plans and resiliency requirements. And, there
should be an annual documented test evidencing
the vendor was able to successful restore business
operations within the plan’s defined timeframes.
It is also highly desirable to have a written plan
in place to activate in the event you must quickly
replace or supplement a mission critical vendor.
PROTOCOLS FOR ADDRESSING
PROBLEMS AND TERMINATING
Prompt action is mandatory when vendors
are out of compliance. In addition to the fact that
the CFPB and state regulators expect prompt
action as soon as any problems are identified,
the reputational risk to your business can be very
Depending on the severity of the problem,
lenders should have protocols in place for
addressing the concern with the vendor and
requiring a written response to document their
file. Remediation may also be required, as would
be the case with a cybersecurity data breach or
instances of inappropriate charges to a consumer.
Recent news stories have been replete with
incidents where the business underwent an
incident and was unprepared with a thoughtful
process on how deal with consumer-facing issues.
Think about the recent airline incidents and how
reputational risks could have been mitigated.
In most cases, lenders will ask vendors to
update policies and procedures to close any
identified gaps, provide additional training, or
otherwise make changes that mitigate the chance
of encountering noncompliance in the future.
However, if appropriate, be prepared to terminate
vendor relationships and self-report the incident to
federal and/or state regulatory agencies. (Again,
herein lies the importance of having a written back-up plan in the event a mission critical vendor must
A COMPREHENSIVE, COMPLIANT
VENDOR MANAGEMENT PROGRAM
IS SIMPLY GOOD BUSINESS
Companies of all sizes can create well-
established and documented vendor management
programs by combining in-house expertise
and ownership with technology solutions and
resources, such as software and web-based portal
An effective vendor management program is
not only about meeting regulatory requirements.
If critical vendors cannot meet service level
agreements or do not operate in a compliant
manner, they can create operational risk—and
even reputational risk—to a lending organization.
In today’s business world, managing such risks is
needed for basic survival.
I would take this concept a step farther and
say thorough vendor management programs
drive better vendor performance. Better vendor
performance creates efficiencies that can
position lenders to operate more profitably, grow
originations and servicing portfolios, or attain a
long list of other business goals.
Allow me to close with a final thought. Any
discussion of vendor management would be
incomplete without acknowledgement of the
fact that closing agents are considered critical
vendors. These vendors handle NPI data and
receive large sums of wired mortgage proceeds,
yet many lenders have performed little, if any, due
diligence on these firms. What’s more, neither
the Closing Protection Letter (CPL) nor the typical
Errors & Omissions insurance policy cover privacy
violations. I look forward to providing an in-depth
look at managing closing agent counterparty
risk in a future issue of Mortgage Compliance
Regina M. Lowrie is a recognized national leader
and authority in the mortgage and lending industry
and is founder, president, and CEO of RML
Advisors, LLC. She can be reached at RLowrie@