Friday, November 26, 2021

Affiliate Marketing: Information Sharing

QUESTION
We are a lender with several affiliates. We have been cross-marketing with the affiliates for a long time. However, our regulator now is examining us and our affiliates to find out if we have “information sharing” violations. A complaint to the CFPB triggered the examination. 

Their main concern seems to center on potential violations of the Fair Credit Reporting Act. 

So, our question is, are there restrictions on using our affiliates’ information for marketing purposes? 

ANSWER
A word of caution at the outset: work with a compliance professional for guidance on information sharing between affiliates. Information sharing is a very challenging area of compliance and involves several regulations. Your question specifies the Fair Credit Reporting Act (FCRA), so I will respond exclusively in the context of the FCRA. 

It is important to know what information is subject to affiliate marketing. The provisions apply to the use of “eligibility information” of consumers, where you receive such information from your affiliate for purposes of marketing products or services to those consumers. 

“Eligibility information” means any information that, if communicated by a consumer reporting agency, would be a consumer report but for the exclusions set forth under the definition of “consumer report” in the FCRA for 

(1) transaction or experience information regarding a consumer, or 

(2) information other than transaction or experience information regarding a consumer that affiliates may share with one another if notice and opt-out procedures are followed and the consumer does not opt out. 

It is worth noting that eligibility information excludes aggregate or blind data that does not contain personal identifiers, such as account numbers, names, or addresses. 

The communication of transaction or experience information among companies related by common ownership or affiliated by corporate control is not considered sharing consumer report information. 

Furthermore, companies related by common ownership or affiliated by corporate control may communicate among one another information regarding a consumer that 

(1) is not transaction or experience information, and

(2) would otherwise be considered consumer report information, if a notice and opt-out procedure are followed and the consumer does not opt out. 

However, even though such information may be shared among affiliates, the information is subject to FCRA affiliate marketing provisions, including affiliate marketing rules adopted by the federal financial institution regulators and the Federal Trade Commission (FTC). 

The rules restrict the use of eligibility information about a consumer that a company receives from an affiliate for the purpose of marketing its products or services to that consumer. In other words, the affiliate marketing provisions restrict the use, not the sharing, of the information. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, November 18, 2021

Pre-Funding & Post-Closing Quality Control – Discretionary Audits

QUESTION
We conduct pre-funding, post-closing, and discretionary quality control reviews. 

In an evaluation done in 2016, it was found that the quality control department had many auditing issues. The people who did the assessment are no longer with the company. Supposedly, the problems were corrected. 

However, now Fannie has come in and criticized us for our quality control sampling methodologies. We were cited for defective discretionary audits, in addition to other adverse results. 

So, now we’re writing you for some guidance. 

What are the sampling methodologies for pre-funding and post-closing quality control in terms of discretionary audits? 

ANSWER
Your question focuses on sampling strategies, so my response will concentrate on them. If you haven’t done an annual review of the rationale for selecting pre-funding and post-closing loans, it comes as no surprise that Fannie became concerned. Perhaps there was no attempt to evaluate trigger points, production volume changes, market conditions, and responsive procedures. Maybe your quality control department or your quality control vendor is insufficiently resourced to mitigate risk. 

Notwithstanding an annual review, you should be checking your quality control and loss mitigation risk factors at least quarterly. Reporting the QC findings to management should be ongoing. 

One of the mini-audits in our Compliance Tune-up series is the QC Tune-up. It is popular because it determines if you adequately meet GSE and investor guidelines, a mandate that virtually all mortgage loan originating entities must implement, excluding certain self-generated portfolio loan products. 


Let’s be clear about Fannie’s expectations with regard to selection sampling. There are two methodologies: (1) Random Sampling and (2) Discretionary Sampling. The random sample provides a high-level view of loan quality. The discretionary sample is a subset of loans within the total population that focuses on specific characteristics, such as high-risk loans, adverse findings, and so forth. 

Pre-Funding Selection

For pre-funding, you might be interested to know that Fannie does not have a minimum required sample size for pre-funding QC, nor does it require random selections for loans sampled in the pre-funding QC review. However, Fannie does require that the pre-funding sample size be relevant to the loan production volume. 

The pre-funding selection sampling is discretionary, and there are two types of discretionary methodologies: Full and Component. Whether Full or Component, you will want to incorporate them into your Clear to Close procedures. 

The full file selection is usually conducted on only part of the loan population. Because a loan population carries multiple risk factors, reviewing the complete file yields greater certainty about loan quality. Before our firm conducts a pre-funding audit, many clients have already selected specific characteristics, such as unique underwriting guidelines and documentation requirements, or newly hired loan officers, processors, underwriters, or new third-party originators. Some clients focus on loans with multiple layers of credit risk, such as high loan-to-value ratios, low credit scores, and high debt-to-income ratios (DTI). 

The component file selection focuses on a particular element or elements of the loan file that carry elevated risk, or on loan characteristics associated with defects found in post-closing QC reviews. For instance, we have clients who target loans with a higher risk profile, focusing on the areas most likely to affect eligibility (e.g., higher DTIs, where an undisclosed liability could change the eligibility determination). 

Sometimes, a client will select on the component file basis to validate specific procedures, such as loans that showed process failures identified in the post-closing random sample (e.g., Form 4506-C execution rates). Another validation may target internal exception policies and procedures to confirm that all requirements are consistently followed. We’ve had clients select loans to validate the accuracy of the loan quality tools their organization uses (e.g., fraud monitoring tools or undisclosed debt monitoring). 

Many clients select loans on the component file basis that contain the top trending defects identified in their post-closing random sample (e.g., gift funds or excessive interested party contributions). The goal is to test the internal controls around each defect and the effectiveness of the corrective action plans and remediation efforts. 

Post-Closing Selection

Ideally, pre-funding and post-closing QC are closely interlocked. But post-closing QC covers the entire loan transaction, including closing and legal documents that are not available during pre-funding reviews. Most lenders choose random 10% sampling, though some use the statistical sampling method for the post-closing QC selection process. The loan quality results you obtain reflect the sampling method chosen. 

Lenders generally use the random 10% sampling method with an annual production of 3,500 or fewer loans. The statistical sampling method is generally advantageous for lenders with an annual production of more than 3,500 loans. 

Keeping it simple, lenders prefer the 10% sample selection because there is no need to manage a statistical calculation process. Also, it does not require a periodic evaluation to ensure the sample size is valid. However, the statistical sample selection produces statistically valid results that can be used to extrapolate loan quality conclusions. In that regard, for lenders with a consistent defect rate, it produces a predictable monthly sample that does not vary due to large swings in production volume. 

Whether 10% random or statistical, a full file review must be completed on all loans selected for the post-closing QC process, with reverifications on all the data relied upon to qualify the borrower. In addition, all selections require a comprehensive collateral risk assessment of the appraisal used to support the value of the subject property. 

Discretionary Audits

Because Fannie cited you for “defective discretionary audits,” I will provide a few extra guidelines for discretionary reviews. Keep in mind that discretionary selections allow you to optimize the reviews and target certain loan features (e.g., high-risk loan characteristics) identified in the pre-funding and post-closing random selections. This is why I mentioned the importance of regularly reviewing the selection criteria to ensure you effectively manage risk and your QC resources. Always keep the risk factors current! 

To recapitulate, discretionary reviews may be full file reviews or targeted component reviews; either lets you increase the overall number of reviews or sharpen your ability to evaluate specific risks. 

Full file reviews require reverification of all components, whereas targeted reviews allow for reverification of only those elements being audited. In addition, targeted or component reviews are an effective way to narrow in on a particular risk element, product, or process within the loan origination process without completing a full file review. 

Breaking this down further, there are two types of sampling methods used, one type for full file reviews and the other for component file reviews. 

You would want to use the full file sampling method when selecting loans to review new hires, new products, or newly implemented processes. In this context, use discretionary reviews to ensure at least one loan from each third-party originator is pulled for a review annually. 

Selections should be based on those risk attributes that are identified as top trending defects from pre-funding and investor review results. The goal is to analyze the root causes when developing action plans to prevent future defects from occurring or test the effectiveness of an implemented corrective action. 

The component file review provides an opportunity to sample loans with known risks. For instance, a component or targeted review can confirm, among other things, that the borrower was employed at the time of closing, that the income used to qualify was accurately calculated, that the assets were adequately documented, and that the property was eligible and the validated data supported the appraised value. If the component review finds defects in these criteria, that finding is the rationale for escalating the loan to a full file review. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, November 11, 2021

Ransomware Payments

QUESTION
We are a large mortgage lender in the northeast. I am the Chief Compliance Officer. We have multiple platforms, licensed in all states, and maintain an extensive servicing unit. 

Jonathan, thank you for the weekly posts. And we are grateful that you provided the ransomware checklist. Most companies would make us pay for this kind of checklist, but you offered it for free. That is real commitment! And it has helped us to configure our ransomware security. 

Recently, we learned that another large lender was hit with a ransomware attack. The attacker wants to be paid in cryptocurrency. Admittedly, we are unprepared to respond to such a demand if it happens to us. Frankly, I don’t know how cryptocurrency even works in ransomware attacks. So, we are coming to you to get an understanding. 

What role does cryptocurrency play in ransomware attacks? 

ANSWER
First and foremost, thank you for subscribing. Our posts are a labor of love as an expression of our commitment to the mortgage community. HERE’s a list of some recent FAQs. 

I also appreciate that you are using our ransomware checklist. It covers preparation, response, and recovery. If anyone wants it, please click HERE. It’s free. 

I suppose we could be paid for some of the tools we provide, but our mission is to serve and share. It is certainly possible to grow a compliance firm without charging for every single thing we do. We are living proof of that philosophy! 

Lenders Compliance Group has been thriving and growing since 2006. It is strong and continuing to scale because we are focused on our clients’ compliance experience. Our goal is to help a company to build and maintain a Culture of Compliance®, a term we have pioneered for many years. 

Our team consists of some of the top professionals in mortgage compliance. Believe me, it makes a difference! 

Ransomware is an escalating concern with federal and state regulators. If you are not ready for a ransomware examination, be advised, it’s on the way. Financial institutions play a critical role in the collection of ransom payments. In effect, an institution becomes a facilitator of ransomware payments, whether handling its own response to a ransomware attack or acting as a financial intermediary. 

The severity and sophistication of ransomware attacks continue to rise[i] across various sectors, particularly governmental entities and financial, educational, and healthcare institutions.[ii] Ransomware attacks on small municipalities and healthcare organizations have increased, likely due to the victims’ weaker cybersecurity controls, such as inadequate system backups and ineffective incident response capabilities.[iii] 

So, let’s take a closer look at ransomware payments, especially as these relate to cryptocurrency. 

Most ransomware schemes involve convertible virtual currency (CVC), which is the preferred payment method of ransomware perpetrators. You might as well get used to this terminology. CVC is inherent in ransomware payments. The payment process is a bit complicated, so stay with me as I discuss it. 

Let me outline a typical ransomware payment flow using CVC. After the ransom demand is delivered, the victim usually transmits funds by wire transfer, automated clearinghouse (ACH), or credit card to a CVC exchange to purchase the type and amount of CVC specified by the perpetrator. Next, the victim, or an entity acting on the victim’s behalf, sends the CVC, often from a “wallet” hosted at the exchange,[iv] to the perpetrator’s designated account or CVC address. 

Then, the perpetrator launders the funds through various means – including “mixers,” “tumblers,”[v] and “chain hopping”[vi] – to convert them into other CVCs. These transactions are often structured into smaller “smurfing”[vii] transactions involving multiple persons and spread across many different CVC addresses, accounts, and exchanges, including peer-to-peer (P2P)[viii] and “nested” exchanges. Criminals prefer to launder ransomware proceeds in jurisdictions with weak anti-money laundering (AML) and countering the financing of terrorism (CFT) controls. 

That’s a brief but serviceable outline of the payment process. 

But your company should ensure that it has a ransomware policy that covers the payment concerns and their many derivative repercussions. Those other aspects and nuances are where your responsibilities as a compliance manager should also be focused. 

For instance, cyber insurance companies (CICs) and digital forensic and incident response (DFIR) companies play a role in ransomware transactions. CICs issue policies designed to mitigate an entity’s losses from various cyber incidents, such as data breaches, business interruption, and network damage. CICs may reimburse policyholders for particular remediation services, including the use of DFIRs if needed. Indeed, as part of incident remediation, some financial institutions have hired a DFIR company to negotiate with the cybercriminal, facilitate payment to the cybercriminal, and investigate the source of the cybersecurity breach. 

Some DFIR companies and CICs facilitate ransomware payments to cybercriminals, often by directly receiving customers’ fiat funds, exchanging them for CVC, and then transferring the CVC to criminal-controlled accounts. Thus, depending on the particular facts and circumstances, this activity could constitute money transmission. 

Of course, FinCEN does not hesitate to take action against entities and individuals engaged in money transmission if they fail to register with FinCEN or comply with their other AML obligations. 

Financial institutions involved in ransomware payments should be aware of any Office of Foreign Assets Control (OFAC) obligations that may arise from that activity.[ix] On September 21, 2021, OFAC issued an updated advisory highlighting the sanctions risks of facilitating ransomware payments on behalf of victims of malicious cyber-enabled activities.[x] Additionally, in October 2021, OFAC issued sanctions compliance guidance for the virtual currency industry, which provides an overview of critical items such as reporting instructions, consequences of non-compliance, and compliance best practices.[xi] 

To conclude, cybercriminals using ransomware often rely on common tactics: wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or visit a malicious site, exploitation of Remote Desktop Protocol (RDP) endpoints and software vulnerabilities, and “drive-by” attacks that host malicious code on legitimate websites. Proactive prevention through effective “cyber hygiene,” cybersecurity controls, and business continuity resiliency is often the best defense against ransomware.[xii] 

If you want information about our ransomware checklist and policy or other compliance resources, please click HERE. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

______________________________   
[i] The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 20% more reports of ransomware incidents in 2020 than in 2019, with a 225% increase in ransom demands, totaling $29 million in 2020 up from $9 million in 2019. See FBI IC3, 2020 Internet Crime Report, (2020). In the first six months of 2021, FinCEN identified $590 million in ransomware-related SARs, a 42 percent increase, compared to 2020’s total of $416 million. See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021).
[ii] See FinCEN Advisory, FIN-2019-A005, “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic,” (July 30, 2020).
[iii] See FinCEN 2021 Ransomware Report, at 3 (October 15, 2021). Also see generally DHS Cybersecurity & Infrastructure Security Agency (CISA), Ransomware Guide, (September 2020).
[iv] “Hosted wallets” are CVC wallets where the CVC exchange receives, stores, and transmits the CVCs on behalf of their accountholders. See FinCEN Guidance, FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019).
[v] Mixing or tumbling involves the use of mechanisms to break the connection between an address sending CVC and the addresses receiving CVC. For more information, see FinCEN 2021 Ransomware Report, at 13 (October 15, 2021).
[vi] Chain hopping is a “cross-virtual-asset” layering technique for users attempting to conceal criminal behavior. Criminals obfuscate the trail of virtual currency by shifting the trail of transactions from the blockchain of one virtual currency to the blockchain of another virtual currency, often in rapid succession. See DOJ Cryptocurrency Enforcement Framework, at 41-44.
[vii] Smurfing refers to a layering technique in money laundering that involves breaking total amounts of funds into smaller amounts to move through multiple accounts before arriving at the ultimate beneficiary.
[viii] P2P exchangers are individuals or entities offering to exchange fiat currencies for virtual currencies or one virtual currency for another virtual currency. P2P exchangers usually operate informally, typically advertising and marketing their services through online classified advertisements or fora, social media, and by word of mouth. See FinCEN Advisory, FIN-2019-A003, “Advisory on Illicit Activity Involving Convertible Virtual Currency,” (May 9, 2019).
[ix] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021); FinCEN 2021 Ransomware Report, at 13 (October 15, 2021); and White House, FACT SHEET: Ongoing Public U.S. Efforts to Counter Ransomware, (October 13, 2021).
[x] See OFAC, “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” (September 21, 2021).
[xi] See OFAC, “Sanctions Compliance Guidance for the Virtual Currency Industry,” (October 15, 2021).
[xii] See FBI and DHS CISA, “Joint Cybersecurity Advisory: Ransomware Awareness for Holidays and Weekends,” (August 31, 2021).

Thursday, November 4, 2021

Money-Laundering Defined

QUESTION
We are a mid-sized mortgage broker transitioning in January to a full lender. I handle compliance, and also I’m the AML officer. 

Up until now, we have gotten by, but we did not do a test last year, and the banking department now may hold up our lender license because we didn’t do it. I need to get the test done as soon as possible and have already contacted your firm to do the AML test. 

But my main issue now is updating the written AML Program. We got it from a company that supposedly specializes in mortgage manuals, but the banking department rejected it. There are glaring policy defects they noted. 

A big issue was that the policy did not define money laundering, believe it or not. Or, it wasn't the definition they wanted. So, I want a good definition to put into our AML Program. 

What is a brief definition of money laundering?

ANSWER
Money laundering is the financial side of virtually all crimes for profit. To enjoy the illicit proceeds of their crimes, whether drug dealing, extortion, fraud, arms trafficking, terrorism, or public corruption, criminals must find a way to insert those proceeds into the stream of legitimate commerce. 

I’m glad you’re retaining us to do the Anti-Money Laundering Program test, but, as you know, you should be doing the AML test every year. It is a statutory requirement! Get onto our schedule to do it each year. 

For those who have not done the AML test, contact me HERE for information about testing, training, program, and risk assessment. 

Money laundering has dual importance. 

First, it provides the fuel that allows criminals and criminal organizations to conduct their ongoing affairs. It may seem like an easy crime to pull off – for instance, wire transfers at the touch of a computer button, the clever unbundling of large amounts of cash into bite-size chunks, the intricate movement of funds through a series of offshore shell companies. But make no mistake, it is the companion of brutality, deceit, and corruption. 

Secondly, money laundering is pernicious in its own right. It taints our financial institutions, and, where allowed to thrive, it erodes public trust in their integrity. Indeed, in an age of rapidly advancing technology and globalization, money laundering can affect trade flows and ultimately disturb financial stability. Inevitably, like the crime and corruption of which it is a necessary part, money laundering is an issue of national security. 

Thus, the pursuit of money laundering is critical because following the money is often an essential tool in investigating the underlying crimes. We have a vital interest in maintaining the integrity of our financial system. 

Here are just a few threats posed by money laundering: 

·       Fraud 

·       Drug trafficking 

·       Terrorist financing 

·       WMD proliferation financing 

·       Organized crime 

·       Human trafficking 

·       Corruption 

Numerous vulnerabilities are exploited by money laundering. Sometimes it seems that when one crook is caught, others pop right up with new money laundering schemes. Firms like ours track these schemes, but it is often very difficult for an individual financial institution to stay current on every scheme that targets its vulnerabilities. Some clients ask us to conduct an AML test quarterly or semi-annually to ensure their AML program stays current. 

I would say that the following are the salient vulnerabilities that are exploited by money laundering. 

·    Beneficial Ownership information: The lack of a requirement to collect beneficial ownership information at the time of company formation and after changes in ownership;[i] 

·    Real Estate: The lack of comprehensive AML requirements on key gatekeeper professions (e.g., lawyers) and anonymous purchases of real estate; 

·    Correspondent banking: The significant volume of foreign funds and number of transactions intermediated through U.S. correspondent banks, potentially from locations lacking AML regulation;[ii] 

·    Uneven AML obligations: The lack of comprehensive AML requirements on some financial institutions (e.g., state-chartered banks that lack a Federal functional regulator); 

·    Cash: The ubiquitous and anonymous use of U.S. currency domestically and internationally; 

·    Complicit professionals: Complicit actors in financial institutions and other businesses; 

·    Compliance weaknesses; and 

·    Digital Assets: The growing misuse of digital assets, which includes the failure of foreign jurisdictions to supervise digital asset activity effectively. 

The Financial Crimes Enforcement Network (FinCEN) defines money laundering as follows: 

“Money laundering is the process of making illegally-gained proceeds (i.e., 'dirty money') appear legal (i.e., 'clean'). Typically, it involves three steps: placement, layering, and integration. 

First, the illegitimate funds are furtively introduced into the legitimate financial system. 

Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. 

Finally, it is integrated into the financial system through additional transactions until the 'dirty money' appears 'clean.' 

Money laundering can facilitate crimes such as drug trafficking and terrorism, and can adversely impact the global economy.”[iii] [Emphasis added.] 

For a brief definition, you can't go wrong in using FinCEN's definition.

FinCEN is the Financial Intelligence Unit (FIU) of the United States and works with law enforcement and the FIUs of other countries participating in AML to curtail money laundering globally. 

Each financial institution must implement the Anti-Money Laundering Program required by the Bank Secrecy Act (BSA), including an AML Risk Assessment approved by the Board of Directors and, where the Customer Identification Program (CIP) rules apply to its type of institution, a written CIP appropriate for its size and type of business that meets the specified minimum requirements. The adequacy of an institution’s compliance with AML requirements is assessed by its regulatory agency. 

I urge you to contact me HERE to get more information about our AML compliance support. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] 31 CFR 1010.230 describes a beneficial owner as an individual who has a level of control over, or entitlement to, the funds or assets in the account that enables the individual, directly or indirectly, to control, manage or direct the account.
[ii] 31 CFR §1010.605 defines a correspondent account as an account established for a foreign financial institution to receive deposits from, or to make payments or other disbursements on behalf of, the foreign financial institution, or to handle other financial transactions related to such foreign financial institution.
[iii] https://www.fincen.gov/history-anti-money-laundering-laws
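
The laundering pattern described in the ransomware post above (“smurfing”: breaking a sum into smaller legs that move through multiple accounts before converging on the ultimate beneficiary) and the placement and layering steps in FinCEN’s definition are exactly what a transaction-monitoring rule is built to surface. The following Python is an added example written for this page; it is not code from Lenders Compliance Group, FinCEN, or any vendor. It takes a batch of transfers, groups them by beneficiary, and flags any beneficiary that receives several individually sub-threshold legs from several distinct senders inside one time window whose aggregate crosses the threshold. The $10,000 threshold, the 72-hour window, the minimum leg and sender counts, and every account name, timestamp, and amount in the sample batch are assumptions constructed for the demonstration, not figures taken from the posts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime        # settlement time
    sender: str         # originating account or CVC address
    beneficiary: str    # receiving account or CVC address
    amount: float       # value in one reference currency


@dataclass(frozen=True)
class Alert:
    beneficiary: str
    legs: tuple         # the sub-threshold transfers that make up the structure
    total: float
    senders: frozenset


def find_structuring(transfers, threshold=10_000.0, window_hours=72,
                     min_legs=3, min_senders=2):
    """Flag beneficiaries that receive `min_legs` or more sub-threshold transfers
    from `min_senders` or more distinct senders inside a `window_hours` window
    whose sum reaches `threshold`. Returns one Alert per flagged beneficiary,
    for the window with the largest aggregate. All parameter values are assumed.
    """
    window = timedelta(hours=window_hours)
    by_beneficiary = defaultdict(list)
    for t in transfers:
        # a leg at or above the threshold is reportable on its own and is not
        # what a structurer sends, so it is left out of the candidate windows
        if t.amount < threshold:
            by_beneficiary[t.beneficiary].append(t)

    alerts = []
    for beneficiary, legs in by_beneficiary.items():
        legs.sort(key=lambda t: t.ts)
        best = None
        for i, first in enumerate(legs):
            # candidate window: this leg plus every later leg that settles within `window`
            group = [t for t in legs[i:] if t.ts - first.ts <= window]
            total = sum(t.amount for t in group)
            senders = frozenset(t.sender for t in group)
            if len(group) < min_legs or len(senders) < min_senders or total < threshold:
                continue
            if best is None or total > best.total:
                best = Alert(beneficiary, tuple(group), total, senders)
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample batch (not real data): accounts, times and amounts are invented.
T0 = datetime(2021, 11, 1, 9, 0)
SAMPLE_TRANSFERS = [
    # four sub-threshold legs from four "smurfs" converging on one address within 48 hours
    Transfer(T0,                       "acct-A", "addr-perp",    2_900.0),
    Transfer(T0 + timedelta(hours=6),  "acct-B", "addr-perp",    3_100.0),
    Transfer(T0 + timedelta(hours=30), "acct-C", "addr-perp",    2_800.0),
    Transfer(T0 + timedelta(hours=47), "acct-D", "addr-perp",    2_950.0),
    # a single transfer above the threshold: reportable on its own, but not structuring
    Transfer(T0 + timedelta(hours=2),  "acct-E", "addr-vendor", 15_000.0),
    # two legs whose aggregate stays under the threshold
    Transfer(T0 + timedelta(hours=3),  "acct-F", "addr-rent",    6_000.0),
    Transfer(T0 + timedelta(hours=4),  "acct-G", "addr-rent",    3_000.0),
    # one sender paying the same account every ten days: outside a 72-hour window
    Transfer(T0,                       "acct-H", "addr-savings", 4_000.0),
    Transfer(T0 + timedelta(days=10),  "acct-H", "addr-savings", 4_000.0),
    Transfer(T0 + timedelta(days=20),  "acct-H", "addr-savings", 4_000.0),
]


if __name__ == "__main__":
    for a in find_structuring(SAMPLE_TRANSFERS):
        print(f"{a.beneficiary}: {len(a.legs)} legs from {len(a.senders)} senders, "
              f"total {a.total:,.2f}")
```

With the defaults, only `addr-perp` is flagged: four legs from four senders totaling 11,750 inside 48 hours. The other three beneficiaries show why each parameter exists: `addr-vendor` received a single above-threshold transfer, `addr-rent` received only two legs whose sum stays under the threshold, and `addr-savings` receives a recurring payment from one sender spaced ten days apart. Lowering `min_senders` to 1 catches a single account splitting its own deposits, and widening the window catches slower structuring, but both changes also flag ordinary recurring payments like the `acct-H` series, so the parameters should be tuned against the institution’s own transaction profile rather than copied from this example.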