Thursday, December 29, 2016

Reverse Occupancy

As a result of an internal audit, we just found out about two reverse occupancies. It turns out that our investors were already aware of this happening and were about to send us repurchase requests. We received the repurchase requests and it seems we have no way out but to do the repurchases. What could we have done to prevent this from happening in the first place?

To some extent, this situation can be avoided. However, when it comes to mortgage fraud, nothing is foolproof. A “reverse occupancy” occurs where a borrower buys a home as an investment property and lists rent proceeds as income in order to qualify for the mortgage, but instead of renting the home the borrower occupies the home as a primary residence.

Typically, these schemes have certain markers. Here are the most salient:
  • Subject properties are sold as investment properties;
  • Purchasers are first time home buyers with minimal or no established credit;
  • Purchasers have low income but significant liquid assets that are authenticated by bank statements;
  • Purchasers make large down payments;
  • The appraisal has a comparable rent schedule (to show expected rental income from the subject property);
  • Purchasers present “rent free” letters stating they are not paying rent to live in their primary residence;
  • Ethnic commonality among the purchasers and other parties to the transaction; and
  • Transactions occurring in a specific geographic location. 

Just because one or more of these are present in a mortgage loan transaction does not necessarily mean that the transaction is a reverse occupancy scheme.

If the financial institution is going to prevent this type of mortgage fraud, the best approach is to ensure prudent origination, processing, and underwriting practices, with an emphasis on “Red Flags” that may occur in the loan documents. For instance, closely reviewing liquid assets as compared to income and the source of qualifying income can identify a potential reverse occupancy scheme. I would further recommend that training be given not only to the operations staff but also to loan officers. In our training on Identity Theft Prevention and Anti-Money Laundering – such training being statutorily required of financial institutions – we discuss many Red Flags.

Ultimately, if this kind of mortgage fraud is to be prevented, the following initiatives would be advisable:
  • Periodically conduct vendor compliance procedures of third-party originators
  • Train, Train, and Train, either through in-source or out-source
  • Establish a “Zero Tolerance” policy for preventing mortgage fraud
  • Share information through sales and operations meetings
  • Report all suspicious activity through established channels
  • Perform a quarterly audit of loan transactions of investment properties
  • Ensure that quality control does audits for investment property transactions 

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

Thursday, December 22, 2016

Documentation for a UDAAP Exam

Thank you for these weekly FAQs! My staff and I find them very informative. I am with the compliance department of a bank. We offer a full range of loan and savings products. We are preparing for a regulatory examination that will include UDAAP compliance. I was hoping you could let us know some review areas that we should include in our risk assessment. Specifically, what documentation should we be reviewing for our UDAAP risk assessment?

We appreciate your kind words about our weekly FAQs. We receive many questions and try to choose the ones that may be broad enough for our large readership. Thank you for submitting your question!

Preparing a risk assessment for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) requires a great deal of focus not only on the material subject to review but also a concerted effort by all stakeholders. I have written extensively on UDAAP, most recently in connection with advertising compliance. You might want to read my eBook on advertising compliance (viz., visit our website), which includes a discussion on UDAAP.

Generally, there are four examination areas that regulators seek to audit. The examiner wants to determine whether the financial institution:
  1. Avoids unfairness, deception, and abuse in the context of offering and providing consumer financial products and services;
  2. Assesses the risk of its practices being unfair, deceptive, or abusive;
  3. Identifies unfair, deceptive or abusive acts or practices; and
  4. Understands the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection statutes.

A risk assessment of the financial institution should take into account its marketing programs, product and service mix, customer base, and other factors, as appropriate. This risk assessment is extensive. In responding to the posed question, only the aspects involving certain documentation are provided here. For more information, review the CFPB’s Examination Manual on UDAAP.

The following is a list of documentation areas that should be compiled and reviewed for the purposes of a UDAAP risk assessment:
  • Training materials.
  • Lists of products and services, including descriptions, fee structure, disclosures, notices, agreements, and periodic and account statements.
  • Procedure manuals and written policies, including those for servicing and collections.
  • Minutes of the meetings of the Board of Directors and of management committees, including those related to compliance.
  • Internal control monitoring and auditing materials.
  • Compensation arrangements, including incentive programs for employees and third parties.
  • Documentation related to new product development, including relevant meeting minutes of Board of Directors, and of compliance and new product committees.
  • Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising).
  • Scripts and recorded calls for telemarketing and collections.
  • Organizational charts, including those related to affiliate relationships and work processes.
  • Agreements with affiliates and third parties that interact with consumers on behalf of the entity.
  • Consumer complaint files.
  • Documentation related to software development and testing, as applicable. 

Jonathan Foxx
Managing Director 
Lenders Compliance Group

Thursday, December 15, 2016

Do Not Call for Multiplatform Institutions

We are a large mortgage banker with several origination platforms, a servicing entity, and a few affiliates. Recently, we were cited for a violation of the Telemarketing Sales Rule as a result of not complying with the Do Not Call rules. How do these rules apply across our origination platforms?

Financial institutions with multiple origination platforms, including their servicing units, are particularly vulnerable to Do Not Call violations. Years ago, in 1995, the original Telemarketing Sales Rule (“TSR”) contained a provision that prohibited calls to any consumer who previously asked not to get calls from or on behalf of a particular seller. Amendments to the TSR since then retain that provision, but now also prohibit calls to any numbers consumers have placed on the National Do Not Call Registry maintained by the Federal Trade Commission (FTC).

The FTC amended the TSR in 2003, 2008, 2010 and 2015. Like the original TSR issued in 1995, the amended Rule gives effect to the Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFPA).

The multiplatform vulnerability to TSR violations often occurs due to violations of the so-called “Entity-Specific Do Not Call Provision.” According to this provision, it is a TSR violation to call any consumer who has asked not to be called again. This means that a telemarketer may not call a consumer who previously has asked not to receive any more calls from or on behalf of a particular seller (or charitable organization). It also is a TSR violation for a seller that has been asked by a consumer not to call again to cause a telemarketer to call that consumer.

Sellers and telemarketers are responsible for maintaining their own individual Do Not Call lists of consumers who have asked not to receive calls placed by, or on behalf of, a particular seller. Calling a consumer who has asked not to be called potentially exposes a seller and telemarketer to a civil penalty of $40,000 for each violation.

But what if a consumer asks a specific division of a corporation not to call?

Does a call from a different division violate the TSR?

Distinct corporate divisions generally are considered separate sellers under the TSR. Factors relevant to determining whether distinct divisions of a single corporation are treated as separate sellers include, but are not limited to, whether there is substantial diversity between the operational structure of the divisions and whether the goods or services sold by the divisions are substantially different from each other.

If a consumer tells one division of a company not to call again, a distinct corporate division of the same company may make another telemarketing call to that consumer. Nevertheless, a single seller without distinct corporate divisions may not call again, even if the seller is offering a different good or service for sale. For a multiplatform institution, it is necessary to have clear, distinct, and separate demarcations between its corporate divisions, units and affiliates in order to avoid violations of the TSR.

Jonathan Foxx
Managing Director 
Lenders Compliance Group

Thursday, December 8, 2016

Limits on Points and Fees

We are a mortgage banker. Our policy is to place limits on points and fees in our residential mortgage loan transactions. But an applicant complained to the CFPB that we denied the application because of our limits on points and fees. Our regulator has told us that a lender does have limits on points and fees based on certain guidelines. What are those guidelines?

At a rudimentary level, the CFPB expects lenders to (1) document the loan transaction, and (2) determine the consumer’s ability to repay the loan. Depending on the loan transaction, the ability-to-repay feature – which offers certain standards for demonstrating a good faith effort to determine that the consumer is likely to be able to pay back the loan – may have some bearing on the points and fees concern.

If a consumer does not have the ability to repay the loan, the lender may not offer the credit extension. In fact, some lenders may choose to comply with the ability-to-repay rule by making only “Qualified Mortgages,” which do have caps on upfront points and fees.

Certain loan features are not permitted in Qualified Mortgages, such as an “interest-only” period, negative amortization, balloon payments, and loan terms that are longer than 30 years. Qualified Mortgages also carry a limit on how much of the consumer’s income can go towards debt and do not allow excess upfront points and fees. If the consumer applies for a Qualified Mortgage, there are limits on the amount of certain upfront points and fees the lender can charge. These limits will depend on the size of the loan. Not all charges, like the cost of a credit report, for example, are included in this limit. If the points and fees exceed the threshold, then the loan can’t be a Qualified Mortgage.

The reason for the CFPB’s position is clear: the consumer needs protection from paying very high fees; therefore, a lender making a Qualified Mortgage can only charge up to the following upfront points and fees:

  • For a loan of $100,000 or more: 3% of the total loan amount or less.
  • For a loan of $60,000 to $100,000: $3,000 or less.
  • For a loan of $20,000 to $60,000: 5% of the total loan amount or less.
  • For a loan of $12,500 to $20,000: $1,000 or less.
  • For a loan of $12,500 or less: 8% of the total loan amount or less.

The foregoing loan amounts reflect the initial statutory base. There have been annual adjustments to these tiers. Under the CFPB’s rules, only Qualified Mortgages have a limit on points and fees. But lenders are not required to make Qualified Mortgages, so they can charge higher points and fees if they so choose.

Jonathan Foxx 
Managing Director 
Lenders Compliance Group

Thursday, December 1, 2016

USA Patriot Act Disclosure Form and the Freedom Act

We are a lender with a client that is very passionate about NOT signing the Patriot Act Disclosure that is included in our initial closing package. He is a permanent resident alien and claims that the Patriot Act has not been in existence since June 2015 and that a lender should not be requiring him to sign the U.S. Patriot Act Information Disclosure form. The client has no difficulties with providing the identification documents we require, but he feels that the disclosure form is a legal document which is inaccurate, as it is now the Freedom Act that governs. Is the client correct and how should we respond?  

Actually, the client is incorrect. He is operating under a common misconception that the entire USA Patriot Act expired. In reality, the vast majority of the Act, including Title III, which carries a great majority of the requirements for financial institutions, remains in effect. Thus, financial institutions are still required to (1) monitor for customers and transactions that could be related to terrorist activities through section 314(a) & (b); (2) verify the identity of customers through a customer identification program under section 326; and (3) have an established AML Program under section 352.

The sections that “expired” were section 215, which included the so-called “Lone Wolf” and “Roving Wiretap” provisions. The “Lone Wolf” provision allowed U.S. intelligence and law enforcement agencies to target surveillance at suspected terrorists who are not part of any group and without direct ties to terrorist groups. The “Roving Wiretap” provision permitted the monitoring of a specific person regardless of the devices used. The National Security Agency used section 215 as a basis for the mass collection and monitoring of phone records of millions of Americans who were not necessarily under investigation, a program Edward Snowden exposed in 2013. The USA Freedom Act essentially restored and amended section 215 through 2019.    

It is not clear which version of the USA Patriot Act Disclosure form you are using. However, in all likelihood, just above the signature line there is a statement to the effect of “By signing the form, you acknowledge receipt of this disclosure”. So, the client’s difficulty with acknowledging receipt of the form is difficult to grasp. If you are keeping the loan in portfolio, depending on your policies, you could have a documented exception, as there is no legal requirement that it be signed.

Joyce Wilkins Pollison 
Director/Legal & Regulatory Compliance 
Lenders Compliance Group

Friday, November 25, 2016

E-Sign and Enforcing Electronic Signatures

We recognize the requirements of E-Sign. One subject of discussion has been its role in contractually binding our financial institution in mortgage loan originations, especially in the area of consumer disclosures. How valid are electronic signatures? Can electronic signatures be used to enforce contracts?

The Electronic Signatures in Global and National Commerce Act (E-Sign) was designed to allow greater flexibility to implement electronically signed transactions. Its requirements have been used more and more since E-Sign’s inception in 2000. E-Sign specifies that an electronic record or transaction may not be rendered invalid solely on the basis of its electronic or digital nature, but it makes no guarantees about the overall enforceability of such electronic contracts.

An electronic record is only enforceable if it meets the criteria specified in relevant contract laws as well as the language of E-Sign. It is worth noting that E-Sign applies to interstate or government interactions. In-state transactions are bound either by the Uniform Electronic Transactions Act (UETA) or by the relevant governing state e-Signature laws – which, in some states, are actually more strict than E-Sign or UETA.

For an electronically signed document to be enforceable in court, it must meet certain requirements for legal contracts in addition to the electronic signature guidelines specified in the appropriate laws (such as E-Sign and UETA). According to E-Sign, an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

In contract law, signatures serve the following general purposes:
  1. Evidence: Authenticates agreement by identifying the signer with a mark attributable to the signer that is capable of authentication.
  2. Ceremony: Act of signing calls attention to the legal significance of the act, preventing inconsiderate engagements.
  3. Approval: Express approval or authorization per terms of agreement. 

To elucidate on factors involving authentication, broadly, authentication is defined as evidence that a given record, contract, or form is a genuine, unaltered written representation of an agreement approved by two or more parties, whether in paper or electronic form.

An authentic document contains no evidence of fraud or tampering, such that it may be reasonably concluded that the parties in agreement did indeed assent to the enclosed terms. Assent is evidenced by an attributable, authenticated signature. To be authenticable, the transaction must contain enough information uniquely attributable to the user that fraud, forgery, or validity can be reasonably proven.

For an electronic transaction to withstand scrutiny in court, it must meet the definitions and criteria stated above; that is, it must be capable of authentication and non-repudiation, call attention to the document's legal significance (viz., creation of the electronic signature), and demonstrate approval of the terms of the agreement.

Some electronic signature technologies sufficiently meet these criteria and some do not. Therefore, it is very important for businesses and government agencies to choose their electronic signature technology carefully or risk making agreements that cannot be enforced.

If interested in a review of your electronic signature technology, please contact us. We have subject matter experts who can review the technological and regulatory compliance requirements of E-Sign.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 17, 2016

UDAAP Violations in Consumer Debt Collection

Our compliance group recently passed around the E-Book on Advertising Compliance, written by Jonathan Foxx. In Part II, there is a section on UDAAP. We are particularly interested in UDAAP because we are updating our policies to include new language for UDAAP conduct in debt collection. Mr. Foxx’s outline was terrific in showing the range of UDAAP issues involving Advertising Compliance, but we wonder if he would provide some examples of how debt collection is impacted by UDAAP guidelines. So, what examples of conduct related to the collection of consumer debt could constitute UDAAP violations?

Thank you for the kind words about the E-Book, entitled Advertising Compliance: Getting Ready for the Banking Examination, which compiled two of my published White Papers. I have written extensively on this subject, but the E-Book has been found useful for individuals seeking a path to understanding this very complicated area of regulatory compliance.

There are many examples of Unfair, Deceptive, or Abusive Acts or Practices (“UDAAP”) violations in the context of debt collection, but any list is not going to be comprehensive. Also, please note that the obligation to avoid UDAAPs is in addition to any obligations that may arise under the Fair Debt Collection Practices Act (“FDCPA”).

First, what is an unfair act or practice? There are generally three components: (1) it causes or is likely to cause substantial injury to consumers; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. [Dodd-Frank Act §§ 1031, 1036, 12 U.S.C. §§ 5531, 5536]

Second, what is a deceptive act or practice? This consists of three components: (1) it misleads or is likely to mislead the consumer; (2) the consumer’s interpretation is reasonable under the circumstances; and (3) the misleading act or practice is material. [Section 5 of the FTC Act. See CFPB Exam Manual at UDAAP 5]

Third, what is an abusive act or practice? This is more nuanced than the foregoing elements, but there are two primary factors: (1) the act or practice materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreasonable advantage of (a) a consumer’s lack of understanding of the material risks, costs, or conditions of the product or service, (b) a consumer’s inability to protect his or her interests in selecting or using a consumer financial product or service, or (c) a consumer’s reasonable reliance on an institution to act in his or her interests. [Dodd-Frank Act § 1031(d), 12 U.S.C. § 5531(d). See also CFPB Exam Manual at UDAAP 9. See Stipulated Final Judgment and Order, Conclusions of Law ¶ 12, 9:13-cv-80548 and Compl. ¶¶ 55-63, CFPB v. Am. Debt Settlement Solutions, Inc., 9:13-cv-80548 (S.D. Fla. May 30, 2013)]

Given the above-outlined features of UDAAP, the following non-exhaustive list of examples of conduct related to the collection of consumer debt could constitute UDAAPs:
  • Collecting or assessing a debt and/or any additional amounts in connection with a debt (including interest, fees, and charges) not expressly authorized by the agreement creating the debt or permitted by law.
  • Failing to post payments timely or properly or to credit a consumer’s account with payments that the consumer submitted on time and then charging late fees to that consumer.
  • Taking possession of property without the legal right to do so.
  • Revealing the consumer’s debt, without the consumer’s consent, to the consumer’s employer and/or co-workers.
  • Falsely representing the character, amount, or legal status of the debt.
  • Misrepresenting that a debt collection communication is from an attorney.
  • Misrepresenting that a communication is from a government source or that the source of the communication is affiliated with the government.
  • Misrepresenting whether information about a payment or non-payment would be furnished to a credit reporting agency.
  • Misrepresenting to consumers that their debts would be waived or forgiven if they accepted a settlement offer, when the company does not, in fact, forgive or waive the debt.
  • Threatening any action that is not intended or that the institution or service provider does not have the authorization to pursue, including false threats of lawsuits, arrest, prosecution, or imprisonment for non-payment of a debt. [CFPB Bulletin 2013-07]

Facts and circumstances will dictate the presence of a UDAAP violation; however, these examples are but a few of the many potential UDAAP acts or practices involving consumer debt collection.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 10, 2016

Elements of a Disaster Recovery Plan

Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institution’s size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan
  1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.
  2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to be notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.
  3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data. 
  4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that the resuming of operations be expected to occur within the next business day.
  5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.
  6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.
  7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.
  8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.
  9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.
  10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.
  11. Test the plan at least annually by qualified, independent internal personnel or a qualified third party service capable of performing a risk assessment. The testing date should be documented, such documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third party service.
  12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, November 3, 2016

Types of Lead Generation

We are thinking about obtaining leads from an online lead generation service. In the process of reviewing our marketing campaign, it seems pretty clear that there are different types of lead generators. What are the different types of lead generators? What are some pitfalls? Also, what is a lead?

For the most part, the Federal Trade Commission (“FTC”) has broad jurisdiction over lead generators. The FTC has used its authority to bring enforcement actions against unscrupulous actors in the lead generation industry. Examples abound, such as where the FTC successfully sued lead generators that lured consumers with promises of extremely low fixed rate mortgages or free refinancing, but then sold consumers’ information to entities that did not actually offer these deals, or where it sued payday loan lead generators that sold consumers’ sensitive bank account information to non-lenders who simply debited charges directly from consumers’ accounts without authorization.

I have written extensively on lead generation generally and lead generation companies in particular, such as my article titled, “The Lead Generation Company: Managing the Risks,” which can be found in our Articles library. This article is a good place to start your reading on lead generation companies, especially in light of the significant regulatory risks posed by them.

Lead generation is the process of identifying and cultivating individual consumers who are potentially interested in purchasing a product or service. The goal of lead generation services is to connect lead purchasing companies with the profiled consumers so that the lead purchaser can convert “leads” into sales. The FTC has defined a lead broadly as any consumer who has indicated interest – directly or indirectly – in buying a product or service by taking some action.

Leads cover the gamut of consumer profile information. For instance, they may consist of little more than a consumer’s name and contact information. But they can contain information that has been derived by soliciting much more detailed and sensitive consumer information, like Social Security Numbers and bank account numbers; in other words, not just information in the public record.

The lead generation world is very state-of-the-art these days. Consider that consumers increasingly research and shop for products and services online, which means that lead generation has become more sophisticated, rapid, and data-intensive.

Leads are collected from many sources. Often, leads are collected by a publisher or affiliate. This entity is encountered by the consumer through the consumer’s use of consumer-facing marketers in the lead generation ecosystem that promote products or services online. These conduits encourage consumers to submit additional information about themselves to learn more and connect with merchants or advertisers that can sell them the products or services being sought by the consumer. Many publisher websites contain marketing claims and a web form requesting consumer information. Some publishers expressly identify the merchant to which they sell consumer leads, but others do not and only make generic marketing claims.

In our reviews of client marketing strategies, we have seen where small publishers simply collect consumer information and pass it on to larger, more sophisticated actors in the lead ecosystem. We have also found that some publishers oversee networks of sub-publishers or sub-affiliates that feed them leads, often contracting with the latter to create marketing websites and web forms.

There are many types of lead sources and lead generation methods. I will mention the salient types.

Leads Transmitted to Aggregators: These are intermediaries that take in leads collected by multiple website publishers and prepare them for sale to their clients, which may be end users or even other aggregators. Generally, the aggregator identifies the leads that would be most valuable or relevant to its clients and packages the leads accordingly. Unless an aggregator chooses to operate its own websites or engage in consumer-facing marketing, its role may be largely invisible to consumers who fill out online forms.

Leads Sold to End-Buyer Merchants: These are leads sold to end-buyer merchants or advertisers that can sell consumers the products and services they are seeking. By using these leads, merchants will frequently contact consumers directly in order to pitch services and provide additional marketing materials about a potential transaction.

Leads Verified or Supplemented with Additional Information: These leads stem from a pruning process, whereby merchants and others in the lead generation ecosystem seek more data about leads. Reasons for seeking additional information include further verification of the accuracy and validity of the information consumers provide in web forms, supplementation of consumer leads with additional data for a fuller picture of a consumer, or the scoring of leads based on their potential qualifications or value. The pruning process could include even contacting consumers directly, for instance, by calling them over the telephone. Some merchants, aggregators, and publishers seek supplemental information from third-party data brokers, firms that unfortunately often act without transparency and accountability.

Finally, lead generators may sell “remnant leads” that can target consumers unlawfully. These are leads where the lead purchaser has no legitimate need for the consumer’s sensitive data. The FTC has brought enforcement actions based on the prevalence of remnant leads. Even lead generators are very cautious in how they sell remnant leads. Depending on the circumstances, they could be liable under the FTC Act if the purchaser has no legitimate need for the information, especially since privacy policies on many publisher websites provide few restrictions on the use or sale of the consumer information collected by the lead generator.

If you plan to use a lead generation company, I strongly advise that you vet it as a service provider, using the kind of due diligence review resources offered by our affiliate Vendors Compliance Group. Whatever you decide in developing your marketing campaign, keep in mind that the FTC has demonstrated significant concern about lead generators’ collection and sharing of consumer information, given that such information increases the risk of misuse and harm to consumers.

Jonathan Foxx
Managing Director
Lenders Compliance Group

Thursday, October 27, 2016

Social Media – Posting News Articles

I'd like to get some clarity on the requirements for posting news articles to different social media channels. We create several articles per month and would like to publish those articles on LinkedIn, Facebook, Instagram, Twitter, and anywhere else we deem appropriate. Are there specific issues with each of the respective channels that we need to be aware of? Any clarity you can offer on this would be greatly appreciated. 

There are a myriad of compliance issues associated with use of social media, but there are no easy or quick answers to your question. While the type of social media selected can impact compliance, the issues with which you should be most concerned are less the result of the channel you are using than the content of what you put there. Because of the rapidly evolving technology associated with social media, the regulators are struggling to identify exactly where consumer protection problems may exist and to formulate regulations that effectively address those problems.

With that in mind, in 2013, the Federal Financial Institutions Examination Council (FFIEC) promulgated “Consumer Compliance Risk Management Guidance” pertaining to the use of Social Media by regulated institutions. Basically, anything a mortgage lender – or even an individual loan officer – puts on social media (including the articles/newsletter referenced in your email, the substantive content thereof, and the identifying information surrounding that content that might lead a prospective borrower to use your services) is subject to regulatory scrutiny with respect to its compliance with a wide range of laws and regulations.

These are listed in the Guidance and include:
  1. the Fair Lending laws, Equal Credit Opportunity Act (Regulation B), and the Fair Housing Act;
  2. the Truth in Lending Act (Regulation Z);
  3. the Real Estate Settlement Procedures Act (RESPA) (Regulation X);
  4. the Fair Debt Collection Practices Act (FDCPA);
  5. Section 5 of the Federal Trade Commission Act and Sections 1031 and 1036 of the Dodd-Frank Act provisions prohibiting “unfair,” “deceptive,” or “abusive” acts or practices (UDAAP);
  6. rules governing payment systems, including the Electronic Funds Transfer Act; 
  7. the Bank Secrecy Act and Anti-Money Laundering laws;
  8. the Community Reinvestment Act;
  9. various laws pertaining to consumer privacy, including the Gramm-Leach-Bliley Act privacy rules and data security guidelines;
  10. the CAN-SPAM Act and Telephone Consumer Protection Act;
  11. the Fair Credit Reporting Act; and 
  12. various state and federal laws relating to fraud, false advertising, and brand identity. 

In addition, lenders need to be very concerned about what is commonly known as “reputation risk” and a whole range of “vendor management” issues with respect to third party service providers. 

These are discussed in more detail in two excellent articles by LCG’s Managing Director, Jonathan Foxx, entitled “Social Media and Networking Compliance” and “Advertising Compliance: Getting Ready for the Banking Examination,” both of which are available on LCG’s website, as separate White Papers or combined in an eBook. These articles provide a basic outline of the applicable legal and compliance issues involved in what you are hoping to do and at least some of the clarification you are looking for.

However, as already indicated, this is a highly complex and developing area of law and regulation and the further you delve into it, the more questions you may have. In that regard, do not be concerned by the fact that many of your competitors may not seem to be worried by any of this – that is because most MLOs and mortgage companies remain relatively uninformed about the significant legal and regulatory risks involved in the use of social media and because the regulatory enforcement mechanisms have not yet caught up to them.

Bottom line: anything you put on social media needs to be screened through the company’s compliance management systems and those systems need to be compliant in every way with the FFIEC Guidance.

Michael Pfeifer
Director/Legal & Regulatory Compliance
Lenders Compliance Group

Thursday, October 20, 2016

Spanish Language Websites and Flyers

In thinking about Spanish marketing materials, is there a problem with having a Spanish website or flyers in Spanish?

Yes, there can be specific liabilities involved here. The risks have to do with the language barriers that exist, which can, unfortunately, lead to Regulation B violations, UDAAP violations, or EFTA violations. This is because the borrowers may understand the materials that are presented in Spanish, such as the website, but they may not understand the other materials that are not in their language, such as the disclosures. The problems arise when lenders are not executing correctly.

While it is fine to have a website in Spanish, the language must continue throughout the entire process, which would include Spanish disclosures, as well. If a lender is going to advertise in a language other than English, they will be required to provide all documents and services in Spanish for those borrowers. This pertains to the entire process, such as disclosures and interpreter services.

Institutions still have the same responsibility under these Regulations and Acts to ensure that all documentation is clear and easily understood by their clients, and ensure that there is nothing which would appear to be “Unfair” or “Deceptive”, under the UDAAP law. This would begin with advertisement, and continue on through originations, disclosures, with interpreter services and possibly through to loan servicing, if applicable, in order to assist the borrowers in their language.

There has been an increase of regulatory scrutiny for the past year on this subject. We have included some commentary to assist in the understanding of what the requirements are.

In anticipation of a CFPB examination, here is a list of some actions that should be implemented. In order to enforce and promote the protection of individuals that speak languages other than English in the consumer financial marketplace, entities offering consumer financial products and services should be proactive about monitoring their operations for potential ECOA, EFTA, and UDAAP violations, as well as issues involving other potential areas of vulnerability.
  • Maintain a strong compliance management and review system that includes a focus on or sensitivity to potential language discrimination issues;
  • Review current communication and transaction processes to ensure that non-English speaking individuals are given equal access to all consumer financial programs and services;
  • Self-identify potential ECOA and EFTA violations and remediate those practices as quickly as possible;
  • Implement a process to review marketing, offering, and transactional documents and materials, as well as other consumer-facing processes such as loan origination and consumer complaint systems, to screen for potential weaknesses and vulnerabilities related to language-based discrimination;
  • Limit areas where consumer-facing employees are free to exercise “subjective and unguided discretion” when interacting with non-English speaking consumers to minimize the risk of practices with unlawful discriminatory effects;
  • Conduct training programs for consumer-facing employees to increase awareness of and the appropriate handling of issues involving language-based discrimination, including educating employees on the potential for fair lending issues that could arise from the failure to appropriately handle potential language barriers;
  • Clearly disclose the terms of any consumer financial product or service in English and, where applicable, the consumer’s primary foreign language, and obtain translation services, as appropriate, to avoid potential issues;
  • Review customer complaints for signs of systemic ECOA, EFTA, or UDAAP issues arising from language-based discrimination complaints;
  • Affirmatively cooperate with federal and state regulatory authorities to address issues of concern involving potential language discrimination issues, and seek out clarity in areas in which there may be some uncertainty; and
  • Ensure accountability to monitor activities, maintain compliance programs, and address potential language-based discrimination issues throughout the organization, including at the level of senior management and Board of Directors. 

Director/Regulatory Audits and Controls
Lenders Compliance Group 
Executive Director/Servicers Compliance Group

Thursday, October 13, 2016

Force-Placed Flood Insurance

We are a lender that must occasionally force-place flood insurance. Could you please let us know what the timeline is for notification to the borrower? Also, how do we charge for retroactivity? And what is the required information on the insurance declarations page to show coverage?

If a lender or a servicer acting on behalf of the lender determines at any time during the term of a designated loan, that a building or a mobile home and any personal property securing the designated loan is not covered by flood insurance or is covered by flood insurance in an amount less than the amount required, then the lender or servicer acting on its behalf, must notify the borrower that the borrower should obtain flood insurance, at the borrower’s expense, in an amount at least equal to the amount required, for the remaining term of the loan.

With respect to notification, if the borrower fails to obtain flood insurance within 45 days after notification, then the lender or its servicer must purchase insurance on the borrower’s behalf. The lender or its servicer may charge the borrower for the cost of premiums and fees incurred in purchasing the insurance, including premiums or fees incurred for coverage beginning on the date on which flood insurance coverage lapsed or did not provide a sufficient coverage amount.

Under Regulation X, the implementing regulation of the Real Estate Settlement Procedures Act, the Consumer Financial Protection Bureau requires a servicer to send two written notices before a servicer can assess a force placement charge on a borrower: (1) a notice at least 45 days before assessment of a charge, and (2) a notice at least 30 days after the initial notice and at least 15 days before assessment of a force placement charge. [12 CFR 1024.37(c)-(d)] However, the lender or its servicer still would be required to send the mandated 45-day notice following the lapse of the borrower’s policy.

Regarding retroactivity, the plain language of the applicable statute provides that the lender or servicer may charge for premiums and fees incurred for coverage beginning on the date on which flood insurance coverage lapsed or did not provide a sufficient coverage amount. Further, when the lender determines there is a coverage lapse or insufficient coverage, the Flood Disaster Protection Act (FDPA) requires the institution to send a notice to the borrower.

A lender or its servicer can force-place flood insurance beginning on the day the borrower’s policy lapsed or did not provide sufficient coverage, and also, as of that day, the institution can charge the borrower for the force-placed insurance. [12 CFR 1024.37(c)-(d)]

If a lender, despite its monitoring efforts, discovers a policy with insufficient coverage, the lender may charge back to the date of insufficient coverage provided it has purchased a policy that covers the property for flood loss and that policy was effective as of the date of insufficient coverage. However, if purchasing a new policy is necessary to force-place insurance upon discovery of insufficient coverage, a lender may not charge back to the date of lapse or insufficient coverage because the policy did not provide coverage for the borrower prior to purchase.

Under the FDPA, as amended by the Biggert-Waters Act, a lender or its servicer must accept from the borrower an insurance policy declarations page that includes the existing flood insurance policy number and the identity of, and contact information for, the insurance company or its agent. This is known as “sufficient demonstration,” meaning that the foregoing information and documentation are all that is required under Biggert-Waters for an insurance policy declarations page to be considered sufficient evidence of a borrower’s flood insurance coverage.

This minimum sufficient demonstration can cause concern at times, since the required information does not have to include the policy term effective dates, the current flood coverage amount, limitations and exclusions, the mortgagee’s identity, and, if the coverage is provided by a private flood policy, some documentation that the policy satisfies either the Biggert-Waters definition of private flood insurance or the mandatory purchase requirement.

Indeed, with respect to private flood insurance, the requirement to accept the declarations page as sufficient demonstration may cause lenders to accept a private flood insurance policy based on the declarations page, only to later determine that the policy is unacceptable.

Nevertheless, a lender is responsible for making all necessary inquiries into the adequacy of the borrower’s insurance policy to ensure that the policy complies with the mandatory purchase requirement. If the lender determines the coverage amount or any terms and conditions fail to meet applicable requirements, the lender should notify the borrower and request that the borrower obtain an adequate flood insurance policy.

Jonathan Foxx
Managing Director 
Lenders Compliance Group

Thursday, October 6, 2016

Eligibility Information in Affiliate Marketing

We are a bank that was recently cited for violations of affiliate marketing procedures. We did not have a pre-existing business relationship, but it seems that our violation also was caused by our use of “eligibility information.” What is “eligibility information?” Also, how is it a factor in affiliate marketing?

A consumer has the right to restrict affiliate marketing from a financial institution, where the former does not have a pre-existing business relationship with the latter. The restriction applies to using certain information obtained from an affiliate to make solicitations to that consumer. This provision is distinct from giving a consumer the right to restrict the sharing of certain consumer information among affiliates. [Section 603(d)(2)(A)(iii)]

A financial institution may not use information received from an affiliate to market its products or services to a consumer, unless the consumer is given notice and a reasonable opportunity and a reasonable and simple method to opt out of the making of such solicitations. The affiliate marketing opt-out applies to both “transaction” or “experience” and “other” information, such as information from credit reports and credit applications.

To be clear, exceptions to the notice and opt out requirements apply when an entity uses “eligibility information” in certain ways. Eligibility information includes not only transaction and experience information, but also the type of information found in consumer reports, such as information from third party sources and credit scores. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses. [12 CFR 571.20(b)(3)]

Specifically, “eligibility information” is defined in the affiliate marketing regulation as any information the communication of which would be a consumer report if the exclusions from the definition of “consumer report” in Section 603(d)(2)(A) of the Fair Credit Reporting Act do not apply.

With respect to the pre-existing business relationship, a financial institution establishes this relationship based on:
  • A financial contract between the person and the consumer which is in force on the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation;
  • The purchase, rental, or lease by the consumer of the person’s goods or services, or a financial transaction (including holding an active account or a policy in force, or having another continuing relationship) between the consumer and the person, during the 18-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation; or
  • An inquiry or application by the consumer regarding a product or service offered by that person during the three-month period immediately preceding the date on which the consumer is sent a solicitation covered by the affiliate marketing regulation. 

One of the regulatory triggers for affiliate marketing violations is in the area of solicitations, which is the marketing of a product or service initiated by a person, such as a financial institution, to a particular consumer that is:
  • Based on eligibility information communicated to that person by its affiliate; and
  • Intended to encourage the consumer to purchase or obtain such product or service. [12 CFR 571.20(b)(5)]

Examples of a solicitation include a telemarketing call, direct mail, e-mail, or other form of marketing communication directed to a particular consumer that is based on eligibility information received from an affiliate. A solicitation does not include marketing communications that are directed at the general public (i.e., television, general circulation magazine, and billboard advertisements).

Jonathan Foxx
Managing Director
Lenders Compliance Group