Can property taxes and other charges paid to third party service providers for services not required by the creditor fall within the zero tolerance bucket along with the creditor’s fees and the appraisal?
As a Master Servicer, what should I be doing to oversee my subservicer?
- Subservicer oversight must be managed by adequate and qualified staff having knowledge of all mortgage servicing functions.
- Quality Control audit sample sizes must be relevant to the portfolio size (10% unless statistical representation can be achieved) and the loan level reviews should target specific risk-based factors.
- Maintain methods to track errors or identified deficiencies and develop a corresponding remediation plan.
- If the master servicer finds issues within a particular process, it must have a plan in place to increase the sample sizes and/or the frequency of audits.
- Hold meetings with the servicer’s risk committee to review audit findings and discuss action plan items on a monthly, quarterly or semi-annual basis.
- Monthly ongoing monitoring of subservicer-produced management reports.
- Quality Assurance reviews (including, but not limited to, customer service and collection activities, escrow management, payoffs, and loss mitigation activity).
- Annual subservicer onsite visit and policy/procedure review.
- And more…
Is my “independent contractor” really a W-2 employee?
- Behavioral: Does the company control or have the right to control what the worker does and how the worker does his or her job?
- Financial: Are the business aspects of the worker’s job controlled by the payer? (These include things like how the worker is paid, whether expenses are reimbursed, who provides tools/supplies, etc.)
- Type of Relationship: Are there written contracts or employee-type benefits (e.g., pension plan, insurance, vacation pay)? Will the relationship continue and is the work performed a key aspect of the business?
- The worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of such work and in fact;
- The worker performs work that is outside the usual course of the hiring entity’s business;
- The worker is customarily engaged in an independently established trade, occupation or business of the same nature as that involved in the work performed.
- Ensure the independent contractor has his/her own state business license and professional license(s) required for his/her area of service or specialty, business and/or liability insurance.
- An independent contractor should have the ability to set his/her own hours and workdays.
- An executed business contract should be in place, similar to a third-party service contract that outlines the services contracted, the compensation rate and the legal stipulation that the independent contractor is not an employee of the company. Liability and indemnification provisions should also be addressed in the agreement between the business and the independent contractor.
- The business should not collect payroll tax or offer employee benefits to an independent contractor.
- The independent contractor should work under his/her own license(s) and bear the risk of malpractice or business suit.
What does Fannie Mae require when establishing defect rates in relation to a Lender’s quality control program?
- Establish a target defect rate that reflects the lender’s loan quality standards and goals.
- Identify a target defect rate for the top severity level which indicates the loan is ineligible for delivery to Fannie Mae.
- Define lower severity levels as appropriate for the lender’s organization.
- Develop a methodology for identifying and categorizing different target defect rates for different severity levels, as applicable.
- Set defect rate targets as reasonably low as possible based on the lender’s formal cost-benefit analysis of meeting that target.
- Evaluate, and if necessary, reset the target defect rate at least annually to ensure it continues to meet credit risk needs.
What is a Qualified Written Request (QWR) and what are the requirements for response?
As a lender, am I responsible for ensuring applicants have not taken on new debt from the time of underwriting approval up until the loan closes?
My company vets its vendors that provide services relative to our core business, but do we need to also perform vendor management on non-business-related service providers such as janitorial services?
Simply, yes. Any activity outsourced to a vendor or service provider can possibly introduce risk, even though it may not seem apparent. Vendor management is about identifying, measuring, monitoring and controlling risks associated with outsourcing services. Companies should risk rate vendors to help determine the level of due diligence and oversight needed. In the case of a janitorial service, it may be determined that the risk is low as the third-party provider may not be exposed to any confidential or proprietary information and may, therefore, not present data security or compliance risk to the company. However, for other companies that do not adhere to clean desk policies and procedures, a third-party janitorial crew may present a higher risk as the janitorial staff may have access to confidential or proprietary information.
Do the servicing calling requirements differ among investors for delinquent loans?
- Quality right party contact (QRPC) is achieved and the borrower has provided a promise to pay the delinquent amount by a specified date (not to exceed 30 days);
- Quality right party contact (QRPC) is achieved and/or the borrower adheres to any loss mitigation agreement made with the Servicer;
- Quality right party contact (QRPC) is achieved and the borrower indicates that he or she is not interested in a workout option;
- The borrower enters into a relief or workout option with the Servicer;
- Complete Borrower Response Package is received in accordance with the requirements;
- Delinquency is resolved.
- Contact is established; or
- The Servicer has determined through an occupancy inspection that the mortgaged property is vacant or abandoned.
- Vary the times and days of the week of call attempts to maximize the likelihood of making contact with the Borrower; and
- Have policies in place to reduce the call abandon rate and minimize the call wait time.
Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?
Is it true the Federal Housing Administration (“FHA”) no longer requires inspectors to be chosen from their Roster?
I register my loans with the Mortgage Electronic Registration Systems, Inc. (“MERS”). Am I required to perform an annual MERS audit?
Do Fair Lending laws prohibit a mortgage lender or broker from collecting and retaining a copy of a photographic identification document (“Photo ID”) as part of a mortgage loan application?
Should my vendor oversight program review the financial strength of my third-party vendors?
- Does the vendor have negative working capital? Is there enough liquidity or current assets to cover its current debt?
- Does the vendor have declining net worth? May it be depleted by annual operating losses, decrease in asset values relative to liabilities, or distributions/dividends paid?
- Does the vendor have net losses? Do expenses exceed revenue?
Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?
I understand that the Consumer Financial Protection Bureau (the “CFPB”) recently eliminated the TRID Black Hole. Does this mean lenders can provide the Closing Disclosure (“CD”) to borrowers earlier in the origination process?
What are a few vital IT Security controls that I should implement in my organization?
- Up-to-date and Reputable Anti-Malware Software
  - Ensure that all business assets have reputable, up-to-date anti-malware solutions installed and managed across the organization.
- Install the Latest Operating System Updates
  - Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.
- Clean Desk Policies
  - Ensure that your staff members are not writing down their network credentials (user names and passwords) on post-it notes at their desks.
- Off-site Data Redundancy
  - Ensure that your critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site owned by your organization.
- Change Management
  - Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.
- Create and Update Policies and Procedures
  - Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster, or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
- Seek Reputable Vendors
  - Ensure all of your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.
- Ensure all company assets (laptops, phones, tablets) that contain company or consumer data are tagged and encrypted.
- Force password changes on a frequent basis.
- Force computers to lock when idle for a certain time period.
- Implement two-factor authentication.
- Train Staff
  - Train your staff on phishing, ransomware, and IT security awareness. Basics, such as locking the computer when away, not leaving laptops in plain view in a parked car, and not propping open doors that may allow unsupervised visitors in, are just a few common-sense reminders to train your team.
What physical security protocols should my third-party vendors have in place?
- Employee and visitor access levels and tracking, such as log in/log out sheets;
- Use of alarm systems and/or surveillance cameras with retention records;
- Security perimeters (card controlled entry gates, security guards, and/or manned reception desks);
- Locks, access cards and/or security codes; and,
- Enhanced data center and/or server room security features.
The Fannie Mae requirements for Servicing Transfer Welcome calls have been updated. What do I need to know?
- Initiate welcome calls to borrowers within five days after transfer,
- Make at least three welcome call attempts by the end of the month following the file transfer (unless contact is made or a payment is received), and
- Use commercially reasonable efforts to maintain accurate contact information.
- Prompt and accurate information of a pending transfer of servicing, and
- Prompt and courteous responses to their inquiries about the transfer.
We’ve heard that the NMLS website is being revamped. Is this true, and if so, when should we expect to see the changes?
I understand the CFPB revised the servicing requirements for borrowers in bankruptcy. What do I need to know about these changes?
- Any borrower on the mortgage loan is a debtor in bankruptcy or discharged personal liability for the mortgage loan through bankruptcy; and
- One of the following conditions applies to a borrower on the mortgage loan:
  - The borrower requests in writing that the servicer cease providing a statement or coupon book;
  - The borrower’s most recently filed bankruptcy plan provides that the borrower will surrender the home securing the loan;
  - The bankruptcy court orders the lien avoided; or
  - The borrower files with the court a statement of intention to surrender the home securing the loan and the borrower has not made any partial or periodic payment on the loan after commencement of his/her bankruptcy case.
What is the importance of a settlement agent vetting and monitoring policy?
What factors determine a high, moderate or low-risk vendor?
- Whether the vendor is customer facing,
- If the vendor has access to consumer NPI (non-public personal information),
- The work performed by the vendor,
- Regulatory/operational impact if the vendor does not perform the function assigned, and
- Monitoring/performance of the vendor.
We have both a Quality Control Department and a Compliance Department. Can one of these departments perform the Internal Audit component as required by the GSEs?
- The procedures must be of the loan manufacturing process and the servicing processes that they review.
- The seller/servicer’s lines of reporting must reflect the .
- The audit function
- The audit function . Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions.
- The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by to evaluating and improving the effectiveness of risk management, control, and governance processes.
We understand the Government Monitoring Information (“GMI”) answer options have changed with the new HMDA rules, but can you explain our reporting obligations?
- Aggregated Category: Hispanic or Latino
- Disaggregated Subcategories: Mexican, Puerto Rican, Cuban, etc.