NYDFS’s New (and Expanded) Servicer Vendor Management ExpectationsOriginally proposed by the New York Department of Financial Services (NYDFS) in 2019 and constituting what the Mortgage Bankers Association has described as “the first major update to Part 419 since its adoption almost 10 years ago,” the new Part 419 of Title 3 of NYDFS regulations covers a range of significant issues impacting the servicing community. These changes include Section 419.11, which imposes significant vendor management expectations on financial services companies servicing borrowers located in the state of New York. With an effective date of June 15, 2020, time is of the essence for servicers to ensure their vendor management programs and processes meet NYDFS expectations.


Over the past decade, most financial service companies have comprehensively overhauled their enterprise vendor management programs to conform with federal regulatory expectations, such as those promulgated by the Office of the Comptroller of the Currency, the Bureau of Consumer Financial Protection (CFPB), and the Federal Deposit Insurance Corporation. As federal regulators have adopted a somewhat less aggressive approach under the current administration, state regulators, particularly NYDFS, have moved to fill the vacuum. While Section 419.11 incorporates aspects of existing federal regulatory guidance, it also includes elements likely not already incorporated into existing servicer vendor management programs. As such, bank counsel as well as impacted subject matter experts within the organization, such as enterprise risk management groups and servicing teams on the business side, must develop and implement a holistic internal review program. Perhaps equally importantly, the organization must preserve appropriate supporting documentation in preparation for the inevitable NYDFS requests for information.


Part 419 is intentionally designed to have extremely broad applicability and defines a “servicer” as “a person engaging in the servicing of mortgage loans in this State whether or not registered or required to be registered pursuant to paragraph (b-1) of subdivision two of Banking Law section 590.”  The definition of “servicing mortgage loans” is similarly broad and encompasses traditional mortgage servicing activity, reverse mortgage servicers, and entities that directly or indirectly hold mortgage serving rights.

Specific NYDFS Vendor Oversight Expectations

At the outset, it is important for a scoping purpose to understand the nature of the vendors NYDFS expects to be covered under Part 419. Section 419.1 defines “third-party provider” as “any person or entity retained by or on behalf of the servicer, including, but not limited to, foreclosure firms, law firms, foreclosure trustees, and other agents, independent contractors, subsidiaries and affiliates, that provides insurance, foreclosure, bankruptcy, mortgage servicing, including loss mitigation, or other products or services, in connection with the servicing of a mortgage loan.”  This is a very broad definition that, as discussed below, occasionally appears to run counter to some of the granular requirements of Part 419.11, which seem designed to apply specifically to legal services provided by traditional default firms.

Part 419.11 opens with the mandate that regulated entities must “adopt and maintain policies and procedures to oversee and manage third-party providers” in accordance with Part 419. Accordingly, even before the subpart numbering begins, regulated entities have their first process-based takeaway: The regulated entity should review each specific, individual mandate in Part 419 and confirm that it is expressly covered in an applicable policy and procedure. This chart or other tracking document should be separately maintained by the regulated entity in case it needs to be provided or used as a roadmap in discussions with NYDFS.

419.11(a) – Subsection (a) itemizes the basic components NYDFS expects to see in an effective oversight program: “qualifications, expertise, capacity, reputation, complaints, information systems, document custody practices, quality assurance plans, financial viability, and compliance with licensing requirements and applicable rules and regulations.” The good news is that each of these elements likely is already covered under vendor management programs designed to satisfy existing federal regulatory requirements.

419.11(b) – An additional component of the 419.11 vendor oversight program is furnished in subsection (b), which states “[a] servicer shall require third-party providers to comply with a servicer’s applicable policies and procedures and applicable New York and federal laws and rules.” There are two elements to this expectation. First, the “shall require” requirement is likely addressed through contractual provisions in the underlying contract between the regulated entity and the vendor. Second, the regulated entity vendor management program will need to include validation of this contractual provision. Again, however, this likely is already part of the regulated entity’s vendor management program.

419.11(c) – It is a foundational principle of financial services vendor management that a regulated entity does not evade liability merely by outsourcing a function to a vendor. Subsection (c) then serves only as a reminder for those regulated entities that might have felt any inclination to forget that rule: “A servicer utilizing third-party providers shall remain responsible for all actions taken by the third-party providers.”

419.11(d) – One of the most significant elements of 491.11 is the disclosure requirement in subsection (d): “A servicer shall clearly and conspicuously disclose to borrowers if it utilizes a third-party provider and shall clearly and conspicuously disclose to borrowers that the servicer remains responsible for all actions taken by third-party providers.” Here is the first provision in 419.11 that may well touch on a gap that currently is not covered by most regulated entity vendor management programs. Unlike the previous subsections discussed, this is not an oversight expectation, but an affirmative disclosure expectation. There is little guidance as of yet on how and where these disclosures must be made, but servicers must act proactively and aggressively to develop a strategy that not only makes these disclosures, but also makes them “clearly and conspicuously.” Note that regulated entities also will be working to make the separate Affiliated Relationship Disclosure under 491.13(a), if applicable, which may be folded into the 491.11(d) disclosure.

419.11(e) – NYDFS further injects itself into the vendor management process in 419.11(e) where it not only identifies the expected frequency of vendor reviews (not less than annually), but also six specific components that must be included in the vendor due diligence. Note that some of the elements set forth, such as preparation of foreclosure and bankruptcy documents (subsection (e)(1)), original document practices (subsection (e)(4)) and sanctions and disciplinary actions (subsection (e)(6)), seem designed with law firms in mind and may not be applicable to more traditional, non-legal vendors. Regardless, those regulated entities with programs that allow for 18-, 24- or 36-month review cycles for low-risk vendors will need to reassess and recalibrate those schedules in order to meet the NYDFS yearly review cycle expectation.

In terms of who performs the review, subsection (e) makes clear that the review may not be performed by representatives of the business: “The review shall be conducted by servicer employees who are separate and independent of employees who prepare foreclosure or bankruptcy affidavits, sworn documents, declarations, or other foreclosure or bankruptcy documents.” While the wording of subsection (e) is somewhat awkward (again it seems to focus on law firms as vendors), the call for independence is not a new requirement; OCC 2013-29, for example, included a requirement for “independent reviews.” Most larger regulated entities will already have their vendor oversight programs performed by independent risk management personnel but, where an entity does not have such a group, it either will need to create one or hire an independent vendor, such as outside counsel, to perform the necessary work.

419.11(f) – Establishment of appropriate and effective lines of communication is captured in the two elements of subsection (f). The first requires the regulated entity to communicate appropriate point of contact information to all its vendors so that they “have appropriate and reliable contact information for servicer employees who possess information relevant to the services provided by the third-party provider.” The second sentence is specifically aimed at law firms and requires regulated entities to “ensure foreclosure and bankruptcy counsel have an appropriate servicer contact to assist in legal proceedings and to facilitate loss mitigation questions on behalf of a borrower.” The creation and maintenance of escalation contacts is not new and, again, this should be an area already covered by regulated entities. However, this provides an opportunity for regulated entities to ensure all contacts are current and properly documented.

419.11(g) – Another precept of effective vendor management is that issues identified during oversight activities be remediated and, where appropriate, that action be taken against the vendor up to and including termination of the vendor. This expectation is captured in subsection (g), which states simply “A servicer shall take appropriate remedial steps if a servicer identifies any problems through the review required by subdivision (e) of this section or otherwise, including terminating its relationship with a third-party provider.” Again, this should already be part of the vendor management program of the regulated entity and should not require significant structure revision of the existing program.

419.11(h) – Finally, subsection (h) returns to the issue of interactions with and oversight of counsel and “those with the authority to fully dispose of the case concerning foreclosure proceedings.” The policies to be developed by the regulated entity must address three points identified by NYDFS. Specifically, they must (1) address “how notice will be provided to foreclosure attorneys and trustees regarding a borrower’s status for consideration of a loss mitigation option and whether the borrower is being evaluated for, or is currently in, a trial or permanent modification;” (2) “ensure that its foreclosure attorneys comply with the requirements of New York Civil Practice Law and Rules Section 3408 with regard to mandatory settlement conferences in residential foreclosure actions;” and (3) “ensure that its foreclosure attorneys comply with all applicable legal requirements including all relevant Administrative Orders of the Chief Administrative Judge of the Courts of New York.” For those regulated entities that manage law firms in a workstream outside of their traditional enterprise risk management programs, the personnel involved in that workstream will need to ensure their program also meets NYDFS requirements.


Any financial services company that believes it is subject to the requirements of Part 419 should ensure that an appropriate working group has been created to review the applicable vendor management requirements of 419.11. Institutional change, particularly at the enterprise vendor management level, does not occur immediately. It will take time to identify the relevant internal stakeholders, review the specific requirements of 419.11, determine the policy, procedure, or operating tool gaps that need to be filled, develop the measures necessary to fill those gaps, and then obtain all necessary operational approvals to implement those measures. With 419.11 now effective, NYDFS is empowered to audit and inspect regulated entities to ensure compliance with existing federal regulatory requirements. Servicers that have not yet finalized their approach to 419.11 are encouraged to do so as soon as possible.