Consumer Compliance Outlook: Second Issue 2019

Vendor Management Considerations for Flood Insurance Requirements*

By Danielle Martinage, Examiner, Federal Reserve Bank of Boston

Violations of the flood insurance provisions of Regulation H are among the most common compliance violations cited during Federal Reserve examinations.1 Banks are responsible for complying with the flood insurance provisions of Regulation H, but they often outsource essential functions of flood insurance responsibilities because of the complex regulatory requirements. Vendors can provide a cost-effective way for banks to utilize a third party’s knowledge and expertise. However, banks should understand the legal, operational, and reputational risks associated with these relationships because banks are ultimately responsible for complying with applicable laws and regulations. It is, therefore, important for banks to carefully manage their third-party vendors.2


This article discusses specific provisions of federal flood insurance requirements affecting loan origination and servicing as well as the potential risks vendors pose in these areas and sound practices to mitigate these risks. Specifically, this article reviews requirements, for commercial loans, that the contents of a building located in a special flood hazard area (SFHA) be adequately insured when both the building and the contents secure the loan. The article next examines using vendors to help comply with the requirement that a lender or servicer notify borrowers when a policy lapses or has insufficient coverage. Finally, it reviews the use of vendors for initial and life-of-loan flood insurance determinations.

Commercial Contents

Violations can occur when a bank engages vendors that lack awareness or understanding of the regulatory requirements for flood insurance. Failing to monitor the work performed by the vendor can exacerbate this risk.

Regulation H, 12 C.F.R. 208.25(c)(1), provides in relevant part that “[a] member bank shall not make, increase, extend, or renew any designated loan unless the building or mobile home and any personal property securing the loan is covered by flood insurance for the term of the loan.” The current limits under the National Flood Insurance Program (NFIP) are $500,000 for nonresidential structures and $500,000 for contents located in nonresidential structures.

According to Question 39 of the Interagency Questions and Answers Regarding Flood Insurance, “flood insurance is required for a building located in the [SFHA] and any contents stored in that building.”3 More specifically, contents coverage is required when the institution has a security interest in the building and its contents and when the contents are within a building located in an SFHA. Therefore, for buildings located within an SFHA, flood insurance on the contents of the building is required if the security instrument lists the building and its contents as security for the loan. The type of instrument used to secure the collateral (for example, a mortgage or a security agreement) does not determine if flood insurance is required. Instead, any instrument creating a security interest triggers flood insurance requirements. Similarly, the lien on the property does not need to be legally perfected for the flood insurance requirements to apply. The purpose of the lien also does not matter. Whether the security interest is taken as the primary source of collateral or as an abundance of caution, the flood insurance requirements are the same.

Outside attorneys providing settlement services for commercial transactions are considered vendors; they represent an out-sourced function of the bank. In some cases, settlement attorneys are responsible for drafting, or have license to alter, the security instrument. The bank’s failure to oversee this function increases the risk of violations. For example, although a bank may intend to secure the loan with real estate only, the institution’s settlement attorney may include language in the security instrument that references the institution’s security interest in “all inventory” or “all business assets.” This broad language can create a security interest in the building’s contents, triggering the requirement to obtain contents coverage. If the bank is unaware of this provision in the security agreement, the loan could close without the required flood insurance covering the contents. Further, if the bank fails to effectively monitor its portfolio of loans secured by property located in an SFHA, the contents may remain underinsured for an extended period. It is, therefore, important for the lender to carefully communicate with its outside counsel concerning the scope of the security agreement.

Force-Placed Coverage

Banks often use third parties to monitor loans secured by property with flood insurance, including tracking policy expirations, notifying borrowers when coverage will lapse, and force placing coverage, if necessary. One common violation noted during consumer compliance examinations is the third party’s failure to send a timely notice to the borrower that flood insurance coverage has lapsed. This practice may expose the bank to regulatory risk for failure to provide the required force placement notice.

Regulation H, 12 C.F.R. 208.25(g)(1), provides that, if a member bank, or a servicer acting on the bank’s behalf, determines that a “designated” loan (that is, a loan secured by a building or mobile home located in an SFHA for which flood insurance is available) does not have coverage or has an insufficient amount of coverage, the bank or its servicer must notify the borrower to obtain the required amount of flood insurance. If the borrower fails to do this within 45 days after the notice is sent, the bank or servicer must force place the insurance. The bank or its servicer may charge the borrower for the cost of premiums and fees incurred in purchasing the insurance. The Biggert–Waters Flood Insurance Reform Act of 2012 permits banks to begin charging for premiums or fees incurred for coverage beginning on the date on which the flood insurance coverage lapsed or did not provide a sufficient amount of coverage.4

Some banks rely on vendors to track policy expirations, provide the notice that the borrower must obtain flood insurance, and force place insurance, if necessary.

As a courtesy, some vendors send notices in advance of a policy expiring to remind the borrower to renew the policy. While this is a permissible practice, a bank or its servicer is still obligated to notify borrowers to obtain coverage once it learns that a policy lapsed or the amount of coverage is insufficient.

Policies issued under the NFIP provide a 30-day grace period during which an expired policy remains in effect, provided the policyholder renews the policy within 30 days of the policy expiration date.5 A vendor’s failure to notify the borrower of a lapsed policy increases the risk the borrower will be unable to renew the NFIP policy within the 30-day grace period, potentially leading to an extended period in which the property is uninsured or to the borrower paying a higher premium for a more costly force-placed insurance policy.

Initial Flood Insurance Determination and Life-of-Loan Monitoring

Some banks rely on vendors at loan origination to determine if a property securing the loan is located in an SFHA and to monitor if the Federal Emergency Management Agency (FEMA) changes the flood insurance rate maps for the property during the life of the loan.

Flood insurance regulations require that when a lender makes, increases, extends, or renews a designated loan, the borrower must purchase flood insurance in the required amount.6 If a bank relies on a vendor to determine whether flood insurance is required and the vendor erroneously determines it is not, the bank could originate a loan requiring flood insurance for which it failed to require the borrower to have insurance. Not only is this failure to require flood insurance a violation of Regulation H, but, in the event of a flood, the bank’s collateral could be damaged or destroyed, and the loss would not be covered by flood insurance.

Similarly, the National Flood Insurance Act directs FEMA to update flood maps every five years to reflect current conditions.7 If a lender hires a life-of-loan vendor to monitor whether a property securing a loan is later remapped into an SFHA and the vendor communicates the map change to the lender, the lender is required to ensure that flood insurance is obtained in accordance with the regulation. If the lender or its servicer fails to act on the vendor’s notification, the bank faces another violation of Regulation H. Once a lender learns that a designated loan lacks sufficient flood insurance, it must send a notice to the borrower to obtain insurance and force-place insurance within 45 days of notification, if necessary.8

Sound Practices

While institutions may rely on outside vendors, an institution is ultimately responsible for ensuring that outsourced activities are conducted in a safe and sound manner and comply with applicable laws and regulations. Therefore, institutions should adopt risk management processes commensurate with the scope and nature of their third-party relationships. The following are some practices that institutions may consider adopting to mitigate the risks associated with vendor management:

  1. Perform a risk assessment of the activity that will be outsourced, which should be updated periodically. Supervision and Regulation (SR) Letter 13-19/Consumer Affairs (CA) CA Letter 13-21 recommend determining if outsourcing is consistent with the business strategy of the organization. If so, management should consider:
    • The benefits and risks of outsourcing the activity as well as the risk of using a vendor;
    • Whether qualified vendors are available to perform the service, and
    • Whether the institution has the ability and expertise to oversee the relationship.
  2. Conduct due diligence. Vet the vendor properly to ensure that a qualified vendor is selected. Comprehensive research on the third-party vendor should include a review of its:
    • Business background, reputation, and strategy,
    • Financial performance and condition, and
    • Operations and internal controls.
  3. Include performance expectations in the service contract. A contract memorializes the parties’ obligations. Clearly setting forth performance expectations will help avoid misunderstandings.
  4. Conduct oversight and monitoring of third-party vendors to ensure they are operating effectively and in accordance with bank policies and regulatory requirements. The oversight process, including the level and frequency of management reporting, should be risk focused.

Specific issues or questions regarding flood insurance should be discussed with your primary regulator.

* This article previously appeared in the January 2019 issue of FedLinks: Connecting Policy with Practice, a Federal Reserve publication.


1 The federal agencies’ implementing regulations for the Flood Disaster Protection Act of 1973 are found at 12 C.F.R. 208.25 (Regulation H) for institutions supervised by the Federal Reserve Board (Board), 12 C.F.R. part 22 for institutions supervised by the Office of the Comptroller of the Currency, 12 C.F.R. part 339 for institutions supervised by the Federal Deposit Insurance Corporation, 12 C.F.R. part 614 (subpart S) for institutions supervised by the Farm Credit Administration, and 12 C.F.R. part 760 for institutions supervised by the National Credit Union Administration. This article refers to the flood insurance requirements of the Board’s Regulation H, but the other agencies’ regulations are substantially similar.

2 The Federal Reserve Board has issued guidance on managing vendor risk for the institutions it supervises. See Consumer Affairs Letter 13- 21, “Guidance on Managing Outsourcing Risk” (December 5, 2013), available at

3 See “Interagency Questions and Answers Regarding Flood Insurance,” 74 Fed. Reg. 35914 (July 21, 2009).

4 See 42 U.S.C. 4012A(e)(2); 12 C.F.R. 208.25(g)(1).

5 See

6 See 12 C.F.R. 208.25(c).

7 See 42 U.S.C. 4101(e).

8 See 12 C.F.R. 208.25(c)(1).