In general, the third party maintains the documentation (for example, flood policy renewal docs, force placement letters, etc.). Management will, on a monthly basis, receive reports and perform a spot check on a sample of loans for oversight (requesting documentation as needed). Compliance (2nd line of defense) performs quarterly testing of compliance with the FDPA and also selects a sample of loans and requests documentation from the third party to verify compliance (for example, policy renewals, force placement letters, force placed policies, refunds, etc.). Internal Audit performs an audit on an annual basis as well. During the audit, besides ensuring our oversight processes (1st and 2nd lines of defense) are in place, we also perform our own independent substantive testing for compliance (selecting samples, requesting documentation from the third party) and also obtain the third party's procedures, verify they have a training program in place, etc.
_________________________
* My opinion is not necessarily that of my employer.