Third Party Risk Management Requirement Updates FAQ
These FAQs are not intended to provide legal advice and should not be viewed as a substitute to what is stated in the Freddie Mac Single Family Seller/Servicer Guide. In the event of a conflict between the content of these FAQs and the Guide, the Guide shall remain the operative contract between Freddie Mac and each Seller/Servicer.
-
Why is Freddie Mac making changes to its risk management requirements including those involving Seller/Servicer 3rd parties?
Freddie Mac continually updates our Guide to address evolving risks in the mortgage and related industries. Ransomware and other cyber-attacks have been serious concerns in our industry. The updated requirements announced in Guide Bulletins 2021-31 and 2021-32 allow us to refine our management of risks associated with our Seller/Servicer relationships and transactions, and their relationships and transactions with their critical service providers.
-
What is a material adverse effect?
This is any event or circumstance having a material adverse effect on (a) the Seller/Servicer’s ability to perform its obligations under the Purchase Documents, (b) Freddie Mac’s interests as an assignee, (c) a class or significant group of borrowers, and/or (d) Freddie Mac’s economic interests.
This definition is purposefully designed to capture a broad range of circumstances impacting borrowers, our counterparties, and our economic interests. While the definition may appear to be circular, it intentionally reflects a well-established legal standard that guides circumstance-specific outcomes and is intended to convey that disclosure and other requirements only apply to mission-critical relationships with Related Third Parties. -
What is considered a Change of Control?
This is a change in the power, directly or indirectly, to direct or cause the direction of the management or policies of a Seller/Servicer, whether through ownership or transfer of securities, by contract or otherwise. A person is presumed to have such power if the person:
- Is Senior Management of the Seller/Servicer;
- Directly or indirectly has the right to vote a material portion of a class of a voting security of the company or has the power to sell or direct the sale of a material portion of a class of voting securities of the company; or
- In the case of a partnership, has the right to receive upon dissolution or has contributed a material portion of the capital of the partnership.
The new definition of “Change of Control” tracks and clarifies the existing provisions of Guide Section 2101.12 relating to changes in the control of a Seller/Servicer, and includes within it changes to the Seller/Servicer’s Senior Management, also a new defined term.
-
Who is Senior Management?
In the interest of removing any uncertainty over roles that may be part of senior management referenced in the Guide, and in Section 2101.12 in particular – we have defined Senior Management as:
A person who serves as one of the following positions for a Seller/Servicer:
- Owner;
- President;
- Vice President in charge of managing or overseeing any aspect of the Seller/Servicer’s Freddie Mac business;
- Chief Executive Officer (CEO);
- Chief Operating Officer (COO);
- Chief Financial Officer (CFO);
- Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Information Security Officer (CISO);
- Chief Risk Officer (CRO);
- Corporate Secretary;
- General Counsel;
- Chairman or other member of the Board;
- General Partner; or
- Member or manager of an LLC
-
What are Related Third Parties?
A third party (i.e., a Seller/Servicer counterparty such as a mortgage broker, correspondent, loan origination system vendor, contract underwriter, appraisal management company, data center, settlement agent, TPP (as defined in Section 1401.2), selling agent, servicing agent, document custodian, warehouse lender, outsourced vendor, mortgage insurer or reinsurer) that the Seller/Servicer engages to provide it with technology, origination, underwriting, processing, technical, interim financing, closing, loss mitigation, (re)insurance, servicing and other services and support that are generally designed to advance the Seller/Servicer’s origination and/or servicing of mortgages.
This term had been defined in substantially this manner in the Guide’s Master Systems License (Section 2401.1), and has been updated and moved to the Glossary, given its broader application throughout the Guide. As evidenced by the definition, a broad range of Seller/Servicer counterparties would fit within the definition of Related Third Party. Some examples of third-party organizations are:
Technology providers/ servicing platforms Loss mitigation vendors Offshore providers Property preservation Insurance vendors Lockbox Life of Loan Flood Monitoring Custodian account vendor Cloud Service Compliance vendors Attorney Network -
What qualifies as a Security Incident?
Freddie Mac defines a Security Incident as an instance from which the circumstances and available information a reasonable information security professional could conclude that unauthorized acquisition of data or computing resources, or unauthorized access to data or computing resources or any other security incident that may compromise the security, confidentiality, availability, integrity, or privacy of Freddie Mac information.
-
If a Related Third Party notifies us of a Security Incident, are we obligated to notify Freddie Mac of that Security Incident?
Under new Section 1302.3(7)(a), a Seller/Servicer is required to pass through various new requirements of updated Section 1302.2, including Section 1302.2(c), which requires notification to Freddie Mac of any Security Incident. Once the Related Third Party fulfills its notification obligations to the Seller/Servicer under such passed through provisions, then the Seller/Servicer is required to notify Freddie Mac of that Security Incident.
A Security Incident occurs “[i]f a Seller/Servicer knows or believes or if, from the circumstances and available information a reasonable information security professional could conclude that, there has been any unauthorized acquisition of data or computing resources, or unauthorized access to data or computing resources or any other Security Incident that may compromise the security, confidentiality, availability, integrity, or privacy of Freddie Mac information…” -
Does it matter if the security incident only affects loans sold, or to be sold, to Freddie Mac?
A Security Incident is defined broadly to trigger a notification requirement wherever there has been an incident involving Freddie Mac information. Thus, it doesn’t matter whether Freddie Mac loans were involved, only that Freddie Mac information may have been compromised.
-
Why is Freddie Mac requiring us to name it as an intended third-party beneficiary in our agreements with Related Third Parties?
As with related requirements under Bulletins 2021-31 and 2021-32, this expansion of the third-party designation requirement is intended to help Freddie Mac manage risk by providing a contractual basis to enforce certain rights directly against the Related Third Party when a Seller/Servicer is unwilling or unable to do so.
This requirement is not new; rather, it represents a revision of the existing beneficiary designation requirements elsewhere in the Guide. For example, Section 2401.1(e)(v) currently requires technology users to include certain licensing provisions in their agreement with Related Third Parties and to specifically designate Freddie Mac as a third-party beneficiary for purposes of enforcing such provisions. Additionally, Freddie Mac is a third-party beneficiary of subservicing agreements between Servicers and their servicing agents under Section 8102.1.
New Section 1302.3(8) broadens such existing requirements; however, the expansion only relates to agreements with Related Third Parties of which a breach may have a Material Adverse Effect. Paragraph 7 also requires “any Related Third Party to (a) comply with requirements substantially similar to those imposed on Seller/Servicer under Section 1302.2 [Information Security requirements] and this Section 1302.3 [Business Continuity Planning] and (b) refrain from interfering with or impairing any obligations of Seller/Servicer to Freddie Mac under a Purchase Document of which any member of Senior Management of such Related Third Party has actual knowledge.”
New Section 1302.3(8) requires the Seller/Servicer to make its own determination as to whether a breach of any such provisions would result in a Material Adverse Effect. Seller/Servicers are not required to designate Freddie Mac as a third party beneficiary of all agreements with its Related Third Parties– just those for which, in the Seller/Servicer’s own judgment, a breach of the provision identified in new Section 1302.3(7) would have a Material Adverse Effect.
-
Why are greater notification timeframes and additional disclosure requirements being required?
After reviewing other mortgage industry best practices and commercially reasonable standards, we determined that it was necessary in the context of risk management. The increased notice and additional disclosure requirements are aimed at allowing sufficient time for Freddie Mac and the Seller/Servicer to engage in a dialogue and implement any needed risk mitigation strategies, so that the Seller/Servicer’s origination and/or servicing of loans will not be disrupted in the event of a conflict with a vendor or a significant adverse event. More importantly, the updated requirements help minimize any potential impact on borrowers.
For non-banks, state regulators require 60 days’ notice of certain changes in senior management. We thought it appropriate to align with these standards. -
If a member of the client’s Senior Management team only provides 3 weeks’ notice prior to leaving the company, will the Seller/Servicer be declared in default if it discloses the departure within a week of its receipt of notice?
No. Freddie Mac is not looking for a loophole to call Seller/Servicers in breach of their Purchase Documents. We are merely looking for greater transparency into certain events and changes that may have a Material Adverse Effect on Freddie Mac.
-
What is Freddie Mac’s objective with the new requirements for Seller/Servicers to require Related Third Parties to refrain from interfering with or impairing any obligations to Freddie Mac?
As required by new Section 1302.3(7)(b), going forward, Seller/Servicers must contractually bar their Related Third Parties from interfering with or impairing any obligations a Seller/Servicer has to Freddie Mac under a Purchase Document of which the Related Third Party’s Senior Management is aware (i.e., has actual knowledge). This new requirement stems from a scenario in which a Related Third Party’s C-suite, knowing the Seller/Servicer’s obligations to Freddie Mac, took actions in its provision of services to the Seller/Servicer that would have seriously impeded the Seller/Servicer’s ability to fulfill its obligations to Freddie Mac.
-
What language or change is sufficient to meet the requirement for Freddie Mac to be a designated beneficiary on certain contracts?
As required by new Section 1302.3(7)(b), going forward, Seller/Servicers must contractually bar their Related Third Parties from interfering with or impairing any obligations a Seller/Servicer has to Freddie Mac under a Purchase Document of which the Related Third Party’s Senior Management is aware (i.e., has actual knowledge). This new requirement stems from a scenario in which a Related Third Party’s C-suite, knowing the Seller/Servicer’s obligations to Freddie Mac, took actions in its provision of services to the Seller/Servicer that would have seriously impeded the Seller/Servicer’s ability to fulfill its obligations to Freddie Mac.
-
What is an example of how we might determine in which Related Third Party agreements we need to designate Freddie Mac as a third-party beneficiary?
Freddie Mac is only required to be a designated third-party beneficiary in agreements with any Related Third Party in which a breach of certain information security, business continuity and non-interference requirements may have a Material Adverse Effect.
For example, ABC Lending’s analysis may identify XYZ Technologies as one of their “Related Third Parties” since they provide ABC Lending with origination platform technology services generally designed to advance ABC Lending’s origination and/or servicing of mortgages.
ABC Lending is required to have information security and business continuity planning requirements in place with XYZ Technologies that are substantially similar to those by which ABC Lending is bound under Section 1302.2 and 1302.3 of the Guide; ABC Lending will likely already have such provisions in place with XYZ Technologies, particularly if the former is a regulated entity.
In addition, ABC Lending must require XYZ Technologies to “refrain from interfering with or impairing any obligations of [ABC Lending] to Freddie Mac under a Purchase Document of which any member of Senior Management of [XYZ Technologies] has actual knowledge.” If ABC Lending determines that a breach of any such requirements in its agreement with XYZ Technologies would have a “Material Adverse Effect,” then it must designate Freddie Mac as an express, intended third-party beneficiary in ABC Lending’s agreement with XYZ Technologies.
Central to ABC Lending’s analysis is its assessment of whether a breach of such provisions would result in a Material Adverse Effect, i.e., whether such a breach would have “a material adverse effect on (a) [ABC Lending]’s ability to perform its obligations under the Purchase Documents, (b) Freddie Mac’s interests as an assignee, (c) a class or significant group of borrowers, and/or (d) Freddie Mac’s economic interests.”
-
Do I have to provide Freddie Mac with notice of all changes to my Related Third Party relationships?
No. Under Section 2101.12(f)(2)(d), Seller/Servicers will be required to notify Freddie Mac of any change to its agreement with a Related Third Party that is likely to have a Material Adverse Effect, which is defined “as any event or circumstance having a material adverse effect on (a) the Seller/Servicer's ability to perform its obligations under the Purchase Documents, (b) Freddie Mac's interests as an assignee, (c) a class or significant group of Borrowers, and/or (d) Freddie Mac's economic interests.” Seller/Servicers will have to make a determination as to whether a change to its relationship with a particular Related Third Party is impactful enough (i.e., would likely have a Material Adverse Effect) that would require a notification to Freddie Mac.