Compliance Question of the Week 2018
I register my loans with the Mortgage Electronic Registration Systems, Inc. (“MERS”). Am I required to perform an annual MERS audit?
It depends on your MERS membership type. MERS Quality Assurance Standards require all MERS General Members to perform an independent quality assurance (“QA”) review annually and certify to same as part of the Annual Report due December 31st. Depending on the size of your servicing portfolio, the review may be conducted by an internal department or you may need to engage an outside independent third party to perform the review.
If your organization is the servicer on fewer than 1,000 active Mortgage Identification Number (“MIN”) records as of March 31st of the current year, you may conduct the review in-house and are responsible for sending an annual certification to MERS along with an updated copy of your MERS QA Plan. The reviewer may be an internal resource or you may choose to utilize an external entity. If you use an internal resource within your organization, that resource must be a QA Officer, a Legal MERS system contact, or an employee who is not affiliated with the MERS System operations.
If your organization is the servicer on 1,000 or more active MINs, you must engage an outside third party review organization. Third party review organizations can be external QA auditors or third-party compliance/consulting organizations. The third-party reviewer must sign the Annual Report confirming that all quality assurance provisions have been met.
The objective of the review and Annual Report is to certify your QA performance against your MERS QA Plan. The report identifies and evaluates your organization’s system-to-system reconciliation process, your reject/warning report process, and adherence to your QA Plan. As such, keeping your MERS QA Plan up to date for accuracy and effectiveness is an important measure in passing the MERS audit. It is also important to ensure that your staff is following your written MERS policies and procedures, that all applicable forms of recordable documents contain the necessary MERS language, and that reconciliations are being performed timely.
Not performing an annual audit, or not passing one, could result in fines, penalties, and revocations, as your program will be out of compliance.
Do Fair Lending laws prohibit a mortgage lender or broker from collecting and retaining a copy of a photographic identification document (“Photo ID”) as part of a mortgage loan application?
Although there has been some debate as to whether maintaining such a Photo ID in the loan file could create a fair lending concern, it is specifically permitted by some federal agencies. For example, the Federal Housing Administration’s (“FHA”) Single Family Housing Policy Handbook 4000.1 (“FHA Handbook”) requires a mortgagee to review an applicant’s Photo ID. The FHA Handbook indicates in relevant part, “[t]he Mortgagee must include a statement that it has verified the Borrower’s identity using valid government-issued photo identification prior to endorsement of the Mortgage or the Mortgagee may choose to include a copy of such photo identification as documentation.”
Further, the Federal Financial Institutions Examination Council (“FFIEC”) permits a mortgage lender to verify the identity of an applicant using a Photo ID as part of its Bank Secrecy Act Manual (the “BSA Manual”). According to the BSA Manual, mortgage lenders and banks are expected to “review an unexpired government-issued form of identification from most customers. This identification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard; examples include a driver’s license or passport.”
There are various ways a mortgage lender can collect a Photo ID, while also being mindful of the fair lending concerns that may result. In an effort to prevent fair lending concerns related to maintaining a copy of a Photo ID within a loan file, mortgage lenders may choose to maintain a separate file for the applicant’s Photo ID and/or create another way to not provide the underwriter with a copy of the Photo ID. This would help ensure that reviewing the Photo ID does not affect the underwriting decision. Additionally, providing adequate fair lending training, as well as privacy training to employees is important.
Should my vendor oversight program review the financial strength of my third-party vendors?
A financial review is a vital part of assessing the risk associated with working with a third-party vendor – particularly if the vendor serves as a critical vendor for your company. Determining a vendor’s financial strength helps evaluate whether that third-party vendor can meet its financial obligations as they become due and whether the vendor may encounter operational issues. The financial assessment should review financial highlights, as well as ratios and metrics that measure the vendor’s fiscal performance. Ratios and metrics should provide information necessary to assess liquidity, profitability, operational performance, balance sheet management and the vendor’s ability to manage cash flow.
Some characteristics to consider when assessing the financial strength of a vendor may include:
- Working capital – Does the vendor have negative working capital? Is there enough liquidity or current assets to cover its current debt?
- Net worth – Does the vendor have declining net worth? May it be depleted by annual operating losses, decrease in asset values relative to liabilities, or distributions/dividends paid?
- Profitability – Does the vendor have net losses? Do expenses exceed revenue?
An effective vendor management program that assesses financial strength may help a company make an educated decision on whether or not to rely on and enter into a business relationship with a particular vendor, especially one that may be critical to your operations.
Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?
Yes. On May 24, 2018 (the “Enactment Date”), the President signed a Dodd-Frank roll back regulation, known as the Economic Growth, Regulatory Relief, and Consumer Protection Act, which, among other things, provides MLO transitional licensing authority effective 18 months after the Enactment Date.
Under the new regulation, a federally-registered MLO that has been registered as such for at least one year may obtain temporary authority to act as an MLO for up to 120 days after becoming employed by a state-licensed company and submitting an MLO application in a particular state. In order to qualify, the MLO cannot (i) have had an application for an MLO license previously denied, revoked or suspended; (ii) be subject to or served with a cease and desist order in any governmental jurisdiction or under the SAFE Act; or (iii) be convicted of a misdemeanor or felony that would preclude licensure in the application state.
Additionally, under the new regulation, a state-licensed MLO that has been licensed as such for at least 30 days may obtain temporary authority to act as an MLO for up to 120 days in another state if the MLO submitted an MLO application in that other state. Again, to qualify, the MLO must meet the requirements outlined in (i)-(iii) above.
I understand that the Consumer Financial Protection Bureau (the “CFPB”) recently eliminated the TRID Black Hole. Does this mean lenders can provide the Closing Disclosure (“CD”) to borrowers earlier in the origination process?
In late April 2018, the CFPB issued the Black Hole final rule, thereby eliminating one of TRID’s major annoyances to lenders. Lenders may now reset tolerances on any CD at any time regardless of the number of business days prior to closing that the change occurred. Prior to this amendment, TRID did not permit lenders to use a CD to cure a tolerance violation if there were four or more days between the time the revised disclosures are required to be provided and consummation of the loan.
In issuing the amendment, the CFPB noted that commenters were concerned that the amendment would cause lenders to provide the initial CD very early in the transaction. Addressing these concerns, the CFPB stated that it believes that the existing accuracy standard for the CD will prevent lenders from providing the initial CD too early in the process. The CFPB reiterated that the applicable accuracy standard for information required on the CD is the “best information reasonably available,” which requires lenders to perform “due diligence” in obtaining accurate information to be placed on the CD.
Based on the language in the amendment, lenders should be very careful to ensure each and every CD issued contains the “best information reasonably available” at the time of issuance. Providing an initial CD which is missing information and subsequently providing a final CD which includes such information is not compliant with the terms of the statute.
The Black Hole final rule is available at the following link: https://www.consumerfinance.gov/about-us/newsroom/bureau-consumer-financial-protection-finalizes-amendment-know-you-owe-mortgage-disclosure-rule/.
The amendment will be effective on June 1, 2018, and will be available for loans in process as of that date as well as applications taken after such date.
What are a few vital IT Security controls that I should implement in my organization?
Now, more than ever, the prevention of data breaches and data loss is vital to any organization. From the all-too-common grasp of ransomware (when a hacker encrypts your business data for a monetary ransom), to the lack of appropriate IT controls and vendors, business-critical data is clearly susceptible to risk.
To best avoid exposing your critical business data to risks, start by implementing these important controls:
- Up-to-date and Reputable Anti-Malware Software
  - Ensure that all business assets have reputable, and up-to-date, anti-malware solutions installed and managed across the organization.
- Install the Latest Operating System Updates
  - Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receive the patches first, in order to rule out any incompatible patches before installing them on all assets.
- Clean Desk Policies
  - Ensure that your staff members are not writing down their network credentials (user names and passwords) on post-it notes at their desks.
- Off-site Data Redundancy
  - Ensure that your critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site owned by your organization.
- Change Management
  - Ensure that all production assets have the necessary change management tickets and approvals for any reboots, patching, upgrades, changes, or replacements.
- Create and Update Policies and Procedures
  - Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster, or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
- Seek Reputable Vendors
  - Ensure all of your vendors have the appropriate IT Security implementations in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT Security is.
- Ensure all company assets (laptops, phones, tablets), which contain company or consumer data, are tagged and encrypted.
- Force password changes on a frequent basis.
- Force computers to lock when idle for a certain time period.
- Implement two-factor authentication.
- Train Staff
  - Train your staff on phishing, ransomware, and IT security awareness. Basics, such as locking the computer when away, not leaving laptops in plain view in a parked car, and not propping open doors that may allow unsupervised visitors, are just a few common-sense reminders to train your team.
You can never be too secure but starting with the short list above is a great step in the right direction.
What physical security protocols should my third-party vendors have in place?
As part of a comprehensive vendor management oversight program, a thorough evaluation should be conducted on whether your third-party vendors have sufficient physical security controls in place. You should evaluate and identify the inherent risk of each of your vendors and develop a plan for managing physical security risks associated with these third-party relationships. Vendors with access to nonpublic personal consumer information and/or proprietary information generally require greater physical security standards.
One item you should request and review is your vendor’s Physical Security Policy. An effective Physical Security Policy ensures safety and security of the vendor’s location including off-site data centers, operation rooms, filing rooms, cash rooms, and any other areas that may contain confidential and/or proprietary information. In order to prevent intrusion and unauthorized access, a vendor’s Physical Security Policy should at the very least entail the following:
- Employee and visitor access levels and tracking, such as log in/log out sheets;
- Use of alarm systems and/or surveillance cameras with retention records;
- Security perimeters (card controlled entry gates, security guards, and/or manned reception desks);
- Locks, access cards and/or security codes; and,
- Enhanced data center and/or server room security features.
From a regulatory standpoint, an effective vendor management program that assesses these items can help eliminate compliance, reputational, strategic and operational risks.
The Fannie Mae requirements for Servicing Transfer Welcome calls have been updated. What do I need to know?
Effective immediately, Fannie Mae has announced that it has updated its Guide with regard to servicing transfers, removing the requirements that the new servicer:
- Initiate welcome calls to borrowers within five days after transfer,
- Make at least three welcome call attempts by the end of the month following the file transfer (unless contact is made or a payment is received), and
- Use commercially reasonable efforts to maintain accurate contact information.
Fannie Mae stated borrower contact rates are low and borrowers are already aware of the servicing transfer. They have concluded these requirements provided very little benefit to the borrower.
Fannie Mae still requires specific notices regarding the transfer of servicing. Servicers are also required to provide customers:
- Prompt and accurate information of a pending transfer of servicing, and
- Prompt and courteous responses to their inquiries about the transfer.
This policy change will enable servicers to implement their own process so long as it remains in compliance with applicable law.
We’ve heard that the NMLS website is being revamped. Is this true, and if so, when should we expect to see the changes?
Yes, per NMLS, the website is being rebuilt on a more modern platform in order to improve its operations, enhance the user experience, and strengthen supervision. The new platform, referred to as “NMLS 2.0,” was previously scheduled for release in September 2018. However, according to the State Regulatory Registry LLC, the organization that owns and operates NMLS, NMLS 2.0 is now expected to launch in the second quarter of 2019.
More information on NMLS 2.0 can be found at: https://nationwidelicensingsystem.org/Pages/NMLS20Information.aspx
I understand the CFPB revised the servicing requirements for borrowers in bankruptcy. What do I need to know about these changes?
The CFPB revised the rule for Bankruptcy Periodic Statements, effective April 19, 2018. It applies to all entities that own and/or service consumer first lien mortgage loans, except for small servicers of 5,000 or fewer consumer mortgages.
Unless an exemption applies, a servicer must provide periodic statements or coupon books to a borrower when the borrower is in bankruptcy. Servicers must modify these periodic statements or coupon books for the bankruptcy. Modifications depend on the type of bankruptcy filed. In certain circumstances, once the borrower exits bankruptcy or the bankruptcy no longer applies to the borrower, a servicer can then transition back to providing an unmodified periodic statement or coupon book.
A servicer may be exempt from providing coupon books if a borrower is a debtor in bankruptcy or has discharged personal liability for the mortgage loan through bankruptcy.
Further, servicers are not required to send periodic statements or coupon books to borrowers in bankruptcy when the following two requirements are satisfied:
- Any borrower on the mortgage loan is a debtor in bankruptcy or discharged personal liability for the mortgage loan through bankruptcy; and
- One of the following conditions applies to a borrower on the mortgage loan:
  - The borrower requests in writing that the servicer cease providing a statement or coupon book;
  - The borrower’s most recently filed bankruptcy plan provides that the borrower will surrender the home securing the loan;
  - The bankruptcy court orders the lien avoided; or
  - The borrower files with the court a statement of intention to surrender the home securing the loan and the borrower has not made any partial or periodic payment on the loan after commencement of his/her bankruptcy case.
With some exceptions, periodic statements or coupon books for borrowers in bankruptcy must contain the same categories of disclosures as are provided to borrowers who are not in bankruptcy. Variations exist in regard to how “amount due” must be displayed, as well as how delinquency information and other account information must be disclosed. The periodic statement must include the discharged status of the loan or the borrower’s status as a debtor in bankruptcy, and a statement that the periodic statement is being provided to the borrower for informational purposes only.
What is the importance of a settlement agent vetting and monitoring policy?
As part of any comprehensive vendor management policy it is important for a mortgage lender to properly vet its settlement agents to ensure the agents are licensed and able to perform settlement services on behalf of the lender. Additionally, vetting settlement agents provides a lender with the opportunity to confirm whether a settlement agent maintains acceptable insurance coverage, understands the method by which funds are to be sent and received, and has policies and procedures in place to address various important matters.
Confirming your settlement agents are licensed is important since companies performing such services (i.e. title companies, escrow companies, and real estate attorneys) are required to maintain licensure. If your settlement agent fails to maintain the proper license, it can lead to costly penalties to your company and can also cause reputational harm.
It is also important for you to review your settlement agents’ insurance coverages. An Error & Omissions policy and/or Fidelity Bond policy may help protect a lender against claims that may derive from mistakes, negligence or fraudulent actions.
Further, reviewing a settlement agent’s written policies and procedures is best practice as it is critical to ensure they maintain guidelines for handling issues such as complaint management and fraud awareness and prevention.
What factors determine a high, moderate or low-risk vendor?
When deciding on a vendor’s inherent risk, there are many factors that must be considered. While a lender’s risk appetite will play a part in determining the risk assigned, vendors should not all fall into the same risk tier. Vendors that are not critical to a lender’s operations do not need to undergo the same due diligence process as a vendor that plays an important role in the day-to-day operations.
Typically, characteristics that should be examined include:
- Whether the vendor is customer facing,
- If the vendor has access to consumer NPI (non-public personal information),
- The work performed by the vendor,
- Regulatory/operational impact if the vendor does not perform the function assigned, and
- Monitoring/performance of the vendor.
It is important to note that your vendor management oversight program should clearly define the criteria for high, medium, or low-risk vendors with documentation to justify your risk rating approach.
We have both a Quality Control Department and a Compliance Department. Can one of these departments perform the Internal Audit component as required by the GSEs?
No. Fannie Mae recently published Selling Guide Announcement SEL-2017-10, which clearly outlines mortgage lender internal audit requirements with regard to independence and reporting lines, eliminating any perceived ambiguity from the current Selling Guide Eligibility requirements. The update, dated December 19, 2017, lists minimum requirements for all Fannie Mae approved sellers and servicers and indicates they “must have internal audit and management controls to evaluate and monitor the overall quality of their loan production and servicing.”
Below please find an outline of such minimum requirements. Such requirements are effective July 1, 2018.
- The procedures must be independent of all key functions of the loan manufacturing process and the servicing processes that they review.
- The seller/servicer’s lines of reporting must reflect the independence of the audit process at all levels.
- The audit function must not share any reporting lines with the functional areas that it reviews.
- The audit function must report directly to the seller/servicer’s senior management and/or board of directors. Exceptions are permitted in situations in which the size of the seller/servicer’s organization is insufficient to support adequate resources to allow for separation of these functions.
- The procedures must be consultative, so that they help the seller/servicer accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Not only does Internal Audit reporting help lenders meet GSE requirements by identifying risks or gaps in controls, but there is also an added benefit in getting ahead of potential damage to a company’s reputation or financial well-being.
We understand the Government Monitoring Information (“GMI”) answer options have changed with the new HMDA rules, but can you explain our reporting obligations?
Under the new HMDA rules, if an applicant chooses not to provide information related to his/her sex, race and/or ethnicity and the application is taken in person or by electronic media with a video component, you must now report how you collected such information (i.e. whether reported based on visual observation/surname or not).
If an applicant chooses to answer these questions, you must allow the applicant to provide more than one ethnicity and race and you must allow the applicant to self-identify using both aggregated categories and disaggregated ethnic and racial subcategories.
- Aggregated Category: Hispanic or Latino
- Disaggregated Subcategories: Mexican, Puerto Rican, Cuban, etc.
Additionally, applicants must be permitted to provide ethnicity and/or race information that is not provided for on the collection form (i.e. free form text). However, if the applicant chooses not to answer and you identify based on visual observation or surname you cannot use the disaggregated subcategories.
The HMDA Rule provides a transition provision that allows a financial institution to report the applicant’s ethnicity, race, and sex under the new HMDA rule requirements in effect at the time that the financial institution collects the information, not when the financial institution takes final action on the application. Thus, if a financial institution receives an application prior to January 1, 2018, but final action is taken on or after January 1, 2018, the financial institution complies with the new rules if it collects the information in accordance with the requirements in effect at the time the information was collected.
Many financial institutions have begun to require the collection of the new GMI information and adopted the use of the Demographic Information Addendum issued by Fannie Mae. If you intend to use this document, the Agencies advised that you should cross out or delete Section X of the Uniform Residential Loan Application (“URLA”) and replace it with the Addendum. The Addendum may be found at: https://www.fanniemae.com/content/guide_form/urla-demographic-addendum.pdf