mergers, conducting corporate reorganizations, conversions, and dissolutions, advising and managing entity licensing and state qualification efforts, drafting and negotiating loan sales and sales of mortgage servicing rights, and drafting and negotiating outsourcing transactions with third party service providers and other vendors. Mr. Langlois received his J.D. from the Georgetown University Law Center in 2005 and was Senior Editor of the Georgetown Journal of Law and Public Policy. While in law school, Mr. Langlois was a Legislative Analyst with Wilmer Cutler Pickering Hale and Dorr and a Government Affairs Representative with the American Financial Services Association. He received his B.A. from the University of Richmond in 1997.

* * *

As the financial services industry continues to face a once-in-a-generation overhaul, having the right legal counsel on your team can mean the difference between business success or failure. The attorneys at BuckleySandler LLP have decades of experience representing banks, mortgage lenders and servicers, credit card companies, insurance companies, securities firms

and other financial services companies in matters affecting their industry. The attorneys at BuckleySandler are among the leading financial services law practitioners in the country and have a track record of successfully assisting clients in enforcement, litigation, regulatory, transactional, and public policy matters. Currently, the firm represents the top 10

mbaed

ucati

on.or

g

6

largest banks in the United States, the top 10 mortgage servicing companies, nine of the top 10 mortgage lending companies, the top 10 credit card issuers, as well as many community banks and non-bank financial services companies. In the past two decades, our attorneys have acted as lead defense counsel in nearly 100 high-stakes class actions, represented our clients in a multitude of state and federal enforcement proceedings, obtained favorable results in a number of criminal proceedings and had a hand in commenting on or drafting a majority of the significant laws that impact the financial services industry. With more than 150 lawyers in Washington, New York, Los Angeles, and Orange County focused on financial services law, BuckleySandler helps our clients turn legal, regulatory and legislatives challenges into business opportunities.

mbaed

ucati

on.or

g

MBA Compliance Essentials℠: Vendor Management Resource Guide

7

INTRODUCTION & REGULATORY OVERVIEW

Financial companies like mortgage bankers often rely on third party vendors in the normal course of doing business. Thoughtful utilization of vendors can provide great benefits for the company. For example, vendors can help a company realize operational or financial efficiencies, focus finite internal resources on core functions, bring in specialized expertise at a low cost, and increase availability or accelerate delivery of products or services.

Along with the benefits, however, vendor relationships also introduce additional layers of risk and complexity to a company’s operations. These risks are often categorized by regulators as follows:

Compliance risk is the risk arising from violations of applicable law or from nonconformance with internal policies and procedures or ethical standards.

Reputation risk is the risk arising from negative public opinion. Reputation risks arise when the vendor relationship does not meet the expectations of the company’s customers through poor service, disruption of service, or violations of law, among other things. This risk can be especially serious where the vendor offers products or services directly to the company’s customers.

Strategic risk is the risk arising from harmful business decisions or improper implementation of business decisions. Strategic risks can arise when the company fails to perform an adequate risk assessment, the company or vendor lacks sufficient knowledge about the other party’s products, services or business lines, the vendor provides services inconsistent with the company’s goals and objectives, or the vendor fails to provide the expected return on investment.

Transaction risk is the risk arising from problems with vendor’s service or product delivery. The inability of a vendor to deliver or provide its products or services for any reason including, without limitation, an error in the product, increases the company’s transaction risks.

Credit risk is the risk arising from a vendor’s failure to meet the terms of a contract with the company. Third parties that conduct business with or on behalf of the company raise the credit risk of the company. Improper oversight of such third parties can also result in substantial credit risk.

Operational risk is the risk arising from inadequate or failed internal processes, systems, or people, or from external events. Third parties increase the company’s overall operational complexity, and therefore increase operational risk.

Vendor concentration risk is the risk arising when the company has too many contracts with one particular vendor. The risk of overuse may result in a situation where the vendor may no longer have the resources to efficiently and effectively comply with the terms and conditions of the applicable contracts.

Regulatory Environment

Because of these risks, management of third party vendors has been an aspect of the regulatory oversight of financial institutions for decades, starting with the broad trend in the 1960s and 1970s for banks to outsource to specialist technology firms their core systems rather than continuing to develop and maintain proprietary systems. All federal financial institution regulators expect their supervised institutions to manage vendor relationships in a manner that ensures compliance with applicable law and have issued some level of guidance to that end.

One notable piece of regulatory guidance was issued by the OCC in 2001 in Bulletin 2001-47 (the “OCC Bulletin”). This guidance describes in some detail the expectations of the OCC of its member institutions for managing risks arising from third party relationships. That guidance begins with the premise that the board of directors and management of a company will be expected to properly oversee and manage third-

mbaed

ucati

on.or

g

MBA Compliance Essentials℠: Vendor Management Resource Guide

8

party relationships, and therefore should adopt a vendor risk management process. The OCC Bulletin then states that its examiners would review the risks associated with the company’s material third-party relationships and activities in conjunction with other bank risks. The OCC Bulletin then sets forth in some detail the expected risk management process, which includes the four stages of vendor management that help underpin the basis of what is proposed in this Resource Guide. The OCC guidance was extended beyond national banks to also cover all federal savings associations in May 2012 upon the consolidation of the OCC and OTS.

The FDIC issued similar guidance for its member institutions in 2008 pursuant to Financial Institution Letter 44-2008 (the “Letter”). As the OCC did, the FDIC placed responsibility for vendor management with the institution’s board of directors and senior management. The FDIC intended the Letter to assist its institutions in managing “significant” third party relationships.1 In the Letter, the FDIC also identifies and describes the same four key stages of the vendor management process. Finally, like the OCC, the FDIC stated that it will review the financial institution’s risk management program and its third party relationships “as a component of its normal examination process.”

However, all of this guidance was issued under these prudential regulators’ authority to ensure the safety and soundness of the financial institutions under their supervision. Although the prudential regulators have had ongoing expectations that compliance with applicable law and regulation is one aspect of vendor management by the banks subject to their authority (as part of safe and sound operation of the banking institution), that one aspect did not take precedence over all other considerations.

Nevertheless, the regulatory focus on vendor management increased exponentially since the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the creation of the Consumer Financial Protection Bureau (“CFPB”). With Bulletin 2012-03 (the “CFPB Bulletin”),2 the CFPB announced its expectations for supervised banks and nonbanks involved in business relationships with “service providers.”3

Unlike the OCC and FDIC, however, the CFPB does isolate regulatory compliance as the overriding concern for the vendor management process. Specifically, the CFPB clarifies that a company’s vendor management program should aim to “limit the potential for statutory or regulatory violations and related consumer harm” and to ensure that such relationships do not present “unwarranted risks” to consumers.

The CFPB’s examination manual provides consistent information regarding the CFPB’s expectations for regulated entities such as mortgage lenders and servicers to oversee their service providers. The Compliance Management Review (CMR) section states that “Supervised entities are also expected to manage relationships with service providers to ensure that these providers effectively manage compliance with Federal consumer financial laws applicable to the product or service being provided.”4 The CMR guidelines further note that, among other service provider-related issues, examiners should ensure that the Board of Directors and senior management have demonstrated clear expectations for compliance to service providers, and should review policies and procedures designed to ensure that the entity’s service providers comply with legal obligations applicable to the product or service of the examined entity and the provider.5 As a result, for nonbanks and CFPB supervised banks, where vendor relationships were traditionally reviewed through a safety and soundness prism, these arrangements are now examined through the magnifying glass of consumer protection.

1 The FDIC defined “significant” to include any new relationship, any instance where a new bank activity is being implemented, where the relationship has a “material effect” on the institution’s revenue or expenses, where the third party performs critical functions, or stores, accesses, transmits or performs transactions on sensitive customer information, where the third party markets bank products or services, provides a product or service involving subprime lending or card payment transactions, or poses risks that could significantly affect earnings or capital. FIL 44-2008, at 1. 2 CFPB Bulletin 2012-03 (Apr. 13, 2012). 3 “Service Provider” is defined as any person that “provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.” See 12 U.S.C. § 5481(26). 4 CFPB Examination Manual V.2 (October 2012) CMR-1. 5 CFPB Examination Manual V.2 (October 2012) CMR-3, 7.

mbaed

ucati

on.or

g