When it comes to compliance rules and regulations, things feel somewhat cloudy at times. There are many aspects to consider, and it’s easy to get lost, dazed, or confused, especially when it pertains to regulatory compliance. It’s no longer enough for banks and credit unions to have good working relationships with their third-party partners; financial institutions now carry the same responsibilities for outsourced services as they do for in-house ones. And managing those third parties, in some cases, comes with risk. In fact, organizations have suffered a growing proportion of security incidents due to third-party vendors: up from 20 percent of the total in 2010 to 28 percent in 2012 and continuing to rise. So what does this mean? Evaluating (and in some cases reevaluating) relationships and putting regulatory requirements into day-to-day operations is key. The OCC has spoken, and it’s time to implement some best practices for third-party compliance.
Evaluate third party vendors before working with them.
Start by compiling a comprehensive inventory of all third parties you have a relationship with. Then, create a vetting procedure that you put in place (and follow!) before agreeing to work with a third party. It should cover inherent risks, proper due diligence, roles and responsibilities, reporting for oversight, accountability, and monitoring, and independent reviews. Establish a system for evaluating your third parties and make sure that it is followed each time you decide whether to work with a particular vendor. This will keep things consistent and transparent. In the beginning of a relationship, you may want to consider a quarterly review, and after the first year, transition to an annual review.
Have a framework for risk management.
When it comes to critical activities, the OCC expects even more oversight and management. Significant bank functions like payments, clearing, and settlement, and shared services like information technology, all require even deeper risk management. Interestingly, 73% of companies lack incident response processes. Establish your own system now. Your compliance management system should include:
- Developing a plan to manage the relationship
- Conducting a review of a potential third party
- Developing and negotiating contracts
- Maintaining ongoing monitoring once the contract is in place
- Developing a plan for termination
- Assigning clear roles for managing the third party relationships
- Reporting and documenting for every aspect of the relationship
- Conducting periodic reviews to make sure that the vendor aligns with strategies
Ongoing monitoring in appraisal reviews.
As always, it is important to first have a policy and process for monitoring your vendor and then follow your due diligence process. Even at MountainSeed, we have seen some of our community and regional bank clients perform reviews on a small sample of our files and then discuss the findings with our staff. This open line of communication continues to provide ongoing monitoring of the appraisal review or appraisal management vendor. Plan to review your third party appraisal panel, too. Continuing to monitor and refine your approved appraisal panel is integral to quality vendor management of your fee appraisal panel.
Understand who the vendor does professional work with.
It is important to realize that when you are selecting an appraisal management vendor as a community or regional bank, you must not only understand who the vendor is, but also who the professionals performing the appraisal review work are. Many times residential appraisal management companies will try to perform commercial review work, and then the bank is disappointed in the relationship. To solve this problem, ask for some sample resumes of the commercial staff and be prepared to potentially switch vendors. Also, ask what percentage of their overall business is commercial vs. residential (hint: nearly 100% of AMCs are only residential!). In addition to this, some AMCs have no way to stay up to date on new regulation and to ensure that all their forms and processes are current. Look for AMCs that dedicate senior staff and legal teams to staying current on all new regulations and on changes to USPAP and state licensing requirements.
Understand the scope of work.
When developing the scope of work, items should include but not be limited to the format of the service, the function of the vendor, the use of the bank’s information, and how the vendor will protect data. Banks should also have a right to audit written into the contract, both to protect the bank and to ensure reporting.
Need more help discerning compliance rules and regulations? Let’s chat.