Choose the right vendor
EDITOR'S NOTE: Elise Oberliesen is a freelance writer.
Financial institutions and other mortgage lenders need to ensure their technology is up-to-date to protect against data breaches and avoid regulatory violations. This applies not only to the company’s internal operations but also to any outside technology vendors it employs.
During a speech at the Mortgage Bankers Association’s Annual Convention in October 2015, Consumer Financial Protection Bureau Director Richard Cordray warned that both bank and nonbank lenders can be held accountable if they violate the law due to their vendors’ mistakes or compliance failures. During the initial rollout of TRID rules in the fall of 2015, Cordray said he was disturbed by reports of some technology vendors not being able to update their software and systems in a timely manner. “Some vendors performed poorly in getting their work done in a timely manner, and they unfairly put many of you on the spot with changes at the last minute or even past the due date,” he said during the MBA speech. “It may well be that all of the financial regulators, including the consumer bureau, need to devote greater attention to the unsatisfactory performance of these vendors and how they are affecting the financial marketplace.”
If regulators find fault with a financial institution’s lending practices or with one of their software or other third-party vendors, the CFPB has many enforcement tools at its disposal, many of which can be punitive, according to Mick Kless, CEO of the Compliance Education Institute, an education and training company focused on providing specialized vendor management education and tools to the financial services industry. “Usually when the CFPB gets involved and you’re talking about lenders and [third-party] vendors, and there’s an enforcement action involved, it usually involves fines,” Kless said. When third-party vendors make mistakes, from security breaches, to having no disaster recovery plan for lost data, the culpability ultimately falls on the lender, even though both parties share responsibility, according to Kless. Therefore, Kless said mortgage lenders must be careful to choose vendors capable of supporting their needs, both financially and operationally. “You don’t want to contract with a vendor and a month later they’re out of business and you now have a business continuity issue where you can’t deliver the services,” Kless said. From an operational standpoint, third-party vendors need to be able to show that they have “functions and controls in place” to protect the company from major disruptions, and “if there are disruptions that the impact is minimized to the lender or bank and the consumer,” he said.
Potential enforcement
Protecting assets
How do lenders know they are working with trained and competent third-party software vendors? To answer that question, Kless said banks need to practice “proper due diligence.” That includes creating a vetting process that ensures the selection pool has competent vendors who are properly trained and understand lending regulations. Third-party vendors with previous or pending litigation could raise potential red flags, Kless said. In cases where there’s no hard legal trail to follow, there are other ways to investigate, but it may involve some digging. Public records often can provide answers. “You will see if there were any complaints by the attorney general, or the Better Business Bureau, so you need to do your research,” he said. Vendors with few success stories to tout may be another possible indicator their competencies and service delivery aren’t up to par, Kless said. Kless said financial institutions should ask several questions when choosing third-party technology or software vendors, such as: Are you their first client? Does the vendor create multiple layers of security? What steps does the vendor take to protect sensitive data? What kind of encryption protocols are in place to protect the customer? What controls are in place to prevent data breaches? When shopping for third-party vendors, financial institutions always should conduct a thorough background check and get legal counsel involved early in contract negotiations, Kless said.
Unfair, Deceptive, or Abusive Acts or Practices is a regulation established by the Dodd-Frank Wall Street Reform and Consumer Protection Act to protect consumers from unfair or deceptive business acts or practices. Mortgage lenders and debt collectors who violate these regulations are subject to audits and potential legal penalties. This means banks and nonbanks are not off the hook when they outsource to a third party who acts on their behalf and engages in predatory lending practices, Kless said. In 2012, for example, under an enforcement action issued by CFPB, Capital One bank was required to pay back roughly $140 million to 2 million customers after it was found the lender used a call center vendor that misled consumers, used deceptive practices and omitted disclosure terms. The CFPB exercised its authority under UDAAP.
“While banks are investing billions of dollars to improve their overall security capabilities, they need to prioritize their spending and protect what matters most — the data itself.”
— Grant Shirk, senior director of product marketing at Vera, a California-based data security company
Consumer protection
Financial institutions can be held responsible for vendor tech failures
© 2017 OnCourse Learning Corp. All rights reserved
By Elise Oberliesen