The MBA Compliance Essentials Vendor Management Resource Guide™ is a part of the MBA Compliance Essentials Program, which includes deep-dive webinars and comprehensive resource guides to serve as a base for the development of your company's policies and procedures in these important areas. This is only a sample; purchase the full Resource Guide at www.campusmba.org.
TABLE OF CONTENTS
Author Biographies and Information about the Firm
Introduction and Regulatory Overview
Vendor Management Compliance Checklist
Sample Vendor Due Diligence Request List
Sample Vendor Contract Provisions
Reference Materials
Form Vendor Management Policy (Exhibit A)
AUTHOR BIOGRAPHIES AND INFORMATION ABOUT THE FIRM
Jeffery P. Naimon is a partner in the Washington, DC office of BuckleySandler
LLP. Mr. Naimon has more than 20 years of experience assisting banks and
other financial services providers with regulatory, enforcement, transactional,
and litigation matters.
Mr. Naimon provides regulatory and enforcement counseling on fair lending or
unfair, deceptive or abusive acts and practices (UDAAP) issues. He defends
banks and other financial services companies facing regulatory enforcement
matters before the Consumer Financial Protection Bureau (CFPB), the Office
of the Comptroller of the Currency (OCC), the Federal Deposit Insurance
Corporation (FDIC) and the Board of Governors of the Federal Reserve System (FRB), and state
banking and mortgage regulators. He also provides regulatory advice with a focus on consumer
operations, and assists in drafting legislative or regulatory advocacy papers.
Mr. Naimon also performs fair lending and other regulatory due diligence on acquisition targets
and outsourcing counterparties to mitigate and/or value possible risk involving loan portfolios or
other lending operations. He also assists companies with structuring acquisition and investment
transactions in the financial services arena to minimize the time necessary to close the
transaction, and assists in obtaining necessary change of control approvals.
Mr. Naimon advises on the entire panoply of banking and consumer finance statutes, including
the Dodd-Frank Act, National Bank Act, Truth in Lending Act, Real Estate Settlement Procedures
Act, Servicemembers Civil Relief Act, Fair Credit Reporting Act, Equal Credit Opportunity Act,
Fair Housing Act, Fair Debt Collection Practices Act, the privacy provisions of the Gramm-Leach-Bliley
Act, and state laws governing lending, servicing, collections and unfair and deceptive acts
and practices. He has assisted many servicers in the interpretation of the Fannie Mae/Freddie
Mac Uniform Security Instrument.
Mr. Naimon is the current co-chair of the Truth in Lending Subcommittee of the American Bar
Association’s Consumer Financial Services Committee and has authored numerous articles on
consumer financial services. Mr. Naimon received his J.D. from the University of Virginia School
of Law and his B.A. from Yale University (magna cum laude).
* * *
Chris Witeck is a partner of BuckleySandler LLP. His corporate practice
focuses on mergers and acquisitions, capital markets transactions (including
purchases and sales of mortgage loans and servicing rights), corporate
governance, securities regulation, corporate reorganizations, joint ventures,
and e-commerce and outsourcing agreements for financial services and other
business entities.
Mr. Witeck is a leading counselor to loan sellers on Regulation AB
requirements. His regulatory practice has focused on the Real Estate
Settlement Procedures Act and advising participants on affiliated business
arrangement transactions.
Prior to joining BuckleySandler, Mr. Witeck was an associate with Goodwin Procter. Before
attending law school, he worked at the U.S. Department of State.
Mr. Witeck received his J.D. from Georgetown University in 1998 and his B.A. from the University
of Virginia in 1993.
* * *
Jon Langlois is counsel in the Washington, DC, office of BuckleySandler
LLP. Mr. Langlois works with all types of financial institutions and financial
services providers on regulatory compliance matters relating to consumer
lending and servicing activities. His practice includes a focus on mortgage
servicing activities, including assessment and advice on default servicing,
such as loss mitigation and foreclosure prevention. Representative tasks
include assessing and advising clients on:
- Servicing, default servicing and loss mitigation platforms, including HAMP, HAFA, and
  other federal programs
- Third party oversight/vendor management processes and programs
- Compliance with federal and state requirements affecting lending and servicing activities,
  including TILA, RESPA, SCRA, ECOA, HPA, and others
- Dodd-Frank Act implementation and compliance
- GSE and federal agency lending and servicing requirements (including Fannie Mae,
  Freddie Mac, FHA, VA, and Ginnie Mae)
- Appraisal and appraisal management concerns
- Complex internal and external investigations and regulatory examinations, including with
  the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency,
  and other federal and state regulatory agencies
- Entity-wide risk assessments and quality control reviews
- Comprehensive surveys and reviews of state and federal laws and regulations
In addition to his regulatory practice, Mr. Langlois also advises clients on a variety of corporate
and transactional matters, including capital markets transactions, corporate governance, and
corporate organizations and reorganizations. These opportunities have included, among others,
due diligence reviews in corporate mergers, conducting corporate reorganizations, conversions,
and dissolutions, advising and managing entity licensing and state qualification efforts, drafting
and negotiating loan sales and sales of mortgage servicing rights, and drafting and negotiating
outsourcing transactions with third party service providers and other vendors.
Mr. Langlois received his J.D. from the Georgetown University Law Center in 2005 and was
Senior Editor of the Georgetown Journal of Law and Public Policy. While in law school, Mr.
Langlois was a Legislative Analyst with Wilmer Cutler Pickering Hale and Dorr and a Government
Affairs Representative with the American Financial Services Association. He received his B.A.
from the University of Richmond in 1997.
* * *
As the financial services industry continues to face a once-in-a-generation overhaul, having the right legal counsel on your team
can mean the difference between business success or failure.
The attorneys at BuckleySandler LLP have decades of
experience representing banks, mortgage lenders and servicers,
credit card companies, insurance companies, securities firms
and other financial services companies in matters affecting their industry.
The attorneys at BuckleySandler are among the leading financial services law practitioners in the
country and have a track record of successfully assisting clients in enforcement, litigation,
regulatory, transactional, and public policy matters. Currently, the firm represents the top 10
largest banks in the United States, the top 10 mortgage servicing companies, nine of the top 10
mortgage lending companies, the top 10 credit card issuers, as well as many community banks
and non-bank financial services companies. In the past two decades, our attorneys have acted as
lead defense counsel in nearly 100 high-stakes class actions, represented our clients in a
multitude of state and federal enforcement proceedings, obtained favorable results in a number of
criminal proceedings and had a hand in commenting on or drafting a majority of the significant
laws that impact the financial services industry.
With more than 150 lawyers in Washington, New York, Los Angeles, and Orange
County focused on financial services law, BuckleySandler helps our clients turn
legal, regulatory and legislative challenges into business opportunities.
MBA Compliance Essentials℠:
Vendor Management Resource Guide
INTRODUCTION & REGULATORY OVERVIEW
Financial companies like mortgage bankers often rely on third party vendors in the normal course of doing
business. Thoughtful utilization of vendors can provide great benefits for the company. For example,
vendors can help a company realize operational or financial efficiencies, focus finite internal resources on
core functions, bring in specialized expertise at a low cost, and increase availability or accelerate delivery
of products or services.
Along with the benefits, however, vendor relationships also introduce additional layers of risk and
complexity to a company’s operations. These risks are often categorized by regulators as follows:
- Compliance risk is the risk arising from violations of applicable law or from nonconformance with
  internal policies and procedures or ethical standards.
- Reputation risk is the risk arising from negative public opinion. Reputation risks arise when the
  vendor relationship does not meet the expectations of the company’s customers through poor
  service, disruption of service, or violations of law, among other things. This risk can be especially
  serious where the vendor offers products or services directly to the company’s customers.
- Strategic risk is the risk arising from harmful business decisions or improper implementation of
  business decisions. Strategic risks can arise when the company fails to perform an adequate risk
  assessment, the company or vendor lacks sufficient knowledge about the other party’s products,
  services or business lines, the vendor provides services inconsistent with the company’s goals
  and objectives, or the vendor fails to provide the expected return on investment.
- Transaction risk is the risk arising from problems with a vendor’s service or product delivery. The
  inability of a vendor to deliver or provide its products or services for any reason including, without
  limitation, an error in the product, increases the company’s transaction risks.
- Credit risk is the risk arising from a vendor’s failure to meet the terms of a contract with the
  company. Third parties that conduct business with or on behalf of the company raise the credit
  risk of the company. Improper oversight of such third parties can also result in substantial credit
  risk.
- Operational risk is the risk arising from inadequate or failed internal processes, systems, or
  people, or from external events. Third parties increase the company’s overall operational
  complexity, and therefore increase operational risk.
- Vendor concentration risk is the risk arising when the company has too many contracts with
  one particular vendor. The risk of overuse may result in a situation where the vendor may no
  longer have the resources to efficiently and effectively comply with the terms and conditions of
  the applicable contracts.
Regulatory Environment
Because of these risks, management of third party vendors has been an aspect of the regulatory
oversight of financial institutions for decades, starting with the broad trend in the 1960s and 1970s for
banks to outsource to specialist technology firms their core systems rather than continuing to develop and
maintain proprietary systems. All federal financial institution regulators expect their supervised institutions
to manage vendor relationships in a manner that ensures compliance with applicable law and have
issued some level of guidance to that end.
One notable piece of regulatory guidance was issued by the OCC in 2001 in Bulletin 2001-47 (the “OCC
Bulletin”). This guidance describes in some detail the expectations of the OCC of its member institutions
for managing risks arising from third party relationships. That guidance begins with the premise that the
board of directors and management of a company will be expected to properly oversee and manage
third-party relationships, and therefore should adopt a vendor risk management process. The OCC Bulletin
then states that its examiners would review the risks associated with the company’s material third-party
relationships and activities in conjunction with other bank risks. The OCC Bulletin then sets forth in some
detail the expected risk management process, which includes the four stages of vendor management that
help underpin the basis of what is proposed in this Resource Guide. The OCC guidance was extended
beyond national banks to also cover all federal savings associations in May 2012 upon the consolidation
of the OCC and OTS.
The FDIC issued similar guidance for its member institutions in 2008 pursuant to Financial Institution
Letter 44-2008 (the “Letter”). As the OCC did, the FDIC placed responsibility for vendor management
with the institution’s board of directors and senior management. The FDIC intended the Letter to assist
its institutions in managing “significant” third party relationships.[1] In the Letter, the FDIC also identifies
and describes the same four key stages of the vendor management process. Finally, like the OCC, the
FDIC stated that it will review the financial institution’s risk management program and its third party
relationships “as a component of its normal examination process.”
However, all of this guidance was issued under these prudential regulators’ authority to ensure the safety
and soundness of the financial institutions under their supervision. Although the prudential regulators
have had ongoing expectations that compliance with applicable law and regulation is one aspect of
vendor management by the banks subject to their authority (as part of safe and sound operation of the
banking institution), that one aspect did not take precedence over all other considerations.
Nevertheless, the regulatory focus on vendor management has increased exponentially since the enactment
of the Dodd-Frank Wall Street Reform and Consumer Protection Act and the creation of the Consumer
Financial Protection Bureau (“CFPB”). With Bulletin 2012-03 (the “CFPB Bulletin”),[2] the CFPB
announced its expectations for supervised banks and nonbanks involved in business relationships with
“service providers.”[3]
Unlike the OCC and FDIC, however, the CFPB does isolate regulatory compliance as the overriding
concern for the vendor management process. Specifically, the CFPB clarifies that a company’s vendor
management program should aim to “limit the potential for statutory or regulatory violations and related
consumer harm” and to ensure that such relationships do not present “unwarranted risks” to consumers.
The CFPB’s examination manual provides consistent information regarding the CFPB’s expectations for
regulated entities such as mortgage lenders and servicers to oversee their service providers. The
Compliance Management Review (CMR) section states that “Supervised entities are also expected to
manage relationships with service providers to ensure that these providers effectively manage
compliance with Federal consumer financial laws applicable to the product or service being provided.”[4]
The CMR guidelines further note that, among other service provider-related issues, examiners should
ensure that the Board of Directors and senior management have demonstrated clear expectations for
compliance to service providers, and should review policies and procedures designed to ensure that the
entity’s service providers comply with legal obligations applicable to the product or service of the
examined entity and the provider.[5] As a result, for nonbanks and CFPB supervised banks, where vendor
relationships were traditionally reviewed through a safety and soundness prism, these arrangements are
now examined through the magnifying glass of consumer protection.
[1] The FDIC defined “significant” to include any new relationship, any instance where a new bank activity is being
implemented, where the relationship has a “material effect” on the institution’s revenue or expenses, where the third
party performs critical functions, or stores, accesses, transmits or performs transactions on sensitive customer
information, where the third party markets bank products or services, provides a product or service involving
subprime lending or card payment transactions, or poses risks that could significantly affect earnings or capital. FIL
44-2008, at 1.
[2] CFPB Bulletin 2012-03 (Apr. 13, 2012).
[3] “Service Provider” is defined as any person that “provides a material service to a covered person in connection with
the offering or provision by such covered person of a consumer financial product or service.” See 12 U.S.C. §
5481(26).
[4] CFPB Examination Manual V.2 (October 2012) CMR-1.
[5] CFPB Examination Manual V.2 (October 2012) CMR-3, 7.