MQMR, a CMC Preferred Partner, guides mortgage lenders
through the complex regulatory environment.

CMC Patrons receive a 10% discount on MQMR's compliance, internal audit & advisory services as well as a 20% discount on Vendor Management software fees.

MQMR’s goal in every review is to elevate performance and promote accountability.

Vendor Management

HQ Vendor Management (HQVM) supports lenders in meeting their third party oversight requirements.

Servicing QC and Subservicer Oversight

Subsequent QC, LLC (“SQC”) is an audit solution that focuses exclusively on managing servicing risk through servicing quality control, subservicer audits, and servicing operational due diligence.

Compliance Support

MQMR assists lenders in developing, building, and maintaining a comprehensive compliance management system, including but not limited to AML audits, LO Comp review, advertising/marketing reviews, compliance audits, and developing policies & procedures.

Internal Audit

MQMR conducts internal audits to identify credit, regulatory, operational, financial, and reputational risks, and ensure seller/servicers are meeting their GSE internal audit requirements.

Frequently Asked Questions

1What is Internal Audit and is it a requirement for mortgage lender?
A: Internal Audit is a function within an organization that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.

Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

i. Risk Assessment - an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, potential for fraud, experience of personnel, growth trends, and date of the last internal audit.
ii. Policies and Procedures - an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place.
iii. Audit Plan - a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed. The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas.

2What is the difference between QC and Internal Audit?
A: A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in either their origination or servicing functions. A QC audit looks at the end product, regardless if the process is credit or compliance focused. Generally, you find that QC audits, which are basic forms of transactional testing, are narrower in scope than Internal Audits, which tend to be broader in scope. Internal Audits identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. When Internal Auditors test controls in a process, they are not necessarily looking at the end product like a QC audit, but rather looking at the controls within a process to ensure the end product is attained and all investor guidelines, laws and regulations and industry best practices are followed.
3Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?
A: Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by both an independent and qualified party. While this does not mean the audit cannot be performed by an employee, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the Company’s written policies and procedures should be reviewed as well as the qualifications of the AML Officer and the Company’s training materials and attendance logs.

In recent years, state regulators have commenced examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, as well as AML risk assessments and independent AML audit results as part of examinations. Failure to maintain these documents can oftentimes result in an adverse finding. Some states also maintain their own money laundering regulations, such as California, Florida, New Jersey, and Texas.

Most recently, on June 30, 2016, New York State’s Department of Financial Services (“NYADFS”) issued a final Anti-Terrorism Transaction Monitoring and Filtering Program regulation. The new regulation, which goes into effect January 1, 2017, requires regulated institutions (banks, check cashers and money transmitters) to maintain a Transaction Monitoring Program that monitors transactions for potential BSA/AML violations and Suspicious Activity Reporting. The regulated entities will have to annually submit a board resolution or senior officer compliance finding to the NYSDFS confirming the steps taken to ascertain compliance with this regulation. Nonbank mortgage lenders and originators are not currently covered by this regulation.

4As a Master servicer, am I required to perform loan level QC on my portfolio?
A: Yes, A lender must ensure that its sub-servicer is compliant with RESPA, TILA, investor guidelines, CFPB guidelines, FDCPA, UDAAP, and other state and federal laws and regulations. Fannie Mae and Freddie Mac require that all servicers have QC procedures in place but the decision on how to implement the QC procedures is left to the lender. FHA guidelines are much more explicit. Prior to being replaced by the HUD 4000.1 Handbook in September 2015, HUD Chapter 7-10 (page 13) outlined the servicing QC requirements for the various AOIs (areas of interest) that master servicers were required to audit on an ongoing basis. Loans selected for servicing reviews must be reviewed within 60 days from the end of the month in which the loan was selected.
5As a master servicer, am I required to perform an onsite review of my subservicer?
A: Yes. The CFPB, OCC, FDIC and GSEs require lenders to perform oversight on their vendors. As a master servicer, your subservicer should be considered a high-risk vendor and it is a best practice to perform on-site assessments on an annual basis. Operational assessments allow the master servicer to ensure that the subservicer has the proper written policies and procedures and internal controls to ensure the subservicer is complying with the various federal and state laws. In the event the master servicer does not have the servicing and vendor management subject matter experts to perform ongoing reviews, it is a best practice to outsource the oversight to third parties that do have the expertise.
6As a lender, am I required to audit my Document Custodian on a regular basis?
A: Yes, a lender should review a document custodian from a vendor management risk stand point. In addition, Ginnie Mae is explicit in its requirements for each issuer to review their Document Custodians. The Ginnie Mae MBS Guide (Chapter 6, 2000.04 Rev-2 CHG-20) requires an onsite Document Custodian audit by a seller-servicer at least annually if more than one Document Custodian is utilized. All Document Custodians must be audited within a three-year cycle. The review must be comprehensive because the Document Custodian is essentially a vendor of the pool issuer. When conducting an audit, at a minimum, the following areas should be addressed:

i. Deficiencies are identified and appropriately mitigated;
ii. Management and staff possess adequate knowledge to perform in a custodial capacity;
iii. The Document Custodian has established controls, policies and procedures;
iv. The Document Custodian meets the minimum requirements as determined by GNMA;
v. The Document Custodian is issuing Final Pool Certifications in a timely manner as required by GNMA;
vi. Recorded modified documents and reinstated loans have had documents inserted into the pool or removed from the pool; and
vii. A loan-level review from a selection of pools is conducted. Files must be reviewed to ensure that the collateral file is intact and contains all the necessary original documents and endorsements.

For most lenders, these areas are not a key area of expertise; therefore, outsourcing to third parties that have the expertise is a common practice. External auditors can be an effective way to ensure the Document Custodian is compliant with Ginnie Mae guidelines.

Case Studies & Testimonials



"We needed a solution, searched the market, and found that MQMR provided a robust platform, truly understood counterparty risk, and was willing to accommodate our needs. We are overly satisfied with MQMR and look forward to further refinement to our vendor management program."

- Jim Svinth, EVP of Enterprise Risk Management at LoanDepot


Case Study #1

Problem Statement: Lender-Placed Insurance caused a borrower’s PITI payment to double. To compound the problem, the borrower’s primary language is Spanish therefore the Lender-Placed Insurance letters (which were in English) went unanswered. The increase in the borrower’s PITI caused the borrower to default on the loan.

Approach: SQC identified the loan through a Customer Service audit. A review of the customer service call prompted an expanded review of the circumstances which lead to the Lender-Placed Insurance.

Results: The review of the Lender-Placed Insurance circumstances allowed SQC to create a “Red Flag” memo explaining the timeline of events and the circumstances that lead to the doubling of the borrower’s PITI to the client. The client was able to intervene with their Sub Servicer, obtain a less expensive hazard insurance policy for the borrower, which resulted in halting a foreclosure.

Criteria and Performance: This loan highlights SQC’s multidisciplinary approach. The loan was originally reviewed under an unrelated Area of Interest (Customer Service) but still identified Lender Placed Insurance defects. The Customer Service call was related to why the borrower’s payment increased. This prompted SQC auditors to review additional aspects of the loan which revealed a large increase in the borrower’s PITI. All SQC auditors are cross-trained on all AOIs. This additional experience allowed the SQC auditors to identify a problem in servicing that did not match any traditional servicing area, as no specific servicing guideline or compliance guideline was violated.


Collaborative Webinars


The Depth of Vendor Management

CMC and MQMR collaborated on a November, 2016 webinar discussing best practices of vendor management and third-party oversight.

Listen to Webinar Recording>>

Learn More About Our Partnership

CMC provides exclusive offerings and value-added services to mortgage lenders nationwide. Therefore, we work together with MQMR to bring tangible benefits to CMC’s cooperative membership. Our alliance with MQMR provides Patrons with a myriad of mortgage solutions, and supports CMC’s ongoing commitment to continue partnering with highly respected companies.

Have questions? Contact us for more details and information about CMC Patron pricing.

Andy Rucks

Vendor Relations Manager
T: 904.404.3557     M: 904.293.7350