Michael Steer & Erin Harris: Accelerated Digital Mortgage Tech Strategies Must Also Include Sound Vendor Management
Michael Steer (MSteer@MQMResearch.com) is President of Mortgage Quality Management and Research LLC (MQMR), Sherman Oaks, Calif., a provider of audit, risk and compliance services for the mortgage industry. Erin Harris (EHarris@MQMResearch.com) serves as Quality Assurance Manager with MQMR.
When the world went into lockdown in March, two things happened in the mortgage industry in quick succession: companies scrambled to transition their employees and operations to a “work from home” environment; and lenders significantly ramped up their interest in digital mortgage adoption. Employees may have already begun to return to the office, but this has not stopped lenders from continuing the push for digital mortgage technology with an eye towards rapid technology deployment. Adherence to vendor management best practices needs to remain top of mind for lenders even when accelerating their digital mortgage tech selection and deployment process. Compliance with regulatory requirements and proper risk mitigation are not steps to be overlooked.
As lenders consider new vendors to support digital mortgage efforts such as eSign, eClose, eNote, eVault, remote online notarization and more, it may be tempting to bypass standard vetting and due diligence processes in favor of faster implementation. However, it is imperative that lenders maintain proper and strenuous vetting procedures, as many digital mortgage platforms constitute mission-critical (or Tier 1/High Risk, in vendor management parlance) systems within the scope of operations. Furthermore, these systems often have access to and/or utilize borrower’s non-public, personal information, and with fraud on the rise, lenders can ill afford to cut corners with the security of their borrowers’ information.
Best practices for vetting a vendor can vary based on an organization’s structure and needs, as well as the risk tier of the vendor being evaluated. Generally, Tier 1 vendors are often categorized as those considered critical to your operations, may not be easily replaceable and/or have access to NPPI or other confidential or proprietary information. Tier 2 vendors are those considered moderately critical to your operations and/or maintain company confidential or proprietary information, while Tier 3 vendors are vendors who are considered “least risky.” A lender’s vetting best practices should be directly tied to the vendor management best practices; after all, the initial vetting procedure is simply a precursor to on-going vendor oversight. Despite the differences in best practices for each tier, some will remain the same across the board. These include due diligence questionnaires, contract/performance reviews and IT assessments.
While it must be acknowledged that social distancing guidelines and related directives may impact both the vetting process as well as vendor management activities, this does not mean vendor management should be ignored or delayed. Instead, these functions should be adjusted to account for current conditions, including maintaining social distancing guidelines or employees on either the lender or the vendor side transitioning to working from home on a full-time basis.
Due Diligence Questionnaires
Creating due diligence questionnaires is essential in the effort to collect information necessary to determine the vendor’s residual risk exposure. The content of these questionnaires will likely vary by tier, but their existence and usefulness will not. Once these questionnaires have been completed by the vendors, it is necessary to review the information provided and determine if the documentation is sufficient. These questionnaires will need to be updated to account for COVID-19 guidelines and policies. Questions about enhancements or changes to business operations and communications with business partners in the event of an unpredicted or unprecedented event like a pandemic will need to be incorporated.
Contracts exist to establish both a working relationship as well as outline the lender and vendor responsibility parameters. A thorough contract review process will ensure all parties are fully aware of the contract terms as well as their obligations. This may also provide a sense of security should business operations need to be adjusted in the face of an unpredictable event and/or exiting the relationship.
When evaluating potential vendors, lenders also need to set expectations with the vendor for conducting periodic and on-going performance reviews to ensure the vendor continues to meet the terms of the established service level agreement (SLA) or in the event of an incident. For lenders considering an expanded relationship with current vendors for digital mortgage services/technology, existing contracts and previous performance review results should still be evaluated to determine if the vendor is adequately meeting their obligations and what elements of the contract/review will need to be adjusted moving forward.
Performing on-site inspections is an integral part of vendor management and especially critical in regards to Tier 1 vendors as this provide the opportunity to assess a vendor’s adherence to its own policies and procedures as well as physically view and confirm their practices. The biggest challenge for vendor management with regards to COVID-19 will be the ability to perform on-site inspections. In lieu of on-site inspections, lenders may want to conduct a video interview and walkthrough (assuming the vendor has returned to its physical locations) while making a plan for an on-site inspection when conditions improve. It is important to remember that these regulations will not be an excuse for compliance violations and that there are ways to conduct this portion of the vendor management process remotely.
IT assessments are a critical component of both the vetting process and vendor management. A lender’s vetting best practices should always include a careful examination of information security, including how the vendors protect NPPI, what the recovery time is and how the vendor tests its system to ensure viability. It is also necessary to involve a lender’s IT department in the review of due diligence documents related to the vendor’s IT department, as the mortgage origination process is highly specialized. The lender’s IT department is in a unique position to assess the vendor’s internal controls and protocols and whether they can cover the risk to which the lender is exposed as a result of working with that vendor. For digital mortgage-specific systems, extra attention should be dedicated to how data is kept safe and secure.
One indicator of a successful business has always been the ability to adapt to meet the needs of the consumer. Today, one of the most pressing needs many borrowers have is the ability to complete their mortgage transaction as digitally as possible. As lenders rush to implement technology that was previously thought of as “nice to have” but is now essential, it is imperative to maintain proper vetting and vendor management policies and procedures. The world may have changed, but regulations – at least in regards to vendor management – have not.
(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes your submissions. Inquiries can be sent to Mike Sorohan, editor, at email@example.com; or Michael Tucker, editorial manager, at firstname.lastname@example.org.)