Enterprise-Wide Risk Assessments for Small Mortgage Companies

Small mortgage companies face the same regulatory expectations as larger institutions when it comes to identifying and managing risk. Even with one or two branches and fewer than fifty employees, regulators expect management to conduct an enterprise-wide risk assessment (EWRA) that evaluates exposures across operations, compliance, cybersecurity, and customer interactions. The EWRA provides a structured approach to documenting where risks exist, how they are controlled, and how frequently those controls are reviewed.

Risk Assessment Framework

The EWRA matrix organizes risks into categories, assigns an initial rating, lists the existing mitigation measures, records the residual rating, identifies the responsible party, and determines the review frequency.

We provide a tool to conduct your Risk Assessment internally. The idea is a four-step process: 1.) Identify Risk 2.) Risk Level (low, medium, or high) 3.) Where and how the risk is mitigated (e.g. policies/audits) and 4.) Post-mitigation risk.

• Advertising – Online or remote application gateways

  • Initial Risk: Medium

  • Mitigation: Advertising compliance checklist; social media policy review

  • Residual Risk: Low

  • Responsibility: Compliance Officer

  • Review: 12 months

• Advertising – Non-compliant advertising or social media use

  • Initial Risk: Medium

  • Mitigation: Advertising audit and officer oversight

  • Residual Risk: Low

  • Responsibility: Marketing Manager, reviewed by Compliance Officer

  • Review: 12 months

• Compliance – Failure to comply with published regulations

  • Initial Risk: High

  • Mitigation: Regulatory Compliance Management System, documented policies and procedures

  • Residual Risk: Low

  • Responsibility: Compliance Officer / Management

  • Review: 12 months

• Cyber-Security – Customer data exposure

  • Initial Risk: High

  • Mitigation: Red Flags Identity Theft program, written safeguarding policies, IT security plan

  • Residual Risk: Medium

  • Responsibility: IT Administrator or designated third-party vendor, overseen by Management

  • Review: 12 months

• Fair Lending – Credit decisioning risk

  • Initial Risk: Medium

  • Mitigation: Fair Lending Plan with monitoring and comparative file review

  • Residual Risk: Low

  • Responsibility: Underwriting Manager / Compliance Officer

  • Review: Annual

Responsibility for the EWRA

Responsibility for the risk assessment rests with management. In small companies without a board of directors, the owner, managing broker, or designated compliance officer typically prepares the matrix and maintains the record. Regulators expect management to review and approve the EWRA annually and when major changes occur, such as opening a branch or introducing a new loan product. Companies may hire a third party to conduct or validate the assessment, but if they follow the structured process outlined in Form 1-80, they can complete the EWRA internally without outside assistance.

Application for Small Companies

A small mortgage company must demonstrate that it applies this framework proportionately to its size.

• Policies such as the QC Plan, Compliance Manual, and IT Security Plan serve as the mitigation layer.

• Risk ownership is documented directly in the matrix to show who is accountable for each item.

• The EWRA is updated when products, vendors, or branch operations change.

• Documentation is reviewed during examinations to confirm the company has a process to identify and mitigate risks.

States That Require Enterprise-Wide Risk Assessments

Several states have explicit or implied EWRA requirements tied to licensing examinations. Current examples include:

• Texas – Department of Savings and Mortgage Lending (SML) requires annual EWRA documentation.

• Washington – Department of Financial Institutions (DFI) cites EWRA in examinations.

• South Carolina – Department of Consumer Affairs requires an IT-security-focused EWRA.

• New York – Department of Financial Services (DFS) requires risk assessments as part of cybersecurity compliance.

• Connecticut – Banking Department requests EWRA in mortgage company exams.

• California – Department of Financial Protection and Innovation (DFPI) includes EWRA in compliance review requests.

• Florida, Virginia, and Maryland – examiners frequently request EWRA documentation, even if it is not formally codified.

Next Steps - Conduct one NOW!

An EWRA is a core element of compliance for small mortgage companies. By documenting risks, mitigation, responsibilities, and review cycles in a structured matrix, the company demonstrates control of exposures across advertising, compliance, cybersecurity, and fair lending. Regulators expect to see this process in place, regardless of company size.

The Anti-Kickback Rule - Payment or Receipt of Non-Approved Fees

Background

With the recent spate of enforcement actions surrounding kickbacks, take the time to re-visit your explicit policies and procedures surrounding the anti-kickback rules.

12/23/2024 - CFPB Sues Real Estate Firm for Referral Fees

4/30/2015 - Updated filing shows actual money penalties by participants
1/22/2015 - Baltimore CFPB Action
St. Louis CFPB Action
Kentucky CFPB Action
Baltimore Referral Fee Lawsuit

Kickbacks are a problem because they tend to inflate the cost of a transaction.

Kickbacks tend to inflate the cost to the consumer due to the fact that someone else has to get paid for the referral. 

Prohibited - Kickbacks and Referral Fees

Section 8(a) of RESPA prohibits anyone from giving or receiving a fee, kickback, or “anything of value” pursuant to an “agreement or understanding” for the referral of business related to the purchase or financing process. The purpose of the prohibition is to protect consumers from the payment of fees when no additional work is actually performed. Kickbacks tend to increase the cost of the transaction, since the borrower will have to be charged more in order to cover the cost of the referral fee.

All personnel should avoid even the appearance of accepting or paying for non-approved services.

An “Agreement or Understanding” does not have to be a formal agreement, but can be a verbal agreement or even an agreement established through a practice, pattern, or course of conduct.

Prohibited Payment – “Anything of Value”

Payments include, but are not limited to

A “Thing of Value” Money Discounts Commissions Salaries Stock Opportunities to participate in a money-making program Special or unusual banking terms Tickets to theater or sporting events Services of all types at special rates Trips and payments of another’s expenses

Prohibited - Fee Splitting 

Fee splitting is when a service provider inflates charges and splits the excess funds with another service provider in exchange for the referral of business.  This is tantamount to a kickback and is a prohibited practice.  Service providers may attempt to circumvent this prohibition by establishing joint ventures or entering into business arrangements that allow referrals between organizations and conceal the fee splitting arrangement.

Permitted – Approved Affiliated and Controlled Business Arrangements

In some cases, there can be fee splitting or referral fees paid under what is known as an “affiliated business arrangement”.  An affiliated business arrangement is where a person who refers settlement services has an “affiliate relationship” or “an ownership interest of more than one percent in a provider of settlement services.”

The payment of reasonable fees is acceptable as long as the relationship is disclosed to the borrower and the referrer actually performs a service – or somehow adds value.  The referral service provider may NOT be a REQUIRED provider of services, such as an appraiser or credit bureau that the lender must select.  An affiliate relationship structured simply to legitimize the payment of a fee is referred to as a “sham”. Affiliates must be a “Bona Fide Provider of Services” to receive a referral fee legally.

Approval Required - Desk Rental Arrangements

Because of the level of oversight, and the potential for the payment of desk rental to masquerade as payment for a referral, all Desk Rental Arrangements must be approved in advance. Provide the following:

·         Copy of the lease/rental agreement

·         Document market value of desk rental services through Craig’s list, square footage analysis or other verifiable source

Approval Required – Joint Marketing Arrangements

Similar to a Desk Rental, partnering with referral sources to advertise or market must also be evaluated for potential conflicts and approved by management. Particularly when this relates to commercial communication, the material must also be reviewed against the Provide:

·         Any advertising agreement

·         Copy of publication or proposed media

Approval Required - Marketing Vendors

Payments to marketing vendors, such as lead generation companies, may create problems if we base the payments on anything but the lead itself.  If there is a payment conditioned upon a certain criteria or threshold, such as confirmed application, underwriting approval or closing, the arrangement may be considered illegal.  For approval provide:

• Marketing Agreement
• Fee Schedule for Leads

In addition, the agreement and vendor must be approved to ensure the vendor complies with Fair Lending, Information Security, Customer Privacy and other consumer-facing regulation.

Approval Required - Payments to Counseling Agencies

Payment for services to a non-profit agencies for counseling services performed are permitted.  Provide:

• memorandum of understanding between the lender and the non-profit agency 
• establish how payments to vendor are not based on referrals .

Required Disclosures

·         Affiliated Business Arrangement Disclosure (AfBA) – if Applicable

·         Required Provider Disclosure – From LOS

·         Approved Settlement Services Provider List

Operating Areas Affected

·         Origination - Production

·         Compliance

Penalties for Non-Compliance

Penalties for violations of the anti-kickback provision include fines of up to $10,000 and up to one year in prison.

Remote Workplace Setup and Supervision

Remote work is here to stay

As much as we have addressed operations in remote work locations through technology, the simple process of setting someone up remotely means aggregating and amalgamating pieces from a number of different areas of operation - mostly IT security - into something comprehensive. We have amalgamated policies and procedures from across a mortgage operation into a unifying element, and have provided a checklist for setting up that remote worker as a tool.

Key Point - Documentation Transfer

Paper documentation and images, the mortgage industry's lifeblood, represents the single largest risk to customers and the company. Remote workplaces, being dispersed and interconnected with private residences, can be extremely insecure places to store documents. Knowing this, we structure the remote workplace as 100% paperless. Logically, arranging for the delivery of loan file exhibits in a secure manner without paper means a secure, 2-factor authentication upload. Remember - personal email is not secure. 

Key Point - Internet of Things

In an office environment, wired network connections prevail and a smaller number of items get connected to a wireless network. In small-office, home, or remote environments, wireless devices abound. Inventory of these items and their connection to a shared internet connection where you or your employees securely connect can prevent a hacker's back door access by allowing IT departments to identify items that have been exploited. (Watch Mr. Robot to see how they get in.)

Key Point - Expectations for Work Schedule, Supervision and Duties

In a remote environment, employees can often experience "mission creep" where, because of a non-office setting, priorities, and distractions detract from the customer experience. For this reason, clear rules on work hours - logging in and out, accountability for email and phone responses, as well as consequences for time spent on personal items during work hours - get set forth at the outset.

For our customers, we have provided a sample "2-94 Remote Work Policy and Procedure" which you can use as a stand-alone to prove compliance with regulatory requirements, and insert into your 2-90 IT Security Module. This supports pandemic-related remote work, as part of a disaster recovery (see 2-97 Disaster Recovery/Business Continuity) and continuity program, and general network security plan (2-92 IT Security Plan).

North Carolina Mortgage Licensing and Examinations - What have we learned?

It should surprise no one that NCCOB - the nation's FIRST state regulator to initiate anti-predatory lending laws, and one of the first to initiate robust pre-licensing training, AND was a leader in pre-Dodd-Frank regulation - has now taken the flag as one of the most detail-oriented examiners. 

Expect an initial examination within the first 12 months of licensing. Existing licensees who have never been examined should expect one, and this normally coincides with a complaint or other inconsistency.

For those licensed in the state, NCCOB (North Carolina Commissioner of Banks) has clearly and transparently posted its expectations. Yet over and over we see brokers and lenders alike responding with surprise to examination findings and questionnaires. When we review the findings to help licensees comply we aren't surprised, just a little disappointed at what some might call willful blindness.

We have a great deal of respect for the rational approach that the regulator has taken. Nothing in the findings represent anything that brokers or lenders shouldn't be responsible for. If anything, our concern is that these problems exist elsewhere and propagate because of a lack of oversight.

Broker Fee Agreements

It's illegal to collect a fee without the customer's explicit agreement. These files show missing or incorrect broker fee agreements, or incorrectly completed lender financing agreements. The common response or argument is that the LE or CD provides the customer's tacit agreement. However, it's usually too late at that point; the information on the LE/CD should come from the financing or broker agreement.

For our customers, we devote a section of our quality control plan for correct completion and retention of financing or fee agreements.

BSA/Anti-Money Laundering Plans

We sell both stand-alone anti-money laundering plans, or better yet, QC (Quality Control) plans that identify the full set of FinCEN (FINancial Crimes Enforcement Network) identified Red Flags. Our BSA/AML (Bank Secrecy Act/Anti-Money Laundering) plans use these to identify potential SARs (Suspicious Activity Reports) for reporting.

Most people don't read them.

Otherwise, they would know that they include:

• A SAR Reporting Workflow
• A Compliance Officer (You have to put the person's name where it says "Insert Compliance Officer here")
• Initial and Periodic Training (We give this away here, or provide a checklist to ensure you have taken AML specific training as part of your Continuing Education)
• Both FinCEN and Industry Specific Red Flags

When we see a finding related to "deficient AML plans" these all fall under that category.

Missing Documents in Audit Files

Inexcusably, many files reflect missing exhibits or data reflected in reporting doesn't match loan files. THIS IS JOB ONE of a quality control plan! Time spent retrieving documents from investors, closing agents or even borrowers represents lost loan production time; wouldn't you rather spend time originating than chasing old loan file exhibits? 

This is the reason our QC Plan has a closed loan checklist. Click to download NCCOB's version here. We find it interesting that the checklist they provide bears some resemblance to the one in your plan:

1099's - Beware EVERYONE

We recently wrote an article on 1099 compensation of originators. NCCOB takes the position that originators are employees. Unless you follow the recommendations in our article, expect an issue with 1099 payments. Further, BRANCH MANAGERS ARE EMPLOYEES by definition; you can't be a contract manager. No Branch Manager 1099s. Also, you can't have branches in homes.

Contract Processors and other unlicensed entities

As above, compensating 3rd parties for work normally done by employees, such as processing, should automatically prompt you to require licensing of that individual or service.

Advertising, VA QC Requirements, NY Compliance Plan Update

We continue to update our products as we get feedback from our customers. We list the recent updates here, some of which relate to our review of materials from our Compliance VP CMS product. You will notice three themes for this series of updates:

Advertising on the Radar

Prompted by a Washington state review this past spring, advertising for particular products have come on to the Federal government's radar. The CFPB has stated its renewed interest in protecting veterans, and so has Veterans Affairs. Specifically, the question surrounds whether the way companies advertise certain programs comprises puffery or a deceptive act.

Reporting Notices of Advertising Related Findings to HUD-FHA

A company must report any notice, sanction or citation received, from any state or federal regulator, agency or investor, relating to its advertising practices as a "Notice of Material Event" through their Quality Control plan.

Advertising
We recommend that you review all advertising (even business cards, emails and social media postings) using an advertising approval checklist. Look most carefully at unsubstantiated claims, like best rate, fastest service, or lowest cost and avoid them unless you can substantiate them.

Advertising Trigger Terms
An updated checklist reviews what text or information you have to include if your advertising includes "trigger" terms.

VA Adamant about following Updated Pamphlet

Inclusion of VA Specific Requirements in Plan
The VA now uses a checklist to validate that you have included its specific quality control plan requirements in your plan. The updated pamphlet published 2/1/2019, has a listing of QC requirements, which the VA simply has memorialized in writing. We have most of this material in the QC plan, so this update references where a reviewer can find it. The only addition focuses on the use of Staff Appraiser Reviews, which doesn't really impact Post Closing QC, but which we add to the post-closing review process anyway.

New York State DFS - Again

New York State Compliance Plan
We have prepared a New York State-specific compliance plan to align with licensing application and renewal review feedback. To meet their requirements, we stripped out a lot of material they felt was extraneous. You should not exclude other elements of your compliance plan and rely solely on the DFS' explicit requirements, because we have found myriad other implicit and explicit requirements within the rules which could also result in findings.

Other Updates also available

Fraud Prevention – Red Flag Process
We inadvertently truncated the Fraud Reporting process, as it applied to possible organized crime. Or maybe an unseen hand silenced the author?

Unfair Deceptive Abusive Acts and Practices (UDAAP)
Certain investors wanted us to include CFPB definitions of unfair, deceptive and abusive acts. Reading the definitions you realize their redundancy; all UDAAP actions really tie back to the same actions. One unfortunate side-effect of so much regulation: policies and procedures that no one can follow because lawyers write them for legal action.

Can't access the links?

Members receive free access to updates. Request access through the link if it prompts you, and we will respond with authorization once verified.

In addition, we now offer the Compliance VP compliance management system for small companies.

Investor Renewals - Broker/Mini-Corr Lender lack of distinction may cause problems

My lender/investor is asking for our post-closing quality control plan and 10% audits... We are a non-delegated correspondent or broker. What now?

With the propagation of categories and levels of correspondent, including mini-correspondent, non-delegated mini-correspondent, funding non-delegated correspondent, and wholesale/broker, we see many wholesalers request quality control plan elements that do not apply to a specific business model. Specifically, lenders are asking brokers or non-delegated correspondents for agency-level post-closing reviews, including 10% random sampling, re-verification of all loan file exhibits, appraisal reviews, closing document reviews, and re-underwriting.

If you are not delegated underwriting and closing this should not apply to you.

The requirement for random sampling and post-closing reviews of loans doesn't apply if you aren't underwriting or drawing closing documents yourself. We have found that this is usually the result of a miscategorization of the originator as a lender. Explaining that this requirement is like asking the broker or correspondent to underwrite and evaluate the lender's credit decision - something the broker/correspondent had NOTHING to do with in the first place - clears this requirement.

Some wholesalers will not budge, though. This is the golden rule: He who has the gold makes the rules. In this case, evaluate how important the wholesaler is to your business. If it's a critical product or service, you may have to start conducting these reviews in order to maintain the investor. But DO NOT simply capitulate to the requirement and start a post-closing review process without ensuring that the requirement is absolute. Beyond being redundant for loans underwritten by someone else, post-closing reviews are expensive.

"Do they even review this stuff?.."

Wholesalers have been reviewing our quality control plans for years. It is important to note that many of these reviewers don't actually read an entire plan, so that if something doesn't jump off the page at them, they may mark your plan as deficient. That doesn't mean it isn't in the plan.  99.9% of the time we draft a rebuttal, we are simply citing the page numbers where the reviewer can locate the information he or she couldn't find (or didn't look for) the first time.

This also doesn't mean that we don't value the feedback. We always want to know if we have missed something, so we can include it for any of our clients who might get similar feedback. That's one of the ways our products have evolved since 1996.  It's also why we can guarantee our products' acceptability.

It's a PROCEDURE, not a POLICY

The most important thing to remember is that you want your plan to reflect PROCEDURES about how you work to catch ANY possible error. This is completely different from writing a POLICY, which simply states that you will look for various elements. For instance, a recent communication showed:

The Pre-Funding Quality Control Requirements (and where they are located in your Broker Plan):

• Quality Control is Conducted by someone other than a party to loan origination (Page 22)
• The Borrower Social Security number is re-verified on all loans (Page 14)
• Income calculations and supporting documentation are reviewed. (Page 13)
• Verbal verifications of employment are conducted (Page 20)
• Assets needed to close or meet reserve requirements are reviewed (Page 15)
• Appraisal or other property valuation is reviewed (Page 16)
• Documentation is reviewed to assure adequate mortgage insurance coverage (Page 12)
• Review loan to determine automated underwriting info is accurate (Page 18)
• Liabilities between 1003 and credit report are reconciled (Page 12)

The page numbers show where you can locate the requirement as it is addressed as part of the much more extensive documentation review.  This is the key. You can get a repurchase request or denial for an item which is not a requirement for the quality control plan. To combat this - WHILE YOU ALSO COMPLY WITH THE QC REQUIREMENT - you need a thorough system, using checklists and peer reviews.

DO NOT write a policy that states that you will simply check for these items, as it opens you up for liability for missing other elements associated with the items requested, that have not been requested to be stated in policy in writing.

Brokers: Do I Report HMDA Data?

2/28/23 Update

Significant threshold changes - much lower thresholds may impact non-delegated correspondents. 

4/6/2017 Update

As we approach the 2018 HMDA reporting window, with the wider rubric for filing requirement, we are getting many calls from brokers about preparing to become reporters. We want to reiterate that a broker business that categorizes its customers as PRE-QUALIFICATIONS until the loan is referred to an investor DOES NOT HAVE TO REPORT HMDA DATA.

1.) HMDA is an extension of ECOA, so if you are not making credit decisions, you do not report. Only the ultimate decision maker reports.
2.) Technically, brokers CANNOT make decisions because they do not have the funds available to unilaterally fund applications. 
3.) Many states sanction brokers who represent that they are lenders

Original Post From 12/5/13

As compliance season descends on the mortgage business again, we start to hear growing numbers of concerns over how a firm will comply with a nuance of a rule.  Often the concern originates with a rumor or other misinformation from a networking group or an e-mail from a service provider looking for business. With respect to brokers, you should generally avoid reporting HMDA denial data for the simple reason that BROKERS DO NOT MAKE CREDIT DECISIONS.

Among the risks you expose yourself to:

• State Regulator sanctions for acting as a lender without a lender license.
• Scrutiny from a Federal regulator regarding why ALL your loans are denied?
• Inconsistent reporting/reporting errors on other reports

NMLS Call Report - Requests Denied Applications

The idea that brokers should report HMDA data may come from the fact that the NMLS Call Report has a line item for "Denied."  However, this is not the intention of this element of call reporting:  this is to identify the "net loan volume."  (Pipeline + New Loans - Closed, Withdrawn and Denied Loans = Ending Pipeline) The denied loans, in this case, should be loans that you will never close because ALL of your wholesalers or investors have denied them.

Brokers should only put the loans which the INVESTOR has denied in this column.

NMLS Call Report - Don't include pre-qualifications you have denied.

Is It Really a Loan Until the Lender Has It?

If you are a straight broker, and not a mini-correspondent, you should define your application policy to ensure that loans which will not be sent to an investor, for whatever reason, are coded as pre-qualifications. Pre-Qualifications do not trigger HMDA Reporting.  This does not mean that you will not send GFE or other property or application related disclosures if you are actively processing the file.

According to the staff commentary in the HMDA Small Entity Compliance Guide: "2. Pre-Qualification. A pre-qualification request is a request by a prospective loan applicant (other than a request for preapproval) for a preliminary determination on whether the prospective applicant would likely qualify for credit under an institution’s standards, or for a determination on the amount of credit for which the prospective applicant would likely qualify. Some institutions evaluate pre-qualification requests through a procedure that is separate from the institution’s normal loan application process; others use the same process. In either case, Regulation C does not require an institution to report pre-qualification requests on the HMDA/LAR, even though these requests may constitute applications under Regulation B for purposes of adverse action notices." Commentary Appendix D, Supplement I

HMDA Small Entity Guide

ECOA, Fair Lending and Loan Disposition - Not to be Confused with HMDA Reporting

Due to the overlay of so many regulations, it can be easy to confuse what rule requires what actions.  You are still required to adhere to Fair Lending and Equal Credit Opportunity Act (Regulation B) guidelines with respect to providing an applicant with a disposition within 30 days.  To avoid monitoring challenges and potential violations on small pipelines use your Incomplete Application Notice on all loans.  If the customer fails to provide all of the information, you can withdraw the loan from your pipeline without any further action.  You MAY optionally send a letter noting the withdrawal.   

Avoid Being the Creditor

Under the current regulatory scheme, lenders bear the burden for credit and disclosure risks.  A correctly structured broker pre-qualification process allows for the unique opportunity to avoid many of the lender's pitfalls with respect to creditor actions.

CFPB's Complaint Line a "Targeting Tool"

The targeting of audit subjects through the use of the CFPB Complaint Portal means you need a proactive complaint resolution process

Since the Consumer Financial Protection Bureau began accepting complaints related to mortgage transactions in 2011, the industry's fears that this would simply act as a targeting mechanism have been realized. Multiple complaints, more than a single complaint, act as a red flag attracting the worst kind of scrutiny. Recent presentations by CFPB Senior Analyst Ann Thompson confirmed this. As a preventative tool, our first recommendation involves adding a daily or weekly check of state and national complaint portals by the company's compliance manager.

But it goes beyond dealing with complaints. You must take a proactive attitude. Make it easy for your customers to file a complaint with you and company management directly, before the customer elevates it to the regulator to resolve it. This means:

• Adding prominent "complaint" button on web pages
• Proactively sourcing "compliments and complaints" via promotional materials
• Asking customers "have I addressed all of your concerns today?" question in the footer of all electronic communications

In addition, have an effective process for resolving complaints once they arise. This is called a "Complaint Resolution Process"

More importantly, though, all employees need to understand they must participate in communicating to troubleshoot, document and resolve complaints.

Complaint Resolution 101

This is a problem solving business, and there is rarely a loan where absolutely everything goes as planned.

If you have our Quality Control and Compliance Modules we provide you with a Complaint Resolution Policy template. It's time to pull it out and make sure you are ready to adhere to it.

Rule # 1

LISTEN! Listen to the customers complaint. Identify what the customer's real problem is and acknowledge that it is a problem. You do not have to admit fault to show empathy.

Rule # 2

DOCUMENT! Make sure the file has been documented with correspondence and that the conversation log has been populated. Complete a complaint report and deliver it to the manager for review.

Rule # 3

RESOLVE and close the complaint. Based on the manager's determination, diary your Outlook Calendar to follow up with the customer and ascertain that the problem was handled. Not every customer will be happy, but if you are responsive, the customer will not automatically elevate the complaint.

Sample Complaint Resolution Policy - Request a Free One

State Examinations - AML/BSA Compliance - Self-Audit Checklist to Ensure Compliance

The Anti-Money Laundering rule (AML) implemented by the Bank Secrecy Act (BSA) creates many questions for lenders and brokers. We know that state examiners focus on a number of specific issues. A recent spate of calls reveals that New York, Indiana, Texas and Pennsylvania have questionnaires and examiners that ask pointed questions about the AML/BSA compliance program for mortgage originators.  To ensure that you are hitting all of the requirements we have compiled a self-audit checklist for you to use to evaluate and collect data.  You should run through this checklist annually.

Use the BSA/AML Self-Audit Checklist for mortgage originators, to ensure you keep all of the information needed for an examination.  Members may download the original form for customization from http://www.mortgagepolicymanual.com/updates-and-downloads.html or mortgagemanuals.com/updatesanddownloads.htm

Compliance Officer Training

New York's examination findings sometimes cite a recommendation for the compliance officer to have training.  The FinCEN rule requires training, but does not say that it must come from a certified 3rd party.  FinCEN offers training on its website, and many compliance providers provide training for a fee. Familiarity with the rule - actually reading your policy - also counts as training.

Here is a video that instructs the Compliance Officer how to register for the FinCEN portal to report SARs

Quality Control and AML

We do not recommend that firms maintain a separate Anti-Money Laundering Plan, but rather that they integrate the AML process with their Quality Control function.  After all, FinCEN wrote the AML rule as a fraud detection/reporting requirement, and that is exactly what the quality control plan should do.  As a consequence, make sure your quality control plan has a robust red flag feature.

Register for the Portal

Your plan loses credibility if your compliance officer isn't even registered with the FinCEN portal.  It implies that you have no intention of participating in the program.  This simple fix will eliminate many citations.

Brokers Don't Approve Loans, so do not deny them - Either action is a credit decision

Is it an App? Don't Assume Excess Regulatory Responsibilities - treat all inquiries as pre-qualifications. Every pre-qualification should show what is possible, not whether you can get a loan. 

The use of the 1003 form confuses the question, particularly for brokers

The 2/14/17 Mortgage Call Report (MCR) prompted a waterfall of questions. Many of these questions center on which loans get reported. The confusion surrounds the phraseology of the MCR instructions, which seem contradictory. At the heart of the matter: Is it an application or something else? Another point became clear; people aren't using their LOS the way they should in preparing their submissions. Take the time now to learn how to generate custom reports that you can use to complete the reports. 

One point we repeatedly try to make to industry participants - don't add to your regulatory burden by including prospects to your reporting pipeline. In the case of the Quarterly Call Report, you have to report your application activity. Here's the ambiguity; what does application mean?

According to call report documentation, an application is 1.) an oral or written request for extension of credit on a residential property. Clearly, then, an application is a request for credit. If your company policy allows verbal applications, or defines any other application methodology, including the 1003 Uniform Residential Loan Application, then that becomes a report-able application. Most companies defer to the 1003 date as the application date, whether the date completed by the originator or the date signed by the customer.

So is a rate inquiry or pre-qualification request an application? According to the NMLS' instructions, (#2) inquiries or pre-qualification requests which result in denial are treated as simultaneous application and denial. But that doesn't make any sense, because a pre-qualification simply is a discussion of available products - it CAN'T be denied, because it's not a request for anything. EVEN IF THE BORROWER AUTHORIZES A CREDIT REPORT, there is no request for a credit decision. The instructions force the lender to make the jump from pre-qualification to application. But this is a big jump for the lender to make. A pre-qualification request would never result in a loan approval, so why would it result in a denial. It's not a request for credit, it's a request for an eligibility determination.

Limit your use of 1003 as the tool to collect information - use a Pre-Application process

Lenders should pay close attention to how they define application within their own policies. This impacts HMDA, ECOA, and disclosures in addition to the MCR reporting information. By developing defined application paths which segregate inquiries from applications, you close many loopholes and tripwires which could result in under reporting. This also means that deciding to complete a 1003 for an applicant takes on new significance; someone who has signed a 1003 is no longer a prospect.

Brokers should carefully consider how their prospects convert to applications. As a pre-qualification inquirer, a prospect doesn't receive disclosures - there's no property address and no credit decision. This perfectly reflects the organizational capabilities of a mortgage broker. Taking applications using a 1003 form should be reserved for the customer who has found a property and is proceeding with a loan the broker has registered with a wholesale investor. This process eliminates all of the confusion about who is responsible for disclosures, as the wholesaler will send the LE and ancillary disclosures at registration, eliminating the possibility of incorrect disclosures resulting in a rejection.

A "Pre-Application" allows you to collect information necessary for a pre-qualification without creating a credit request.

Both lender and broker can benefit from a defined "pre-application" process. The gray area of inquiry no longer exists when the status is Application Not Taken Yet. This also allows the company to completely validate a customer's eligibility, prior to assuming a regulatory or reporting burden.

More on MCR and HMDA Reporting - Brokers don't deny loans

If you are not a creditor, you cannot approve a loan. By the same token, if you cannot approve a loan then you cannot deny it, either. Brokers who complete a 1003 form should dispose of that application within 30 days through the incomplete application process or customer withdrawal. A broker will never report a denial, merely withdrawals and cancellations.

To ensure you do this correctly, look at your complete application checklist, also known as the items needed worksheet. Does it have a date by which the customer must respond? If not, you need to change the form to add a date field; code that field to reflect 30 days from the date of application. You can automatically withdraw the loan if the customer doesn't respond. If the customer does provide documentation, but that documentation doesn't meet the guidelines of a program, or what was requested, you can respond with a cancellation or termination due to incomplete information. If the information does meet the requirements and an application was completed, forward the case on to the underwriter. If the rate that the borrower wanted no longer exists, advise the customer and withdraw the request.

The paradigm; don't take on regulatory duties that exceed the scope of your duties.

Checklists - The Ultimate Independent Audit

Checklists are foundational quality control elements and can improve process efficiency and identify problem areas. But bad checklist practices can create more problems than they potentially solve.

If you have spent any time in the industry, you have seen checklists of one fashion or another. In mortgage banking, where there are literally 3,000 quality control checks in a single loan file, it's hard to conceive how any individual - new initiate or seasoned pro - could keep all of the elements in mind while reviewing a loan file. So, naturally, some sort of job aid evolves in every workplace. We need to applaud those who develop these tools because they have so many overlapping beneficial purposes and uses. But while even a bad checklist or form can solve some problems, companies don't realize their full benefits unless they use one designed to capture all purposes and work within the flow of a particular function's duties.

Independence

The insistence on independence in the review process comes from the idea that 1.) you are too close to your own work to review it and 2.) you are pre-disposed to cover up any errors you make, so these preclude you from auditing your own work. However, if honestly adhered to, checklists can create independence. Checklists don't fudge reports, or have a bad day and miss things they ordinarily wouldn't. So you don't have to hire a 3rd party auditor to obtain independence. You just need a good checklist.

Consistency

By using a single checklist across your platform, many of the misunderstandings and inefficiencies get eliminated because everyone works through the same form. No surprises!

Checklist Design Best Practices

In designing a checklist, think about the process or documents you use the checklist to review. Key principles in this process

1. You may use the review data again; more than just as a checklist for a processor, for example. You need a format that you can easily break up and re-integrate. Although you can get nicer formatting through Word, you can more easily access and manipulate data in Excel. A worksheet that will be used as a training tool, that contains manual calculations, or handwritten notes for one time use, lends itself to Word formatting. An audit checklist, which you use for extracting missing or erroneous items from a long list, lends itself to Excel formatting, so you can export the information into your LOS or aggregate into reports.
2. You can use prompts within the descriptive fields as a decision tree. For example If>then statements, or by identifying specific guideline triggers such as $____ > $, then... This level of detail allows you to aggregate the descriptive information in any report. This is one of those areas where you can get more bang for your buck from the process by understanding the different ways you can use the information garnered through the checklist review.
3. Organize the form in a way that a reviewer would rationally progress through the file. For instance, in a cross check of property address, rather than having the reviewer stop and browse through application, contract, W-2 and paystub, appraisal, survey and any other address bearing exhibit, review each exhibit one time, coming back to confirm information. Awkward checklists that make the user bounce around the file or the form don't get used and create more mistakes than errors they solve.
4. MAKE SURE BINARY CHOICES ALWAYS ADDRESS THE SAME POSITIVE OR NEGATIVE CONTEXT!! One of the most common faux pas on a checklist is having a yes/no box, but the yes or no have different meanings. This makes the reviewer have to review the entire checklist item again when recording findings. Phrase checklist elements to only flag a check if an item is wrong, or for a no flag to indicate non-compliance. For instance, don't have one question saying "is the earnest money deposit check cleared?" which a yes would be a non-finding; the next question shouldn't be "is there any evidence that the property is not owner occupied?" where no is a non finding. 
5. COMPRESS! While this can be taken to extremes (I have been guilty of this; trying to get it all on ONE PAGE!), do pay some attention to not making forms excessively long. AT A MINIMUM, on a multi-page form, try to insert page breaks when the context or content changes; again, keeping the reviewer from bouncing between pages.  (The one at left turns into a 10 page pre-funding review because of white space and inattention to compression.) 
6. WHITE SPACE can be useful, but having white space simply because of a long descriptor makes for a very long form. This is the kind of thing the government would do.
7. Multiple versions of the same checklist. We often see multiple varieties of a single checklist used for different types of loans. This multiplies the likelihood that a checklist won't get updated when there is an across the board change. Most frequently this appears in underwriting checklists, but elsewhere as well, when you have a different checklist for FHA/VA/Jumbo Investor/MI and other specs which vary slightly. In cases where the bulk of the checklist (up to 50% or more) consists of items reviewed on every loan, you shouldn't create separate versions of checklists in this way, but should work to create dropdown lists which highlight the specific investor guidelines.

These Checklists ARE Audits!

For those who want to evaluate their procedures and learn how their businesses could run better, the results of these reviews, properly imported into the LOS or database, show us where we make repetitive errors, where we miss things our partners pick up, and which individuals most effectively perform their functions. 

In the end, embrace the idea that you constantly edit your forms and checklists. "Perfect is the enemy of good." We designed our templates with that in mind; you can use them to track changes in your business, investor or wholesaler requirements, and regulatory changes. We have found that it is possible to close a loan without conditions by anticipating every possible requirement. Imagine how much time you would have left to originate new business if you weren't chasing conditions after the fact?

 

Wasted Days and Wasted Nights - Broker/Mini-Corr QC Audits Misunderstood

Many brokers and mini-correspondents spend unnecessary money and time on QC Audits that aren't required

How to Use Checklists and Investor Underwriting to Implement Your QC Plan

The problem becomes more pronounced when brokers transition to mini-correspondent or non-delegated lender status. Lending partners, investors and other providers apply the same requirements for these transitional business models as they do for fully delegated mortgage bankers. The result: Your scope for auditing loans includes auditing the lending partner's work. The ultimate lender holds the responsibility for conducting these audits, which doesn't mean that non-delegated correspondents don't conduct audits, but need to limit the scope of audits to the work actually performed. 

The question is: What is the scope of the non-delegated correspondent/lender's audit? That depends on the roles the institution performs, not the name or industry moniker. You must take care in explaining these roles, as part of the confusion comes from the fact that table-funders like to represent themselves as lenders to the public; it connotes a greater sense of institutional fortitude. However, when this representation carries into its dealings with lending partners, the lender label adds those unnecessary functions. 

Understanding Which Functions Require Audit

Image 1 - Lenders carry additional audit responsibilities if they take on actual underwriting and closing functions, and those are not performed by proxy, such as delegated closing agents, or any pre-funding underwrite.

Image 2- 1.) Delegated Lenders perform random selection reviews on a percentage of all production. 2.) Everyone must conduct pre-funding reviews, and lender reviews of a non-delegated 

Delegated Lenders conduct Post-Closing Random Audits - Non-Delegated Do Not!

How to Create Quality Control Reports Without Using a Third Party Auditor

Checklists are foundational quality control elements and can improve process efficiency and identify problem areas. But bad checklist practices can create more problems than they potentially solve.

If you have spent any time in the industry, you have seen checklists of one fashion or another. In mortgage banking, where there are literally 3,000 quality control checks in a single loan file, it's hard to conceive how any individual - new initiate or seasoned pro - could keep all of the elements in mind while reviewing a loan file. So, naturally, some sort of job aid evolves in every workplace. We need to applaud those who develop these tools because they have so many overlapping beneficial purposes and uses. But while even a bad checklist or form can solve some problems, companies don't realize their full benefits unless they use one designed to capture all purposes and work within the flow of a particular function's duties. 

Independence - At the Core of Auditing

The insistence on independence in the review process comes from the idea that 1.) you are too close to your own work to review it and 2.) you are pre-disposed to cover up any errors you make, so these preclude you from auditing your own work. However, if honestly adhered to, checklists can create independence. Checklists don't fudge reports, or have a bad day and miss things they ordinarily wouldn't. So you don't have to hire a 3rd party auditor to obtain independence. You just need a good checklist. 

Consistency

By using a single checklist across your platform, many of the misunderstandings and inefficiencies get eliminated because everyone works through the same form. No surprises!

Checklist Design Best Practices

In designing a checklist, think about the process or documents you use the checklist to review. Key principles in this process

1. You may use the review data again; more than just as a checklist for a processor, for example. You need a format that you can easily break up and re-integrate. Although you can get nicer formatting through Word, you can more easily access and manipulate data in Excel. A worksheet that will be used as a training tool, that contains manual calculations, or handwritten notes for one time use, lends itself to Word formatting. An audit checklist, which you use for extracting missing or erroneous items from a long list, lends itself to Excel formatting, so you can export the information into your LOS or aggregate into reports.
2. You can use prompts within the descriptive fields as a decision tree. For example If>then statements, or by identifying specific guideline triggers such as $____ > $, then... This level of detail allows you to aggregate the descriptive information in any report. This is one of those areas where you can get more bang for your buck from the process by understanding the different ways you can use the information garnered through the checklist review. 
3. Organize the form in a way that a reviewer would rationally progress through the file. For instance, in a cross check of property address, rather than having the reviewer stop and browse through application, contract, W-2 and paystub, appraisal, survey and any other address bearing exhibit, review each exhibit one time, coming back to confirm information. Awkward checklists that make the user bounce around the file or the form don't get used and create more mistakes than errors they solve.
4. MAKE SURE BINARY CHOICES ALWAYS ADDRESS THE SAME POSITIVE OR NEGATIVE CONTEXT!! One of the most common faux pas on a checklist is having a yes/no box, but the yes or no have different meanings. This makes the reviewer have to review the entire checklist item again when recording findings. Phrase checklist elements to only flag a check if an item is wrong, or for a no flag to indicate non-compliance. For instance, don't have one question saying "is the earnest money deposit check cleared?" which a yes would be a non-finding; the next question shouldn't be "is there any evidence that the property is not owner occupied?" where no is a non finding.
5. COMPRESS! While this can be taken to extremes (I have been guilty of this; trying to get it all on ONE PAGE!), do pay some attention to not making forms excessively long. AT A MINIMUM, on a multi-page form, try to insert page breaks when the context or content changes; again, keeping the reviewer from bouncing between pages.  (The one at left turns into a 10 page pre-funding review because of white space and inattention to compression.)
6. WHITE SPACE can be useful, but having white space simply because of a long descriptor makes for a very long form. This is the kind of thing the government would do.
7. Multiple versions of the same checklist. We often see multiple varieties of a single checklist used for different types of loans. This multiplies the likelihood that a checklist won't get updated when there is an across the board change. Most frequently this appears in underwriting checklists, but elsewhere as well, when you have a different checklist for FHA/VA/Jumbo Investor/MI and other specs which vary slightly. In cases where the bulk of the checklist (up to 50% or more) consists of items reviewed on every loan, you shouldn't create separate versions of checklists in this way, but should work to create dropdown lists which highlight the specific investor guidelines. 

Adding This Information to your LOS to Create Your QC Report

Most LOS' have the ability to record "conditions" or other items stipulated by the underwriter. A common error we see involves the individual taking the conditions resulting from an underwriting or closing prep review and typing them into a separate e-mail to the customer or other party for assistance in resolving. You have accomplished one goal - communicating the information to the customer - but you have no record of that. 

Step 1: Record the Data in the LOS

Instead of this two-step process, record the conditions in the LOS and use that data to generate a customer notification. Then, as the documents come in, mark the date received and the date satisfied. This forms the foundation of the quality control report. 

Step 2: Identify Items as Critical/Clerical/Compliance

Critical items include things that could potentially cause the loan not to close. These items get referred to as "suspense" items, potential fraud, or general mis-qualification.  These critical defects should have a target rate of "0". 

Clerical items include missing documents, errors that require explanation or correction, and checklist items not critical to loan approval, but that complete the documentation requirement

Compliance items could potentially cause the loan not to close. These compliance items can reveal repetitive system error.

Step 3: Evaluate your Defect Rate

Your defect rate has two components. Gross defects include the total number of defects in each category. Net defects reflect the number of defects AFTER you have made all corrections or resolved each issue. 

Once you start collecting data, you will start to see the trends, and can identify an average defect rate for each category. Without making any adjustments to your system, you will use this average defect rate as your target defect rate. However, if you recognize that your Gross Defects are too high, you can initiate a correction in your process, and then compare your defect rates month over month to determine whether any changes you made to process. In addition, these numbers become your quality control report, whether monthly, quarterly or annually.

Reverse Mortgages and UDAAP - Can a disclosure fix it?

How do we solve customer notification issues?

In the wake of TRID and its hegemony over the compliance discussion, several high profile compliance issues get overlooked. One of these came up in a recent examination of a Massachusetts client challenged to provide its Reverse Mortgage procedures specifically with respect to ensuring the customer received sufficient information to make an informed decision. We categorize this type of risk in the category of Unfair, Deceptive and Abusive Acts and Practices. (UDAAP)

Traditionally, we ensure we don't run into trouble with predatory-type practices through the use of informational disclosures. We used this approach to design the solution for our client. The regulator wanted to know how we made sure the customer received specific information. Our only choices was to provide an informational document. It surprised me that there was no standardized disclosure, but we simply took the regulator's requirements and extracted them into a single page disclosure.

The regulator's site describes requirements. In the audit, the regulator simply asked "How do you inform customer of who to call with complaints?"

We designed a disclosure which described the requirements for reverse mortgages in the states the client conducted business. 

Is a disclosure enough?

Ironically, GFE reform, and now TRID, took disclosure as a cure for deceptive acts off the table. Now, rules extend to the content of the disclosure and the measurement of the final terms as a cure. Will this regulatory cure extend to programs like the Reverse Mortgage, where so much elder abuse takes place? Ultimately, the regulation of the loan type, the customer's proof of understanding, such as the completion of a course in the product, now fills that need. Perhaps the customer also needs to be quizzed on the terms of the product for our own assurance of understanding.

4000.1 Revisions Making Your Teeth and Hair Hurt?

Please be calm - the changes are mostly cosmetic

As we reported earlier, there should be no real surprises in the 9/14/2015 4000.1 release. The only area that seemed to cause some alarm related to the pre-closing audit rigor. If you are a Quality Control Plan customer of ours, you know that we have ALWAYS recommended this as a standard process.

Then you have to parse the guidance to understand the percentages, To reiterate:

10% of all production gets audited
10% of all AUDITS must be pre-closing/in-process audited

If you originate 100 loans, you must audit 10 (in addition to ensuring that you capture all sources in an audit cycle). Of that 10, 1 may be a pre-closing/in-process random audit. It seems like chicken and egg, but you have to look back at your total audit percentages to make the determination that you have conducted enough pre-closing/in-process audits.

Here is a sample policy that addresses 4000.1 Requirements for your QC Plan.

1-19-1 QC HUD 4000.1 Requirements

The requirements listed in Quality Control Plan requirements are referenced below as to how we comply in our procedures.

In general, the 9/14/2016 Update to the HUD/FHA Single Family Handbook re-organized standards into a new format referred to as the 4000.1 Revision. Although HUD’s requirements for quality control did not change substantively, the new policy manual opens QC reviews to a broader definition, by referring the examiner back to the Underwriting or Delivery requirements. Single elements no longer get addressed as minutiae, rather the entire guide is incorporated by reference.

A reiteration of HUD/FHA QC Review Area. This shows with some clarity that the scope and scale of "In-Process/Pre-Closing Review" is the same as the Post-Closing Review.

1-19-2 Referrals for Elements Specified in HUD 4000.1

We have located specific elements queried by examiners in the QC Plan for ease of reference.

4000.1 Section	Requirement	Location in QC Plan
A.3.a iv(A)	Sampling Methodology	1-22 QC DEL – Loan Selection Methodology and 1-23 QC DEL - Loan Sampling/Selection Procedure
A.3.a i(A)	Pre-closing reviews	1-20-1 In-Process Quality Control Audit 1-40 QC DEL – In Process Loan Level Quality Control Review Process
A.3.a i(C)	Early Payment Default (EPD) reviews	1-22-2 Early Payment Default

1-19-21 Terminology – Pre-Funding, Pre-Closing and In-Process Reviews

Please note that terminology may vary with all of the variation between industry standards regarding the Pre-Closing, Pre-Funding and In-Process reviews.

The terminology is so close as to cause confusion among lenders and reviewers.

·         Pre-Funding reviews refer to the review of Loan Quality Initiative and similar fraud detection elements conducted on EVERY loan before it closes.

·         Pre-Closing/In-Process reviews refer to the concealed selection of individual loans in process to identify potential fraud within the production process.

·         10% of ALL audited loans should be sampled. Example: If you fund 100 loans, 10 total loans should be audited and 1 should be pre-closing audited.

·         Loans PRE-CLOSING AUDITED do NOT have to be re-audited post-closing and count toward the 10% of ALL LOANS audited.

·         The ONLY DIFFERENCE between the pre-closing and post-closing audit is that the reviewer does NOT HAVE TO WAIT for re-verifications to come in. We still request third party verifications, but we do not have to wait to close the loan.

·         Post-Closing Audit is the full scope audit conducted by lenders and delegated correspondents. 

Unlike Pre-Closing/In-Process Audits, Post-Closing Audits MUST WAIT for Third Party Verifications before completing review.

MortgageManuals.com customers may download the update here.  If your numeration doesn't match the items shown here, you have missed the past updates and need to request a complete update