Buzzworthy with Ann Fulmer: Minimizing Vendor Risk
(Ann Fulmer is President of Paladin Advisory Services LLC, Atlanta. She can be reached at AFulmer@PaladinAdvisoryServices.com. Roger Fendelman is Principal of Roger Fendelman Consulting Services Inc. He can be reached at Roger@FendelmanConsulting.com. This is a transcript of a semi-regular featured podcast at MBA Insights. To hear the podcast, click https://www.mba.org/publications/insights/insights-publication and visit the Buzzworthy story.)
ANN FULMER: With the cost to manufacture a mortgage at nearly $8,500, and with profits per loan decreasing, many lenders are turning to technology because it promises to increase efficiencies and lower costs. Lenders are also outsourcing some functions, such as vendor management and data acquisition.
One of the world’s largest technology providers has been in the news a lot lately–in part because of how it handled (or allegedly mishandled) the personal information of 50 million U.S. consumers.
As has been widely reported in the news, Facebook allowed an apparently qualified academic researcher to obtain consumer data. When Facebook found out the data had wrongfully been transferred to Cambridge Analytica for commercial purposes, and that 50 million consumers’ information had been used without their knowledge or consent, Facebook demanded that Cambridge delete the data…but it didn’t go back to Cambridge to verify that the data had, in fact, been deleted.
And that got me thinking.
What are the chances that a vendor’s misbehavior could get a lender into trouble? Are there risks, which might not be recognized, that occur more often than we might expect? And does the standard due diligence process provide enough information for lenders to be able to accurately judge the risk posed by their vendors?
To answer these questions, and to give some practical advice on how to minimize vendor risk, I’ve brought along Roger Fendelman, with Fendelman Compliance Consulting Services. He is a nationally known regulatory compliance expert, and a former colleague of mine.
Roger, let’s start with how vendors manage their own risks. Have you seen problems in this area, and if yes, what kind of problems are you seeing?
ROGER FENDELMAN: Yes, Ann, I have, and for many years. What it really comes down to is inadequate enterprise risk management functions and controls on the part of the vendors. Vendors may not really understand lender expectations around things like data security and other compliance-related issues. The bottom line is that it puts lenders at risk at multiple levels–including data security breaches, of course–and also day-to-day problems that arise, including system crashes and downtime where the lender, as a result of the vendor’s crash, is not able to transact. And latent defects in the vendor’s software could be rendering incorrect decisioning that the lender ultimately has to account for down the road.
FULMER: I’m not sure how a vendor’s failure to understand lender expectations poses a risk to the lender. Can you explain that a little more, please?
FENDELMAN: Yeah, sure. Let’s dig a little bit deeper: By and large, vendors have compliance management systems of some type that are adapted to what they do, and policies and procedures–and again, not quite the same as a lender’s policies and procedures–but they are adapted to the vendor’s daily business activities.
The problem there is they are not held to the same standard. And so they may just be documents in a file cabinet somewhere that aren’t being followed. And that’s the key–and it’s really twofold–it’s understanding whether the policies and procedures they have are current and reflect business activities. And number two, that the staff and employees are actually following them.
FULMER: Well, what about a SAS-70 or SOC audit? Don’t those prove that the vendor’s policies and procedures are up to snuff?
FENDELMAN: They do, but only to a certain extent, and they really focus on cyber security. And also, in large part, they can be a snapshot of a day and time. What I’m talking about goes a lot further:
There are other areas of business activities being performed daily by vendors that are not subject to a SOC-2 or SAS-70, and nobody’s really watching to see what’s happening. And for anybody who’s ever been in that environment, there’s a lot of “I’ll take your word for it,” when it comes to, for example, a developer who’s rewriting code for the software and [the] Q/A person who’s actually doing regression testing prior to the code release.
A perfect example of what I’m talking about: Let’s take a look back to last year, 2017, and the Equifax data breach that impacted–I think–was it 140 plus million Americans? And what happened there, in a nutshell for those of you that don’t remember, there was a third-party software patch that had been provided to Equifax. A manager or supervisor who got the patch emailed it to his subordinate and said, “Here, go ahead and install this.” Well, that person didn’t get the email, or might have been on vacation for a week, so it never happened. That patch never got installed, and as a result, we had this massive hack. And not only was this something that didn’t happen, but it was a latent defect in their software for three to four months. Well, that’s a clear example of a company’s failure of policies and procedures, and their internal audit, because I guarantee you that Equifax’s policies and procedures do not say “When you get these software patches, email them to your subordinate, say ‘get it done,’ and then walk away.” And also a failure of internal audit, because an internal audit would have identified these types of issues.
FULMER: So you’ve raised some pretty serious questions here, and it sounds like a lot of those things could really get a lender in trouble. So what should lenders do to help mitigate these concerns?
FENDELMAN: Well, by and large, lenders already have their vendor management processes in place, but I think they need to go one step further. We already are classifying vendors as high risk, medium risk, low risk, and that of course should continue. And I’m talking about the high-risk vendors here–you really have to dig deeper.
Typically, a lender will send out a 400-question questionnaire, say “fill this out, and let’s see a copy of your policies and procedures,” and then do a one-day on-site visit. That only gets you part of the way. And frankly, I think we all know that vendors are really adept at answering the questions in a way that’s going to satisfy a lender without really giving up too much of what’s really going on. What has to happen is there has to be more demand on the part of the lenders to go to the vendors and say, “Let’s have you really prove to us on a day-to-day basis that you have adequate policies and procedures, and that your staff is actually following the policies and procedures. So, let’s see your ongoing internal audits like we [lenders] do.”
FULMER: So basically, I think if I can sum it up, you’re saying you need to verify not only that there are policies and procedures in place, but that they are actually being followed. And I think that at the [Federal Financial Institutions Examination Council] website, there is some good guidance for the kind of questions you want to be asking.
And that’s all the time we have for today!
(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at msorohan@mba.org; or Michael Tucker, editorial manager, at mtucker@mba.org.)