
Wednesday, December 29, 2021

Fair Lending: Pricing Discrimination

QUESTION

We have a fair lending examination that is going to start in mid-January. Our state banking department is doing it. However, our General Counsel has told us that the CFPB is also interested in our case. Everyone is getting anxious. We’ve been working over the holidays to prepare for the examination. 

What area of fair lending should we expect the banking department to audit?

ANSWER

First and foremost, as the year 2021 draws to a close, I want to express my thanks to our readership for their interest in our weekly Mortgage FAQs newsletter. The questions you have asked throughout the year show a deep and devoted concern for strong, steadfast compliance initiatives. May the coming year bring you good health, joy, and prosperity!

Many companies get anxious about a forthcoming banking examination. The fair lending examination is no exception, and, like most such audits, preparation is essential. When it comes to banking or CFPB examinations, it is best to be as prepared as possible.

You may be unprepared for a fair lending examination if you are not periodically getting a fair lending review, such as we offer, thereby ensuring that potential fair lending violations are noted. Please contact us for fair lending assistance.

For fair lending examinations, generally, state banking departments are aligned with the CFPB’s assessment criteria in its fair lending supervision program, to wit, among other things, compliance with the Equal Credit Opportunity Act (ECOA)[i] and its implementing regulation, Regulation B,[ii] as well as the Home Mortgage Disclosure Act (HMDA)[iii] and its implementing regulation, Regulation C.[iv]

In preparing for the fair lending examination, I suggest you carefully review the potential for pricing discrimination. Let’s look at this examination subject.

The ECOA prohibits a creditor from discriminating against any applicant with respect to any aspect of a credit transaction on the basis of race or sex, among other prohibited bases.[v]

It is a “known known” that regulators have observed that mortgage lenders have violated ECOA and Regulation B by discriminating against African American and female borrowers in granting pricing exceptions based upon competitive offers from other institutions. Pricing disparities may be found in the failure of a lender’s loan officers to follow the lender’s policies and procedures concerning pricing exceptions for competitive offers, the lender’s lack of oversight and control over their loan officers’ use of such exceptions, and management’s failure to take appropriate corrective action surrounding self-identified risks.

There have been examination findings where lenders maintained policies and procedures permitting their mortgage loan officers to provide pricing exceptions for consumers – including pricing exceptions for competitive offers – but did not specifically address the circumstances where a loan officer could provide pricing exceptions in response to competitive offers. Instead, the lenders relied on managers to promulgate a verbal policy that a consumer must initiate or request a competitor price match exception.

In particular, examiners have identified certain lenders that show statistically significant disparities for the incidence of pricing exceptions for African American and female applications compared to similarly situated non-Hispanic white and male borrowers. It is worth noting that examiners have not identified evidence explaining the disparities observed in the statistical analysis. Rather, examiners identified instances where lenders provided pricing exceptions for a competitive offer to non-Hispanic white and male borrowers with no evidence of customer initiation.

Furthermore, examiners have noted that lenders fail to retain documentation to support pricing exceptions. Our firm has drafted policies, procedures, and forms for maintaining appropriate documentation for all pricing exceptions. You should do so! If you need compliance support, contact us HERE.

During the examination, examiners may determine that a lender’s fair lending monitoring reports and even the business line personnel raise fair lending concerns relating to the lack of documentation to support pricing exception decisions. We know this because, despite such concerns, lenders have been cited for not improving the processes or documenting customer requests to match competitor pricing during the review period. When that happens, the banking department and the CFPB expect the lender to undertake remedial and corrective actions regarding these violations.

Jonathan Foxx, Ph.D., MBA
Chairman and Managing Director
Lenders Compliance Group

_________________________

[i] 15 U.S.C. §§ 1691-1691f
[ii] 12 C.F.R. pt. 1002
[iii] 12 U.S.C. §§ 2801-2810
[iv] 12 C.F.R. pt. 1003
[v] 15 U.S.C. § 1691(a)(1). The ECOA also prohibits a creditor from discriminating against any applicant, with respect to any aspect of a credit transaction, on the basis of color, religion, national origin, marital status, or age (provided the applicant has the capacity to contract), because all or part of the applicant’s income derives from any public assistance program, or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act, 15 U.S.C. § 1691(a).

Wednesday, December 22, 2021

Mother of All Computer Bugs

QUESTION
I hate to be the bearer of bad tidings right before Christmas, but I would like you to put my question on top of the others since this concerns a worst-case scenario of cybersecurity and ransomware. I am with a large regional mortgage lender, and I am the company’s CISO. 

On December 20th, The Washington Post reported that a new bug was discovered called “log4j.” It was found on December 9th. This is like the mother of all computer bugs!

The article says that cloud storage companies such as Google, Amazon, and Microsoft – companies that provide the digital backbone for millions of other apps – are affected. Giant software sellers are affected, too, such as IBM, Oracle, and Salesforce. And, devices that connect to the Internet (i.e., TVs and security cameras) have been hit. Hackers can get into digital spaces and steal information or plant malicious software. This bug is virtually everywhere and affects billions of computers. 

We anticipate that ransomware attackers will now have a new way to break into computer networks and freeze out their owners. I really think you should put back up the links to your Ransomware policies and checklists. 

Banks or mortgage companies, big and small, accepting cryptocurrencies are also affected because they will be targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and exposing their sensitive information. 

My question is, Would you provide your readership with information from the government agency that monitors and advises the public about this threat?

ANSWER
Thank you for your timely question. Given the urgency, I have prioritized it for a response. I am grateful that you have contacted us to assist in making our readership aware of this immense computer threat.

The vulnerability, commonly referred to as the “log4j” bug after the widely used Java logging library in which it was found, lets attackers reach deep into systems, bypassing the typical defenses software companies rely on to block attacks.

The article you cite is "The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know." It was published in The Washington Post on December 20th.  

The article quotes Jen Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), saying, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” You can watch Director Easterly’s interview HERE.

According to the article, “The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.” 

Because you are the Chief Information Security Officer (CISO), the remit of your undertaking is to implement the information security program, which includes the requirements to protect system assets from internal and external threats. 

The CISO has a direct responsibility to maintain the company’s security posture, which is a different task than required of the Chief Information Officer (CIO), a position that involves oversight and managing the overall systems. The CISO and CIO work together. The former is engaged in the hands-on, precise application of cybersecurity initiatives. The latter maintains the overall system comprehensiveness and usually reports to top management and the board of directors. 

As of today’s date, exploitation of this vulnerability is being reported across enterprise systems and cloud services. You mentioned the threat of ransomware attacks. Indeed, I have written extensively about them as well as cybersecurity. You can read some of my posts, such as:

I have published articles and White Papers on cybersecurity guidelines, one of which concerns the cybersecurity regulation promulgated by the New York Department of Financial Services (DFS). The regulation took effect on March 1, 2017, and has been updated since. The DFS regulation has served as a model for cybersecurity guidelines in many state banking departments. For an overview, I suggest you download my article Cybersecurity Guidelines - "First-In-The-Nation" Regulation. Consider implementing similar requirements.

We provide a free Ransomware checklist. We also offer exceptional and reasonably priced policies and procedures for Ransomware as well as Cybersecurity. For more information, visit our website.

Short of letting the engineers figure out how to stop the bug, people can take several precautions, such as avoiding phishing emails that trick you into clicking a link or opening an attachment. Expect a wave of such messages as hackers try to plant malicious code before systems receive a corrective patch. Also, be sure that the computer’s operating system and apps are updated. Note, though, that user precautions do not address the core problem: the vulnerability is in a software library embedded inside applications, so the essential remediation is to identify every system and application that includes the affected log4j library and update it, which is what the CISA directive cited below directs federal civilian agencies to do.

The government agency monitoring the log4j vulnerability is the Cybersecurity and Infrastructure Security Agency (CISA). CISA has published Emergency Directive 22-02: Mitigate Apache Log4j Vulnerability.

The agency maintains a continuously updated and highly technical log4j webpage. The webpage also provides an Additional Resources section with helpful guidance, such as CISA’s Cyber Essentials.

I suggest that senior management review Questions Every CEO Should Ask About Cyber Risks.

Also, I recommend FFIEC's Information Security Booklet, in the Information Technology Examination Handbook. Amongst the many tools provided by FFIEC, the Cybersecurity Assessment Tool helps to identify cyber-risks and determine cybersecurity preparedness.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director
Lenders Compliance Group
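The “find every building with the defective lock” problem quoted above is, in practice, an inventory problem: a CISO has to locate every copy of the affected log4j library, including copies buried inside other applications’ archives, before patching can be tracked. The following script is an added example written for this page; it is not CISA’s tooling and not code from the original post. It walks a directory tree, opens each Java archive, recurses into nested archives (fat JARs, WARs and EARs routinely bundle log4j-core inside), reads the version that Maven records in the library’s own pom.properties, flags copies older than a threshold, and notes whether the JNDI lookup class is present (Apache’s interim mitigation for older releases was to delete that class from the JAR). Assumptions: the threshold FIXED_VERSION of 2.17.1 is a placeholder to be set from current Apache and CISA guidance, and the sample archives built by demo() are constructed fixtures that only mimic log4j-core’s layout.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Maven metadata path every log4j-core JAR carries (standard Maven layout).
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class holding the JNDI lookup; Apache's interim mitigation for older
# releases was to delete it from the JAR, so its absence is worth reporting.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption for this example only: anything older than this gets flagged.
# Take the real threshold from current Apache/CISA guidance, not from here.
FIXED_VERSION = "2.17.1"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' or '2.0-beta9' -> comparable tuple; pre-releases sort below releases."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)

def needs_upgrade(version, fixed=FIXED_VERSION):
    return parse_version(version) < parse_version(fixed)

def _log4j_core_version(zf):
    """Version from pom.properties, or None if this archive is not log4j-core itself."""
    try:
        props = zf.read(POM_PATH).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None

def inspect_archive(zf, location, findings, depth=0, max_depth=5):
    """Record log4j-core in this archive, then recurse into nested archives
    (fat JARs, WARs and EARs routinely bundle log4j-core inside)."""
    version = _log4j_core_version(zf)
    if version is not None:
        findings.append({
            "location": location,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in zf.namelist(),
            "needs_upgrade": needs_upgrade(version),
        })
    if depth >= max_depth:
        return
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            inspect_archive(inner, f"{location}!{name}", findings, depth + 1, max_depth)

def scan_tree(root):
    """Walk a directory tree; return one finding per log4j-core copy found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                inspect_archive(zf, str(path), findings)
        except zipfile.BadZipFile:
            continue  # extension says archive, content says otherwise
    return findings

def _fake_log4j_core(version, with_jndi=True):
    """Constructed fixture: minimal archive mimicking log4j-core's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()

def demo():
    """Build a constructed sample tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        with zipfile.ZipFile(root / "app.jar", "w") as zf:  # fat JAR with an old copy inside
            zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
        (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))
        (root / "lib" / "log4j-core-2.10.0.jar").write_bytes(_fake_log4j_core("2.10.0", with_jndi=False))
        (root / "lib" / "other.jar").write_bytes(b"not really an archive")
        findings = scan_tree(root)
    for f in findings:
        print(f"{f['location']}: {f['version']} needs_upgrade={f['needs_upgrade']}")
    return findings
```

Run scan_tree() against application directories, container image layers and vendor appliance filesystems, not just the servers your own developers build; the nested-archive recursion is what surfaces the copies an ordinary file listing misses. A version check is a starting point, not a verdict: a JAR that is old but has had JndiLookup.class removed shows up as needs_upgrade with jndi_lookup_present False, and which versions are actually affected must come from the Apache and CISA advisories current at the time of the scan.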

Thursday, December 16, 2021

Working from an Unlicensed Remote Office

QUESTION
Due to the pandemic, most of our loan officers moved to remote. Basically, they work from home. 

Some of them have come back to the office, but most prefer to work from their home office. Our management has no problem with this arrangement. Whatever works and is safe – that’s management’s view. But their homes are not licensed locations. 

However, our banking department is starting to take the view that there are certain features of licensing that may require their home offices to be licensed. We are concerned. 

What would you say are the types of home office situations for our remote loan officers that require licensing requirements?

ANSWER
Indeed, some banking departments have begun to monitor remote locations for possible licensing violations. Generally, this comes under the rubric of telecommuting as it relates to licensing requirements. 

Telecommuting is a catchall phrase for financial services activities taken by employees on behalf of their employers through the Internet, email, telephone, or direct mail. In such cases, an employee makes contact with potential applicants or consumers in person, by phone or email, or through direct mail while, at all times, representing their business location as a licensed office of the individual’s employer. 

That configuration can come up against a banking department’s rule that a mortgage broker or mortgage lender may only engage in covered activities at any location for which it holds a license. That said, I have noticed that many banking departments are fully aware of the challenges caused by the pandemic. There seems to be an understanding that technological changes, such as remote computing, are continuing trends that grow unabatedly. So, the departments are grappling with how to balance their licensing rule while ensuring that opportunities to work in non-commercial locations are acceptable under certain conditions. 

There’s not much debate about applying business location licensing requirements in instances where an individual employee or the individual’s employing company does not indicate that the employee is engaging in particular financial services activities on behalf of the licensee at any unlicensed location. 

I would suggest that at least three remote practices implicate licensing requirements, as follows:

1. Advertising, or including within any business documents or forms (except in documents used in communications directly between the individual employee and their employer), an address that is not a licensed business location;

2. Advertising, making available to the general public, or including within any business documents or forms (except in documents used in communications directly between the individual employee and their employer), a telephone number in a manner that indicates an employee conducts activities at a place other than a licensed business location (i.e., using a published residential telephone number in promotions); and,

3. Representing, in any manner, directly or indirectly, a location at which financial services activity on behalf of the licensee may occur if such representation indicates the activity would occur at an unlicensed location or would mislead a consumer to believe an unlicensed location is an authorized location from which the employee or their employer conducts licensable financial services activity.

I would also suggest that, at a minimum, three cautionary practices be implemented for unlicensed, remote locations, as follows:

1. Data security requirements should provide that the employee accesses the company’s secure origination system from any out-of-office device only through a VPN or a comparable access control that authenticates the user (a password at minimum; multi-factor authentication is the stronger control). The company is responsible for maintaining any updates or other requirements to keep information and devices secure;

2. Neither the employee nor the company is to do any act that would indicate or tend to indicate that the employee is conducting business from an unlicensed location. Such acts include but are not limited to:

a. Advertising in any form, including business cards and social media, the unlicensed residence address or landline telephone or facsimile number associated with the unlicensed residence;

b. Meeting consumers at, or having consumers come to, an employee’s unlicensed residence;

c. Holding out in any manner, directly or indirectly, by the employee or company licensee, the residence address in a way that would suggest or convey to a consumer that the residence is a licensed location for conducting licensable activities; and,

3. Employees and companies must exercise due diligence in safeguarding company and customer data, information and records, whether in paper or electronic format, and protecting them against unauthorized or accidental access, use, modification, duplication, destruction, or disclosure.

Finally, I suggest a separate policy and procedures for telecommuting. You should train on the document, provide it to the affected employee, and require an attestation of receipt thereof from the employee involved in telecommuting activities.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, December 9, 2021

Revising Closing Disclosures

QUESTION
Our banking department wrote us up for not complying with the timeline requirements for the revised Closing Disclosure. 

Our view was that providing a corrected Closing Disclosure extends the period a consumer may rescind a loan or take action for a TILA violation. That view came from our attorney. He now agrees with the banking department. 

We want a straight answer to our question to find out who is right. 

Does providing a corrected Closing Disclosure extend the period when a consumer may rescind a loan or take an action for a TILA violation?

ANSWER
Regulation Z, the implementing regulation of the Truth in Lending Act (TILA), generally[i] requires a Loan Estimate (LE) and then a Closing Disclosure (CD) for residential mortgage loans. The creditor is responsible for ensuring that the consumer receives the CD no later than three business days before consummation and that the CD meets TILA’s content, delivery, and timing requirements. 

If the CD becomes inaccurate before consummation, the creditor must provide corrected disclosures reflecting any changed terms, so the consumer receives a corrected CD at or before consummation. 

If the creditor makes any of three significant changes between the time the CD is given and consummation, the creditor must provide a new CD and an additional 3-business-day waiting period before consummation. 

The three changes are: 

(1) the disclosed APR becomes inaccurate, specifically, it is more than 1/8 of one percent (1/4 % for a loan with irregular payments or periods) above or below the actual APR;

(2) the loan product is changed, causing the loan product disclosed on the first page of the CD to become inaccurate; or 

(3) a prepayment penalty is added, causing the prepayment penalty statement in the Loan Terms table on the first page of the CD to become inaccurate. Less significant changes can be disclosed on a revised CD received by the consumer at or before consummation without delaying the closing. 

Clerical errors discovered after consummation are subject to redisclosure. No later than 60 calendar days after consummation, a creditor must provide a revised CD to correct non-numerical clerical errors and document refunds for tolerance violations. 

What is a clerical error? An error is “clerical” if it does not affect a numerical disclosure and does not affect the timing, delivery, or other requirements for the CD. 

During the 30-day period after consummation, if an event causes the CD to become inaccurate and the inaccuracy results in a change to an amount actually paid by the consumer from that disclosed, the creditor must deliver or place in the mail a corrected CD no later than 30 days after receiving information sufficient to establish that the event has occurred. 

A creditor is not required to provide a corrected CD (or a refund) for any per diem interest disclosure considered accurate under Regulation Z § 1026.17(c)(2)(i), that is, if the CD were based on the best information reasonably available at the time it was provided, even if the amount actually paid by the consumer differed from the amount disclosed.[ii] 

Having set forth some of the basics, I will answer your question about whether giving a corrected CD extends the period during which a consumer may rescind a loan or bring an action for a TILA violation.

A recent decision of the federal district court in Hawaii offers a resolution to your question.

In Mathias v. HomeStreet Bank, Inc.,[iii] Mathias took out a $276,250 mortgage loan in 2009 with HomeStreet Kapolei to purchase a lot. On March 1, 2018, Mathias signed a 30-year note and mortgage with HomeStreet Bank to refinance the earlier loan. 

On April 18, 2018, HomeStreet Bank provided a revised CD that updated certain loan terms, including changing the closing date from March 1 to March 2. 

On March 22, 2021, Mathias sued to rescind the 2018 loan. He contended that the 3-year period for rescinding his loan because of TILA violations started running on April 18, 2018, the day he was given a revised CD. 

Not so, said the court, because his claim was time-barred since his right to rescind had expired before he filed his lawsuit. The parties did not dispute that Mathias had executed the loan – at the latest – on March 2, 2018. Accordingly, the right to rescind had expired several weeks before Mathias filed his lawsuit on March 22, 2021. 

The plain language of the TILA statute makes clear that the time period for exercising rescission does not restart if a creditor provides disclosures after the loan has been consummated, to wit, the statute states that “[a]n obligor’s right of rescission shall expire three years after the date of consummation of the transaction … .” 

So what is the takeaway from the Mathias case? 

Clearly, Mathias did not notify the creditor in writing of his intent to rescind until he filed the complaint to begin his court action. Had he done so before March 2, 2021, three years after consummation, his suit most likely would have been timely. The U.S. Supreme Court, in Jesinoski v. Countrywide Home Loans, Inc.,[iv] held that a borrower need not file suit within the 3-year period so long as the borrower notified the creditor of their intent to rescind within the 3-year period.

TILA states explicitly that a borrower “shall have the right to rescind … by notifying the creditor, in accordance with regulations of [the CFPB], of his intention to do so.” Regulation Z § 1026.23(a)(2) allows the consumer to exercise the right to rescind “by mail, telegram or other means of written communication” and provides that “[n]otice is considered given when mailed, when filed for telegraphic transmission or, if sent by other means, when delivered to the creditor’s designated place of business.” TILA does not also require the consumer to sue within three years. 

Granted, if an action is filed after the 3-year period, an issue may arise as to how much time is allowed for filing. Some courts have applied the 1-year limitation on actions contained in TILA § 130(e). As the CFPB suggested in amicus curiae briefs filed in numerous actions, others may apply borrowing doctrines to find an analogous limitation on actions.[v] 

Mathias included a TILA claim for statutory damages—for failing to notify him of his right to cancel. The court also found this claim time-barred by TILA’s 1-year limitation on actions for statutory damages, which ran from the date of the occurrence of the disclosure violation (i.e., the date of closing).

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
_______________________________
[i] TILA-RESPA Integrated Disclosure (TRID) rule: loans not covered by TRID are home-equity lines of credit, reverse mortgages, mortgages secured by a mobile home or dwelling not attached to land, no-interest second mortgage made for down payment assistance, energy efficiency or foreclosure avoidance, and loans made by a creditor who makes five or fewer mortgages in a year.
[ii] Regulation Z Comment 19(f)(2)(iii)-2
[iii] Mathias v. HomeStreet Bank, Inc., 2021 U.S. Dist. (D. Haw. June 21, 2021), and after amended complaint.
[iv] Jesinoski v. Countrywide Home Loans, Inc., 135 S. Ct. 790 (2015).
[v] For instance, in Hoang v. Bank of America, 910 F.3d 1096 (9th Cir. 2018), the 9th Circuit applied what it found to be the most analogous state law statute of limitations, Washington State’s 6-year statute of limitations under general contract law for a written agreement, and in Mitchell v. Deutsche Bank Nat’l Trust Co., 714 Fed. Appx. 739 (9th Cir. 2018), the 9th Circuit applied the State of California’s 4-year statute of limitations for rescission of a contract. This question was not before the Supreme Court in Jesinoski, and that Court has not yet addressed the issue.

Thursday, December 2, 2021

Evaluating Credit History and Immigration Status

QUESTION
We are a small bank with one compliance manager: me. I have been tasked with setting policy for the rules involving the review of a mortgage loan applicant’s credit history. Also, I need to add a section to our guidelines for considering the immigration status of an applicant. 

What rules do we need to comply with involving an applicant's credit history? 

And, what rules should be followed for considering the immigration status in evaluating an applicant? 

ANSWER
Thanks for your question. It is a bit sparse in details, so I will provide a generic response. If you want to discuss it in more detail, you can contact me HERE

To your first question about the rules for consideration of credit history in the evaluation of an applicant, I set forth this caveat: my response is based on evaluating the creditworthiness of similarly qualified applicants for a similar type and amount of credit. 

A creditor may restrict the types of credit history and credit references that it will consider as long as the restrictions apply to all credit applicants without regard to sex, marital status, or any other prohibited basis. When an applicant requests, the creditor must consider credit information not reported through a credit bureau when the information relates to the same types of credit references and history that the creditor would consider if reported through a credit bureau. 

Using the Equal Credit Opportunity Act as a guide,[i] there are three specific rules in determining an applicant’s creditworthiness. 

The rules are:

(1) The credit history, when available, of accounts designated as accounts that the applicant and the applicant’s spouse are permitted to use or for which both are contractually liable;

(2) If an applicant so requests, any information the applicant may present that tends to indicate that the credit history being considered by the creditor does not accurately reflect the applicant’s creditworthiness; and,

(3) If the applicant so requests, the credit history, when available, of any account reported in the name of the applicant’s spouse or former spouse that the applicant can demonstrate accurately reflects the applicant’s creditworthiness.

 

With respect to the rules concerning the consideration of immigration status in the evaluation of an applicant, a creditor may consider the applicant’s immigration status or status as a permanent resident in the United States, and any additional information that may be necessary to ascertain the creditor’s rights and remedies regarding repayment.[ii] 

For example, in considering immigration status, a creditor may differentiate between a non-citizen who is a long-time resident with permanent resident status and a non-citizen who is temporarily in the United States on a student visa.[iii] 

It is not discriminatory based on national origin to deny credit on the ground that the applicant is not a U.S. citizen;[iv] however, if this scenario occurs, I strongly urge that you confer with a compliance professional for guidance. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group
____________________________
[i] 12 CFR § 202.6(b)(6)
[ii] Idem. § 202.6(b)(7)
[iii] 12 CFR Supplement I to part 202 – Official Staff Interpretations § 202.6(b)(7)-1
[iv] 12 CFR Supplement I to part 202 – Official Staff Interpretations § 202.6(b)(7)-2

Friday, November 26, 2021

Affiliate Marketing: Information Sharing

QUESTION
We are a lender with several affiliates. We have been cross-marketing with the affiliates for a long time. However, our regulator now is examining us and our affiliates to find out if we have “information sharing” violations. A complaint to the CFPB triggered the examination. 

Their main concern seems to center on potential violations of the Fair Credit Reporting Act.

So, our question is, are there restrictions on using our affiliates’ information for marketing purposes? 

ANSWER
A word of caution at the outset: work with a compliance professional for guidance on information sharing between affiliates. Information sharing is a very challenging area of compliance and involves several regulations. Your question specifies the Fair Credit Reporting Act (FCRA), so I will respond exclusively in the context of the FCRA.

It is important to know what information is subject to affiliate marketing. The provisions apply to the use of “eligibility information” of consumers, where you receive such information from your affiliate for purposes of marketing products or services to those consumers. 

“Eligibility information” means any information that, if communicated by a consumer reporting agency, would be a consumer report but for the exclusions set forth under the definition of “consumer report” in the FCRA for 

(1) transaction or experience information regarding a consumer, or 

(2) non-transaction or experience information regarding a consumer that affiliates may share with one another if notice and opt-out procedures are followed and the consumer does not opt out. 

It is worth noting that eligibility information excludes aggregate or blind data that does not contain personal identifiers, such as account numbers, names, or addresses. 

The communication of transaction or experience information among companies related by common ownership or affiliated by corporate control is not considered sharing consumer report information. 

Furthermore, companies related by common ownership or affiliated by corporate control may communicate among one another information regarding a consumer that 

(1) is not transaction or experience information, and

(2) would otherwise be considered consumer report information, if a notice and opt-out procedure are followed and the consumer does not opt out. 

However, even though such information may be shared among affiliates, the information is subject to FCRA affiliate marketing provisions, including affiliate marketing rules adopted by the federal financial institution regulators and the Federal Trade Commission (FTC). 

The rules impose restrictions on the use of consumer report information regarding a consumer whom a company receives from an affiliate for the purpose of the company marketing its products or services to the consumer. Therefore, the affiliate marketing provisions impose restrictions on the use, not the sharing of information. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, November 18, 2021

Pre-Funding & Post-Closing Quality Control – Discretionary Audits

QUESTION
We conduct pre-funding, post-closing, and discretionary quality control reviews. 

In an evaluation done in 2016, it was found that the quality control department had many auditing issues. The people who did the assessment are no longer with the company. Supposedly, the problems were corrected. 

However, now Fannie has come in and criticized us for our quality control sampling methodologies. We were cited for defective discretionary audits, in addition to other adverse results. 

So, now we’re writing you for some guidance. 

What are the sampling methodologies for pre-funding and post-closing quality control in terms of discretionary audits? 

ANSWER
Your question focuses on sampling strategies, so my response will concentrate on them. If you haven’t done an annual review of the rationale for selecting pre-funding and post-closing loans, it comes as no surprise that Fannie became concerned. Perhaps there was no attempt to evaluate trigger points, production volume changes, market conditions, and responsive procedures. Maybe your quality control department or your quality control vendor is insufficiently resourced to mitigate risk. 

Notwithstanding an annual review, you should be checking your quality control and loss mitigation risk factors at least quarterly. Reporting the QC findings to management should be ongoing. 

One of the mini-audits in our Compliance Tune-up series is the QC Tune-up. It is popular because it determines if you adequately meet GSE and investor guidelines, a mandate that virtually all mortgage loan originating entities must implement, excluding certain self-generated portfolio loan products. 

Click the link for information about the QC Tune-up

Let’s be clear about Fannie’s expectations with regard to selection sampling. There are two methodologies: (1) Random Sampling and (2) Discretionary Sampling. The random sample provides a high-level view of loan quality. The discretionary sample is a subset of loans within the total population that focuses on specific characteristics, such as high-risk loans, adverse findings, and so forth. 

Pre-Funding Selection

For pre-funding, you might be interested to know that Fannie does not have a minimum required sample size for pre-funding QC, nor does it require random selections for loans sampled in the pre-funding QC review. However, Fannie does require that the pre-funding sample size be relevant to the loan production volume. 

The pre-funding selection sampling is discretionary, and there are two types of discretionary methodologies: Full and Component. Whether Full or Component, you will want to incorporate them into your Clear to Close procedures. 

The full file selection is usually conducted on only a part of the loan population. In practice, there are multiple risk factors in a population of loans, so the full file selection leads to increasing certainty on the loan quality. Before our firm conducts a pre-funding audit, many clients first have selected specific characteristics, such as unique underwriting guidelines and documentation requirements or newly hired loan officers, processors, underwriters, or new third-party originators. Some clients focus on loans with multiple layers of credit risk, such as high loan-to-value ratios, low credit scores, and high debt-to-income ratios (DTI). 

The component file selection focuses on a particular element(s) of the loan file itself that has the potential for elevated risk or loan characteristics identified with defects in a post-closing QC review. For instance, we have clients who target loans with a higher risk profile, focusing on likely areas that impact eligibility (i.e., higher DTIs, where, say, an undisclosed liability could affect eligibility). 

Sometimes, a client will select on the component file basis to validate succinct procedures, such as loans that evinced process failures identified in the post-closing random sample (i.e., Form 4506-C execution rates). Another validation may be on internal exception policies and procedures to confirm all requirements are consistently followed. We’ve had clients select to validate the accuracy of loan quality tools used by their organization (i.e., fraud monitoring tools or undisclosed debt monitoring). 

Many clients select loans on the component file basis that contain top trending defects identified in their post-closing random sample (i.e., gift funds or excessive interested party contributions). The goal is to test internal controls around each defect and the effectiveness of the corrective action plans and remediation efforts. 

Post-Closing Selection

Ideally, pre-funding and post-closing are intrinsically interfaced. But post-closing QC takes us to the entirety of the loan transaction, including closing and legal documents that are not available during the pre-funding reviews. Most lenders choose random 10% sampling, though some move on to the statistical sampling method for the post-closing QC selection process. Loan quality results are reflective of the sampling method chosen. 

Lenders generally use the random 10% sampling method with an annual production of 3,500 or fewer loans. The statistical sampling method is generally advantageous for lenders with an annual production of more than 3,500 loans. 

Keeping it simple, lenders prefer the 10% sample selection because there is no need to manage a statistical calculation process. Also, it does not require a periodic evaluation to ensure the sample size is valid. However, the statistical sample selection produces statistically valid results that can be used to extrapolate loan quality conclusions. In that regard, for lenders with a consistent defect rate, it produces a predictable monthly sample that does not vary due to large swings in production volume. 

Whether 10% random or statistical, a full file review must be completed on all loans selected for the post-closing QC process, with reverifications on all the data relied upon to qualify the borrower. In addition, all selections require a comprehensive collateral risk assessment of the appraisal used to support the value of the subject property. 

Discretionary Audits

Because Fannie cited you for “defective discretionary audits,” I will provide a few extra guidelines for discretionary reviews. Keep in mind that discretionary selections allow you to optimize the reviews and target certain loan features (i.e., high-risk loan characteristics) identified in the pre-funding and post-closing random selections. This is why I mentioned the importance of regularly reviewing the selection criteria to ensure you effectively manage risk and your QC resources. Always keep the risk factors current! 

To recapitulate, discretionary reviews may be full file reviews or targeted component reviews; either should allow you to increase the overall number of reviews or improve your ability to evaluate the risks. 

Full file reviews require reverification of all components, whereas targeted reviews allow for reverification of only those elements being audited. In addition, targeted or component reviews are an effective way to narrow in on a particular risk element, product, or process within the loan origination process without completing a full file review. 

Breaking this down further, there are two types of sampling methods used, one type for full file reviews and the other for component file reviews. 

You would want to use the full file sampling method when selecting loans to review new hires, new products, or newly implemented processes. In this context, use discretionary reviews to ensure at least one loan from each third-party originator is pulled for a review annually. 

Selections should be based on those risk attributes that are identified as top trending defects from pre-funding and investor review results. The goal is to analyze the root causes when developing action plans to prevent future defects from occurring or test the effectiveness of an implemented corrective action. 

The component file review provides an opportunity to sample loans with known risks. For instance, the component or targeted review allows, among other things, for the ability to ensure the borrower was employed at the time of closing, the income used to qualify was accurately calculated, the assets were adequately documented, and property eligibility and validation of data were supportive of the appraised value. If there are defects in the foregoing criteria, the component file review can identify a rationale for needing a full file selection. 
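To make the two selection methodologies concrete, here is an added worked example (my illustration, not Fannie Mae's or the QC Tune-up's own selection logic). It draws a random 10% post-closing sample, then layers a discretionary selection on top of it: full file reviews for loans with two or more of the layered credit-risk attributes named above (high LTV, low credit score, high DTI), for loans from new hires, and for one loan from each third-party originator not yet reviewed this year; component reviews for loans whose only flag is a high DTI. The thresholds, the loan records, and the field names are all assumed for the example.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Loan:
    loan_id: str
    ltv: float          # loan-to-value ratio, percent
    fico: int           # representative credit score
    dti: float          # debt-to-income ratio, percent
    originator: str     # "RETAIL" or a third-party originator (TPO) identifier
    new_hire: bool      # originated by a loan officer/underwriter hired in the lookback period


# Assumed risk-layering thresholds for illustration only; they are not Fannie Mae's figures.
HIGH_LTV = 90.0
LOW_FICO = 660
HIGH_DTI = 45.0


def random_sample(loans, seed=None):
    """Random 10% post-closing selection (ceiling, so a small month still yields one loan)."""
    if not loans:
        return []
    n = math.ceil(len(loans) / 10)
    return random.Random(seed).sample(loans, n)


def risk_layers(loan):
    """Number of layered credit-risk attributes present on the loan (0 to 3)."""
    return sum([loan.ltv >= HIGH_LTV, loan.fico < LOW_FICO, loan.dti >= HIGH_DTI])


def discretionary_selection(loans, exclude, tpos_reviewed_this_year):
    """Targeted selection on top of the random sample.

    full_file  - loans with two or more layered risk factors, loans from new hires,
                 and one loan from each TPO not yet reviewed this year
    component  - remaining loans whose only flag is a high DTI; reviewed on the
                 liabilities/DTI component rather than the whole file
    Loans in `exclude` (e.g. the random sample) are not selected twice, but a TPO
    they cover counts as reviewed.
    """
    excluded_ids = {loan.loan_id for loan in exclude}
    tpo_covered = set(tpos_reviewed_this_year) | {loan.originator for loan in exclude}
    full_file, component = [], []
    for loan in sorted(loans, key=lambda l: l.loan_id):
        if loan.loan_id in excluded_ids:
            continue
        needs_tpo = loan.originator != "RETAIL" and loan.originator not in tpo_covered
        if risk_layers(loan) >= 2 or loan.new_hire or needs_tpo:
            full_file.append(loan)
            tpo_covered.add(loan.originator)
        elif loan.dti >= HIGH_DTI:
            component.append(loan)
    return {"full_file": full_file, "component": component}


def build_sample_population():
    """Constructed loan population for the example (not real loan data)."""
    return [
        Loan("L001", 80.0, 720, 30.0, "RETAIL", False),   # no risk flags
        Loan("L002", 95.0, 640, 50.0, "RETAIL", False),   # three layered risk factors
        Loan("L003", 85.0, 700, 48.0, "RETAIL", False),   # high DTI only -> component review
        Loan("L004", 75.0, 750, 20.0, "TPO-A", False),    # first loan from an unreviewed TPO
        Loan("L005", 75.0, 750, 20.0, "TPO-A", False),    # TPO-A already covered by L004
        Loan("L006", 70.0, 780, 25.0, "TPO-B", False),    # TPO-B reviewed earlier this year
        Loan("L007", 80.0, 700, 35.0, "RETAIL", True),    # new-hire loan officer
        Loan("L008", 92.0, 700, 30.0, "RETAIL", False),   # single risk factor, DTI normal
    ]


if __name__ == "__main__":
    population = build_sample_population()
    random_pick = random_sample(population, seed=7)
    targeted = discretionary_selection(population, random_pick, ["TPO-B"])
    print("random 10%:", [l.loan_id for l in random_pick])
    print("full file:", [l.loan_id for l in targeted["full_file"]])
    print("component:", [l.loan_id for l in targeted["component"]])
```

The selection criteria are deliberately kept in plain functions so they can be reviewed and adjusted at the quarterly risk-factor review the answer recommends; the random draw is seeded only so the run is reproducible for an auditor.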

Click the links for information about quality control audits and the QC Tune-up

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, November 11, 2021

Ransomware Payments

QUESTION
We are a large mortgage lender in the northeast. I am the Chief Compliance Officer. We have multiple platforms, licensed in all states, and maintain an extensive servicing unit. 

Jonathan, thank you for the weekly posts. And we are grateful that you provided the ransomware checklist. Most companies would make us pay for this kind of checklist, but you offered it for free. That is real commitment! And it has helped us to configure our ransomware security. 

Recently, we learned that another large lender was hit with a ransomware attack. The attacker wants to be paid in cryptocurrency. Admittedly, we are unprepared to respond to such a demand if it happens to us. Frankly, I don’t know how cryptocurrency even works in ransomware attacks. So, we are coming to you to get an understanding. 

What role does cryptocurrency play in ransomware attacks? 

ANSWER
First and foremost, thank you for subscribing. Our posts are a labor of love as an expression of our commitment to the mortgage community. HERE’s a list of some recent FAQs. 

I also appreciate that you are using our ransomware checklist. It covers preparation, response, and recovery. If anyone wants it, please click HERE. It’s free. 

I suppose we could be paid for some of the tools we provide, but our mission is to serve and share. It is certainly possible to grow a compliance firm without having to charge for every single thing we do. We are the living proof of that philosophy! 

Lenders Compliance Group has been thriving and growing since 2006. It is strong and continuing to scale because we are focused on our clients’ compliance experience. Our goal is to help a company to build and maintain a Culture of Compliance®, a term we have pioneered for many years. 

Our team consists of some of the top professionals in mortgage compliance. Believe me, it makes a difference! 

Ransomware is an escalating concern with federal and state regulators. If you are not ready for a ransomware examination, be advised, it’s on the way. Financial institutions play a critical role in the collection of ransom payments. In effect, an institution becomes a facilitator of ransomware payments, whether handling its own response to a ransomware attack or acting as a financial intermediary. 

The severity and sophistication of ransomware attacks continue to rise[i] across various sectors, particularly governmental entities and financial, educational, and healthcare institutions.[ii] Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to the victims’ weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.[iii] 

So, let’s take a closer look at ransomware payments, especially as these relate to cryptocurrency. 

Most ransomware schemes involve convertible virtual currency (CVC), which is the preferred payment method of ransomware perpetrators. You might as well get used to this terminology. CVC is inherent in ransomware payments. The payment process is a bit complicated, so stay with me as I discuss it. 

Let me outline a typical ransomware payment flow using CVC. After the delivery of the ransom demand occurs, a ransomware victim will usually transmit funds via wire transfer, automated clearinghouse, or credit card payment to a CVC exchange to purchase the type and amount of CVC specified by the ransomware perpetrator. Next, the victim or an entity working on the victim’s behalf sends the CVC, often from a “wallet” hosted at the exchange,[iv] to the perpetrator’s designated account or CVC address. 

Then, the perpetrator launders the funds through various means – including “mixers,” “tumblers,”[v] and “chain hopping”[vi] – to convert funds into other CVCs. These transactions are often structured into smaller “smurfing”[vii] transactions involving multiple persons and across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P)[viii] and “nested” exchanges. Criminals prefer to launder their ransomware proceeds in jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism controls. 

That’s a brief but serviceable outline of the payment process in a nutshell. 
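From the institution's side, the “smurfing” step in that outline (many sub-threshold transfers from different senders converging on one beneficiary, see footnote [vii]) is the pattern a transaction-monitoring control can surface for investigation. The following added example is mine, not FinCEN's or the post's own code: it runs a simple sliding-window check over a constructed ledger and flags a beneficiary that receives, within a short window, several transfers below a reporting threshold from distinct senders that together add up to a large amount. The threshold, window, minimum sender count, minimum total, and every ledger entry are assumed values chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: (ISO timestamp, sender, beneficiary, amount). Not real data.
SAMPLE_LEDGER = [
    ("2021-11-01T09:00:00", "acct-A", "exch-wallet-1", 9500.0),
    ("2021-11-01T11:30:00", "acct-B", "exch-wallet-1", 9800.0),
    ("2021-11-02T08:15:00", "acct-C", "exch-wallet-1", 9700.0),
    ("2021-11-02T16:45:00", "acct-D", "exch-wallet-1", 9900.0),
    ("2021-11-03T10:00:00", "acct-E", "payroll-9", 2500.0),   # routine, far apart
    ("2021-11-10T10:00:00", "acct-F", "payroll-9", 2500.0),
    ("2021-11-05T12:00:00", "acct-G", "vendor-3", 25000.0),   # single large, above threshold
]


def _parse(ledger):
    """Parse timestamps and order the ledger chronologically."""
    rows = [(datetime.fromisoformat(ts), s, b, float(a)) for ts, s, b, a in ledger]
    return sorted(rows, key=lambda r: r[0])


def detect_structuring(ledger, threshold=10_000.0, window=timedelta(days=3),
                       min_senders=3, min_total=25_000.0):
    """Flag beneficiaries that receive, inside `window`, at least `min_senders`
    distinct senders' sub-`threshold` transfers totalling `min_total` or more.

    Returns {beneficiary: alert_details}; one alert per beneficiary, on the first
    window that matches. Parameters are assumed tuning values, not regulatory ones.
    """
    by_beneficiary = defaultdict(list)
    for ts, sender, beneficiary, amount in _parse(ledger):
        if amount < threshold:          # only sub-threshold transfers fit the pattern
            by_beneficiary[beneficiary].append((ts, sender, amount))

    alerts = {}
    for beneficiary, rows in by_beneficiary.items():
        for i in range(len(rows)):
            senders, total, j = set(), 0.0, i
            # extend the window forward from transfer i
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                senders.add(rows[j][1])
                total += rows[j][2]
                j += 1
            if len(senders) >= min_senders and total >= min_total:
                alerts[beneficiary] = {
                    "beneficiary": beneficiary,
                    "count": j - i,
                    "senders": len(senders),
                    "total": total,
                    "start": rows[i][0].isoformat(),
                    "end": rows[j - 1][0].isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_structuring(SAMPLE_LEDGER).values():
        print("review:", alert)
```

An alert here is a prompt for a compliance review, not a conclusion; the parameters should be tuned against the institution's own volumes, and a real monitoring program would also look at the outbound side (funds leaving the beneficiary shortly after arrival), which this example omits.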

But your company should ensure that it has a ransomware policy that covers the payment concerns and the many derivative repercussions. These other aspects and nuances are where your responsibilities as a compliance manager should also be focused. 

For instance, cyber insurance companies (CICs) and digital forensic and incident response (DFIR) companies play a role in ransomware transactions. CICs issue policies designed to mitigate an entity’s losses from various cyber incidents, such as data breaches, business interruption, and network damage. CICs may reimburse policyholders for particular remediation services, including the use of DFIRs if needed. Indeed, as part of incident remediation, some financial institutions have hired a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal, and investigate the source of the cybersecurity breach. 

Some DFIR companies and CICs facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Thus, depending on the particular facts and circumstances, this activity could constitute money transmission. 

Of course, FinCEN does not hesitate to take action against entities and individuals engaged in money transmission if they fail to register with FinCEN or comply with their other AML obligations. 

Financial institutions involved in ransomware payments should be aware of any Office of Foreign Assets Control (OFAC)-related obligations that may arise from that activity.[ix] On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks associated with facilitating ransomware payments on behalf of victims targeted by malicious cyber-enabled activities.[x] Additionally, in October 2021, OFAC issued sanctions compliance guidance for the virtual currency industry. That issuance provides an overview of critical items such as reporting instructions, consequences of non-compliance, and compliance best practices.[xi] 

To conclude, cybercriminals using ransomware often resort to common tactics, such as wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site, exploit remote desktop protocol endpoints and software vulnerabilities, or deploy “drive-by” malware attacks that host malicious code on legitimate websites. Proactive prevention through effective “cyber hygiene,” cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.[xii] 

If you want information about our ransomware checklist and policy or other compliance resources, please click HERE. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

______________________________   
[i] The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 20% more reports of ransomware incidents in 2020 than in 2019, with a 225% increase in ransom demands, totaling $29 million in 2020 up from $9 million in 2019. See FBI IC3, 2020 Internet Crime Report, (2020). In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase, compared to 2020’s total of $416 million. See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021).
[ii] See FinCEN Advisory, FIN-2019-A005, “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic,” (July 30, 2020).
[iii] See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021). Also see generally DHS Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, (September 2020).
[iv] “Hosted wallets” are CVC wallets where the CVC exchange receives, stores, and transmits the CVCs on behalf of their accountholders. See FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).
[v] Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. For more information, see FinCEN 2021 Ransomware Report, at 13 (October 15, 2021).
[vi] Chain hopping is a “cross-virtual-asset” layering technique for users attempting to conceal criminal behavior. Criminals obfuscate the trail of virtual currency by shifting the trail of transactions from the blockchain of one virtual currency to the blockchain of another virtual currency, often in rapid succession. See DOJ Cryptocurrency Enforcement Framework, at 41-44.
[vii] Smurfing refers to a layering technique in money laundering that involves breaking total amounts of funds into smaller amounts to move through multiple accounts before arriving at the ultimate beneficiary.
[viii] P2P exchangers are individuals or entities offering to exchange fiat currencies for virtual currencies or one virtual currency for another virtual currency. P2P exchangers usually operate informally, typically advertising and marketing their services through online classified advertisements or fora, social media, and by word of mouth. See FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019).
[ix] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021); FinCEN Ransomware Report 2021, at 13 (October 15, 2021); and White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware, (October 13, 2021).
[x] See OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” (September 21, 2021).
[xi] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021).
[xii] See FBI and DHS CISA, “Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends,” (August 31, 2021).

Thursday, November 4, 2021

Money-Laundering Defined

QUESTION
We are a mid-sized mortgage broker transitioning in January to a full lender. I handle compliance, and also I’m the AML officer. 

Up until now, we have gotten by, but we did not do a test last year, and the banking department now may hold up our lender license because we didn’t do it. I need to get the test done as soon as possible and have already contacted your firm to do the AML test. 

But my main issue now is updating the written AML Program. We got it from a company that supposedly specializes in mortgage manuals, but the banking department rejected it. There are glaring policy defects they noted. 

A big issue was that the policy did not define money laundering, believe it or not. Or, it wasn't the definition they wanted. So, I want a good definition to put into our AML Program. 

What is a brief definition of money laundering?

ANSWER
Money laundering is the financial side of virtually all crimes for profit. To enjoy the illicit reaping of their crime, whether drug dealing, extortion, fraud, arms trafficking, terrorism, or public corruption, criminals must find a way to insert the proceeds into the stream of legitimate commerce. 

I’m glad you’re retaining us to do the Anti-Money Laundering Program test, but, as you know, you should be doing the AML test every year. It is a statutory requirement! Get onto our schedule to do it each year. 

For those who have not done the AML test, contact me HERE for information about testing, training, program, and risk assessment. 

Money laundering has dual importance. 

First, it provides the fuel that allows criminals and criminal organizations to conduct their ongoing affairs. It may seem like an easy crime to pull off – for instance, wire transfers at the touch of a computer button, the clever unbundling of large amounts of cash into bite-size chunks, the intricate movement of funds through a series of offshore shell companies. But make no mistake, it is the companion of brutality, deceit, and corruption. 

Secondly, money laundering is pernicious in its own right. It taints our financial institutions, and, where allowed to thrive, it erodes public trust in their integrity. Indeed, in an age of rapidly advancing technology and globalization, money laundering can affect trade flows and ultimately disturb financial stability. Inevitably, like the crime and corruption of which it is a necessary part, money laundering is an issue of national security. 

Thus, the pursuit of money laundering is critical because following the money is often an essential tool in investigating the underlying crimes. We have a vital interest in maintaining the integrity of our financial system. 

Here are just a few threats posed by money laundering: 

· Fraud 
· Drug trafficking 
· Terrorist financing 
· WMD proliferation financing 
· Organized crime 
· Human trafficking 
· Corruption 

Numerous vulnerabilities are exploited by money laundering. Sometimes it seems that when one crook is caught, others pop right up with new money laundering schemes. Firms like ours track these schemes, but it is often very difficult and complicated for an individual financial institution to stay current on all the attacks on their vulnerabilities. Some clients ask us to conduct an AML test quarterly or semi-annually to ensure their AML program stays current. 

I would say that the following are the salient vulnerabilities that are exploited by money laundering. 

· Beneficial Ownership information: The lack of a requirement to collect beneficial ownership information at the time of company formation and after changes in ownership;[i] 
· Real Estate: The lack of comprehensive AML requirements on key gatekeeper professions (i.e., lawyers) and anonymous purchases of real estate; 
· Correspondent banking: The significant volume of foreign funds and number of transactions intermediated through U.S. correspondent banks, potentially from locations lacking ML regulation;[ii] 
· Uneven AML obligations: The lack of comprehensive AML requirements on some financial institutions (i.e., state-chartered banks that lack a Federal functional regulator); 
· Cash: The ubiquitous and anonymous use of U.S. currency domestically and internationally; 
· Complicit professionals: Complicit actors in financial institutions and other businesses; 
· Compliance weaknesses; and 
· Digital Assets: The growing misuse of digital assets, which includes the failure of foreign jurisdictions to supervise digital asset activity effectively. 

The Financial Crimes Enforcement Network (FinCEN) defines money laundering as follows: 

“Money laundering is the process of making illegally-gained proceeds (i.e., 'dirty money') appear legal (i.e., 'clean'). Typically, it involves three steps: placement, layering, and integration. 

First, the illegitimate funds are furtively introduced into the legitimate financial system. 

Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. 

Finally, it is integrated into the financial system through additional transactions until the 'dirty money' appears 'clean.' 

Money laundering can facilitate crimes such as drug trafficking and terrorism, and can adversely impact the global economy.”[iii] [Emphasis added.] 

For a brief definition, you can't go wrong in using FinCEN's definition.

FinCEN is the Financial Intelligence Unit (FIU) of the United States and works with law enforcement and the FIUs of other countries participating in AML to curtail money laundering globally. 

Each financial institution must implement the Anti-Money Laundering Program required by the Bank Secrecy Act (BSA), including AML Risk Assessments approved by the Board of Directors, and a written Customer Identification Program (CIP) appropriate for its size and type of business that meets specified minimum requirements. The adequacy of an institution’s compliance with AML requirements is assessed by its regulatory agency. 

I urge you to contact me HERE to get more information about our AML compliance support. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 31 CFR 1010.230 defines a beneficial owner as an individual who has a level of control over, or entitlement to, the funds or assets in the account that enables the individual, directly or indirectly, to control, manage or direct the account.
[ii] 31 CFR §1010.605 defines a correspondent account as an account established for a foreign financial institution to receive deposits from, or to make payments or other disbursements on behalf of, the foreign financial institution, or to handle other financial transactions related to such foreign financial institution.
[iii] https://www.fincen.gov/history-anti-money-laundering-laws