Thursday, November 2, 2023

Gramm-Leach-Bliley FTC Safeguard Rules Updated 6/2023 - Regulators asking lots of questions

Changes published in 2021 went into final effect in June 2023. Now, regulators are stepping up their review.

We've been seeing the impact of the updated CyberSecurity examinations prompted by the December 2021 FTC rule revisions. Regulators are dumping massive checklists into the exam load, and most companies don't have the bandwidth to address it. It's a hefty load, but it's worth going through to establish a baseline. 

Click here for the updated rule 

Click here for the CSBS Model Examination Form for non-banks 

The word you will see the most in an examination citation is "implementation." This means that, no matter how good your model policy is, if you're not doing - or have evidence that you can do - the things the rule requires, you'll likely be cited. 

Like every good compliance program, policies and procedures are simply part of a complete IT Security Plan. There are 4 pillars of every compliance program: 

  1. a compliance officer, 
  2. policies and procedures
  3. training, and 
  4. testing/auditing. 
Most of the policies we've seen are precisely that - policies. There is very little procedure. In other words, the model form says, "We will comply," but doesn't say, "This is how we comply." This is the most significant difference between our products and those written by lawyers or compliance experts. 

Location of IT Security Questionnaire Items in 2-9 IT/CyberSecurity Plan


States Strictly Enforcing GLB Compliance

  • DC
  • Maryland
  • Massachusetts
  • Virginia
  • Texas
  • New York

Remember to add those non-policy items

  • List of hardware (investor)
  • List of software and cloud services
  • List of vendors (investors, office tech, processors, etc. )
  • Cyber Insurance Policy

Tools for Self-Training

Tools for Self-Audit

Wednesday, May 17, 2023

The problem with the flip flop - Anti- Steering and Loan Originator Comp

Broker companies are creating compensation plans with flexibility for lowering the compensation of broker loan originators by switching from lender paid to borrower paid. It appears legal, by taking the Safe Harbor of "borrower's best interests" to allow pricing discretion and reduced commission to loan originators. However, this changing commission is based on loan terms (or proxy) because it results from the change of fees. Seen this way, the practice is prohibited under the anti-steering rules. Why? Because if you can reduce pricing by switching, you can achieve the inverse, too. 

This is precisely what is happening today; loan originators go to the prospect with one price based on lender-paid fixed compensation plans. Then the prospect comes back with a competing offer and the loan originator now tries to beat it. Since it's impractical to change pricing under LO comp rules under lender paid on a case-by-case basis, they switch the pricing to borrower paid where there is flexibility to reduce the charges. Now, the compensation is in the hands of the broker-company, not the wholesale lender. This is done under the auspices of "borrower's best interests" Safe Harbor. 

It should be clear that, unless you have a loan amount-based compensation plan, the temptation to flip a borrower from Borrower Paid to Lender Paid and INCREASE commission is inherent in the "flip to borrower paid" structure. 

I think any regulator will see this as flying in the face of the LO Comp/Anti-steering rule because it gives the LO pricing power with discretion to decrease his or her commission. The argument goes; it benefits the borrower - which is a SAFE Harbor. The main flaw in this thinking is that it doesn't consider that the inverse is also true; a loan originator could switch from borrower paid to lender paid at a higher commission. In a word - steering. 

Perhaps the fact that compensation is capped at a QM level of 2.75 points as a maximum commission provides a sense of no variable compensation. 

I am not sure why this has escaped scrutiny for so long. We tell our customers that we recommend a flat commission rate based on loan amounts, not a percentage of the of the fee, to avoid the appearance of steering.

The problem for the industry is that the good actors who lead with their best price in compliance are having their production poached by participants who allow loan originators to adjust pricing to "get the deal." While that seems to benefit the customer by creating a competitive market, remember that the whole idea of the rule was to regulate this practice because the pricing was opaque to the consumer. The consumer has minimal knowledge of the market, rates, and pricing, while loan originators are very knowledgeable and are extremely motivated to increase their income.  

Monday, April 10, 2023

Are Pre-Qualifications Masquerading as Pre-Approvals Illegal? DFI Says "Yes"

DFI Says "Yes" - it's a "Misleading and Deceptive Act." CFPB calls it "deceptive."

  • "I issued a pre-approval for a buyer and the lender wouldn't do the loan, so they had to pull the contract."
  • "I've been told a pre-qualification is worthless."
  • "If I have DU approval and docs, I can do a pre-approval."

As refinance volume dwindles and the spring housing market goes into full overdrive, these good questions increase. This is a minefield for brokers. It comes down to literal definitions. And, where it previously was an ethical issue, states now will cite brokers for pre-approvals that were not backed by a lender's approval. 

From the WA DFI

A Pre-approved mortgage means approved before the property, NOT approved before underwriting. If a loan is ready to close subject to an appraisal, that is a pre-approval. As you know, AUS approval doesn't mean ready to close. Approved means you, as a banker, are prepared to lend the money. Everything else is a pre-qualification.

Consequences of Fictitious Approvals

Some regulators will cite you - as a broker with no warehouse line or funds to make a loan - for approving a loan. You can also be sued by a seller or buyer for misrepresentation if the loan is delayed due to approval issues. In this market, where people submit contracts without a financing contingency, this becomes even more worrisome. 

Specifically, buyers expose themselves to legal action if they cannot perform under a contract. Though brokers are not parties to the contract, if their representations cause the action, then they become culpable.

Do the work up-front and get the loan approved by the lender (TBD) before you send the borrower out shopping. If your lender doesn't approve loans without an appraisal (TBD), find another lender who does pre-approvals. 

There IS Value in Pre-Qualification

Incorrect use of the term "pre-approved" connotes approved, subject to underwriting approval, which is contradictory. Pre-approval actually means "approved, subject to an acceptable property." (AKA TBD approval) The real estate industry has driven this confusion by recognizing that a pre-approval is better than a pre-qualification to satisfy a seller deciding between two offers; choose one with or without approval. Agents demanding instant pre-approvals have pushed originators to call a pre-qualification a pre-approval. Without underwriting, however, this is a fabrication.

A pre-qualification can include: "We have reviewed the documents and have received an automated underwriting approval; however, the loan request is still subject to lender approval." We suggest this because even with automated underwriting, without a review of the underlying documents, changes can invalidate automated underwriting approval. For instance, if the originator uses a salary for the income when the wages are actually variable, automated underwriting results will change accordingly. 

Does this mean pre-qualifications are useless? NO! Prequalifications are very valuable, but they represent an earlier stage in the process, the first step. The pre-qualification process allows the originator to address a customer's realistic expectations for affordability. Once you address any customer issues, you can request pre-approval and submit an application for approval through a lender's underwriter. Once approved, you can send the borrower into contract negotiations with financing contingencies waived.

Furthermore, brokers should maintain loans not submitted to lenders in their "prospect" pipeline as pre-qualifications to avoid triggering reporting requirements and excess regulatory responsibilities. The fact that an applicant has triggered the requirement for a Loan Estimate does not automatically mean the loan is an "application." It can still be a pre-qualification.

Ethical or Illegal?

While this is primarily an ethical issue, not a legal one, the CFPB is focusing more on "deceptive acts and practices" and saying a loan is approved when it is not falls into this category. It does not rise to a civil legal matter until someone cannot deliver on a "pre-approval" and the loan does not close. Then the consumer, and anyone else who relied on the misrepresentation, can take action under breach of contract, fraud, etc., because they have a cause of action. Some states (such as Virginia and Washington) have mandated that the term "pre-approval" be accompanied by an actual loan offer. What that means is subject to interpretation. It is often difficult to prove misrepresentation when there is no harm - e.g. the customer doesn't take action. 

Ethically, calling a loan approved when it is not ready to close - or the conditions precedent to closing have not been stipulated in a way that could be met by a reasonable person - is a misrepresentation and a deceptive act. 

TBD - Property to Be Determined

The term TBD is the industry jargon for approved, subject to property. That is a correct term.

There is no distinction between which origination channel - e.g., retail lender or broker - that makes calling a pre-qualification a pre-approval right. It's a misrepresentation if the loan isn't ready to close as described. However, a lender who can make loans from its own proceeds certainly can "chance it" based on internal criteria knowing that a loan is "approvable" if AU is correctly applied. A broker cannot "make" a loan - they are brokers. A broker's approval "subject to" is the lender's institutional letter of approval, not the broker's. Technically and logically, a broker could expose him or herself to liability when acting as a lender when, in fact, a broker - e.g., "making loans." A case in Iowa brought this to a head when a broker failed to deliver a loan after issuing a pre-approval. 

Saturday, April 1, 2023

A Look at AML Audits - Can you Audit Without a Risk Assessment?

We deal with known risks by establishing a plan to mitigate them. In the case of AML plans for mortgage companies, we face the risk of allowing financial crimes to go undiscovered and enter the financial system through our business. 

We create compliance plans as multi-tiered tools to deal with the risk. The tiers are the four (or five, depending on your business) pillars of an AML plan 

  1. the plan itself - which identifies the risks your business encounters and how you mitigate them
  2. training - your employees learn how to identify and report red flags
  3. compliance officer - the person who implements the procedures, files reports, and ensures the activity, such as training, audits, risk assessments, etc., takes place 
  4. an audit or exam - reviews your plan, determines if it is sufficient for the risks you face, and identifies if you are following it
  5. ongoing review of accounts - if we are servicing, for instance

Static Plans DO NOT Address the Risks - Make Sure you know what they are

We conduct hundreds of AML audits, and the BIGGEST problem we see is that AML plans don't address the risks the business faces explicitly. Furthermore, the audits or tests we see focus on whether the AML plan contains arcane legal citations or reviews a sampling of closed loan files. This is not where the risk is.  

In the mortgage business, we are experts in looking for fraud - documenting sources of funds and ferreting out suspicious income and transactions. This doesn't mean that fraud and suspicious activity doesn't make it through (CoreLogic reports 1 in 131, or 0.76% of loans, are fraudulent). Still, it does mean that the MAJORITY of incidences probably aren't in the files that make it through to closing. So it makes sense to focus our efforts on loans that don't go through a complete underwriting process. 

None of the AML plans and audits we have reviewed focus on risk assessments. Hawaii is the only state we have encountered where they are requesting a specific AML risk assessment - (Bravo! Mahalo!). New York requires large-scale risk assessments of the entire operation, including AML. 

This leads me to conclude that people don't know what a risk assessment is or even why you do one. The purpose of the Risk Assessment is to look at YOUR business for areas of risk. Only then can you create a strategy to mitigate money laundering activity? 

How to Conduct a Risk Assessment?

Depending on the firm's scope, our risk assessments create a binary decision tree instead of a complex "relative risk rating" approach - e.g., low, medium, and high. We do it this way because the risk increases on an absolute basis. One red flag doesn't necessarily indicate fraud or money laundering activity; however, two levels of risk means that we should, at a minimum, document that we validated there were no red flags. We refer to this as "risk layering," where two or more inherent risks exist in a file. 

  • Higher risk components - Company-wide
    • Geography
    • Business model -
      • delegated, non-delegated, 
      • retail/wholesale, etc. 
    • Origination strategy - 
      • direct/indirect
      • relationship/transactional
  • Higher risk components - Loan Level
    • Loan Type
      • Gift Letter
      • ALT/Non-QM
      • Investment
    • Borrower Type
      • Self-employed
      • Real Estate
      • Medical
      • Cash Business
This allows us to have a methodical elevation of the review of the file. 

We do this because things that don't matter to the underwriter from an approval perspective (the loan meets guidelines) often matter for detecting and reviewing red flags. In our business, we review files for these elements, and it always surprises us how often these are overlooked. Examples include:

Deposits not needed for down payment or closing costs - the underwriter isn't concerned about whether a borrower has a $100,000 CD in one bank if he has the $20,000 he needs for closing seasoned in another account. The money has been there forever, and the account doesn't move. But does it make sense that someone who makes $60,000 a year has $100,000 stashed in an account they don't touch? Especially when they have a lot of debt? No, it doesn't. That's a SAR.

Income and Expenses from a side business - the underwriter doesn't include the borrower's side business which involves cash in the computation. He or she has enough income to qualify for the loan. The side job (documented by frequent small dollar cash deposits) is a compensating factor, and the borrower didn't need to provide tax returns because she was on salary. That makes perfect sense, except that if there is more than $5,000 of this kind of activity in the loan file (e.g., 2 months' bank statements), then that triggers a SAR report for "smurfing."

  • Focus on engagements/applications/rate quotes/pre-quals which do not complete
  • The greatest risk lies in loans or prospects not reviewed by underwriting/credit.

Tuesday, February 28, 2023

HMDA Data Reporting Process Changes - LOWER THRESHOLDS

Substantially lower reporting thresholds mean most LENDERS must report HMDA data - Implications for non-delegated correspondents

As you may be aware, a Federal District court ruling in September 2022 changed HMDA reporting thresholds. The previous lookback formula stated that if you made credit decisions on 100 mortgages in each of the previous 2 years, you were required to report in the current year. The ruling reduces the threshold for reporting based on the number of mortgages with credit decisions to 25 in each of the previous 2 years.
Section of manual describing threshold changes

Implications for Non-Delegated Correspondents

It has come to our attention that equal numbers of wholesalers do NOT report HMDA data on correspondent loans as those who do. The HMDA rules stipulate as the credit decision maker must report (in other words, the underwriter/approver), but not all companies follow this edict. Some believe that if your name is on the note, you are the lender of record, and so reporting is your responsibility. YOU MUST CHECK with each wholesaler to find our what their procedures are. If they do not report for you, and you have over 25 loans closed, you must report HMDA data. 

Retroactively Effective

Since the ruling reverses a previous regulation it now applies retroactively. If you were previously not a reporter because you made fewer than 100 loans in each of the previous 2 years, you most likely are now. If you’re a broker, you’re not making credit decisions, so this does not impact you, UNLESS you are denying loans. The CFPB has stated that it will not penalize those organizations which now must report due to the change who are now implementing the new reporting.

We have updated our HMDA Policy to reflect these changes. You may download it here:

Download Updated HMDA Policy

Insert it in your Section 2-42 of your 2-0 Compliance Module

Download Updated HMDA Policy

Wednesday, January 18, 2023

How much information can I share with a real estate agent?

As we get into a more competitive real estate environment, where all-cash offers aren't the only way for a buyer to make an offer that might be accepted by a seller, these questions surface again. Specifically, how much about a customer can we share with a listing or selling agent? 

Understanding Real Estate Agent's Role

First, understand that real estate agents, for the most part, have a fiduciary responsibility to the seller. While selling agents (who work with buyers) say they work for the buyer - and may even have the buyer brokerage disclosure or contract signed - the real estate agent is paid by the seller. So information about a customer's profile, the likelihood of getting financing, and other transactional information a loan originator may possess can be pretty valuable to a seller. 

Loan originators often pass this information out to the agent who referred them to the transaction as a way of currying favor with the agent. You must carefully monitor and limit this data flow for many reasons. For example

  • While negotiating a contract, a seller wants to obtain the highest price and net proceeds. The buyer wants the opposite. If a loan originator offers a prequalification or pre-approval letter, the seller wants to know if the buyer can afford more. The loan originator capitulates and says, "well, he can afford another $200,000 in the loan amount," the seller may counter-offer a higher amount. The buyer, however, asked for prequalification for a certain amount, and the originator's disclosure took away the buyer's leverage. 
  • While processing a transaction, the seller accepts backup contracts, perhaps more favorable than the current contract. With the information that financing is still pending or in question, the seller may act in ways that further diminish the buyer's ability to consummate the transaction to obtain a more favorable sale.
  • The loan is denied, and the seller wants to know "why?" The seller is trying to figure out if the borrower did something wrong - acted in bad faith, perpetrated fraud, or another scheme - that kept the property off the market during the financing contingency period. The seller wants to keep the buyer's deposit because they needed to actively pursue financing. 

Pre-Qualification is NOT an Approval; it's an Opinion

A buyer asks for your opinion on how much he or she can afford by asking to be prequalified. You should address that pre-qualification letter, certificate, or other documents to the prospect, not the real estate agent. Then, if the real estate agent has questions about the customer's qualifications, such as where is the money for the down payment coming from, what their monthly debts are, how they receive their income, etc., the agent should address it to the prospect. 

Prospects should be careful about what information they provide to a real estate agent because they risk exposing their Personally Identifiable Information or their Non-Public Information to identity thieves. Real estate firms generally are not regulated by entities that insist on secure data because most real estate-specific information is public knowledge. 

On the other hand, the agent will likely communicate the information to the seller in support of an offer to purchase, so a prospect may feel compelled to share more information than prudent to advance their home purchase. 

To avoid disclosing this information, a prospect should actually obtain the financing in question via a loan application, loan underwriting, and loan commitment, subject to a final property selection; a pre-approval. With this in hand, the customer does not have to provide additional documentation supporting an offer contingent on financing because the financing has already been obtained. 

How Much Can You Share?

Technically, none. Your customer has a right to limit the information you share and under what circumstances the information is shared. To share any information a prospect gives you, you should review a copy of the sales contract (offer) to see if the customer has already authorized the lender to share information on loan status. Otherwise, you should obtain authorization to release information to the agent(s) or builders; Consent to deliver loan status updates, generally. 

Loan Status vs. Personally Identifiable Information or Non-Public Information

Loan status simply details what is in and out on a loan file and provides dates when certain tasks have been performed on a transaction. This is a good example of how this information could be shared (Source: AZ Association of Realtors). There is no NPI or PII in any of this material. 

When the loan originator provides Non-Public Information or Personal Financial Information, such as credit scores, payment history, or any other information gathered during transacting business or in conjunction with a loan application, this is a clear violation of the Gramm-Leach-Bliley Privacy Act. It MAY be permissible in a situation where there is an affiliated business and the sharing of information would be NECESSARY to conduct business. 

So, NO. Don't Share Private Information

In other words, a customer may share their own information, but you, as a financial service provider, may not provide any non-public private information.