TOPICS

Thursday, June 30, 2022

SAFE Act Policy Dilemma

QUESTION 

We are a small mortgage broker up in the Pacific Northwest. The banking department here cited us for not having a policy for the SAFE Act. Aside from being blindsided by them, we honestly have no idea what should be in such this policy. 

Your firm has a reputation for having really good policies that the regulators like. So many companies offer policies that it is confusing to choose the best one, and their prices are all over the place and ridiculously high. Some of them will give us policies "free" if we sign up with them for their compliance services. 

I guess we're asking you to tell us what to do. We need to know at least what goes into a SAFE Act policy. I realize you probably sell the policy, but hopefully, you will tell us some of the basics. 

What are some basic features of a good SAFE Act policy? 

ANSWER 

For many years I have railed against companies that provide the one-size-fits-all policies. There are all sorts of deals out there, and it is caveat emptor ("let the buyer beware") all the way! 

I have an old friend who is a high-level regulator. He tells me that his field examiners keep track of policies that are the same from shop to shop but have different company names stated on the policies. 

My term for these policy vendors is Mortgage Policy Mills. And, yes, some companies give out policies as a shill to get the buyer into becoming a client of their other services. Their templated policies are known to regulators, and it's not a good look. 

From the regulator's point of view, when they see the same policy in your shop that they already saw at another shop, it makes them think that you are not serious about implementing the policy guidelines. In some cases, it makes the regulator test to see if you are doing what your policy says you are doing. It is not a smart idea to go in that direction. 

Yes, we have a SAFE Act policy. There are no strings attached. And it is affordable. But the most important thing is that we work with you to ensure it conforms to your business model. Just contact us HERE, and we'll be in touch. 

Under the S.A.F.E. Mortgage Licensing Act (SAFE),[i] institutions that employ one or more mortgage loan originators must adopt and follow written policies and procedures designed to assure compliance with the Nationwide Multistate Licensing System ("NMLS" or "Registry") rules. 

These policies and procedures must be appropriate to the nature, size, complexity, and scope of the mortgage lending activities of the institution and apply only to those employees acting within the scope of their employment at the institution. 

In my view, at a minimum, these policies and procedures must: 

·     Establish a process for identifying which employees must be licensed or registered mortgage loan originators; 

·     Require that all employees who are mortgage loan originators be informed of the licensing and registration requirements of the SAFE Act and the Registry rules and be instructed on how to comply with such requirements and procedures; 

·     Establish procedures to comply with the unique identifier requirements;[ii] 

·     Establish reasonable procedures for confirming the adequacy and accuracy of employee registrations, including updates and renewals, by comparisons with its own records; 

·     Establish reasonable procedures and tracking systems for monitoring compliance with registration and renewal requirements and procedures; 

·     Provide for independent testing for compliance with the Registry rules to be conducted at least annually by institution personnel or by an outside party; 

·     Provide for appropriate action in the case of any employee who fails to comply with the licensing and registration requirements of the SAFE Act, the Registry rules, or the institution's related policies and procedures, including prohibiting such employees from acting as mortgage loan originators or other appropriate disciplinary actions; 

·     Establish a process for reviewing employee criminal history background reports received under the Registry rules, taking appropriate action consistent with applicable federal law and implementing regulations with respect to these reports, and maintaining records of these reports and actions taken regarding applicable employees; 

·     Establish procedures to ensure that any third party with which the institution has arrangements related to mortgage loan origination has policies and procedures to comply with the SAFE Act, including appropriate licensing and/or registration of individuals acting as mortgage loan originators. 

Finally, be sure you have properly defined who is a mortgage loan originator and, therefore, which individuals within your organization must be licensed or registered.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 12 CFR § 1007.104 - Policies and Procedures

[ii] See § 1007.105

Thursday, June 23, 2022

Suspicious Activity and Elder Financial Abuse

QUESTION 

Our bank caters to older people, so-called seniors and elders. As a group, these customers are 65 and older. We are located in a state where the senior and elderly population is about 20% of the population, which is the highest percentage in the country. 

Not a week goes by when we don’t have alarm bells going off because one of our elderly customers seems to be getting financially exploited. It is harrowing and unnerving. You would not believe the types and number of scams. It is so frustrating I could scream! 

I’m just a lowly branch manager. I have taken the BSA/AML employee training. But I am required to pass these situations up to our compliance people, who do a great job of resolving the issues. I believe they file SARs with FinCEN, too. Although compliance does a great job, I want to have my own list of Red Flags. 

You’ve written about elder financial abuse and even provided some Red Flags. But I would like to spot behavioral and financial activities. I would be very grateful if I could get a list of such Red Flags.

What are some Red Flags for elder financial abuse?

ANSWER 

For many years, I have written about elder financial exploitation. I have spoken at conferences, interviewed, been a podcast guest, and provided many checklists and Red Flag templates. Yet the situation keeps getting worse. Often, I feel like the proverbial Dutch boy with his finger in the dike, but I am only one person. 

Here’s an article with downloads and links to some of my writing on this subject. 

I’ve been so concerned about Elder Financial Exploitation that my firm developed and added the EFE Tune-up® to our Compliance Tune-up® series. Now, our clients have an additional tool to fight back at the crooks and scammers. Click HERE to request information about the EFE Tune-up®. 

What is there in human nature that drives a person to take advantage of an older adult? 

Our audits and reviews have encountered horrific elder financial abuse over the years. I recall one older gentleman left bereft of his money and virtually all other earthly assets by his son’s greedy, avaricious actions. Others in his family jumped into the feeding frenzy. His financial advisor came to us through a bank referral for a due diligence review of the excessive cash-out refinancing of his home. This man was of sound mind and body. But he was old, and age often brings many cognitive, emotional, and physical challenges. An older person can be easily preyed upon by corrupt family, friends, professionals, and strangers. 

Sad to say, but the clown in Hamlet got it about right when he said 

“Age, with his stealing steps,

Hath clawed me in his clutch.”[i] 

In 2021, financial institutions filed 72,000 Suspicious Activity Reports (SARs) related to EFE.[ii] This represents an increase of 10,000 SARs over the previous year’s filings. The Consumer Financial Protection Bureau’s (CFPB’s) estimate of the dollar value of suspicious transactions linked to EFE has similarly increased from $2.6 billion in 2019 to $3.4 billion in 2020. This is the largest year-to-year increase since 2013.[iii] 

I appreciate that you have asked for Red Flags based on behavior and financial actions. My firm has placed these Red Flags into a dynamic Behavioral and Financial Red Flags Checklist, which includes SAR filing instructions. Later on, I will give you a link to request it. As a courtesy to you, it’s free. 

Because you are a branch manager, you are often on the “front lines” of first noticing elder financial exploitation, categorized by the Financial Crimes Enforcement Network (FinCEN) as “EFE.” FinCen has been tracking EFE for many years. Recently, it issued an Advisory on Elder Financial Exploitation (“Advisory”).[iv] I am going to discuss some aspects of this Advisory because of its outlining of behavioral and financial Red Flags. The last time FinCEN came out with typologies and Red Flags goes back to 2011. 

But remember, crooks come in many guises, and their scams seem always to be one step ahead of the law. 

Broadly speaking, FinCEN defines EFE as an act that involves the illegal or improper use of an older adult’s funds, property, or assets and is often perpetrated either through theft or scams. 

EFE schemes generally involve either theft or scams. The perpetrators of elder theft are often known and trusted by older adults, but many scams, which can disproportionally affect older adults, frequently involve fraudsters, usually located outside of the United States, with no known relationship to their victims. Regardless of the relationship, these criminals can place older adults in financially, emotionally, and physically compromising situations. The resulting loss of income and life-long earnings devastates the victims’ financial security, dignity, and quality of life. 

Let’s bifurcate the way the crooks go about preying on the elderly. One way is through elder theft. The other is through elder scams. 

In the case of elder theft, perpetrators are often family members and non-family caregivers who abuse their relationship and position of trust. In 2019, FinCEN analyzed a statistically significant, random sampling of SAR narratives. It found that a family member was involved in the theft of assets from older adults in 46% of elder theft cases reported between 2013 and 2019. Unfortunately, the trusted persons who commit elder theft can also include familiar associates and acquaintances, such as neighbors, friends, financial services providers, other business associates – or even those in routine proximity to the victims. 

According to the Advisory, elder theft often follows a similar methodology: “trusted persons may use deception, intimidation, and coercion against older adults to access, control, and misuse their finances.” The financial abuser frequently exploits victims’ reliance on support and services and “takes advantage of any cognitive and physical disabilities or environmental factors such as social isolation to establish control over the victims’ accounts, assets, or identity. 

The abuse takes many forms, including the exploitation of legal guardianship and power of attorney arrangements or fraudulent investments such as Ponzi schemes. Thus, older adults are stripped of their income and retirement savings. 

It bears repeating, these relationships enable trusted persons to continuously abuse the elderly victims “by liquidating savings and retirement accounts, stealing Social Security benefit checks and other income, transferring property and other assets, or maxing out credit cards in the name of the victims until most of their assets are stolen.” 

Elder scams are a conglomeration of criminals defrauding victims into sending payments and disclosing personal identifiable information (PII) under false pretenses or for a promised benefit or good the victims will never receive. These scammers are often located outside the United States and have no known previous relationship with the victims.

Friday, June 17, 2022

Adverse Action Conundrum

QUESTION 

I have been told conflicting advice about the adverse action notice. Supposedly, these are people who are in the know. However, I am a compliance manager with no staff and don’t have a clear answer to my concerns. 

First, I want to know what information I need from a credit bureau to issue an adverse action notice. 

Secondly, I want to know what information I need from third parties that are not credit bureaus for me to issue the adverse action notice. 

Third, and the biggest issue for me, I want to know who we should notify when multiple applicants are on a loan application. I say this is the biggest issue because this is the one on which I get a lot of conflicting advice. 

So, here are my questions. 

What is required for adverse action based on credit bureau information? 

What is required for adverse action based on third parties? 

And, who is supposed to get the adverse action notice when the loan is for multiple applicants? 

ANSWER 

You are not alone in feeling some consternation. Many compliance professionals express some confusion about the notification requirements of adverse action. Section 615 of the Fair Credit Reporting Act (FCRA)[i] requires lenders to provide adverse action notices in cases where information from a consumer reporting agency is used and instances where information from other third parties is used to make the adverse credit decision. 

If you use a consumer credit report to take any type of adverse action that is based at least in part on information contained in a consumer report, you are required by the FCRA[ii] to notify the consumer. The notification may be in writing, orally, or by electronic means. 

You may already be familiar with what the notice must contain, such as: 

·      A numerical credit score[iii] used in taking any adverse action based in whole or in part on any information in a consumer report along with the following related information:[iv] 

o   The range of possible credit scores under the model used;

o   All of the key factors that adversely affected the credit score of the consumer in the model used, not to exceed four;

o   The date on which the credit score was created; and

o   The name of the person or entity that provided the credit score or credit file upon which the credit score was created. 

However, the adverse action notice must also include the following: 

-  The name, address, and telephone number of the credit reporting agency (CRA) (including a toll-free telephone number, if it is a nationwide CRA) that provided the report;

-  A statement that the CRA did not make the adverse decision and cannot explain why the decision was made;

-  A statement setting forth the consumer’s right to obtain a free disclosure of the consumer’s file from the CRA if the consumer requests the report within 60 days; and

-  A statement setting forth the consumer’s right to dispute directly with the CRA the accuracy or completeness of any information provided by the CRA. 

I suggest you review the model adverse action forms in Appendix C of Regulation B, the implementing regulation of the Equal Credit Opportunity Act (ECOA), which include model language for making the above disclosures, including the credit score information. 

Your second question is about adverse action notices based on information obtained from third parties that are not CRAs. I would add affiliates to that category. When a lender denies (or increases the charge for) credit for personal, family, or household purposes based either wholly or partly on information from a person other than a consumer reporting agency (such as a credit bureau), the FCRA[v] requires that the institution clearly and accurately discloses to the consumer their right to obtain disclosure of the nature of the information that was relied on by making a written request within 60 days of notification. The financial institution must provide the disclosure within a reasonable period of time following the consumer’s written request. 

You may take an adverse action involving insurance, employment, or a credit transaction initiated by the consumer, based on information of the type covered by the FCRA. If this information was obtained from an entity affiliated with the institution by common ownership or control, the FCRA[vi] requires the financial institution to notify the consumer of the adverse action. The notification must inform the consumer that they may obtain a disclosure of the nature of the information relied on by making a written request within 60 days of receiving the adverse action notice. And if the consumer makes such a request, the financial institution must disclose the nature of the information no later than 30 days after receiving the request. The applicable section of the FCRA[vii], however, does not cover information obtained directly from an affiliated entity relating solely to its transactions or experiences with the consumer and information from a consumer report obtained from an affiliate. 

Finally, you wanted to know about disclosing the adverse action notice where multiple applicants are on a loan application. The answer invokes both Regulation B as well as the Fair Trade Commission’s interpretation of the FCRA. In some cases, the rules of Regulation B regarding who must be provided the adverse action notice will differ from the rules under the FCRA. This is due to a Federal Trade Commission interpretation of Section 615(a) of the FCRA. The explanation is going to be a bit nerdy, but hang in there! 

Section 615(a) of the FCRA requires that “any consumer,” with respect to whom adverse action is taken, must receive the disclosures mandated by this section if that action is based “in whole or in part” on information from a consumer report. In the FTC’s view, the plain language “any consumer” includes a co-applicant. Neither the applicable section of Regulation B[viii] nor the combined disclosure permitted in Appendix C remove or modify that requirement for co-applicants. The objective of the combined disclosures permitted by the Federal Reserve Board in Appendix C to Regulation B is only to simplify the paperwork involved in making ECOA and FCRA notifications to a single applicant, where both are required – for instance, where the action by the creditor is both adverse to the applicant (ECOA) and is based in whole or in part on information from that applicant’s consumer report (FCRA).

Thursday, June 9, 2022

War of the Trusts: Identifying a Business Purpose Loan

QUESTION

One of our investors kicked a loan back to us because, supposedly, the loan was a business purpose, not an owner-occupied residential loan. We protested but to no avail. Now we’re stuck with a business purpose loan. 

As a small lender, we now have to find a buyer and probably take a haircut. This was a retail transaction, and we did everything right – at least, that’s our view! 

We want some guardrails for determining what is and is not a business purpose loan. 

Many of the guidelines we already know. However, we’re looking for a deeper set of guardrails. 

What special guidelines can be used to identify a business purpose loan? 

ANSWER

The guidelines you provided are relatively standard fare. I won’t go here into the ones you mentioned. I will give you five factors that a court used to identify a business purpose loan. Are they comprehensive? Certainly not. However, to use your terminology, these five factors should be considered “guardrails.” 

The U.S. District Court for the Central District of California recently granted summary judgment for the defendant, Joel Sherman Levine (“Levine Trustee”), the trustee of the Joel Sherman Levine Revocable Trust (“Levine Trust”), in a case asserting violations of the Truth in Lending Act (TILA) and the Real Estate Settlement Procedures Act (RESPA). The court found that the loan to the Ross Trust was a business purpose loan.[i] 

Maxine Gilliam (“Ross Trustee”), the plaintiff, had approached a loan broker to procure a lender for a $150,000 loan to be secured by the property owned by the Lou Easter Ross Trust (“Ross Trust”), of which she was the successor trustee. 

So, starting us off, we shall observe the war between the Ross Trust against the Levine Trust.[ii] 

Please stick with me because, like all wars, it can get complicated! 

The broker emailed the Levine Trustee and invited him to fund the loan. The broker and the Levine Trustee exchanged a series of emails in which the broker indicated that 

“[t]he subject property has a tenant in place paying $2,000 monthly,” and the Ross Trustee would be “using the funds to invest in a small rental.” 

The broker attached an unsigned loan application which stated that: 

·       The property was an “investment” property, and the purpose of the refinance loan was “business”; 

·       Ross Trustee was a “Real Estate Investor (retired teacher)”; and 

·       Ross Trustee owned three pieces of real property. 

In connection with the loan, the Ross Trustee signed, among other documents, an occupancy and financial status affidavit certifying that the property was an “investment property.” 

The loan had a two-year term with the option for a one-year extension and a balloon payment. 

The Levine Trustee subsequently received a letter from an attorney for the beneficiary of the Ross Trust, La Randa Ross (“Ross Beneficiary”), claiming that she resided at the property and had not authorized the Ross Trustee to enter into the loan. Prior to funding the loan, the Levine Trustee didn’t know that the Ross Beneficiary resided at the property. 

Although the Ross Trustee maintained that she sought the loan “to make necessary repairs” to the property, she did not provide evidence that she told the broker that the Ross Beneficiary was the tenant living at the property or that the broker or Ross Trustee informed the Levine Trustee of this fact before the parties entered into the loan. After receiving the letter from Ross Beneficiary’s attorney, the Levine Trustee asked for the return of the loan funds and to unwind the loan transaction, but the Ross Trustee refused. The Levine Trust continued to receive loan payments until the end of the two-year term. 

At that point, the Levine Trustee declined to grant an optional one-year loan extension. 

After the Ross Trustee failed to make the final loan payment, including the balloon payment, the Levine Trustee recorded a notice of default and an election to sell the property under the deed of trust. 

This is where the legal gears started cranking because the Ross Trustee then sent the Levine Trustee a notice of rescission of the loan. The Levine Trustee did not respond to the notice, so the Ross Trustee filed an action against the Levine Trustee, alleging violations of TILA and RESPA. The Levine Trustee later filed a motion for summary judgment. 

Now, before outlining the five factors for identifying a business purpose loan, let’s recognized that TILA only applies to “consumer credit transactions,” which are loans issued to a natural person and primarily for personal, family, or household purposes. Similarly, RESPA does not apply to credit transactions involving extensions of credit primarily for business purposes. 

The five factors – or, if you will, the five-factor test – the court used were meant to determine whether a loan was obtained primarily for business or personal purposes. And I suggest you include these factors in your “guardrail” analysis. 

Five Factors to Identify a Business Purpose Loan 

Factor 1 

“The relationship of the borrower’s primary occupation to the acquisition.” 

The court found that the Levine Trustee relied on the statement in the loan application, even though it was completed by the broker, and that the Ross Trustee was a real estate investor, suggesting that the loan was for business purposes. 

Factor 2 

“The degree to which the borrower will personally manage the acquisition.” 

The court found that there was evidence that the Ross Trustee was managing the loan on behalf of the Ross Trust, and there was a lack of evidence as to how the loan proceeds were actually used, which leaned toward a business purpose.

Thursday, June 2, 2022

Risk Factors and Risk Ratings

QUESTION

I am our company’s Compliance Manager. We enjoy reading your weekly FAQs. In fact, we use them in our weekly sales and compliance meetings. Over the years, we have kept them together in a companywide folder for everyone to read. 

This is the first time we’ve written to you. Our problem is that we need guidance in determining risk ratings for our risk assessments. We conduct internal risk assessments but are unsure how to arrange a risk rating. Each regulation is broken down into its major requirements in our risk assessment procedures. Each of these requirements is then assessed for its risk by determining if it is affected by any risk factors that present increased compliance risk. 

The matrix we use is not broken down to the level of detail contained in the checklists, so we may need to refine our risk ratings further when they are entered into the checklists. For example, under Regulation Z, the matrix includes one item for section 1026.18, the content of disclosures. However, not all items in 1026.18 will carry the same risk level; the requirement that the disclosure contains the name of the creditor will carry a lower risk than the requirement that the annual percentage rate and finance charge be accurate. 

What are the primary risk factors that we can use in our matrix? Also, how should we provide the risk ratings? 

ANSWER 

I reviewed the documents you sent me as specimens of your assessment matrix. There are many types of risk assessments and many areas of risk in a financial institution. A risk assessment should be designed to evaluate consistently the extent of risk to consumers arising from the activities of a particular entity and to identify the sources of that risk. 

One way to conceptualize risk is to view it through the backdrop of risk to consumers; specifically, the potential for consumers to suffer economic loss or other legally-cognizable injuries due to a violation of Federal or state consumer financial law. To determine the risk to consumers, the risk assessment should consider the interaction of two broad sets of factors: (1) inherent risks in a particular line of business or the entity as a whole and (2) the quality of controls implemented by the entity to manage and mitigate those risks. 

Let’s start with inherent risk. Inherent risk includes factors that increase the potential for unfair, deceptive, or abusive acts or practices, discrimination, or violations of other Federal consumer financial laws. It also includes factors that increase compliance management challenges and thereby increase the risk of various legal and regulatory violations. 

Then there’s the quality of risk controls, which includes factors related to managing and mitigating specific inherent risks and the strength of an entity’s overall Compliance Management System (“CMS”). 

The most affordable and quickest means to check the viability of your Compliance Management System is our CMS Tune-up, a mini-audit that reviews the CMS, provides recommendations, and issues a risk rating. I note that your company is already on our list to conduct a CMS Tune-up in August. I think this is a prudent decision. If others want more information about the CMS Tune-up, contact us HERE

In my view, there are six factors to include in a risk assessment. 

The six factors are penalties, litigation, examiner scrutiny, new areas, internal violations, and exam violations. 

Let’s take a brief look at each of these factors. 

Penalties 

The regulatory agencies can impose additional penalties for violations of regulations, notwithstanding the general penalties they can impose as part of their broad enforcement powers. Most of these penalties are criminal and civil monetary penalties, but one exception is the Community Reinvestment Act, where the penalty for violation can involve the denial of bank applications for expansion, merger, and so forth; or the savings account/MMDA transaction limitations, where the penalty can involve the recalculation of reserve requirements. Within these areas, the penalties for noncompliance can be severe. The Bank Secrecy Act and Regulation O are two such areas. As another example, finance charge and annual percentage rate (APR) calculation violations under Regulation Z require mandatory reimbursement. 

Litigation 

There is often a significant risk of customer litigation. Within these areas, violations can lead to substantial risks of civil liability to customers. In many cases, the law provides for additional damages beyond those suffered by the customer, such as specific, additional monetary damages, attorneys’ fees, class action status, and so forth. For instance, violation of the right of rescission under Regulation Z can lead to customer litigation, resulting in the loss of the security interest and income from the loan. 

Examiner Scrutiny 

Numerous regulatory areas receive increased scrutiny during regulatory examinations. For example, BSA and Regulation O receive increased scrutiny during almost every examination. Also, compliance with flood insurance requirements is an area that is currently experiencing increased scrutiny by some agencies in some areas. 

New Areas 

There are relatively new compliance requirements. Also, there are areas in which the financial institution only recently introduced products that require compliance with a particular existing or new requirement. To assist you in identifying new compliance requirements, your matrix should include the effective date for any new regulations. 

Internal Violations

 These are areas where violations were found as a part of the financial institution’s own internal compliance monitoring.

Exam violations 

These are areas in which violations were found during a previous regulatory examination. 

Let’s move on to the risk rating itself!