Monday, June 26, 2017

Third-Party Relationships: Compliance Risk

Managing Director
Lenders Compliance Group

I am often asked if there are significant compliance risks involving third parties in mortgage banking. The answer is: without a doubt! In providing some insight, I will just mention three of the many types of third parties that pose such risks: mortgage brokers, mortgage lenders, and mortgage servicers.

Let’s be clear at the outset: managing third-party risk is critical for providers of consumer financial products and services. This is because financial institutions (“FI”) can be and often are themselves held liable for the practices of third parties acting on their behalf. Where there is contact with the public by third parties, directly or indirectly, on behalf of the FI the risk is substantively greater. From the point of view of technological factors, service providers may be integrated into an FI’s business operations. As such, this can lead to enforcement actions in which certain violations of consumer protection laws are alleged against the service provider and the FI itself!

It is the case that regulators have affirmed their intention to hold companies strictly liable for conduct of their agents. The legal principal invoked is usually the theory of “vicarious liability.” Just a few years ago, in October 2015, the Department of Housing and Urban Development (“HUD”) proposed rules to formally codify third-party liability standards under the Fair Housing Act, including strict vicarious liability for acts of an institution’s agents, as well as direct liability for negligently failing to correct and end discriminatory practices by those agents.[i]

Consider the risk posed by mortgage brokers. For many years, an area that has seen a lot of fair lending enforcement and class action litigation has been the wholesale mortgage lending industry. Since mortgage lenders close loans originated by independent mortgage brokers, regulators and private litigants have brought enforcement actions and lawsuits alleging that lenders have failed to monitor and control discretionary mortgage broker pricing and product selection practices. In these cases, it has been alleged, under the disparate impact theory, that the mortgage lenders have violated the Equal Credit Opportunity Act (ECOA) due to pricing disparities disfavoring racial and ethnic minorities.

In fact, since 2010 there have been several Department of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) enforcement actions, as well as lawsuits filed by cities, against wholesale mortgage lenders under this theory.[ii]

Most of the mortgage pricing fair lending enforcement actions to date have focused on conduct that predates April 2011, when regulations by the Federal Reserve on loan originator compensation first took effect. I have written extensively on the features of the loan originator compensation requirements that went into effect on April 6, 2011, if you are interested in reading more about these rules.[iii] The loan originator compensation regulations prohibit compensation to mortgage loan originators based on, among other things, discretionary loan pricing or product steering by a broker based on a financial incentive to a product not in the consumer’s interest.[iv]

Although these changes in the law have reduced pricing’s influence on fair lending risk, they have certainly not eliminated the risk entirely. For instance, in December 2015, the DOJ brought an enforcement action against Sage Bank in Massachusetts relating to disparities in revenue earned on retail mortgage loans to minority borrowers compared to that on mortgage loans to non-minority borrowers. What is notable about this action is that it was the first pricing discrimination enforcement action that focused on loans made after the loan originator compensation rules took effect in 2011. Obviously, it demonstrated that regulators are continuing to focus on mortgage pricing discrimination issues.

But fair lending is not the only compliance risk associated with wholesale lending. Other risks include Unfair, Deceptive, or Abusive Acts or Practices (referred to collectively, “UDAAP”) and related areas. In fact, the CFPB issued guidance on UDAAP in its Supervision and Examination Manual of October 2012.[v] With the benefit of time, litigation, guidance, and examinations, among other things, we can say that these risks arise because mortgage brokers play a key role in marketing, discussing product benefits and terms with applicants and guiding their product choices, providing disclosures, completing applications, and gathering documentation in support of the loan applications. It stands to prudent reasoning that, in addition to fair lending, oversight of an FI’s mortgage broker network is critical for mitigating UDAAP risk and managing other compliance requirements.

When we move from a consideration of risks associated with mortgage brokers to those posed by mortgage lenders the risk profile is neither better nor worse, but, as the saying goes, it is different. Much risk tends to congregate around fair lending in secondary market transactions. For instance, in the case Adkins v. Morgan Stanley, plaintiffs alleged that the policies and procedures of Morgan Stanley, which had purchased loans from subprime loan originator New Century Mortgage Company, had created a disparate impact on African-American borrowers. If as alleged, this would be a violation of the Fair Housing Act (FHA), ECOA, and state law.[vi] Although the court dismissed the ECOA claims as time-barred, it allowed the FHA claims to proceed, holding that plaintiffs’ allegations were sufficient to state a claim of disparate impact discrimination. In the ruling, the court stated that the FHA expressly applies to secondary market purchasing of mortgage loans. It further emphasized allegations relating to Morgan Stanley’s warehouse lending commitments, on-site due diligence of New Century loans, demand for loans with alleged “high-risk” features, and instructions to originate no-documentation loans when it appeared that the applicant could not afford the loan. In its conclusion, the court noted that the evidence was sufficient to support claims that Morgan Stanley’s policies “set the terms and conditions on which it would purchase loans from New Century” and that these terms and conditions had resulted in a disparate impact when they caused New Century to issue toxic loans to the plaintiffs.

In the case In re Johnson, a Chapter 13 debtor alleged that a loan originator had targeted minority borrowers for predatory loans, and that the purchasers and assignees “were involved in this enterprise of selling toxic loans and targeting vulnerable minorities” because the loans were originated with securitization as the ultimate goal.[vii] Although the court dismissed the complaints on the ground that the plaintiff had not alleged sufficient facts to support the claims, it did not summarily reject the proposition that a secondary market purchaser could be held liable under ECOA or the FHA.[viii]

My point is that fair lending scrutiny of not only mortgage lenders, but also their investors, will likely increase in the coming years as new Home Mortgage Disclosure Act (HMDA) reporting requirements, finalized in October 2015, will provide greater insight into the role of investors in the loan origination process.

A very brief tour of the data collection being required in Regulation C, HMDA’s implementing regulation, will suffice to prove my prediction. When the new HMDA rule becomes effective in 2018, loan originators will be required to report Universal Loan Identifiers that will help regulators track the life cycle of a loan among HMDA-reporting institutions (including investors that report HMDA data). In addition, originators will be required to identify the Automated Underwriting System (“AUS”) and results thereof when the originator uses an AUS developed by securitizers, federal government insurer, or federal government guarantor in the origination of the loan.[ix] [x]

But fair lending is but one of several salient risks associated with loan originations. Go back to November 2015 and you will find guidance to supervised institutions that was issued by the Federal Deposit Insurance Corporation (FDIC). The guidance involved safety-and-soundness requirements and consumer compliance risks associated with purchased loans and loan participations.[xi] In this guidance, the FDIC cautioned that “over-reliance on lead institutions” has, in some instances, caused significant credit losses and contributed to bank failures, and that “it is evident that financial institutions have not thoroughly analyzed the potential risks arising from third-party arrangements.” Consequently, the FDIC advised institutions to underwrite and administer loan purchases “in the same diligent manner as if they were being directly originated by the purchasing institution.” It asserted that a supervised FI should perform due diligence prior to entering into and during the course of TPO relationships, such review to include an evaluation of the TPO’s compliance with consumer protection laws.

The third TPO category to be considered is the mortgage servicer – and I will include the subject of Real Estate Owned (“REO”) concerns thereunder. Permit me to take you back to the 2008 financial crisis for some historical perspective. In the wake of this financial crisis, regulators increased their scrutiny of mortgage servicers and the way they manage third parties that handle loan modifications and foreclosures.

Of importance, note the enforcement actions that were taken in April 2011 against 14 bank mortgage servicers for allegedly deficient practices. These actions were brought by the Office of the Comptroller of the Currency (OCC), the FDIC, Office of Thrift Supervision (OTS), and the Federal Reserve System (Federal Reserve), which took enforcement actions against 14 bank mortgage servicers for allegedly deficient practices.[xii] Then in February 2012, federal agencies and the attorneys general of 49 states entered into what is known as the National Mortgage Settlement with the five largest mortgage servicers.[xiii] This was the largest consumer financial protection settlement ever! It required more than $25 billion in financial relief to borrowers. Following this settlement, on December 19, 2013, the CFPB and state attorneys general entered into a similar agreement with Ocwen, a large non-bank mortgage servicer.[xiv] This action resulted in Ocwen agreeing to fund $2 billion in principal reduction to eligible borrowers and refund $125 million to certain borrowers whose homes were foreclosed.

What do these enforcement actions have in common? Surely one commonality was that the regulators alleged deficiencies in the management of vendors and other third parties, such as attorneys, that were involved in the foreclosure process. Regulators alleged that servicers “generally did not properly structure, carefully conduct, or prudently manage their third-party vendor relationships with outside law firms and other third-party foreclosure services providers,” resulting in “increased reputational, legal, and financial risks to the servicers.”[xv]

Remember the “robo-signing” of affidavits and other documents? Those “robo-signing” procedures – if you want to call them ‘procedures’ - were the kind of allegations swirling around mortgage servicers and their service providers at the time. These ‘procedures’ were really just a robotic process of the mass production of false and forged execution of mortgage assignments, satisfactions, affidavits, and other legal documents related to mortgage foreclosures and legal matters being created by persons without knowledge of the facts being attested to, including accusations of notary fraud wherein the notaries pre- and/or post-notarized the affidavits and signatures of so-called robo-signers. “Robo-signing” amounted to no more than submitting affidavits and other documents in foreclosure proceedings without verifying the information contained in these forms.[xvi]

There has been no abating in the CFPB’s continued interest in regulating mortgage servicing. It has issued rules that took effect in 2014 to implement broad mortgage servicing reforms pursuant to provisions in the Dodd-Frank Act, covering topics such as enhanced periodic disclosures, lender-placed insurance, payment posting, and loss mitigation.[xvii]

With respect to REOs, the conduct of service providers has also triggered numerous complaints regarding marketing of residential properties acquired by a mortgage lender or mortgage servicer after foreclosure. One organization, the National Fair Housing Alliance (“NFHA”) has filed complaints with HUD against eight banks or property maintenance vendors, alleging that REO properties in non-minority areas were marketed and maintained materially better than REO properties in predominantly minority areas. One of these cases resulted in a public Conciliation Agreement.[xviii] Mortgage servicers often hire vendors to perform the maintenance and marketing of the properties, so the complaints have focused directly on vendor oversight and the alleged failure to ensure that vendors provide consistent services regardless of the racial or ethnic composition of the neighborhood.

What can be done to reduce the compliance risk posed by third parties?

I suggest the following 8-part strategy for evaluating third party risk. It is the kind of approach that my firm takes all the time in its audit and review processes with clients, whether our guidance is project-based or in the context of an on-going monthly relationship.

1)      Due Diligence
2)      Contract Review
3)      Policies and Procedures
4)      Compensation
5)      Risk Assessments
6)      Monitoring
7)      Training
8)      Remediation

1.       Due Diligence
The vetting process should include searching public information and conducting background checks on the third party and/or its principals, and inquiring about prior litigation and regulatory proceedings against the third party. In addition to the initial vetting, financial institutions could conduct periodic reviews or re-certification of the third party. Our affiliate, Vendors Compliance Group,[xix] conducts just such a review, not a mere compilation, but actual due diligence.
2.       Contracts
Written agreements should specify compliance expectations and set in place mechanisms to monitor and enforce those expectations. Contracts should have strong provisions, especially those related to allowing for auditing and inspection of the service provider. Furthermore, contracts should also specify how the service provider will handle, respond to, and report consumer complaints.

3.       Policies and Procedures
The policies and procedures, and even service level agreements (if needed), should comply with the standards and expectations of the applicable supervising agencies.

4.       Compensation
UDAAP and fair lending risk are directly and indirectly related to third-party compensation policies, as compensation tied to discretionary decision-making can present elevated fair lending risk. With respect to mortgage brokers, mortgage lenders, and mortgage servicers, these institutions should review third-party compensation policies to ensure compliance with the CFPB’s loan originator compensation rules, as well as compliance with the RESPA Section 8 prohibition on kickbacks and unearned fees. Be mindful of any relevant metrics associated with quality control and compliance-based assessments, where such are used as a component of compensation, such as in sales.

5.       Risk Assessments
Our firm often conducts risk assessments for departments and functions, but we also recommend conducting risk assessments of third-parties – most especially those third-parties that interact directly with consumers. The FI’s ability to control those consumer communications is critical to mitigating the potential for consumer harm based on conduct by a third party.

6.       Monitoring
Monitoring for fair lending should be an internal mandate for FIs, irrespective of a supervising agencies rules. Institutions should consider regular monitoring and oversight of vendors, including fair lending monitoring where appropriate. Wholesale mortgage lenders should also consider monitoring their mortgage broker for potential disparities on a prohibited basis. In addition to statistical monitoring, audits, mystery shopping, customer surveys, and other evaluations may also help FI’s assess the performance of service providers.

7.       Training
Financial institutions must provide to, or validate compliance training for, third parties, especially those entities that interact directly with the public, in general, and consumers, in particular. Given the extraordinary risk associated with fair lending, third parties should be given, or obtain training, on fair lending laws and UDAAP compliance. If third parties are involved in managing and marketing REOs, training on fair housing should be considered.

8.       Remediation
Fair lending remediation programs must include counseling or training, enhanced scrutiny of contracts, careful review of loan originations, and termination where unexplained disparities are noted.

My list is really a sort of extrapolation of what Federal banking regulators such as the OCC and Federal Reserve have promulgated for many years. The agencies have issued extensive guidance on third-party oversight and closely supervised such relationships. For instance, on October 30, 2013, the OCC substantially reworked its guidance for overseeing third-party relationships.[xx] This guidance from the OCC is one of the most comprehensive, bank regulatory guidances available on third-party risk management.[xxi]

In the foregoing issuance, the OCC’s expectations were expressed in the following requirements:

1.       Planning
Develop a plan to manage the third-party relationship before consummating the relationship.

2.       Due diligence and Third-party Selection
Include strategies and goals, legal and regulatory compliance, financial condition, and business experience and reputation, derived internally or from a risk management firm, such as Vendors Compliance Group.[xxii]

3.       Contract Negotiations
Cover nature and scope, but also define performance metrics and benchmarks, the right to audit and require remediation, responsibilities for compliance with applicable laws and regulations, cost and compensation, indemnification, insurance, default and termination, and customer complaints.

4.       Ongoing Monitoring
Determine quality and sustainability of the third-party’s controls and compliance with legal and regulatory requirements. Pay attention to volume, nature, and trends of consumer complaints and the third-party’s ability to appropriately remediate customer complaints.”

5.       Termination
Termination should be efficient and not disruptive to safety and soundness. Consider a contingency plan to transition the subject services to another service provider, or bring the activity in-house, or discontinue the activity altogether.

6.       Oversight and Accountability
Chain of command access to information involving third-party relationships, where the decision tree contains feedback from, and accountability to, the Board of Directors, Senior Management, and other employees.

7.       Documentation and Reporting
Periodic reporting on new information or risks associated with third-party relationships, such reporting to be derived internally or from a risk management firm.

8.       Independent Reviews
Regularly scheduled, independent reviews of the third-party risk management processes to determine if those processes align with a financial institution’s strategy and risk profile, derived internally or from a risk management firm

Third-parties have considerable impact on a financial institution’s safety and soundness. Critical activities, such as functions like payments, clearing, settlements, custody, and certain services, such as information technology, and many other activities, may cause significant risk or consumer impact. While wanting to offer the consumer the best quality service, financial institutions must realize that third-parties also pose one of the most significant areas of exposure to compliance risk.

[i]  80 Fed. Reg. 63,720 (Oct. 21, 2015)
[ii] Here are just a few. Joint Motion for Entry of Consent Order, United States & Consumer Financial Protection Bureau v. Provident Funding Assocs., L.P., No. 3:15-cv-02373 (N.D. Cal. May 28, 2015); Consumer Financial Protection Bureau & United States v. National City Bank, No. 2:13-cv-01817 (W.D. Pa. Dec. 23, 2013); United States v. Wells Fargo Bank, NA, No. 1:12-cv-01150 (D.D.C. July 12, 2012); Consent Order, United States v. Countrywide Financial Corp., No. 2:11-cv-10540-PSG-AJW (C.D. Cal. Dec. 28, 2011); Consent Order, United States v. AIG Federal Savings Bank, No. 1:10-cv-00178-JJF (D. Del. Mar. 19, 2010); City of Miami v. Bank of Am. Corp., No. 1:13-cv-24506-WPD, 2014 WL 3362348 (S.D. Fla. July 9, 2014), affirmed in part, revised in part, 800 F.3d 1262 (11th Cir. 2015).
[iii] To read some of the articles, visit the Articles section at
[iv] 12 C.F.R. § 1026.36(d), (e) (Regulation Z, the implementing regulation of the Truth in Lending Act, rules regarding loan originator compensation and steering incentives); 15 U.S.C. § 1639b(c) (Dodd-Frank Act mortgage anti-steering provisions)
[v] Unfair, Deceptive, or Abusive Acts or Practices, in Version 2, Consumer Financial Protection Bureau, in CFPB Supervision and Examination Manual, October 2012
[vi] No. 12-cv-7667 (HB), 2013 WL 3835198, S.D.N.Y. July 25, 2013
[vii] No. 09-49420, 2014 WL 4197001 Bankruptcy E.D.N.Y. Aug. 22, 2014
[viii] See Johnson v. Wells Fargo Bank, N.A., No. 14-MC-1100 (RRM), 2015 U.S. Dist., LEXIS 28046, E.D.N.Y. Mar. 6, 2015
[ix] Home Mortgage Disclosure Act (Regulation C), 80 Fed. Reg. 66,128-01, 66,174, October 28, 2015
[x] Idem at 66,337
[xi] FIL-49-2015, Advisory on Effective Risk Management Practices for Purchased Loans and Purchased Loan Participations, FDIC, November 6, 2015
[xii] See Interagency Review of Foreclosure Policies and Practices (2011), Federal Reserve System, OCC and OTS. The Office of Thrift Supervision merged with the Office of the Comptroller of the Currency on July 21, 2011.
[xiii] DOJ, Federal Government and State Attorneys General Reach $25 Billion Agreement with Five Largest Mortgage Servicers to Address Mortgage Loan Servicing and Foreclosure Abuses, Press Release, February 9, 2012
[xiv] Consent Judgment, Consumer Financial Protection Bureau v. Ocwen Financial Corp., No. 1:13-cv-02025-RMC, D.D.C. Feb. 26, 2014
[xv] Interagency Review, supra 12, at 9
[xvi] See Robo-signing Controversy, in 2010 United States Foreclosure Crisis, Wikipedia
[xvii] Mortgage Servicing Rules under the Real Estate Settlement Procedures Act (Regulation X), 12 C.F.R. Part 1024, 78 FR 10,696, February 14, 2013
[xviii] National Fair Housing Alliance and Wells Fargo Announce Collaboration to Rebuild Homeownership Opportunities in 19 Cities, Press Release, NFHA, June 6, 2013; see also U.S. Department of Housing and Urban Development and Urban Development Conciliation Agreement, No. 09-12-0708-8, National Fair Housing Alliance & Wells Fargo Bank, N.A., 2013
[xix] For more information, visit
[xx] Bulletin No. 2013-29, Third-Party Relationships, OCC, 2013. This and other such issuances can be found at the Presentations page of
[xxi] The Federal Reserve issued updated third-party oversight guidance addressing similar topics for supervised institutions in December 2013. See Guidance on Managing Outsourcing Risk, 2013, SR 13-19/CA 13-21. Also see the Presentations page at, where also is available CFPB - Bulletin 2012-03 - Service Providers, CFPB; Compliance Bulletin and Policy Guidance - 2016-02 - Services Providers; Compliance Bulletin and Policy Guidance 2016-02 - Service Providers - Questions and Answers, Vendors Compliance Group; Synopsis of Supplement to OCC Bulletin 2013-29; Frequently Asked Questions - "Third Party Relationships: Risk Management Guidance," Vendors Compliance Group
[xxii] Op. cit., 19