TOPICS

Friday, July 30, 2021

Servicing Compliance: New COVID-19 Guidelines

QUESTION
As a servicer, we are working hard to comply with the evolving servicing requirements during the pandemic. 

I am our company’s Chief Compliance Officer and General Counsel. Every time there is a regulatory change, we update procedures, and then a new round of training is done. 

As you probably know, the CFPB issued a final rule on mortgage servicing as it relates to COVID-19. 

I am looking for a brief list of the requirements in the areas of loss mitigation and early intervention. 

To assist us in training on the final rule, what should be on the list of loss mitigation and early intervention compliance with respect to COVID-19? 

ANSWER
The pandemic has caused a seismic shift in servicing guidelines regarding loss mitigation and early intervention. So, you should be focusing on these important compliance challenges. 

As I write, it appears the pandemic is entering a new and more lethal phase due to the Delta variant, a mutation that is reported to be a thousand times more transmissible than the initial COVID-19 virus. Therefore, although the Final Rule (“Rule”) was issued on June 28, 2021, there may yet be additional requirements in the future if the Delta variant wreaks havoc on the rules involving servicing compliance. 

Issued by the Consumer Financial Protection Bureau (CFPB) under the rubric 2021 Mortgage Servicing COVID-19 Final Rule, the Rule amends certain aspects of Regulation X’s mortgage servicing loss mitigation and early intervention requirements. 

The Rule also establishes procedural safeguards for mortgage servicers that help borrowers explore foreclosure alternatives, such as loan modifications or home sales. The rule is effective August 31, 2021. 

I would zero in on three aspects of loss mitigation: temporary COVID-19 safeguards; COVID-19-related loan modifications; and reasonable diligence related to COVID-19. 

As you’ve requested, I will suggest a list, but be sure to provide a deep understanding of implementation, process flow, monitoring, and testing. Construct your training in sections, as I’ve enunciated in my response. 

Loss Mitigation: Temporary Special COVID-19 Procedures Safeguards 

Currently, the mortgage servicing compliance prohibits servicers from making a foreclosure referral or completing specific foreclosure actions in certain circumstances. Generally, a servicer may not make a foreclosure referral until the borrower is more than 120 days delinquent. 

Additionally, if a borrower submits a complete loss mitigation application before the foreclosure referral, generally, the servicer must wait an additional period before initiating foreclosure to satisfy certain conditions to allow the borrower an opportunity to pursue loss mitigation. Indeed, the servicer must determine that the borrower (1) is not eligible for any loss mitigation options and notify the borrower of such; and (2) has exhausted the appeal process. 

If a loss mitigation offer is made, the borrower must reject all offered loss mitigation options or fail to perform under a loss mitigation option agreement. Similarly, if a borrower submits a complete application after foreclosure referral but at least 37 days before the foreclosure sale, the servicer must not complete certain foreclosure actions until these foreclosure protection conditions are met. 

The Rule temporarily adds to the foreclosure protection conditions in certain circumstances. 

From August 31, 2021, through December 31, 2021, unless an exception applies, before referring certain 120-day delinquent accounts for foreclosure, the servicer must ensure that at least one of the temporary procedural safeguards has been met. 

1. The borrower was evaluated based on a complete loss mitigation application, and existing foreclosure protection conditions are met. To meet this safeguard, the servicer must confirm that: 

·        The borrower submitted a complete loss mitigation application, and the servicer evaluated the application. 

·        The borrower remained delinquent since the submission of the loss mitigation application. 

·        The foreclosure protection conditions in existing servicing compliance are met, such that a servicer is permitted by the rules to make a foreclosure referral. 

2. The property is abandoned. To meet this safeguard, applicable state or local law must consider the property securing the mortgage abandoned when referred to foreclosure. 

3. The borrower is unresponsive to servicer outreach. To meet this safeguard, the servicer must not have received any communications from the borrower in the 90 days prior to the foreclosure referral, and the servicer must confirm that: 

·        It has complied with the early intervention live contact requirements in servicing compliance during that 90-day period. 

·        It has provided the early intervention 45-day written notice required by servicing compliance. The servicer must have sent the notice at least 10 but no more than 45 days before the foreclosure referral. 

·        It has complied with all loss mitigation notice requirements in servicing compliance during that 90-day period, such as the notice of an incomplete loss mitigation application. 

·        The borrower’s forbearance program, if applicable, ended at least 30 days before the foreclosure referral. 

Exceptions. 

Temporary procedural safeguards are not required if: 

·        The foreclosure referral occurs (as permitted by applicable law) on or after January 1, 2022. 

·        The borrower was more than 120 days delinquent prior to March 1, 2020. 

·        The applicable statute of limitations will expire before January 1, 2022. 

Loss Mitigation: COVID-19-Related Streamlined Loan Modifications 

Servicing compliance generally prohibits the servicer from evading the requirement to evaluate a complete loss mitigation application for all loss mitigation options available to the borrower by offering a loss mitigation option based on the evaluation of any information provided by a borrower in connection with an incomplete loss mitigation application. However, the rules do offer certain exceptions to this general prohibition, allowing some loss mitigation offers that are not based on evaluating a complete application, such as offers of specific short-term payment forbearance programs and certain COVID-19-related loss mitigation options. 

The Rule adds a new exception: it permits servicers to offer certain COVID-19-related loan modification options based on evaluating an incomplete application. To qualify for this exception, the loan modification program must: 

1. Limit loan term extensions. The loan modification must not extend the loan term more than 40 years from the date the modification is effective. 

2. Limit periodic payment increases. The loan modification must not increase the borrower’s monthly principal and interest payment beyond the amount that was required prior to the modification. 

3. Prohibit interest accrual on delayed amounts. If the loan modification allows the borrower to delay payment of any portion of the amount owed until the property is sold, the mortgage is refinanced, the modification matures, or, for Federal Housing Administration (FHA) insured loans, until the mortgage insurance terminates, then the loan modification must not allow interest to accrue on those amounts. Such amounts could include, for example, forborne periodic payments. 

4. Be available to borrowers with COVID-19-related hardships.

5. End (or be designed to end) preexisting delinquency. The loan modification must end any preexisting delinquency when the borrower accepts the modification offer. If a trial period applies, the loan modification must be designed to end any preexisting delinquency when the borrower satisfactorily completes any trial period requirements and accepts the permanent loan modification. 

6. Not include certain fees. The servicer must not charge fees in connection with the loan modification and must promptly waive certain existing fees the borrower owes, such as late fees, penalties, or stop-payment fees, that were incurred on or after March 1, 2020. 

Loss Mitigation: COVID-19-Related Reasonable Diligence 

Under the Rule, if a borrower is in a short-term payment forbearance program made available to borrowers with a COVID-19-related hardship and that program was offered based on an evaluation of an incomplete application, the rule specifies more precisely when the servicer must renew reasonable diligence efforts. For such borrowers, if the borrower remains delinquent, the servicer is required to contact the borrower no later than 30 days before the scheduled end of the forbearance period to determine if they wish to complete the loss mitigation application. If the borrower chooses to do so, the servicer must reinstate reasonable diligence efforts to complete the loss mitigation application before the end of the forbearance period. 

Early Intervention 

Turning now to early intervention, “live contact” comes under regulatory scrutiny. Be sure to monitor staff involved in “live contact information,” possibly using Call Calibration and overseeing any online interactions. Don’t mess up in this area, as dealing with the public can quickly spiral into regulatory, administrative action! 

Early Intervention: Additional Temporary COVID-19-Related Live Contact Information 

Currently, servicing compliance requires a servicer to make good faith efforts to establish live contact with delinquent borrowers no later than the borrower’s 36th day of delinquency and again no later than 36 days after each payment due date so long as the borrower remains delinquent. 

Promptly after establishing live contact, the servicer must inform the borrower about the availability of loss mitigation options, although it has discretion to determine if providing this information is appropriate and the level of specificity provided. 

Separately, servicers are also required to maintain policies and procedures that, among other things, ensure that the servicer’s personnel assigned to a delinquent borrower can identify all loss mitigation options available from the owner or assignee of the borrower’s mortgage as well as the actions the borrower must take to be evaluated for those options. The policies and procedures must ensure that the servicer has the ability to provide that information accurately. 

After establishing live contact under existing servicing compliance guidelines, the Rule temporarily requires a servicer to provide some delinquent borrowers with specific, additional information. The responsive action should be prompt. This requirement applies only until October 1, 2022. 

In particular, there are two categories relating to forbearance: borrowers who are not in forbearance and borrowers who are in forbearance. 

Borrowers not in forbearance 

For borrowers who are not in a forbearance program at the time live contact is established under the existing rules, if the owner or assignee of the mortgage provides forbearance programs for borrowers with a COVID-19-related hardship (as defined in the Rule), then promptly after establishing live contact, the servicer must inform the borrower of the following: 

·        Program availability statement 

·        List and description of applicable programs 

·        Homeownership counseling services 

Borrowers in forbearance 

For borrowers in a forbearance program made available to those experiencing a COVID-19-related hardship at the time live contact is established, the servicer must provide additional information during the live contact that occurs 10 to 45 days before the scheduled end of the borrower’s program. When live contact is established, the servicer must inform the borrower of the: 

·        Scheduled end date 

·        List and description of applicable programs 

·        Homeownership counseling services 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, July 22, 2021

Being Transparent with Borrowers

QUESTION
We are a mortgage lender with offices in 22 states. As the company’s CEO, I meet regularly with our compliance staff. A few weeks ago, we were sued by some borrowers alleging that our loan officers and processors had misled them in loan products and processes. 

I was shocked since we are very much on top of training our employees to be as transparent as possible. Our lawyer said that this kind of lawsuit happens all the time, and there are lawyers who are known for bringing these kinds of cases. 

Whatever the case, we’re now stuck in litigation, and I am concerned about a big hit to our reputation. I wonder if you could give us some guidance on ensuring that our employees know how to conduct themselves. I am looking for a brief outline that I can send to our employees. 

What should be our policy to ensure transparency with our customers?

ANSWER
Your counsel is correct. There are lawyers whose principal source of business consists of scouring for cases such as you describe. An old friend of mine is one of those guys, and he’s one of many who make a living at the class action bar. He is doing a good thing as he sees it since he believes his clients are allegedly injured by companies that do not comply with banking law. I supposed that’s fine as far as it goes. But I also know lawyers who bring long-shot, convoluted cases that generate fees but eventually crash and burn. 

However, the lack of transparency in lending can get a financial institution into significant violations of UDAAP (viz., Unfair, Deceptive, or Abusive Acts or Practices). UDAAP is very broad and filled with legal traps. It is easy to get into trouble if you don’t watch out! Many a lender has been on the receiving end of lawsuits claiming that their employees did not accurately represent their loan products and lending processes. 

Let me offer these two primary rules to your employees: 

1. Do not create unreasonable expectations! 

2. And if you give reasonable expectations, better be sure you meet them! 

That means you don’t promise a loan approval, even if the customer's creditworthiness is the best you’ve ever seen. You don’t promise a credit decision by a specified date unless, as an organization, you have implemented a standard to guarantee such a result. Don’t answer a question unless you are sure of the correct answer. Don’t answer a question for which your company does not have expertise. 

And, whatever you say and do, say only what you know and do only what you are capable of doing! 

Be sure your company has standardized policies and procedures, and drill them into the employees at every sales meeting and operational venue. Use the policies and procedures as a training tool. 

Here are some steps you can take to reduce the potential of lawsuits claiming violations of unfair and deceptive practices. Of course, it is not meant to be comprehensive, but you can get it on one page and distribute it to all affected personnel. 

1. Ask for all required documentation as soon as possible in the application process. Be clear about the information the applicant must provide. This will help avoid surprises and delays in the process. Many lawsuits arise because customers think someone else is supposed to do something, when the lender actually expected them to do it, and instead no one did anything. 

2. Avoid side oral agreements. Don’t promise to do anything beyond your business focus. For instance, don’t recommend a building contractor or promise “you’ll be approved, no problem.” 

3. If an application presents unusual issues or an exception to normal lending policy, mention the issue or exception to the applicants. Lead them to expect less than smooth sailing. 

4. If you learn of problems with an application, notify the applicant as soon as possible. 

5. Never answer an inquiry about a customer’s credit record, except in accordance with policy. If you respond, it must be truthful and complete. 

6. Memos to the file must be factual and concise. Don’t allow your emotional response to affect their content. Write them as if a pro-borrower jury will view them. 

7. If you have been handling a loan transaction and will be going away on vacation or unavailable for other reasons, summarize the status of pending requirements in a memo. 

8. Never discuss any information provided by the applicant with any individual other than the applicant unless the applicant has given you written consent to do so.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Friday, July 16, 2021

Banking Exams: Meeting the Regulator’s Expectations

QUESTION
At this time, we are handling five banking examinations. The most we’ve handled at one time was seven exams.
 

We are stretched to the limit in working on them. We are in all the states, but this demand on us is daunting, to say the least. 

Over time we put together a process flow for dealing with examinations, which has worked out well, as far as it goes. But we keep having to tweak it because some examiners keep changing their processes. 

We need help in creating more procedural descriptions based on the regulator’s point of view. Our interest is in meeting the regulator’s expectations. 

What are the typical expectations of banking department examiners? 

ANSWER
You ask a very important question. Any financial institution that is not prepared procedurally for a banking examination exposes itself to potentially adverse findings. If you are dealing with multiple exams at one time, the task of handling them all effectively is really tough if you don’t have actionable procedures. The exposure climbs if you are not cognizant of the examiner’s expectations.
 

My firm provides readiness support and hands-on involvement in banking examinations. One feature we often encounter is a client’s lack of procedures in being responsive to bank audits. In effect, many companies seem to be passively waiting for regulatory scrutiny rather than being proactively getting ready for it. Although they do not really know what to expect, they also do not seem to understand what the examiner expects! 

I am going to answer your question with a generalized overview. Each financial institution varies in terms of its size, complexity, and risk profile. Each company’s procedures will reflect its business structure and risk tolerance. It is possible to provide some insight into the kind of procedures you should develop in light of a regulator’s expectations. Too often, though, companies provide procedures based on what they believe should be done without really understanding the regulatory review process. 

In determining risk, regulatory agencies usually review or perform the following tasks: 

·    Develop a compliance risk profile for the financial institution, considering its organization structure, business lines, operations, and past supervisory performance. 

·    Determine the level of a company’s compliance management system (CMS), including determining management’s level of knowledge and attitude toward compliance, management’s responsiveness to current issues, the company’s compliance organization structure, management information systems, policies and procedures, training, and monitoring and audit programs.

    Test transactions based on risks and management’s efforts and responses.

    Validate an institution’s HMDA data and conduct a fair lending review. 

As a matter of act, the FDIC uses a tool as its first step, the Assessment of Risk of Consumer Harm (ARCH). Other agencies and several state banking departments use a similar assessment for scoping a compliance examination in their pre-examination planning. 

There is a logic behind the pre-examination plans: managing the examination based on risk factors tends to reduce the overall on-site requirement and identifies areas requiring more supervisory attention. 

A central focus is a company’s compliance management system (CMS) because it enables examiners to identify causes of compliance deficiencies and suggest appropriate corrective action. If you have not used our CMS Tune-up support, you should get it done as soon as possible. It is cost-effective, hands-on, and quick. You need to know your firm’s compliance strengths and weaknesses in your compliance management system. So, contact us! 

The following is a generic and categorical outline of a mortgage lenders’ banking examination from a regulator’s point of view. 

Request Letter

Before arriving at the bank, the regulator will issue a request letter for information, specific responses to be sent to the examiner-in-charge before the on-site review, and other responses for review on site. The request letter may ask that the following material be gathered and made available: 

·     Work papers of all compliance audits performed since the last examination, including the audit reports issued, documentation of corrective action taken, and the response from management 

·     Copies of bank compliance policies and procedures 

·     Fair lending information 

·     HMDA-LAR (if applicable) 

·     Minutes of the compliance officer, committee, or board meetings regarding compliance issues 

·     Printouts or electronic files of loans and related files 

·     Tracking documentation, such as logs, pricing, and so forth 

·     Copies of compliance forms and disclosures 

·     RĆ©sumĆ©s of all compliance personnel 

The company’s chairman of the board or president usually receives this request letter and passes the information on to the compliance officer, who is then responsible for seeing that all of the information is compiled for the examiners and that key personnel responsible for these items are aware of the examiners’ arrival date. 

When the bank examiners arrive, they should be given adequate accommodations for their time at the company. A private room, such as a conference room, with Internet connectivity, is preferred. The information requested by the examiners should be made available immediately. The compliance officer should answer any questions examiners may have regarding the audit work papers, the company’s HMDA data, its public comment file, or any other requested compliance information. 

The following sections focus on each of the items the regulator may examine as outlined in the request letter. 

Audit Procedures Work Papers 

Examiners usually review the work papers of the company’s compliance auditor to determine what steps were followed in the audit of a particular area or regulation. If the auditor has thoroughly documented the results of an internal audit and kept detailed work papers, the examiner may review those work papers and not perform any additional procedures or testing. 

Policies and Procedures 

The examiners will review copies of the compliance policies and procedures in conjunction with the audit work papers and any compliance audit reports to determine if they are being followed. For instance, a company may have several policies regarding loan approvals. These policies may include the type of employment, length of employment, length of residence, credit history, and any other factors used to evaluate creditworthiness. The examiners may review loan approvals and denials to ensure that all customers are being treated equally based on the loan policies and procedures. Note the importance of a company following its own policies and procedures! 

Required Reporting 

In addition to the policies and procedures, its fair housing information and the HMDA data (if applicable) will be reviewed to make sure that the financial institution is not discriminating against any group of people with respect to home loan transactions. These transactions include home purchase loans, home improvement loans, and refinance loans. If the mortgage lender is also a department, division, or subsidiary of a bank that files CRA data, the HMDA information also will be analyzed in conjunction with that CRA data. 

Community Reinvestment Act (if applicable) 

Under the CRA, banks are strongly urged to take an active role in meeting the credit needs of their communities, not to exclude low- to moderate-income families. Examiners carefully review the HMDA report in connection with the CRA data. Bank examiners review a bank’s CRA program and internal documentation on the role it has taken in complying with the CRA as well as the bank’s CRA public comment file. Irrespective of the apparent compliance with Regulation C, the regulation that implements HMDA data collection and filing, if examiners feel that the bank is not meeting the requirements of the Community Reinvestment Act, they can impose stiff penalties, including ceasing any branching or merging by a bank. 

Compliance Management System 

A company’s compliance management system (CMS) comprises mainly three areas: board and management oversight, compliance program, and compliance audit. When your CMS is working well, and all parties are actively involved in the compliance system, the company’s compliance risks will be limited and the program strong. Examiners prioritize this central focus of a company’s risk profile. 

If you want to information about our CMS Tune-up, please let us know! 

Management and Board Involvement 

Regulators are now taking a “top-down” approach in their reviews, so examiners will focus on the amount of management and board involvement in the company’s compliance management system. I strongly urge management and the board to take an active role in compliance. Document the involvement. Management committee minutes and board minutes should reflect that management and the board: 

·     Demonstrate compliance expectations to employees. 

·     Adopt clear compliance policy statements. 

·     Appoint a compliance officer with authority and accountability. 

·     Allocate adequate resources in all areas. 

·     Review periodic audits. 

·     Discuss compliance activities, actions, strengths, and weaknesses in their meetings. 

Printouts, Online Access, Digital Reviews 

Printouts or electronic files of all loans are usually requested for a specified period. Examiners will need access to such information and documentation. They can also request additional information concerning selected items from the reports to choose an audit sample for further review. 

Compliance Forms and Disclosures 

Regulators review numerous forms and disclosures. These forms are sometimes developed internally or purchased from an outside vendor. The regulator will review all of the compliance forms used by the company to ensure that they satisfy applicable regulatory requirements. 

The compliance officer should review these forms and disclosures before submitting them to a regulator in order to ensure that they comply with the company’s policies and the latest regulatory requirements. Personnel should not change disclosure or reporting forms before the compliance officer has a chance to approve the changes. This procedure will minimize the regulatory examiner’s discovery of incorrect or inadequate disclosure.

Thursday, July 8, 2021

Large Bank Cybersecurity Challenges

QUESTION
We purchased your new Ransomware Policy and Procedures. It is very comprehensive. We alread
y have a policy for Ransomware; however, we are going to incorporate your policy into ours. 

I am the Chief Compliance Officer and an attorney. In our case, we are a large bank with multiple business units, hundreds of branches, thousands of loan officers, a substantial online presence, and several affiliated entities. 

We have an Information Security Office, an Information Technology Operations Center, and an Information Privacy Office. Our CISO and CPO oversee cybersecurity issues involving the network architecture, operating system architecture, business applications, online sales, and internal auditing. 

As a large company, we have unique compliance needs. I would like your answers to several questions that we constantly ask one another. We would appreciate your feedback on these questions. 

Who are the stakeholders of an incident response team? 

What are the responsibilities of the incident response team? 

What are the suggested notification levels of escalation involving a cyberattack? 

ANSWER
Your mentio
ning of the offices under the CISO’s oversight in itself tells me that you have a challenging and highly articulated risk profile. You provided supporting information to your questions, which I have not included herewith. For the sake of the readership, some of your terminology may be new to them, so I will define certain nomenclature in the course of responding to your questions. 

Let’s begin with the definition of a security breach. For the sake of brevity, I define a security breach as an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information. Ransomware endeavors to monetize that breach, where a hacker stealthily gets into a system and puts encryption controls in place that lock users out. Once that succeeds, the hacker demands money to "unlock" the data. 

In a large company, protection from a security breach is guarded by various stakeholders. These individuals constitute a matrix of responsibilities, often through a “chain of command” configuration. Critical to countering a triggering event such as a ransomware demand is developing and maintaining an Incident Response Plan (“Plan”). 

I define a Plan as a documented, clearly outlined, organized approach for handling any potential threat to computers and data, even, where necessary, taking appropriate action when the source of the intrusion or incident at a third party is traced back to the organization. 

The Plan should identify and describe the roles and responsibilities of the Incident Response Team (“Team”). And the Team is responsible for putting the Plan into action. 

The Team is established to provide a quick, effective and orderly response to computer-related incidents, such as virus infections, hacker attempts and break-ins, improper disclosure of confidential information to others, system service interruptions, ransomware attacks, breach of personal information, and other events with serious information security implications. In short, the Team’s mission is to prevent a severe loss of profits, public confidence, or information assets by providing an immediate, effective and skillful response to any unexpected event involving computer information systems, networks, or databases. 

The kinds of security breaches that trigger the Plan include a breach of personal information, Denial of Service and Distributed Denial of Service, excessive port scans, ransomware attacks, firewall breaches, and virus outbreaks. 

The Plan arrangement that you describe is consistent with large companies. It is the case that many large companies have a Plan that contains the personnel of the following offices, departments, and functions (“Stakeholders”): 

- Information Security Office (“ISO”) (“Chief Information Security Officer” or “CISO”)

- Information Technology Operations Center (“ITOC”)

- Information Privacy Office (“IPO”) (“Chief Privacy Officer” of “CPO”)

- Network Architecture

- Operating System Architecture (“Operations Center”)

- Business Applications

- Online Sales

- Internal Auditing 

So, based somewhat on your description, your Plan seems consistent with similar arrangements by large companies. 

The Board or executive management must give the Team the requisite authority to take appropriate steps deemed necessary to identify, contain, mitigate, and resolve an adverse cybersecurity incident. Also, the Team is responsible for investigating suspected intrusion attempts or other security incidents in a timely, cost-effective manner and reporting its findings to management and the appropriate authorities as necessary. The CISO coordinates the Team. 

The Information Technology Operations Center is the central point of contact for reporting computer incidents or intrusions. The Operations Center notifies the CISO. 

All computer security incidents must be reported to the CISO. A preliminary analysis of the incident takes place by the CISO, determining whether the Incident Response Team activation is appropriate. 

With respect to the rules and responsibilities of the Team, I offer the following list based on the forgoing matrix of Stakeholders. It is certainly not meant to be comprehensive but suggestive. 

Information Security Office

- Determines the nature and scope of the incident

- Contacts qualified information security specialists for advice as needed

- Contacts members of the Incident Response Team

- Determines which Incident Response Team members play an active role in the investigation

- Provides proper training on incident handling

- Escalates to executive management as appropriate

- Contacts auxiliary departments as appropriate

- Monitors progress of the investigation

- Ensures evidence gathering, the chain of custody, and preservation is appropriate

- Prepares a written summary of the incident and corrective action taken 

Information Technology Operations Center 

- Central point of contact for all computer incidents

- Notifies Chief Information Security Office to activate computer incident response team 

Information Privacy Office 

- Coordinates activities with the Information Security Office

- Documents the types of personal information that may have been breached

- Provides guidance throughout the investigation on issues relating to the privacy of customer and employee personal information

- Assists in developing appropriate communication to impacted parties

- Assesses the need to change privacy policies, procedures, and practices as a result of the breach 

Network Architecture 

- Analyzes network traffic for signs of denial of service, distributed denial of service, or other external attacks

- Runs tracing tools such as “sniffers,”[i] Transmission Control Protocol (TCP)[ii] port monitors, and event loggers

- Looks for signs of a firewall breach

- Contacts external Internet service provider for assistance in handling the incident

- Takes action necessary to block traffic from a suspected intruder 

Operating Systems Architecture 

- Ensures all service packs and patches are current on mission-critical computers

- Ensures backups are in place for all critical systems

- Examines system logs of critical systems for unusual activity 

Business Applications 

- Monitors business applications and services for signs of attack

- Reviews audit logs of mission-critical servers for signs of suspicious activity

- Contacts the Information Technology Operations Center with any information relating to a suspected breach

- Collects pertinent information regarding the incident at the request of the Chief Information Security Office 

Online Sales 

- Monitors business applications and services for signs of attack

- Reviews audit logs of mission-critical servers for signs of suspicious activity

- Contacts the Information Technology Operations Center with any information relating to a suspected breach

- Collects pertinent information regarding the incident at the request of the Chief Information Security Office 

Internal Auditing 

- Reviews systems to ensure compliance with information security policy and controls

- Performs appropriate audit test work to ensure mission-critical systems are current with service packs and patches

- Reports any system control gaps to management for corrective action 

I found your question intriguing about escalating notification of a cybersecurity attack. Sometimes the path to the final decision maker is circuitous and time-consuming. During that interstitial period, the company may be unable to respond to the security threat effectively. 

Using the outline I have set forth hereinabove, I think the “chain of command” escalation for notification should consist of following layers. 

Escalation Notification 

Escalation - First Level 

- Chief Information Security Officer (CISO)

- Data Processing Operations

- IT Audit Director

- Network Architecture Manager

- Online Sales Director 

Escalation - Second Level 

- Chief Information Officer (CIO)

- Chief Privacy Officer (CPO)

- Chief Audit Executive 

Thursday, July 1, 2021

Compliance Officer Conundrum

QUESTION
We have had several compliance officers in the last few years. As the CEO of our company, I considered their resumes, and some of them came with a long list of credentials.

In theory, they should have known what they’re doing. But they wound up having blind spots and, in one case, the compliance officer put us at considerable regulatory risk.

Of the three compliance officers, two were fired, and one resigned instead of being fired.

We plan to retain a firm such as yours to keep us stabilized and work with new compliance officers. So, please contact me.

I have put together a committee to review all candidates. They are asking for a high-level outline of what a compliance officer is required to know and do.

I am turning to you for some guidance. It will go a long way to helping us find a decent compliance officer.

What are some qualifications of a compliance officer?

ANSWER
I understand your situation. I hear similar concerns all the time. Just because somebody has a long list of compliance-related credentials does not mean it’s appropriate to give them the responsibility of a compliance officer. I realize this seems counterintuitive. Due to the pervasiveness of this issue, many years ago, I even speculated about establishing a firm to vet potential compliance officers for clients. At least it would reduce situations like you find yourself in. Although I thought such a firm was needed, I felt that it was outside our mission. However, make no mistake, credentials are not equivalent to competency and actual, hands-on experience.

I’m glad you are considering a firm like ours. We provide independent support to the existing compliance function of virtually any mortgage banking firm – whether originating or servicing loans – irrespective of the size, risk profile, or complexity. We will enhance your compliance management. Compliance officers (viz., compliance managers) work closely with us on day-to-day regulatory issues. So, contact me HERE. I’ll get back to you promptly and we’ll talk. You do not need to jump through hoops to get this position filled.

Let’s start with the importance of finding a good fit for your organization. The compliance officer should have a strong positive attitude toward compliance. Avoid anyone who constantly complains about having to read all the regulatory information or is a bit too “flexible” when it comes to regulatory compliance. The attitude is a pivotal feature of the compliance officer’s effectiveness because the position requires a willingness and ability to work with departmental personnel on compliance issues.

A bad attitude or poor fit is detrimental. If a firm such as mine does an internal audit, we will pick up on this kind of personnel issue and report it in our evaluation of the risk rating. Just imagine what a regulatory agency’s examination report would say about such a situation!

A compliance officer must prioritize maintaining compliance within the financial institution to reduce or eliminate regulatory violations, costly penalties, and poor customer relations. The position should report directly to the company’s top management. Some companies put the compliance position under the legal department, but sometimes this results in important messages not getting adequately reported to the CEO or the Board of Directors. Mistakes get magnified when there are too many layers between the compliance officer and the CEO.

Thus, as a general proposition, for the compliance officer to succeed authoritatively, s/he should be recommended by executive management and approved by the Board of Directors. The individual appointed should have at least the following attributes: 

(1) be a higher-level officer of the company, 

(2) be familiar with all areas of mortgage banking, 

(3) possess strong oral and written communication skills, and 

(4) maintain a positive attitude toward compliance. 

The Board’s involvement in the appointment is a strong indicator of its emphasis on and support of the compliance program. Board approval of the officer is also a positive signal to regulatory authorities of a company’s commitment to compliance.

What do I mean by a “higher-level officer?”

I mean that a compliance officer’s position must carry authority if s/he is going to accomplish the responsibilities determined by executive management effectively. To be sure, the compliance officer should be at least a first-level officer, depending on the organization's size. A large company may want the compliance officer to be at least at the vice president level; a small company may appoint a trusted individual who exhibits many essential requirements.

Understand that, as a CEO, the success of your company’s compliance program depends on the authority you have given to the compliance officer. The compliance function requires the authority to effectuate regulatory mandates, and that means s/he must have the respect of others in the organization and the support of management. If the individual lacks such respect or management support, the compliance program is in danger of failure.

I am not in favor of a part-time – or what amounts to a part-time – compliance officer. There should be no reason why you can’t promote somebody from within who can be trusted, assuming s/he has the  essential experience and a willingness to receive appropriate compliance training, and, importantly, contribute substantially all of their time to compliance issues.

If you are a small company with only a few employees, you should still designate a compliance officer who will take on such responsibilities. Not every company has the budget to hire a compliance officer or sufficient human resources to promote from within. But you can always retain a firm such as mine to fill the gap temporarily, permanently, or continually as an adjunct to a compliance officer.

There’s really no excuse not to retain a firm such as mine since – at least in our case – the fees are very cost-effective, and you can ensure compliance guidance is prioritized. Compliance must be constantly monitored and maintained to ensure that problems or potential problems do not arise. Do not wait for a regulator to knock on your door before you pay attention to compliance requirements!

The compliance officer must communicate compliance initiatives to all affected employees. There are several ways that such communication of compliance information is customarily transmitted, such as:

- Training sessions;

- Periodic reports to executive management and the Board of Directors;

- Periodic reports to compliance committees;

- Individual meetings;

- Memos and reports; and,

- Newsletters.

Another communication responsibility of a compliance officer is providing guidance on proposed regulatory changes. For instance, to ensure that the compliance officer fulfills this obligation, my firm meets with the compliance officer of our clients regularly to discuss existing and proposed regulations to keep them current and anticipate future compliance demands. We also discuss how best to effectuate compliance mandates right now and implement expected directives in the days and months to come.

Given the foregoing criteria, I think you should search for a compliance professional who will be responsible for conveying all policy and procedural requirements imposed by the regulations, including information for and to executive management and appropriate personnel, regarding:

- Changes in current compliance requirements;

- New regulatory issues affecting the bank;

- The operation of the compliance program itself;

- Specific audit findings and suggestions for corrective action; and,

- Public comments or complaints.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group