Oversight: Three Lines of Defense

QUESTION

I’ve heard many different things about oversight of banks, non-banks and their related vendors. Some say it should be done, others say it isn’t that important. Can you tell me if there are any requirements regarding oversight and what they say?

ANSWER

We have noted over the last few years that the Federal Regulators refer to the Three Lines of Defense for oversight execution. Not only do they verbalize it, but this same verbiage can also be found on many of their First Day Letters.

These are as follows:

1st Line of Defense

At the business line level, Quality Assurance of business processes must be performed on a monthly basis. For their vendors, the business should also be completing scorecards on a monthly basis, all rolled up to management and into the 2^nd line of defense.

2nd Line of Defense

This refers to both:

1. Corporate Quality Control (not the same as Quality Assurance) that audits by a selection of loans through Statistically Valid Sampling or Stratified Sampling, and against GSE and FHA guidelines and best practices; and,
2. Regulatory Compliance Audit, which compares the line of business work product execution and vendor management with the actual governing laws. These two groups have to perform testing independently of the business.

These audits and their findings must report through senior management, with all issues tracked by the business and second line for oversight until the remediation is complete.

3^rd Line of Defense

This refers to the Internal Audit Structure that reports directly to the Board of Directors or to the highest level of senior management. This is totally independent of all other lines of defense. This group reviews everything bank-wide, including the first two lines of defense, and all processes of the business, end to end, the organizational structure, vendor and ensures remediation takes place on all that they discover.  

Michelle Leigh

Director/Internal Audits and Controls

Lenders Compliance Group

Executive Director

Servicers Compliance Group

Complaint Resolution

QUESTION

We are redrafting on consumer complaint policy and we’re getting stuck on how to handle the early stages of complaint resolution. Can you provide some practical guidance with respect to starting the complaint resolution process?

ANSWER

The Board of Directors or Senior Management should delegate the responsibility of monitoring and responding to complaints to a manager. Some companies give this individual the title Complaint Resolution Officer or CRO.

All written complaints initially would be directed to the appropriate department and functional area, or, if there is any uncertainty, instead to the CRO. The appropriate personnel will draft responses to consumers and/or regulators, and cross copy the CRO. If the company is small, the initial complaints would be sent directly to the CRO.

Generally, the CRO will keep a central file of complaints and responses. The Board and Management should meet, at least quarterly, to review new complaints and responses. Senior management would determine if certain complaints must be brought to the attention of the Board more often or if the response to the consumer and/or regulator should come from the Board.

Once a complaint is noted, institution personnel may be interviewed individually by the functional department manager or designated CRO if they are involved in the consumer’s complaint or comment. Explanations of the occurrence can be requested during the interview process, and copies of any written instructions furnished to employees about the allegation would be reviewed and discussed during the interview process.

A written report should by written by a department manager or CRO, presenting the facts and information in a clear, objective manner. The report should:

• Summarize the facts in a chronological order;
• Detail the precise claims of the complainant;
• Express the resolution desired by the complainant; and,
• Indicate management’s response to the claims of the complainant. 

The report should include the recommended course of action or corrective procedures and comments on whether the complaint represents an isolated case or a pattern or practice that needs to be corrected.

Complaint resolution must follow a timed response process. Unless otherwise required by regulation for different timely response criteria, the following general guidelines should be followed regarding responses to complaints:

• Complaints should be acknowledged within 15 days after receipt of the correspondence, oral, telephonic, or electronic notification of a complaint;
• Inquiries, comments, or objections should be answered or information provided within 15 business days after receipt;
• Complaints not involving an on-site investigation should be fully processed and responded to within 30 days after receipt; and,
• Complaints involving an on-site investigation should be resolved within 45 days after receipt.

Jonathan Foxx

Managing Director 

Lenders Compliance Group

Policies and Procedures – Separate or Combined Documents

QUESTION

Our company has a single set of policies and procedures combined into one document. I have heard people talk about having them in separate documents. What is the benefit of splitting them out?

ANSWER

We frequently see the same common mistakes companies make when writing policies and procedures. Combining policies and procedures all in the same document is one of the biggest mistakes that can keep your policies and procedures from being utilized to their individual fullest extent.

Not having a clear understanding of the difference between a policy and procedure is where most firms get into trouble. Here’s a simple definition of both:

• A policy is a guideline or statement of position with respect to a given topic, and
• A procedure is a set of steps or instructions for completing a task. 

Your Quality Control Policy is a good example. The policy itself contains a compilation of the rules and guidelines mandated by the governing agencies and the overlay of policies set forth by the company.

Related procedures to this policy are the “how to’s” that cover such things as the steps required for when and how to review a specific loan type, how to enter the review findings in a report set or in a database or how to prepare a monthly quality control report, and so forth. 

When policy and procedure information is combined in a single document, employees have a hard time finding what they need – and so they may guess or ask a co-worker, or worse yet not complete the required action.

Your policy and procedure information should be covered in separate documents that are linked together for easy reference. That way employees can more rapidly find and understand the policy, then find the specific task steps they need to carry out the policy.

If you have questions or concerns regarding the policies you have in place, we are happy to work with you to determine that 1) your policies meet agency guidelines and 2) the policies and procedures are properly correlated.

Brandy George

Director/Underwriting Operations Compliance

Lenders Compliance Group, and

Executive Director/LCG Quality Control

Settlement Agent failing to observe Three Day Waiting Period

QUESTION

On a purchase money transaction, the lender issued a Closing Disclosure which set forth a 30- year term, as opposed to the 15 year term the borrower wanted. The error was discovered while the borrower was at the closing table. The lender issued a corrected CD reflecting an APR increase of more than 0.125%, thus triggering a new three day waiting period. The lender did not give the settlement agent a “clear to close”. However, for whatever reason, the settlement agent thought he had funding authorization and proceeded to consummate the transaction, including the disbursement of funds to the seller. It appears that the settlement agent closed on the initial CD, as that is the CD, signed by the borrower, that he returned to the lender. The following day the lender learned that the transaction closed and now seeks to “cure” the regulatory violation through the issuance to the borrower of a corrected CD within 30 days of consummation in accordance with 12 C.F.R § 1026.19(f)(2)(iii). Does doing so, in fact, cure the situation? 

ANSWER

You are correct, that under the TILA-RESPA Integrated Disclosure Rule (“TRID”), the lender must issue a revised Closing Disclosure if any of the fees reflected therein become inaccurate at or before consummation and, if such revisions result in an increase in the APR of more than 0.125%, consummation must not take place sooner than three business days following the issuance of the corrected CD. [12 CFR § 1026.19(f)(2)]

As to the regulatory violation described in your question, there is no “cure” for failing to comply with the three day waiting period rule. Regardless of what actions the lender takes now, the lender can still be cited for this violation.  

As to the 30-day post consummation cure period, under the regulation, a revised CD must be issued within thirty days of consummation if two criteria are met. 

1. “An event in connection with the settlement of the transaction occurs that causes the disclosures . . . to become inaccurate”, and
2. “Such inaccuracy results in a change to an amount actually paid by the consumer from that amount disclosed under paragraph (f)(1)(i) of this section . . . “ [12 CFR 1026.19(f)(2)(iii)] 

In the Section by Section analysis (78 FR 79878), the Bureau sets forth its position that post-consummation redisclosures should only be made if a subsequent event results in a change to a charge paid by the consumer. 

“The final rule requires redisclosure only for post-consummation events that change an amount actually paid by the consumer. The Bureau does not believe consumers would benefit from revisions to the Closing Disclosure due to post-consummation events that do not affect charges imposed on them . . . Thus, the Bureau believes a redisclosure to the consumer after consummation should be required only if a subsequent event changes a charge actually paid by the consumer and not for any change to the transaction”.

So the question is, what is the post-closing event that caused the disclosure to become inaccurate? 

The lender learning that the settlement agent consummated the transaction using the incorrect CD? That does not appear to qualify as a post-consummation event, as the event was the consummation of the transaction, not the lender learning of the error. 

The second question is, what charges did the consumer actually pay? Those charges disclosed on the incorrect CD or those disclosed on the corrected CD? If the former (assuming they are less), I would suggest the creditor simply eat the difference in fees. If the latter, consider looking to the cure provisions under 15 USC § 1640(b); notify the consumer of the error and refund the lesser of the charge actually disclosed or the dollar equivalent of the APR disclosed on the incorrect CD.

Additionally, if on a good faith analysis, the charges disclosed on the corrected CD exceeded the amounts set forth on the Loan Estimate beyond permissible tolerances, the corrected CD must be issued together with a refund for excess to the borrower within 60 days of consummation. [12 C.F.R. § 1026.19(f)(2)(v)]

Joyce Wilkins Pollison

Director/Legal & Regulatory Compliance

Lenders Compliance Group

Loan Officer Licensing: Multiple Locations

QUESTION

We have a few questions regarding RMLO licensing. Our scenario is a bit complicated, so please excuse the length. We have a branch office in City “Y,” which is within a one hour drive of our headquarters in City “X.” It is not uncommon to live in one and commute to the other for work. We have a Loan Officer (“LO”) based in our headquarters office in City X and licensed there. The LO also assists our loan officer in City Y, taking applications there, and often commuting from City X to City Y to meet borrowers. Because the LO is licensed in our state, she is able to do business out of our headquarters office in City X for anyone in our state.

The issue we’re curious about concerns business cards and representation on our website.

The LO has run into some resistance from some borrowers in City Y who want someone “local,” even though the LO is regularly in City Y once or twice a week.

Our LO wants to print business cards for her City Y clients using the address of our branch office in City Y, and to have us show her on our website as resident under both the City X office and the City Y office. All of her applications, LE’s, etc., would reflect the office she is licensed out of (City X), and all applications would be taken out of the City X office.

So, here are our questions:

• Would this scenario be permissible?
• Do we need to get our LO licensed in both locations in order to allow her to distribute business cards for both locations?
• And if so, does NMLS allow for LO’s to be licensed in multiple locations? 

Please let me know as soon as you can. Thank you!

ANSWER

In answer to your question, it is important to distinguish between “licensing” and the information required to be submitted to the National Mortgage Licensing System (“NMLS”).  Your question indicates that the LO is licensed in your state. That should allow her to originate loans to borrowers in your state from anywhere in the state. Depending on your state’s requirements for having a “brick and mortar” office in the state, her license may even allow her to originate loans from outside the state as long as she is employed by your company and your company has an office in the state.

NMLS reporting requirements are something different. The NMLS does not issue licenses. The NMLS also does not restrict your LO’s state license to a particular location, or limit her ability to originate loans from anywhere in the state. The NMLS is an information tracking and reporting system, not a licensing authority. Its purpose is to enable consumers and regulators to find your LO and keep track of who she is working for. Under 12 CFR 1007.103(d)(1)(C), one of the regulations implementing the federal “SAFE Act” (“Secure and Fair Enforcement for Mortgage Licensing Act of 2008” pursuant to which the NMLS was established), the LO is required to report to the NMLS only her “principal business location address and contact information.” (Emphasis added.)  I could not find any provision in the SAFE Act or its implementing regulations permitting or requiring your LO to report multiple addresses.

           

Moreover, in the “employment history” section of the NMLS “MU4” report form (which is the NMLS reporting form for individual loan officers), there is only room enough to report one address for the LO’s “current employer.” There is no mention of, or provision for, multiple locations. According to page 83 of the NMLS Guidebook (which can be found on the NMLS website), the address of the LO’s “current employer” is defined as being “where the individual receives their compensation.” Under the situation you have described, that location is probably your headquarters office in City X.  

Further, page 60 of the Guidebook, dealing with NMLS Branch Registration form MU3, says:

“Applicant and licensees are not considered authorized to conduct licensed activities from branch locations in a participating state unless they have an approved license tied to the Branch Form. Only one Branch Form is allowed to be filed per physical location. Regulators and SRR will periodically monitor compliance with this requirement.”

While this provision may at first seem confusing, in practice it applies only to your company and not individual loan officers employed by your company. Since the LO is an employee of your company and not operating independently, this reporting requirement does not apply to her – unless she is the manager of the branch, in which event she would need to be identified as such on form MU3.

There appears to be nothing in the NMLS Guidebook or MU3 form that authorizes or provides for a listing of individual loan officers working out of a branch office; only a requirement for listing of the branch manager. Thus, it does not appear that NMLS requires you to report City Y as an alternative location out of which the LO does business. You should check the reporting requirements of your particular state, however, to confirm that your state does not require reporting more specific information to the state.

Finally, neither state licensing rules, nor the NMLS reporting requirements, alter your LO’s obligations to be truthful and avoid deceptive marketing. In most states, the laws implementing the SAFE Act contain certain “prohibited acts and practices,” under which persons required to be licensed may not:

• employ, directly or indirectly, a scheme, device or artifice to defraud or mislead borrowers or lenders or defraud a person;
• engage in an unfair or deceptive practice toward a person;
• make, in any manner, a false or deceptive statement or representation; 
• negligently make a false statement, or knowingly or willfully make an omission of material fact in connection with: (A) information or a report filed with a governmental agency or the Nationwide Mortgage Licensing System and Registry…” 

In light of these provisions, both you and your LO should be careful not to distribute any marketing materials – including business cards and information on your website – that contain information which is false, misleading, or deceptive. For example, if your LO never performs any activities for which a license is required at your City Y office, it may be misleading to borrowers for her to list that location on her business cards, or for you to list her on your website as someone working out of that office.

This is a highly technical area, however, so if you have any questions, please do not hesitate to contact us.

Michael Pfeifer

Director/Legal & Regulatory Compliance 

Lenders Compliance Group