As a Fannie Mae Seller/Servicer, are we responsible for the actions of our third-party originators (i.e. brokers and correspondents)?

In a word, yes.

Third-party originations refers to the process of mortgage loans being completely or partially originated, processed, underwritten, packaged, funded, and/or closed by an entity other than the seller (or its parent, affiliate, or subsidiary) of the loan to Fannie Mae. This includes mortgage brokers and correspondent lenders, which are known as third-party originators (TPOs).

In its recently released list of Seller/Servicer Risk Self-Assessments, Fannie Mae reminds sellers that they remain fully responsible to Fannie Mae for functions that are outsourced to third parties. A seller must have effective written policies and procedures for the approval and management of TPOs and must satisfy itself that all TPOs produce quality loans. The 13 required items include:

  • Developing an approval process and controls for TPOs (mortgage brokers and correspondents) including reviews of recent financial statements, current licenses, resumes of principal officers and underwriting personnel, quality control procedures, background checks, and hiring practices;
  • Conducting an annual review of the TPO’s financial statements to determine that it is financially viable and capable of meeting its contract terms; and the oft-missed
  • Ensuring the post-closing quality control process includes a representative sample of the mortgage loans received from the TPO to ensure that those originations meet the lender’s standards for loan quality. Review cycles must be structured to ensure that transactions originated by each TPO are reviewed at least once annually.

What are some examples of quality control practices our company must have in place to comply with the Fannie Mae Selling Guide?

In its recently released list of Seller/Servicer Risk Self-Assessments, Fannie Mae included a quality control (QC) checklist that helps approved lenders ensure their QC meets the minimum requirements in the Fannie Mae Selling Guide.

This checklist includes sections on Governance/Authority, Defect Rate, Pre-funding QC, Post-Closing QC, Appraisals, Reporting, QC Vendor and Third-Party Originations.

We will detail one requirement below: “Defect Rate”.

Fannie Mae views defect rate as an effective way to establish loan quality targets to model the financial exposure created at a certain defect level. The concept of “zero defects” generally will be considered challenging to achieve, and Fannie Mae does not evaluate lenders by a zero-defect-rate standard. Instead, Fannie Mae expects lenders to set defect rate targets as reasonably low as possible based on a formal cost–benefit analysis of meeting that target and then demonstrate to Fannie Mae how they are managing loan quality to meet their established target.

In its Defect Rate checklist, Fannie Mae asks Seller/Servicers to affirm the following:

  • We have a target defect rate, at a minimum, for the highest severity level for our random, post-closing QC samples and documented rationale for establishing the target rate.
  • We review (at least annually*) our target defect rate to ensure it continues to meet our credit risk needs and is aligned with our loss reserves.
  • We understand the benefits and issues associated with:
    • Reporting a gross defect rate.
    • Reporting a net defect rate.
  • We have a set of standards for loan quality, including a methodology for categorizing loan defects based on severity; our highest level of severity is assigned to defect categories that result in the loan not being eligible as delivered to Fannie Mae.

As a Fannie Mae Seller/Servicer, why is vendor oversight important and what should it entail?

Fannie Mae requires its approved Seller/Servicers to have a vendor approval and management process. In addition, vendors and other third-party service providers deliver support for you and your clients and are, therefore, a representation of your brand.

Fannie Mae recently released several checklists as part of their Seller/Servicer Risk Self-Assessments, including one on Vendor and Third-Party Oversight. As a reminder of the importance of vendor oversight, Fannie Mae states, “It is critical that third-party relationships are managed in accordance with internal policies related to strategic, reputational, operational, transactional, credit, and compliance risks.”

It may be tempting to overlook the importance of vendor oversight since Fannie Mae’s checklist only includes 2 required items:

  • Processes and procedures for the approval of vendors and other third-party service providers.
  • Processes and procedures for the management of vendors and other third-party service providers.

However, those two items are pretty all-encompassing – not to mention the multitude of recommended checklist items Fannie Mae included to help lenders ensure their vendors and third-party service providers are staying compliant. Furthermore, Fannie Mae is not the only agency that requires lenders to conduct oversight of their vendors. The OCC, CFPB, FDIC, in addition to most state regulatory agencies, have issued regulations and/or guidance regarding vendor oversight and management, making this a mission-critical function for lenders to maintain compliance at all levels.

How do I know if my internal audit policies and procedures are meeting federal and agency requirements?

Fannie Mae recently released several checklists as part of their Seller/Servicer Risk Self-Assessments, and Internal Audit was one of the checklists that was included. Internal audits are an important risk mitigation tool that uncover operational inefficiencies and potential areas of risk within a lender’s organization. For that reason, it is important for seller/servicers to know that their Internal Audit policies and procedures satisfy federal and agency requirements and are effective for identifying risk.

According to Fannie Mae, the following is a list of requirements for an internal audit self-assessment checklist.

  • Internal Audit and management control policies and procedures are in place to evaluate and monitor the overall quality of loan production and the effectiveness of operations.
  • An internal audit process must be independent of all key functions of the loan manufacturing process and the servicing processes.
  • The internal audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions. In those situations, the seller/servicer’s audit plan must include the rationale for the lack of separation, and the controls in place to mitigate the risks associated with the lack of separation of these functions.
  • The internal audit lines of reporting must reflect the independence of the audit process at all levels, resulting in activities that are conducted in an unbiased manner and without quality compromises resulting from internal influences and/or conflicts of interest.
  • The internal audit function must not share any reporting lines with the functional areas that it reviews.
  • Internal audit procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
  • Internal Audit Director/Manager is free from responsibility over any business units.

Fannie Mae also included several recommended checklist items for seller/servicers reviewing or implementing new internal audit policies and procedures. In addition to publishing a checklist for developing Internal Audit Policies and Procedures, Fannie Mae also regularly conducts reviews to evaluate compliance with its guidelines and to assess operational risk. The Risk Self-Assessment also included common findings when internal audit policies and procedures are reviewed by Fannie Mae, as well as a list of required documentation for MORA reviews.

If we utilize outsourced service providers, such as contract underwriters and processors, are we required to check them against exclusionary lists?

Checking a contract underwriter or processor against exclusionary lists is certainly a best practice. However, it may not always be feasible to do – particularly if the lender is not made aware of the individual contract underwriter’s/processor’s name by the third party service provider that employs them. Below is a summary of Agency guidelines on this issue.

  • Fannie Mae indicates in its Selling Guide Chapter A3-3 that effective management procedures for third-party originations1 include review of the third-party originator’s hiring procedure for checking all employees involved in the origination of loans (including application through closing) against: (i) the U.S. General Services Administration Excluded Parties List, (ii) the HUD Limited Denial of Participation (“LDP”) List, and (iii) the Federal Housing Finance Agency Suspended Counterparty Program List.

  • HUD indicates in its Handbook 4000.1, Chapter II, A, 1, iii that a mortgagee may not contract with entities or persons that are suspended, debarred, or otherwise excluded from participation in HUD programs, or under a LDP that excludes their participation in FHA programs. HUD requires a mortgagee to ensure that it does not engage any contractors to perform any function relating to the origination of an FHA-insured Mortgage. Further, HUD indicates a mortgagee must check the System for Award Management (SAM) ( and must follow appropriate procedures defined by that system to confirm eligibility for participation.2

  • Freddie Mac indicates in its Seller/Servicer Guide Chapter 3101 that sellers/servicers must use the Freddie Mac Exclusionary List (“Exclusionary List”) to screen parties involved in the origination of the mortgage prior to the sale of each mortgage to Freddie Mac. Freddie Mac also requires sellers/servicers to establish and maintain procedures to ensure they do not employ or contract with individuals or entities listed on FHFA’s Suspended Counterparty Program (“SCP”) list. If a party whose name is on the Exclusionary List or SCP list is the borrower or played a role in the origination of a mortgage or the underlying real estate transaction, the mortgage is not eligible for sale to Freddie Mac.

1 Fannie Mae defines third-party origination as any loan that is completely or partially originated, processed, underwritten, packaged, funded, or closed by an entity other than the seller (or its parent, affiliate or subsidiary) that sells the loan to Fannie Mae. Note, Fannie Mae advised that if a seller enters into a contract with a third party known for the quality of its underwriting (such as a mortgage insurer) to help the seller in underwriting its mortgage originations, the loans will not be considered third-party originations.

2 HUD permits a mortgagee to utilize contractors to perform administrative and clerical functions, such as typing of mortgage documents, mailing out and collecting verification forms, ordering credit reports, and/or preparing for endorsement and shipping Mortgages to investors. HUD prohibits the use of contract underwriters.


I’m approved with Fannie Mae. What are Fannie’s requirements in relation to internal audit and management control of the QC process?

According to the FNMA Selling Guide, the seller/servicer must have internal audit and management control procedures to evaluate and monitor the overall quality of its loan production and servicing processes, as applicable. At a minimum:

  • The procedures must be independent of all key functions of the loan manufacturing process and the servicing processes that they review, so that such procedures provide an objective and unbiased evaluation that adds value and improves the seller/servicer’s operations.

  • The seller/servicer’s lines of reporting must reflect the independence of the audit process at all levels, resulting in activities that are conducted in an unbiased manner and without quality compromises resulting from internal influences or conflicts of interest.

  • The audit function must not share any reporting lines with the functional areas that it reviews.

  • The audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions. In those situations, the seller/servicer’s audit plan must include the rationale for the lack of separation, as well as the controls that have been established to mitigate the risks associated with the lack of separation of these functions.

  • The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

The Selling Guide also states that the lender must ensure that assessments and conclusions are recorded and consistently applied. The lender must also distribute results of the QC audit to senior management and include in this report an affirmative statement that no influence from other business units or bias in the QC conclusions was apparent. Management must then distribute findings to the appropriate areas within the organization and an action plan must be established for remediation or changes to policies or processes, as appropriate. The lender must provide a copy of the QC audits and the audit of the QC process to Fannie Mae upon request.

Although not stated in the Selling Guide, the 2020 Fannie QC Self-Assessment document references a requirement that the QC internal audit be performed annually. Specifically, the document states: “our senior management – a CEO and Board of Directors as applicable – are accountable and actively involved in: … ensuring that an independent audit of the QC process is conducted and, if appropriate, establishing an action plan for remediation or policy/procedure changes identified from such an audit. Results of the annual QC audit include an affirmative statement that no influence from other business units or bias in the QC conclusions was apparent.” Recent FNMA MORA exam results indicate this is a current area of focus and that Fannie is enforcing the annual requirement based solely on the language noted in the Self-Assessment document.

Have regulators issued any recent or updated guidance on Anti Money Laundering (“AML”) enforcement actions?

Yes. On August 13th, Federal banking regulators clarified that they generally do not issue cease-and-desist orders for minor deficiencies in a bank’s anti-money-laundering program or isolated violations of Bank Secrecy Act rules. In a joint statement, the Federal Reserve, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency and National Credit Union Administration (individually, “Agency,” and collectively, the “Agencies”) updated their guidance on how they evaluate violations of AML rules. “Violations or deficiencies in an institution’s BSA/AML compliance program communicated to the institution in a report of examination or through other written means that are determined to be isolated or technical are generally not considered problems that would result in a mandatory cease and desist order,” the Agencies said.

The Agencies also listed four pillars for an institution’s AML compliance program. They include:

  • Internal controls for ongoing AML compliance,
  • Independent testing,
  • Designating individuals to coordinate AML compliance and
  • Proper training for personnel involved AML compliance.

Financial institutions’ AML compliance programs must also include customer identification programs that ensure firms “form a reasonable belief” that they know the identity of their customers.

The guidance highlighted scenarios in which Federal regulators will issue cease-and-desist orders for AML violations. Financial institutions that lack a “reasonably designed” AML program or do not address previously reported AML problems could face the threat of such an order. For example, an institution will be issued a cease-and-desist order if it has deficiencies in the required independent testing component of the AML compliance program that are combined with signs of highly suspicious activity. Additionally, an institution that fails to take any action in response to criticism from an exam regarding a failure to appoint a qualified and effective AML Compliance Officer would also likely receive a cease-and-desist order. However, the Federal regulators said they will not issue cease-and-desist orders unless deficiencies in an AML compliance program are “so severe or significant as to render the BSA/AML compliance program ineffective when viewed as a whole.” In cases where an institution fails to address a previously reported problem, the Agencies said they will not issue a cease-and-desist order “unless the problems subsequently found by the Agency are substantially the same as those previously reported to the institution.”

Other formal or informal enforcement actions could still be taken in lieu of cease-and-desist orders and will “depend on the severity of the concerns or deficiencies, the capability and cooperation of the institution’s management, and the Agency’s confidence that the institution’s management will take appropriate and timely corrective action.”

Does my organization need a Mortgage Electronic Registration Systems, Inc. (“MERS”) Policy and Procedure and, if so, what should it entail?

If your organization utilizes MERS it should maintain a written policy and procedure documenting your organization’s internal requirements regarding MERS. When creating and implementing such policy and procedure, lenders should consider, among other things:

  • MERS Administration
    • Roles and Responsibilities
    • Corporate Resolution and Quarterly Attestations
    • Deactivation of Mortgages from MERS
  • MERS Registration
  • Servicing
  • Corporate Resolution Management System (CRMS) Procedures
    • QC Process for reviewing actions taken by MERS Signing Officers
    • Signing Officers certification and eligibility requirements
    • Process for reporting instances of signings occurred by non-officers
    • Managing user information
    • Annual Recertification Process
  • MERS Oversight and Reconciliation Procedures
    • Monthly, if the Bank services 1,000 or more active registered loans as of March 31st of the current year;
    • Quarterly, if the Bank services under 1,000 active registered loans as of March 31st of the current year.
  • Quality Control / Quality Assurance
  • MERS Annual Report
  • Adoption of the Policy and Procedures
  • Revision History

To safeguard from potential compliance violations, lenders should aim to create comprehensive policies and procedures, distribute the policies and procedures to relevant staff and management, and properly and regularly train applicable employees and vendors on their responsibilities under such policies and procedures.

How stringent do my advertising and social media policies and procedures need to be?

The simple answer is very stringent. Advertising and social media are integral parts of a business strategy in 2020 and beyond, as is the need for clear and complete policies and procedures. Advertisements are a commercial message in any medium that promotes, directly or indirectly, a credit transaction. Advertising may include, but is not limited to, direct mailers, postcards, press releases, social media (both sites and posts), websites, posters, flyers, brochures, billboards, radio and/or television announcements, postings in periodicals, and/or telephone solicitations. Lenders must ensure that all advertisements be truthful and non-deceptive or misleading. Further, advertisements must contain all applicable, required disclosures.

When creating and implementing advertising and social media policies and procedures, lenders need to consider, among other things:

  • Federal guidelines

  • State-specific guidelines

  • Company-specific guidelines

  • Internal controls, including oversight & monitoring (both manually and automated)

  • Crisis management

  • Training

  • Record retention

  • Brand reputation

With regard to social media, a lender is not only responsible for what its corporate accounts indicate, but may also be held accountable for advertising content on its employees’ and vendors’ accounts. To safeguard from potential compliance violations, lenders should aim to create comprehensive policies and procedures, distribute the policies and procedures to all staff, and properly and regularly train employees and vendors on their responsibilities under such policies and procedures.

Does HUD’s requirement for Approved Mortgagees to periodically monitor its “affiliates” include vendors and other third parties?

Yes, the Chapter V.A.2.ii of the HUD Handbook 4000.1 (the “Handbook”) defines “affiliates” to include contractors, agents, vendors, sub-servicers, and sponsored third party originators (“TPOs”) who participate in FHA programs on behalf of the FHA-approved Mortgagee. This may include, but is not necessarily limited to, appraisers, appraisal management companies, closing/settlement agents, title insurance companies, and marketing companies producing FHA advertisements. The Handbook indicates a Mortgagee must ensure its “affiliates” are eligible and properly trained to participate in FHA programs and that they adhere to FHA requirements when performing activities related to the Mortgagee’s FHA business.

At a minimum, affiliate monitoring must ensure that affiliates are not ineligible from participating in FHA programs by reviewing affiliates against the (i) Excluded Parties List using the System for Award Management (SAM) website and (ii) the Limited Denial of Participation List. Further, on an at least semi-annual basis, an approved mortgagee must re-verify its affiliates’ compliance with all applicable laws related to licensing, qualification, eligibility, or approval to originate or subservice FHA mortgages. This may include, but is not necessarily limited to, reviewing a subservicer’s or TPO’s licenses in NMLS, reviewing State bar sites for closing attorneys, and checking State Department of Insurance websites for title insurance companies/agents. For affiliates that originate, underwrite or service loans on behalf of the mortgagee, the mortgagee must also perform loan-level quality control reviews. A mortgagee must document the methodology used to review its affiliates, the results of each review, and any corrective actions taken as a result of the review findings. Affiliate review requirements and the procedures adopted to monitor affiliates should also be documented in a mortgagee’s Quality Control Plan.

Must a lender separately disclose (or itemize) the Appraisal Management Company’s (“AMC”) fee from the actual appraisal fee on the Loan Estimate (“LE”) and Closing Disclosure (“CD”)?

Yes, the TILA-RESPA Integrated Disclosure Rule (“TRID”) and commentary thereto specifically use the appraisal fee and the AMC fee as examples of fees that should be itemized separately on the LE and CD:

  • Loan Estimate12 CFR Part 1026.37(f)(2) requires under the subheading “Services You Cannot Shop For” an itemization of each amount, and a subtotal of all such amounts, the consumer will pay for settlement services for which the consumer cannot shop and that are provided by persons other than the creditor or mortgage broker.

    • The Official Interpretation to this section specifically uses the appraisal fee and AMC fee as examples of the services and amounts to be disclosed pursuant to this section. Further, Supplement I to Section 37(f)(2) requires creditors to label loan costs using terminology that describes each item using clear and conspicuous language that describes the service or administrative function the charge pays for in a manner that is reasonably understood by consumers.

  • Closing Disclosure12 CFR Part 1026.38(f)(2) indicates that under the subheading “Services Borrower Did Not Shop For” a creditor must include an itemization of the services and corresponding costs for each of the settlement services required.

In addition, while “property appraisal fees” are specifically excluded from the definition of a “finance charge” under1026.4(c)(7)(iv), AMC fees do not have such an exclusion. Lumping these fees together will likely result in an overdisclosure or underdisclosure of the APR. State regulators review for this requirement as part of examination procedures. Failure to itemize these fees may result in monetary penalties against a creditor, as well as refunds to the borrower, which could include the entire amount of the AMC fee for each loan funded during an Examination period.

How does the OCC differentiate between “high risk” and “low risk” third-party relationships, and how does the risk management process differ between these two categories?

OCC Bulletin 2013-29 defines “high risk” third-party relationships as “critical activities include significant bank functions (e.g., payments, clearing, settlements, and custody) or significant shared services (e.g., information technology) or other activities that:

  • Could cause a bank to face significant risk if the third party fails to meet expectations;

  • Could have significant customer impacts;

  • Require significant investment in resources to implement the third-party relationship and manage the risk; and/or

  • Could have a major impact on bank operations if the bank needs to find an alternate third party or if the outsourced activity has to be brought in-house.”

However, delivery of services deemed “critical activities” does not automatically categorize the relationship as “high risk.” It is the responsibility of bank management to evaluate the level of risk and complexity of each of its third-party relationships on a continual basis and adjust its risk management practices for each relationship in accordance with this assessment.

While the OCC expects banks to perform due diligence and ongoing monitoring for all third-party relationships, the level of this review may differ between “high-risk” and “low-risk” third-party relationships. The OCC expects a more comprehensive and rigorous oversight and management protocol for high-risk relationships, which should include robust, comprehensive, and appropriately documented due diligence, as well as ongoing monitoring. For low-risk relationships, bank management should follow previously-established policies and procedures developed by its Board of Directors for due diligence and ongoing monitoring.

Has FHA issued any guidance with regard to quality control (QC) requirements for early payment defaults (EPDs) in light of the COVID-19 pandemic and increased EPDs nationwide?

Yes, FHA recently issued a temporary waiver of its loan-level QC requirements for EPDs. The waiver suspends a mortgage lender’s requirement to select and perform QC reviews of all EPDs for May, June, and July 2020 QC selections.

FHA explained that it observed a significant increase in EPDs nationwide and believes that they are likely caused by loss of employment and/or income due to the public health emergency, rather than a result of non-compliance with FHA Single Family origination and underwriting requirements. Additionally, FHA noted that the federal CARES Act authorizes forbearance relief regardless of delinquency status, which may also cause EPDs.

I heard that HUD recently cited some FHA Approved Mortgagees for the use of a Borrower’s Authorization form with an expiration date. Is this true?

Yes. HUD has cited many lenders recently for the Borrower Certification expiring ninety (90) days after its execution. HUD requires a Borrower’s Authorization for Use of Information Protected under the Privacy Act with the required FHA consent language, signed and dated as indicated in Chapter II A D 1 (a) of the HUD Handbook 4000.1. The HUD Handbook 4000.1 indicates the following:

Borrower’s Authorization for Use of Information Protected under the Privacy Act

  • Standard. The Mortgagee must obtain the Borrower’s consent for use of the Borrower’s information for any purpose relating to the origination, servicing, loss mitigation, and disposition of the Mortgage or Property securing the Mortgage, and relating to any insurance claim and ultimate resolution of such claims by the Mortgagee and FHA.

  • Required Documentation. The Mortgagee must obtain a signed statement from the Borrower that clearly expresses the Borrower’s consent for the use of the Borrower’s information as required above.

It appears to be HUD’s position that a Borrower’s Authorization form with a specific expiration date (i.e. 90 days) is not aligned with the intended use of the document, which should not have an expiration date. Rather, the required consent language must survive past the origination and closing of the loan.

When should a mortgage lender issue a Notice of Incomplete Application?

In order to comply with ECOA notification requirements, a mortgage lender must generally notify an applicant of action taken (i.e. denial, approval, etc.) within 30 days of receiving a completed application. If, however, the application is incomplete regarding matters that the applicant can complete, a mortgage lender has the option of providing a notice of incomplete application (“NOIA”) to the applicant rather than issuing a denial or providing a counteroffer. A mortgage lender must provide the NOIA to the applicant within 30 days of receiving the incomplete application.

The NOIA must be written and must include the following:

  • Specify the information needed from the applicant;

  • Designate a reasonable period of time for the applicant to provide the information; and

  • Inform the applicant that failure to provide the information requested will result in no further consideration being given to the application.

If the applicant does not respond to the NOIA within the time period provided, the mortgage lender may close the file for incompleteness and will have no further ECOA notification obligations. If the applicant supplies the requested information within the designated time period, the mortgage lender shall take action on the application and notify the applicant of action taken within 30 days of receiving the completed application. It is considered a best practice for a mortgage lender to set up a mechanism to monitor ECOA notification timeframes with the use of software automation, exception reporting, and/or pipeline monitoring.

I read something recently about how the Consumer Financial Protection Bureau (“CFPB”) intends to apply the “abusiveness” standard in supervision and enforcement matters. What’s changed?

The Dodd-Frank Act is the first Federal law to broadly prohibit “abusive” acts or practices in connection with the provision of consumer financial products or services. Uncertainty as to the scope and meaning of “abusiveness” creates challenges for covered persons in complying with the law.

On January 24, 2020 the CFPB issued a policy statement providing a framework on how it intends to apply the “abusiveness” standard in supervision and enforcement matters. The policy statement indicates that, effective immediately, the CFPB will apply the following principles during supervision and enforcement activities:

  • Focus on citing or challenging conduct as “abusive” only when the harm to the consumer outweighs the benefit.
  • Generally avoid “dual pleading” of “abusiveness” and “unfairness” or “deception” violations arising from all – or nearly all – the same facts in favor of alleging “stand alone” “abusiveness” violations that clearly demonstrate the nexus between cited facts and the CFPB’s legal analysis.
  • Seek monetary relief for “abusiveness” only when there has been a lack of a good faith effort to comply with the law, except the CFPB will continue to seek restitution for injured consumers regardless of whether a company acted in good faith or bad faith.

The CFPB’s policy statement left open the possibility of engaging in a future rulemaking to further define the “abusiveness” standard.

What should a mortgage company do if it issues initial disclosures electronically, but the applicant fails to e-consent and open the package by the 3rd business day following receipt of the application?

Mortgage companies must have consent from an applicant to issue initial disclosures electronically.  The Electronic Signatures in Global and National Commerce Act (“E-SIGN Act”) requires a consumer to confirm his/her consent electronically and in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent .

If a mortgage company issues initial disclosures to an applicant by email but the mortgage company failed to obtain the applicant’s consent to receive disclosures via email prior to delivering the disclosures, then the mortgage company does not comply with the Loan Estimate or Good Faith Estimate delivery requirements, unless the mortgage company also provides the initial disclosures in a different manner that complies with the three (3) business day requirement.  As such, it is imperative that mortgage companies carefully monitor this area.  Mortgage companies should consider providing e-consent requests prior to initial disclosure packages whenever possible.  Additionally, mortgage companies must ensure that by the end of the third day following receipt of an application that they issue initial disclosure packages by mail or in-person in the event an applicant fails to e-consent and view the disclosures.

Chapter 96- Electronic Signatures in Global and National Commerce Subchapter I- Electronic Records and Signatures in Commerce, 7001(c)(1)

Does the CFPB have specific requirements regarding the content included in notices of servicing transfers?

Yes. In Section § 1024.33, Paragraph 33(b)(4) the CFPB requirements state, “The notices of transfer shall include the following information:

  • The effective date of the transfer of servicing.
  • The name, address, and a collect call or toll-free telephone number for an employee or department of the transferee servicer that can be contacted by the borrower to obtain answers to servicing transfer inquiries.
  • The name, address, and a collect call or toll-free telephone number for an employee or department of the transferor servicer that can be contacted by the borrower to obtain answers to servicing transfer inquiries.
  • The date on which the transferor servicer will cease to accept payments relating to the loan and the date on which the transferee servicer will begin to accept such payments. These dates shall either be the same or consecutive days.
  • Whether the transfer will affect the terms or the continued availability of mortgage life or disability insurance, or any other type of optional insurance and any action the borrower must take to maintain such coverage; and
  • A statement that the transfer of servicing does not affect any term or condition of the mortgage loan other than terms directly related to the servicing of the loan.”

The full list of additional CFPB mortgage servicing transfers requirements are outlined in the Real Estate Settlement Procedures Act (Regulation X).

I am a real estate licensee and I have a few questions related to the Coronavirus (COVID-19) crisis. First, my license is due for renewal this month. Are extensions going to be granted due to the pandemic? Second, are there any updates with respect to filing for unemployment benefits?

Real Estate License Renewal Extensions

An Executive Order (“EO”) that was recently issued by Governor Cuomo extended the time to renew a real estate license as a result of the Coronavirus (COVID-19) crisis. According to the EO, a real estate licensee whose license is due for renewal between now and May 7, 2020 is permitted to renew their license by June 7, 2020. The EO can be viewed by clicking here.

Unemployment Benefits Updates

On April 20, 2020, the New York State Department of Labor (the “DOL”) announced the launch of a new streamlined application for unemployment benefits. Additionally, the DOL has been deploying over 3,100 representatives who are solely dedicated to assisting with unemployment benefit needs 7 days a week.

Prior to the launch of the new system, individuals had to apply for traditional unemployment insurance (“UI”) and be rejected before applying for Pandemic Unemployment Assistance (“PUA”). This step is no longer required. The new application allows individuals to simply fill out one form to collect the correct benefits, without having to call the DOL.

The best way to apply is online by visiting The application will determine which program (UI or PUA) you should apply for based on the responses you provide, and then prompt you to answer program-specific questions. The DOL will then process your application and a representative will contact you directly if any additional information is needed. There is no longer a need to call the DOL to complete your claim. The DOL has also indicated that you should turn off any call-blocking filters during this time, as representatives are calling from private/restricted numbers.

With respect to individuals who have already applied for PUA, the DOL has indicated that you can check the status of your claim online by logging into your account on the DOL website. If it is still pending, no action is required. DOL representatives are working to process claims as quickly as possible. If you have applied for traditional UI and your claim has been denied, you can fill out the PUA application using the link that is in your account mailbox. If there is no link in your account mailbox, you can fill out a new PUA application.

If you have previously filed for UI and are waiting to be denied or have been unable to file for PUA, you should log in to your account. The system is automatically directing such individuals to the PUA application when they log back in.

If you have successfully filed a claim for UI or PUA benefits, you must continue to certify your claim weekly. This should be done both while your claim is pending and once it has been approved, by visiting

You should expect to receive your first payment about 2-4 weeks after applying. It takes about 2-3 business days for a payment to appear in your bank account once it is released from the DOL system.

It is important to remember that all claims filed will be backdated to the date on which you became unemployed and if you are eligible, you will be paid for all benefits to which you are entitled.

With so many companies moving to a remote work environment due to COVID-19, what IT security controls should my organization implement to protect our data and our clients’/customers’ information?

Working from home or another remote location has become the new norm for many in our industry. Now, more than ever, the prevention of data breaches and data loss is vital to lending organizations. From the all-too-common grasp of ransomware (when a hacker encrypts your business data for a monetary ransom), to the lack of appropriate IT controls and vendors, business critical data is clearly susceptible to risk. To best avoid exposing your critical business data to risks in a remote work environment, start with implementing these important prevention steps:

  • Use Up-to-date and Reputable Enterprise Grade Anti-Malware Software
    • Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.
    • If employees are using their personal device for work, this software should be installed on those devices as well, and any pre-existing malware software on those personal devices should be disabled and/or removed to ensure the efficacy of company-approved anti-malware software.

  • Install the Latest Operating System Updates
    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets. Also, only use operating systems that receive security updates (ex. Windows 10 and above or MacOS Mojave and above).

  • Establish Secure Mechanisms for Accessing Company Data Remotely
    • Virtual Desktop Infrastructures provide the most secure means of providing remote access to company data, though remote desktop over a virtual private network is the next best option. Regardless of the method deployed, companies need to ensure their chosen remote access solution is SOC-1 compliant and utilizes at least 256-bit encryption or higher. Further, companies should also leverage cloud-based data repositories for storage, as these allow employees to access needed materials in a secure environment that backs up to redundant site – whether on-premises or in the cloud – to maintain data integrity.

  • Clean Desk Policies
    • Ensure that your staff members are not writing down their network credentials (user name and passwords) on post-it notes at their desks or, in this case, their dining room tables, home offices or other communal spaces.
    • If employees choose (or are allowed) to print materials for use in their home office, said materials must be secured and/or destroyed in accordance with established company guidelines to protect company data and/or any NPPI contained within those materials.

  • Off-site Data Redundancy
    • Ensure that your critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site owned by your organization.

  • Create and Update Policies and Procedures
    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster, or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
    • Be sure to communicate any updates made to these documents as it relates to a remote work environment to employees, especially those that impact day-to-day operations, and provide additional training when and where necessary. Simply posting updated copies of these materials to a company intranet is not enough to ensure these materials have been received and understood.

  • Seek Reputable Vendors
    • Ensure all of your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.

  • Assets
    • Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.
    • Force password changes at a frequent basis.
    • Force lock computers when idle for a certain time period.
    • Remove local admin rights so that employees cannot install software without express permission from IT staff.
    • Implement two-factor authentication.
    • Use encryption for in transit and at rest.

  • Train Staff
    • Train your staff on the importance of phishing, ransomware, and IT security awareness, with emphasis on these elements in a remote work environment. Basics, such as locking the computer when away or not leaving laptops in plain view, are just a few common sense reminders to train your team.
    • Keep employees informed of new discoveries and helpful awareness tactics, including the prevalence of scams related to COVID-19.
    • For lenders and title/settlement providers, reinforce adherence to standard wire transfer protocols to protect against fraud.

  • Internet Connections
    • When possible, have employees use a hard-wired ethernet connection to access the Internet.
    • If WiFi is the only option, make sure employees are using at least WPA-2 encryption and only using their 2.4 GHz network to ensure optimal security and latency.

  • Compliance
    • Many states have issued guidance on temporary remote work environments. The NMLS has begun tracking these changes as part of its COVID-19 resource page. The document, which is being updated on an on-going basis, can be found here.

You can never be too secure but starting with the short list above is a great step in the right direction.

Are states making any changes to their licensing requirements in the wake of COVID-19?

In recent days, many state agencies have issued communications/guidance to licensees regarding temporary changes or adjustments to licensing requirements in response to the COVID-19 situation. For example, some states are temporarily waiving requirements for licensed entities to have a physical office open to the public during posted business hours. Others have suspended requirements that would prevent licensed loan originators from working from home or out of another remote location. However, not all state agencies have made or communicated changes, and the changes that have been made vary from state to state and may be subject to change, depending on how the current situation unfolds.

To help lenders stay informed the NMLS has begun tracking these changes as part of its COVID-19 resource page. The document, which is being updated on an on-going basis, can be found here.

What questions should lenders ask their vendors to assess the potential impact of coronavirus on service level/operations?

With concerns surrounding COVID-19 (a.k.a. coronavirus) intensifying, many companies have instituted domestic travel bans, which could impact the delivery of some services to lenders, such as on-site audits. Companies are also preparing for the possibility that employees will need to work remotely in the event that mandatory quarantines are required to slow the spread of infection. To assess how the response to conronavirus could impact service levels, lenders should ak their vendors the following questions:   

  • What steps is your organization taking to monitor the situation?  
  • Where is your workforce located geographically, and how will the coronoavirus impact each of your locations?
  • Does your organization have a telecommute policy in place, and if so, what does it entail? If not, what procedures is your organization putting in place in the event that telecommuting becomes necessary? 
  • Do you anticipate disruption in your own supply chain? If yes, how will it impact your ability to provide uninterrupted support, services or products to us? 
  • Will government-imposed travel ban restrictions impede your ability to provide uniterrupted support, services or products to us? If yes, please provide an explanation.
  • How are you addressing key person dependencies in your organization, and is cross-training included in that plan?
  • What is your organization’s disaster recovery plan in regards to IT and network infrastructure?
  • Has your organization conducted a service level risk assessment, and if so, how are you assessing those risks?

For additional information on how organizations should respond internally to coronavirus concerns, visit

Did Texas amend its requirements with regard to pre-qualifications and pre-approvals?

Yes.  On November 1, 2019, the TX Finance Commission adopted amendments regarding its conditional pre-qualification and conditional loan approval forms.

The amendments are meant to clarify when to use the forms and to make the content of the forms more uniform.  Specifically, the amendments explain that there is no requirement to issue a written confirmation of conditional pre-qualification or conditional loan approval.  However, in the event a mortgage lender does issue such written notifications to a consumer, it must utilize the appropriate prescribed form or an alternate form that includes all of the information found on the prescribed form.  Further, with regard to the pre-qualification form, the amendments are also meant to help emphasize to mortgage applicants that the form is not a loan approval or commitment to lend.

The amendments and requirements to use the amended forms become effective May 1, 2020.

Updated Conditional Pre-Qualification Letter

Updated Conditional Approval Letter

As a residential mortgage servicer in New Jersey, what do I need to know about the Mortgage Servicing Licensing Act?

In a recent bulletin, the New Jersey Department of Banking and Insurance (the “Department”) provided guidance on the Mortgage Servicers Licensing Act (the “Act”), which became effective on July 28, 2019. The Act requires non-bank mortgage companies servicing residential mortgage loans secured by property in New Jersey to become licensed as mortgage servicers unless exempt. Notably, the Act exempts companies licensed as Residential Mortgage Lenders or Correspondent Residential Mortgage Lenders under the New Jersey Residential Mortgage Lending Act. However, such entities must maintain the supplemental surety bond, fidelity bond and errors & omissions insurance coverage applicable to mortgage servicing. Calculations for required insurance policy amounts are based on the dollar volume of New Jersey residential mortgages serviced.

The bulletin indicated that beginning January 13, 2020, mortgage servicers must submit license applications through the Nationwide Multistate Licensing System & Registry (“NMLS”). The Department plans to begin issuing mortgage servicer licenses on or after April 13, 2020. Entities currently conducting business as mortgage servicers in New Jersey will be permitted to continue to do so provided they submit a Mortgage Servicer License application by April 13th. Entities that are not currently operating as mortgage servicers in New Jersey, that have been denied licensure by the Department, or that fail to submit an application between January 13 and April 13, 2020 and are not otherwise exempt from licensure will be prohibited from acting as a mortgage servicer in New Jersey until the Department issues a Mortgage Servicer License to them.

Violators of the law will be subject to civil penalties of up to $25,000 and can be charged with a third-degree crime.

I read something recently about changes to New York regulations related to reverse mortgages issued under FHA’s HECM program. What are the changes?

On December 6, 2019, Assembly Bill 5626 was signed into law by the governor and is set to take effect on March 5, 2020 (the “Act”). The Act places additional requirements on lenders and/or servicers who offer and/or service reverse mortgages under FHA’s HECM program in New York.

Most importantly, in order to make a HECM in New York, in addition to a mortgage lenders license, you’ll need a separate approval. There is no “grandfather” provision in the Act for current HECM lenders. The Act also prohibits a lender from engaging in any unfair or deceptive practices in connection with the marketing or offering of a HECM loan. Specifically, a lender shall not: (a) use the words “public service announcement” in any mailing, advertisement or writing; (b) use the words “government insured” or other similar language representing that HECM loans are insured, supported, and sponsored by any governmental entity in any mailing, advertisement or writing; or (c) represent that any such HECM is anything other than a commercial product.

In addition, the Act:

  • Requires HECM lenders to provide supplemental consumer protection material (the content and form of which shall be specified by the Superintendent of Financial Services) with any HECM solicitation mailed to a physical address within New York.
  • Requires HECM lenders to provide each applicant or potential applicant the telephone number and website address provided by HUD for the purpose of acquiring HECM counseling.
  • Requires both the HECM lender and the borrower to be represented by an attorney at closing, and each party must have at least one attorney present to conduct the closing.
  • Requires HECM lenders to provide a notice of duty of the borrower to pay certain property related expenses when equity in the property is low or depleted.
  • Outlines various other servicing and foreclosure related requirements.

Noteworthy, compliance with the Act is a condition precedent to foreclosing on a HECM and the failure to comply is a “complete” defense to a foreclosure action.

There are many other requirements in the Act not discussed above. For a complete version of the Act, click here.

Does Georgia have specific requirements with regard to a mortgage loan originator (“MLO”) acting under Temporary Authority (“TA”)?

Yes, effective January 9, 2020 the Georgia Department of Banking and Finance (the “Department”) requires the following with regard to Temporary Authority: 

    • All advertisements mentioning a MLO’s ability to act as an MLO in GA must “clearly and conspicuously” disclose that the MLO is operating under Temporary Authority in the state, is not currently licensed in GA, and has a pending application with the Department, which may be granted or denied.


    • A MLO purporting to operate under the TA must indicate “TAO,” “temporary authority to operate,” or a substantially similar designation next to the signature line on any document, application, or disclosure signed by the MLO in connection with any residential mortgage loan application, including but not limited to the negotiation of terms or the offering of a loan.


    • Any MLO who qualifies to operate under TA must submit proof to the Department of enrollment in a class to satisfy GA’s MLO education requirements, as well as registering to take the test as required by O.C.G.A. § 7-1-1004(f). Such proof shall be submitted to the Department within thirty (30) days of receipt of the MLO’s application. 


    • Mortgage companies must maintain in their journal of mortgage loan transactions clear identification regarding when any MLO utilizes TA at any point in the application or loan process, as well as the final status of the MLO’s GA license application.


    • Requires mortgage lenders and brokers sponsoring MLOs operating under TA to provide a written disclosure in at least 10-point bold-faced type to an applicant on the date the applicant signs an application or any disclosure, whichever occurs first. The disclosure must be signed by the applicant and must include the following language:
“The Georgia Department of Banking and Finance requires that we inform you that our company is licensed but the mortgage loan originator responsible for your loan is not currently licensed by the Georgia Department of Banking and Finance. The mortgage loan originator has applied for a mortgage loan originator license with the Georgia Department of Banking and Finance. Federal law (

12 U.S.C. § 5117

) authorizes certain mortgage loan originators to operate on a temporary basis in the state of Georgia while their application is pending. The Georgia Department of Banking and Finance may grant or deny the license. Further, the Georgia Department of Banking and Finance may take administrative action against the mortgage loan originator that may prevent such individual from acting as a mortgage loan originator before your loan closes. In such case, our company could still act as your broker or lender.” 

This disclosure provision becomes effective April 1, 2020.