Question

Is HUD no longer requiring branch office registrations to conduct FHA business?


Answer

Yes, effective March 4, 2024, HUD will be eliminating the current requirement for mortgagees and lenders to register branch offices where they conduct FHA Title I and/or Title II loan originations.  HUD explained that as the mortgage industry has evolved, it believes that requiring a mortgagee or lender to register all branches is an unnecessary administrative and cost impediment to program participation.

This final rule, Changes in Branch Office Registration Requirements, published in the Federal Register on February 2, 2024, revises 24 CFR 202.5(k) to give mortgagees and lenders the option to register all branch offices; and  makes fees applicable only to branch offices that mortgagees or lenders register, rather than applying fees to each branch authorized to originate FHA loans.   Branch offices not registered with HUD are not subject to branch registration fees and will be excluded from the HUD Lender List Search page.  

Removing the requirement to register branch offices will not affect HUD’s monitoring of lenders and mortgagees. HUD will continue to maintain oversight and risk management of lenders and mortgagees that remain responsible to FHA for the actions of its branch offices and employees. 


Question

Has Fannie Mae issued recent guidance related to appraiser identity theft?

Answer

Yes, in a recent Fraud Alert: Appraiser Identity Theft (January 2024), Fannie Mae identified a significant number of loans originated between 2021 and 2023, which involved appraisals completed by an unlicensed appraiser unlawfully using the identities of other actively licensed appraisers.

Fannie Mae provided lenders with the following red flags for this particular mortgage fraud scenario:

  • The unlicensed appraiser’s name and signature are not found in any capacity within the appraisals (or loan files).
  • The company name, phone number, and address listed under “contact information” on page six of Form 1004 will be different from that of the licensed appraiser.
  • Email contact information reflects a name other than the name of the appraiser who is listed as having performed the appraisal.
  • The signatures of the “victim” appraisers appear forged and/or cut and pasted to the identified appraisals.
  • Appraisal fees for the appraisals were paid with proceeds going directly to the mailing address of the unlicensed appraiser, not to the address of the purported appraisers.

Fannie Mae also advised lenders that they should do the following to help minimize the risk of appraiser identity theft:

  • Perform thorough due diligence when retaining services of appraisers and other outside vendors; and
  • Utilize all available public records and licensing agencies in determining the validity of third-party documentation (including addresses) within loan files.

Fannie Mae maintains a dedicated Mortgage Fraud Prevention webpage, which provides valuable resources including publicly available data on fraud trends and recent fraud alerts.  

 


Question

How important is it to evaluate the cybersecurity risk and protocols of our vendors?


Answer

In today’s environment, it is critical for mortgage companies and financial institutions to evaluate the cybersecurity risk and protocols of their vendors.  A significant number of the network intrusions and data breaches occurring today originate with a third party, including vendors.  Mortgage companies and financial institutions not only need to maintain adequate written third-party vendor management policies and procedures, but they must also perform a sufficient cybersecurity risk assessment of each vendor and ensure they conduct thorough due diligence of vendors deemed to be medium or high risk prior to on-boarding and on an ongoing basis.  Due diligence may include, but is not necessarily limited to:

  • Determining if the vendor maintains qualified information security personnel, internally or externally;
  • Identifying and evaluating controls implemented to protect confidential data and/or non-public personal information (i.e. password protocols, access management, multifactor authentication, network scanning, etc.);
  • Reviewing the vendor’s disaster recovery and incident management plans and related testing of such plans;
  • Reviewing security awareness training, including phishing exercises;
  • Reviewing external security audits performed (i.e. SOC, SSAE16, penetration tests, etc.); and
  • Determining whether the vendor utilizes subcontractors and, if so, whether confidential data and/or non-public personal information is shared with those subcontractors.

Failing to perform appropriate cybersecurity reviews of vendors opens a mortgage company and financial institution up to significant risk.

 


Question

Does a mortgage lender need to monitor their employees to ensure accurate HMDA data collection and reporting of demographic information (race, ethnicity, and sex)?


Answer

YES!  The regulatory requirement for lenders to collect demographic information dates back to 1977 and is used by regulators to help detect mortgage lending discrimination.  The Consumer Financial Protection Bureau (CFPB) and other federal regulators stress the importance of collecting accurate data for this reason.  Often mortgage lenders rely upon their employees to collect this data, but this is something which can result in severe monetary penalties for a mortgage lender.  

For example, in a recent Consent Order with Bank of America, the CFPB imposed a fine of $12 million.  The CFPB found that hundreds of Bank of America loan officers failed to ask mortgage applicants certain demographic questions as required under federal law, and then falsely reported that the applicants had chosen not to respond.  The CFPB indicated Bank of America failed to adequately oversee its mortgage loan officers in regard to collection of this data, which resulted in inaccurate and false reports.   

Unfortunately, this is a common theme in the mortgage industry.  Mortgage lenders must train their mortgage loan originators regarding the responsibility to request and collect demographic information from applicants.  For online applications, mortgage lenders must ensure their systems properly request and record this information as well.  Mortgage lenders must also review and audit the data collected to make sure it is accurate.  High percentages of “I do not wish to provide this information” from a particular mortgage loan originator may be a sign to a mortgage lender (and regulators) of inaccurate reporting and requires further investigation.

Appendix B to Part 1003 – Form and Instructions for Data Collection on Ethnicity , Race, and Sex is a useful tool for lenders.  It provides a sample data collection form and explains how to report demographic information based on the applicant’s responses and method of application.


Question

Are there any significant risks to a mortgage lender for offering pricing exceptions to an applicant in an effort to retain the customer?


Answer

Yes. 

In a previous AGMB FAQ, we addressed the risks posed to a lender when making a pricing exception.  We detailed how the CFPB outlined in a 2014 Supervisory Highlights that any lender who makes pricing exceptions to their credit standards should:

  • Memorialize written policies and procedures for pricing exceptions (when allowed) and how they must be documented.
  • Monitor and Audit to make sure these policies are followed.
  • Train staff on the policies (not just basic fair lending training).
  • Include pricing exceptions in the Fair Lending Analysis a lender performs to ensure there are no patterns of disparity.

The CFPB again raised concerns with pricing exception practices in their Supervisory Highlights published in the Fall 2021 Supervisory Highlights and Summer 2023 Supervisory Highlights, finding that mortgage lenders violated ECOA and Regulation B by discriminating in the incidence of granting pricing exceptions across a range of ECOA-protected characteristics, including race, national origin, sex, or age. 

Most recently, in December 2023, the CFPB issued a Matter Requiring Attention (MRA) notice to Wells Fargo regarding pricing exceptions (referenced by the CFPB as “loan discounts”).  The CFPB has previously explained that examiners use MRAs “to communicate specific goals to accomplish to address violations of law, risk of such violations, or compliance management deficiencies.”  It is not entirely clear whether the CFPB is investigating Wells Fargo for actual discrimination or found sloppy records, lack of written guidelines, poor oversight, or a combination of the foregoing.

Given the repeated warnings by the CFPB, mortgage lenders need to ensure their policies and procedures surrounding pricing exceptions are well-developed and equally applied.  Staff must be properly trained and a lender must monitor its process and procedures to ensure  fair treatment of applicants.  Fair lending and anti-discrimination are key areas of concern for the CFPB and other regulators.  In 2022, the CFPB carried out 32 fair lending investigations, more than doubling the number of probes it commenced in 2020.  Lenders should expect this number to continue to rise.