
How Much Is Enough Oversight?

By Steve Greenfield
August 1, 2017


Steve Greenfield is Director of Third-Party Risk with Venminder, Elizabethtown, Ky. He is an experienced vendor risk executive with more than 20 years of management experience in the financial services industry. He joined Venminder from loanDepot llc where he served as Director of Vendor Oversight for its retail division, Mortgage Master. He is a regular contributor to MBA Insights.

While vendor risk management, and compliance in general, may be perceived as a cost center for a financial institution, we often hear one question from clients that gives us pause: how much is enough oversight?

It's a valid question and deserves a thoughtful response. Here are two scenarios and an approach to each.

Scenario 1
I'm a mortgage lender who was recently acquired by a bank. I'm regulated by the Consumer Financial Protection Bureau and my parent company follows Office of the Comptroller of the Currency guidance. How do I design my oversight program?

This is a great question, and the answer hinges on the overall risk approach that both institutions are taking. Put simply, an approach that takes the best of both worlds offers the most balanced perspective, because an examiner from either agency will expect to see its own guidance reflected in your program. A word of caution: an examiner will naturally weigh the expectations of the agency they represent, so do not assume that satisfying one agency satisfies the other.

It's worth noting that the CFPB guidance on third-party service providers is based on the original guidance set out by the OCC, and the OCC guidance is widely considered the gold standard for vendor oversight practices. A best practice as you tackle the requirements is to identify the key components of each agency's guidance, find the commonality and overlap between them, and use that shared core as what I call your foundation.

Where one agency's guideline is more stringent than the other's, treat that requirement as a priority and work it into your policies and procedures. Where one agency addresses an area that the other omits, treat it as an addition layered on top of the foundation. Taken as a whole, this is a thoughtful and considered approach to the vendor oversight requirements and one that should satisfy both agencies.

Scenario 2
The deregulation chatter has become official: given the political climate, Dodd-Frank is being rolled back. The CFPB may lose funding; even its leadership is likely to change. Can't I just wait for the regulations to change and dodge the oversight bullet?

This may well play out to become a reality. But here is the crux of the issue: if we have learned anything from the financial crisis of 2006-2008, it is that consumers went through unprecedented levels of hardship and, in many cases, financial ruin.

If your organization is truly focused on customer service excellence and on creating a customer-for-life culture, why would it cut corners in areas that are instrumental to the lending process?

Questions to Consider
If regulations pertaining to vendor oversight were rolled back, would that mean:
--Risks to non-public personal information (NPPI) would diminish?
--Service levels would no longer matter?
--Cybersecurity risks would cease?
--The financial viability of your vendor partners would no longer be important?
--Reputational, operational and financial risk would all decrease simply because there is no regulatory mandate in place?

So Where Does That Leave Vendor Oversight?
From this vantage point, vendor risk management has a legitimate role in adding value and minimizing risk for the organization. While regulations may come and go, the risks that we face today are unlikely to fade away.

Put simply, if a vendor serves as a key component of your operation, then it is by all accounts an extension of your operation. It is therefore prudent to ensure that the vendor serves your clients and fulfills its obligations in the same manner that your internal operations would.

If we return to the original premise, what is enough oversight? The clearest and most concise approach is to take the basics of oversight (initial due diligence, ongoing monitoring and annual assessments) and scope out what is really important to review for each vendor: SOC reports, business continuity (BCP) and disaster recovery (DR) plans, financial condition and regulatory compliance.

In addition, vendor products and services vary. One vendor may have access to NPPI but not be consumer-facing, while another, such as a mortgage servicer, not only has access to client information but also interacts directly with those clients. Oversight should therefore be tailored to the risks and concerns each vendor presents to the organization.

Adherence to oversight ultimately comes down to your organization's compliance culture. Am I doing this because I am mandated to, or am I implementing these best practices to protect my consumers and the long-term future of my brand?

(Views expressed in this article do not necessarily reflect policy of the Mortgage Bankers Association, nor do they connote an MBA endorsement of a specific company, product or service.)
