The following is a guest post from Shaun W. O’Neill, President and Chief Revenue Officer of Concord Servicing, LLC.
Fintechs committed to compliance in all forms — regulatory, customer communications, data security, and disaster recovery — will be well-positioned for positive future growth and reputation management.
A key, yet sometimes overlooked, part of the total picture is loan servicing compliance.
One area of concern, financial crime risk detection, is the subject of a recent LendIt and ComplyAdvantage report entitled, “Outsized Role of Compliance in Fintech Hypergrowth.”
While the report’s focus was compliance to identify and thwart financial crime across the lending spectrum, the following passage speaks to compliance issues of every kind: “Concerningly, compliance investments in particular lag sexier investments in a platform or end-user experience. But underinvesting in compliance and risk has devastating effects… According to Compliance Week, in 2020, regulators handed out $2.2 billion in AML fines, up from $444 million in 2019. The first six months of 2021 reflected a similar trend, with $994 million in fines assessed over 17 actions… While agility and technology help deliver products with less overhead, these features can hamper operations. For example, digital banks ‘must show they’re compliant with all relevant regulations – even though they often operate with significantly smaller compliance teams.’”
Underinvest at your own risk
As the report demonstrates, underinvesting in fintech compliance is a perilous path.
Given all that loan servicers can be responsible for, including regulatory compliance, collections-related customer-facing communications and protection, and security (data safeguarding and backups), it is vital to get it right in this arena.
While loan originators and capital providers may have initial contact or involvement with customers, loan servicers often develop the lion’s share of the customer relationship.
It’s also loan servicers who are responsible for protecting lenders, safeguarding documents and data, and providing timely, accurate reporting.
It’s a big job with many moving parts requiring constant diligence and reliability. Therefore, selecting a fintech loan servicer is best handled through in-depth questioning and verification of both capabilities and performance track record.
SOP in review
Following are compliance and security standard operating procedures to consider when vetting a loan servicer:
- Ensure a comprehensive plan to meet best practices in data and system security. All certification requirements must be checked regularly to ensure the latest standards are in place. Penetration testing by third-party vendors to audit all data and system security protocols is an important double-check to thwart the financial crime referenced in the report.
- Redouble the commitment to security with an internal committee that regularly reviews and checks all risks and confirms a robust business continuity plan. For documentation, ask about how the loan servicer handled switching rapidly to working remotely because of the pandemic. Their business continuity plan and execution in highly stressful circumstances will provide valuable insight into how they perform on behalf of clients.
- Check out backup servicing capabilities and capacity. By definition, backup servicing kicks in when primary systems fail or are disrupted. Confirm that the servicer’s system and organization controls are up to speed. For example, do they operate under the American Institute of Certified Public Accountants (AICPA) SOC® 1 Type 2 auditing protocols and reporting—which covers internal controls in risk management, logical access, change management, data security, and data availability?
Backups imperative
Backup servicing should step in seamlessly if primary servicing fails—optimizing asset owner portfolio performance, maintaining efficient communications with clients’ customers, and preparing to take over as primary servicer in an agreed-upon timeframe. As part of this process, full document custody, loan validation and auditing, and PCI DSS-compliant merchant account services and credit card processing capabilities will further cement security measures.
- Offer exemplary onboarding to further button down security and regulation/compliance due diligence. According to the report, “Friction-free onboarding precedes rapid growth… According to the Financial Action Task Force (FATF), ‘inconsistent customer onboarding and due diligence obligations’ is the biggest factor contributing to increased costs and reduced speed. Large enterprises, in particular, noted the downside of burdensome onboarding… Rigor and speed are both embraced. Leading fintechs don’t swap onboarding speed for rigor. This is short-sighted – and may expose the company to regulatory and compliance issues. The pressure to speed up onboarding often leaves companies vulnerable to missing warning signs when approving account openings or transactions… Fragmented systems and platforms limit automated transaction monitoring and due diligence too.”
- Review regulatory and compliance due diligence at federal and state levels in detail. Client due diligence, paying full attention to client experiences that will dictate best practices, is a multipronged effort. Among a loan servicer’s ongoing efforts must be: Continuing education yearly—studying litigation trends, reviewing legislative sessions, and gathering intelligence and insights from multiple industry groups; tapping into the huge resource of collections and credit industry communities addressing affairs in Washington, DC; and staying up-to-date on the statuses of several hundred bills pending at state levels at any one time.
- Dot the compliance I’s and cross the T’s with loan servicers engaging in customer collections on behalf of clients. Depending on the scope of lender operations, this requires a complete understanding of constantly evolving federal and state-by-state regulations. The Consumer Financial Protection Bureau (CFPB) has broad authority to regulate the industry through policymaking, enforcement, and penalizing bad actors with significant fees. Clients deserve the know-how to do it right and get fresh perspectives on existing and prospective regulations. Substantial changes in the Fair Debt Collection Practices Act (FDCPA) protecting consumers from overly aggressive debt collection require complete compliance.
- Ask for proof of a successful “trial by fire.” Documentation of current and complete regulatory and security compliance must be readily available for examination. Compliance and security are constantly changing arenas that mandate a complete understanding of processes and needed protections and the customized needs of clients. Even tried-and-true track records get tested mightily when an unpredictable catastrophic event such as a pandemic occurs. Continuity and ability to function in a rapidly changing world become front and center. Loan servicing companies must be ready to pivot very quickly in both collections and security compliance.
Loan servicing compliance warrants substantial mindshare and an investment of time, money, and resources.