
Mortgage Companies Face Unique TPRM Challenges in Vendor-Heavy Landscape
Rafael DeLeon is Senior Vice President of Industry Engagement for Ncontracts

Across the mortgage industry, third-party relationships have become a business necessity. They’re also a potential minefield of regulatory scrutiny and cybersecurity threats.
Mortgage companies know this and are actively navigating an increasingly complex vendor management landscape, often with limited resources.
For many, third-party risk management (TPRM) has become a balancing act: maintaining robust oversight while operating with lean teams. In fact, according to our most recent survey, a striking 73% of financial institutions have just two or fewer full-time employees managing vendor risk, despite more than half overseeing more than 300 vendors.
At the same time, pressure to enhance TPRM programs continues to mount from regulators and auditors. Despite the regulatory uncertainty ushered in by a new administration, nearly half of all institutions cite external oversight as the primary driver behind TPRM improvements. This isn’t surprising given the mortgage industry’s heavy reliance on technology vendors, loan origination systems, and service providers – all of which create potential points of vulnerability.
There is also a growing sentiment that vendor management isn’t just about regulatory checkbox-checking – it’s about creating tangible business value. According to one lender we surveyed, “ensuring our vendors are compliant and provide organization for contract management” is a critical benefit of TPRM. Another institution noted that a “dedicated TPRM team decreases TPRM-related work from business and makes their daily work much easier.”
But there are other benefits.
Cybersecurity: The Clear and Present Danger
Perhaps most alarming from our survey is that nearly half (49%) of financial institutions experienced a third-party cyber incident in the past year. These incidents didn’t just create technical headaches – they threatened mortgage operations at a fundamental level.
For mortgage companies specifically, vendor cyber incidents created business disruptions that risked delaying loan closings, forced operational workarounds, and pulled valuable resources away from strategic work. The survey found that recovery timelines varied significantly, with some companies taking more than 90 days to fully recover from vendor-related cyber incidents.
Mike Fratantoni, MBA’s Chief Economist and Senior Vice President of Research, also points to this increasing risk in a recent MBA report, stating “cybersecurity threats represent one of the most significant operational risks facing mortgage companies today, particularly as they increasingly rely on third-party technologies throughout the origination and servicing process.”
However, the risks extend beyond cybersecurity.
The AI Revolution: New Tools, New Risks
As artificial intelligence reshapes mortgage lending – from automated underwriting to customer service chatbots – our survey reveals growing concern about vendor use of AI technologies. Indeed, AI ranks as the second-biggest TPRM risk heading into 2025, highlighting the industry’s uncertainty about this powerful but sometimes poorly understood technology.
Larger institutions are leading the way in formalizing AI oversight. Nearly 60% of institutions with more than $10 billion in assets incorporate AI-usage terms into vendor contracts, compared to just 28% of smaller organizations. This disparity suggests that many mortgage lenders may be unprepared for the AI revolution transforming their vendor ecosystem.
Building a More Resilient TPRM Program
For mortgage companies looking to strengthen their vendor risk management, several best practices should be considered:
• Adopt a hybrid operating model: Rather than centralizing all TPRM functions or distributing them throughout the organization, create a dedicated team that oversees the framework while empowering vendor owners to handle day-to-day monitoring.
• Implement service-level risk ratings: Assign risk ratings at the product or service level instead of broadly categorizing vendors. This ensures more precise assessment since different offerings from the same vendor can carry varying risk levels.
• Leverage technology: With 85% of financial institutions now using dedicated TPRM software platforms or modules within enterprise risk management systems, spreadsheet-based approaches are becoming increasingly obsolete – and risky. Not surprisingly, manual methods were strongly associated with regulatory and audit findings.
• Proactively address AI risks: Formalize vendor AI oversight through contractual language, documentation requirements, and specific questionnaires rather than relying on verbal assurances.
The Bottom Line
For mortgage companies, third-party risk management isn’t just about compliance – it’s about building business resilience in an increasingly digital and interconnected industry. Those that transform their TPRM programs from compliance obligations into strategic advantages will be best positioned to navigate the evolving landscape of vendor relationships, cybersecurity threats, and AI implementation.
As mortgage processes continue their digital transformation, the risks associated with third-party relationships will only grow more complex. Now is the time to assess whether your TPRM program is positioned for long-term success in this challenging environment.
(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes submissions from member firms. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)