When a mortgage lender outsources services to a vendor, whether for account management, mortgage application processing, software development or system management, the lender expects and relies on the vendor to manage the related risks. Those risks center on privacy and the protection of sensitive customer data (e.g. Social Security Numbers), unauthorized employee access, outside intrusions or hacking, assurance that systems keep functioning (in the event of a natural disaster, or of software being corrupted during development), and finally data backup and business continuity.
Unfortunately, no single manual exists for ensuring that vendors have all the right controls in place, or that they meet regulators’ expectations. Though this brief column cannot provide the full manual, it can cover some essentials that lenders need to understand about vendor assurance. Let us begin with how vendors can expose mortgage lenders to risk.
Lenders remain ultimately responsible for ensuring that the external services they procure do not have an adverse impact on their operations. Outsourcing a function does not outsource the accountability for it, so any impact arising from unmanaged vendor risks lands on the lender, with consequences that can include lost revenue, lawsuits, negative publicity and penalties for non-compliance.
How can lenders be assured that their vendors properly manage the risks associated with outsourced services? Lenders can request information about a vendor’s practices by asking the vendor to complete and return a Request for Information questionnaire (RFI), perform audits of their vendors themselves, and/or request independent audit reports such as “SSAE 16” and “FISMA” compliance audits.
RFIs are inherently less reliable, since the vendor attests to its own internal controls without verification by an independent party. Audits conducted by the lender or by an independent third party are more reliable, but can be expensive. To be strategic in their vendor assurance efforts, lenders should assess the potential risks of each outsourced service (for example, whether the vendor handles sensitive customer data or operates a system the lender cannot do without) and use that assessment to identify which vendors warrant an audit. Those insights should then determine the type and frequency of the audits required.
Some vendors may have previously undergone an independent audit and be able to furnish a recent audit report as an external source of validation. Lenders may be familiar with the term “SAS 70.” That standard was replaced in 2011 by “Statement on Standards for Attestation Engagements No. 16,” or SSAE 16. SSAE 16 audits of service organizations exist in two forms: a Type I report provides limited assurance, because it examines the design of controls at a single point in time, whereas a Type II report covers a period of time and provides a higher level of assurance that the controls, procedures and processes are actually operating as management intends. Two caveats are worth keeping in mind when reading such a report. First, an SSAE 16 (SOC 1) report is scoped to controls relevant to the lender’s financial reporting, so a clean report does not by itself speak to the security, availability or confidentiality of the vendor’s systems; at the time of writing, the separate SOC 2 report covered those areas. Second, the report describes only the systems and locations the vendor chose to include, so the lender should confirm that the service it actually consumes is within scope. Due to the increased regulatory oversight brought by the Sarbanes-Oxley Act, many lenders are taking the wise approach of requiring their vendors to demonstrate SSAE 16 compliance.
With an understanding of the risks and of vendor assurance practices, lenders can protect their business against lost revenue, system downtime, security threats and other consequences of non-compliance. As a final word of caution, lenders should be careful not to “set and forget.” A report or questionnaire describes a vendor at one moment; it is important to routinely re-evaluate compliance needs and to ensure that vendors continue to live up to expectations over the life of the business relationship.
Henry Bagdasarian is compliance and audit director at Veros Real Estate Solutions. For more information, call (714) 415-6300 or visit Veros.com.