Due diligence is one of the most fundamental, and also one of the most important, practices in third-party risk management. The basic reality is that there will be times when something you learn while doing your due diligence changes the entire way you think about a company, perhaps even causing you to change your mind about entering into the relationship.
Due Diligence Is Vital to a Successful Third-Party Risk Management Program
Collecting and reviewing due diligence can seem like a daunting task, but it is one that reaps many benefits, including:
It protects your mortgage company from unnecessary and unwanted exposure to risk. This is important to both your institution and your customers.
Examiners will be satisfied, as it is a regulatory expectation. Regulatory guidance such as OCC Bulletin 2013-29, FDIC FIL 44-2008, and CFPB Bulletin 2012-03 places a strong emphasis on risk-based due diligence and on the overall lifecycle of the third-party relationship. Reviewing this guidance is highly encouraged when implementing a due diligence process at your institution.
Due diligence procedures also ensure you have set a standard for the minimum requirements to onboard a vendor, which helps set the tone across the institution regarding due diligence expectations. Your institution’s lines of defense will be able to work together more efficiently when they’re all on the same page.
Due diligence helps to inform all of your other third-party risk activities, particularly by homing in on risks that must be addressed in the contract or through ongoing monitoring.
The 8 Vendor Due Diligence Best Practices for Your Mortgage Company
Here are 8 vendor due diligence best practices:
1. Gather the vendor list and perform standard due diligence on all vendors. Request a list from the Accounts Payable Department that you can compare to the vendor list you currently have on file to make sure you are not overlooking any vendors. Once your vendor list is ready, ensure the appropriate standard due diligence is accessible for each vendor (e.g., Tax ID, Business License, OFAC check, Certificate of Good Standing). The standard due diligence requirements depend on your mortgage company's policy; however, it is always a best practice to have some documentation requirements, even for vendors that may pose very little risk to the institution.
2. Make sure the due diligence performed is tailored to the type of vendor and its associated level of risk. In addition to the standard due diligence requests, you will want to include additional due diligence requirements based on the type of vendor and the vendor's level of risk to the institution. Be sure to understand each vendor's regulatory risk and business impact risk. The regulatory impact determines whether the vendor is low, medium, or high risk, and you should have a list of documentation requirements for each risk level. The business impact determines whether the vendor is critical or non-critical to the institution. Additional documentation may need to be maintained for each vendor depending on the business impact as well, such as a detailed business continuity plan and the results of any corresponding testing.
3. Complete due diligence during vendor selection, prior to the contract being executed. It is imperative to collect due diligence on a vendor before you contractually commit to its products or services. In fact, OCC Bulletin 2013-29, which is the gold standard in third-party risk, includes due diligence and third-party selection as one of the lifecycle phases. Pre-contract due diligence in the vendor vetting process prevents the unwanted pitfalls and risk of selecting the wrong vendor, and it gives you the opportunity to contractually commit the vendor to provide any items it cannot release before an agreement is signed.
4. Complete due diligence on an ongoing basis as well. Review it and make updates periodically. Due diligence is not a one-and-done exercise, and it is not a check-the-box item. Each due diligence document obtained should be reviewed by a qualified individual who can provide an accurate analysis. Depending on your program's requirements, requests for updated due diligence should be made periodically in order to verify that the vendor is still meeting expectations.
5. Always keep the frequency of due diligence in mind. Set reminders to reach out to the vendor for certain types of reports and make sure you are making timely requests. For example, if the vendor is a public company, set an alert to check its website and gather financials as soon as they are released. Time due diligence to correspond with the most important time-sensitive materials, whether that is financial statements, a SOC report, or other items.
6. Document all attempts to collect documentation from vendors. It is understood that you will not always be able to collect all of the documentation being requested. In that case, it is vital to document your method of reaching out and the date of each attempt. This is especially important so that you can show your efforts to senior management, the board, and examiners. They will want to see that you have a record of this and will appreciate the thoroughness.
7. Write out the steps in your vendor management program documentation. Make sure you have outlined the institution's vendor due diligence requirements in your program. As changes are made or new guidance is released, update the documentation to reflect this. It is important to keep the expectations consistent and current.
8. Include due diligence as part of your internal audit review of third-party risk management. It is always prudent to identify problems or potential issues and address them proactively.
When you take the time and effort to properly perform due diligence on your vendors, it will positively impact your mortgage company. At the outset, you are making sure you select the vendor that best fits your institution's needs. By continuing to perform the appropriate due diligence, you are confirming that the vendor is still the best fit. Finally, you are gaining the respect and trust of your customers, who can rely on your institution to provide great services and products because your third parties are doing the same for you. That, in turn, boosts your overall reputation.