Phishing Scams

QUESTION
We had training on protecting our emails from being scammed. 

On the subject of phishing, some of us were disappointed because we learned what phishing is but not how to protect ourselves from it. 

We don’t feel there is an organized effort to doing enough to stop phishing scams. There must be Best Practices, yet we can’t even get the trainer to give us a list of them. 

What are some Best Practices for preventing the phishing of our emails?

ANSWER
Phishing has been trending up for a long time, evincing greater sophistication and ingenuity. Such scams adversely affect business relationships, transactions, customer relations, and cause compromised interactions in the loan flow process. We are heavily dependent on emails to conduct business, yet phishing continues to invade email interactions with increasing frequency 

So, how does a phishing scam work? 

Let’s illustrate using a simple order to change wiring instructions. You can extrapolate this illustration to many other business interactions. So, we’ll use it as a proxy for other areas that phishing scams can compromise. 

Although there are non-email ways of handling the change order, thousands of institutions use email, and email is ripe for attack. To change the wiring instructions, the bad actor first obtains access to the communications containing the instructions. 

The more individuals on an email thread, the greater the likelihood that one of them will be compromised unknowingly. And it only takes one person to open the gate to the scammer. In effect, the thread is only as strong as the weakest link! 

Once the bad actor has access to a target’s email, the attacker learns the details of the pending transaction and mimics the parties’ written communications. The attacker then takes over or “spoofs” certain email addresses and interposes itself in the email traffic, often starting with innocuous communications to build trust. 

Ultimately, the attacker is ready to announce a change in fund transfer details due to a bank “audit” or similar justification or no justification at all. If the attacker’s deception is undetected, the payment will transfer to the attacker’s account instead of the intended recipient. And unless the transfer is caught and reversed within 24 hours, it can be very complicated, if not impossible, to claw the funds back, resulting in a significant financial loss. 

Subsequently, there is often an investigation and a dispute regarding who bears the financial responsibility for the loss. In the meantime, the loss is all too real, fees pile up, the transaction is destabilized, and legal costs skyrocket. 

So, what are some practices to protect yourself from phishing scams? 

If you think that you can cover all possibilities to prevent phishing scams, be advised, that is not possible. The scammers tend to be one step ahead of even IT people. Indeed, whole U.S. government agencies have been hacked via phishing scams! Therefore, no single security tactic is going to thwart all attacks, given that the attackers have many targets to choose from among all of the parties involved in a transaction 

There are few steps you can take to reduce the likelihood of a successful attack. I’m not sure if we can call them Best Practices since dozens of proposed ways are constantly being found to prevent phishing attacks. That said, I think a viable list of Best Practices should contain some of the following safeguards. 

- Maintain strong payment authorization procedures by requiring a review of wire transfers, particularly those above a certain amount, to limit the chance of making a payment to a fraudulent account. I suggest multiple approval thresholds, obtaining verbal confirmations of wires, and educating affected personnel on the prevalence of these scams. The theme here is to be on “high alert” for any change in protocol. 

- Some companies insert the label “EXTERNAL” in all emails from external sources, thereby reminding employees to exercise caution. This label may help to identify a purported internal email coming from a spoofed email address. 

- Develop a checklist of “Red Flag” issues that require further due diligence, such as procedures for wiring to new recipients or previously unused destination accounts or any other change in the standard protocol. 

- Implement Multi-factor Authentication for emails, which can help prevent many, although not all, phishing attacks. Multi-factor Authentication is not foolproof, but it is strong protection. This authentication method requires the user to provide two or more verification factors to access a resource such as an application, an online account, or a VPN. Rather than just asking for a username and password, the user must provide one or more additional verification factors. 

- Periodically train and test employees to identify and report phishing attempts. Teach them to follow “email security hygiene,” such as checking email domains and not following links, opening documents, providing credentials, or sending payments without verifying the source. 

- You might want to get cyber insurance because it may include, among other things, the coverage for misdirected funds transfers, loss of business due to a cyber event. 

If you are snared in a phishing scam, it’s a good idea to consider the following actions: 

- Change account passwords for all employees on the impacted email chain and, if possible, everyone in the entire company; 

- Check relevant email accounts for any auto-forwarding rules, which attackers may create, given that they can remain running even after passwords are reset; 

- Contact counsel familiar with cyberattacks to determine appropriate steps to investigate and contain the incident, including, if needed, retaining a forensic consultant and, where possible, coordinating with other financial institutions to attempt to block the transfer of funds. 

- Contact law enforcement to assist in the recovery of the funds. While recovery can be challenging if funds have already been transferred, agencies such as the FBI do try to help; and, 

- If any accounts have been compromised, determine whether any other information was affected, such as personal information for which there could be a breach notification obligation.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group

Reputation Risk: Misinformation Challenges

QUESTION
We have had a major problem caused by a group that is spreading misinformation about our company. They have made all kinds of claims about us, all lies, saying that we discriminate in lending, do not hire minorities, charge higher loan rates to minorities, and even have a health insurance plan that reduces women’s health care. They are lying about much more. It hurts because these are all lies. 

The result of this barrage is that the news media got involved. After that, local officials got involved. They are demanding that the CFPB get involved, even though we have never had a fair lending issue and passed all our fair lending examinations with no adverse findings. 

Now, our company has seen a drastic drop in loan originations. Our marketing department is small, and they have done what they can by issuing press releases and setting up community meetings. We even outsourced our response to an outside law firm to fight back. None of these options have worked. The barrage keeps coming, and our loan officers are finding it impossible to originate loans. 

I realize that you may not have the magic recipe to stop this onslaught. But maybe you could give us some suggestions that are outside regulatory compliance. We know that you can help with insight and ideas that might stem the tide. 

So, our question is, how can we contain the spread of misinformation about our company?

ANSWER
Thank you for your question. I appreciate the confidence you have in me. Given the urgency of your question, I will provide some feedback, ideas, and suggestions. 

The fact is, dealing with the challenge of misinformation is really not outside the purview of regulatory compliance. Of the many risks that a financial institution faces, one of the most difficult to manage is reputation risk. Indeed, the OCC lists reputation risk as among the top four risks associated with corporate and risk governance. The other three are strategic risk, compliance risk, and operational risk. 

By “misinformation,” I mean the spreading by witting and unwitting agents of false, inaccurate, or misleading information that is communicated regardless of an intention to deceive. Typically, misinformation consists of falsehoods, false rumors, insults, and even pranks. 

Your question demonstrates how quickly and pervasively misinformation can destroy the reputation of a company. Years of building up a company’s reputation can be decimated in a matter of minutes due to social media and other lightning-fast purveyors of information. A feeding frenzy targets the institution, and although you may slow it down or sometimes stop it, the damage is done and can last for many years. 

Instead of getting into all the regulatory details, as it seems you have that somewhat covered, I will provide the feedback that I believe will help you in ‘real time.’ If you want guidance in evaluating your reputation risk procedures, you can contact me to arrange a review. 

I think you would be best helped by asking your crisis management team a set of several important questions. Meet regularly to determine updates and resolutions. Reduce to writing the actions taken and the results. You will likely need them if a regulatory agency gets involved. 

One of the difficulties in containing misinformation is the lack of critical thinking skills of those exposed to or perpetuating the falsehoods. So, I will mention the areas where the absence of such skills causes a “blind spot” in their thinking. There are tons of books and manuals involving critical thinking skills. Consult them. Courses and training are available, too. I will highlight a policy and procedure model for you to consider. However, be sure you educate yourself, your personnel, and your consumers on critical thinking skills. 

Procedural Model for Evaluating Misinformation

 In my model, I set forth the challenges as being threefold: 

(1) the question: how to identify the problem; 

(2) the critical thinking dynamic: what kind of thinking causes the entrenchment of the misinformation; and, 

(3) the responsive action: determining the actions required to respond to the misinformation. 

You cannot stop misinformation from being disseminated if you cannot develop an understanding of at least these three challenges. Therefore, I suggest that you immediately provide critical thinking skills training to your affected personnel, especially those who have contact with the public. They are your primary ambassadors to the community. 

What follows are some suggestions using the question, critical thinking dynamic, and responsive action model. Of course, you can design your own model. I am only grazing the surface of the procedural methods needed to organize a response to the damaging misinformation affecting your company’s reputation. 

Reputation Risk 

Challenges to Controlling Misinformation 

Three Primary Questions 

1. Question: What is the misinformation problem, and where does it originate?

 

Critical Thinking Dynamic:

The exposure to misinformation tends to increase people’s belief in its truth. The dynamic causes a condition known as the illusory truth effect. This often occurs because people generally forget the source but remember the information.

 

In fact, misinformation often continues to influence people’s thinking even after correction, a condition called the continued influence effect.

 

Responsive Action:

Identify the source(s) of the misinformation. Determine the extent of repeated exposure to information, which includes false declarative statements and assertions. 

2. Question: What can be done culturally and preemptively?

 

Critical Thinking Dynamic:

Unfortunately, people do not routinely track and evaluate the credibility of sources. However, when they do, the impact of misinformation from less credible sources can be reduced (but usually not eliminated). Unfortunately, many people lack “news literacy,” that is, the ability to identify misinformation.

 

Online source evaluations are challenging but can be taught. News literacy interventions can help people to identify misinformation. This condition can be controlled by prebunking, which is the alternative to debunking and should be the first strategic maneuver.

 

Responsive Action:

Encourage your personnel and community to evaluate information as they encounter it, thereby reducing the likelihood of mentally encoding inaccurate information.

 

Provide accurate corrections on all media, especially social media, as soon as possible, because doing so increases the quality of people's sharing decisions on the media platform.

 

Corrections should only come from an authorized spokesperson. Warn people that they might be misinformed, thereby reducing their reliance on misinformation. 

3. Question: What can be done to deal with specific pieces of misinformation?

 

Critical Thinking Dynamic:

In responding to misinformation, beware of the overkill backfire effect. This occurs where there are too many counterarguments, which, ironically, tend to strengthen misconceptions.

 

Then again, the familiarity backfire effect can also create havoc because corrections that repeat misinformation can ironically strengthen misconceptions. Keep in mind that the efficacy of corrections depends in part on the recipient’s motivation to believe the statement.

 

If the correction challenges a person’s worldview, it is usually less effective than one consistent with a person’s worldview. Thus, there is another backfire effect, the worldview backfire effect, where corrections to misinformation can ironically strengthen misconceptions.

 

And, emotional language influences the spread of misinformation and carries the corrective information in the form of further misinformation. Thus, even if successful, updates to factual beliefs may not translate into an actual attitude change.

 

Responsive Action:

Fact-checking and corrections may work, at least in part, but this does not mean fact-checking can eliminate all inaccurate beliefs.

 

Corrections are more effective if:

- In addition to providing a simple retraction (viz., “not true”), a company proposes a causal alternative, and generally if it provides substantive, relevant information; 

- They are periodically repeated; 

- They involve multiple relevant counterarguments and explanations; 

- People are made to be suspicious of the source or intent of the misinformation; and, 

- They come from trusted sources or highlight expert consensus.

Now, let’s turn our attention to a brief outline of how to handle corrections and responses to the instances where misinformation adversely affects your institution’s reputation. 

Ten Ways to Promote Corrections to Misinformation

1. The first response is going to be the most important response. So, be very sure of the entirety of the correction. Misreporting a correction has significant cascading effects that often are abused by bad actors.

 

2. Encourage your personnel to detect discrepancies in the correction to avoid inaccurate presentations and understandings. For example, to encourage your personnel to determine the accuracy of the correction, you should:

a.   Promote critical thinking and project confidence to the public;

b.   Encourage people to shift to analytical thinking; and,

c.   Advise consumers to follow sourcing Best Practices by showing them how to be their own fact checkers.

 

3. Assemble an internal group to ensure that there is a process to review and publish a correction to misinformation when it occurs. Follow the Best Practices approach to issuing corrections (viz., accurate headlines, and avoiding defensive statements).

 

4. Do not refrain from attempting to debunk or correct misinformation out of fear that doing so will backfire or increase beliefs in false information. And, don’t worry too much about a worldview backfire, despite issues around motivated reasoning and ideology-based selective sharing of fact checks, and so forth.

 

5. Do not get into defensively publishing simple negations. They are not effective. The public must receive a clear explanation of (1) why the mistaken information was thought to be correct in the first place, (2) why it is now clear it is wrong, and (3) why your correction is accurate.

 

6. Make sure your corrective claim is plausible. Do not confuse the issue with unlikely scenarios. When using factual (i.e., causal) alternatives, the alternative should not be complex, and it must have the same explanatory relevance as the original misinformation.

 

7. Ensure the misinformation is clearly and saliently paired with the correction. It should be virtually impossible for the individual to ignore, overlook, or not notice the correction. I know this seems counterintuitive, but juxtaposing the correction with the mistaken information leads to people seeing the inconsistency, which leads to them accepting the resolution. Repeat the misinformation only once and directly prior to the correction. While multiple repetitions of the misinformation prior to the correction should be avoided, one repetition is beneficial to updating the mistaken belief.

 

8. Do not polarize or stigmatize unnecessarily and be sure to use inclusive language.

 

9. Make a concerted effort to translate complicated ideas into cogent, simple, and easily understood concepts readily accessible to the target audience. This will facilitate the acceptance of the correction as well as encode the memory of it.

 

10. Finally, and importantly, use your critical thinking skills to develop a strong rebuttal technique that will debunk attempts at misinformation. But also, think ahead! Be sure to encourage prebunking to detect and, if needed, correct potential challenges to your institution’s reputation.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director

Lenders Compliance Group

Mortgage Forbearance Complaints

QUESTION
In the last few months, we have had an increase in consumer complaints. Most of them have to do with issues at our servicing department. However, we get complaints about our loan originating department, too. 

Our complaint log for the originations department is small compared to the one for our servicing department. We want your firm to conduct an internal audit of our servicing department. I spoke with your representatives, and they sent me helpful material. We’re scheduling you for September. 

We would like to know more about the types of complaints that involve mortgage servicing. Our servicing manager is particularly interested in learning about forbearance complaints. 

So, what kind of forbearance complaints are typical in servicing these days? 

ANSWER
Complaints relating to mortgage servicing have been increasing. What your question does not mention is the effect of the pandemic on triggering consumer complaints involving servicing. The pandemic was declared a national emergency due to COVID-19. The CFPB issued legislative and policy responses aimed at assisting mortgage borrowers. Given the toll that the pandemic took on people’s financial stability, it should come as no shock that high on the list of complaints is the forbearance issue.[i] 

There were 2.7 million borrowers in active forbearance as of January 2021. Many of these borrowers had been in forbearance for more than a year.[ii] As of April 2021, a good portion of those borrowers have missed three months' payments.[iii] 

I will offer a response based on my firm’s experience providing servicing compliance support as well as the Bureau’s recent Complaint Bulletin in May 2021. The CFPB found[iv] that four significant statistics reflect the huge number of complaints. These are: 

1. The volume of overall mortgage complaints increased to more than 3,400 complaints in March 2021 – the highest monthly mortgage complaint volume in nearly three years. 

2. Some consumers experience various communication issues related to forbearance plans and options available at the end of these plans. 

3. Some consumers described confusion with mandatory account notices. 

4. Some consumers reported long delays in modifying their loans to address forborne payments. 

The range of complaints includes such issues as applying for a mortgage or refinancing an existing mortgage; closing on a mortgage; problems with a credit or consumer report; struggling to pay the mortgage; and trouble during the payment process. The most common issue reported since January 2020 has been the difficulties encountered during the payment process. 

Indeed, the number of borrowers delinquent on their mortgage has doubled since the beginning of the pandemic.[v] By “delinquent” is meant borrowers who are behind on their scheduled payments. Many of these borrowers are in forbearance and are reported as current on their credit reports vis-à-vis the CARES Act. 

Furthermore, although the number of borrowers struggling to pay their mortgage increased in March and April 2020, the number decreased in the following months. It picked up again in 2021 and has just regained pre-pandemic levels. 

According to the CFPB, it received approximately 38,100 mortgages (origination and servicing) complaints from January 1, 2020 through March 31, 2021. This is around 5% of all complaints the CFPB received during this period. Mortgage complaint volume has averaged about 2,500 per month since January 2020. But in March 2021, the volume of mortgage complaints spiked 36% to more than 3,400, which appears to be the highest such volume to date. 

Take a look at this chart. 

Mortgage Complaint Volume

Indexed by Month[vi]

 

To put the chart in perspective, the decreases may be explained, in part, by relief provided by the CARES Act, which was effective in March 2020.[vii] I will not provide all the ways the CARES Act addressed forbearance concerns; however, a few relevant areas include such assistance as requiring only an attestation of hardship due to COVID-19, which permitted borrowers to obtain relief quickly; homeowners with an eligible mortgage who had experienced financial hardship due to the pandemic had the right to request and obtain forbearance on their mortgage for up to 180 days; and, homeowners had the right to request and obtain an extension for up to another 180 days (for a total of up to 360 days). 

In February 2021, the Federal Housing Finance Agency (FHFA), Federal Housing Administration (FHA), Department of Veterans Affairs (VA), and Department of Agriculture (USDA) announced they were expanding their forbearance programs beyond the minimum required by the CARES Act for a maximum of up to 18 months of forbearance for borrowers who requested additional forbearance by a date certain.[viii] 

Although the number of mortgage forbearance complaints is increasing, their share of overall mortgage complaint volume peaked at more than 20% in April 2020. Since that point, they have remained in the range of 11 to 14% of overall volume, which, according to the CFPB, suggests that several issues are contributing to the increase in mortgage complaints. 

When indexed on a monthly basis, this chart shows mortgage forbearance complaints as a percentage of overall mortgage complaints. 

Mortgage Forbearance Complaints as a Share of Mortgage Complaints Overall

Indexed by Month[ix]

Concerning your question about what kind of forbearance complaint is typical in servicing these days, I would say the most usual complaint involves servicer communications with consumers. Lack of clarity in communications leads to consumer frustration, especially when the answer is relatively easy for the servicer to provide, such as informing consumers about when their forbearance period ended, what would happen to forborne payments, and if the forbearance period could be extended. 

Based on the review of complaints and servicers’ responses, the CFPB has taken the position that consumers would benefit from more precise communication from servicers over the phone and in writing. As the Bureau has stated, in part:

Consumers appear concerned about their forbearance plan end date and available loss mitigation options, especially options that would resolve forborne payments (e.g., deferment). Complaints also suggest that at least some consumers are anticipating the end of their forbearance plans; therefore, servicers that are proactive in communicating before the end of the forbearance period may help give consumers sufficient time to understand all available relief options and to apply for help.[x] 

Additionally, servicers must provide several written and oral notices to consumers. For instance, no later than the 36th day of delinquency, the servicer is generally required to make good faith efforts to establish live contact with the consumer to inform them of certain loss mitigation option information.[xi] Or, no later than the 45th day of delinquency, in most circumstances, the servicer is also required to provide the borrower a written notice concerning their delinquency and providing specific information about loss mitigation options.[xii] 

Consumers have expressed confusion when their monthly mortgage statement indicated that their mortgage loan account was delinquent during a forbearance period. In evaluating this challenge, the CFPB believes that “it may be helpful for servicers to more clearly communicate to borrowers about whether their mortgage loan could be considered delinquent during a forbearance plan.”[xiii] 

One other area of complaints is consistently a problem: loan modifications following a forbearance period. Complaints include long delays in servicers establishing an FHA partial claim or otherwise modifying their loan to address forborne payments. Or, delays were due to additional document requests from servicers. Other consumers reported receiving conflicting information about potential relief options that were later denied because the borrowers did not meet certain criteria. 

Finally, from the Bureau’s point of view,[xiv] I will provide several issues that servicers will have to navigate as consumers extend or exit forbearance plans. 

Those issues include: 

- Difficulty reaching a servicer representative to talk through options; 

- Needing to correct inaccurate credit information furnished about a loan in forbearance; 

- Ensuring that the principal balance is accurate after a deferral plan becomes effective; 

- Providing accurate information about loan status and relief options during forbearance; 

- Accurately communicating that no written application would be required to extend a forbearance plan; 

- Not imposing an inspection fee, late payment fee, or modification fee during a CARES Act forbearance period; and, 

- Accurately applying payments while a loan is in forbearance or while the post-forbearance review is ongoing, including after a servicing transfer. 

Be sure to review all relevant policies and procedures to ensure that they reflect the Bureau’s expectations and applicable regulatory requirements. I also suggest routinely conducting testing, training, risk assessments, servicing quality control, and internal audits. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group

___________________________

[i] The Coronavirus Aid, Relief, and Economic Security (CARES) Act, for example, provides that homeowners with GSE and federally backed mortgages may request and obtain a forbearance for up to 180 days, and an extension for another 180 days (for a total of 360 days). Guidance from the GSEs and federal agencies allow up to 18 months of forbearance. Preventing foreclosures is a top priority. See Bulletin 2021-02: Supervision and Enforcement Priorities Regarding Housing Insecurity, CFPB, at https://files.consumerfinance.gov/f/documents/cfpb_bulletin-2021-02_supervision-and-enforcement-priorities-regarding-housing _WHcae8E.pdf
[ii] Protection for Borrowers Affected by the COVID-19 Emergency under the Real Estate Settlement Procedures Act (Act), Regulation X, FR, 12 CFR Part 1024, Bureau of Consumer Financial Protection, Proposed Rule, p. 14, et sequi
[iii] Idem p. 17
[iv] May 2021 Complaint Bulletin: Mortgage Forbearance issues described in Consumer Complaints, Consumer Financial Protection Bureau. I will be using certain graphics and some direct findings from this Bulletin.
[v] Housing Insecurity and the COVID-19 Pandemic, p. 6, March 2021, CFBP, available at https://www.consumerfinance.gov/documents/9512/cfpb_Housing_insecurity_and_the_COVID-19_pandemic.pdf
[vi] Op. cit. 4, Figure 1
[vii] 15 U.S.C. § 9056(c), Coronavirus Aid, Relief, and Economic Security (CARES) Act
[viii] See Press Release, The White House, Fact Sheet: Biden Administration Announces Extension of COVID-19 Forbearance and Foreclosure Protections for Homeowners, February 16,2021). Inter alia.
[ix] Op. cit. 4, Figure 4
[x] Op. cit. 4, p. 9
[xi] 12 CFR 1024.39(a)
[xii] 12 CFR 1024.39(b)
[xiii] Op. cit. 4, p. 10
[xiv] Op. cit. 4, p. 11

Sham Employment

QUESTION
We are the CEO and General Counsel of a regional mortgage banker. We decided to write you about an administrative action that has been taken against us by our state banking department.

The issue involves employer-employee compensation. The banking department claims that we are engaged in “sham employment” in violation of RESPA. We do not want to describe the alleged violation here. 

However, we would like to know some history and context related to “sham employment.” We have already contacted your firm to conduct a risk assessment of our employment practices. 

What is “sham employment?”

ANSWER
To say this area of the Real Estate Settlement Procedures Act (RESPA) is complicated would be an understatement. Thank you for contacting us to assist you. If you or anyone else would like to discuss this subject, please feel free to contact me HERE.

Right from the start, issues involving employer-employee compensation have proved to be one of the more controversial areas covered by RESPA. 

You can go back to HUD’s decision in 1996 to withdraw the employer-employee exemption the Department had promulgated only four years earlier,[i] followed by HUD’s Congressionally mandated postponement of the effective date of the withdrawal.[ii] 

As a result, the 1992 exemption, which states that Section 8 of RESPA does not prohibit an employer’s payment to its own employees for any referral services, remains in effect. That section of the RESPA statute specifically lists several practices that do not violate the statute. 

The statute provides: 

Nothing in this section shall be construed as prohibiting (1) the payment of a fee … (C) by a lender to its duly appointed agent for services actually performed in the making of a loan, (2) the payment to any person of a bona fide salary or compensation or other payment for goods or facilities actually furnished or for services actually performed … 

The foregoing subsections support the payment of fees by employers to their employees.

In December 2011, when the CFPB republished Regulation X as its own regulation, it removed the unimplemented provisions of the 1996 rule that had remained part of HUD’s Regulation X. Accordingly, Regulation X, RESPA’s implementing regulation, currently allows an employer to pay its own employees for any referral activity. For the most part, this is all most mortgage professionals usually need to know about employer-employee compensation in the context of “sham employment.” 

In place of the 1992 exemption, HUD adopted but then postponed the effective date, and then the CFPB permanently eliminated it, providing two additional limited exemptions for payments: 

1. One for employer payments to managerial employees.[iii] 

2. Another for payments to employees who do not perform settlement services.[iv] 

The proposed 1996 revision also would have added a third exemption to clarify that payments made to an employer’s own bona fide employee for generating business for that employer are permissible.[v] 

HUD’s May 9, 1997, proposal,[vi] which the Department withdrew on February 13, 2001,[vii] would have added a new “like-provider” exemption to RESPA’s Section 8 prohibition against kickbacks and unearned fees. (I will not treat the 1996 amendments and the proposed “like-provider” exemption in this response.)

HUD proposed amending Regulation X[viii] to add an exemption that would allow payments by an employer to its own bona fide employees for the referral of settlement service business to an affiliated settlement service provider, provided that the referred settlement service business is the same category of settlement service as provided by the employer of the employee making the referral, the employee makes the affiliated business arrangement disclosure[ix], and the employee making the referral does not perform any other category of settlement service in the same transaction.

Thus, here is the current situation with respect to your question about “sham employment,” specifically, the variety of developments regarding payments by an employer to its employees. Under RESPA, an employer may pay its own employees for any settlement service, including referrals to affiliates. A company may pay the employees of another company only reasonable compensation for settlement services actually rendered.

HUD has made clear, both in its regulatory guidance and its enforcement actions,[x] that it regards “sham employment” or “bogus employee” arrangements as RESPA violations. There is no reason to believe the CFPB takes a different position on this issue.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

________________________

[i] 12 CFR 1024.14(g)(1)(vii), originally adopted by 57 Fed. Reg. 49600 (November 2, 1996) and republished by the CFPB, 76 Fed. Reg. 78978 (December 20, 2011)
[ii] Section 2103(b) of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (Title II of the Omnibus Consolidated Appropriations Act, 1997, Pub. L. 104-208), signed by President Clinton on September 30, 1996; 61 Fed. Reg. 58,472 (11/15/96)
[iii] Withdrawn Regulation X Section 3500.14(g)(1)(viii)
[iv] Withdrawn Regulation X Section 3500.14(g)(1)(ix)
[v] Withdrawn Regulation X Section 3500.14(g)(1)(vii)
[vi] 62 Fed. Reg. 25,740 (May 9, 1997)
[vii] 66 Fed. Reg. 25,478, at 25,497 (5/14/01). HUD withdrew the proposal following the January 20, 2001, issuance of a “Regulatory Review Plan” by the new Bush administration’s White House Chief of Staff, Andrew H. Card, Jr. HUD pointed out in its semiannual regulatory agenda that “Withdrawal of a rule does not necessarily mean that HUD will not proceed with the rulemaking. Withdrawal allows the new HUD Administration to further assess the subject matter and determine whether rulemaking for this subject matter is appropriate.”
[viii] Section 3500.14(g)(1)
[ix] As provided in 12 CFR 1024.15
[x] For instance, see the Znet Financial settlement (September 17, 2003). HUD found that Znet paid ReMax of Atlanta real estate agents as "employees" even though the agents performed little or no work for the lender. These agents were, therefore, sham “employees" who did little or no work for referral fees. Investigators found the agents performed little or no origination work other than filling out loan application forms.