I am finalizing my due diligence and contract review for a mortgage firm to originate our mortgages for us and grant us first right of refusal.
I have language in the agreement that requires them to follow all applicable rules and regulations. It dawned on me that I might want to see their SAFE Act audit results every year so I inserted language that they need to provide the report to me annually upon my request. They are balking and want to see specific language that NCUA requires me to do this. NCUA guidance (as far as I can find) really only says we need to have appropriate controls in place.
Does anyone have a similar arrangement in place? Can anyone suggest contract language that might be more acceptable? Can anyone point me to more specific NCUA or FFIEC language I can use to bolster my argument? Thanks in advance.
Try the vendor management perspective: (https://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/risk-management/service-provider-selection/due-diligence.aspx)
A financial institution should perform due diligence on the service provider's response to an RFP as well as the service provider itself. Due diligence should serve as a verification and analysis tool, providing assurance that the service provider meets the institution's needs. Due diligence should confirm and assess the following information regarding the service provider:
• Existence and corporate history;
• Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate;
• Other companies using similar services from the provider that may be contacted for reference;
• Financial status, including reviews of audited financial statements;
• Strategy and reputation;
• Service delivery capability, status, and effectiveness;
• Technology and systems architecture;
• Internal controls environment, security history, and audit coverage;
• Legal and regulatory compliance including any complaints, litigation, or regulatory actions;
• Reliance on and success in dealing with third party service providers;
• Insurance coverage; and
• Ability to meet disaster recovery and business continuity requirements.
I believe if you perform what Heather put forth you should be good. I wouldn't worry about 3rd party employee SAFE Act information. That is for the company to police. I would make sure the 3rd party has a valid NMLS number.
May I ask who you went with? I have just started this research to find outsourcing mortgages based on our current pipeline.
I'm not sure if this will help since I don't think that audit results would ever be published, but there is a lot of NMLS information about your vendor available at https://www.nmlsconsumeraccess.org/.
Does the contract already have a clause regarding SSAE 18 or any other similar reports? For me, that would suffice if I could validate that they maintain the NMLS numbers of their employees through the public site.