Compliance Question of the Week 2018

Question

 

       Answer

Can property taxes and other charges paid to third party service providers for services not required by the creditor fall within the zero tolerance bucket along with the creditor’s fees and the appraisal?

Yes. Buried in TRID 2.0 was a clear warning from the CFPB that creditors must ensure that they always disclose with the “best information reasonably available.” Failure to do so could result in charges, such as property taxes and the buyer’s attorney fee, being subject to the zero-tolerance standard. Under TRID 2.0, the CFPB revised its comment located in 1026.19(e)(3)(iii)-3 as follows:

Good faith requirement for property taxes or non-required services chosen by the consumer. Differences between the amounts of estimated charges for property taxes or services not required by the creditor disclosed under § 1026.19(e)(1)(i) and the amounts of such charges paid by or imposed on the consumer do not constitute a lack of good faith, so long as the original estimated charge, or lack of an estimated charge for a particular service, was based on the best information reasonably available to the creditor at the time the disclosure was provided. For example, if the subject property is located in a jurisdiction where consumers are customarily represented at closing by their own attorney, even though it is not a requirement, and the creditor fails to include a fee for the consumer’s attorney, or includes an unreasonably low estimate for such fee, on the original estimates provided under § 1026.19(e)(1)(i), then the creditor’s failure to disclose, or unreasonably low estimation, does not comply with § 1026.19(e)(3)(iii). Similarly, the amount disclosed for property taxes must be based on the best information reasonably available to the creditor at the time the disclosure was provided. For example, if the creditor fails to include a charge for property taxes, or includes an unreasonably low estimate for that charge, on the original estimates provided under § 1026.19(e)(1)(i), then the creditor’s failure to disclose, or unreasonably low estimation, does not comply with § 1026.19(e)(3)(iii) and the charge for property tax would be subject to the good faith determination under § 1026.19(e)(3)(i).

This means that if a creditor fails to disclose altogether or discloses an unreasonably low fee for the borrower’s personal attorney or real estate taxes, these charges would need to be placed in the zero tolerance bucket and any increase in the amount disclosed would require a cure by the creditor. While the CFPB limited the commentary to these two examples, it could be expected that this situation could apply to any fee not disclosed with the best information reasonably available.

As a Master Servicer, what should I be doing to oversee my subservicer?

Fannie Mae recently updated some of the master servicer oversight requirements in Section 10 of its Servicer Self-Assessment Guide. Pages 30-31 of the Servicer Self-Assessment Guide outline requirements and best practices that a master servicer should have in place in order to adequately oversee the subservicer relationship. Some, but not all, of the safeguards listed below include:

  1. Subservicer oversight must be managed by adequate and qualified staff having knowledge of all mortgage servicing functions.
  2. Quality Control audit sample sizes must be relevant to the portfolio size (10% unless statistical representation can be achieved) and the loan level reviews should target specific risk-based factors.
  3. Maintain methods to track errors or identified deficiencies and develop a corresponding remediation plan.
  4. If the master servicer finds issues within a particular process, it must have a plan in place to increase the sample sizes and/or the frequency of audits.
  5. Hold meetings with the servicer’s risk committee to review audit findings and discuss action plan items on a monthly, quarterly or semi-annual basis.
  6. Monthly ongoing monitoring of subservicer-produced management reports.
  7. Quality Assurance reviews (including, but not limited to, customer service and collection activities, escrow management, payoffs, and loss mitigation activity).
  8. Annual subservicer onsite visit and policy/procedure review.
  9. And more…

Master servicers are responsible for the actions and inactions of their subservicer. As a critical vendor, the master servicer should ensure it is meeting all of the minimum subservicer oversight requirements outlined in the Fannie Mae Servicer Self-Assessment Guide, other GSE and investor requirements, in addition to all other vendor management responsibilities.

Is my “independent contractor” really a W-2 employee?

The IRS and some states, such as California, are auditing businesses who report their workers as independent contractors. This is an area of increasing concern for the mortgage industry as there are several factors to consider in addition to the labor law issue, such as Agency requirements and licensing implications.

IRS Rule “Understanding Employee vs. Contractor Designation” Guide: FS-2017-09, July 20, 2017, established the following categories and Common Law Rules to assist in providing evidence of the degree of control or independence when evaluating a business relationship:

  1. Behavioral: Does the company control or have the right to control what the worker does and how the worker does his or her job?
  2. Financial: Are the business aspects of the worker’s job controlled by the payer? (these include things like how worker is paid, whether expenses are reimbursed, who provides tools/supplies, etc.)
  3. Type of Relationship: Are there written contracts or employee type benefits (i.e. pension plan, insurance, vacation pay, etc.)? Will the relationship continue and is the work performed a key aspect of the business?

States have also begun to adopt their own evaluation methods. For example, in April, 2018, California Supreme Court’s adopted an “ABC Test.” Under the “ABC test,” workers are presumed to be employees, and employers may classify workers as independent contractors only if they can prove these three elements of the test:

  1. The worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of such work and in fact;
  2. The worker performs work that is outside the usual course of the hiring entity’s business; and
  3. The worker is customarily engaged in an independently established trade, occupation or business of the same nature as that involved in the work performed.

As a Best Practice, a business should have documentation to establish a clear separation between a business and an independent contractor including but not limited to some of the following:

  • Ensure the independent contractor has his/her own state business license and professional license(s) required for his/her area of service or specialty, business and/or liability insurance.
  • An independent contractor should have the ability to set his/her own hours and workdays.
  • An executed business contract should be in place, similar to a third-party service contract that outlines the services contracted, the compensation rate and the legal stipulation that the independent contractor is not an employee of the company. Liability and indemnification provisions should also be addressed in the agreement between the business and the independent contractor.
  • The business should not collect payroll tax or offer employee benefits to an independent contractor.
  • The independent contractor should work under his/her own license(s) and bear the risk of malpractice or business suit.

With regard to the mortgage industry specifically, HUD Handbook 4000.1 I.A.6.j.i and ii detail how mortgagees may use contract support for administrative, human resources, and clerical functions, but cannot contract out management or underwriting functions. Further, most states generally require independent processors and underwriters to maintain licensure through NMLS.

Organizations should fully understand state employment and licensing requirements, in addition to Agency guidelines prior to categorizing and retaining an individual as an independent contractor.

What does Fannie Mae require when establishing defect rates in relation to a Lender’s quality control program?

Fannie Mae requires lenders to implement a quality control program that regularly evaluates, measures and manages their progress in meeting their loan quality standards. Fannie expects lenders to demonstrate how they manage loan quality to meet their established targets. As part of an effective quality control plan, a lender should understand the defect rate principles and, at a minimum, do the following:

  • Establish a target defect rate that reflects the lender’s loan quality standards and goals.
  • Identify a target defect rate for the top severity level which indicates the loan is ineligible for delivery to Fannie Mae.
  • Define lower severity levels as appropriate for the lender’s organization.
  • Develop a methodology for identifying and categorizing different target defect rates for different severity levels, as applicable.
  • Set defect rate targets as reasonably low as possible based on the lender’s formal cost-benefit analysis of meeting that target.
  • Evaluate, and if necessary, reset the target defect rate at least annually to ensure it continues to meet credit risk needs.

Once a defect rate is set and defined, the lender should monitor performance against the rate, and report findings to the senior management team. The target defect rate allows a lender to monitor and measure its actual performance against its target.

What is a Qualified Written Request (QWR) and what are the requirements for response?

A QWR is written correspondence, other than a notice on a payment coupon or bill statement that: a) includes, or otherwise enables the servicer to identify, the name and account number of the borrower; and b) includes a statement of the reasons the borrower believes the account is in error or provides sufficient detail to the servicer regarding other information sought by the borrower.

Upon receipt of a QWR, a mortgage servicer is required to take certain steps, subject to deadlines. The mortgage servicer has five business days to acknowledge receipt and must respond within 30 business days (with a possible 15-day extension provided the servicer sends the borrower notice of the extension and the reason for the delay). During this period beginning on the date of receipt, the servicer may not provide information regarding any overdue payment, owed by such borrower and relating to such period of qualified written request, to any consumer reporting agency.

It’s important that a master servicer implement processes and controls to ensure all correspondence is properly reviewed to identify and segregate the tracking and/or monitoring of QWRs. Items to review include, but are not limited to, the date of receipt, date of acknowledgement of the QWR, date of response, and/or date of request for extension. Internal controls should be implemented to alert the management team of any approaching date where the appropriate action has not been taken, prior to the regulatory time frame. It is also recommended the servicer follow up on any corrections of identified errors to determine whether the issue may be indicative of a systemic problem and/or involve a larger population.

Failure to comply with QWR requirements could lead to a borrower claiming statutory damages in the amount of $2,000 and/or statutory damages in a class lawsuit in the amount of $1,000,000.

As a lender, am I responsible for ensuring applicants have not taken on new debt from the time of underwriting approval up until the loan closes?

Yes, lenders are responsible for ensuring applicants have not taken on new debt, which may impact the applicant’s ability to qualify for the loan, from the time of underwriting approval until loan closing. Continuous monitoring through the use of undisclosed debt monitoring or a soft credit refresh to check for new debts should mitigate undisclosed debt and identify any new debt obtained by the applicant prior to closing.

Ultimately, the lender is responsible for ensuring the applicant qualifies for the mortgage loan at the time of closing. Fannie Mae indicates that it “expects lenders to have in place processes to facilitate borrower disclosure of changes in financial circumstances throughout the origination process and prefunding quality control processes to increase the likelihood of discovering material undisclosed debts or reduced income.” Fannie Mae Selling Guide B3-6-02: Debt-to-Income Ratios (7/25/2017).

Undisclosed debt or new debt obtained by an applicant could negatively impact debt-to-income (“DTI”) ratios and could affect an applicant’s loan qualification. As such, Fannie Mae advises lenders that they may need to re-underwrite a loan if an applicant reveals or a lender discovers additional debt after an underwriting decision has been made. Further, Fannie Mae requireslenders to re-underwrite a loan if the new information causes the DTI ratio to increase by 3 or more percentage points up to the maximum allowed. “Re-underwriting means that loan case files must be resubmitted to DU with updated information; and for manually underwritten loans, a comprehensive risk and eligibility assessment must be performed.”

Additionally, in the event a loan goes delinquent or an investor selects a loan for quality control review, the investor may re-pull a borrower’s credit and review liabilities to ensure that the lender included all debt at the time of loan closing in the qualifying ratios. If an investor identifies new debt during the “gap” period between loan approval and closing, the loan may be subject to repurchase.

My company vets its vendors that provide services relative to our core business but do we need to also perform vendor management on such non-business related service providers such as janitorial services?

Simply, yes. Any activity outsourced to a vendor or service provider can possibly introduce risk, even though it may not seem apparent. Vendor management is about identifying, measuring, monitoring and controlling risks associated with outsourcing services. Companies should risk rate vendors to help determine the level of due diligence and oversight needed. In the case of a janitorial service, it may be determined that the risk is low as the third-party provider may not be exposed to any confidential or proprietary information and may, therefore, not present data security or compliance risk to the company. However, for other companies that do not adhere to clean desk policies and procedures, a third-party janitorial crew may present a higher risk as the janitorial staff may have access to confidential or proprietary information.

Do the servicing calling requirements differ among investors for delinquent loans?

Yes. According to FNMA and FHLMC, Servicers must initiate outbound contact attempts with each newly delinquent borrower no later than the 36th day of delinquency. Servicers must continue contact attempts every fifth day until one of the following outcomes is attained:

  • Quality right party contact (QRPC) is achieved and the borrower has provided a promise to pay the delinquent amount by a specified date (not to exceed 30 days);
  • Quality right party contact (QRPC) is achieved and/or the borrower adheres to any loss mitigation agreement made with the Servicer;
  • Quality right party contact (QRPC) is achieved and the borrower indicates that he or she is not interested in a workout option;
  • The borrower enters into a relief or workout option with the Servicer;
  • Complete Borrower Response Package is received in accordance with the requirements;
  • Delinquency is resolved.

After the 210th day of delinquency Servicers are authorized to continue outbound contact attempts at their discretion.

Under HUD guidelines, Servicers must initiate outbound contact attempts with each newly delinquent borrower by the 17-20th day of delinquency and continue contact attempts at a minimum of two times per week until one of the following outcomes is attained:

  • Contact is established; or
  • The Servicer has determined through an occupancy inspection that the mortgaged property is vacant or abandoned.

Additionally, the Servicer is expected to:

  • Vary the times and days of the week of call attempts to maximize the likelihood of making contact with the Borrower; and
  • Have policies in place to reduce the call abandon rate and minimize the call wait time.

Promptly after establishing live contact, the Servicer must determine whether the borrower is occupying the property, ascertain the reason for the delinquency, and inform the borrower about the availability of loss mitigation options.

Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?

Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by both an independent and qualified party. While this does not mean the audit cannot be performed by an employee, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the Company’s written policies and procedures should be reviewed as well as the qualifications of the AML Officer and the Company’s training materials and attendance logs.

In recent years, state regulators have commenced examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, as well as AML risk assessments and independent AML audit results as part of examinations. Failure to maintain these documents can oftentimes result in an adverse finding. Some states also maintain their own money laundering regulations, such as California, Florida, Hawaii, New Jersey, and Texas.

Is it true the Federal Housing Administration (“FHA”) no longer requires inspectors to be chosen from their Roster?

Yes, FHA issued a Final Rule eliminating the FHA Inspector Roster. The Roster was a list of inspectors approved by FHA as eligible to determine whether a 1-4 family unit had the requisite construction quality to serve as security for an FHA-insured loan. FHA acknowledged the sufficiency and quality of inspections performed by International Code Council certified Combination Inspectors, Residential Combination Inspectors, and other qualified individuals and explained that eliminating the Roster should streamline inspection requirements for FHA loans.

The Final Rule is effective as of August 2, 2018, and may be found at https://www.federalregister.gov/documents/2018/07/03/2018-14212/streamlining-inspection-requirements-for-federal-housing-administration-fha-single-family-mortgage.

I register my loans with the Mortgage Electronic Registration Systems, Inc. (“MERS”). Am I required to perform an annual MERS audit?

It depends on your MERS membership type. MERS Quality Assurance Standards require all MERS General Members to perform an independent quality assurance (“QA”) review annually and certify to same as part of the Annual Report due December 31st. Depending on the size of your servicing portfolio, the review may be conducted by an internal department or you may need to engage an outside independent third party to perform the review.

If your organization is the servicer on less than 1,000 active Mortgage Identification Number (“MIN”) records as of March 31st of the current year you may conduct the review in-house and are responsible for sending an annual certification to MERS along with an updated copy of your MERS QA Plan. The reviewer may be an internal resource or you may choose to utilize an external entity. Upon deciding to use an internal resource within your organization, that internal resource must be a QA Officer, a Legal MERS system contact, or an employee who is not affiliated with the MERS System operations.

If your organization is the servicer on 1,000 or more active MINs, you must engage an outside third party review organization. Third party review organizations can be external QA auditors or third-party compliance/consulting organizations. The third-party reviewer must sign the Annual Report confirming that all quality assurance provisions have been met.

The objective of the review and Annual Report is to certify your QA performance against your MERS QA Plan. The report identifies and evaluates your organization’s system-to-system reconciliation process, your reject/warning report process, and adherence to your QA Plan. As such, keeping your MERS QA Plan up to date for accuracy and effectiveness is an important measure in passing the MERS audit. It is also important to ensure that your staff is following your written MERS policies and procedures, that all applicable forms of recordable documents contain the necessary MERS language, and that reconciliations are being performed timely.

Consequences of not performing an annual audit or not passing an annual audit could result in fines, penalties, and revocations as your program will be out of compliance.

Do Fair Lending laws prohibit a mortgage lender or broker from collecting and retaining a copy of a photographic identification document (“Photo ID”) as part of a mortgage loan application?

Although there has been some debate as to whether maintaining such a Photo ID in the loan file could create a fair lending concern, it is specifically permitted by some federal agencies. For example, the Federal Housing Administration’s (“FHA”) Single Family Housing Policy Handbook 4000.1 (“FHA Handbook”) requires a mortgagee to review an applicant’s Photo ID. The FHA Handbook indicates in relevant part, “he Mortgagee must include a statement that it has verified the Borrower’s identity using valid government-issued photo identification prior to endorsement of the Mortgage or the Mortgagee may choose to include a copy of such photo identification as documentation.”

Further, the Federal Financial Institution Examination Council (“FFIEC”) permits a mortgage lender to verify the identity of an applicant using a Photo ID as part of its Bank Secrecy Act Manual (the “BSA Manual”). According to the BSA Manual, mortgage lenders and banks are expected to “review an unexpired government-issued form of identification from most customers. This identification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard; examples include a driver’s license or passport.”

There are various ways a mortgage lender can collect a Photo ID, while also being mindful of the fair lending concerns that may result. In an effort to prevent fair lending concerns related to maintaining a copy of a Photo ID within a loan file, mortgage lenders may choose to maintain a separate file for the applicant’s Photo ID and/or create another way to not provide the underwriter with a copy of the Photo ID. This would help ensure that reviewing the Photo ID does not affect the underwriting decision. Additionally, providing adequate fair lending training, as well as privacy training to employees is important.

Should my vendor oversight program review the financial strength of my third-party vendors?

A financial review is a vital part of assessing the risk associated with working with a third-party vendor – particularly if the vendor serves as a critical vendor for your company. Determining a vendor’s financial strength helps evaluate whether that third-party vendor can meet its financial obligations as they become due and whether the vendor may encounter operational issues. The financial assessment should review financial highlights, as well as ratios and metrics that measure the vendor’s fiscal performance. Ratios and metrics should provide information necessary to assess liquidity, profitability, operational performance, balance sheet management and the vendor’s ability to manage cash flow.

Some characteristics to consider when assessing the financial strength of a vendor may include:

  • Working capital – Does the vendor have negative working capital? Is there enough liquidity or current assets to cover its current debt?
  • Net worth – Does the vendor have declining net worth? May it be depleted by annual operating losses, decrease in asset values relative to liabilities, or distributions/dividends paid?
  • Profitability – Does the vendor have net losses? Do expenses exceed revenue?

An effective vendor management program that assesses financial strength may help a company make an educated decision on whether or not to rely on and enter into a business relationship with a particular vendor, especially one that may be critical to your operations.

Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?

Yes. On May 24, 2018 (the “Enactment Date”), the President signed a Dodd-Frank roll back regulation, known as the Economic Growth, Regulatory Relief, and Consumer Protection Act, which, among other things, provides MLO transitional licensing authority effective 18 months after the Enactment Date.

Under the new regulation, a federally-registered MLO that has been registered as such for at least one year may obtain temporary authority to act as a MLO for up to 120 days after becoming employed by a state-licensed company and submitting a MLO application in a particular state. In order to qualify the MLO cannot (i) have had an application for a MLO license previously denied, revoked or suspended, (ii) be subject to or served with cease and desist order in any governmental jurisdiction or under the SAFE Act; or (iii) be convicted of a misdemeanor or felony that would preclude licensure in the application state.

Additionally, under the new regulation, a state-licensed MLO that has been licensed as such for at least 30 days may obtain temporary authority to act as a MLO for up to 120 days in another state if the MLO submitted a MLO application in that other state. Again, to qualify, the MLO must meet the requirements outlined in (i)-(iii) above.

I understand that the Consumer Financial Protection Bureau (the “CFPB”) recently eliminated the TRID Black Hole. Does this mean lenders can provide the Closing Disclosure (“CD”) to borrowers earlier in the origination process?

In late April 2018, the CFPB issued the Black Hole final rule, thereby eliminating one of TRID’s major annoyances to lenders. Lenders may now reset tolerances on any CD at any time regardless of the number of business days prior to closing that the change occurred. Prior to this amendment, TRID did not permit lenders to use a CD to cure a tolerance violation if there were four or more days between the time the revised disclosures are required to be provided and consummation of the loan.

In issuing the amendment, the CFPB noted that commenters were concerned that the amendment would cause lenders to provide the initial CD very early in the transaction. Addressing these concerns, the CFPB stated that it believes that the existing accuracy standard for the CD will prevent lenders from providing the initial CD too early in the process. The CFPB reiterated that the applicable accuracy standard for information required on the CD is the “best information reasonably available,” which requires lenders to perform “due diligence” in obtaining accurate information to be placed on the CD.

Based on the language in the amendment lenders should be very careful to ensure each and every CD issued contains the “best information reasonably available” at the time of issuance. Providing an initial CD which is missing information and subsequently providing a final CD which includes such information is not compliant with the terms of the statute.

The Black Hole final rule is available at the following link: https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-finalizes-amendment-know-you-owe-mortgage-disclosure-rule/.

The amendment will be effective on June 1, 2018, and will be available for loans in process as of that date as well as applications taken after such date.

What are a few vital IT Security controls that I should implement in my organization?

Now, more than ever, the prevention of data breaches and data loss is vital to any organization. From the all-too-common grasp of ransomware (when a hacker encrypts your business data for a monetary ransom), to the lack of appropriate IT controls and vendors, business critical data is clearly susceptible to risk.

To best avoid exposing your critical business data to risks, start with implementing these important integrations:

  • Up-to-date and Reputable Anti-Malware Software
    • Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.
  • Install the Latest Operating System Updates
    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.
  • Clean Desk Policies
    • Ensure that your staff members are not writing down their network credentials (user name and passwords) on post-it notes at their desks.
  • Off-site Data Redundancy
    • Ensure that your critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site owned by your organization.
  • Change Management
    • Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.
  • Create and Update Policies and Procedures
    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster, or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
  • Seek Reputable Vendors
    • Ensure all of your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.
  • Assets
    • Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.
    • Force password changes at a frequent basis.
    • Force lock computers when idle for a certain time period.
    • Implement two-factor authentication.
  • Train Staff
    • Train your staff on the importance of phishing, ransomware, and IT security awareness. Basics, such as locking the computer when away, not leaving laptops in plain view in a parked car, and propping doors that may allow unsupervised visitors, are just a few common-sense reminders to train your team.

You can never be too secure but starting with the short list above is a great step in the right direction.

What physical security protocols should my third-party vendors have in place?

As part of a comprehensive vendor management oversight program, a thorough evaluation should be conducted on whether your third-party vendors have sufficient physical security controls in place. You should evaluate and identify the inherent risk of each of your vendors and develop a plan for managing physical security risks associated with these third-party relationships. Vendors with access to nonpublic personal consumer information and/or proprietary information generally require greater physical security standards.

One item you should request and review is your vendor’s Physical Security Policy. An effective Physical Security Policy ensures safety and security of the vendor’s location including off-site data centers, operation rooms, filing rooms, cash rooms, and any other areas that may contain confidential and/or proprietary information. In order to prevent intrusion and unauthorized access, a vendor’s Physical Security Policy should at the very least entail the following:

  • Employee and visitor access levels and tracking, such as log in/log out sheets;
  • Use of alarm systems and/or surveillance cameras with retention records;
  • Security perimeters (card controlled entry gates, security guards, and/or manned reception desks);
  • Locks, access cards and/or security codes; and,
  • Enhanced data center and/or server room security features.

From a regulatory standpoint, an effective vendor management program that assesses these items can help eliminate compliance, reputational, strategic and operational risks.

The Fannie Mae requirements for Servicing Transfer Welcome calls have been updated. What do I need to know?

Effective immediately, Fannie Mae has announced they have updated their Guide with regard to servicing transfers removing the requirements that the new servicer:

  • Initiate welcome calls to borrowers within five days after transfer,
  • Make at least three welcome call attempts by the end of the month following the file transfer (unless contact is made or a payment is received), and
  • Use commercially reasonable efforts to maintain accurate contact information.

Fannie Mae stated borrower contact rates are low and borrowers are already aware of the servicing transfer. They have concluded these requirements provided very little benefit to the borrower.

Fannie Mae still requires specific notices regarding the transfer of servicing. Servicers are also required to provide customers:

  • Prompt and accurate information of a pending transfer of servicing, and
  • Prompt and courteous responses to their inquiries about the transfer.

This policy change will enable servicers to implement their own process so long as it remains in compliance with applicable law.

We’ve heard that the NMLS website is being revamped. Is this true, and if so, when should we expect to see the changes?

Yes, per NMLS, the website is being rebuilt on a more modern platform in order to improve its operations, enhance the user experience, and strengthen supervision. The new platform, referred to as “NMLS 2.0,” was previously scheduled for release in September 2018. However, according to the State Regulatory Registry LLC, the organization that owns and operates NMLS, NMLS 2.0 is now expected to launch in the second quarter of 2019.

More information on NMLS 2.0 can be found at: https://nationwidelicensingsystem.org/Pages/NMLS20Information.aspx

I understand the CFPB revised the servicing requirements for borrowers in bankruptcy. What do I need to know about these changes?

The CFPB revised the rule for Bankruptcy Periodic Statements, effective April 19, 2018. It applies to all entities that own and/or service consumer first lien mortgage loans, except for small servicers of 5,000 or fewer consumer mortgages.

Unless an exemption applies, a servicer must provide periodic statements or coupon books to a borrower when the borrower is in bankruptcy. Servicers must modify these periodic statements or coupon books for the bankruptcy. Modifications depend on the type of bankruptcy filed. In certain circumstances, once the borrower exits bankruptcy or the bankruptcy no longer applies to the borrower, a servicer can then transition back to providing an unmodified periodic statement or coupon book.

A servicer may be exempt from providing coupon books if a borrower is a debtor in bankruptcy or has discharged or discharged personal liability for the mortgage loan through bankruptcy.

Further, servicers are not required to send periodic statements or coupon books to borrowers in bankruptcy when the following two requirements are satisfied:

  1. Any borrower on the mortgage loan is a debtor in bankruptcy or discharged personal liability for the mortgage loan through bankruptcy; and
  2. One of the following conditions applies to a borrower on the mortgage loan:
    • The borrower requests in writing that the servicer cease providing a statement or coupon book;
    • The borrower’s most recently filed bankruptcy plan provides for that the borrower will surrender the home securing the loan;
    • The bankruptcy court orders the lien avoided; or
    • The borrower files with the court a statement of intention to surrender the home securing the loan and the borrower has not made any partial or periodic payment on the loan after commencement of his/her bankruptcy case.

With some exceptions, periodic statements or coupon books for borrowers in bankruptcy must contain the same categories of disclosures as are provided to borrowers who are not in bankruptcy. Variations exist in regard to how “amount due” must be displayed, as well as how delinquency information and other account information must be disclosed. The periodic statement must include the discharged status of the loan or the borrower’s status as a debtor in bankruptcy, and a statement that the periodic statement is being provided to the borrower for informational purposes only.

What is the importance of a settlement agent vetting and monitoring policy?

As part of any comprehensive vendor management policy it is important for a mortgage lender to properly vet its settlement agents to ensure the agents are licensed and able to perform settlement services on behalf of the lender. Additionally, vetting settlement agents provides a lender with the opportunity to confirm whether a settlement agent maintains acceptable insurance coverage, understands the method by which funds are to be sent and received, and has policies and procedures in place to address various important matters.

Confirming your settlement agents are licensed is important since companies performing such services (i.e. title companies, escrow companies, and real estate attorneys) are required to maintain licensure. If your settlement agent fails to maintain the proper license, it can lead to costly penalties to your company and can also cause reputational harm.

It is also important for you to review your settlement agents’ insurance coverages. An Error & Omissions policy and/or Fidelity Bond policy may help protect a lender against claims that may derive from mistakes, negligence or fraudulent actions.

Further, reviewing a settlement agent’s written policies and procedures is best practice as it is critical to ensure they maintain guidelines for handling issues such as complaint management and fraud awareness and prevention.

What factors determine a high, moderate or low-risk vendor?

When determining risk factors to decide on a vendor’s inherent risk, there are many factors that must be considered. While a lender’s risk appetite will play a part in determining the risk assigned, vendors should not all fall into the same risk tier. Vendors that are not critical to a lender’s operations do not need to undergo the same due diligence process compared to a vendor that plays an important role in the day-to-day operations.

Typically, characteristics that should be examined include:

  • Whether the vendor is customer facing,
  • If the vendor has access to consumer NPI (non-public personal information),
  • The work performed by the vendor,
  • Regulatory/operational impact if the vendor does not perform the function assigned, and
  • Monitoring/performance of the vendor.

It is important to note that your vendor management oversight program should clearly define the criteria for high, medium, or low-risk vendors with documentation to justify your risk rating approach.

We have both a Quality Control Department and a Compliance Department. Can one of these departments perform the Internal Audit component as required by the GSEs?

No. Fannie Mae recently published Selling Guide Announcement SEL-2017-10, which clearly outlines mortgage lender internal audit requirements with regard to independence and reporting lines, eliminating any perceived ambiguity from the current Selling Guide Eligibility requirements. The update, dated December 19, 2017, lists minimum requirements for all Fannie Mae approved sellers and servicers and indicates they “must have internal audit and management controls to evaluate and monitor the overall quality of their loan production and servicing.”

Below please find an outline of such minimum requirements. Such requirements are effective July 1, 2018.

  1. The procedures must be independent of all key functions of the loan manufacturing process and the servicing processes that they review.
  2. The seller/servicer’s lines of reporting must reflect the independence of the audit process at all levels.
  3. The audit function must not share any reporting lines with the functional areas that it reviews.
  4. The audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions.
  5. The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approachto evaluating and improving the effectiveness of risk management, control, and governance processes.

Not only does Internal Audit reporting help lenders meet GSE requirements by identifying risks or gaps in controls, there is an added benefit in getting ahead of potential damage to a company’s reputation or financial well-being.

We understand the Government Monitoring Information (“GMI”) answer options have changed with the new HMDA rules, but can you explain our reporting obligations?

Under the new HMDA rules, if an applicant chooses not to provide information related to his/her sex, race and/or ethnicity and the application is taken in person or by electronic media with video component, you must now report how you collected such information (i.e. whether reported based on visual observation/surname or not).

If an applicant chooses to answer these questions, you must allow the applicant to provide more than one ethnicity and race and you must allow the applicant to self-identify using both aggregated categories and disaggregated ethnic and racial subcategories.

For example,

  1. Aggregated Category: Hispanic or Latino
  2. Disaggregated Subcategories: Mexican, Puerto Rican, Cuban, etc.

Additionally, applicants must be permitted to provide ethnicity and/or race information that is not provided for on the collection form (i.e. free form text). However, if the applicant chooses not to answer and you identify based on visual observation or surname you cannot use the disaggregated subcategories.

The HMDA Rule provides a transition provision that allows a financial institution to report the applicant’s ethnicity, race, and sex under the new HMDA rule requirements in effect at the time that the financial institution collects the information, not when the financial institution takes final action on the application. Thus, if a financial institution receives an application prior to January 1, 2018, but final action is taken on or after January 1, 2018, the financial institution complies with the new rules if it collects the information in accordance with the requirements in effect at the time the information was collected.

Many financial institutions have begun to require the collection of the new GMI information and adopted the use of the Demographic Information Addendum issued by Fannie Mae. If you intend to use this document, the Agencies advised that you should cross out or delete Section X of the Uniform Residential Loan Application (“URLA”) and replace it with the Addendum. The Addendum may be found at: https://www.fanniemae.com/content/guide_form/urla-demographic-addendum.pdf