Hi, I'm Nicole, your friendly regulatory compliance counsel. Ncontracts asked me to do a brief video series on Fannie Mae's requirements for business continuity, audit and management controls, and management of vendors and other third-party service providers.

This video explains the consequences of failing a Fannie Mae audit for BCP, vendor management, and audit controls.

So, let's bring this mini-series to a close. You may be thinking this is a lot of good information, but are there really any consequences that need to be worried about if my BCP and disaster recovery plans, audits and control processes, and vendors oversight are not up to snuff?

Well, here's the list of consequences. We mentioned this briefly, but you could be looking at receiving an unsatisfactory final review rating. As Fannie Mae calls you up to be audited, if you don't have these BCP plans, disaster recovery procedures, internal audit procedures in place, and vendor oversight in place. So, that's the first consequence is that unsatisfactory final review. You don't want to get that. It's a big hassle. But hopefully if you were to get that, you'll be able to remediate.

But if you're not able to remediate the terms in a timely, you know, period for Fannie Mae, you could look at getting suspended, taken off of the Fannie Mae approved seller servicer list. I mean that can get you in some hot water with your clients, with consumers who Fannie Mae loans you are managing. So getting that unsatisfactory rating is the first thing you want to avoid so that it doesn't go downhill from there.

Three, you may be looking at having to pay penalties to Fannie Mae if that disruption causes Fannie Mae any financial loss.

Four, you may be looking at reputational harm to your company. I mean, if it gets out that you were suspended, taken off of the Fannie Mae approved list, that doesn't look too good for your company.

Five, you may be looking at increased legal risks and even litigation if your BCP internal audit or vendor failures cause harm to consumers.

And six, besides litigation, which I think is the worst consequence of a BCP failure — disaster recovery failure, lack of audit and controls, and a lack of vendor oversight — would be the worst consequence to me.

So, they wanted me to tell a few personal horror stories of consequences I've seen happen being a litigation attorney in my past life. And I thought about it, and, well… I won’t tell you any personal stories, I will tell you that I've heard through the grapevine of organizations that face litigation from consumers due to lack of vendor oversight and vendor data breaches that cause consumer harm.

Also, I've heard several organizations that face litigation from clients due to loss of loan funds because improper vendor oversight and not being prepared when their vendors closed their doors.

So, these are, you know, some pretty tough consequences besides just getting a dinged unsatisfactory rating from Fannie Mae — looking at possible litigation if you don't have these plans in place. So I won't name any names, but if you want to know who I've heard this for, just call me, no, just kidding. I won't name any names

In summary. I hope this little mini-series has made a small impact on those of you who may be smaller institutions that have not established formal BCP and disaster recovery procedures, audit and controls, and vendor oversight policies and procedures. And even for those larger institutions that may need help just assessing your current controls and procedures, just know we're here to help you at Ncontracts, and feel free to reach out to us with your inquiries anytime, have a good day. And I hope you enjoyed this Ncontracts mini-series.