Mortgage News Digest

Wednesday, May 31, 2017

Investor Renewals - Broker/Mini-Corr Lender lack of distinction may cause problems

My lender/investor is asking for our post-closing quality control plan and 10% audits... We are a non-delegated correspondent or broker. What now?

With the proliferation of categories and levels of correspondent, including mini-correspondent, non-delegated mini-correspondent, funding non-delegated correspondent, and wholesale/broker, we see many wholesalers request quality control plan elements that do not apply to a specific business model. Specifically, lenders are asking brokers or non-delegated correspondents for agency-level post-closing reviews, including 10% random sampling, re-verification of all loan file exhibits, appraisal reviews, closing document reviews and re-underwriting.

If you are not delegated underwriting and closing, this should not apply to you.

The requirement for random sampling and post-closing reviews of loans doesn't apply if you aren't underwriting or drawing closing documents yourself. We have found that this is usually the result of a mis-categorization of the originator as a lender. Explaining that this requirement is like asking the broker or correspondent to underwrite and evaluate the lender's credit decision - something the broker/correspondent had NOTHING to do with in the first place - clears this requirement.

Some wholesalers will not budge, though. This is the golden rule: He who has the gold makes the rules. In this case, evaluate how important the wholesaler is to your business. If it's a critical product or service, you may have to start conducting these reviews in order to maintain the investor. But DO NOT simply capitulate to the requirement and start a post-closing review process without ensuring that the requirement is absolute. Beyond being redundant for loans underwritten by someone else, post-closing reviews are expensive.

"Do they even review this stuff?.."

Wholesalers have been reviewing our quality control plans for years. It is important to note that many of these reviewers don't actually read an entire plan, so that if something doesn't jump off the page at them, they may mark your plan as deficient. That doesn't mean it isn't in the plan.  99.9% of the time we draft a rebuttal, we are simply citing the page numbers where the reviewer can locate the information he or she couldn't find (or didn't look for) the first time.

This also doesn't mean that we don't value the feedback. We always want to know if we have missed something, so we can include it for any of our clients who might get similar feedback. That's one of the ways our products have evolved since 1996.  It's also why we can guarantee our products' acceptability.


The most important thing to remember is that you want your plan to reflect PROCEDURES about how you work to catch ANY possible error. This is completely different from writing a POLICY, which simply states that you will look for various elements. For instance, a recent communication showed:

The Pre-Funding Quality Control Requirements (and where they are located in your Broker Plan):

  • Quality Control is Conducted by someone other than party to loan origination (Page 22)
  • The Borrower Social Security number is re-verified on all loans (Page 14)
  • The Income calculations and supporting documentation are reviewed (Page 13)
  • Verbal verifications of employment are conducted (Page 20)
  • Assets needed to close or meet reserve requirements are reviewed (Page 15)
  • Appraisal or other property valuation is reviewed (Page 16)
  • Documentation is reviewed to assure adequate mortgage insurance coverage (Page 12)
  • Review loan to determine automated underwriting info is accurate (Page 18)
  • Liabilities between 1003 and credit report are reconciled (Page 12)

The page numbers show where you can locate the requirement as it is addressed as part of the much more extensive documentation review.  This is the key. You can get a repurchase request or denial for an item which is not a requirement for the quality control plan. To combat this - WHILE YOU ALSO COMPLY WITH THE QC REQUIREMENT - you need a thorough system, using checklists and peer reviews.

DO NOT write a policy that states that you will simply check for these items, as it opens you up to liability for missing other elements associated with the items requested that have not been requested to be stated in policy in writing.

Wednesday, April 5, 2017

Brokers: Do I Report HMDA Data?

4/6/2017 Update

As we approach the 2018 HMDA reporting window, with the wider rubric for filing requirements, we are getting many calls from brokers about preparing to become reporters. We want to reiterate that a broker business that categorizes its customers as PRE-QUALIFICATIONS until the loan is referred to an investor DOES NOT HAVE TO REPORT HMDA DATA.

1.) HMDA is an extension of ECOA, so if you are not making credit decisions, you do not report. Only the ultimate decision maker reports.
2.) Technically, brokers CANNOT make decisions because they do not have the funds available to unilaterally fund applications. 
3.) Many states sanction brokers who represent that they are lenders

Original Post From 12/5/13

As compliance season descends on the mortgage business again, we start to hear growing numbers of concerns over how a firm will comply with a nuance of a rule.  Often the concern originates with a rumor or other misinformation from a networking group or an e-mail from a service provider looking for business. With respect to brokers, you should generally avoid reporting HMDA denial data for the simple reason that BROKERS DO NOT MAKE CREDIT DECISIONS.

Among the risks you expose yourself to:

  • State Regulator sanctions for acting as a lender without a lender license.
  • Scrutiny from a Federal regulator regarding why ALL your loans are denied.
  • Inconsistent reporting/reporting errors on other reports

NMLS Call Report - Requests Denied Applications

The idea that brokers should report HMDA data may come from the fact that the NMLS Call Report has a line item for "Denied."  However, this is not the intention of this element of call reporting:  this is to identify the "net loan volume."  (Pipeline + New Loans - Closed, Withdrawn and Denied Loans = Ending Pipeline) The denied loans, in this case, should be loans that you will never close because ALL of your wholesalers or investors have denied them.

Brokers should only put the loans which the INVESTOR has denied in this column.

NMLS Call Report - Don't include pre-qualifications you have denied.

Is It Really a Loan Until the Lender Has It?

If you are a straight broker, and not a mini-correspondent, you should define your application policy to ensure that loans which will not be sent to an investor, for whatever reason, are coded as pre-qualifications. Pre-Qualifications do not trigger HMDA Reporting.  This does not mean that you will not send GFE or other property or application related disclosures if you are actively processing the file.

According to the staff commentary in the HMDA Small Entity Compliance Guide: "2. Pre-Qualification. A pre-qualification request is a request by a prospective loan applicant (other than a request for preapproval) for a preliminary determination on whether the prospective applicant would likely qualify for credit under an institution’s standards, or for a determination on the amount of credit for which the prospective applicant would likely qualify. Some institutions evaluate pre-qualification requests through a procedure that is separate from the institution’s normal loan application process; others use the same process. In either case, Regulation C does not require an institution to report pre-qualification requests on the HMDA/LAR, even though these requests may constitute applications under Regulation B for purposes of adverse action notices." Commentary Appendix D, Supplement I

HMDA Small Entity Guide

ECOA, Fair Lending and Loan Disposition - Not to be Confused with HMDA Reporting

Due to the overlay of so many regulations, it can be easy to confuse which rule requires which actions. You are still required to adhere to Fair Lending and Equal Credit Opportunity Act (Regulation B) guidelines with respect to providing an applicant with a disposition within 30 days. To avoid monitoring challenges and potential violations on small pipelines, use your Incomplete Application Notice on all loans. If the customer fails to provide all of the information, you can withdraw the loan from your pipeline without any further action. You MAY optionally send a letter noting the withdrawal.

Avoid Being the Creditor

Under the current regulatory scheme, lenders bear the burden for credit and disclosure risks.  A correctly structured broker pre-qualification process allows for the unique opportunity to avoid many of the lender's pitfalls with respect to creditor actions.

Tuesday, March 28, 2017

New York State "Cybersecurity" Requirements

If you own your network infrastructure, big changes coming to New York

For customers, your Information Security Plan covers the requirements

New York State licensed financial entities have received notice of new specific requirements for cyber-security. The rules went into effect March 1, 2017, and compliance deadlines start August 28, 2017. Cyber-security is a synonym for information security when data is stored or accessed via an electronic information storage and retrieval network. In other words, cyber-security deals with network security in addition to basic information security.

Complete text of Cyber-security Rule

At the heart of the requirements, aside from standard information security remediation, companies must have some form of dual-factor authentication. If you use a token or mobile password in addition to your password, you probably already comply.

Are you Exempt?

The law contains a number of key exemptions:

Exemption - Asset Size: < 10 employees OR < $5 MM in revenue OR < $10 MM assets

Exempt from 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16

You must still have policies and procedures, control access, conduct a risk assessment, and identify if 3rd parties have a CISP.

Exemption - "Agent" classification: If you use someone else's system (such as wholesaler's or investor's)

Exemption - No server: If you don't own and operate the infrastructure

Exempt from 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16

You must still control access, conduct a risk assessment and identify if 3rd parties have a CISP.

IF YOU ARE EXEMPT, YOU MUST FILE AN EXEMPTION BY AUGUST 28, 2017. A copy of the exemption certification is on the last page of the announcement.

If you are NOT Exempt

For entities which are NOT exempt, we identify where your policies and procedures meet the requirements. While there are a number of preparations entities must make to comply, unless you maintain your own servers the actual, physical changes normally will be undertaken by your third party infrastructure provider.

If you obtained your information security policy from us, you may share it with your infrastructure vendors, as it addresses the requirements:

Section 500.02 Cybersecurity Program

By virtue of having a written policy in place, you comply with this section. In addition, our policy states the protocol for testing the program, another requirement of this section.

Section 500.03 Policy 

This section defines what must be in your policy and procedure. We identify those things that are the responsibility of the network provider, and those which are the responsibility of the mortgage company.

(a) information security; the actual plan for protecting NPI - #1 - mortgage company
(b) data governance and classification; the system by which you identify data that is NPI - #2 -  mortgage company
(c) asset inventory and device management; infrastructure provider
(d) access controls and identity management; infrastructure provider & #3 password policy mortgage company
(e) business continuity and disaster recovery planning and resources; #4 mortgage company
(f) systems operations and availability concerns; infrastructure provider
(g) systems and network security; infrastructure provider
(h) systems and network monitoring; infrastructure provider
(i) systems and application development and quality assurance; infrastructure provider
(j) physical security and environmental controls; #5 mortgage company
(k) customer data privacy; #6 mortgage company
(l) vendor and Third Party Service Provider management; #7 mortgage company
(m) risk assessment; #8 mortgage company
(n) incident response. #9 mortgage company

| Requirement | Addressed in Info Security Plan |
|---|---|
| Chief Information Security Officer (CISO) – you must install one, if you don’t have one | 2-90 #5 |
| Penetration Testing – CISO must conduct yearly, vulnerability assessment every 6 mos | 2-90-4 #7 |
| Audit Trail – keep records of all activity | |
| Access Control – must control access to NPI on network | 2-90-2 #3 |
| App Security – certify developed programs free of defects | |
| Risk Assessment – Identify what NPI is at risk when | 2-90-2 #8 |
| Personnel – must have training and certifications | 2-90-7 #9 |
| 3rd Party Assessments – evaluate whether 3rd parties comply | 2-90-4 #7 |
| Multi-Factor Authentication – must have at least 2 | 2-90-2 #3 |
| Records Retention – limits on NPI data retained | 2-90-2 #10 |
| Training – must train annually | 2-90-6 #9 |
| Encryption – NPI protected by encryption during transit | 2-90-2 #11 |
| Incident Response Plan | 2-90-2 #2 |

Page 1 - Information Security Plan - Showing References to Requirements

Page 2 - Information Security Plan 

Page 1 - Disaster Recovery Plan/Business Continuity Plan

Page 1 - Customer Privacy Policy