Wednesday, April 10, 2024

How to create a compliance library for your company

Creating content takes weeks and months. That's why many people purchase off-the-shelf training subscriptions for compliance training. But in truth, much of this material is the same stuff that's been trotted out for years. Why not take the material directly from the source (e.g., government agency, regulator, or mortgage insurance company) and just document that our employees have taken it with a quiz? 

This allows you to devote your training program development to those areas where there is a gap or where your specific situation needs more attention. 

Step 1 - Assemble the Playlist

We did this here on YouTube. It's a great resource for compliance managers who need to have more than their line employees' training. Visit

You can curate playlists with the content you want your employees to see.

Then it's just a matter of developing a quiz to ensure the students have gotten the message. You can create a quiz in ChatGPT, or use our models here:

Thursday, November 2, 2023

Gramm-Leach-Bliley FTC Safeguard Rules Updated 6/2023 - Regulators asking lots of questions

Changes published in 2021 went into final effect in June 2023. Now, regulators are stepping up their review.

We've been seeing the impact of the updated CyberSecurity examinations prompted by the December 2021 FTC rule revisions. Regulators are dumping massive checklists into the exam load, and most companies don't have the bandwidth to address it. It's a hefty load, but it's worth going through to establish a baseline. 

Click here for the updated rule 

Click here for the CSBS Model Examination Form for non-banks 

The word you will see the most in an examination citation is "implementation." This means that, no matter how good your model policy is, if you're not doing - or don't have evidence that you can do - the things the rule requires, you'll likely be cited.

As in every good compliance program, policies and procedures are simply part of a complete IT Security Plan. There are 4 pillars of every compliance program:

  1. a compliance officer,
  2. policies and procedures,
  3. training, and
  4. testing/auditing.

Most of the policies we've seen are precisely that - policies. There is very little procedure. In other words, the model form says, "We will comply," but doesn't say, "This is how we comply." This is the most significant difference between our products and those written by lawyers or compliance experts.

Location of IT Security Questionnaire Items in 2-9 IT/CyberSecurity Plan


States Strictly Enforcing GLB Compliance

  • DC
  • Maryland
  • Massachusetts
  • Virginia
  • Texas
  • New York

Remember to add those non-policy items

  • List of hardware (investor)
  • List of software and cloud services
  • List of vendors (investors, office tech, processors, etc.)
  • Cyber Insurance Policy

Tools for Self-Training

Tools for Self-Audit

Wednesday, May 17, 2023

The problem with the flip flop - Anti-Steering and Loan Originator Comp

Broker companies are creating compensation plans with flexibility for lowering the compensation of broker loan originators by switching from lender paid to borrower paid. It appears legal, by taking the Safe Harbor of "borrower's best interests" to allow pricing discretion and reduced commission to loan originators. However, this changing commission is based on loan terms (or proxy) because it results from the change of fees. Seen this way, the practice is prohibited under the anti-steering rules. Why? Because if you can reduce pricing by switching, you can achieve the inverse, too. 

This is precisely what is happening today; loan originators go to the prospect with one price based on lender-paid fixed compensation plans. Then the prospect comes back with a competing offer and the loan originator now tries to beat it. Since it's impractical to change pricing under LO comp rules under lender paid on a case-by-case basis, they switch the pricing to borrower paid where there is flexibility to reduce the charges. Now, the compensation is in the hands of the broker-company, not the wholesale lender. This is done under the auspices of "borrower's best interests" Safe Harbor. 

It should be clear that, unless you have a loan amount-based compensation plan, the temptation to flip a borrower from Borrower Paid to Lender Paid and INCREASE commission is inherent in the "flip to borrower paid" structure. 

I think any regulator will see this as flying in the face of the LO Comp/Anti-steering rule because it gives the LO pricing power with discretion to decrease his or her commission. The argument goes: it benefits the borrower - which is a Safe Harbor. The main flaw in this thinking is that it doesn't consider that the inverse is also true; a loan originator could switch from borrower paid to lender paid at a higher commission. In a word - steering.

Perhaps the fact that compensation is capped at a QM level of 2.75 points as a maximum commission provides a sense of no variable compensation. 

I am not sure why this has escaped scrutiny for so long. We tell our customers that we recommend a flat commission rate based on loan amounts, not a percentage of the fee, to avoid the appearance of steering.

The problem for the industry is that the good actors who lead with their best price in compliance are having their production poached by participants who allow loan originators to adjust pricing to "get the deal." While that seems to benefit the customer by creating a competitive market, remember that the whole idea of the rule was to regulate this practice because the pricing was opaque to the consumer. The consumer has minimal knowledge of the market, rates, and pricing, while loan originators are very knowledgeable and are extremely motivated to increase their income.