Question

What are the amendments to the Safeguards Rule, do they apply to my company, and when do they go into effect?

Answer

The Safeguards Rule requires financial institutions (including mortgage lenders and brokers) to develop, implement, and maintain an information security program to protect customer financial information. In October 2021, the Federal Trade Commission (FTC) approved amendments to the Safeguards Rule in order to ensure the Rule keeps pace with current technology and addresses current risks.

The amendments require financial institutions to maintain a more detailed and comprehensive information security program. The amendments also provide greater clarity, including more specificity about the elements required for an information security program and additional definitions of terms like “multi-factor authentication,” “penetration testing,” and “security event.”

While some provisions went into effect in January 2022, other sections of the rule were set to go into effect on December 9, 2022. The FTC recently voted to extend the December 2022 effective date to June 9, 2023. The provisions of the updated rule specifically affected by the six-month extension include:

  1. designating a “qualified individual” to oversee the information security program and reporting to the Board in writing on the program at least annually;

  2. developing a written risk assessment that includes:

    1. criteria for the evaluation and categorization of identified security risks or threats;

    2. criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and

    3. requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks;

  3. limiting and monitoring who can access sensitive customer information through various safeguards;

  4. encrypting all sensitive information held or transmitted;

  5. training security personnel;

  6. developing an incident response plan;

  7. periodically assessing the security practices of service providers; and

  8. implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Despite the six-month extension, companies should not delay in addressing the new requirements as they will take time to develop and implement.

The FTC published a guide, FTC Safeguards Rule: What Your Business Needs to Know, which is a useful resource for complying with the Safeguards Rule.

Question

Are business purpose loans reported on the Mortgage Call Reports (MCR) and/or the HMDA LAR?

Answer

Business purpose loans are clearly excluded from the MCRs based upon the MCR definition of an application:

An application is an oral or written request for an extension of credit encumbering a 1-4 family residential property. Exclude any commercial/business/investment purpose encumbrances from reporting. Include inquiries or Pre-Qualification requests that result in denial of credit. The application date used is either (1) The date on the initial 1003 with the borrower’s signature; (2) The date of an oral request for extension of credit, with deference to the initial 1003; (3) Inquiries and Pre-Qualification requests, if declined, should use the denial date.

For HMDA purposes, an exclusion exists for loans that are primarily for business or commercial purposes unless the loan is also a home purchase loan, home improvement loan, or refinancing – in which case, it should be reported on the HMDA LAR.

1003.3(c)(10): The requirements of this part do not apply to: (10) A closed-end mortgage loan or open-end line of credit that is or will be made primarily for a business or commercial purpose, unless the closed-end mortgage loan or open-end line of credit is a home improvement loan under § 1003.2(i), a home purchase loan under § 1003.2(j), or a refinancing under § 1003.2(p);

Home Purchase Loan: a closed-end mortgage loan or an open-end line of credit that is for the purpose, in whole or part, of purchasing a dwelling. 12 CFR 1003.2(j)

Home Improvement Loan: a closed-end mortgage loan or an open-end line of credit that is for the purpose, in whole or part, of repairing, rehabilitating, remodeling, or improving a dwelling or the real property on which the dwelling is located. 12 CFR 1003.2(i)

Refinancing: a closed-end mortgage loan or an open-end line of credit in which a new dwelling-secured debt obligation satisfies and replaces an existing dwelling-secured debt obligation by the same borrower. 12 CFR 1003.2(p)