Skip to main content

< See All Blogs

How to Manage Your Mortgage Subservicing Risk

  • 3 min read
  • David J. Miller, Jr.

Banks and credit unions rely on third-party vendors to increase operational efficiencies and leverage outside expertise. These benefits, however, must be weighed against the legal, reputational, and financial risks that can arise if service providers neglect their due diligence responsibilities. 

The best way to control mortgage subservicing risk is to choose bank subservicers, because they are heavily regulated and subject to continual external examination and internal control procedures.

External Oversight

  • OCC Safety and Soundness. The Office of the Comptroller of the Currency (OCC) conducts regular Safety and Soundness, Compliance, and IT Audit reviews of all OCC-regulated bank subservicers (including Cenlar). These year-round audits include thorough examinations of financial condition, adherence to compliance regulations and security and soundness of IT operations.
  • Uniform Single Attestation Program (USAP)/FDIC Improvement Act (FDICIA) and Regulation AB. Each year, as part of an annual financial review engagement with an outside independent accountant, a Uniform Single Attestation Program is performed. The testing and report follow the parameters specified by the Uniform Single Attestation Program for Mortgage Bankers, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) and Regulation AB.
  • FFIEC Service Provider. Service providers for financial institutions, such as bank subservicers, are examined on a regular basis. The results of the exam are distributed to the FDIC, OCC, and NCUA.
  • Rating Agencies. Bank subservicers are periodically examined by Standard & Poor’s and Fitch. The resulting reports are made available to various regulatory authorities.

Regulatory Capital Requirements
Bank subservicers are subject to minimum regulatory capital requirements, thereby providing a financial cushion to protect against excess leverage and default risk. The rules require maintaining adequate capital levels across several regulatory capital categories, including common equity Tier 1 (CET1), Tier 1, total risk-based capital (Total RBC) and leverage. CET1, Tier 1 and Total RBC are evaluated in relation to risk-weighted assets (RWA).

Internal Controls
Bank subservicer roles and responsibilities generally are assigned across three lines of defense in alignment with industry standards. In addition, bank subservicers often possess highly respected and influential compliance functions charged with implementing regulatory requirements. This encompasses regulatory change management, periodic assessments and testing, and BSA/AML compliance. Risk and Control Self-Assessment reviews are conducted on an annual basis, and include process mapping, risk identification and measurement, and control identification and assessment.

  • Employee compliance training. Risk management is considered the responsibility of every employee. Mandatory and ongoing compliance training courses are required for all employees. 
  • Third-party service providers. Bank subservicers subject external vendors to the same risk management, security, and other policies that are required internally. 

FDIC Protection for Custodial Funds
GSE servicing guidelines, as well as pooling and servicing agreements for private asset and security accounts, require mortgage-related funds to be held in custody at an FDIC depository institution. This requirement protects mortgage principal and interest payable to the servicer and tax and insurance payments received from the borrower.

How Cenlar Stacks Up
Cenlar FSB is an operating subsidiary of Cenlar Capital Corporation, a privately held (employee-owned), federally chartered savings bank. As a regulated banking entity, Cenlar is a well-capitalized bank, with high liquidity, a strong balance sheet and low-risk asset portfolio. Our Tier 1 capital ratio is over 9 percent. In addition, we provide clients with an Oversight Guide each year—available via CenAccess—that explains our internal control procedures and outlines best practices for monitoring our performance.

David J. Miller, Jr.
Executive Vice President, Business Development, Cenlar 
Executive Committee

See All Blogs