
Wednesday, December 29, 2021

Fair Lending: Pricing Discrimination

QUESTION

We have a fair lending examination that is going to start in mid-January. Our state banking department is doing it. However, our General Counsel has told us that the CFPB is also interested in our case. Everyone is getting anxious. We’ve been working over the holidays to prepare for the examination. 

What area of fair lending should we expect the banking department to audit?

ANSWER

First and foremost, as the year 2021 draws to a close, I want to express my thanks to our readership for their interest in our weekly Mortgage FAQs newsletter. The questions you have asked throughout the year show a deep and devoted concern for strong, steadfast compliance initiatives. May the coming year bring you good health, joy, and prosperity!

Many companies get anxious about a forthcoming banking examination. The fair lending examination is no exception, and, like most such audits, preparation is essential. When it comes to banking or CFPB examinations, it is best to be as prepared as possible.

You may be unprepared for a fair lending examination if you are not periodically getting a fair lending review, such as we offer, thereby ensuring that potential fair lending violations are noted. Please contact us for fair lending assistance.

For fair lending examinations, generally, state banking departments are aligned with the CFPB’s assessment criteria in its fair lending supervision program, to wit, among other things, compliance with the Equal Credit Opportunity Act (ECOA)[i] and its implementing regulation, Regulation B,[ii] as well as the Home Mortgage Disclosure Act (HMDA)[iii] and its implementing regulation, Regulation C.[iv]

In preparing for the fair lending examination, I suggest you carefully review the potential for pricing discrimination. Let’s look at this examination subject.

The ECOA prohibits a creditor from discriminating against any applicant with respect to any aspect of a credit transaction based on race or sex.[v]

It is a “known known” that regulators have observed that mortgage lenders have violated ECOA and Regulation B by discriminating against African American and female borrowers in granting pricing exceptions based upon competitive offers from other institutions. Pricing disparities may be found in the failure of a lender’s loan officers to follow the lender’s policies and procedures concerning pricing exceptions for competitive offers, the lender’s lack of oversight and control over their loan officers’ use of such exceptions, and management’s failure to take appropriate corrective action surrounding self-identified risks.

There have been examination findings where lenders maintained policies and procedures permitting their mortgage loan officers to provide pricing exceptions for consumers – including pricing exceptions for competitive offers – but did not specifically address the circumstances where a loan officer could provide pricing exceptions in response to competitive offers. Instead, the lenders relied on managers to promulgate a verbal policy that a consumer must initiate or request a competitor price match exception.

In particular, examiners have identified certain lenders that show statistically significant disparities for the incidence of pricing exceptions for African American and female applications compared to similarly situated non-Hispanic white and male borrowers. It is worth noting that examiners have not identified evidence explaining the disparities observed in the statistical analysis. Rather, examiners identified instances where lenders provided pricing exceptions for a competitive offer to non-Hispanic white and male borrowers with no evidence of customer initiation.

Furthermore, examiners have noted that lenders fail to retain documentation to support pricing exceptions. Our firm has drafted policies, procedures, and forms for maintaining appropriate documentation for all pricing exceptions. You should do so! If you need compliance support, contact us HERE.

During the examination, examiners may determine that a lender’s fair lending monitoring reports and even the business line personnel raise fair lending concerns relating to the lack of documentation to support pricing exception decisions. We know this because, despite such concerns, lenders have been cited for not improving the processes or documenting customer requests to match competitor pricing during the review period. When that happens, the banking department and the CFPB expect the lender to undertake remedial and corrective actions regarding these violations.

Jonathan Foxx, Ph.D., MBA
Chairman and Managing Director
Lenders Compliance Group

_________________________

[i] 15 U.S.C. §§ 1691-1691f
[ii] 12 C.F.R. pt. 1002
[iii] 12 U.S.C. §§ 2801-2810
[iv] 12 C.F.R. pt. 1003
[v] 15 U.S.C. § 1691(a)(1). The ECOA also prohibits a creditor from discriminating against any applicant, with respect to any aspect of a credit transaction, on the basis of color, religion, national origin, marital status, or age (provided the applicant has the capacity to contract), because all or part of the applicant’s income derives from any public assistance program, or because the applicant has in good faith exercised any right under the Consumer Credit Protection Act, 15 U.S.C. § 1691(a).

Wednesday, December 22, 2021

Mother of All Computer Bugs

QUESTION
I hate to be the bearer of bad tidings right before Christmas, but I would like you to put my question on top of the others since this concerns a worst-case scenario of cybersecurity and ransomware. I am with a large regional mortgage lender, and I am the company’s CISO. 

On December 20th, The Washington Post reported that a new bug was discovered called “log4j.” It was found on December 9th. This is like the mother of all computer bugs!

The article says that cloud storage companies such as Google, Amazon, and Microsoft – companies that provide the digital backbone for millions of other apps – are affected. Giant software sellers are affected, too, such as IBM, Oracle, and Salesforce. And, devices that connect to the Internet (i.e., TVs and security cameras) have been hit. Hackers can get into digital spaces and steal information or plant malicious software. This bug is virtually everywhere and affects billions of computers. 

We anticipate that ransomware attackers will now have a new way to break into computer networks and freeze out their owners. I really think you should put back up the links to your Ransomware policies and checklists. 

Banks or mortgage companies, big and small, accepting cryptocurrencies are also affected because they will be targeted and asked to send millions in cryptocurrency to hackers or risk being locked out of their computers indefinitely and exposing their sensitive information. 

My question is, Would you provide your readership with information from the government agency that monitors and advises the public about this threat?

ANSWER
Thank you for your timely question. Given the urgency, I have prioritized it for a response. I am grateful that you have contacted us to assist in making our readership aware of this immense computer threat.

The computer bug, “log4j,” allows hackers to access deep into systems, cutting past all the typical defenses software companies use to block attacks. 

The article you cite is "The ‘most serious’ security breach ever is unfolding right now. Here’s what you need to know." It was published in The Washington Post on December 20th.  

The article quotes Jen Easterly, the Director of the U.S. Cybersecurity and Infrastructure Security Agency, saying, “The log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.” You can watch Director Easterly’s interview HERE.

According to the article, “The fact that log4j is such a ubiquitous piece of software is what makes this such a big deal. Imagine if a common type of lock used by millions of people to keep their doors shut was suddenly discovered to be ineffective. Switching a single lock for a new one is easy, but finding all the millions of buildings that have that defective lock would take time and an immense amount of work.” 

Because you are the Chief Information Security Officer (CISO), the remit of your undertaking is to implement the information security program, which includes the requirements to protect system assets from internal and external threats. 

The CISO has a direct responsibility to maintain the company’s security posture, which is a different task than required of the Chief Information Officer (CIO), a position that involves oversight and managing the overall systems. The CISO and CIO work together. The former is engaged in the hands-on, precise application of cybersecurity initiatives. The latter maintains the overall system comprehensiveness and usually reports to top management and the board of directors. 

As of today’s date, the bug is careening through millions of computers and degrading millions of enterprise systems and Cloud services. You mentioned the threat of ransomware attacks. Indeed, I have written extensively about them as well as cybersecurity. You can read some of my posts, such as:

I have published articles and White Papers on cybersecurity guidelines, one of which concerns the cybersecurity guidelines promulgated by the New York Department of Financial Services (DFS). The regulation took effect on March 1, 2017, and is continuously updated. The DFS has provided a model for cybersecurity guidelines in many state banking departments. For an overview, I suggest you download my article Cybersecurity Guidelines - "First-In-The-Nation" Regulation. Consider implementing similar requirements.

We provide a free Ransomware checklist. We also offer exceptional and reasonably priced policies and procedures for Ransomware as well as Cybersecurity. For more information, visit our website.

Short of letting the engineers figure out how to stop the bug, people can take several precautions, such as avoiding phishing emails that trick you into clicking a link or opening an attachment. This new bug vulnerability means that computers will be hit with many such messages as hackers plant malicious code before the computer gets a corrective patch. Also, be sure that the computer’s operating system and apps are updated. 

The government agency monitoring the log4j bug is the Cybersecurity and Infrastructure Security Agency (CISA). CISA has published Emergency Directive 22-02, Mitigate Apache Log4j Vulnerability.

The agency has a continuously updated and highly technical log4j webpage. However, the webpage does provide an Additional Resources section which provides helpful guidance, such as CISA’s Cyber Essentials.

I suggest that senior management review Questions Every CEO Should Ask About Cyber Risks.

Also, I recommend FFIEC's Information Security Booklet, in the Information Technology Examination Handbook. Amongst the many tools provided by FFIEC, the Cybersecurity Assessment Tool helps to identify cyber-risks and determine cybersecurity preparedness.

Jonathan Foxx, Ph.D., MBA

Chairman & Managing Director
Lenders Compliance Group

Thursday, December 16, 2021

Working from an Unlicensed Remote Office

QUESTION
Due to the pandemic, most of our loan officers moved to remote. Basically, they work from home. 

Some of them have come back to the office, but most prefer to work from their home office. Our management has no problem with this arrangement. Whatever works and is safe – that’s management’s view. But their homes are not licensed locations. 

However, our banking department is starting to take the view that there are certain features of licensing that may require their home offices to be licensed. We are concerned. 

What would you say are the types of home office situations for our remote loan officers that require licensing requirements?

ANSWER
Indeed, some banking departments have begun to monitor remote locations for possible licensing violations. Generally, this comes under the rubric of telecommuting as it relates to licensing requirements. 

Telecommuting is a catchall phrase for financial services activities taken by employees on behalf of their employers through the Internet, email, telephone, or direct mail. In such cases, an employee makes contact with potential applicants or consumers in person, by phone or email, or through direct mail while, at all times, representing their business location as a licensed office of the individual’s employer. 

That configuration can come up against a banking department’s rule that a mortgage broker or mortgage lender may only engage in covered activities at any location for which it holds a license. That said, I have noticed that many banking departments are fully aware of the challenges caused by the pandemic. There seems to be an understanding that technological changes, such as remote computing, are continuing trends that grow unabatedly. So, the departments are grappling with how to balance their licensing rule while ensuring that opportunities to work in non-commercial locations are acceptable under certain conditions. 

There’s not much debate about applying business location licensing requirements in instances where an individual employee or the individual’s employing company does not indicate that the employee is engaging in particular financial services activities on behalf of the licensee at any unlicensed location. 

I would suggest that at least three remote practices implicate licensing requirements, as follows:

 

1. Advertising, or including within any business documents or forms (except in documents used in communications directly between the individual employee and their employer), an address that is not a licensed business location;

 

2. Advertising, making available to the general public, or including within any business documents or forms (except in documents used in communications directly between the individual employee and their employer), a telephone number in a manner that indicates an employee conducts activities at a place other than a licensed business location (i.e., using a published residential telephone number in promotions); and,

 

3. Representing, in any manner, directly or indirectly, a location at which financial services activity on behalf of the licensee may occur if such representation indicates the activity would occur at an unlicensed location or would mislead a consumer to believe an unlicensed location is an authorized location from which the employee or their employer conducts licensable financial services activity. 

I would also suggest, at minimum, three cautionary practices need to be implemented for the unlicensed, remote locations, as follows:

 

1. Data security requirements should include provisions for the employee to access the company’s secure origination system from any out-of-office device the employee uses through the use of a VPN or other system that requires passwords or identification authentication. The company is responsible for maintaining any updates or other requirements to keep information and devices secure;

 

2. Neither the employee nor the company is to do any act that would indicate or tend to indicate that the employee is conducting business from an unlicensed location. Such acts include but are not limited to:


a. Advertising in any form, including business cards and social media, the unlicensed residence address or landline telephone or facsimile number associated with the unlicensed residence;


b. Meeting consumers at, or having consumers come to, an employee’s unlicensed residence;


c. Holding out in any manner, directly or indirectly, by the employee or company licensee, the residence address that would suggest or convey to a consumer that the residence is a licensed location for conducting licensable activities; and,

 

3. Employees and companies must exercise due diligence in safeguarding company and customer data, information and records, whether in paper or electronic format, and protecting them against unauthorized or accidental access, use, modification, duplication, destruction, or disclosure.

 

Finally, I suggest a separate policy and procedures for telecommuting. You should train on the document, provide it to the affected employee, and require an attestation of receipt thereof from the employee involved in telecommuting activities.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

Thursday, December 9, 2021

Revising Closing Disclosures

QUESTION
Our banking department wrote us up for not complying with the timeline requirements for the revised Closing Disclosure. 

Our view was that providing a corrected Closing Disclosure extends the period a consumer may rescind a loan or take action for a TILA violation. That view came from our attorney. He now agrees with the banking department. 

We want a straight answer to our question to find out who is right. 

Does providing a corrected Closing Disclosure extend the period when a consumer may rescind a loan or take an action for a TILA violation?

ANSWER
Regulation Z, the implementing regulation of the Truth in Lending Act (TILA), generally[i] requires a Loan Estimate (LE) and then a Closing Disclosure (CD) for residential mortgage loans. The creditor is responsible for ensuring that the consumer receives the CD no later than three business days before consummation and that the CD meets TILA’s content, delivery, and timing requirements. 

If the CD becomes inaccurate before consummation, the creditor must provide corrected disclosures reflecting any changed terms, so the consumer receives a corrected CD at or before consummation. 

If the creditor makes any of three significant changes between the time the CD is given and consummation, the creditor must provide a new CD and an additional 3-business-day waiting period before consummation. 

The three changes are: 

(1) the disclosed APR becomes inaccurate, specifically, it is more than 1/8 of one percent (1/4 of one percent for a loan with irregular payments or periods) above or below the actual APR;

(2) the loan product is changed, causing the loan product disclosed on the first page of the CD to become inaccurate; or 

(3) a prepayment penalty is added, causing the prepayment penalty statement in the Loan Terms table on the first page of the CD to become inaccurate.

Less significant changes can be disclosed on a revised CD received by the consumer at or before consummation without delaying the closing.

Clerical errors discovered after consummation are subject to redisclosure. No later than 60 calendar days after consummation, a creditor must provide a revised CD to correct non-numerical clerical errors and document refunds for tolerance violations. 

What is a clerical error? An error is “clerical” if it does not affect a numerical disclosure and does not affect the timing, delivery, or other requirements for the CD. 

During the 30-day period after consummation, if an event causes the CD to become inaccurate and the inaccuracy results in a change to an amount actually paid by the consumer from that disclosed, the creditor must deliver or place in the mail a corrected CD no later than 30 days after receiving information sufficient to establish that the event has occurred. 

A creditor is not required to provide a corrected CD (or a refund) for any per diem interest disclosure considered accurate under Regulation Z § 1026.17(c)(2)(i), that is, if the CD were based on the best information reasonably available at the time it was provided, even if the amount actually paid by the consumer differed from the amount disclosed.[ii] 

Having set forth some of the basics, I will answer your question about whether giving a corrected CD extends the period during which a consumer may rescind a loan or bring an action for a TILA violation.

A recent case decided in a Hawaiian federal district court offers a resolution to your question. 

In Mathias v. HomeStreet Bank, Inc.,[iii] Mathias took out a $276,250 mortgage loan in 2009 with HomeStreet Kapolei to purchase a lot. On March 1, 2018, Mathias signed a 30-year note and mortgage with HomeStreet Bank to refinance the earlier loan. 

On April 18, 2018, HomeStreet Bank provided a revised CD that updated certain loan terms, including changing the closing date from March 1 to March 2. 

On March 22, 2021, Mathias sued to rescind the 2018 loan. He contended that the 3-year period for rescinding his loan because of TILA violations started running on April 18, 2018, the day he was given a revised CD. 

Not so, said the court, because his claim was time-barred since his right to rescind had expired before he filed his lawsuit. The parties did not dispute that Mathias had executed the loan – at the latest – on March 2, 2018. Accordingly, the right to rescind had expired several weeks before Mathias filed his lawsuit on March 22, 2021. 

The plain language of the TILA statute makes clear that the time period for exercising rescission does not restart if a creditor provides disclosures after the loan has been consummated, to wit, the statute states that “[a]n obligor’s right of rescission shall expire three years after the date of consummation of the transaction … .” 

So what is the takeaway from the Mathias case? 

Clearly, Mathias did not notify the creditor in writing of his intent to rescind until he filed the complaint to begin his court action. Had he done so before March 2, 2018, his suit most likely would have been timely. The U.S. Supreme Court, in Jesinoski v. Countrywide Home Loans, Inc.,[iv] held that a borrower need not file suit within the 3-year period so long as the borrower notified the creditor of their intent to rescind within the 3-year period. 

TILA states explicitly that a borrower “shall have the right to rescind … by notifying the creditor, in accordance with regulations of [the CFPB], of his intention to do so.” Regulation Z § 1026.23(a)(2) allows the consumer to exercise the right to rescind “by mail, telegram or other means of written communication” and provides that “[n]otice is considered given when mailed, when filed for telegraphic transmission or, if sent by other means, when delivered to the creditor’s designated place of business.” TILA does not also require the consumer to sue within three years. 

Granted, if an action is filed after the 3-year period, an issue may arise as to how much time is allowed for filing. Some courts have applied the 1-year limitation on actions contained in TILA § 130(e). As the CFPB suggested in amicus curiae briefs filed in numerous actions, others may apply borrowing doctrines to find an analogous limitation on actions.[v] 

Mathias included a TILA claim for statutory damages—for failing to notify him of his right to cancel. The court also found this claim time-barred by TILA’s 1-year limitation on actions for statutory damages, which ran from the date of the occurrence of the disclosure violation (i.e., the date of closing).

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
_______________________________
[i] TILA-RESPA Integrated Disclosure (TRID) rule: loans not covered by TRID are home-equity lines of credit, reverse mortgages, mortgages secured by a mobile home or dwelling not attached to land, no-interest second mortgage made for down payment assistance, energy efficiency or foreclosure avoidance, and loans made by a creditor who makes five or fewer mortgages in a year.
[ii] Regulation Z Comment 19(f)(2)(iii)-2
[iii] Mathias v. HomeStreet Bank, Inc., 2021 U.S. Dist. (D. Haw. June 21, 2021), and after amended complaint.
[iv] Jesinoski v. Countrywide Home Loans, Inc., 135 S. Ct. 790 (2015).
[v] For example, in Hoang v. Bank of America, 910 F.3d 1096 (9th Cir. 2018), the 9th Circuit applied what it found to be the most analogous state law statute of limitation - Washington State’s 6-year statute of limitation under general contract law for a written agreement, and in Mitchell v. Deutsche Bank Nat’l Trust Co., 714 Fed. Appx. 739 (9th Cir. 2018), the 9th Circuit applied the State of California’s 4-year statute of limitation for rescission of a contract. This question was not before the Supreme Court in Jesinoski, and that Court has not yet addressed the issue.

Thursday, December 2, 2021

Evaluating Credit History and Immigration Status

QUESTION
We are a small bank with one compliance manager: me. I have been tasked with setting policy for the rules involving the review of a mortgage loan applicant’s credit history. Also, I need to add a section to our guidelines for considering the immigration status of an applicant. 

What rules do we need to comply with involving an applicant's credit history? 

And, what rules should be followed for considering the immigration status in evaluating an applicant? 

ANSWER
Thanks for your question. It is a bit sparse in details, so I will provide a generic response. If you want to discuss it in more detail, you can contact me HERE.

To your first question about the rules for consideration of credit history in the evaluation of an applicant, I set forth this caveat: my response is based on evaluating the creditworthiness of similarly qualified applicants for a similar type and amount of credit. 

A creditor may restrict the types of credit history and credit references that it will consider as long as the restrictions apply to all credit applicants without regard to sex, marital status, or any other prohibited basis. When an applicant requests, the creditor must consider credit information not reported through a credit bureau when the information relates to the same types of credit references and history that the creditor would consider if reported through a credit bureau. 

Using the Equal Credit Opportunity Act as a guide,[i] there are three specific rules in determining an applicant’s creditworthiness. 

The rules are:

 

(1) The credit history, when available, of accounts designated as accounts that the applicant and the applicant’s spouse are permitted to use or for which both are contractually liable;

 

(2) If an applicant so requests, any information the applicant may present that tends to indicate that the credit history being considered by the creditor does not accurately reflect the applicant’s creditworthiness; and,

 

(3) If the applicant so requests, the credit history, when available, of any account reported in the name of the applicant’s spouse or former spouse that the applicant can demonstrate accurately reflects the applicant’s creditworthiness.

 

With respect to the rules concerning the consideration of immigration status in the evaluation of an applicant, a creditor may consider the applicant’s immigration status or status as a permanent resident in the United States, and any additional information that may be necessary to ascertain the creditor’s rights and remedies regarding repayment.[ii] 

For example, in considering immigration status, a creditor may differentiate between a non-citizen who is a long-time resident with permanent resident status and a non-citizen who is temporarily in the United States on a student visa.[iii] 

It is not discriminatory based on national origin to deny credit on the ground that the applicant is not a U.S. citizen;[iv] however, if this scenario occurs, I strongly urge that you confer with a compliance professional for guidance. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director

Lenders Compliance Group
____________________________
[i] 12 CFR § 202.6(b)(6)
[ii] Idem. § 202.6(b)(7)
[iii] 12 CFR Supplement I to part 202 – Official Staff Interpretations § 202.6(b)(7)-1
[iv] 12 CFR Supplement I to part 202 – Official Staff Interpretations § 202.6(b)(7)-2