1. What am I required to audit?
Audits are a requirement from state and federal regulators such as the Consumer Financial Protection Bureau (“CFPB”) and the Office of the Comptroller of the Currency (“OCC”) in an effort to better manage and lower risk. There are basically two aspects to the audit. The first is how the audited entity, such as an Appraisal Management Company (“AMC”), regulated bank, or mortgage originator, runs their company. The audit process can include a review of the ownership structure, operations, vendor management, HR, IT, vendor management, quality control, financial controls, data protection, physical security, etc. The second is to determine if the audited entity is meeting both their federal and state obligations including licensing, appraiser independence, etc. The audit may also review the existence and adequacy of the entity’s policies and procedures and their proper execution.
2. Are all audits the same?
Each lender is responsible for understanding their own regulatory requirements and constructing appropriate audit parameters for their Third Party Service Providers (“TPP” – i.e. AMCs, etc.). There is no specific “required template” so audits can and will vary. Depending on the lender’s risk parameters, audits may be more or less intensive. However, they all need to meet certain minimal requirements.
3. How does the audit process work?
Although each client directed audit can be different, there are standard components of the audit process. The client initially sends the third party service provider a template to be completed before an on-site visit. The template includes questions about all areas of the audited entity’s business. In addition, there is usually of list of documents, like the business’ Policies and Procedures that are required. An on-site visit is often required and can take anywhere from one day to one week or more. The audit typically includes verification of all data, processes and specific case evaluation. The on-site visit will often produce a need for follow up remediation activities. Thus, the audit process also helps the entity improve their business.
4. How often are audits done?
Since this is a relatively new process for TPP’s, it is not fully known. However, if we consider what has been occurring to Foreclosure Law Firms over the past three years, it is now typical for each client to have an annual audit. This had led many foreclosure law firms to either have a person or team in charge of compliance audits.
5. How can an AMC prepare for an audit?
Either through their own efforts or with the assistance of a knowledgeable and experienced outside consultant such as Arculis, the TPP must fully understand their responsibilities based upon lender specified requirements and applicable federal regulatory requirements. Then the TPP should examine its own policies, procedures, and related business activities “as if” they were the auditor and determine what needs to be changed, updated, or eliminated? The preparation for the audit will allow the TPP to look at their company in an objective and impartial manner.
6. As a vendor, I have not had a problem with regulators in the past. Why do I need to be concerned about it now?
First, it is important to understand the roles of the key players in the audit process. Federal examiners are required to periodically audit a regulated entity, such as a mortgage lender, for compliance with Federal consumer financial laws. Under these Federal consumer financial laws, the regulated entities are tasked with understanding and properly managing the risk associated with their Third Party Service Providers (“TPP”). The OCC in its Bulletin 2013-29, entitled “Third Party Relationships” defines those relationships as “any business arrangement between a bank and another entity, by contract or otherwise.” As such, certain compliance requirements for regulated entities now have an impact on that entity’s Third Party Service Providers.
7. Is there a penalty for not managing my Vendors?
The consequences of non-compliance can and will vary according to circumstances. On the regulated entity side, an example of such consequences can be found it the OCC’s Bulletin 2013-29, entitled “Third Party Relationships” where it states “the OCC will pursue appropriate corrective measures, including enforcement actions, to address violations of law and regulations or unsafe or unsound banking practices by the bank or its third party. The OCC has the authority to assess a bank a special examination or investigation fee when the OCC examines or investigates the activities of a third party for the bank.” From the Third Party Service Provider’s perspective, non-compliance can adversely affect your business relationship with your clients. In either instance, the consequences are real and can be substantial. Some examples of the kinds of compliance based actions being taken by the Consumer Financial Protection Bureau (“CFPB”) can be found at the following link: http://search.consumerfinance.gov/search?utf8=%E2%9C%93&sc=0&query=fines+mortgage+origination&m=&affiliate=cfpb&commit=Search
8. What is that you do differently than my own staff?
First, as a specialized consultant with a focus on regulatory compliance, it is our job to both understand your responsibilities and to effectively help you address any issues, questions or concerns identified with Third Party Relationship risk. This leaves your staff to do what you need them to do, assist you in running your business. Second, the nature of regulatory compliance as it applies to Third Party Relationships can be broad, technical, and ever-changing. We are your subject matter experts, when and where you need us.
9. What is the cost?
Arculis understands that flexibility is a requirement for today’s challenging business environment. Whether you are in need of hourly rates for exploratory discussions, daily rates for initial evaluations, packaged services for targeted goals, or an annual retainer model, we bring knowledge and expertise in flexible solutions.
10. How long does it take?
The length of time needed may depend on not only your own business goals and objectives but the business goals and regulatory compliance needs of your clients/vendors. Initial exploratory discussions can take as little as a couple of hours. Full audit preparation, audit activities/audit representation, and response and remediation management can take several days or more depending upon the complexity of the audit requirements and the scope of remediation activities. Through the entire process, we are committed to your satisfaction
11. How does your service guarantee insure that I won’t be penalized?
Our audit and review process will identify the areas that your entity may have exposure with CFPB, OCC TPP, and other state and federal regulatory requirements. We will provide a proposal as to what you need to implement to comply. If you adopt our recommendations and implement them effectively then we can offer a service warranty that protects you from certain remediation risk. It is unrealistic to expect an audit exam to be flawless. Every audit and auditor are unique. Based on our research and experience, examiners often find items they feel could be improved or completed in a more compliant manner. Our process identifies the areas of substantial risk and then works with you through the entire process. At the end of the day, satisfactory, documented compliance is our goal. Perfection remains a work in progress.