Thursday, September 26, 2019

Splash and Dash Loans

We have a problem with categorizing temporary financing loans in our HMDA-LAR. 

Our main concern is finding out about temporary financing in general as well as a "splash and dash" loans in particular. 

We know there are exemptions, but temporary loans seem always to cause us to worry about whether we should report them to the HMDA-LAR. 

What are the situations that do not apply to HMDA? 

How should we view temporary financing for purposes of filing HMDA data? 

And, are splash and dash loans reportable?

Certain situations are not HMDA-reportable, for instance: 
  • Loans or applications for loans that the lender originated or purchased in a fiduciary capacity (such as trustee);
  • Loans or loan applications on unimproved land;
  • Loans or loan applications for temporary financing (i.e., such as for bridge loans or construction loans);
  • The purchase of an interest in a pool of loans (i.e., mortgage participation certificates);
  • The purchase of mortgage loan servicing rights; and
  • Loans originated prior to the current reporting year and acquired as part of a merger or acquisition or acquisition of all the assets and liabilities of a branch office.
You might be interested to know that Regulation C does not specifically define the term “temporary financing.” For HMDA-reporting purposes, many lenders believe any loan under a certain term to be temporary financing, but this is not necessarily the case.

For a loan to be exempt from HMDA reporting, lenders must also consider the purpose of the loan with regards to determining an exclusion for temporary financing. 

Regulation C provides examples of temporary financing, such as bridge loans and construction loans, so you might infer that the exclusion of temporary financing only applies to loans that are not intended to be permanent. But bridge loans and construction loans are considered temporary based on the fact that their purpose is to provide short-term financing for the borrower until the borrower makes other financial arrangements. Considering that both the temporary financing and the permanent financing are for the same property and the same borrower, the reporting of both loans would result in double counting of loan data.

It is interesting that you mention “splash and dash” loans, especially since many lenders do not know about them and have never heard that euphemism. The splash and dash loan is a short-term loan for the renovation of residential property in order to immediately resell the property. But is it temporary financing? 

Although the term of a splash and dash loan is generally less than one year, this loan is the only financing the borrower intends to obtain for the subject property. So, the reporting of such loans would not result in double counting of loan data. 

Consequently, this type of loan would not qualify as temporary financing under Regulation C and must be reported on the HMDA-LAR.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, September 19, 2019

Cybersecurity Risk Profile

I heard recently about your Cyber Tune-up!™ and have contacted your office for more details. My main concern is trying to understand some of the features of a cybersecurity risk assessment. I am writing our cybersecurity policy and procedures. I want to provide a section about our risk profile. I need some help in categorizing the areas that require particular attention. I am not a techie, and a lot of this stuff baffles me! My question is, what are the criteria for a risk profile in cybersecurity?

Thank you for your interest in our Cyber Tune-up!™ We are the only compliance firm in the country that offers it; in fact, we are the only firm that offers any of the compliance tune-ups! If you want more information, go here, and we’ll respond to your request.

Your question is excellent! Many companies do not even know that they have a risk profile. That’s right! Every financial institution has a risk profile. When my team evaluates a company’s compliance needs, we take into consideration its size, complexity, products, services, business strategy, and, importantly, its risk profile. So, starting the policy with an outline of your institution’s risk profile is critical to the integrity of the policy document itself.

The regulatory agencies focus on elements of internal control systems and risk management, improving audit practice (particularly related to material errors in financial reporting), and cybersecurity throughout the enterprise.

Cybersecurity is a key risk topic because of the ever-increasing sophistication of systemic attacks. Typically, the reason these attacks are successful is because of missing or ineffective attention to rudimentary “security hygiene” practices in the systems and network environments, such as the failure to mitigate known vulnerabilities.

Regulators consider two factors in determining the risk profile vis-à-vis cybersecurity: the Inherent Risk Profile, which identifies the institution’s inherent risk before implementing controls; and the Cybersecurity Maturity, which includes domains, assessment factors, components, and individual declarative statements to identify specific controls and practices in place.

There are five risk assessment criteria for the Inherent Risk Profile that should be outlined in your institution’s risk profile and five criteria for Cybersecurity Maturity that should be met by management.

The five risk assessment criteria of Inherent Risk Profile in an institution’s risk profile are: 
  1. Technologies and Connection Types
  2. Delivery Channels
  3. Online/Mobile Products and Technology Services
  4. Organizational Characteristics
  5. External Threats

The five risk assessment criteria for Cybersecurity Maturity in an institution’s risk profile are: 
  1. Cyber Risk Management and Oversight
  2. Threat Intelligence and Collaboration
  3. Cybersecurity Controls
  4. External Dependency Management
  5. Cyber Incident Management and Resilience

I recognize that you are not a techie, but there are some actions that you can take to ensure a positive risk profile for cybersecurity.

Strengthen your Cybersecurity Risk Profile
  • Retain a firm to design internal control systems
  • Create internal control policies
  • Develop and document a formal internal control environment
  • Monitor internal control systems
  • Retain an independent firm to test the controls
  • Conduct a risk assessment independently or internally
  • Train personnel on managing internal systems

Management should document the risk mitigation efforts and choices, including the strategic, operational, and budgetary considerations that informed those choices; describe fully any accepted risk, including from unmitigated vulnerabilities; and set forth an action plan to implement and monitor the cybersecurity framework.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, September 12, 2019

Social Media Challenges

We are constantly monitoring our loan officers’ social media use. We train them from our written policies and procedures. I found out from a friend recently that Jonathan Foxx had written a White Paper on social media, so I went to your website and downloaded it. It was amazingly helpful, especially in outlining the compliance procedures! We used parts of it to update our social media policy. However, could you provide a synopsis on the areas of risk a mortgage lender could face as a result of its use of social media? 

Thank you for reading the White Paper, which was published in February 2013 as a magazine article. The article was titled, “Social Media and Networking Compliance.” You can download it from the articles page on our website HERE. This White Paper is as relevant today – perhaps even more so! – than it was in 2013.

Financial institutions tend to use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers. This electronic resource is sometimes utilized to receive and respond to complaints. Some companies use it to provide loan pricing. For the sake of brevity, I am going to use the acronym “SM” to refer to social media.

SM takes many forms, including, but not limited to, micro-blogging sites (i.e., Facebook, and Twitter); forums, blogs, customer review web sites, and bulletin boards (i.e., Yelp); photo and video sites (i.e., Instagram, Pinterest, and YouTube); sites that enable professional networking (i.e., LinkedIn); so-called virtual worlds; and social games. One way to distinguish SM from other online media is that communication tends to be more interactive. As a rule of thumb, consider messages sent through social media channels to be SM.

There are several “areas of risk,” to use your phrase, where SM attracts and interacts with customers. These areas can impact your organization’s risk profile, including the risk of harm to consumers, as well as various compliance, legal, operational, and reputation risks. 

Generally, compliance and legal risks stem from the potential for violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards. Of particular importance – and a never-ending challenge – are the SM practices used by employees. 

Training should involve making all affected employees aware that failure to comply with the financial institution’s SM policies and guidelines can expose it to enforcement actions and perhaps civil lawsuits. The big fear, of course, is a rogue employee not complying with an organization’s SM policy requirements.

These days, more and more often, I see how SM is being used to market products and originate new accounts. To the extent that an institution uses SM to engage in lending, it must comply with applicable laws and regulations. Let’s consider a few laws and regulations that may be relevant to your company’s SM activities with respect to residential mortgage banking.

Fair Lending Laws
The Equal Credit Opportunity Act, through Regulation B, prohibits creditors from making any oral or written statement, in advertising or other marketing techniques, to applicants or prospective applicants that would discourage on a prohibited basis a reasonable person from making or pursuing an application. However, a creditor may affirmatively solicit or encourage members of traditionally disadvantaged groups to apply for credit, especially groups that might not normally seek credit from that creditor.

It is also important to note that creditors may not, with limited exceptions, request certain information, such as information about an applicant’s race, color, religion, national origin, or sex. Since SM platforms may collect such information about participants in various ways, a creditor should be ensuring that it is not requesting, collecting, or otherwise using such information in violation of applicable fair lending laws. 

If the SM platform is maintained by a third party that may request or require users to provide personal information - such as age and/or sex - or use data mining technology to obtain such information from SM sites, the financial institution must notify the user that it, the financial institution, does not itself improperly request, collect, or use such information. Even giving the appearance of doing so can lead to adverse consequences. This scenario is particularly thorny and requires very carefully detailed consumer disclosure.

You probably know that the Fair Housing Act (FHA), among other things, prohibits discrimination based on race, color, national origin, religion, sex, familial status, or handicap in the sale and rental of housing, in mortgage lending, and appraisals of residential real property. FHA makes it unlawful to advertise or make any statement that indicates a limitation or preference based on race, color, national origin, religion, sex, familial status, or handicap. But, be careful, this prohibition applies to all advertising media, including SM sites.

Truth in Lending Act
I probably get asked most of all about TILA’s impact on SM. So, let me state categorically: any SM communication in which a creditor advertises credit products must comply with Regulation Z’s advertising provisions. Regulation Z broadly defines advertisements as any commercial messages that promote consumer credit. Indeed, the official commentary to Regulation Z unequivocally states that the advertising rules apply to advertisements delivered electronically.

To emphasize the foregoing caveat more broadly, an advertisement is a commercial message, in any medium, that is designed to attract public attention or patronage to a product or business. There is no ambiguity: SM is covered under Regulation Z.

Sometimes I am asked what is not considered an advertisement, as if SM does not have to fall into the advertisement bucket. Let’s be clear, under Regulation Z only a few interactions with consumers are not advertisements, such as, among other things, direct personal contacts relating to the negotiation of a specific transaction; informational material (i.e., loan pricing sheets) distributed only to business entities; notices required by federal or state law (viz., if the law requires specific information to be displayed and only the required information is included in the notice); and educational materials that do not solicit business. Tread very carefully here! Be sure to get independent guidance such as our firm offers. Don’t make up your own rules!

Thursday, September 5, 2019

Redlining – Exam Preparation

We are a bank in California with 35 branches. I am the bank's Compliance Officer and General Counsel. Recently, we were notified by our regulator that we’ll be having a fair lending examination. I believe we are prepared. However, the fact is we have a lot of branches, and I am particularly concerned that we do not receive any allegations about redlining. We have a perfect examination history in such examinations; however, we were a much smaller back at the time of the last fair lending audit. So, I want to concentrate on redlining issues. What actions can we expect the examiners to take with respect to redlining?

Interestingly, you state your bank is located in California. In late July, the Department of Housing and Urban Development settled a complaint filed by the California Reinvestment Coalition against CIT Bank dba OneWest Bank, which resolved an allegation that OneWest Bank engaged in redlining.

The settlement called for investing a stated sum in a loan subsidy fund to increase credit opportunities for residents of majority-minority neighborhoods; devoting money toward advertising and community outreach; and providing a sum in grants for homebuyer education, credit counseling, community revitalization, and homeless programs. OneWest Bank committed to originating $100,000,000 in home purchase, home improvement, and home refinance loans to borrowers in majority-minority areas and to open a full-service branch serving the banking and credit needs of residents in a majority-minority and low- and moderate-income neighborhood. Of course, redlining allegations can adversely affect a bank’s reputation.

Let’s consider a viable definition of “redlining.” It is little known minutiae of history that the term “redlining” began years ago, way before map apps were available, when some lenders looked at paper maps, used a red marker to draw a circle around a neighborhood, and then avoided doing business in that circumscribed zone.

Here's a very good definition of “redlining”:

“Redlining is a form of illegal disparate treatment in which a lender provides unequal access to credit, or unequal terms of credit, because of the race, color, national origin, or other prohibited characteristic(s) of the residents of the area in which the credit seeker resides or will reside or in which the residential property to be mortgaged is located. Redlining may violate both the FHAct and the ECOA.”

This is how redlining is defined by the federal banking agencies and the National Credit Union Administration, and if that definition is good enough for them, it’s good enough for me!

As a compliance officer, you must be aware of the actions that can be considered redlining – and that goes too for the senior lending management and the Board of Directors.

If you want to prepare for a redlining examination, I suggest the following six steps that examiners use. They have been developed over the years by the Interagency Fair Lending Examination Procedures and used in conducting a comparative analysis for redlining.

Step 1: Identify and delineate any areas within the institution’s Community Reinvestment Act (CRA) assessment area and reasonably expected market area for residential products that are of a racial or national origin minority character. (By the way, credit unions will not have a CRA assessment, but for community credit unions that have a specific geographic area designated as their field of membership, NCUA examiners will likely start with that.)

Step 2: Determine whether any minority area identified in Step 1 is excluded, underserved, selectively excluded from marketing efforts, or otherwise treated less favorably in any way by the institution. Examiners begin with the risk factors identified during the scoping process. This step will verify and measure the extent to which Home Mortgage Disclosure Act (HMDA) data show the minority areas identified in Step 1 to be underserved and/or how the institution’s explicit policies treat them less favorably.

Step 3: Identify and delineate any areas within the institution’s CRA assessment area and reasonably expected market area for residential products that are nonminority in character and that the institution appears to treat more favorably.

Step 4: Identify the location of any minority areas located just outside of the institution’s CRA assessment area, market area, or lending areas as stated in its policies for residential products, such that the institution may be purposely avoiding such areas. If there are minority areas that the institution excluded from the assessment area improperly, consider whether they ought to be included in the redlining analysis. Analyze the institution’s reasonably expected market area in the same manner.

Step 5: Obtain the institution’s explanation for the apparent difference in treatment between the areas and evaluate whether it is credible and reasonable. According to the examination procedures, this step completes the comparative analysis by soliciting from the institution any additional information not yet considered by the examiners that might show that there is a non-discriminatory explanation for the apparent disparate treatment based on race or ethnicity.