Third Party Risk Management Requirement Updates FAQ

Freddie Mac continually updates our Guide to address evolving risks in the mortgage and related industries. Ransomware and other cyber-attacks have been serious concerns in our industry. The updated requirements announced in Guide Bulletins 2021-31 and 2021-32 allow us to refine our management of risks associated with our Seller/Servicer relationships and transactions, and their relationships and transactions with their critical service providers.

This is any event or circumstance having a material adverse effect on (a) the Seller/Servicer’s ability to perform its obligations under the Purchase Documents, (b) Freddie Mac’s interests as an assignee, (c) a class or significant group of borrowers, and/or (d) Freddie Mac’s economic interests.

This is a change in the power, directly or indirectly, to direct or cause the direction of the management or policies of a Seller/Servicer, whether through ownership or transfer of securities, by contract or otherwise. A person is presumed to have such power if the person:

• Is Senior Management of the Seller/Servicer;
• Directly or indirectly has the right to vote a material portion of a class of a voting security of the company or has the power to sell or direct the sale of a material portion of a class of voting securities of the company; or
• In the case of a partnership, has the right to receive upon dissolution or has contributed a material portion of the capital of the partnership.

The new definition of “Change of Control” tracks and clarifies the existing provisions of Guide Section 2101.12 relating to changes in the control of a Seller/Servicer, and includes within it changes to the Seller/Servicer’s Senior Management, also a new defined term.

In the interest of removing any uncertainty over roles that may be part of senior management referenced in the Guide, and in Section 2101.12 in particular – we have defined Senior Management as:

A person who serves as one of the following positions for a Seller/Servicer:

• Owner;
• President;
• Vice President in charge of managing or overseeing any aspect of the Seller/Servicer’s Freddie Mac business;
• Chief Executive Officer (CEO);
• Chief Operating Officer (COO);
• Chief Financial Officer (CFO);
• Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Information Security Officer (CISO);
• Chief Risk Officer (CRO);
• Corporate Secretary;
• General Counsel;
• Chairman or other member of the Board;
• General Partner; or
• Member or manager of an LLC

A third party (i.e., a Seller/Servicer counterparty such as a mortgage broker, correspondent, loan origination system vendor, contract underwriter, appraisal management company, data center, settlement agent, TPP (as defined in Section 1401.2), selling agent, servicing agent, document custodian, warehouse lender, outsourced vendor, mortgage insurer or reinsurer) that the Seller/Servicer engages to provide it with technology, origination, underwriting, processing, technical, interim financing, closing, loss mitigation, (re)insurance, servicing and other services and support that are generally designed to advance the Seller/Servicer’s origination and/or servicing of mortgages.

This term had been defined in substantially this manner in the Guide’s Master Systems License (Section 2401.1), and has been updated and moved to the Glossary, given its broader application throughout the Guide. As evidenced by the definition, a broad range of Seller/Servicer counterparties would fit within the definition of Related Third Party. Some examples of third-party organizations are:

Freddie Mac defines a Security Incident as an instance from which the circumstances and available information a reasonable information security professional could conclude that unauthorized acquisition of data or computing resources, or unauthorized access to data or computing resources or any other security incident that may compromise the security, confidentiality, availability, integrity, or privacy of Freddie Mac information.

Under new Section 1302.3(7)(a), a Seller/Servicer is required to pass through various new requirements of updated Section 1302.2, including Section 1302.2(c), which requires notification to Freddie Mac of any Security Incident.  Once the Related Third Party fulfills its notification obligations to the Seller/Servicer under such passed through provisions, then the Seller/Servicer is required to notify Freddie Mac of that Security Incident.

A Security Incident is defined broadly to trigger a notification requirement wherever there has been an incident involving Freddie Mac information.  Thus, it doesn’t matter whether Freddie Mac loans were involved, only that Freddie Mac information may have been compromised.

As with related requirements under Bulletins 2021-31 and 2021-32, this expansion of the third-party designation requirement is intended to help Freddie Mac manage risk by providing a contractual basis to enforce certain rights directly against the Related Third Party when a Seller/Servicer is unwilling or unable to do so.

This requirement is not new; rather, it represents a revision of the existing beneficiary designation requirements elsewhere in the Guide.  For example, Section 2401.1(e)(v) currently requires technology users to include certain licensing provisions in their agreement with Related Third Parties and to specifically designate Freddie Mac as a third-party beneficiary for purposes of enforcing such provisions. Additionally, Freddie Mac is a third-party beneficiary of subservicing agreements between Servicers and their servicing agents under Section 8102.1.

New Section 1302.3(8) broadens such existing requirements; however, the expansion only relates to agreements with Related Third Parties of which a breach may have a Material Adverse Effect.   Paragraph 7 also requires “any Related Third Party to (a) comply with requirements substantially similar to those imposed on Seller/Servicer under Section 1302.2 [Information Security requirements] and this Section 1302.3 [Business Continuity Planning] and (b) refrain from interfering with or impairing any obligations of Seller/Servicer to Freddie Mac under a Purchase Document of which any member of Senior Management of such Related Third Party has actual knowledge.”

New Section 1302.3(8) requires the Seller/Servicer to make its own determination as to whether a breach of any such provisions would result in a Material Adverse Effect.  Seller/Servicers are not required to designate Freddie Mac as a third party beneficiary of all agreements with its Related Third Parties– just those for which, in the Seller/Servicer’s own judgment, a breach of the provision identified in new Section 1302.3(7) would have a Material Adverse Effect.

After reviewing other mortgage industry best practices and commercially reasonable standards, we determined that it was necessary in the context of risk management. The increased notice and additional disclosure requirements are aimed at allowing sufficient time for Freddie Mac and the Seller/Servicer to engage in a dialogue and implement any needed risk mitigation strategies, so that the Seller/Servicer’s origination and/or servicing of loans will not be disrupted in the event of a conflict with a vendor or a significant adverse event. More importantly, the updated requirements help minimize any potential impact on borrowers.

No. Freddie Mac is not looking for a loophole to call Seller/Servicers in breach of their Purchase Documents. We are merely looking for greater transparency into certain events and changes that may have a Material Adverse Effect on Freddie Mac.

As required by new Section 1302.3(7)(b), going forward, Seller/Servicers must contractually bar their Related Third Parties from interfering with or impairing any obligations a Seller/Servicer has to Freddie Mac under a Purchase Document of which the Related Third Party’s Senior Management is aware (i.e., has actual knowledge).  This new requirement stems from a scenario in which a Related Third Party’s C-suite, knowing the Seller/Servicer’s obligations to Freddie Mac, took actions in its provision of services to the Seller/Servicer that would have seriously impeded the Seller/Servicer’s ability to fulfill its obligations to Freddie Mac.

As required by new Section 1302.3(7)(b), going forward, Seller/Servicers must contractually bar their Related Third Parties from interfering with or impairing any obligations a Seller/Servicer has to Freddie Mac under a Purchase Document of which the Related Third Party’s Senior Management is aware (i.e., has actual knowledge).  This new requirement stems from a scenario in which a Related Third Party’s C-suite, knowing the Seller/Servicer’s obligations to Freddie Mac, took actions in its provision of services to the Seller/Servicer that would have seriously impeded the Seller/Servicer’s ability to fulfill its obligations to Freddie Mac.

Freddie Mac is only required to be a designated third-party beneficiary in agreements with any Related Third Party in which a breach of certain information security, business continuity and non-interference requirements may have a Material Adverse Effect. 

For example, ABC Lending’s analysis may identify XYZ Technologies as one of their “Related Third Parties” since they provide ABC Lending with origination platform technology services generally designed to advance ABC Lending’s origination and/or servicing of mortgages.

ABC Lending is required to have information security and business continuity planning requirements in place with XYZ Technologies that are substantially similar to those by which ABC Lending is bound under Section 1302.2 and 1302.3 of the Guide; ABC Lending will likely already have such provisions in place with XYZ Technologies, particularly if the former is a regulated entity. 

In addition, ABC Lending must require XYZ Technologies to “refrain from interfering with or impairing any obligations of [ABC Lending] to Freddie Mac under a Purchase Document of which any member of Senior Management of [XYZ Technologies] has actual knowledge.”  If ABC Lending determines that a breach of any such requirements in its agreement with XYZ Technologies would have a “Material Adverse Effect,” then it must designate Freddie Mac as an express, intended third-party beneficiary in ABC Lending’s agreement with XYZ Technologies. 

Central to ABC Lending’s analysis is its assessment of whether a breach of such provisions would result in a Material Adverse Effect, i.e., whether such a breach would have “a material adverse effect on (a) [ABC Lending]’s ability to perform its obligations under the Purchase Documents, (b) Freddie Mac’s interests as an assignee, (c) a class or significant group of borrowers, and/or (d) Freddie Mac’s economic interests.” 

No. Under Section 2101.12(f)(2)(d), Seller/Servicers will be required to notify Freddie Mac of any change to its agreement with a Related Third Party that is likely to have a Material Adverse Effect, which is defined “as any event or circumstance having a material adverse effect on (a) the Seller/Servicer's ability to perform its obligations under the Purchase Documents, (b) Freddie Mac's interests as an assignee, (c) a class or significant group of Borrowers, and/or (d) Freddie Mac's economic interests.” Seller/Servicers will have to make a determination as to whether a change to its relationship with a particular Related Third Party is impactful enough (i.e., would likely have a Material Adverse Effect) that would require a notification to Freddie Mac.