Third Party Vendor Management

  • Time to read 2 minutes

Federal and state regulators have determined that all lenders, including mortgage banks, credit unions and community banks should have a comprehensive outsourcing risk management process to govern their third-party vendor relationships. The process should include risk assessment, selection of third-party vendors, contract review, and monitoring of the performance of third-party vendors.

Lenders are required to evaluate and monitor settlement agents for risk to consumers to meet federal regulatory requirements governing all banks.  These directives, which were released between April 2012 and October 2013, govern OCC and FDIC regulated banks, non-bank entities (mortgage lenders) and credit unions.  Attorneys, title agents, escrow agents, notaries (and in effect anyone conducting closing functions or handling consumer personal information) must be checked for risk and monitored ongoing for changes in risk.  What follows is a brief summary of some of the regulations we must follow.


The CFPB issued a Bulletin in April 2012, updated in 2015 in which it stated that lenders are “expected to adopt written, comprehensive risk management policies for third party service providers, including closing agents, to protect consumers from harm for violations of federal financial laws, which include laws prohibiting mortgage fraud. Failure to comply may result in a lender being held jointly and severally liable with a third party for harm.”  CFPB Bulletin 2012-3, Bulletin 2015-1


The OCC requires banks to "properly oversee and manage third-party relationships...including a risk assessment...due diligence...written contracts...and ongoing oversight of third party activities." According to the guidance, effective risk management should include: Third party due diligence; Third party monitoring; and Independent reviews.” OCC-2001-47, November 2001; revised October 2013. The OCC has also published a diagram of expected vendor management responsibilities for banks:


OCC Risk Management Triangle


Fannie Mae’s guidelines to banks on “Preventing, Detecting & Reporting Mortgage Fraud,” states in part that mortgage lenders must “know [their] business partners...and consider using outside sources to…selectively choose closing attorneys and settlement agents…”   Fannie Mae Customer Education Group, Report of December 2005.

Prospective Seller/Servicers are required to submit “(a) Procedures for Approving and Managing Closing Agents, and (b) A Roster of Approved Closing Agents.” Seller/Servicer Application, Document Checklist Item 14-Closing, May 2012.


NCUA acknowledges that third-party relationships are essential but “… inadequately managed and controlled third-party relationships can result in unanticipated costs, legal disputes, and financial loss…” The agency does not want to “stifle the innovative use of third-party relationships to meet member needs and strategic objectives,” but wants to reemphasize that credit unions “clearly understand risks they are undertaking and balance and control those risks…” NCUA Guidance Letter 07-CU-13, December 2007.


HUD requires lenders to demonstrate that they have a written policy and procedures for managing closing agent risk, and to provide evidence that the policy is being managed and utilized in operations upon request and/or in the course of an audit. HUD-OIG Audit Procedures, 2013.


In the FDIC regulatory compliance manual, the agency details the procedural requirements regarding third party risk. The board of directors and senior management of an insured depository institution are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution. FDIC Compliance Manual VII-5.1, December 2012