Compliance | September 16, 2019

Basic concepts for managing third-party risk

As published in National Mortgage Professional Magazine (September 2019 issue).

To survive and thrive in the mortgage business, leaders of high-performance financial services organizations know that lean operations and strategic partnerships are key to achieving production objectives while managing operating costs. However, identifying qualified third parties to support your business objectives can be a challenge. Moreover, maintaining sound, productive third-party relationships requires ongoing oversight and management of an array of risks inherent in these relationships.

Mortgage lending, like so many industries in today's technology-based business environment, is largely built on partnerships with third parties that support many of the core activities and functions of the business. As a general matter, when core activities such as sales, underwriting, origination, closing, servicing, and collections are conducted by a third-party partner, the risk to the outsourcing institution depends directly on the quality of the control environment the third party has established, and on the level of oversight and monitoring the institution conducts to maintain awareness of that environment.

Board members and senior management bear the ultimate responsibility for activities conducted through third-party relationships. Fulfilling this responsibility requires proactive identification and ongoing oversight of the risks arising from those relationships, the same as if the activity were performed in-house. So what are some of the key risks and control considerations?

Strategic risk

Strategic risk emerges where the goals of an institution and its third-party partners become misaligned. A common example is a third-party mortgage originator that creates an incentive program driving production of certain types of mortgage products, or that concentrates on particular markets, without achieving the lending goals of the partner institution. Not only is this a critical misalignment of goals, but it could produce an unfavorable outcome from a fair lending or Community Reinvestment Act perspective.

Sales and production dashboards can be established to provide an ongoing information feed for monitoring what loans are being made and where. In addition, it is always prudent to reserve the right to review and approve marketing initiatives and planned campaigns with third-party partners, and to maintain ongoing awareness of the incentive plans established to drive sales activities.

Operational risk

Losses and violations resulting from inadequate or failed internal processes, poorly trained employees, inadequately developed systems, and external events such as natural disasters are all operational risks that can result in transactional failures. Only through regular, onsite visits and interactions is it possible to stay current on a partner's operational control environment. Yet too often mistakes and transactional failures are identified only through customer complaints or captured through detective monitoring activities, and addressed as a back-end remediation or corrective action measure.

Given the proliferation of financial technology, artificial intelligence, use of alternative data, and the ability to interact with consumers in large volumes and at high velocity, transaction risk can be considerable. Where large volumes of loans are originated involving multiple third parties, the automated merging of multiple data streams from varied sources, coding errors, or a system failure could result in considerable damage and potential consumer harm. This dynamic is particularly prevalent where newly developed products go to market without comprehensive compliance and quality control testing. Online application platforms, as well as automated origination workflows and underwriting processes, can serve as key controls if properly built and correctly implemented. However, financial commitments that drive aggressive development deadlines can in some cases result in problems down the road.

The competitive focus in the mortgage industry is on speed of application, model-driven decisions, lean origination workflows, and agility of delivery largely to a generation of consumers raised on technology. With so much of the mortgage industry focusing on tech solutions and speed of delivery, it is vital to also maintain focus on core risk management fundamentals for ensuring compliance with applicable laws, regulations, and principles of safety and soundness.

Tracking the status of every application has always been important. Now that technology populates and assimilates so much of the documentation, humans should still monitor the process to ensure it is fulfilling its mission. Application processes and protocols designed to automatically transfer and populate an applicant's bank information, credit report data, and property data, and to automatically conduct customer background checks, can and do malfunction.

Vigilance is, as it has always been, critical to maintaining the flow of pipeline activity and for identifying process irregularities. Failure in any input or application interface may result in an incorrectly coded, declined or cancelled application that otherwise could proceed to an approved credit decision and be funded. The key to managing operational risk is to establish well-defined workflow processes and effective status tracking of application, underwriting, and processing activities. 

Credit risk

Credit risk here concerns the ability of a third party to meet the terms of the relationship agreement. When conducting due diligence on a potential third-party originator, regulated institutions should analyze the controls established to ensure loan quality. Regulatory guidance is clear in cautioning that due diligence should produce an informed expectation of the credit quality of the loans to be originated and preliminary knowledge of the volume of repurchased loans, if any. Knowing this before entering a third-party lending arrangement is the best credit risk management defense and serves to build productive relationships based on safe and sound lending practices.

Compliance and reputation risk

Compliance risk in the context of third-party mortgage origination relationships can extend to a range of requirements including fair lending; fair credit reporting; consumer financial privacy; Unfair, Deceptive or Abusive Acts or Practices; and the Bank Secrecy Act, to name just a few. Regulatory guidance reminds us that compliance risk and consumer harm increase with the inherent risk of the product and the level of involvement by third parties throughout the lifecycle of the relationship.

Failure to comply with laws and regulations can put any lender on the fast track to regulatory enforcement, fines, and remediation actions, or worse, reputation-damaging headlines. For example, the same incentive program that drives production of certain types of mortgage products may steer those products to a group of borrowers for whom they are not appropriate, resulting in reputational harm. Maintaining a clear line of sight into the compliance management practices of third-party partners is therefore critically important for addressing compliance issues before they escalate into reputational and/or financial damage.

Regulators expect the boards and management of financial institutions to maintain ongoing oversight of third-party relationship risk. Periodic, risk-based targeted review in combination with over-arching Compliance Management System (“CMS”) reviews of third parties provide critical insights for maintaining ongoing awareness of the adequacy of a partner’s overall compliance management framework. 

Always keep in mind that third-party oversight requires in-depth analysis not only of the third party itself but, in some cases, of the fourth and fifth parties that come with a complex partnership delivering solutions for application, underwriting, processing, pipeline management, decision technologies, and funding processes. Full awareness of all parties involved establishes the pedigree of the relationship from a legal, compliance, and risk management perspective. This is particularly helpful should issues arise over time that require tracing the root cause of a transactional failure through a complex relationship.

Ongoing third-party risk management

Building and maintaining successful partnerships with third parties is a direct reflection of the quality of the third-party management programs and disciplines established to “appropriately assess, measure, monitor, and control the risks” associated with third-party relationships. The FDIC’s Examination Guidance for Third-Party Lending and other regulatory guidance with respect to third-party relationship management emphasize that the fundamental elements of an effective third-party risk management program are:

  • Risk Assessment.  Risk assessments provide the data essential to informing the initial decision whether to establish a third-party relationship. While much of the focus is on the initial assessment, relationships that go forward should be monitored over time for any changes in operations, to determine the continued effectiveness of the control environment.
  • Due Diligence.  Due diligence is an invaluable opportunity to learn as much as possible about a prospective third-party partner. This process entails reviewing the third party's governance documentation; financial condition; experience and background information on the management team; and any other management information that will be critical to the ongoing success of the relationship.
  • Contract.  Contracts establishing the relationship and the rights and responsibilities of the parties should address provisions outlined in regulatory guidance for third-party relationship management.
  • Oversight.  Periodic, independent reviews of third-party relationships should be appropriately scoped and conducted with a frequency that directly relates to the risk profile of the third-party partner. The findings generated through these review activities should be reported upward to the board and executive management.
  • Termination.  Third-party relationships terminate for various reasons, including expiration or satisfaction of the contract; decision to seek an alternate third party; decision to bring the activity in-house or discontinue altogether; and for breach of contract.

The dynamics of establishing and managing third-party relationships require dedicated resources, similar to managing a direct line of business. An effective third-party management program is essential to supporting successful third-party relationships.


References:

  • FDIC FIL-50-2016, Proposed Guidance for Third-Party Lending.
  • OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance.
  • OCC Bulletin 2017-21, Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29.
  • FDIC FIL-44-2008, Guidance for Managing Third-Party Risk.
  • NCUA Supervisory Letter No. 07-01, Evaluating Third-Party Relationships.
  • FFIEC IT Examination Handbook, Business Continuity Planning, Appendix J: Strengthening the Resilience of Outsourced Technology Services.

Thomas Grundy
Senior Director, U.S. Advisory Services
With over 33 years of experience, Thomas advises compliance and risk management executives on solutions for effectively managing risk in a complex and rapidly changing regulatory environment.