Thursday, February 27, 2014

Emailing an Appraisal

QUESTION: May I deliver an appraisal and other valuations to the applicant(s) via email, thereby reducing the waiting period required prior to closing? 

ANSWER:  In order to provide an answer to this question, many issues need to be discussed. 

By now, everyone in the mortgage industry should be aware of the new ECOA Valuations Rule which applies to all applications received on or after January 18, 2014. 

The ECOA Valuations Rule states as follows:
§1002.14: Rules on providing appraisal reports 

(a) Providing appraisals and other valuations.

(1) In general. A creditor shall provide an applicant a copy of all appraisals and other written valuations developed in connection with an application for credit that is to be secured by a first lien on a dwelling. A creditor shall provide a copy of each such appraisal or other written valuation promptly upon completion, or three business days prior to consummation of the transaction (for closed-end credit) or account opening (for open-end credit), whichever is earlier. An applicant may waive the timing requirement in this paragraph (a)(1) and agree to receive any copy at or before consummation or account opening, except where otherwise prohibited by law. Any such waiver must be obtained at least three business days prior to consummation or account opening, unless the waiver pertains solely to the applicant's receipt of a copy of an appraisal or other written valuation that contains only clerical changes from a previous version of the appraisal or other written valuation provided to the applicant three or more business days prior to consummation or account opening. If the applicant provides a waiver and the transaction is not consummated or the account is not opened, the creditor must provide these copies no later than 30 days after the creditor determines consummation will not occur or the account will not be opened.
If the appraisal is mailed to the consumer, you need to add additional time onto the three business days referenced in the statute. Conservatively, the appraisal should be placed in the mail for delivery six days prior to consummation. 

What if the appraisal is delivered electronically? May a lender use the delivery and read receipt to confirm receipt as the start of the three business day requirement?  The short answer is Yes, but there are other considerations.

§1002.14 (a) (5) states:
Copies in electronic form. The copies required by §1002.14(a)(1) may be provided to the applicant in electronic form, subject to compliance with the consumer consent and other applicable provisions of the Electronic Signatures in Global and National Commerce Act (E-Sign Act) (15 U.S.C. 7001 et seq.).
The E-Sign Act requires the applicant(s) to consent to the use of electronic signatures and records to satisfy any statute or regulation.  Prior to obtaining their consent, a financial institution must inform the applicant(s) of (a) an option to have the record made available on paper; (b) the right to withdraw consent; (c) the procedures the applicant must use to withdraw consent; (d) the procedures the applicant must follow to request a paper copy of the record and whether a fee will be charged for the copy; and (e) the hardware and software requirements for access to and retention of electronic records. 

While this seems simple enough, let’s not forget two of the general themes set forth by the CFPB: (1) emails from financial institutions containing non-public personal information (“NPI”) should be encrypted; and (2) financial institutions should adopt an information security program which protects non-public personal information.

Thus, the ECOA Valuations Rule and E-Sign Act allow for the delivery of an appraisal via email, but the email should be encrypted as there is non-public personal information contained in an appraisal.

One would think that if a financial institution has a methodology for sending secure disclosures that are full of NPI, than the same delivery method would work for delivering a copy of the appraisal.

Michael Barone
Director/Legal & Regulatory Compliance
Lenders Compliance Group

Thursday, February 20, 2014

Internet Security – Phishing Attacks

Recently, our firm came under a “phishing attack.” Our IT people fixed the problem, but we really don’t know what happens in a phishing attack. Can you explain it in layman’s terms? Also, How can we prevent this kind of cyber attack?

Phishing is the act of attempting to acquire information such as usernames, passwords,and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Today's spear-phishing attacks are highly targeted, technically sophisticated, and represent a real threat to data security.

Attackers can leverage information gleaned from social media to tailor messaging to individual targets, and can convincingly imitate legitimate senders. A successful attack compromises the target's device with malware and can be used by a criminal to gain access to the entire network - often with serious financial repercussions for the business.

It’s apparent that residential mortgage lenders and originators have non-public personal information at their fingertips and it would be disastrous to have that information in the wrong hands. 

How can you prevent phishing attacks on your computer?

You can start by avoiding and not opening emails that contain subject lines that read:

1) Invitation to connect on LinkedIn
2) Mail delivery failed: returning message to sender
3) Dear (insert bank name here) Customer
4) Important Communication
5) Undelivered Mail Returned to Sender

In sophisticated and large infrastructure environments, there is technology like firewalls and web-blockers in place that can prevent certain emails from filtering through to you, the user.

Certainly, your organization should implement an Information Security Plan. This is an extensive document that ensures regulatory compliance and contains practical, preventive steps to warding off a cyber attack.

However, in smaller, less-sophisticated environments, or even at your home network, you should be cognizant that your personal computer is the gateway to information that someone else may want. It’s imperative that you keep your PC’s anti-virus updated, and avoid suspicious emails that invite you to click on a hyperlink.

Kevin Origoni
Director/IT and Internet Security
Lenders Compliance Group

Thursday, February 13, 2014

Business Purpose and Consumer Purpose Loans

We need to know the difference between business purpose and consumer purpose loans. How do we distinguish between them and can you give us a few examples? Also, is a non-owner occupied rental property or an owner-occupied rental property considered business purpose?

There are at least five primary factors that must be considered in order to determine business purpose from consumer purpose. In general, these are:

1. The relationship of the borrower's primary occupation to the acquisition. The more closely related, the more likely it is to be business purpose.

2. The degree to which the borrower will personally manage the acquisition. The more personal involvement there is, the more likely it is to be business purpose.

3. The ratio of income from the acquisition to the total income of the borrower. The higher the ratio, the more likely it is to be business purpose.

4. The size of the transaction. The larger the transaction, the more likely it is to be business purpose.

5. The borrower's statement of purpose for the loan.

Admittedly, the foregoing criteria may seem somewhat subjective. Nevertheless, these are the five factors that should be applied in the loan origination process. (12 CFR Supplement I to Part 226, Official Staff Commentary 226.3(a)-3.i)

For examples of each, guidance is provided in Regulation Z, as follows:

Examples of business purpose include:
A. A loan to expand a business, even if it is secured by the borrower's residence or personal property.
B. A loan to improve a principal residence by putting in a business office.
C. A business account used occasionally for consumer purposes.

Examples of consumer purpose include:
A. Credit extensions by a company to its employees or agents if the loans are used for personal purposes.
B. A loan secured by a mechanic's tools to pay a child's tuition.
C. A personal account used occasionally for business purposes.
(12 CFR Supplement I to Part 226, Official Staff Commentary 226.3(a)-3.i-ii)

To your question about non-owner occupied rental property, credit extended to acquire, improve or maintain rental property (regardless of the number of units) that is not owner-occupied is deemed to be business purpose. If the owner expects to occupy the property for more than 14 days during the coming year, the property cannot be considered non-owner occupied. (12 CFR Supplement I to Part 226, Official Staff Commentary 226.3(a)-4)

There are two rules involved in determining business purpose of owner-occupied rental property. Rule 1: If credit is extended to acquire rental property that is or will be owner-occupied within the coming year, the rental property is deemed to be business purpose if it contains more than 2 housing units. Rule 2: If credit is extended to improve or maintain rental property that is or will be owner-occupied within the coming year, the rental property is deemed to be business purpose if it contains more than 4 housing units. Neither of these rules means that an extension of credit for property containing fewer than the requisite number of units is necessarily consumer purpose. In such cases, the determination of whether it is business purpose or consumer purpose should be made by considering the five factors listed above. (12 CFR Supplement I to Part 226, Official Staff Commentary 226.3(a)-5.i-ii)

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

Thursday, February 6, 2014

E-Delivery of RESPA and TILA Disclosures to Multiple Applicants

We are a lender that initially attempts to e-mail disclosures to our loan applicants. Our e-delivery system requires the applicant to consent to e-delivery before the disclosures can be opened. If the applicant responds “yes”, the disclosures are opened. If there are co-applicants and we receive consent to e-delivery from one applicant, but not the second, is that sufficient for compliance with disclosure requirements under the Real Estate Settlement Procedures Act (“RESPA”) and the Truth in Lending Act (“TILA”)?

With respect to TILA disclosures, generally, when there are multiple applicants, the disclosures may be made to any applicant “who is primarily liable on the obligation”. [12 CFR 1026.17(d)] However, when there is a right to rescind (such as a refinance), the disclosures “shall be made to each consumer who has the right to rescind”. [12 CFR 1026.17(d)] So, if the transaction is a refinance, all applicants must consent to the e-delivery in order for the lender to be in compliance.

With respect to RESPA disclosures, the answer is not as clear cut. Regulation X, the implementing regulation of RESPA, simply states that “the lender must provide the applicant with a GFE”. [12 CFR 1024.7(a)] The term “applicant” is not defined. Thus, the conservative approach is to give the GFE to each applicant, which under your delivery system, will require each applicant to consent to e-delivery before opening the documents.

Additionally, although not part of your initial questions, note that with respect to notifications under ECOA and Regulation B, in the case of multiple applicants, notifications only need to be given to one applicant, but “must be given to the primary applicant where one is readily apparent”. [12 CFR 1002.9(f)]

Joyce Pollison
Director/Legal & Regulatory Compliance
Lenders Compliance Group