We believe that the appropriate level of due diligence depends on the services these title companies are providing to your bank. For example, a title company providing lender’s title insurance or escrow services to your bank may present a higher degree of risk (and consequently require a more extensive review) than a title company that simply assists you in facilitating loan closings by preparing documents and helping complete paperwork.
The Federal Reserve (your primary federal regulator) provides general guidance on conducting due diligence and selecting service providers in its “Guidance on Managing Outsourcing Risk,” which defines “service provider” broadly to include “all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.” We believe this guidance would apply to the title companies that your bank works with, since the written proposals are establishing contractual obligations for your bank and the title companies, and they are providing business functions in the form of title insurance, escrow, and loan closing services.
The guidance states that “[a] financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider” and that the “depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution’s familiarity with prospective service providers, and the reputation and industry standing of the service provider.” It states that the “overall due diligence process includes a review of the service provider with regard to: 1. Business background, reputation, and strategy; 2. Financial performance and condition; and 3. Operations and internal controls.”
Additionally, an article from the Federal Reserve Bank of Philadelphia’s Consumer Compliance Outlook states that due diligence for third-party service providers should include obtaining references (particularly from other financial institutions), reviewing audited financial statements, ensuring the service provider has data back-up systems, continuity and contingency plans, and proper management information systems, and researching background, qualifications, and reputations of the service provider’s principals and their overall reputation, including lawsuits filed against them. Again, the relevance of this guidance will depend on the specific circumstances of each transaction and the kind of services provided—as noted in the article, third-party risks are heightened when a vendor interacts with your customers directly.
We note that the OCC, Federal Reserve, and FDIC have proposed interagency guidance on managing risks associated with third-party relationships that covers due diligence and third-party selection. When finalized, the proposed guidance would replace each agency’s existing guidance on this topic, including the Federal Reserve’s “Guidance on Managing Outsourcing Risk.” The proposed guidance contains several updates (such as specific guidance on due diligence for fintech companies) while also incorporating the principle that your bank’s “degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship.”
For resources related to our guidance, please see:
- Federal Reserve, Guidance on Managing Outsourcing Risk, I. Purpose, page 1 (revised February 26, 2021) (“For purposes of this guidance, ‘service providers’ is broadly defined to include all entities that have entered into a contractual relationship with a financial institution to provide business functions or activities.”)
- Federal Reserve, Guidance on Managing Outsourcing Risk, II. Risks from the Use of Service Providers, page 1 (revised February 26, 2021) (“The use of service providers to perform operational functions presents various risks to financial institutions. Some risks are inherent to the outsourced activity itself, whereas others are introduced with the involvement of a service provider.”)
- Federal Reserve, Guidance on Managing Outsourcing Risk, B. Due Diligence and Selection of Service Providers, page 4 (revised February 26, 2021) (“A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution’s familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed. The overall due diligence process includes a review of the service provider with regard to:
1) Business background, reputation and strategy;
2) Financial performance and condition; and
3) Operations and internal controls.”)
- Federal Reserve, Guidance on Managing Outsourcing Risk, 1. Business Background, Reputation and Strategy, page 4 (revised February 26, 2021) (“Financial institutions should review a prospective service provider’s status in the industry and corporate history and qualifications; review the background and reputation of the service provider and its principals; and ensure that the service provider has an appropriate background check program for its employees. . . .”)
- Federal Reserve, Guidance on Managing Outsourcing Risk, 2. Financial Performance and Condition, page 4 (revised February 26, 2021) (“Financial institutions should review the financial condition of the service provider and its closely-related affiliates. The financial review may include . . . .”)
- Federal Reserve, Guidance on Managing Outsourcing Risk, 3. Operations and Internal Controls, page 5 (revised February 26, 2021) (“Financial institutions are responsible for ensuring that services provided by service providers comply with applicable laws and regulations and are consistent with safe-and-sound banking practices. Financial institutions should evaluate the adequacy of standards, policies, and procedures. Depending on the characteristics of the outsourced activity, some or all of the following may need to be reviewed: . . . .”)
- FRB Philadelphia: Consumer Compliance Outlook: Vendor Risk Management — Compliance Considerations (4Q 2012) (“Several best practices can reduce the risk of violations from vendor relationships. These include: . . . Due diligence. Before selecting a vendor, bankers should conduct due diligence, which includes obtaining references, particularly from other financial institutions. In addition, the vendor’s audited financial statements should be reviewed. Also, ensuring that the vendor has data back-up systems, continuity and contingency plans, and proper management information systems is also an important step. Finally, researching the background, qualifications, and reputations of the vendor’s principals and the vendor’s overall reputation, including lawsuits filed against it, should be part of the due diligence.”)
- FRB Philadelphia: Consumer Compliance Outlook: Vendor Risk Management — Compliance Considerations (4Q 2012) (“Third parties present a broad range of risks . . . These risks are heightened when a vendor operates directly between the bank and its customers.”)
- Proposed Interagency Guidance on Third-Party Relationships: Risk Management, 86 Fed. Reg. 38182, 38189 (July 19, 2021) (“Conducting due diligence on third parties before selecting and entering into contracts or relationships is an important risk management activity. . . . The degree of due diligence should be commensurate with the level of risk and complexity of each third-party relationship.”)