Tuesday, November 15, 2022

The Buzz on Cyber Security

Federal Rules Expand the Scope of Your Customer's Data Protection

In case you were wondering about the onslaught of regulator or investor requests for cybersecurity plans, risk assessments, and MFA certifications, it all has to do with FTC regulations passed last year that go into effect December 9, 2022. The FTC has extended the deadline for compliance for 6 months, making the new deadline 6/9/2023.

eCFR :: 16 CFR Part 314 -- Standards for Safeguarding Customer Information

In a nutshell, our customers have all of the tools to meet these requirements in the 2-90 IT Security Plan. These include:

  • Employee Training
  • Risk Assessment
  • Third-Party Vendor Reviews
  • Data Breach Response and Remediation

Small companies - responsible individual

For small firms, you should assign a responsible individual who is knowledgeable about the technology aspects of your firm. They do not need to have a degree in cybersecurity. However, they should know all the firm's tech and communications infrastructure and have the capability to completely answer the cybersecurity questionnaire. If the individual is NOT able to answer the questionnaire, you MAY designate a third party, such as an IT consultant. We caution small companies against signing big contracts if the firm's technology consists mostly of leased cloud computing assets, such as LOS, document storage, and email. Even third-party apps, like online 1003s, should come with some tech support, and you can designate a 3rd party (even the vendor) specifically for those types of risks. 

Don't "Build Castles" - Use the Tools you Have

We really try to avoid creating additional work in the form of a separate workflow for compliance-related matters. That's why you should use some of the resources you already have to meet some or all of the requirements. 

  • Credit Bureau Audits - If you have the ability to pull credit reports yourself (instead of just through your investor/wholesaler directly) you likely have a credit bureau service provider. This firm is responsible for evaluating your firm (usually annually) and providing a risk assessment based on that evaluation. That should be a foundation. Review their report against the overall questionnaire to see how many items are covered.
    • By the way, bureaus are conducting these audits furiously as a part of the new rule's implementation
  • State Certifications - keep a copy of any questionnaire you complete to assess your technology. THIS COUNTS AS AN AUDIT or RISK ASSESSMENT
  • When you sign up with a tech provider, get their SOC or ISO certification information. Use the vendor's reviews as your own.
  • When getting training, make sure you keep a copy
  • Read your policies and procedures - if they don't make sense, get a plain English translation!

Speaking of Plain English - here's our summary of the IT/Cyber Security Plan requirements that you can use as a checklist. 

New York Cybersecurity Certification

The Section NYSDFS 500 updates that went around earlier this year include the updates from the FTC's rule. The changes do not represent a departure from current best practices but memorialize the requirements in the FTC's Safeguarding rule.

Remember that the certification only captures information on what you are doing. Policies and procedures should reflect this information; they don't replace your implementation. 

You can request help completing your Cybersecurity Certification here


Tuesday, November 8, 2022

The Proliferation of 1099's, Flat Fee agreements - A Warning

I've just survived a hurricane. In the resulting re-building process, I've learned one thing definitively; many people say that they can fix your problem - just give them a "deposit." In fact, that's a pretty good way to ensure you'll never hear from them again. 

I see the same thing in the loan officer compensation wars currently evolving. No compliance officer or attorney worth his or her salt will authorize a non-compliant compensation plan because the risks so far outweigh any temporary benefits. However, as margins and business shrinks companies are adopting risky plans because they're likely to be out of business when the bill comes due. Unfortunately, this drives the entire market in the same direction. 

When arranging compensation plans in a way that allows the company to capture a flat fee is fine. Charging a flat fee (subject to QM cost limits) to a customer is also fine. Charging a loan originator a monthly desk rental or other fee is also fine. However, netting costs from a loan officer's comp is a problem. You cannot withhold fees from an agreed-upon commission. 

To be considered compliant with the "Anti-Steering Rules" you must set flat commission rates from your wholesalers across the board so the loan originator cannot increase his or her income by steering the customer to a particular product or lender. 

A common trend today involves the adjustment or reduction of a loan originator's compensation because the customer changed to/from borrower-paid compensation. You should only do this in conjunction with a "best interests" scenario, not as a matter of course. We do not know that Federal regulators will accept this as a standard practice for reducing a customer's price. 

Independent Contractors, Again

We get the question about whether a specific state will always accept loan originators paid via 1099. You must know that a state does not necessarily regulate this, though it may take a position. For example, Texas, North Carolina, and CA DFPI do mandate that loan originators must be employees, not contractors. States regulate licensing and business practices, so even though you may see a tacit acceptance of originators as 1099 contractors, this is an internal decision for each company. 

To understand the consequences of 1099 contractors, understand that the IRS and the US Department of Labor define the issue of employee status. Can a loan originator really be a contractor if you control certain elements of their business? For instance, you really should require a loan originator to use your technology (laptops, phones, and networks) to avoid exposing your customers to cyber risks. If a contractor must use your equipment, are they really a contractor? In another instance of controlling the work environment, you must license a remote location or approve the use of remote access. Does this create an employee relationship? If you are offering employee benefits, such as health care, it's likely you are an employer.

For these reasons and others, any reputable compliance consultant or attorney who knows the rules will NOT recommend 1099 employment agreements. I KNOW THAT EVERYONE IS DOING IT. 
Furthermore, regulators have paid surprisingly little attention to this matter. In the end, what may drive your decision relative to 1099 or W-2 is the possible re-classification of your company's contractors as employees in an audit. The penalties are enormous - unpaid taxes, plus a 100% penalty, plus interest. 

You CAN withhold taxes and mark the employee's W-2 as "Statutory Employee" which will allow them to deduct their business expenses on Schedule C. Or have the employee get licensed as an LLC, or even as a Sole Prop, and pay the LLC directly. 

There is a sample Loan Originator Agreement in the folder you got with your 2-0 Compliance Module. You can also copy it here: