I understand mortgage servicers need to perform Servicing Quality Control (QC) reviews on the FNMA, FHLMC, and GNMA loans that they, or their sub-servicer, service, but are mortgage servicers also required to perform Servicing QC on portfolio loans?


Yes.  The Consumer Financial Protection Bureau (CFPB) describes the management and audit functions it expects of mortgage servicers.  These management and audit functions apply to portfolio loans.  Residential mortgage servicers must ensure that the loans in their portfolio are serviced compliantly, without creating undue risks of harm to consumers.  The CFPB’s Compliance Management Review (CMR) Examination Procedures specifically provide the following:

“To maintain legal compliance, an institution must develop and maintain a sound compliance management system (CMS) that is integrated into the overall framework for product design, delivery, and administration across their entire product and service lifecycle. Ultimately, compliance should be part of the day-to-day responsibilities of management and the employees of a supervised entity; issues should be self-identified; and corrective action should be initiated by the entity.”

Additionally, part of what the CFPB requires for an effective compliance management system (CMS) is monitoring and/or audit.  The CFPB indicated that examiners should evaluate monitoring and audit programs to ensure they are commensurate with an institution’s size, complexity, and risk profile. 

Thus, although mortgage servicers may maintain some deference with regard to their portfolio loan servicing QC function, the requirement to maintain compliance certainly extends to servicing of these loans.  The expectation is that a servicer will both (i) identify issues and (ii) implement corrective action measures.  If servicers are not performing QC or loan file auditing on portfolio loans, they may not adequately identify and correct issues, which may result in harm to consumers.


The upcoming Christmas Day and New Year’s Day holidays both fall on a Sunday. How are the LE, CD and rescission timelines treated?


Since Christmas Day and New Year’s Day both fall on a Sunday, the “observed” holiday will be the Monday immediately after each holiday.

This “observed” day (Monday) is included in the CD and rescission timelines.

The precise definition of a business day, set out in §1026.2(a)(6) and Official Interpretation comment 2, means all calendar days except Sundays and the 6 floating and 5 fixed legal public holidays (New Year’s Day 1/1, Martin Luther King Jr.’s Birthday, Washington’s Birthday, Memorial Day, Juneteenth 6/19, Independence Day 7/4, Labor Day, Columbus Day, Veterans Day 11/11, Thanksgiving Day and Christmas Day 12/25). Because the fixed-date holidays are counted on their calendar dates, the Monday on which a Sunday holiday is observed remains a business day under this definition.

  • This rule applies to the delivery timelines of the Closing Disclosure and Right to Cancel.

The “observed” day (Monday) is excluded from the LE timeline only if your company is not open for business on that Monday.

The General Definition of a Business Day defined in §1026.2(a)(6) is “any day on which the creditor’s offices are open to conduct substantially all of its business functions”. 

  • This rule applies to the delivery timelines for the LE and any revised LE.
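The two counting rules above, worked through in code for the 2022/2023 Sunday holidays. This is an added example, not part of the original answer; the holiday calendar follows the list in the answer, and the sample office calendar (closed Saturdays, Sundays, and the observed Mondays) is an assumption. It also covers the rescission period, which uses the same precise-definition count as the CD.

```python
from datetime import date, timedelta
from typing import Callable, Set

# --- holiday helpers -------------------------------------------------------
def _nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence (1-based) of weekday (Mon=0 .. Sun=6) in a month."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))

def _last_weekday(year: int, month: int, weekday: int) -> date:
    """Last occurrence of weekday in a month."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)

def federal_holidays(year: int) -> Set[date]:
    """The 5 fixed and 6 floating legal public holidays, on their actual
    calendar dates (no 'observed' Monday is added)."""
    return {
        date(year, 1, 1),                 # New Year's Day
        _nth_weekday(year, 1, 0, 3),      # Martin Luther King Jr.'s Birthday
        _nth_weekday(year, 2, 0, 3),      # Washington's Birthday
        _last_weekday(year, 5, 0),        # Memorial Day
        date(year, 6, 19),                # Juneteenth
        date(year, 7, 4),                 # Independence Day
        _nth_weekday(year, 9, 0, 1),      # Labor Day
        _nth_weekday(year, 10, 0, 2),     # Columbus Day
        date(year, 11, 11),               # Veterans Day
        _nth_weekday(year, 11, 3, 4),     # Thanksgiving Day
        date(year, 12, 25),               # Christmas Day
    }

# --- the two definitions of "business day" ---------------------------------
def is_precise_business_day(d: date) -> bool:
    """Precise definition: every calendar day except Sundays and the
    legal public holidays. Saturdays and observed Mondays count."""
    return d.weekday() != 6 and d not in federal_holidays(d.year)

def sample_office_closed(d: date) -> bool:
    """ASSUMED creditor calendar: closed Sat/Sun and on the Mondays that
    observe Christmas 2022 and New Year's Day 2023."""
    return d.weekday() >= 5 or d in {date(2022, 12, 26), date(2023, 1, 2)}

def make_general_business_day(closed: Callable[[date], bool]) -> Callable[[date], bool]:
    """General definition: any day the creditor's offices are open."""
    return lambda d: not closed(d)

def add_business_days(start: date, n: int, is_business_day: Callable[[date], bool]) -> date:
    """Date that is n business days after start (start itself is day 0)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d

# --- the timelines from the answer -----------------------------------------
def earliest_consummation(cd_received: date) -> date:
    """Consummation no earlier than 3 precise business days after CD receipt."""
    return add_business_days(cd_received, 3, is_precise_business_day)

def rescission_period_ends(consummation: date) -> date:
    """Right to cancel runs 3 precise business days after consummation."""
    return add_business_days(consummation, 3, is_precise_business_day)

def le_due_date(application: date, is_open: Callable[[date], bool]) -> date:
    """LE due within 3 general (creditor-open) business days of application."""
    return add_business_days(application, 3, is_open)

if __name__ == "__main__":
    is_open = make_general_business_day(sample_office_closed)
    cd = date(2022, 12, 22)  # Thursday before Christmas weekend
    print("CD received", cd, "-> earliest consummation", earliest_consummation(cd))
    print("Application", cd, "-> LE due", le_due_date(cd, is_open))
```

Under the precise definition the observed Monday (December 26, 2022) is the third business day after a Thursday CD receipt, while the general definition pushes the LE deadline to Wednesday if the office is closed that Monday.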


Is it true New York amended its Community Reinvestment Act (CRA) to cover non-bank mortgage lenders and, if so, what does this mean?


Yes, effective November 1, 2022, New York amended its Community Reinvestment Act (CRA) to cover non-bank mortgage lenders licensed as Mortgage Bankers in NY.  NY’s Department of Financial Services (DFS) explained that “[t]he CRA is a law intended to encourage covered institutions to meet the credit needs of their whole communities including through the [DFS’s] evaluation of their lending activities.”  

The amendment requires that DFS take into consideration and assess the record of performance of the mortgage lender in helping to meet the needs of its entire community, including low and moderate income neighborhoods, whenever it reviews a license application, change of control, or any other application or notice the Superintendent determines to be applicable.

In completing the assessment, DFS will consider the mortgage lender’s:

  • VOOR filing data;
  • Activities conducted to ascertain the credit needs of the mortgage lender’s community, including the extent of its efforts to communicate with members of its community regarding the services it provides;
  • Marketing and special programs offered to make members of the community aware of the mortgage lender’s services;
  • Participation in community outreach, community development or redevelopment, and educational programs;
  • Participation by the mortgage lender’s Board of Directors, Advisory Committee, Managing Members or Executive Management or equivalent body or person, in formulating the mortgage lender’s policies and reviewing its performance;
  • Any practices intended to discourage application for types of credit offered by the mortgage lender;
  • The geographic distribution of the mortgage lender’s credit extensions, credit applications, and credit denials;
  • Evidence of prohibited discriminatory or other illegal credit practices;
  • The mortgage lender’s record of opening and closing offices and providing services at offices;
  • Participation in governmentally-insured, guaranteed or subsidized loan programs for housing;
  • The mortgage lender’s ability to meet various community credit needs based on its financial condition, size, legal impediments, local economic condition and other factors; and
  • Other factors that, in the judgment of the Superintendent, reasonably bear upon the extent to which a mortgage lender is helping to meet the credit needs of its entire community.

Results of the DFS’ assessment may be the basis for denying an application or amendment request.  The assessment may also be made available to the public upon request.

In addition to New York, Massachusetts and Illinois also apply CRA-type laws to non-depository mortgage lenders.


What is an Address Confidentiality Program (ACP) and why is it important to both the origination and servicing divisions of mortgage companies and financial institutions?


States created ACPs to protect victims of stalking, domestic violence, sexual assault, human trafficking, and other crimes from being located by individuals who intend to cause them harm. ACP programs conceal a participant’s real address by providing a mail forwarding service and giving participants a legal substitute address to use in place of their actual, physical address. Further, ACPs prohibit those with knowledge of a victim’s location information from disclosing it to other parties.

Originating lenders and servicers must develop policies and procedures addressing ACPs to ensure compliance.  Generally, lenders and servicers must know the physical address of their customers as part of their customer identification program (CIP).  However, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued guidance explaining that it understands the need to protect victim anonymity in these circumstances. In an effort to support state ACP requirements, FinCEN authorized the following exception:

A customer who participates in a state-created ACP shall be treated as not having a residential or business street address, and a secretary of state, or other state entity serving as a designated agent of the customer consistent with the terms of the ACP, will act as another contact individual for the purpose of complying with FinCEN’s rules. Therefore, an institution should collect the street address of the ACP sponsoring agency for purposes of meeting its CIP address requirement.

Investors and agencies, such as Fannie Mae and Freddie Mac, have also published guidance with regard to ACPs.   

Fannie Mae directs sellers/servicers to comply with all applicable requirements of state ACPs and for loans in which a borrower is enrolled in a state ACP:

  • Include both a property address and a legal substitute mailing address at loan delivery;
  • Report Special Feature Code (SFC 877) when delivering a loan to Fannie Mae;
  • For loans serviced, complete Fannie Mae’s post-purchase adjustment process within 5 days of receiving notification that a borrower enrolled in, or unenrolled in, one of these programs, and
  • Provide notice of program enrollment and the borrower’s mailing address to any transferee servicer upon the transfer of servicing rights.

Freddie Mac directs sellers to comply with all applicable federal and state laws related to ACPs and

  • Within 5 business days after the funding date of any mortgage for which the borrower is a participant in an ACP, email the following information to
    • Freddie Mac Loan Number
    • Borrower Name
    • Borrower ACP Mailing Address (including, when applicable, any lot number or required uniquely identifiable number)

Freddie Mac’s delivery instructions for ULDD Data Point Borrower Mail To Address Same As Property Indicator (Sort ID 572) indicate that “false” should be selected when the mailing address is not the same as the mortgaged premises and to add a reference to the notification requirement.


What is the Beneficial Ownership Information Reporting Rule and how does it affect my business?


On September 29, 2022, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a final rule establishing a beneficial ownership information reporting requirement.  FinCEN designed the rule to help stop criminal actors, such as money launderers and fraudsters, from using anonymous shell companies to hide illicit funds. 

Under the rule, which goes into effect on January 1, 2024, most corporations, limited liability companies, and other entities that are created (domestic companies) or registered to do business in the U.S. (foreign companies) will have to report information about their beneficial owners and company applicants to FinCEN.  Some types of legal entities, including certain trusts, are exempt from reporting.

The rule includes the following important definitions:

  • Beneficial Owner = any individual who, directly or indirectly, either (i) exercises substantial control over a reporting company, or (ii) owns or controls at least 25% of the ownership interests of a reporting company.
    • The final rule provides a detailed definition of “substantial control” and includes those serving as a senior officer and/or having substantial influence (directly or indirectly) over the important decisions of the company.
  • Company Applicants = (i) the individual who directly files the document that creates the entity, or in the case of a foreign reporting company, the document that first registers the entity to do business in the U.S., and (ii) the individual who is primarily responsible for directing or controlling the filing of the relevant document by another.

The rule requires entities to report the following information about each company applicant (only for entities created or registered after January 1, 2024) and about all beneficial owners (regardless of when the entity was created or registered):

  1. Name;
  2. Birthdate;
  3. Address; and
  4. Unique identifying number and issuing jurisdiction from an acceptable identification document (and the image of such document). 


Below are timing requirements for reporting:

[Table: Timing Requirements]

FinCEN advised that well in advance of the effective date, it will publish in the Federal Register for public comment the reporting forms that entities will use to comply with these reporting requirements.


With more and more states permitting permanent remote work, what are some best practices mortgage lenders should implement?


There are several best practices mortgage lenders should implement to compliantly permit employees to work remotely.  These include, but are not necessarily limited to:

  1. Ensuring the remote work location meets specific state requirements
    • Many states require the remote work location to be the loan originator’s residence and not a commercial space or a space leased by the Company.
  2. Maintaining a list of all remote work locations
    • Many states require and will likely request this list as part of examinations.
  3. Developing and adhering to a supervision plan for overseeing remote employees
    • States require lenders to develop written policies and procedures surrounding remote work. Policies and procedures should address, at a minimum, (i) acceptable remote work locations, (ii) information security and privacy requirements, (iii) training, and (iv) employee oversight and supervision methods, such as through meetings, compliance audits/inspections, and quality control reviews.
  4. Ensuring proper security protocols
    • States prohibit employees from maintaining customer records or documents at remote work locations.
    • Lenders must ensure equipment used at remote work locations and network access meet industry standards and specific state requirements.
  5. Training remote employees on permissible and impermissible activities
    • Employees must understand that they cannot meet with consumers at remote office locations or hold the locations out to the public through signage, advertising, business cards, or otherwise.
    • Employees must understand that customer records and other company data should not be stored at the remote office location.
  6. Monitoring
    • Licensees must ensure compliance with statutory requirements either through physical inspections or other forms of review and testing.


Does an approved mortgage lender need to report a loss in the Company’s net worth to Fannie Mae and/or HUD?


Yes, Fannie Mae and HUD require approved licensees to report the failure to maintain minimum financial requirements, such as net worth, minimum capital and minimum liquidity.

On August 1, 2022, Fannie Mae issued a Seller/Servicer Eligibility Reminder reminding approved Seller/Servicers of these requirements, which are detailed in Selling Guide A4-1-01. If a Seller/Servicer experiences a material decline in lender adjusted net worth, a decline in profitability, or a default under various obligations, Fannie Mae may declare a breach of the Lender Contract.  Typically, a decline is material if Lender Adjusted Net Worth declines by more than 25% over a quarterly reporting period or by more than 40% over two consecutive quarterly reporting periods.  A decline in profitability is four or more consecutive quarterly losses accompanied by a decline in Lender Adjusted Net Worth of 30% or more during the same period.  Fannie Mae advised seller/servicers to be especially mindful of the requirements measured by percentage decline, as they commonly are breached in adverse market environments.  Seller/Servicers should notify Fannie Mae of any anticipated breaches to eligibility requirements as soon as possible by emailing their assigned account team.

Additionally, HUD’s Handbook 4000.1(A)(7)(g) and (h) specify that if at any time a Mortgagee’s adjusted net worth or liquidity falls below the required minimum, the Mortgagee must submit a Notice of Material Event to FHA within 30 business days of the deficiency. The Mortgagee must submit a Corrective Action Plan that outlines the steps taken to mitigate the deficiency and includes relevant information, such as contributions and efforts made to obtain additional capital.

HUD also requires reporting of operating losses of 20% or greater of a licensee’s net worth.  To report the loss, a licensee must file a Notice of Material Event within 30 business days of the end of each fiscal quarter in which a Mortgagee experiences the loss. Following the initial notification, the Mortgagee must submit financial statements every quarter until it shows an operating profit for two consecutive quarters, or until it submits its financial reports as part of its recertification, whichever period is longer.


What is the Supplemental Consumer Information Form, when will it be required, and how does it relate to a lender collecting information about an applicant’s language preference during the loan origination process?


The Supplemental Consumer Information Form (“SCIF”) will be required as part of the application process for loans that will be sold to Fannie Mae and Freddie Mac. The purpose of the SCIF is to collect information about the consumer’s language preference and any homebuyer education or housing counseling that the consumer completed in the prior 12 months. Language preference choices on the form include: English, Chinese, Korean, Spanish, Tagalog, Vietnamese, or Other.  Responses by consumers to the preferred language question will be voluntary.  However, lenders will need to report any data collected from the SCIF to the appropriate agency (Fannie Mae or Freddie Mac) purchasing the loan.

Lenders must begin utilizing the SCIF and implement the reporting requirements for loans with application dates on or after March 1, 2023.

In July 2022, the Federal Housing Finance Agency, Fannie Mae, and Freddie Mac added the updated SCIF (Fannie Mae/Freddie Mac 1103) to the Mortgage Translations website. The form is available in English, Spanish, traditional Chinese, Vietnamese, Korean, and Tagalog.


With recent enforcement actions and the near certainty of more to come in the area of fair lending, what are three ways mortgage brokers and lenders can mitigate fair lending risk?


In October 2021, the U.S. Department of Justice announced an initiative for combatting redlining. Redlining is a discriminatory practice that involves withholding services to potential consumers who reside in neighborhoods with significant numbers of minorities. The CFPB has also issued recent advisories and enforcement actions, and, in March 2022, made changes to its supervisory operations to further target unfair discrimination in consumer finance.

Bottom line: Mortgage brokers and lenders must make fair lending a priority. There are numerous actions mortgage companies can take to prevent discrimination and mitigate redlining and other fair lending concerns. Here are three to consider immediately:

  1. Training – training employees to understand fair lending issues and concerns is critical. Training should include real-world examples so that employees recognize both outright discriminatory practices, as well as seemingly benign actions that may have unforeseen discriminatory effects. Fair lending training must be ongoing and should take into account current trends and issues, as well as highlight potential penalties for non-compliance, which can be severe.

  2. Marketing – in addition to training, mortgage brokers and lenders must actively review marketing material and strategies to ensure that (i) all types of consumers are adequately represented, and (ii) the Company is actually marketing to majority-minority neighborhoods (areas where one or more racial, ethnic, and/or religious minorities make up the majority of the local population). Branch locations, lead letter zip codes, and other locations of marketing efforts should all be considered. New, additional outreach efforts may involve conducting homebuyer education classes in underserved markets and participating in community-based events and opportunities.

  3. Responsibility/Accountability – appointing a Diversity Officer and/or maintaining a Fair Lending Committee helps to ensure fair lending remains a top priority. This individual/committee can help develop and implement a business strategy that focuses on community outreach in minority areas, and also keep the company focused and educated on fair lending concerns.

Lastly, a mortgage lender’s HMDA data provides a wealth of information related to fair lending activity. It should be assessed and evaluated regularly to help identify fair lending risk.


How can Internal Audit help a mortgage lender comply with the HMDA?


One objective of internal audit is to make sure that lenders have a compliant and robust fair lending program in place, which includes complete and accurate HMDA reporting. Internal auditors can review both a lender’s policies and procedures, as well as HMDA data for accuracy and completeness. An internal auditor’s assessment will include, but may not be limited to, a review of the following:

  • The process for analyzing and reporting HMDA data;

  • HMDA data integrity;

  • Actions taken as a result of findings; and

  • How policies and procedures are updated to address any process failures and inefficiencies.


Did Georgia recently amend its requirements with regard to background checks and its prohibition against employing felons?


Yes. Georgia recently revised its statute governing mortgage lenders and brokers to narrow the scope of the prohibition against employing felons. Previously, Georgia prohibited licensees from employing any individual with a felony conviction regardless of whether the individual worked in or on Georgia loans and regardless of the date of the conviction. The amendment revised language in the statute from “employee” to “covered employee,” which is defined as an employee of a mortgage lender or mortgage broker who is involved in residential mortgage loan related activities for property located in Georgia and includes, but is not limited to, a mortgage loan originator, processor, or underwriter, or other employees who have access to residential mortgage loan origination, processing or underwriting information. As such, Georgia no longer prohibits a licensee from employing a felon who is not involved in Georgia loans and does not have access to residential mortgage loan origination, processing or underwriting information.

Directors, officers, partners, owners, individuals that direct the affairs or establish policy for the licensee, as well as employees with access to loan origination, processing or underwriting information, are still subject to the felony prohibition. Thus, the felony prohibition remains broad.

Notably, with the revised definition of “covered employee,” Georgia now requires licensees to obtain background checks through the Georgia Crime Information Center (GCIC) on all employees involved in Georgia residential mortgage loan related activities, including but not limited to mortgage loan originators, processors, and underwriters, as well as other employees with access to residential mortgage loan origination, processing or underwriting information. The GCIC background check is no longer only applicable to employees that work in Georgia and enter, delete, or verify information on mortgage loan application forms/documents. Georgia licensees must review to ensure they are in compliance with this requirement or obtain the required background checks promptly.


What were some recent enforcement issues pertinent to mortgage lenders as set forth in the CFPB’s Spring 2022 Supervisory Highlights?


The CFPB detailed that it assessed the mortgage origination operations of several supervised entities for compliance with applicable federal consumer financial laws and found numerous violations of Regulation Z. Two of those violations are set forth below.

Compensating loan originators differently based on product type

In the preamble to the 2013 Loan Originator Final Rule, the CFPB explained that it is not permissible to differentiate compensation based on credit product type since products are simply a bundle of particular terms. Examiners found that certain lenders’ loan originator compensation agreements provided for higher loan originator compensation where Fannie Mae conforming fixed rate loans surpassed a designated threshold percentage of the total loans closed by the loan originator. The CFPB determined that paying higher commissions under these circumstances constitutes paying compensation based on credit product type, which, in turn, violates the Loan Originator Rule.

Insufficient documentation for changed circumstance

The CFPB noted that Regulation Z requires a creditor to provide the consumer with good faith estimates on the Loan Estimate for certain transactions. The closing cost estimates are generally considered to be in good faith if the amount paid by or imposed on the consumer does not exceed the amount originally disclosed. A creditor is permitted to use a revised estimate of a charge instead of the estimate of the charge originally disclosed to reset tolerances when there is a valid changed circumstance permitted by Regulation Z that resulted in the increased costs. One such valid changed circumstance is where the consumer requests revisions to the credit terms. For a creditor to successfully reset tolerances as permitted by Regulation Z, it must, among other things, maintain documentation explaining the reason for revision. Examiners found that certain lenders failed to retain sufficient documentation to establish the validity of the changed circumstance. Specifically, the lenders disclosed an appraisal fee on initial Loan Estimates and subsequently disclosed appraisal rush fees, in higher amounts, on revised Loan Estimates. The lenders claimed the consumers requested the rush appraisals. However, in each instance, the lender failed to maintain sufficient documentation evidencing the consumer’s request; in fact, the documentation maintained reflected that either the appraisal management company notified the lenders that a rush appraisal would be needed or the lenders’ loan officers requested the rush appraisal.


How does the recently enacted California Fair Appraisal Act (AB 948) affect mortgage lenders and when is it effective?


AB 948 became effective on January 1, 2022 and added several requirements to the California Business and Professions Code, including but not limited to:

  • Requiring the Bureau of Real Estate Appraisers (the “Bureau”) to (a) add a check box to its complaint form for complainants to indicate whether they believe their appraisal was below market value, and (b) collect and compile demographic information regarding complainants;

  • Requiring that any prospective licensee complete at least one hour of instruction in “cultural competency”; and

  • Prohibiting licensees from basing their analysis or opinion of market value of a home on certain enumerated protected bases (including race or “any other basis prohibited by the federal Fair Housing Act”).

Further, AB 948 requires that every real property purchase contract for the sale of residential real property signed after July 1, 2022, contain the below prescribed notice (in no less than 8-point font) and that such notice also be provided to applicants by the lender with the Loan Estimate when refinancing a first lien purchase money loan on residential real property. The notice, among other things, states that any appraisal of the property must be unbiased, objective and not influenced by improper considerations.


“Any appraisal of the property is required to be unbiased, objective, and not influenced by improper or illegal considerations, including, but not limited to, any of the following: race, color, religion (including religious dress, grooming practices, or both), gender (including, but not limited to, pregnancy, childbirth, breastfeeding, and related conditions, and gender identity and gender expression), sexual orientation, marital status, medical condition, military or veteran status, national origin (including language use and possession of a driver’s license issued to persons unable to provide their presence in the United States is authorized under federal law), source of income, ancestry, disability (mental and physical, including, but not limited to, HIV/AIDS status, cancer diagnosis, and genetic characteristics), genetic information, or age. If a buyer or seller believes that the appraisal has been influenced by any of the above factors, the seller or buyer can report this information to the lender or mortgage broker that retained the appraiser and may also file a complaint with the Bureau of Real Estate Appraisers at or call (916) 552-9000 for further information on how to file a complaint.”


Does FHA require specific training of a Company’s QC staff as part of its QC Plan?


Yes. A HUD approved mortgagee is responsible for ensuring that all QC staff are current on the FHA requirements for the FHA Loan Administration practices for which the Mortgagee is responsible.

In particular, HUD’s Handbook 4000.1(V)(A)(2)(b) specifies as follows:

The Mortgagee must ensure that its QC Plan provides for the following required reviews.

  • The Mortgagee must train all staff involved in FHA Loan Administration and QC processes to ensure that staff know all current FHA requirements for the FHA Loan Administration practices for which the Mortgagee is responsible.

  • The Mortgagee must maintain a list of all training provided to staff. For each training, the Mortgagee must include a summary of the content covered.

Additionally, the Mortgagee must provide all Loan Administration and QC staff with access to current FHA guidance including Handbooks, Mortgagee Letters (ML), Title I Letters (TI), Frequently Asked Questions (FAQ), and other guidance issued by FHA. The Mortgagee must confirm that all Loan Administration and QC staff have access to the internet or to hard copies of current FHA guidance.


We recently received a consent order as a result of a routine state examination. Do we need to report this state sanction to HUD?


Yes. HUD requires the timely notification of state sanctions, and the Mortgagee Review Board took numerous administrative actions against mortgagees in 2021 for HUD-approved mortgagees’ failure to notify HUD of state sanctions. Note, reporting is required even if the state sanction is publicly set forth on the NMLS Consumer Access website. The relevant HUD guideline is set forth below:

HUD’s Handbook 4000.1 (I. Doing Business with FHA, A. FHA Lenders and Mortgagees, 7. Post-Approval Changes, u. Unresolved Findings or Sanctions) specifies that the Mortgagee must ensure that its home office and each branch office have all licenses, registrations, or approvals required for the types of Mortgagee functions or activities performed by such office for the jurisdiction in which that office is located. A Mortgagee that has been refused a state license or been sanctioned by any state in which it will originate FHA Mortgages must disclose the circumstances of the refusal or Sanction and the resolution to FHA.


What is Internal Audit and is it a requirement for mortgage lenders?


Internal Audit is a function that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.

Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

1. Risk Assessment – an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, potential for fraud, experience of personnel, growth trends, and date of the last internal audit.

2. Policies and Procedures – an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place.

3. Audit Plan – a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed. The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas.

For more information, check out Fannie Mae’s Seller/Servicer Risk Self-Assessment for Internal Audit for tips, recommendations, and requirements that every Seller/Servicer should have in place as part of its internal audit program, or download MQMR’s Lenders Guide to Internal Audit.


What are a few vital IT Security controls that a mortgage lender should implement, and then test through internal audit to confirm they are functioning properly?


Now, more than ever, the prevention of data breaches and data loss is vital to any organization. From the all-too-common grip of ransomware (where an attacker encrypts a company’s business data and demands a monetary ransom), to the absence of appropriate IT controls and vendor oversight, business-critical data is clearly exposed to risk.

To best avoid exposing a company’s critical business data to risks, start with implementing these important prevention steps:

  • Up-to-date and Reputable Anti-Malware Software

    • Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.

    • All assets should be remotely monitorable and regularly scanned for malware.

  • Install the Latest Operating System Updates

    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.

    • Ensure that patch management for all assets can be remotely monitored, so that any assets missing patches can be identified and addressed.

  • Clean Desk Policies

    • Ensure that staff members are not writing down their network credentials (user name and passwords) on post-it notes at their desks.

    • If employees choose (or are allowed) to print materials for use in their home office, those materials must be secured and/or destroyed in accordance with established company guidelines to protect company data and any PII or NPI contained within them.

  • Off-site Data Redundancy

    • Ensure that critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site.

  • Change Management

    • Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.

  • Create and Update Policies and Procedures

    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.

    • Be sure to communicate any updates made to these documents as it relates to a remote work environment to employees, especially those that impact day-to-day operations, and provide additional training when and where necessary. Simply posting updated copies of these materials to a company intranet is not enough to ensure these materials have been received and understood.

  • Seek Reputable Vendors

    • Ensure all your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.

  • Assets

    • Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.

    • Force password changes on a frequent basis (at a minimum every 90 days).

    • Force lock computers when idle for a certain time period.

    • Remove local admin rights so that employees cannot install software without IT staff intervention.

    • Implement two-factor authentication.

    • Encrypt data both in transit and at rest.

  • Train Staff

    • Train staff on phishing, ransomware, and general IT security awareness. Basics, such as locking the computer when away, not leaving laptops in plain view in a parked car, and not propping open doors that may invite unsupervised visitors, are just a few commonsense reminders to cover in training.

    • Keep employees informed of new discoveries and helpful awareness tactics, including the prevalence of scams related to COVID-19 or recent headline news.

    • For lenders and title/settlement providers, reinforce adherence to standard wire transfer protocols to protect against fraud.

One can never be too secure, but starting with the short list above is a great step in the right direction.
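The question above asks not only which controls to implement but how internal audit can test that they are working. The script below is an added example (not part of the original FAQ or any vendor tool) of that test: it evaluates a constructed asset inventory export against the controls listed above and reports, per asset and per control, where a gap exists. The inventory columns, the review date, and every threshold except the 90-day password maximum stated in the text are assumptions chosen for illustration.

```python
"""Added example: evaluate a constructed asset inventory against the controls
listed above (anti-malware, patching, encryption, password age, idle lock,
local admin rights, two-factor enrollment). Column names and thresholds are
assumptions for illustration, not a real vendor export."""
import csv
import io
from datetime import date

# Thresholds assumed for this example; the 90-day password maximum is the
# one figure the text itself gives.
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
MAX_IDLE_LOCK_MINUTES = 15
AS_OF = date(2024, 6, 30)  # constructed review date

# Constructed inventory export (hypothetical columns, not real data).
INVENTORY_CSV = """asset_tag,owner,disk_encrypted,av_installed,av_signature_date,last_patch_date,password_last_set,idle_lock_minutes,local_admin,mfa_enrolled
LT-0001,jdoe,yes,yes,2024-06-29,2024-06-20,2024-05-01,10,no,yes
LT-0002,asmith,no,yes,2024-06-10,2024-04-02,2024-01-15,0,yes,no
LT-0003,bwong,yes,no,,2024-06-25,2024-06-01,15,no,yes
"""


def _days_since(value):
    """Age in days of an ISO date string relative to AS_OF; None if blank."""
    if not value:
        return None
    return (AS_OF - date.fromisoformat(value)).days


def evaluate_asset(row):
    """Return a list of (control, finding) tuples for one inventory row."""
    findings = []
    if row["disk_encrypted"].lower() != "yes":
        findings.append(("encryption", "disk not encrypted"))
    if row["av_installed"].lower() != "yes":
        findings.append(("anti-malware", "no anti-malware agent installed"))
    else:
        age = _days_since(row["av_signature_date"])
        if age is None or age > MAX_AV_SIGNATURE_AGE_DAYS:
            findings.append(("anti-malware", "signatures out of date"))
    age = _days_since(row["last_patch_date"])
    if age is None or age > MAX_PATCH_AGE_DAYS:
        findings.append(("patching", f"last patch {age} days ago"))
    age = _days_since(row["password_last_set"])
    if age is None or age > MAX_PASSWORD_AGE_DAYS:
        findings.append(("password", f"password age {age} days exceeds {MAX_PASSWORD_AGE_DAYS}"))
    idle = int(row["idle_lock_minutes"] or 0)
    if idle == 0 or idle > MAX_IDLE_LOCK_MINUTES:
        findings.append(("idle-lock", "idle lock disabled or longer than policy"))
    if row["local_admin"].lower() == "yes":
        findings.append(("least-privilege", "user holds local admin rights"))
    if row["mfa_enrolled"].lower() != "yes":
        findings.append(("mfa", "not enrolled in two-factor authentication"))
    return findings


def audit_inventory(csv_text):
    """Map asset_tag -> findings for every asset with at least one gap."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = evaluate_asset(row)
        if findings:
            results[row["asset_tag"]] = findings
    return results


def control_summary(results):
    """Count failing assets per control, so each control can be risk-rated."""
    counts = {}
    for findings in results.values():
        for control in {c for c, _ in findings}:
            counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    res = audit_inventory(INVENTORY_CSV)
    for tag, findings in res.items():
        print(tag)
        for control, msg in findings:
            print(f"  [{control}] {msg}")
    print("Failing assets per control:", control_summary(res))
```

In practice the inventory would come from the endpoint management and patch management consoles the list above says should be remotely monitorable; the audit value is in comparing that export against written policy thresholds rather than accepting a dashboard's own "compliant" flag.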


What type of data analysis should a mortgage lender perform when evaluating fair lending?


The following is a summary of the type of analysis a mortgage lender should perform:

Analyze lending applications and loan parameters for signs of discrepancies in any of the following areas:

  • Loan Approvals/Denials

  • Loan Pricing (Fees and Interest Rate)

  • Loan Program offerings and guidelines

Data analysis should first be performed for an organization’s portfolio as a whole. Basic data that can be found on a company’s Home Mortgage Disclosure Act (HMDA) Loan Application Register (LAR) Summary sheet can begin to tell a story. For example, you will learn the following:

  • What percentage of applications do you receive from each racial, ethnic, gender and age group? Are the percentages what you would expect based on the jurisdictions where you lend, and the population demographics in those jurisdictions?

  • Is there a particular group that performs worse than other groups, in terms of applications received, applications approved or denied, and loan pricing? If so, are there opportunities that present themselves to increase the applications coming in from that particular group, which could lead to more funded loans?

In addition to analyzing data from an overall portfolio perspective, a company should break down its data to the following levels:

  • Purchase loans vs. refinance transactions

  • Conventional loans vs. Government Loans

  • By Channel (retail vs. wholesale vs. correspondent, as applicable)

  • Geographic area (by region or state)

  • By Branch Office, as applicable

  • By broker, as applicable

If statistically significant disparities are uncovered for one or more protected classes, perform regression analysis to account for credit factors, such as the following:

  • FICO Score

  • Loan-to-Value Ratio (LTV)

  • Debt-to-Income Ratio (DTI)

If the regression analysis does not explain all of the statistically significant disparities that exist, identify matched pairs for comparative file review. A matched pair would be two customers, with similar credit profiles, who applied for loans in the same state, for approximately the same loan amount, where both customers should, based on their credit, be approved. And yet, a majority group customer was approved, and the minority group customer was denied. The goal of the comparative file review would be to explain why the majority group customer was approved, and the minority group customer was denied. If a legitimate, non-discriminatory reason can be found, that should be documented. If not, feedback should be provided to the appropriate staff, and the company should consider whether changes to policies and procedures may be needed to mitigate fair lending risk.
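The analysis above moves from portfolio-level approval rates, to a test of whether a disparity is statistically significant, to matched-pair selection for file review. The script below is an added example (not the original FAQ's material or any vendor's tool) that carries those steps through on a small constructed set of application records: it computes approval rates by group, applies a two-proportion z-test to the disparity, and selects matched pairs using the credit factors the text names (FICO, LTV, DTI) plus same state and similar loan amount. The record fields, group labels, and matching tolerances are assumptions for illustration, and the regression step is deliberately omitted.

```python
"""Added example: approval-rate disparity test and matched-pair selection over
constructed application records (not real HMDA data). Field names, group
labels and tolerances are assumptions for illustration."""
import math

# Constructed records: (app_id, group, state, loan_amount, fico, ltv, dti, approved).
# Group "A" stands in for the majority group and "B" for a protected class.
APPLICATIONS = [
    ("A1", "A", "TX", 250000, 740, 80, 36, True),
    ("A2", "A", "TX", 300000, 720, 85, 40, True),
    ("A3", "A", "CA", 450000, 760, 75, 33, True),
    ("A4", "A", "CA", 400000, 700, 90, 42, True),
    ("A5", "A", "FL", 200000, 680, 95, 44, True),
    ("A6", "A", "FL", 220000, 690, 80, 38, True),
    ("A7", "A", "TX", 180000, 710, 70, 30, True),
    ("A8", "A", "CA", 500000, 620, 97, 50, False),
    ("B1", "B", "TX", 260000, 735, 82, 37, False),
    ("B2", "B", "TX", 310000, 725, 83, 41, False),
    ("B3", "B", "CA", 440000, 755, 77, 35, False),
    ("B4", "B", "FL", 210000, 600, 96, 49, False),
    ("B5", "B", "FL", 230000, 685, 81, 39, False),
    ("B6", "B", "TX", 190000, 700, 72, 31, True),
    ("B7", "B", "CA", 420000, 710, 88, 41, True),
    ("B8", "B", "FL", 150000, 720, 60, 25, True),
]
FIELDS = ("app_id", "group", "state", "loan_amount", "fico", "ltv", "dti", "approved")


def as_records(rows):
    """Turn the tuples into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, r)) for r in rows]


def approval_rates(records):
    """Per group: (approved count, total applications, approval rate)."""
    stats = {}
    for r in records:
        approved, total = stats.get(r["group"], (0, 0))
        stats[r["group"]] = (approved + int(r["approved"]), total + 1)
    return {g: (a, n, a / n) for g, (a, n) in stats.items()}


def two_proportion_z(records, group_a, group_b):
    """z statistic for group_a's approval rate minus group_b's, using the
    pooled standard error; |z| >= 1.96 is the usual 5% significance cutoff."""
    rates = approval_rates(records)
    a_ok, a_n, a_rate = rates[group_a]
    b_ok, b_n, b_rate = rates[group_b]
    pooled = (a_ok + b_ok) / (a_n + b_n)
    se = math.sqrt(pooled * (1 - pooled) * (1 / a_n + 1 / b_n))
    return (a_rate - b_rate) / se


def find_matched_pairs(records, majority, minority,
                       fico_tol=20, ltv_tol=5, dti_tol=5, amount_tol=0.10):
    """(approved majority applicant, denied minority applicant) pairs in the
    same state whose FICO, LTV and DTI fall within the tolerances and whose
    loan amounts differ by at most amount_tol of the majority applicant's
    amount. Tolerances are assumptions, not regulatory values."""
    approved = [r for r in records if r["group"] == majority and r["approved"]]
    denied = [r for r in records if r["group"] == minority and not r["approved"]]
    pairs = []
    for m in approved:
        for d in denied:
            if (m["state"] == d["state"]
                    and abs(m["fico"] - d["fico"]) <= fico_tol
                    and abs(m["ltv"] - d["ltv"]) <= ltv_tol
                    and abs(m["dti"] - d["dti"]) <= dti_tol
                    and abs(m["loan_amount"] - d["loan_amount"]) <= amount_tol * m["loan_amount"]):
                pairs.append((m["app_id"], d["app_id"]))
    return pairs


if __name__ == "__main__":
    recs = as_records(APPLICATIONS)
    for g, (a, n, rate) in approval_rates(recs).items():
        print(f"group {g}: {a}/{n} approved ({rate:.1%})")
    z = two_proportion_z(recs, "A", "B")
    print(f"z = {z:.2f} ({'significant' if abs(z) >= 1.96 else 'not significant'} at 5%)")
    print("matched pairs for file review:", find_matched_pairs(recs, "A", "B"))
```

Note that the denied applicant B4 is not paired with anyone because its credit profile is far weaker than any approved majority applicant in the same state; that is the legitimate, non-discriminatory explanation the text says should be documented, while the four pairs that are returned are the files that warrant comparative review.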


As a mortgage lender, what are some common Fair Lending practices that should be put in place?


Below are three practices a mortgage lender should put in place when it comes to Fair Lending compliance:

  1. Implement a comprehensive Fair Lending Program, including each of the following elements:

    1. Implementing an enterprise-wide Fair Lending Policy/Program, and updating it annually, or more often as needed

    2. Designating a Fair Lending Officer for the organization

    3. Creating a Fair Lending Committee, with representatives from Executive Management and/or the Board of Directors. The Committee would address items such as:

      1. Status and results of company-wide Fair Lending training

      2. Review of Fair Lending data analysis reports to ensure all applicants are being treated fairly

      3. Monitoring of transactions for potential Fair Lending issues

      4. Performance of quarterly Fair Lending data analysis

      5. Development and memorialization of remediation plan(s) if fair lending assessments/reviews indicate a protected class has been adversely treated, including updating policies, procedures and/or internal controls

      6. Consumer complaints and/or litigation that involve allegations of discrimination

  2. Require Fair Lending Training for all employees, both at the time of hire and on at least an annual basis

  3. Review marketing initiatives and materials from all mediums, to ensure that applicants from all racial, ethnic, gender and age groups are encouraged to apply for credit


At times, lenders make exceptions to their established credit standards (e.g., lowering a rate or fee to match a competitor’s offer and thereby retain the consumer). Is it possible that fair lending risks arise as a result of a lender engaging in this type of activity?


Yes.  Although reducing a rate to meet the competition’s offer is permissible, it is important that these types of decisions are based on a legitimate business justification and that the lender maintains adequate documentation and oversight to avoid increasing fair lending risk. This would include those situations where the lender grants a pricing exception, as well as those situations where they deny a pricing exception.

A lender needs to have firm procedures with regard to pricing exception requests and handle such requests accordingly. The CFPB discussed this issue in its Supervisory Highlights several years ago.  Specifically, the CFPB stated:

“A lender may promote the availability of credit by providing credit to an applicant based on a lawful exception to the lender’s credit standards when exceptions practices are complemented by an appropriate system of fair lending compliance management. A strong compliance management system can also mitigate fair lending risk related to credit exceptions by adequately documenting the basis for the credit exception, monitoring and tracking exceptions activity, and controlling any resulting fair lending risk.”

Thus, any lender who makes exceptions to their credit standards should:

  1. Memorialize written policies and procedures for pricing exceptions (when allowed) and how they must be documented.

  2. Monitor and Audit to make sure these policies are followed.

  3. Train staff on the policies (not just basic fair lending training).

  4. Include pricing exceptions in the Fair Lending Analysis a lender performs to ensure there are no patterns of disparity.

Fair lending risk is not just limited to pricing exceptions, but also lender fee reductions, discretionary lender credits, and waivers of lock extension fees.  A lender should track all requests for these exceptions/reductions/credits and memorialize whether they are granted or denied.  This information will be invaluable if a lender needs to justify pricing discrepancies to a regulator down the road.


Are the pre-funding and post-closing Quality Control (QC) audits a mortgage lender performs sufficient to satisfy Fannie Mae’s Internal Audit (IA) requirement?


No, the QC audits and IA are separate Fannie Mae requirements.

Fannie Mae (as well as Freddie Mac, FHA, VA, etc.) requires a lender to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions. A QC audit generally reviews the end product, regardless of whether the process is credit or compliance focused. QC audits, which are a form of transactional testing, are narrower in scope than Internal Audits.

With Internal Audit, the focus is not necessarily on the end product, but rather the adequacy, soundness, and effectiveness of internal controls within a lender’s processes to ensure that the lender attains the end result sought while complying with applicable investor guidelines, laws and regulations and industry best practices.

As outlined in Fannie Mae’s Beyond the Guide, “an appropriate IA program should at a minimum include the following key elements: 

• An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.

• A risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.

• Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.

• A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.”

The number and frequency of audits should be commensurate with the size and complexity of the organization, but generally a single, non-continuous internal audit is not acceptable.


Are banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?


Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by a party that is both independent and qualified. While this does not mean an employee cannot perform the audit, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company’s designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities, and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the review should cover the Company’s written policies and procedures, the qualifications of the AML Officer, and the Company’s training materials and attendance logs.

In recent years, state regulators have begun examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, AML risk assessments, and independent AML audit results as part of examinations. Failure to maintain these documents can often result in an adverse finding. In addition, some states, such as California, Florida, Hawaii, New Jersey, and Texas, also maintain their own money laundering regulations.