What are Fannie Mae’s new loan selection recommendations for a mortgage lender’s risk based monthly Pre-Funding Quality Control (QC) selections?


Fannie Mae recently enhanced its pre-funding quality control requirements.  Fannie Mae’s March 1, 2023 updates (D1-2-01, Lender Pre-funding Quality Control Review Process) introduced new recommendations for a lender’s monthly pre-funding QC loan selection criteria.

Fannie Mae requires that Pre-Funding QC reviews target areas that the lender identifies as having a higher potential for errors, misrepresentation, or fraud.  Fannie Mae sets forth the following targeted areas for a lender’s consideration in this regard.

  • Loans with characteristics or circumstances related to errors or defects identified in prior pre-funding and post-closing review results;
  • Loans with complex income calculations (for example, rental income, self-employed, and short history of receipt of income);
  • Loans requiring the use of non-standard processing or underwriting guidelines (for example, delayed financing, multiple financed properties, assets used as income, or manual reserve calculations);
  • Loans secured by properties located in areas with high delinquency rates or areas experiencing rapid increases or decreases in property values;
  • Loans with flags and messages that indicate potential overvaluation or appraisal quality issues on appraisals scored through Collateral Underwriter;
  • Loans with multiple layers of credit risk, such as high LTV ratios, low credit scores, or high DTI ratios;
  • Loans originated or processed through various business sources, a particular branch office, staff person, contractor, third-party originator, or appraiser;
  • Loans that test the effectiveness of action plan controls;
  • Loans originated or processed by newly hired loan officers, processors, appraisers, or other personnel or third parties involved in the loan origination process; and
  • Loans for which the feedback or results from third-party tools indicate potential areas of concern.

Please note that these are suggestions from Fannie Mae and not an exclusive list.


What are a mortgage lender’s responsibilities with regard to detecting and preventing appraisal discrimination?


Appraiser discrimination is a significant concern for mortgage lenders today.  In recent months, various agencies, including the CFPB and HUD, issued guidance and/or encouraged consumers to come forward to report incidents of suspected appraisal discrimination.  Further, alongside appraisers, mortgage lenders have been named as defendants in lawsuits alleging appraisal discrimination.


Although appraisers – and the appraisals they produce – must be independent, there are steps mortgage lenders can take to help detect and prevent appraisal discrimination and the risks associated therewith.  Below are some best practices mortgage lenders should consider implementing in this regard:


  • Train employees, particularly mortgage loan originators, to identify concerns and/or complaints surrounding appraisal discrimination and to promptly escalate them to management. Such training should be in addition to the general fair lending training periodically required of all employees.
  • Log all appraisal complaints and requests for reconsideration of value (including resolutions and results) and review periodically for concerning trends or patterns.
  • Ensure underwriters thoroughly review appraisal reports for discriminatory pictures and/or comments. This may include photographs of the applicant or inappropriate comments about the neighborhood.
  • Follow all agency guidelines with regard to appraisals and appraisal assessments.
  • Utilize web-based tools, such as Collateral Underwriter or Loan Collateral Advisor, as appropriate, to analyze appraisal reports.
  • Perform quality control or internal audits of appraisals that include comparing the assigned value against similar properties in the area. In the event of discrepancies in value, review the demographic information of the applicant for potential concerns.
  • Develop and implement written policies and procedures surrounding appraisals, including detailed reconsideration procedures. Applicants should be made aware that they may request reconsiderations of value (ROV).  ROV requests should be considered in all instances and a consistent process should be established and followed.  Lenders should maintain a log documenting the reason(s) for granting or rejecting the request.
  • Include appraisal issues, including discrimination, as a topic of discussion at Board, Risk Management, and/or Compliance committee meetings.


Fannie Mae recently updated the seller/servicer reporting requirements related to the Office of Foreign Assets Control (OFAC) regulations. What does the update entail and when does it take effect?


Fannie Mae updated OFAC reporting requirement to align with current reporting requirements for anti-money laundering (AML) violations. Updated reporting requirements are mandatory as of May 1, 2023.  Below are the reporting requirements with new requirements in bold:

A seller/servicer:

  • Must establish and maintain an effective OFAC compliance program;
  • Must report all instances of penalties (civil or criminal) or enforcement actions for compliance failures or violations related to OFAC requirements to Fannie Mae’s Ethics division;
  • May not deliver a loan to Fannie Mae if any borrower is on one of the sanctions lists maintained by OFAC; and
  • Must periodically screen the loans that it services for Fannie Mae against OFAC’s sanctions lists. If the servicer identifies a valid match, the servicer must
    • Notify Fannie Mae Ethics via email within 24 hours of blocking or rejecting a mortgage transaction, including in the notice the borrower’s name, Fannie Mae loan number, and a point of contact at the servicer. Upon receipt of the notice, a representative from Fannie Mae will contact the servicer to discuss the match and any potential next steps.
    • Take steps to ensure that any funds from the individual or entity on an OFAC sanctions list are blocked and segregated, including any escrow funds.
    • Take steps to ensure that all servicing activities on the loan cease. This includes, but is not limited to,
      • Remittance of P&I payments to Fannie Mae,
      • Payments to taxing authorities,
      • Payments to property and flood insurers,
      • Payments to mortgage insurers,
      • Collection activities, including performing property inspections,
      • Loss mitigation activities, and
      • Foreclosure


What are some useful resources and/or job aids mortgage lenders should share with their employees to assist in training on how to identify and prevent mortgage fraud?


It is critical for mortgage lenders to continuously train staff on detection and prevention of mortgage fraud. Employees should be familiar with the types of red flags they are likely to encounter when fulfilling their position responsibilities and understand that suspicion of mortgage fraud must always be reported to the Compliance Officer or other designated individual within the company.

There is a wealth of resources mortgage lenders can utilize to assist in training employees in this area. Two key resources include Fannie Mae and Freddie Mac. It would be considered a best practice recommendation for mortgage lenders to require employees to review and familiarize themselves with the following:

  • Fannie Mae Mortgage Fraud Prevention webpage – includes a fraud alerts section sharing potential and active mortgage fraud scenarios, as well as a common red flags list and fraud schemes section. The webpage also provides an explanation of Desktop Underwriter potential red flag messages and anti-fraud tutorials.
  • Freddie Mac Fraud Prevention webpage – includes a fraud prevention spotlight highlighting specific and current fraud scenarios, as well as a fraud prevention and best practices page.


How can a mortgage lender ensure it maintains an effective, independent oversight process for mortgage origination Quality Control (QC) in compliance with Fannie Mae requirements?


Fannie Mae’s December edition of Quality Insider focuses on the importance of maintaining clear QC independence and an effective internal audit process to ensure a robust QC program. Lenders that fail to maintain an effective QC program will be in breach of their contractual obligations with Fannie Mae.

Fannie Mae noted that during audits of approved seller/servicer QC programs, it commonly finds that lenders do not have a compliant process in place to audit their post-closing QC process. In fact, most commonly, Fannie Mae indicated it observes that a lender’s QC program:

  • Does not have an internal audit function;
  • Has an internal audit function but it is not independent of the business functions it reviews;
  • Does not have a comprehensive written plan to direct the internal audit process across all loan manufacturing and servicing business functions;
  • Has an internal audit program but has not initiated the internal audit process; and
  • Has not established an internal audit schedule to specify the areas of review and time frame in which they will be conducted.

Within the Quality Insider, Fannie Mae indicates that lenders should conduct an annual independent audit review of the QC process to maintain a robust risk management program and clearly define the scope of the audit process as well as the proposed schedule.

Lenders must have internal audit and management control procedures to evaluate and monitor the overall quality of its loan production. At a minimum, Fannie Mae requires:

  • The procedures must be independent of all key functions of the loan manufacturing process that they review, so that such procedures provide an objective and unbiased evaluation that adds value and improves the lender’s operations.
  • The lender’s lines of reporting must reflect the independence of the audit process at all levels, resulting in activities that are conducted in an unbiased manner and without quality compromises resulting from internal influences or conflicts of interest.
  • The audit function must not share any reporting lines with the functional areas that it reviews.
  • The audit function must report directly to the lender’s senior management and/or board of directors. The procedures must be consultative, so that they help the lender accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

For more information on the importance of maintaining an effective internal audit program of the QC functional area, please visit Fannie Mae’s fourth edition of the Quality Insider.


I heard that there are state privacy laws going into effect in 2023 in Colorado, Connecticut, Utah, and Virginia. What does this mean for mortgage lenders operating in these states?


Each state’s privacy statute exempts financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). As such, since mortgage lenders are subject to the GLBA, they are exempt. Below, please find reference to each applicable statutory exemption:

Colorado Consumer Privacy Act (CPA) – SB 190 § 6-1-1304(2)(j)(II)

This part 13 does not apply to: Collected, processed, sold, or disclosed pursuant to the federal “Gramm-Leach-Bliley Act” U.S.C. SEC. 6801 et seq., as amended and implanting regulations, if the collection, processing, sale or disclosure is in compliance with that law.

Connecticut Data Privacy Act (CTDPA) – SB 6 § 3(a)

The provisions of sections 1 to 178 11, inclusive, of this act do not apply to any: financial institution or data subject to Title V of 184 the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.

Utah Consumer Privacy Act (UCPA) – SB 227 § 13-61-102(2)(k)

This chapter does not apply to a financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. Sec. 6801 et seq., and related regulations.

Virginia Consumer Data Protection Act (VCDPA) – § 59.1-576

This chapter shall not apply to any financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.).


As a residential mortgage lender and/or broker, what are my company’s Anti-Money Laundering (AML) training requirements?


The Bank Secrecy Act (BSA), which requires mortgage lenders and brokers to maintain an AML program, indicates that persons/entities subject to the BSA must:

[p]rovide for on-going training of appropriate persons concerning their responsibilities under the program. A loan or finance company may satisfy this requirement with respect to its employees, agents, and brokers by directly training such persons or verifying that such persons have received training by a competent third party with respect to the products and services offered by the loan or finance company.”

The Multistate Mortgage Committee Examination Manual – BSA/AML Program Examination Procedures (Exam Manual) provides insight on what state regulators will consider effective AML ongoing training for employees.  Specifically, the Exam Manual indicates:

Training should include all applicable regulatory requirements and the company’s BSA/AML Program policies, procedures, and controls. At a minimum, the training program must provide training for all personnel whose duties require knowledge of the BSA/AML Program. An effective training program should be tailored to the specific responsibilities of personnel. … Existing employees should receive training at least annually and new employees should receive appropriate training within a reasonable period after joining the company. The training program should reinforce the importance of the BSA/AML Program and ensure that all employees understand their role in maintaining an effective Program.

The Exam Manual also highlights the importance of adequate training for the AML Compliance Officer and for the Board of Directors and/or Executive Management in their leadership roles.

Although neither the BSA nor Exam Manual indicate a specific period of time in which employees must complete AML training after hire, best practice is for all employees to complete this training within 30 days of hire.  It is possible for any employee to encounter suspicious or illegal activity at any time.  Employees must understand their responsibilities under the AML program and how to handle and internally report/escalate suspicious situations. 

Mortgage lenders/brokers must also maintain adequate records of all AML training.  This includes, but is not limited to:

  • Training materials/content;
  • Testing materials and scores; and
  • Attendance records including relevant dates of training (i.e. assigned date, completed date, due date). 


If we issue preapprovals for TBD properties, are we required to report the preapproval on our HMDA LAR?


It depends. 

If a mortgage lender maintains a preapproval program under HMDA, the lender must report preapprovals that are (i) denied or (ii) approved but not accepted. 

A preapproval program for HMDA purposes involves requests for preapprovals for home purchase loans (other than open-end lines of credit, reverse mortgages, or loans secured by multifamily dwellings) whereby, after comprehensive analyses of applicants’ creditworthiness (including verification of income, resources, etc.), the lender issues written commitments valid for designated periods of time and up to specified loan amounts. The written commitments may not be subject to conditions other than the following:

(i) Conditions that require the identification of a suitable property;

(ii) Conditions that require that no material change has occurred in the applicant’s financial condition or creditworthiness prior to closing; and

(iii) Limited conditions, such as requiring acceptable title insurance binder or a certificate of clear termite inspection, that are not related to the financial condition or creditworthiness of the applicant that the financial institution ordinarily attaches to a traditional home mortgage application.  

If a mortgage lender does not regularly use the procedures outlined above and instead considers preapproval requests on an ad hoc basis, the lender would not have a HMDA preapproval program.

If required to report preapprovals, a mortgage lender should use the date the lender received the preapproval request or completed the application form as the application date.  A lender should be generally consistent in which method it uses.  For the final action take date, a mortgage lender should report the following for preapprovals:

  • Preapproval Approved But Not Accepted = any reasonable date, such as approval date, deadline for accepting offer, or date file was closed; and

  • Preapproval Denied = date preapproval request was denied or date notice sent to applicant.


What are the amendments to the Safeguards Rule, do they apply to my company, and when do they go into effect?


The Safeguards Rule requires financial institutions (including mortgage lenders and brokers) to develop, implement, and maintain an information security program to protect customer financial information. In October 2021, the Federal Trade Commission (FTC) approved amendments to the Safeguards Rule in order to ensure the Rule keeps pace with current technology and addresses current risks.

The amendments require financial institutions to maintain a more detailed and comprehensive information security program. The amendments also provide greater clarity including specificity in regard to elements required for an information security program and additional definitions of terms like “multi-factor authentication,” “penetration testing,” and “security event”.

While some provisions went into effect in January 2022, other sections of the rule were set to go into effect on December 9, 2022. The FTC recently voted to extend the December 2022 effective date to June 9, 2023. The provisions of the updated rule specifically affected by the six-month extension include:

  1. designating a “qualified individual” to oversee the information security program and reporting to the Board in writing on the program at least annually;

  2. developing a written risk assessment that includes:

    1. criteria for the evaluation and categorization of identified security risks or threats;

    2. criteria for the assessment of the confidentiality, integrity, and availability of information, including the adequacy of the existing controls in the context of the identified risks or threats; and

    3. requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks;

  3. limiting and monitoring who can access sensitive customer information through various safeguards;

  4. encrypting all sensitive information held or transmitted;

  5. training security personnel;

  6. developing an incident response plan;

  7. periodically assessing the security practices of service providers; and

  8. implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Despite the six-month extension, companies should not delay in addressing the new requirements as they will take time to develop and implement.

The FTC published a guide, FTC Safeguards Rule: What Your Business Needs to Know, which is a useful resource for complying with the Safeguards Rule.


Are business purpose loans reported on the Mortgage Call Reports (MCR) and/or the HMDA LAR?


Business purpose loans are clearly excluded from the MCRs based upon the MCR definition of an application:

An application is an oral or written request for an extension of credit encumbering a 1- 4 family residential property. Exclude any commercial/business/investment purpose encumbrances from reporting. Include inquiries or Pre-Qualification requests that result in denial of credit. The application date used is either (1.)The date on the initial 1003 with the borrower’s signature; (2) The date of an oral request for extension of credit, with deference to the initial 1003; (3) Inquiries and Pre-Qualification requests, if declined, should use the denial date.

For HMDA purposes, an exclusion exists for loans that are primarily for business or commercial purposes unless the loan is also a home purchase loan, home improvement loan, or refinancing – in which case, it should be reported on the HMDA LAR.

1003.3(c)(10): The requirements of this part do not apply to: (10) A closed-end mortgage loan or open-end line of credit that is or will be made primarily for a business or commercial purpose, unless the closed-end mortgage loan or open-end line of credit is a home improvement loan under § 1003.2(i),a home purchase loan under § 1003.2(j),or a refinancing under § 1003.2(p);

Home Purchase Loan a closed-end mortgage loan or an open-end line of credit that is for the purpose, in whole or part, of purchasing a dwelling. 12 CFR 1003.2(j)

Home Improvement Loan a closed-end mortgage loan or an open-end line of credit that is for the purpose, in whole or part, of repairing, rehabilitating, remodeling, or improving a dwelling or the real property on which the dwelling is located. 12 CFR 1003.2(i)

Refinancing a closed-end mortgage loan or an open-end line of credit in which a new dwelling-secured debt obligation satisfies and replaces an existing dwelling secured debt obligation by the same borrower. 12 CFR 1003.2(p)

Pages: 1 2