From Appraisers to Algorithms: How Lenders Can Strengthen Vendor Monitoring

Monica Bolin is Manager, Enterprise Risk Management at Ncontracts

Third-party vendors touch nearly every aspect of a lender’s business — from appraisal services and loan origination to marketing and fraud prevention services. These relationships drive efficiency and growth, but they also introduce significant, evolving risks. That’s why ongoing vendor monitoring is essential.

But which partners qualify as vendors? What does meaningful oversight look like? And how do you ensure you’re mitigating risks rather than just documenting them? Let’s explore the answers to these questions.

Who Qualifies as a Vendor?

Lenders rely on many vendors throughout the lending lifecycle. Understanding these relationships — and the risks they pose — is crucial to effective monitoring.

• Appraisers provide property valuations that inform loan decisions, making their accuracy, independence, and timeliness critical to fair lending and underwriting quality.

• Credit reporting and data vendors provide credit scores, consumer data, and predictive analytics that directly shape credit decisions, risk assessments, and pricing, making data integrity and accuracy critical.

• Marketing and outreach partners support customer acquisition, lead generation, and retention, but they must be monitored to ensure fair, compliant communications.

• Loan Origination Systems (LOS) handle application processing, underwriting, and loan closings. These services often include AI-driven automation, fraud detection, or decision-support tools, increasing both efficiency and risk.

• Insurance vendors provide property, casualty, errors and omissions (E&O), cyber, or borrower-related coverage, helping lenders mitigate risk and maintain operational continuity.

• Cybersecurity services protect IT infrastructure, sensitive data, and cloud systems, which are critical as lenders increasingly rely on digital tools, including online applications.

• AI-enabled service providers span underwriting, fraud detection, marketing, risk analytics, and other functions. They require monitoring for model accuracy, bias, explainability, and data governance.

What the Regulators Say

Federal regulators, including the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC), emphasize due diligence, ongoing risk-based oversight, and accountability for critical vendors. State-level regulations, such as the NYDFS Cybersecurity Regulation, underscore the need for continuous monitoring of vendors that handle sensitive financial data.

The Interagency Guidance on Third-Party Relationships: Risk Management spells out five steps in its lifecycle for effectively managing third parties:

• Planning: Understand the strategic purpose of business arrangements, ensure alignment with company goals, and assess potential implications to the organization before entering vendor relationships.

• Due diligence and selection: Assess each potential vendor’s stability to ensure they can perform the activity as expected.

• Contract negotiation: Establish clear performance, security, responsibilities, and liability terms.

• Ongoing monitoring: Continuously validate vendor compliance and performance.

• Termination: Maintain clear processes for ending relationships when needed.

What Vendor Monitoring Means for Lenders

The Interagency Guidance’s vendor management lifecycle serves as a foundational framework, but vendor monitoring requires more than checking boxes. As relationships evolve and become more complex and technology-driven, effective oversight must adapt. Critical elements of a robust vendor-monitoring program include:

• Continuous, risk-based oversight: Critical vendors — such as those providing appraisals, credit data, loan origination, insurance, or cybersecurity — require ongoing evaluation.

• Dynamic risk classification: Not all vendors pose the same risk. Those with access to consumer personal data should be prioritized, along with those influencing credit decisions or loan processing.

• Multi-dimensional monitoring: Track financial health, regulatory compliance, information security, performance against service level agreements (SLAs), and AI-specific risk factors where machine learning tools are involved.

• Governance and remediation: Monitoring should lead to action — mitigation, contract negotiation, or vendor replacement.

AI Raises the Bar for Vendor Oversight

AI adds further complexity to vendor monitoring. While fair lending has not been a primary focus of federal enforcement actions recently, last year Massachusetts’ Attorney General announced a $2.5 million settlement with a lender for violations related to AI-driven underwriting, among other issues.

Decisions made by AI-driven tools — such as underwriting, credit approvals, and fraud alerts — can be opaque even to their creators. Their black-box nature introduces compliance and reputational risk.

Other AI considerations include:

• Data governance and quality: AI relies on large, often sensitive datasets. Lenders must assess how their vendors collect, store, and process data, especially for credit reporting, appraisals, or marketing analytics.

• Concentration risk: Widespread adoption of a single AI platform across lenders can create systemic risk. If the vendor is breached, multiple lenders and other financial institutions can be impacted.

• Cybersecurity and operational resilience: AI tools are subject to cyber threats, cloud outages, and supply-chain risks. Lenders inherit these vulnerabilities when vendors are integral to loan origination, underwriting, or fraud detection.

• Regulatory exposure: Agencies expect transparency, model validation, data privacy, and human oversight for AI in lending. Vendor monitoring must incorporate these standards.

AI doesn’t reduce vendor risk — it magnifies it. Traditional third-party risk management (TPRM) practices, including ongoing monitoring, must be expanded to address these new areas.

Turning Oversight into Action: Next Steps for Lenders

Embed vendor monitoring principles into clear, repeatable practices — especially for vendors that directly influence credit decisions, data accuracy, and operational resilience.

• Revisit your vendor ecosystem. Map vendors across each lending lifecycle stage, including appraisers, credit bureaus, marketing partners, loan application and underwriting platforms, LOS platforms, insurers, cybersecurity firms, and AI-enabled tools. Flag those that handle sensitive data or are embedded in core operations.

• Apply risk tiering. Appraisers, credit data vendors, LOS platforms, and AI-driven underwriting tools directly affect underwriting quality, fair lending, operational continuity, and compliance, and they may use or hold consumer private information. Classify these as high- or critical-risk with enhanced monitoring requirements.

• Expand monitoring beyond traditional metrics. Add AI-specific and data-centric controls: data governance, model explainability, validation practices, and bias monitoring for credit and analytics vendors; algorithmic targeting and consumer protection oversight for marketing vendors; and continuous controls testing and incident-response readiness for cybersecurity vendors.

• Strengthen contractual protections. Define performance standards, data protection requirements, audit rights, breach notification timelines, and subcontractor controls. For AI-enabled vendors and LOS platforms, add model governance, transparency expectations, and accountability for errors affecting credit decisions.

• Centralize monitoring and reporting. Centralized TPRM platforms enable continuous monitoring and create defensible documentation for audits and examinations. According to the Ncontracts 2026 Future of Compliance Survey, financial institutions that rely on spreadsheets and email report seven times more examiner questions and concerns than their automated peers.

• Coordinate oversight. Credit, compliance, risk, operations, IT, information security, and internal audit must all play defined roles — particularly for AI-driven tools spanning underwriting, fraud detection, and marketing.

Final Thoughts

The vendor landscape is growing more complex. AI adoption is accelerating and data dependencies are expanding. Lenders who treat vendor monitoring as an annual exercise rather than an ongoing discipline risk falling behind.

When done right, vendor monitoring goes beyond risk mitigation — it drives responsible innovation while strengthening operational resilience.

(Views expressed in this article do not necessarily reflect policies of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service. MBA NewsLink welcomes submissions from member firms. Inquiries can be sent to Editor Michael Tucker or Editorial Manager Anneliese Mahoney.)