Question

What were some recent enforcement issues pertinent to mortgage lenders as set forth in the CFPB’s Spring 2022 Supervisory Highlights?

Answer

The CFPB detailed that it assessed the mortgage origination operations of several supervised entities for compliance with applicable federal consumer financial laws and found numerous violations of Regulation Z. Two of those violations are set forth below.

Compensating loan originators differently based on product type

In the preamble to the 2013 Loan Originator Final Rule, the CFPB explained that it is not permissible to differentiate compensation based on credit product type since products are simply a bundle of particular terms. Examiners found that certain lenders’ loan originator compensation agreements provided for higher loan originator compensation where Fannie Mae conforming fixed rate loans surpassed a designated threshold percentage of the total loans closed by the loan originator. The CFPB determined that paying higher commissions under these circumstances constitutes paying compensation based on credit product type, which, in turn, violates the Loan Originator Rule.

Insufficient documentation for changed circumstance

The CFPB noted that Regulation Z requires a creditor to provide the consumer with good faith estimates on the Loan Estimate for certain transactions. The closing cost estimates are generally considered to be in good faith if the amount paid by or imposed on the consumer does not exceed the amount originally disclosed. A creditor is permitted to use a revised estimate of a charge instead of the estimate of the charge originally disclosed to reset tolerances when there is a valid changed circumstance permitted by Regulation Z that resulted in the increased costs. One such valid changed circumstance is where the consumer requests revisions to the credit terms. For a creditor to successfully reset tolerances as permitted by Regulation Z, it must, among other things, maintain documentation explaining the reason for revision. Examiners found that certain lenders failed to retain sufficient documentation to establish the validity of the changed circumstance. Specifically, the lenders disclosed an appraisal fee on initial Loan Estimates and subsequently disclosed appraisal rush fees, in higher amounts, on revised Loan Estimates. The lenders claimed the consumers requested the rush appraisals. However, in each instance, the lender failed to maintain sufficient documentation evidencing the consumer’s request; in fact, the documentation maintained reflected that either the appraisal management company notified the lenders that a rush appraisal would be needed or the lenders’ loan officers requested the rush appraisal.

Question

How does the recently enacted California Fair Appraisal Act (AB 948) affect mortgage lenders and when is it effective?

Answer

AB 948 became effective on January 1, 2022 and added several requirements to the California Business and Professions Code, including but not limited to:

  • Requiring the Bureau of Real Estate Appraisers (the “Bureau”) to (a) add a check box to its complaint form for complainants to indicate whether they believe their appraisal was below market value, and (b) collect and compile demographic information regarding complainants;

  • Requiring that any prospective licensee complete at least one hour of instruction in “cultural competency”; and

  • Prohibiting licensees from basing their analysis or opinion of the market value of a home on certain enumerated protected bases (including race or “any other basis prohibited by the federal Fair Housing Act”).

Further, AB 948 requires that every real property purchase contract for the sale of residential real property signed after July 1, 2022, contain the below prescribed notice (in no less than 8-point font) and that such notice also be provided to applicants by the lender with the Loan Estimate when refinancing a first lien purchase money loan on residential real property. The notice, among other things, states that any appraisal of the property must be unbiased, objective and not influenced by improper considerations.

Notice

“Any appraisal of the property is required to be unbiased, objective, and not influenced by improper or illegal considerations, including, but not limited to, any of the following: race, color, religion (including religious dress, grooming practices, or both), gender (including, but not limited to, pregnancy, childbirth, breastfeeding, and related conditions, and gender identity and gender expression), sexual orientation, marital status, medical condition, military or veteran status, national origin (including language use and possession of a driver’s license issued to persons unable to prove their presence in the United States is authorized under federal law), source of income, ancestry, disability (mental and physical, including, but not limited to, HIV/AIDS status, cancer diagnosis, and genetic characteristics), genetic information, or age. If a buyer or seller believes that the appraisal has been influenced by any of the above factors, the seller or buyer can report this information to the lender or mortgage broker that retained the appraiser and may also file a complaint with the Bureau of Real Estate Appraisers at https://www2.brea.ca.gov/complaint/ or call (916) 552-9000 for further information on how to file a complaint.”

Question

Does FHA require specific training of a Company’s QC staff as part of its QC Plan?

Answer

Yes. A HUD-approved mortgagee is responsible for ensuring that all QC staff are current on the FHA requirements for the FHA Loan Administration practices for which the Mortgagee is responsible.

In particular, HUD’s Handbook 4000.1(V)(A)(2)(b) specifies as follows:

The Mortgagee must ensure that its QC Plan provides for the following required reviews.

  • The Mortgagee must train all staff involved in FHA Loan Administration and QC processes to ensure that staff know all current FHA requirements for the FHA Loan Administration practices for which the Mortgagee is responsible.

  • The Mortgagee must maintain a list of all training provided to staff. For each training, the Mortgagee must include a summary of the content covered.

Additionally, the Mortgagee must provide all Loan Administration and QC staff with access to current FHA guidance including Handbooks, Mortgagee Letters (ML), Title I Letters (TI), Frequently Asked Questions (FAQ), and other guidance issued by FHA. The Mortgagee must confirm that all Loan Administration and QC staff have access to the internet or to hard copies of current FHA guidance.

Question

We recently received a consent order as a result of a routine state examination. Do we need to report this state sanction to HUD?

Answer

Yes. HUD requires timely notification of state sanctions, and the Mortgagee Review Board took numerous administrative actions against mortgagees in 2021 for HUD-approved mortgagees’ failure to notify HUD of state sanctions. Note that reporting is required even if the state sanction is publicly set forth on the NMLS Consumer Access website. The relevant HUD guideline is set forth below:

HUD’s Handbook 4000.1 (I. Doing Business with FHA, A. FHA Lenders and Mortgagees, 7. Post-Approval Changes, u. Unresolved Findings or Sanctions) specifies that the Mortgagee must ensure that its home office and each branch office have all licenses, registrations, or approvals required for the types of Mortgagee functions or activities performed by such office for the jurisdiction in which that office is located. A Mortgagee that has been refused a state license or been sanctioned by any state in which it will originate FHA Mortgages must disclose the circumstances of the refusal or Sanction and the resolution to FHA.

Question

What is Internal Audit and is it a requirement for mortgage lenders?

Answer

Internal Audit is a function that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.

Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

1. Risk Assessment – an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, potential for fraud, experience of personnel, growth trends, and date of the last internal audit.

2. Policies and Procedures – an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place.

3. Audit Plan – a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed. The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas.

For more information, check out Fannie Mae’s Seller/Servicer Risk Self-Assessment for Internal Audit about tips, recommendations, and requirements that every Seller/Servicer should have in place as part of its internal audit program or download MQMR’s Lenders Guide to Internal Audit.

Question

What are a few vital IT Security controls that a mortgage lender should implement, and how should it use internal audit to test that those controls are functioning properly?

Answer

Now, more than ever, the prevention of data breaches and data loss is vital to any organization. Whether through the all-too-common threat of ransomware (a hacker encrypts a company’s business data and demands a monetary ransom) or through inadequate IT controls and vendors, business-critical data is clearly at risk.

To best avoid exposing a company’s critical business data to risks, start with implementing these important prevention steps:

  • Up-to-date and Reputable Anti-Malware Software

    • Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.

    • All assets should be remotely monitorable and regularly scanned for malware.

  • Install the Latest Operating System Updates

    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.

    • Ensure that patch management for all assets can be remotely monitored, so that any assets missing patches can be identified and addressed.

  • Clean Desk Policies

    • Ensure that staff members are not writing down their network credentials (user name and passwords) on post-it notes at their desks.

    • If employees choose (or are allowed) to print materials for use in their home office, those materials must be secured and/or destroyed in accordance with established company guidelines to protect company data and any PII or NPI contained within them.

  • Off-site Data Redundancy

    • Ensure that critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site.

  • Change Management

    • Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.

  • Create and Update Policies and Procedures

    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.

    • Be sure to communicate any updates made to these documents as it relates to a remote work environment to employees, especially those that impact day-to-day operations, and provide additional training when and where necessary. Simply posting updated copies of these materials to a company intranet is not enough to ensure these materials have been received and understood.

  • Seek Reputable Vendors

    • Ensure all your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.

  • Assets

    • Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.

    • Force password changes on a frequent basis (at minimum every 90 days).

    • Force computers to lock when idle for a set period of time.

    • Remove local admin rights so that employees cannot install software without IT staff intervention.

    • Implement two-factor authentication.

    • Use encryption for data in transit and at rest.

  • Train Staff

    • Train staff on phishing, ransomware, and IT security awareness. Basics such as locking the computer when away, not leaving laptops in plain view in a parked car, and not propping open doors that may invite unsupervised visitors are just a few commonsense reminders to include in staff training.

    • Keep employees informed of new discoveries and helpful awareness tactics, including the prevalence of scams related to COVID-19 or recent headline news.

    • For lenders and title/settlement providers, reinforce adherence to standard wire transfer protocols to protect against fraud.

One can never be too secure but starting with the short list above is a great step in the right direction.
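The question asks how internal audit can test that these controls are actually working. The following is an added example (not code from the original page or from MQMR) of that kind of test: it evaluates a small, constructed endpoint inventory against several of the controls listed above (patch currency, encryption of devices holding NPI, local admin rights, two-factor enrollment, idle lock, and the 90-day password age) and produces per-asset findings plus a count of failures per control. The inventory field names, the sample records, the audit date and every threshold other than the 90-day password figure are assumptions.

```python
"""Added example: audit a constructed asset inventory against the IT controls above.
Field names, sample records, the audit date and all thresholds except the 90-day
password age are assumptions, not anything the original page specifies."""
from datetime import date

# Thresholds (assumptions for the example, except MAX_PASSWORD_AGE_DAYS from the page).
MAX_PATCH_AGE_DAYS = 30
MAX_PASSWORD_AGE_DAYS = 90
MAX_IDLE_LOCK_MINUTES = 15

# Constructed inventory records, shaped like an export from an endpoint-management tool.
ASSETS = [
    {"id": "LT-001", "type": "laptop", "last_patched": "2022-05-20", "encrypted": True,
     "local_admin": False, "mfa": True, "idle_lock_minutes": 10, "password_age_days": 40,
     "holds_npi": True},
    {"id": "LT-002", "type": "laptop", "last_patched": "2022-03-01", "encrypted": False,
     "local_admin": True, "mfa": True, "idle_lock_minutes": 0, "password_age_days": 120,
     "holds_npi": True},
    {"id": "PH-007", "type": "phone", "last_patched": "2022-05-28", "encrypted": True,
     "local_admin": False, "mfa": False, "idle_lock_minutes": 5, "password_age_days": 10,
     "holds_npi": False},
]

AS_OF = date(2022, 6, 1)  # constructed audit date


def check_asset(asset, as_of=AS_OF):
    """Return a list of (control, detail) findings for one asset; empty means it passes."""
    findings = []
    patch_age = (as_of - date.fromisoformat(asset["last_patched"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(("patching", f"last patched {patch_age} days ago"))
    if asset["holds_npi"] and not asset["encrypted"]:
        findings.append(("encryption", "holds NPI but storage is not encrypted"))
    if asset["local_admin"]:
        findings.append(("local_admin", "user has local admin rights"))
    if not asset["mfa"]:
        findings.append(("mfa", "two-factor authentication not enrolled"))
    # An idle lock of 0 minutes means the lock is disabled, which is also a failure.
    if not 0 < asset["idle_lock_minutes"] <= MAX_IDLE_LOCK_MINUTES:
        findings.append(("idle_lock", f"idle lock set to {asset['idle_lock_minutes']} minutes"))
    if asset["password_age_days"] > MAX_PASSWORD_AGE_DAYS:
        findings.append(("password_age", f"password is {asset['password_age_days']} days old"))
    return findings


def audit(assets, as_of=AS_OF):
    """Return per-asset findings and a count of failing assets per control."""
    per_asset = {a["id"]: check_asset(a, as_of) for a in assets}
    per_control = {}
    for findings in per_asset.values():
        for control, _ in findings:
            per_control[control] = per_control.get(control, 0) + 1
    return per_asset, per_control


if __name__ == "__main__":
    per_asset, per_control = audit(ASSETS)
    for asset_id, findings in per_asset.items():
        print(f"{asset_id}: {'PASS' if not findings else 'FAIL'}")
        for control, detail in findings:
            print(f"    {control}: {detail}")
    print("Failing assets by control:", per_control)
```

The per-control summary is the figure an auditor would carry into the report (for example, "one of three in-scope assets is outside the patch window"), while the per-asset detail is the evidence that supports remediation tickets under the change management control.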

Question

What type of data analysis should a mortgage lender perform when evaluating fair lending?

Answer

The following is a summary of the type of analysis a mortgage lender should perform:

Analyze lending applications and loan parameters for signs of discrepancies in any of the following areas:

  • Loan Approvals/Denials

  • Loan Pricing (Fees and Interest Rate)

  • Loan Program offerings and guidelines

Data analysis should first be performed for an organization’s portfolio as a whole. Basic data that can be found on a company’s Home Mortgage Disclosure Act (HMDA) Loan Application Register (LAR) Summary sheet can begin to tell a story. For example, you will learn the following:

  • What percentage of applications do you receive from each racial, ethnic, gender and age group? Are the percentages what you would expect based on the jurisdictions where you lend, and the population demographics in those jurisdictions?

  • Is there a particular group that performs worse than other groups, in terms of applications received, applications approved or denied, and loan pricing? If so, are there opportunities that present themselves to increase the applications coming in from that particular group, which could lead to more funded loans?

In addition to analyzing data from an overall portfolio perspective, a company should break down its data to the following levels:

  • Purchase loans vs. refinance transactions

  • Conventional loans vs. Government Loans

  • By Channel (retail vs. wholesale vs. correspondent, as applicable)

  • Geographic area (by region or state)

  • By Branch Office, as applicable

  • By broker, as applicable

If statistically significant disparities are uncovered for one or more protected classes, perform regression analysis to account for credit factors, such as the following:

  • FICO Score

  • Loan-to-Value Ratio (LTV)

  • Debt-to-Income Ratio (DTI)

If the regression analysis does not explain all of the statistically significant disparities that exist, identify matched pairs for comparative file review. A matched pair would be two customers, with similar credit profiles, who applied for loans in the same state, for approximately the same loan amount, where both customers should, based on their credit, be approved. And yet, a majority group customer was approved, and the minority group customer was denied. The goal of the comparative file review would be to explain why the majority group customer was approved, and the minority group customer was denied. If a legitimate, non-discriminatory reason can be found, that should be documented. If not, feedback should be provided to the appropriate staff, and the company should consider whether changes to policies and procedures may be needed to mitigate fair lending risk.
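As an added example (not code from the original page or from MQMR), the following runs the analysis sequence described above on a constructed set of loan-application records: denial rates by group for the portfolio as a whole, the same rates broken down by loan purpose, a comparison stratified by a coarse FICO/LTV/DTI credit tier (a simple stand-in for the regression step, which in practice would use a statistics package), and selection of matched pairs for comparative file review. The field names, the credit-tier thresholds, the matching tolerances and all records are assumptions.

```python
"""Added example: fair lending disparity analysis on constructed application records.
Field names, credit-tier thresholds, matching tolerances and the records themselves
are assumptions; stratification stands in for the regression step described above."""
from collections import defaultdict
from itertools import product

# Constructed records; "group" is the protected-class indicator taken from the LAR.
APPS = [
    # id, group, purpose, state, amount, fico, ltv, dti, denied
    ("A1", "majority", "purchase", "CA", 400_000, 760, 0.80, 0.35, False),
    ("A2", "minority", "purchase", "CA", 410_000, 758, 0.80, 0.36, True),
    ("A3", "majority", "purchase", "TX", 250_000, 650, 0.95, 0.48, True),
    ("A4", "minority", "purchase", "TX", 255_000, 655, 0.95, 0.47, True),
    ("A5", "majority", "refinance", "CA", 300_000, 720, 0.70, 0.30, False),
    ("A6", "minority", "refinance", "CA", 305_000, 725, 0.70, 0.31, False),
    ("A7", "majority", "refinance", "TX", 200_000, 700, 0.85, 0.42, False),
    ("A8", "minority", "refinance", "TX", 198_000, 702, 0.85, 0.41, True),
    ("A9", "majority", "purchase", "CA", 500_000, 790, 0.60, 0.25, False),
    ("A10", "minority", "purchase", "CA", 505_000, 788, 0.60, 0.26, False),
]
FIELDS = ["id", "group", "purpose", "state", "amount", "fico", "ltv", "dti", "denied"]
RECORDS = [dict(zip(FIELDS, a)) for a in APPS]


def denial_rates(records, key=lambda r: r["group"]):
    """Denial rate per key value (by default, per protected-class group)."""
    counts = defaultdict(lambda: [0, 0])  # key -> [denied, total]
    for r in records:
        counts[key(r)][1] += 1
        if r["denied"]:
            counts[key(r)][0] += 1
    return {k: denied / total for k, (denied, total) in counts.items()}


def by_segment(records, segment):
    """Denial rates per group within each value of a segment field (purpose, state, channel...)."""
    segments = defaultdict(list)
    for r in records:
        segments[r[segment]].append(r)
    return {s: denial_rates(rs) for s, rs in segments.items()}


def credit_bucket(r):
    """Coarse credit tier from FICO, LTV and DTI; the cut-offs are assumptions."""
    fico = "fico>=740" if r["fico"] >= 740 else "fico<740"
    ltv = "ltv<=80" if r["ltv"] <= 0.80 else "ltv>80"
    dti = "dti<=43" if r["dti"] <= 0.43 else "dti>43"
    return (fico, ltv, dti)


def stratified_rates(records):
    """Denial rate per group within each credit tier. A disparity that survives
    this control for credit factors is the kind the regression step must explain."""
    return by_segment([dict(r, bucket=credit_bucket(r)) for r in records], "bucket")


def matched_pairs(records, amount_tol=0.05, fico_tol=10):
    """Pairs in the same state and credit tier, with similar FICO and loan amount,
    where the majority applicant was approved and the minority applicant was denied."""
    majority = [r for r in records if r["group"] == "majority" and not r["denied"]]
    minority = [r for r in records if r["group"] == "minority" and r["denied"]]
    pairs = []
    for m, n in product(majority, minority):
        same_state = m["state"] == n["state"]
        close_amount = abs(m["amount"] - n["amount"]) <= amount_tol * m["amount"]
        close_credit = (abs(m["fico"] - n["fico"]) <= fico_tol
                        and credit_bucket(m) == credit_bucket(n))
        if same_state and close_amount and close_credit:
            pairs.append((m["id"], n["id"]))
    return pairs


if __name__ == "__main__":
    print("portfolio:", denial_rates(RECORDS))
    print("by purpose:", by_segment(RECORDS, "purpose"))
    for bucket, rates in stratified_rates(RECORDS).items():
        print("credit tier", bucket, rates)
    print("matched pairs for comparative file review:", matched_pairs(RECORDS))
```

On the constructed data the portfolio-level gap (20% versus 60% denial) persists within two credit tiers, and the matched-pair step hands the reviewer two files (A1/A2 and A7/A8) in which applicants with near-identical credit, state and loan amount received different decisions; those are the files whose outcomes the comparative review must either justify and document or escalate.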

Question

As a mortgage lender, what are some common Fair Lending practices that should be put in place?

Answer

Below are three practices a mortgage lender should put in place when it comes to Fair Lending compliance:

  1. Implement a comprehensive Fair Lending Program, including each of the following elements:

    1. Implementing an enterprise-wide Fair Lending Policy/Program, and updating it annually, or more often as needed

    2. Designating a Fair Lending Officer for the organization

    3. Creating a Fair Lending Committee, with representatives from Executive Management and/or the Board of Directors. The Committee would address items such as:

      1. Status and results of company-wide Fair Lending training

      2. Review of Fair Lending data analysis reports to ensure all applicants are being treated fairly

      3. Monitoring of transactions for potential Fair Lending issues

      4. Performance of quarterly Fair Lending data analysis

      5. Development and memorialization of remediation plan(s) if fair lending assessments/reviews indicate a protected class has been adversely treated, including updating policies, procedures and/or internal controls

      6. Consumer complaints and/or litigation that involve allegations of discrimination

  2. Require Annual Fair Lending Training for all employees, both at the time of hire and at least annually thereafter

    1. Status and results of company-wide Fair Lending training

  3. Review marketing initiatives and materials from all mediums, to ensure that applicants from all racial, ethnic, gender and age groups are encouraged to apply for credit

Question

At times, lenders make exceptions to their established credit standards (i.e. lower a rate or fee to match a competitor’s offer and thereby retain the consumer).  Is it possible that fair lending risks arise as a result of a lender engaging in this type of activity?

Answer

Yes.  Although reducing a rate to meet the competition’s offer is permissible, it is important that these types of decisions are based on a legitimate business justification and that the lender maintains adequate documentation and oversight to avoid increasing fair lending risk. This would include those situations where the lender grants a pricing exception, as well as those situations where they deny a pricing exception.

A lender needs to have firm procedures with regard to pricing exception requests and handle such requests accordingly. The CFPB discussed this issue in its Supervisory Highlights several years ago.  Specifically, the CFPB stated:

“A lender may promote the availability of credit by providing credit to an applicant based on a lawful exception to the lender’s credit standards when exceptions practices are complemented by an appropriate system of fair lending compliance management. A strong compliance management system can also mitigate fair lending risk related to credit exceptions by adequately documenting the basis for the credit exception, monitoring and tracking exceptions activity, and controlling any resulting fair lending risk.”

Thus, any lender who makes exceptions to their credit standards should:

  1. Memorialize written policies and procedures for pricing exceptions (when allowed) and how they must be documented.

  2. Monitor and Audit to make sure these policies are followed.

  3. Train staff on the policies (not just basic fair lending training).

  4. Include pricing exceptions in the Fair Lending Analysis a lender performs to ensure there are no patterns of disparity.

Fair lending risk is not just limited to pricing exceptions, but also lender fee reductions, discretionary lender credits, and waivers of lock extension fees.  A lender should track all requests for these exceptions/reductions/credits and memorialize whether they are granted or denied.  This information will be invaluable if a lender needs to justify pricing discrepancies to a regulator down the road.

Question

Are the pre-funding and post-closing Quality Control (QC) audits a mortgage lender performs sufficient to satisfy Fannie Mae’s Internal Audit (IA) requirement?

Answer

No, the QC audits and IA are separate Fannie Mae requirements.

Fannie Mae (as well as Freddie Mac, FHA, VA, etc.) requires a lender to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions. A QC audit generally reviews the end product, regardless of whether the process is credit or compliance focused. QC audits, which are a form of transactional testing, are narrower in scope than Internal Audits.

With Internal Audit, the focus is not necessarily on the end product, but rather the adequacy, soundness, and effectiveness of internal controls within a lender’s processes to ensure that the lender attains the end result sought while complying with applicable investor guidelines, laws and regulations and industry best practices.

As outlined in Fannie Mae’s Beyond the Guide, “an appropriate IA program should at a minimum include the following key elements: 

• An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.

• A risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.

• Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.

• A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.”

The number of audits and frequency should be commensurate with the size and complexity of the organization but generally a single, non-continuous internal audit is not acceptable.

Question

Are banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?

Answer

Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by a party that is both independent and qualified. While this does not mean an employee cannot perform the audit, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company’s designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities, and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the review should cover the Company’s written policies and procedures, the qualifications of the AML Officer, and the Company’s training materials and attendance logs.

In recent years, state regulators have begun examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, AML risk assessments, and independent AML audit results as part of examinations. Failure to maintain these documents can often result in an adverse finding. In addition, some states, such as California, Florida, Hawaii, New Jersey, and Texas, maintain their own money laundering regulations.