On December 1, 2014, the Federal Housing Finance Agency (FHFA) released a new advisory bulletin with significant implications for "all entities that sell single-family mortgage loans to [Fannie Mae or Freddie Mac] or perform single-family mortgage loan servicing [for those entities]." Entities that meet this "Seller/Servicer" definition will need to carefully review the expectations articulated in Oversight of Single-Family Seller/Servicer Relationships (AB 2014-07) and be prepared for enhanced review and auditing by Fannie Mae and Freddie Mac (collectively referred to in AB 2014-07 as the "Enterprises").

The concept of vendor risk management is hardly new to the financial services industry. Foundational risk management documents have been in existence for decades. Notable historic guidance includes OCC 2001-47 (Nov. 1, 2001), OCC Advisory Letter AL 2000-9, FDIC Financial Institution Letter FIL-44-2008 (June 6, 2008), and the Federal Reserve Bank of New York's October 1999 Report entitled Outsourcing Financial Services Activities: Industry Practices to Mitigate Risk. Indeed, those reading the passage in AB 2014-07, "The use of a third party does not relieve the Enterprise's board of directors and senior management of their respective responsibilities to oversee and manage the risks that arise out of the Enterprise's Seller/Servicer relationships," may recognize a similar passage from FIL-44-2008, "The use of third parties in no way diminishes the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws, regulations, and internal policies."

The increased focus on the myriad risks associated with vendor relationships in the single-family residential loan market has resulted in an abundance of new and sometimes bewildering guidance from a variety of regulators, agencies, and state governments. Consider the following examples from the past few years: Fannie Mae Servicing Guide Announcement SVC-2012-22 (Nov. 9, 2012), Freddie Mac Bulletin Number: 2012-25 (Nov. 9, 2012), OCC 2013-29 (Oct. 30, 2013), OCC 2011-29 (June 30, 2011), CFPB Bulletin 2012-03 (Apr. 13, 2012), FRB SR 13-19 and CA 13-21 (Dec. 5, 2013), FRB SR 13-1 and CA 13-1 (Jan. 23, 2013), FRB SR 11-7 (Apr. 4, 2011), and even regulations promulgated by the Massachusetts Division of Banks and Loan Agencies. These have been busy times for those Seller/Servicer employees tasked with vendor management responsibilities.

Given the surplus of guidance, it is not surprising that FHFA has stated its expectation that the Enterprises "assess financial, operational, legal, compliance, and reputation risks associated with its single-family Seller/Servicer counterparties and . . . take appropriate action to mitigate those risks or reduce the Enterprise's exposure." At the core of these expectations are two of the components of traditional vendor management programs: risk assessment and remediation. FHFA further instructs the Enterprises to implement these expectations through a robust program: "each Enterprise should implement a board-approved risk management framework that specifically includes risk-based oversight of single-family Seller/Servicers."

Vendor management includes what is often described as a "risk management life cycle." In fact, an actual chart demonstrating this cycle was included in OCC 2013-29. This cyclical framework is echoed in the FHFA release, which cites, "due diligence and selection, contract negotiation, ongoing monitoring (including performance review and issue resolution), and termination." In every sense, the assessment, identification, and resolution of potential vendor issues must occur from the cradle to the grave of the vendor relationship. Accordingly, FHFA expects Seller/Servicers, because of the "unique risks" they pose, to be subject to risk management oversight by the Enterprises at all times. It is always important to remember that, implicit in all vendor management programs—including FHFA's—is the assumption that risk can only be "managed" and never truly "eliminated." A degree of risk is inherently created every time any functionality is outsourced by one entity to another.

The first integral component of AB 2014-07 is a thorough due diligence review. Seller/Servicers seeking to enter into a new contractual relationship with the Enterprises should expect to undergo an initial review that focuses on three discrete categories of risk factors: (1) financial risk factors, (2) operational risk factors, and (3) legal, compliance, and reputational risk factors. AB 2014-07 provides numerous specific examples of data points related to each category. Examples include:

  • Current and prospective resources and capacity regarding staffing, facilities, technology infrastructure, and any sub-servicing arrangements
  • Organizational structure, complexity, and ownership, including affiliates
  • Key personnel, principals, and controlling shareholders, including information from background checks, when appropriate
  • Reliance on, exposure to, and performance of sub-servicers; location of sub-servicers; and the Seller/Servicer's ongoing monitoring program and quality-control testing of sub-servicers
  • Seller/Servicer oversight of third-party service providers (e.g., mortgage brokers, appraisers) contractually obligated to the Seller/Servicer, not the Enterprise

Because FHFA's guidance may well become the accepted industry norm, all Seller/Servicers—regardless of their relationship status with the Enterprises—are advised to carefully review all risk factors and ensure the implementation of appropriate processes, policies, procedures, and infrastructure.

A second integral component of AB 2014-07 is that the Enterprises develop and implement "risk-based procedures that require updating information obtained during the approval process and performing subsequent analysis to evaluate changes in a Seller/Servicer's risk." The frequency and extent of vendor oversight are necessarily dependent upon the level of risk associated with the vendor. As AB 2014-07 states, "Enterprise policy regarding the scope and frequency of ongoing monitoring activities should be commensurate with the risk associated with the particular Seller/Servicer."

The analysis performed by the Enterprises regarding this risk-based monitoring should be "documented." The use of the word "documented" is critical because it touches upon an essential element of risk management: that the vendor management process must be documented to allow a clear line of sight to all risk-assessment and evaluative activities. "If it isn't in writing, it doesn't exist" is the unspoken motto of many a vendor manager.

What will the periodic oversight entail? Initially, it will require updating the data points developed to assess the risks associated with the Seller/Servicer. However, it will take into account a number of additional factors set forth in AB 2014-07, including:

  • Record of compliance with Seller/Servicer guides and other contractual terms, including compliance with laws and regulations, based on Enterprise compliance and quality control reviews
  • Results of fraud and data integrity reviews
  • Volume, type, and pattern of Seller/Servicer guide waivers considering documented justification for waivers, and results of ongoing performance reviews of loans with waivers relative to justification and expectations
  • Sufficiency and timeliness of performance data to evaluate the quality and effectiveness of Seller/Servicer processes for actual and projected volumes
  • Accuracy and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan

Again, all Seller/Servicers should evaluate their level of compliance with each of these factors in order to ensure their fulfillment of the requirements.

Of course, in order to be truly effective, any vendor management program must include clearly articulated consequences for a vendor's failure to receive a satisfactory review "grade." AB 2014-07 is no exception:

[T]he policies should address the remediation of deficiencies or weaknesses identified in performance criteria or risk areas, as appropriate. The policies should also include standards for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer, including, for example, against a Seller/Servicer that fails to meet an Enterprise's standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unsound business practices.

In other words, if a Seller/Servicer fails to remediate unsatisfactory practices identified by the Enterprise, then that Seller/Servicer may be terminated.

Given the range of vendor management expectations currently imposed on Seller/Servicers, the conceptual framework established in AB 2014-07 should not be unfamiliar to many already working in the vendor management field. However, as Fannie Mae and Freddie Mac move forward to implement AB 2014-07, those vendor managers will likely find themselves on the receiving end of the vendor management process. The seemingly endless chain of vendors overseeing vendors overseeing vendors—while perhaps verging on farce—may call to mind the passage from the Roman poet Juvenal, which is often loosely translated as "Who will watch the watchers?"

Bottom line: Rather than waiting to respond to Fannie Mae and Freddie Mac's program demands, Seller/Servicers should commence building an infrastructure with controls and processes designed to provide the documentation the Enterprises will inevitably expect to see.
