We recently received a consent order as a result of a routine state examination.  Do we need to report this to HUD?


Yes.  HUD requires the timely notification of state sanctions. HUD’s Mortgage Review Board took numerous administrative actions against mortgagees in recent years for a failure to notify HUD of state sanctions.  Note, reporting is required even if the state sanction is publicly set forth on the NMLS Consumer Access website.  The current version of HUD’s Handbook 4000.1 indicates:

A Mortgagee must submit a Notice of Material Event to FHA and provide relevant documentation if it or any officer, partner, director, principal, manager, supervisor, loan processor, loan underwriter, or loan originator employed or retained by the Mortgagee is subject to any Unresolved Findings or Sanctions.  A Mortgagee must submit a Notice of Material Event to FHA of a change of status in any Unresolved Finding or Sanction previously reported. 4000.1.I.A.7.u. 

Recent updates to the Handbook 4000.1, effective August 19, 2024, define Unresolved Findings and Sanctions as follows:

  • Unresolved Finding = a material, adverse written finding, to include fair lending violations of the Fair Housing Act or Equal Credit Opportunity Act, contained in a lawsuit or report produced in connection with an investigation, audit, or review conducted by HUD, another federal, state, or local governmental agency, or by any other regulatory or oversight entity with jurisdiction over the Mortgagee or its officers, partners, directors, principals, managers, supervisors, loan processors, loan underwriters, or loan originators, that has not yet been resolved through final agency or judicial action.
  • Sanction = any penalty, punitive, or restrictive measure taken either for a failure to comply with or an alleged failure to comply with a court order, federal, state, or local government law, rule, or regulation.


Are there new requirements mortgage lenders must incorporate into their Reconsideration of Value (ROV) process?


Yes. In May 2024, Freddie Mac, Fannie Mae and HUD issued ROV process requirements in an effort to promote consistency and combat appraisal bias. 

The updates highlight the importance of a borrower having the knowledge and opportunity to request a ROV and understand the process.  Below is a summary of some of the ROV process requirements:

  • Disclosure: lenders must provide an easy-to-understand disclosure to mortgage applicants at the time of loan application and upon delivery of the appraisal report with instructions that explain the ROV process, timeframes, etc.;
  • Process: lenders must establish a standardized process for communicating with the loan applicant, as well as the appraiser. The ROV process and all communication must conform with appraiser independence requirements;
  • Turn times: lenders must set the turn-time expectations with both the loan applicant and the appraiser, and resolution of the ROV must be completed prior to loan closing;
  • Training: lenders must ensure valuation and related staff, inclusive of third parties, are trained to identify prohibited discriminatory practices and appraisal deficiencies through the valuation review and ROV processes; and
  • Cost: no costs associated with a ROV may be charged to the loan applicant.

Fannie Mae and Freddie Mac updates are effective for loans with applications dated on or after August 29, 2024.

HUD requirements must be implemented for FHA case numbers assigned on or after September 2, 2024.


Does an approved seller/servicer need to report a single fidelity bond or errors and omissions loss to Fannie Mae?


Yes, in some instances.  Fannie Mae requires an approved seller/servicer to report to Fannie Mae within 30 days after discovery of the occurrence of a single fidelity bond or errors and omissions policy loss that is mortgage related and the amount exceeds the lesser of $250,000 or the policy’s deductible, even when no claim will be filed or when Fannie Mae’s interest will not be affected.

In fact, it is a common MORA examination finding that a seller/servicer does not have a process in place to ensure Fannie Mae receives such notification within 30 days. The requirements are set forth in A3-5-04 of the Single Family Selling Guide.

In addition, a seller/servicer must report to Fannie Mae within 10 business days of receipt of a notice from the insurer regarding the intended cancellation, reduction, nonrenewal, or restrictive modification of the seller/servicer’s fidelity bond or errors and omissions policy.  The seller/servicer must email Fannie Mae a copy of the insurer’s notice, describe in detail the reason for the insurer’s action if it is not stated in the notice, and explain the efforts it has made to obtain replacement coverage or to otherwise satisfy Fannie Mae’s insurance requirements.


Can weak password management or other ineffective information technology controls be considered UDAAP violations?


According to the Consumer Financial Protection Bureau (CFPB), yes.  The CFPB’s Supervisory Highlights, Issue 30 (Summer 2023) indicated that CFPB examiners found institutions engaged in unfair acts or practices by failing to implement adequate information technology security controls that could have prevented or mitigated cyberattacks.  The CFPB pointed to the following specific issues cited by examiners:

(i) Weak password management policies;

(ii) Failure to establish adequate log-in attempt controls; and

(iii) Failure to adequately implement multifactor authentication or a reasonable equivalent.

The CFPB reasoned that, in the instances reviewed, the lack of information technology controls caused substantial consumer harm, as bad actors were able to take advantage of the vulnerabilities and steal consumer funds.  Further, the CFPB indicated that consumers were also injured because they had to devote significant time and resources to dealing with the impacts of the breach (e.g., time enrolling in credit monitoring and/or identity theft protection services, and/or changing their log-in credentials).  The CFPB noted impacted consumers could not reasonably avoid such injuries as they did not have control over the institutions’ security measures.  Further, the CFPB concluded that the injuries to consumers outweighed any countervailing benefits, such as avoiding the cost of implementing information technology controls necessary to prevent these types of attacks.


What do lenders need to consider with regard to Fannie Mae’s QC calibration process?


Fannie Mae increased its performance of QC calibrations in recent months after announcing in June 2022 that it would expand and formalize the QC calibration process. QC calibration is the process of comparing a lender’s own internal QC results to a known measurement or standard to confirm the accuracy of the lender’s results.  In its January 2024 Quality Insider, Fannie Mae shed light on some of its key learnings and observations from the QC calibrations recently performed.  Specifically, among other issues, Fannie Mae indicated:


  • It identified numerous instances of self-reporting violations. Fannie Mae requires lenders to self-report loans found to have a defect making the loan ineligible for sale to Fannie Mae within 30 calendar days of confirming the defect. The calibration exercises identified instances in which self-reporting did not occur or exceeded this timeframe. Lenders must self-report through Loan Quality Connect™.  See Selling Guide D1-3-06.


  • Lenders failed to identify collateral-related quality control issues at the same frequency and severity levels as Fannie Mae. For instance, Fannie Mae noted that more than half of the lenders reviewed cited no appraisal findings in their QC reviews on loans where Fannie Mae cited appraisal findings.


  • Lenders may benefit from revising how they classify identified errors/issues related to the 4506-C. For example, citing the specific reasons tax transcripts were not in the file may assist a lender with performing a root cause analysis (i.e. specific reasons may include that transcripts were ordered but not returned in time for the QC review, transcripts were ordered but the 4506-C was rejected because of incorrect information, or that transcripts weren’t ordered because the 4506-C form was missing).

Fannie Mae will continue to perform these QC calibration exercises and indicates the key objective is to provide feedback to help lenders determine if their internal QC program is accurately identifying and classifying defects.


Will a state-regulated mortgage company be required to report data breaches to the Federal Trade Commission (FTC)?


Yes, under an amendment to the Safeguards Rule effective May 13, 2024, the FTC will require certain nonbank financial institutions, including mortgage lenders and brokers, to notify it of data breaches and security events.  Specifically, the amendment requires notice to the FTC after discovery of a “notification event” that involves the information of at least 500 consumers.  The amendment defines a “notification event” as follows:

Acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

Notification events must be reported to the FTC as soon as possible and no later than 30 days after discovery.  The notice must be made electronically on a form located on the FTC’s website and must include the following:

    (i) Name and contact information of the reporting financial institution;

    (ii) Description of the types of information that were involved in the notification event;

    (iii) If possible to determine, the date or date range of the notification event;

    (iv) Number of consumers affected or potentially affected by the notification event;

    (v) General description of the notification event; and

    (vi) Whether any law enforcement official provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.


What does Fannie Mae require when establishing a target defect rate in relation to a mortgage lender’s quality control (QC) program?


In order to evaluate and measure loan quality standards effectively, Fannie Mae requires mortgage lenders to establish a target defect rate related to their post-closing random QC sample, reflecting the lender’s quality standards and goals.  Fannie Mae advises that different target defect rates may be established for different severity levels.  However, at a minimum, a target defect rate must be established for the lender’s highest level of severity.  A lender must document the rationale for establishing its target defect rate(s).  In the August 2023 issue of Beyond the Guide (Guide), Fannie Mae provided helpful tips to establish an appropriate target defect rate.  The Guide advised that realistic targets should be:

  • Set as low as possible;
  • Designed to be reduced over time;
  • Based on financial analysis of costs associated with defective loans;
  • Evaluated at least annually against updated performance, default and capital needs; and
  • Used to quantify the risk exposure of defects and drive change.

Fannie Mae requires lenders to document the rationale used to establish the target defect rate(s).  Fannie Mae also requires lenders to measure performance against their target defect rate(s) at least quarterly and report results to management.  The gross defect rate is the true measure of a lender’s manufacturing quality for its overall book of business.  Lenders must evaluate the target defect rate(s) at least annually and reset, if necessary, with the goal of reducing defects over time.




Will the NMLS be changing?


The Conference of State Bank Supervisors (CSBS), which oversees NMLS through the State Regulatory Registry LLC, recently announced a six-year plan to enhance and modernize NMLS in stages.  CSBS outlined its agenda for phase 1 and phase 2 occurring over the next two years:

Phase 1 – 2024:

  • Eliminate the need to call the NMLS Call Center to reset a password (the NMLS log-in site will soon have a “Password Reset” functionality);
  • Establish a single log-in per individual user (multiple accounts by the same individual will be consolidated under one profile with a single log-in);
  • Reduce duplication of individual records;
  • Introduce survey and system usage tracking; and
  • Update NMLS’ design and improve navigation.

Phase 2 – 2025:

  • License workflow changes in an effort to make NMLS more intuitive;
  • Implement enhanced integration (for example, ensure all license requirements can be found in one location rather than having to review checklists, statutes, etc.);
  • Company/Mortgage Loan Originator associations updates:
    • Streamlining processes related to company access, relationships, registered location links, and sponsorships;
    • Incorporating system-driven rules for location and sponsorship requirements, such as auto-sponsorship (provided each state adopts); and
  • More robust data validations and accuracy checks when completing the MU-4 form to help prevent incomplete applications.

CSBS launched a new NMLS Modernization site, which provides helpful information about upcoming changes and which will be used to collect industry feedback and provide demonstrations on new and/or proposed NMLS features.


I know the Mortgage Call Report (MCR) has been updated, but where can I find information on it?


The NMLS Resource Center includes a dedicated webpage for the New Mortgage Call Report Form Version 6. Among other information and documents, the webpage provides links to the following:

  • A chart outlining which state agencies granted a grace period for filing the initial MCR requiring the new form;
  • A summary of the changes* made to the form, including a redline comparison between the old form and new form;
  • Frequently Asked Questions related specifically to the new MCR and State Specific Supplemental Form;
  • A list of states requiring the State Specific Supplemental Form;
  • A copy of the new MCR and State Specific Supplemental Form; and
  • A training demo of the new MCR Form Version 6 functionality, presented at the 2024 NMLS annual conference, and a link to register for a live training, which will be held on March 27, 2024, 2:30-4:00pm EST.

The Conference of State Bank Supervisors (CSBS) also advised that inquiries may be submitted by email and that it will be holding office hours via Zoom from 1:00-2:00pm EST on Monday, March 25, and Monday, April 8, 2024:

Meeting ID: 821 0299 5323 
Passcode: 102696  

*Check out AGMB’s prior Compliance Question of the Week detailing the changes to the MCR.


Is HUD no longer requiring branch office registrations to conduct FHA business?


Yes, effective March 4, 2024, HUD will be eliminating the current requirement for mortgagees and lenders to register branch offices where they conduct FHA Title I and/or Title II loan originations.  HUD explained that as the mortgage industry has evolved, it believes that requiring a mortgagee or lender to register all branches is an unnecessary administrative and cost impediment to program participation.

This final rule, Changes in Branch Office Registration Requirements, published in the Federal Register on February 2, 2024, revises 24 CFR 202.5(k) to give mortgagees and lenders the option to register all branch offices, and makes fees applicable only to branch offices that mortgagees or lenders register, rather than applying fees to each branch authorized to originate FHA loans.  Branch offices not registered with HUD are not subject to branch registration fees and will be excluded from the HUD Lender List Search page.

Removing the requirement to register branch offices will not affect HUD’s monitoring of lenders and mortgagees. HUD will continue to maintain oversight and risk management of lenders and mortgagees that remain responsible to FHA for the actions of their branch offices and employees.


Has Fannie Mae issued recent guidance related to appraiser identity theft?


Yes, in a recent Fraud Alert: Appraiser Identity Theft (January 2024), Fannie Mae identified a significant number of loans originated between 2021 and 2023, which involved appraisals completed by an unlicensed appraiser unlawfully using the identities of other actively licensed appraisers.

Fannie Mae provided lenders with the following red flags for this particular mortgage fraud scenario:

  • The unlicensed appraiser’s name and signature are not found in any capacity within the appraisals (or loan files).
  • The company name, phone number, and address listed under “contact information” on page six of Form 1004 will be different from that of the licensed appraiser.
  • Email contact information reflects a name other than the name of the appraiser who is listed as having performed the appraisal.
  • The signatures of the “victim” appraisers appear forged and/or cut and pasted to the identified appraisals.
  • Appraisal fees for the appraisals were paid with proceeds going directly to the mailing address of the unlicensed appraiser, not to the address of the purported appraisers.

Fannie Mae also advised lenders that they should do the following to help minimize the risk of appraiser identity theft:

  • Perform thorough due diligence when retaining services of appraisers and other outside vendors; and
  • Utilize all available public records and licensing agencies in determining the validity of third-party documentation (including addresses) within loan files.

Fannie Mae maintains a dedicated Mortgage Fraud Prevention webpage, which provides valuable resources including publicly available data on fraud trends and recent fraud alerts.  



How important is it to evaluate the cybersecurity risk and protocols of our vendors?


In today’s environment, it is critical for mortgage companies and financial institutions to evaluate the cybersecurity risk and protocols of their vendors.  A significant number of the network intrusions and data breaches occurring today originate with a third party, including vendors.  Mortgage companies and financial institutions not only need to maintain adequate written third-party vendor management policies and procedures, but they must also perform a sufficient cybersecurity risk assessment of each vendor and ensure they conduct thorough due diligence of vendors deemed to be medium or high risk prior to on-boarding and on an ongoing basis.  Due diligence may include, but is not necessarily limited to:

  • Determining if the vendor maintains qualified information security personnel, internally or externally;
  • Identifying and evaluating controls implemented to protect confidential data and/or non-public personal information (i.e. password protocols, access management, multifactor authentication, network scanning, etc.);
  • Reviewing the vendor’s disaster recovery and incident management plans and related testing of such plans;
  • Reviewing security awareness training, including phishing exercises;
  • Reviewing external security audits performed (i.e. SOC, SSAE16, penetration tests, etc.); and
  • Determining whether the vendor utilizes subcontractors and, if so, whether confidential data and/or non-public personal information is shared with those subcontractors.

Failing to perform appropriate cybersecurity reviews of vendors opens a mortgage company and financial institution up to significant risk.



Does a mortgage lender need to monitor their employees to ensure accurate HMDA data collection and reporting of demographic information (race, ethnicity, and sex)?


YES!  The regulatory requirement for lenders to collect demographic information dates back to 1977 and is used by regulators to help detect mortgage lending discrimination.  The Consumer Financial Protection Bureau (CFPB) and other federal regulators stress the importance of collecting accurate data for this reason.  Mortgage lenders often rely upon their employees to collect this data, but that reliance can result in severe monetary penalties for a mortgage lender.

For example, in a recent Consent Order with Bank of America, the CFPB imposed a fine of $12 million.  The CFPB found that hundreds of Bank of America loan officers failed to ask mortgage applicants certain demographic questions as required under federal law, and then falsely reported that the applicants had chosen not to respond.  The CFPB indicated Bank of America failed to adequately oversee its mortgage loan officers in regard to collection of this data, which resulted in inaccurate and false reports.   

Unfortunately, this is a common theme in the mortgage industry.  Mortgage lenders must train their mortgage loan originators regarding the responsibility to request and collect demographic information from applicants.  For online applications, mortgage lenders must ensure their systems properly request and record this information as well.  Mortgage lenders must also review and audit the data collected to make sure it is accurate.  High percentages of “I do not wish to provide this information” from a particular mortgage loan originator may be a sign to a mortgage lender (and regulators) of inaccurate reporting and requires further investigation.

Appendix B to Part 1003 – Form and Instructions for Data Collection on Ethnicity, Race, and Sex is a useful tool for lenders.  It provides a sample data collection form and explains how to report demographic information based on the applicant’s responses and method of application.


Are there any significant risks to a mortgage lender for offering pricing exceptions to an applicant in an effort to retain the customer?



In a previous AGMB FAQ, we addressed the risks posed to a lender when making a pricing exception.  We detailed how the CFPB outlined in a 2014 Supervisory Highlights that any lender who makes pricing exceptions to their credit standards should:

  • Memorialize written policies and procedures for pricing exceptions (when allowed) and how they must be documented.
  • Monitor and audit to make sure these policies are followed.
  • Train staff on the policies (not just basic fair lending training).
  • Include pricing exceptions in the Fair Lending Analysis a lender performs to ensure there are no patterns of disparity.

The CFPB again raised concerns with pricing exception practices in its Fall 2021 Supervisory Highlights and Summer 2023 Supervisory Highlights, finding that mortgage lenders violated ECOA and Regulation B by discriminating in the incidence of granting pricing exceptions across a range of ECOA-protected characteristics, including race, national origin, sex, or age.

Most recently, in December 2023, the CFPB issued a Matter Requiring Attention (MRA) notice to Wells Fargo regarding pricing exceptions (referenced by the CFPB as “loan discounts”).  The CFPB has previously explained that examiners use MRAs “to communicate specific goals to accomplish to address violations of law, risk of such violations, or compliance management deficiencies.”  It is not entirely clear whether the CFPB is investigating Wells Fargo for actual discrimination or found sloppy records, lack of written guidelines, poor oversight, or a combination of the foregoing.

Given the repeated warnings by the CFPB, mortgage lenders need to ensure their policies and procedures surrounding pricing exceptions are well-developed and equally applied.  Staff must be properly trained and a lender must monitor its process and procedures to ensure fair treatment of applicants.  Fair lending and anti-discrimination are key areas of concern for the CFPB and other regulators.  In 2022, the CFPB carried out 32 fair lending investigations, more than doubling the number of probes it commenced in 2020.  Lenders should expect this number to continue to rise.