Tuesday, November 15, 2022

The Buzz on Cyber Security

Federal Rules Expand the Scope of Your Customer's Data Protection

In case you were wondering about the onslaught of regulator or investor requests for cybersecurity plans, risk assessments, and MFA certifications, it all has to do with FTC regulations passed last year that go into effect December 9, 2022. The FTC has extended the compliance deadline by 6 months, making the new deadline 6/9/2023.

eCFR :: 16 CFR Part 314 -- Standards for Safeguarding Customer Information

In a nutshell, our customers have all of the tools to meet these requirements in the 2-90 IT Security Plan. These include:

  • Employee Training
  • Risk Assessment
  • Third-Party Vendor Reviews
  • Data Breach Response and Remediation

Small companies - responsible individual

For small firms, you should assign a responsible individual who is knowledgeable about the technology aspects of your firm. They do not need to have a degree in cybersecurity. However, they should know all the firm's tech and communications infrastructure and have the capability to completely answer the cybersecurity questionnaire. If the individual is NOT able to answer the questionnaire, you MAY designate a third party, such as an IT consultant. We caution small companies against signing big contracts if the firm's technology consists mostly of leased cloud computing assets, such as LOS, document storage, and email. Even third-party apps, like online 1003s, should come with some tech support, and you can designate a 3rd party (even the vendor) specifically for those types of risks. 

Don't "Build Castles" - Use the Tools you Have

We really try to avoid creating additional work in the form of a separate workflow for compliance-related matters. That's why you should use some of the resources you already have to meet some or all of the requirements. 

  • Credit Bureau Audits - If you have the ability to pull credit reports yourself (instead of only through your investor/wholesaler directly), you likely have a credit bureau service provider. This firm is responsible for evaluating your firm (usually annually) and providing a risk assessment based on that evaluation. That should be a foundation. Review their report against the overall questionnaire to see how many items are covered.
    • By the way, bureaus are conducting these audits furiously as a part of the new rule's implementation.
  • State Certifications - keep a copy of any questionnaire you complete to assess your technology. THIS COUNTS AS AN AUDIT or RISK ASSESSMENT
  • When you sign up with a tech provider, get their SOC or ISO certification information. Use the vendor's reviews as your own.
  • When getting training, make sure you keep a copy
  • Read your policies and procedures - if they don't make sense, get a plain English translation!

Speaking of Plain English - here's our summary of the IT/Cyber Security Plan requirements that you can use as a checklist. 
New York Cybersecurity Certification

The NYSDFS Section 500 updates that went around earlier this year include the updates from the FTC's rule. The changes do not represent a departure from current best practices but memorialize the requirements in the FTC's Safeguards rule.

Remember that the certification only captures information on what you are doing. Policies and procedures should reflect this information; they don't replace your implementation. 

You can request help completing your Cybersecurity Certification here

Tuesday, November 8, 2022

The Proliferation of 1099's, Flat Fee agreements - A Warning

I've just survived a hurricane. In the resulting re-building process, I've learned one thing definitively: many people say that they can fix your problem, just give them a "deposit." In fact, that's a pretty good way to ensure you'll never hear from them again.

I see the same thing in the loan officer compensation wars currently evolving. No compliance officer or attorney worth his or her salt will authorize a non-compliant compensation plan because the risks so far outweigh any temporary benefits. However, as margins and business shrink, companies are adopting risky plans because they're likely to be out of business when the bill comes due. Unfortunately, this drives the entire market in the same direction.

Arranging compensation plans in a way that allows the company to capture a flat fee is fine. Charging a flat fee (subject to QM cost limits) to a customer is also fine. Charging a loan originator a monthly desk rental or other fee is also fine. However, netting costs from a loan officer's comp is a problem. You cannot withhold fees from an agreed-upon commission.
To be considered compliant with the "Anti-Steering Rules" you must set flat commission rates from your wholesalers across the board so the loan originator cannot increase his or her income by steering the customer to a particular product or lender. 

A common trend today involves the adjustment or reduction of a loan originator's compensation because the customer changed to/from borrower-paid compensation. You should only do this in conjunction with a "best interests" scenario, not as a matter of course. We do not know that Federal regulators will accept this as a standard practice for reducing a customer's price. 

Independent Contractors, Again

We get the question of whether a specific state will always accept loan originators paid via 1099. You must know that a state does not necessarily regulate this, though it may take a position. For example, Texas, North Carolina, and CA DFPI do mandate that loan originators must be employees, not contractors. States regulate licensing and business practices, so even though you may see a tacit acceptance of originators as 1099 contractors, this is an internal decision for each company.

To understand the consequences of 1099 contractors, understand that the IRS and the US Department of Labor define the issue of employee status. Can a loan originator really be a contractor if you control certain elements of their business? For instance, you really should require a loan originator to use your technology (laptops, phones, and networks) to avoid exposing your customers to cyber risks. If a contractor must use your equipment, are they really a contractor? In another instance of controlling the work environment, you must license a remote location or approve the use of remote access. Does this create an employee relationship? If you are offering employee benefits, such as health care, it's likely you are an employer.

For these reasons and others, any reputable compliance consultant or attorney who knows the rules will NOT recommend 1099 employment agreements. I KNOW THAT EVERYONE IS DOING IT. Furthermore, regulators have paid surprisingly little attention to this matter. In the end, what may drive your decision relative to 1099 or W-2 is the possible re-classification of your company's contractors as employees in an audit. The penalties are enormous - unpaid taxes, plus a 100% penalty, plus interest.

You CAN withhold taxes and mark the employee's W-2 as "Statutory Employee," which will allow them to deduct their business expenses on Schedule C. Alternatively, have the employee get licensed as an LLC, or even as a Sole Prop, and pay the LLC directly.
There is a sample Loan Originator Agreement in the folder you got with your 2-0 Compliance Module. You can also copy it here:
Monday, July 11, 2022

QC Requirements for Non-Delegated Correspondents

UWM, and many other wholesale lenders, comply with the Fannie Mae requirement that all third parties have a quality control plan that meets their guidelines. Among other things, this means that

  • you need to have periodic reviews, dependent on your volume, at least quarterly (See #1)
  • you report those results to management (See #1)
  • you certify that your plan meets all federal regulatory requirements (See #4)
  • your plan requires reviewers to have independence from the production process or that you use a 3rd party (See #3)
  • your scope includes the documents you are involved in producing (e.g., origination, closing) (See #2)

This means that non-delegated correspondents who are table funders must thread the needle on quality control procedures to avoid expensive and redundant reviews. So we structure the non-delegated QC plan to ensure that you meet these requirements without assuming lender responsibilities.
Quality Control Plan Showing regulatory compliance
Avoiding redundancy

We call it redundant because a requirement for a full forensic review of a loan file for a non-delegated correspondent means YOU review your LENDER'S work! The lender is already reviewing the documents that you provide. And the lender includes these loans in their own QC reviews. What is gained by conducting ANOTHER review?

While there is nothing wrong with another set of eyes looking for fraud in a loan file, the review is better spent on critical items within your loan files - specifically compliance. Did you retain everything you needed?

Independence - Internal or Third-Party Quality Control Reviews

In our products, independence is created by the use of checklists. However, not every lender or regulator believes that you can create independence this way. If you have a very small company, it's likely that the personnel tasked with reviews will also be involved in the process they review. In that circumstance, you have to hire a 3rd party reviewer.

When hiring a 3rd party reviewer, remember that YOU define the scope of the review. Do not just request a quality control review. Create a specific scope of work. For non-delegated correspondents, those requirements generally fall within the scope of the regulatory compliance review we provide in Section 6 - Post-closing Financial, Compliance, and Document Retention Review. 

These reviews cost between $100 and $200 per loan, depending on the company and your volume. If you need a referral to a good provider for these needs, please let us know, and we can make a recommendation based on your profile.

Full Scope QC Reviews or Not?

If your near-future plans include applying for Fannie Mae, Freddie Mac, or HUD approval, you should consider upgrading your Quality Control Reviews to a "full-scope" investor/agency-level quality control review. These reviews give you insight into what the lenders are looking for, and into the depth and scope of reviews at that more intense level. This review is a full forensic re-underwriting of the loan file, including re-ordering verifications, appraisals, credit, etc.

Then you can start self-reporting and compiling the monthly reports to document your preparedness for lender-level quality control reporting responsibilities.