Thursday, May 29, 2014

Internet Security – The Heartbleed SSL Bug

Last month I read about an Internet anomaly called the “Heartbleed SSL bug.”
When I discussed this issue with our IT support staff, we were assured that the necessary precautions had been taken in-house to protect our financial applications and our network. 

However, they mentioned that we should take precautions outside of their purview and change our passwords on all our private email accounts, services and various websites that are popular today.

Is this really necessary? 


Heartbleed (CVE-2014-0160) is a serious bug, publicly disclosed in April 2014, in OpenSSL, the open-source software library that a large share of web servers use to implement SSL/TLS. The defective code had been in OpenSSL for about two years (versions 1.0.1 through 1.0.1f; it is fixed in 1.0.1g). The flaw is not in the SSL protocol itself but in how OpenSSL handled the TLS “heartbeat” extension: a malformed heartbeat request lets anyone on the Internet read up to 64 KB of the server’s memory per request, with no authentication and, in most configurations, no trace in the server’s logs. That memory can contain other users’ passwords and session cookies, and even the server’s private key, which would let an attacker impersonate the site or decrypt traffic they had captured. SSL stands for Secure Sockets Layer (its successor is TLS, Transport Layer Security); it is the protocol that secures a transmission on the Internet.
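To make the mechanism concrete, here is an added example (not code from the original post, and not OpenSSL’s source) that models the heartbeat handling in Python. The vulnerable handler copies as many bytes as the sender’s length field claims; the patched handler applies the bounds check the OpenSSL 1.0.1g fix added (header plus declared payload plus padding must fit inside the record actually received). The “process memory” and the secrets in it are constructed for the example.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Serialize a heartbeat message: type (1 byte), payload_length (2 bytes,
    big-endian), payload, padding.  An honest peer sets claimed_len to
    len(payload); a Heartbleed attacker sets it far larger than the payload."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: echo payload_length bytes starting at the payload,
    trusting the sender-controlled header and ignoring the real record length."""
    (payload_len,) = struct.unpack(">H", memory[1:3])
    payload = memory[3:3 + payload_len]  # reads past the record into adjacent memory
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


def patched_handler(memory: bytes, record_len: int):
    """Post-fix logic: a heartbeat whose declared payload would extend beyond the
    received record is silently discarded (returns None)."""
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    payload = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


# Constructed sample: what the server process happens to hold right after the
# inbound record (data belonging to other connections, and key material).
ADJACENT_MEMORY = b"session=a1b2c3d4; user=alice&password=hunter2; -----BEGIN RSA PRIVATE KEY-----"
MALICIOUS = build_heartbeat(b"A", 0xFFFF)  # 1-byte payload, header claims 65535 bytes
HONEST = build_heartbeat(b"hello", 5)


def leaked_bytes(handler, record: bytes, adjacent: bytes) -> bytes:
    """Run handler on record||adjacent and return whatever it echoed back that
    came from beyond the end of the record (empty if nothing leaked)."""
    memory = record + adjacent
    response = handler(memory, len(record))
    if response is None:
        return b""
    (echoed_len,) = struct.unpack(">H", response[1:3])
    echoed = response[3:3 + echoed_len]
    return echoed[len(record) - 3:]  # payload bytes located past the real record


if __name__ == "__main__":
    print("vulnerable:", leaked_bytes(vulnerable_handler, MALICIOUS, ADJACENT_MEMORY))
    print("patched:   ", leaked_bytes(patched_handler, MALICIOUS, ADJACENT_MEMORY))
```

In the real bug the over-read came from a `memcpy` of `payload_length` bytes out of the OpenSSL record buffer; this model substitutes a Python slice over a bytes object, but the logic error, trusting a length the peer supplies instead of the length the transport actually delivered, is the same.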

Many major sites such as Facebook, Google, Gmail, Yahoo, Twitter, Apple, GoDaddy, Netflix, YouTube and Dropbox were affected. Most of them have since patched the flaw, but because the bug leaves no trace there is no way to know whether a password was captured before the fix, so your passwords on those sites need to be changed.

A comprehensive list of the affected sites and their reactions has been compiled and can be found at this link:

This is not a virus that is spreading, and there is no protection to install on your computer. The defect was in software running on the servers you connect to, and it was the site operators who had to patch it, replace their certificates, and revoke the old ones.

The only way to be safe is to change your passwords on every online site, and I mean all your passwords! One caveat: change a password only after the site has confirmed that it has patched the flaw and reissued its certificate; a new password entered on a still-vulnerable server can be captured just like the old one. And if you reused a password across sites, treat it as compromised everywhere it was used.

To increase your security further, and to limit the damage if a password is stolen in the future, we encourage you to use a process called “two-step verification” (also known as “two-factor authentication”) wherever it is offered. It is available on many major sites, such as Gmail, LastPass, Yahoo! Mail, Facebook, Twitter, Dropbox, Evernote, and LinkedIn. With Gmail’s version, for example, you enter your password as usual; the site then sends a one-time code to your cell phone by text message, and you complete the logon by entering that code at the prompt. A stolen password alone is then not enough to get into the account. Two-step verification would not have prevented Heartbleed’s memory disclosure, but it makes a leaked password far less useful to whoever has it.

As I noted here in an earlier FAQ on Internet Security, remember that your personal computer is the gateway to information that someone else may want.

Kevin Origoni
Director/IT and Internet Security
Lenders Compliance Group

Thursday, May 22, 2014

AML and OFAC Compliance

Our AML program has been implemented from the effective compliance date. It contains all the required elements, including the training component. Recently, a trainer told us that there is a difference between AML compliance and OFAC compliance. This stirred up quite a debate. What is the difference between AML and OFAC compliance? 

AML (Anti-Money Laundering) means precisely what its name implies: the program relating to AML is meant to identify and prevent money laundering and, by extension, abuses of our financial system by terrorists, criminals, and others involved in suspicious financial activities. The implementation of AML guidelines stems from the Bank Secrecy Act (BSA), the foundational Act of the federal anti-money laundering statutory framework. Failure to comply with BSA requirements can lead to civil monetary penalties and even criminal liability. [FFIEC Exam Manual; 18 USC §§ 981, 982, 1956, 1957, 2339A, 2339B, 2339C (2006)]

As a result of the 2001 terrorist attacks, Congress passed the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001,” better known as the “Patriot Act.” The Patriot Act amended the BSA, with respect to the statutes administered by the Office of Foreign Assets Control (OFAC) and various other federal statutes. The Patriot Act also added some provisions, such as Section 314, which facilitates the sharing of information between the government and the financial industry and within the financial industry. [USA Patriot Act, Pub. L. No. 107-56 § 352(c), 115 Stat. 272 (codified at 31 USC § 5318)]

The fact that OFAC is an office in the Treasury Department suggests its dominant role: administering and enforcing economic and trade sanctions and national security mandates including, but not limited to, those affecting financial transactions. OFAC acts under emergency powers as well as under specific authorities granted through legislation. Its powers include the imposition of controls on transactions and the freezing of assets subject to US jurisdiction. Examples are restrictions on commerce with foreign countries, targeting and averting terrorist financial activity, preventing international narcotics trafficking, monitoring persons attempting to develop weapons of mass destruction, and addressing other perceived threats to the United States.

OFAC maintains a list of targets, called the “Specially Designated Nationals” list, or “SDN” list. The list contains the names of individuals and entities, including those acting for or on behalf of sanctioned countries, whose assets are blocked and with whom persons in the United States are generally prohibited from transacting business. As is the case with AML, violations resulting from a failure to comply with OFAC’s restrictions may result in substantial civil monetary penalties and fines.

Unlike AML, OFAC does not require an entity to maintain an OFAC compliance program. Nevertheless, beware! If a violation of law occurs, the implementation of an OFAC compliance program is considered a valid mitigating factor in determining the type and amount of a penalty, if any.

Both the AML and the OFAC compliance requirements should be taken together as functionally necessary in order to protect the financial institution, maintain its safety and soundness, comply with the law, and enhance the protection of the United States. [31 USC § 5312 (2006)] It is in the interest of financial institutions to view AML and OFAC compliance as complementary. Where possible, AML and OFAC compliance should be placed with the compliance department for oversight.

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

Thursday, May 15, 2014

Incentive Plan Based on Tenure

We are a mortgage lender establishing an Employee Incentive Compensation Plan for all employees, including our loan officers, based upon the tenure of each employee with the Company. Following a six month probation period, each employee earns one share for each full month of employment with the Company. The Incentive Compensation Pool from which each employee will be paid equals 8 percent of the Company’s annual net income from profits. The value of each share (“Share Value”) will be equal to the Incentive Compensation Pool divided by the total number of employee shares earned by all eligible employees. On an annual basis, each employee will be paid an amount equal to the total number of shares earned by the employees multiplied by the Share Value.

Is this Employee Incentive Compensation Plan acceptable under the Loan Originator Compensation Rule?

With respect to Loan Officers, the Employee Incentive Compensation Plan has the potential to violate the “10 percent limit” rule.  As discussed below, the Plan should include a limitation on the amount of Incentive Compensation that may be paid to an LO who consummates more than 10 transactions in the calendar year to 10 percent of the LO’s total compensation corresponding to the calendar year for which the compensation under the Plan is paid. 

The Incentive Compensation Pool is based upon net profit earned by the company in a given year. As a general rule, an LO cannot receive compensation that is determined with reference to profits. There are some exceptions to this general rule, such as the “10 percent limit.” Because the incentive compensation is being paid out of a bonus pool established with reference to the company’s mortgage-related business profits, it is subject to the additional rules regarding non-deferred profits-based compensation. [12 CFR §1026.36(d); Official Interpretation Comment 36(d)(1)-1 and 36(d)(1)-3.ii]

Compensation may be paid to an LO under a non-deferred profits-based compensation plan provided one of the following circumstances is met:

1) Compensation paid, in the aggregate, does not exceed 10 percent of the LO’s total compensation corresponding to the time period for which the compensation under the non-deferred profits-based compensation plan is paid (the “10 percent limit”); or

2) The individual was an LO for 10 or fewer transactions consummated during the 12-month period preceding the date of the compensation determination. [12 CFR §1026.36(d)(1)(iv)]

With respect to (1) above, total compensation includes all of the LO’s wages and tips reportable for Medicare purposes. It can also include all contributions the company paid to the LO’s accounts in designated tax advantaged plans that are defined contribution plans. [12 CFR §1026.36(a)(3)]

Additionally, the cash value of any awards of merchandise, services, trips, etc., should be included. [12 CFR §1026.36(a)(3)]  You determine whether the compensation complies with the 10 percent limit by measuring the ratio of compensation subject to the 10 percent limit and the total compensation earned during the relevant time period for which you paid compensation under the plan. [Official Interpretation Comment 36(d)(1)-3.v.D.]

Consider the following example. Let’s assume Joe is an LO. Under the Plan, he is eligible to receive incentive compensation in the amount of $18,000.00. According to the parameters set forth in the Plan, the bonus pool is based on net profits for the preceding year. Let’s further assume that Joe earned $160,000, received $10,000 in contributions to a tax-advantaged defined contribution plan, and received the $18,000.00 incentive compensation, which totals $188,000.00 for the calendar year. As the incentive compensation ($18,000 of $188,000, or about 9.6 percent) does not exceed 10 percent of total compensation, it is permissible.

However, let’s assume Joe only earned $90,000, including the incentive compensation. Payment of the $18,000.00 incentive compensation would violate the 10 percent limit, as it constitutes 20 percent of the total compensation received by Joe. Of course, if Joe was the LO for 10 or fewer transactions consummated during the preceding 12 months, the payment would be permissible under exception (2) above.

The Incentive Compensation Plan should limit the amount of Incentive Compensation that may be paid to an LO who consummates more than 10 transactions in the calendar year to 10 percent of the LO’s total compensation corresponding to the calendar year for which the compensation under the Plan is paid.  

Joyce Pollison
Director/Legal & Regulatory Compliance
Lenders Compliance Group

Thursday, May 8, 2014

Prescreening and Firm Offers of Credit

I have heard that there are additional requirements imposed on a lender when it utilizes pre-screened credit data for marketing or advertising. Is this true?


Prescreening is a process by which a consumer reporting agency (viz., a credit bureau) compiles a list of consumers meeting specific credit-granting criteria provided by an institution. The list is provided to the institution for use in soliciting specific consumers for credit products.

The use of prescreened data is beneficial to an institution because it allows the institution to qualify consumers for an offer and ensure that only qualified consumers receive the offer. By way of example, a financial institution could get a list of consumers (a) with a credit score over 700; (b) with no 30-day delinquencies in the last 12 months; and (c) in a specific zip code. A list of consumers fulfilling these three criteria could not be assembled from publicly available information. While these criteria can serve as a powerful marketing tool, if an institution uses prescreened data it must make a “firm offer of credit” to all consumers whose names appear on the prescreened list. Furthermore, if the consumer accepts the offer of credit, the institution cannot, with limited exceptions, withdraw or deny the credit, even when based on new information concerning the consumer.

The guidelines set forth in the Fair Credit Reporting Act (“FCRA”), which is now enforced by the CFPB, speak to the requirements to be followed when an institution utilizes prescreened data. The FCRA permits the use of prescreened data for marketing purposes only if the institution makes a “firm offer of credit” to each consumer whose name appears on the prescreened list. Specifically, Section 604(a)(3)(A) of the FCRA permits an institution to obtain prescreened data if it intends to use the information in connection with a credit transaction involving the extension of credit to the consumer. Therefore, an institution cannot use prescreened data merely to send promotional materials.

The requirement to offer a consumer whose name appears on the prescreened list a “firm offer of credit” should not be taken lightly.  If your institution utilizes prescreened data, you must understand all of the requirements of a “firm offer of credit”.  

These requirements include, but are not limited to, offering a short form and long form opt-out notice on the offer, setting forth all collateral requirements on the offer and establishing and documenting all credit requirements before the offer is made to the consumer.

In addition, these requirements are imposed upon an institution that is using credit data, whether obtained directly from the credit bureau or through a third party lead provider. 

Michael Barone
Director/Legal & Regulatory Compliance
Lenders Compliance Group

Thursday, May 1, 2014

Compliance Management System for Mortgage Brokers

Q: I am interested in compliance services for a small broker shop. What do I need to finish the CFPB requirements and how long will it take to complete? 

Q: I am a one-person broker shop and want to make sure that I have what is necessary to comply with all rules issued by CFPB. What do I need? 

Q: I am a four-MLO company that will not likely exceed fifteen originators. I would like to have ongoing communications available to me with regard to questions that occur during our business routine to help us stay compliant. What do you recommend? 

Q: Can you review what we currently have in place and tell me if everything required is in place? 

The questions posed are actual questions from independent mortgage professionals trying to determine the requirement for brokers in this complex CFPB environment. The good news is that they are asking questions that reflect their concern over understanding what the actual requirements are.

Many brokers have decided to do nothing and take the chance that they will not be the target of any regulatory examinations or inquiries. They have totally disregarded the relatively new CFPB mandates except for the requirements that are being imposed on them by their lenders.

So what are the CFPB and State regulatory requirements?

As a former banking department regulator, I have stayed in touch with many of my colleagues presently with state banking departments and the CFPB. They all take a similar position as to what is required. The primary requirement is to develop and implement a Compliance Management System (CMS). In fact, the states are working hand in glove with the CFPB and will be coordinating their efforts to adhere to a single examination protocol. In a recent email from one of our clients, we read about a first day letter from one of the state examiners stating that part of the exam scope would include providing evidence of a CMS.

A CMS is a system that creates a culture of compliance within your company. It consists of policies and procedures, training and testing. You may say that you have all of your policies and procedures or that you do not need the consumer complaints policy and procedures because you do not receive any complaints.

The point here is that the days of dusting off a notebook full of policies and procedures and handing it to the examiner are over. There needs to be a process in place that causes you to treat policies and procedures as living documents in a continuous state of improvement and change. Examiners will question your mortgage loan originators as part of the examination process to determine if they are aware of the specific policies and procedures that are in place. Therefore, it is much more than a policy notebook. It requires training, some of which is mandatory, and periodic testing to ensure that your employees understand the policies and are adhering to them.

Compliance is also more expensive now. You need to have the mindset that you should be willing to spend on risk management services as you would on your electricity bill. And, the fact that you are a one-person shop does not relieve you of adhering to the above stated requirements. It’s like being a little bit pregnant!

So should you run out and purchase a full set of policies and procedures to get started? There is really no need to do that either. The CFPB recognizes the fact that independent mortgage professionals may not have the financial resources to meet all of the requirements up front. The key here is to be able to demonstrate that you are making a good faith effort to comply.

There are roughly twenty-five policies and procedures that cover the various subject matters, but ten or twelve of them are deemed to be essential. One way of easing the financial burden while at the same time creating a culture of compliance is to select one essential policy per month to fully implement. After six months, you will be halfway home and well on your way to building a CMS. There is little value in purchasing all of your policies at once, since you will not have the time to fully implement them.

One of the other keys to success is to associate with a group of independent subject matter experts, such as we provide in Brokers Compliance Group, so that you have a resource for all of the questions that come up in the normal course of doing business.

You can begin to build your program now or you can wait and catch up later. Remember that compliance or lack of compliance leaves a trail. The choice is yours!

Alan Cicchetti
Director/Agency Relations
Executive Director/Brokers Compliance Group