As a title agent, are you obligated to ensure your service providers are in compliance? And if so, how?
The Gramm-Leach-Bliley Act (GLBA), enacted in 1999 (codified as amended at 15 U.S.C Chapter 94: Privacy), establishes basic privacy standards for “financial institutions,” which includes not only lenders, but also title insurers, title agents and settlement/escrow agents.
The CFPB expects lenders to oversee their service providers to make sure that they are in compliance with the law to protect consumer interests; this was expressed in CFPB Bulletin 2012-03, published April 13, 2012. This duty extends to title agents and settlement service providers.
While title agents and settlement service providers are third-party vendors to lenders, those who provide services to title agents and settlement service providers are fourth-party vendors to lenders. The requirement to evaluate, review, and monitor qualifications and performance extends as far down the service chain as necessary to make sure that everyone is in compliance with the rules protecting customers.
So what can you do as a title agent to make sure that your vendors are in compliance?
- You can make sure that your vendors are contractually aware of their responsibilities. There are some great sample provisions regarding “rights and responsibilities” and “confidentiality and security,” in the FDIC’s Financial Institution Letters, Guidance for Managing Third-Party Risk, which you may choose to include in your vendor contracts.
- You can establish good vendor selection and management practices:
- Designate someone within your company to provide oversight as the “vendor manager.”
- Perform background and reference checks.
- Provide due diligence questionnaires and checklists.
- Implement non-disclosure agreements.
- Train vendors on their consumer protection obligations.
- Monitor and score performance, and provide feedback; sight visits can be particularly useful.
- Provide a communication matrix or plan, and include provisions for reporting in the event of a perceived security threat or security breach.
This information is not legal, business or financial advice. It is intended only to be helpful to you and to increase awareness. There may be many ways to approach this issue, and it is always best to consult with legal counsel and subject matter experts to develop a plan that is right for you.