
Thursday, May 25, 2023

Investigating Direct Disputes

QUESTION

A recent audit of our servicing platform showed that we failed to investigate direct disputes in our reporting to the credit agencies. There seemed to be a gap in how we identified what dispute needed to be investigated and what dispute did not. 

We reviewed thousands of files and found that some of the disputes were definitely miscategorized. Because of the miscategorizing of them, we did not conduct investigations. That led to consumer complaints. Our regulator also contacted us about the consumer complaints. It is coming here in a few weeks to examine our process. 

We found out that our loan servicing software had incorrect rules for identifying the proper categorizing of the disputes. Now, we are putting in new rules and overriding the old rules. This was a preventable calamity. We want your guidance to know when we must conduct an investigation. 

When must we investigate a direct dispute over the information in a credit report? 

What are the exceptions to the requirements to conduct the investigation? 

ANSWER 

To begin, let's be clear about what a "direct dispute" is. The term is defined by regulation.[i] In essence, it is a dispute submitted by a consumer directly to a furnisher (including a furnisher that is a debt collector) concerning the accuracy of any information in a consumer report and pertaining to an account or other relationship that the furnisher has or had with the consumer. 

By "accuracy," I mean that the reported information[ii] about an account or other relationship with the consumer (1) reflects the terms of and liability for the account or other relationship, (2) reflects the consumer's performance and other conduct with respect to it, and (3) identifies the appropriate consumer. 

So, when must you conduct an investigation of a direct dispute involving a consumer report? What is required is a reasonable investigation, and it is required when the dispute falls into one of four categories. Let's consider each of them.

 Required Investigation of a Direct Dispute

 1. The consumer's liability for a credit account or other debt with the furnisher, such as direct disputes relating to whether (a) there is or has been identity theft or fraud against the consumer, (b) there is individual or joint liability on an account, or (c) the consumer is an authorized user of a credit account;

 2. The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount on an account, or the amount of the credit limit on an open-end account;

3. The consumer's performance or other conduct concerning an account or other relationship with the furnisher, such as direct disputes relating to the current payment status, high balance, the date a payment was made, the amount of a payment made, or the date an account was opened or closed; or

 4. Any other information included in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.[iii] 

Exceptions to Requiring an Investigation of a Direct Dispute 

Concerning the exceptions, there are two. The direct dispute requirements do not apply to a furnisher if:

(1) The direct dispute relates to:

 a) The consumer's identifying information (other than a direct dispute relating to a consumer's liability for a credit account or other debt with the furnisher), such as name(s), date of birth, Social Security number, telephone number(s), or address(es);

 b) The identity of past or present employers;

 c) Inquiries or requests for a consumer report;

 d) Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless provided by a furnisher with an account or other relationship with the consumer);

 e) Information related to fraud alerts or active duty alerts; or

 f) Information provided to a consumer reporting agency by another furnisher; or

 (2) The furnisher has a reasonable belief that the direct dispute is submitted by, is prepared on behalf of the consumer by, or is submitted on a form supplied to the consumer by, a credit repair organization[iv] or an entity that would be a credit repair organization but for its status as a nonprofit organization exempt from taxation under section 501(c)(3).[v]

Note how narrow these exceptions are. A rules engine that routes disputes, like the one you are now rewriting, should default to investigation and route a dispute away from investigation only when it positively matches one of the enumerated exceptions; anything ambiguous gets investigated.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] 16 CFR § 660.2(b)

[ii] 16 CFR § 660.2(a)

[iii] 16 CFR § 660.4(a)

[iv] As defined in 15 USC § 1679a(3)

[v] 15 USC § 1679a(3)(B)(i). See also, § 501(c)(3) in 26 USC § 501 - Exemption from tax on corporations, certain trusts, etc.

Thursday, May 18, 2023

Reverse Mortgages – A Policy Definition

QUESTION 

We thought we knew what a Reverse Mortgage was until one of our investors rejected our policy and procedure for several defects, one of which was that they didn’t accept our definition of a Reverse Mortgage. 

Now we are scrambling to rewrite the Reverse Mortgage policy but need a really good definition. We’ve spoken with our attorneys and a few companies that sell this policy. But we are unsatisfied with all of them. Our CEO told us to contact you to see how you would define a Reverse Mortgage. He told us you would provide the kind of guidance we would need. 

So, we’re writing you to get a good definition of a Reverse Mortgage that will hopefully meet our investor’s expectations. 

What is the definition of a Reverse Mortgage? 

ANSWER 

Please thank your CEO for the kind words! Your question is a good one. My rule of thumb in developing a policy document is to begin with definitions. 

In answering your question, I will provide a definition of a reverse mortgage that should assist you in drafting a dependable outline. There are specific procedural rules and disclosure requirements, such as the various mandates involving the Total Annual Loan Cost Rates (TALC) disclosure. However, I will limit my response to offering a definition of a reverse mortgage for your policy statement.

 A reverse mortgage transaction is defined[i] as a “nonrecourse” consumer credit obligation in which: 

·       A mortgage, deed of trust, or equivalent consensual security interest securing one or more advances is created in the consumer’s principal dwelling; and 

·       Any principal, interest, or shared appreciation or equity is due or payable (other than in the case of default) only after: 

o   The consumer dies; 

o   The dwelling is transferred; or 

o   The consumer ceases to occupy the dwelling as a principal dwelling. 

The term “nonrecourse” requires an explanation. A nonrecourse transaction limits the homeowner’s liability to no more than the proceeds of the sale of the home unless a lesser amount is called for in the credit obligation. For example, there might be an equity reservation or conservation provision in the agreement between the consumer and the creditor. 

Stay with me for a moment, because the nonrecourse requirement deserves a closer look.[ii] A transaction must be nonrecourse to meet the definition of a reverse mortgage;[iii] that is, the consumer’s liability must be limited to the proceeds from the sale of the home. The consequence of getting this wrong is significant. If a closed-end reverse mortgage does not limit the consumer’s liability to the proceeds of the sale of the home, and the transaction meets the definition of a high-cost mortgage,[iv] the transaction[v] is subject to all the requirements applicable to high-cost mortgages[vi] and to the prohibited acts or practices in connection with high-cost mortgages.[vii] 

Furthermore, the term “default” is not defined by the statute or regulation;[viii] its meaning is left to the legal obligation and to state or other applicable law. In other words, the definition of that term comes from the agreement between the parties or from state law. 

To meet the definition of a reverse mortgage transaction, a creditor cannot require principal, interest, or shared appreciation or equity to be due and payable (other than in the case of default) until after the consumer’s death, transfer of the dwelling, or the consumer’s ceasing to occupy the dwelling as a principal dwelling.[ix] 

How is this affected by state laws that require legal obligations secured by a mortgage to specify a definite maturity date or term of repayment in the instrument? Stating a definite maturity date or term of repayment does not conflict with the definition of a reverse mortgage so long as the date or term would in no case operate to cause maturity before one of the maturity events recognized in the regulation has occurred. For example, some reverse mortgage programs specify that the final maturity date is the borrower’s 150th birthday; other programs state a shorter term but provide that the term is automatically extended for consecutive periods if none of the recognized maturity events has yet occurred. Both structures are permissible. 

Finally, all costs and charges the consumer incurs in a reverse mortgage are included in the projected total cost,[x] whether or not the cost or charge is a finance charge.[xi] 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Truth-in-Lending Act § 103(cc), Regulation Z § 1026.33

[ii] § 1026.33, Comment 33(a)-1

[iii] § 1026.33(a)

[iv] § 1026.32

[v] Op. cit. ii

[vi] Idem

[vii] § 1026.34.

[viii] § 1026.33, Comment 33(a)(2)-1

[ix] § 1026.33, Comment 33(a)(2)-2

[x] § 1026.33, Comment 33(c)(1)-1

[xi] Under §1026.4

Thursday, May 11, 2023

Third Line of Defense and Risk-Based Auditing

QUESTION 

Although we're a small bank in the Midwest, we still are required to have policies and procedures that are similar to banks much larger than ours. However, our regulator has sent a letter notifying us that our corporate governance is not adequately implementing the "third line of defense." The letter also cited our need for "risk-based auditing." 

We want to show that we are responding to the regulator by revising our corporate governance policy to acknowledge this third line of defense. And we want to include a reference to risk-based auditing. We hope you can provide some insight into how to revise our policy for these requirements. 

What is the third line of defense? 

What is risk-based auditing? 

ANSWER 

"Corporate governance" is a general term for the board of directors' oversight of how the institution is run. Specifically, the board should be actively and attentively overseeing the performance of senior executives to ensure that daily operations are conducted within the policies and objectives the board has adopted. 

Ultimately, the board of directors is responsible for the organization's performance. When delegating authority to senior management team members for day-to-day activities and decisions, the board should also require feedback and monitoring reports to assess executive performance. For the directors, it becomes a matter of setting high standards and ensuring they are maintained. 

The process whereby governance directs auditing programs is essential to effective risk management and internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control, among other things. 

Here are three generalized principles of corporate governance as it relates to auditing: 

1.   The board of directors and senior management are responsible for establishing, maintaining, and operating effective audit programs. This responsibility must not be delegated. 

2.   Audit programs must be performed by independent, competent staff or external auditors who objectively evaluate the institution's control environment. 

3.   Examiners validate the adequacy of the institution's audit programs. 

Regulators and investors evaluate corporate governance relating to audits. They assess and draw conclusions about the adequacy of the overall audit function as part of every supervisory cycle or periodic review (e.g., Fannie Mae's MORA[i] review). An assessment includes some level of audit validation, including verification procedures as necessary. The conclusions can significantly influence the scope of other supervisory activities and the terms of the institution's investor relationships. Where regulators are involved, examiners may expand supervisory activities in applicable areas if they identify significant concerns about the quality or extent of audit programs or the control environment. 

Now, let's turn to the "three lines of defense." The model explains governance and the allocation of risk management roles among an institution's business units, support functions, and audit function. Because each line of defense is defined by the risk management activities it performs, I will describe each line in those terms. 

·     The first line of defense risk management activities occur at the frontline units[ii] where risks are created. 

·     The second line of defense risk management activities occur in an area or function separate from the frontline unit, sometimes referred to as "independent risk management."[iii] This function oversees and assesses the frontline units' risk management activities. 

·     The third line of defense risk management activities are usually called the "internal audit function." This function is primarily responsible for providing independent assurance and challenging the institution's risk structure. It assesses the effectiveness of the policies, processes, personnel, and control systems created in the first and second lines of defense. 

Risk-Based Auditing is an approach to auditing an institution. This methodology links internal or external auditing to the overall risk management framework. The audit risk assessment is a process by which an auditor identifies and evaluates the quantity of risk in each auditable area and the quality of the institution's controls over that risk. The board, its audit committee, and the auditors use the results of the risk assessment to focus on the areas of greatest risk and to set priorities for audit work. 

The audit function should not ignore areas that are rated low-risk. An effective risk-based audit program includes adequate audit coverage for the institution's auditable activities. The frequency and depth of each area's audit should vary according to the audit risk assessment. In risk-based auditing, the audit is meant to assure the board that risk management processes manage risks effectively concerning the risk appetite. The risk appetite must be commensurate with the institution's size and complexity. 

Generally speaking, a risk-based audit program provides at least the following: 

·      objective, independent reviews and evaluations of bank activities, internal controls, and management information systems (MIS); 

·      adequate documentation of tests, findings, and any corrective actions; 

·      assistance in maintaining or improving the effectiveness of bank risk management processes, controls, and corporate governance; 

·      reasonable assurance about the accuracy and timeliness with which transactions are recorded and the accuracy and completeness of financial and regulatory reports; and 

·      validation and review of management actions to address material weaknesses. 

Well-planned, properly structured auditing programs are essential to effective risk management and adequate internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems. 

The third line of defense exists to independently and objectively review and evaluate the institution's activities with a view to maintaining or improving the efficiency and effectiveness of its risk management, internal controls, and corporate governance. 

The audit function does this by: 

·      Evaluating the reliability, adequacy, and effectiveness of accounting, operating, and administrative controls. 

·      Ensuring that internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets. 

·      Determining that an institution complies with laws and regulations and adheres to established bank policies. 

·      Confirming that management is taking appropriate steps to address current and prior control deficiencies and audit report recommendations. 

Whether the auditor is internal or external, auditors should clearly understand the institution's strategic direction, objectives, products, services, and processes to conduct these risk management activities. The auditors can then communicate findings to the board of directors, its audit committee, and senior management. 

Additionally, auditors often have a role in merger, acquisition, and transition activities. This role may include helping the board and management evaluate safeguards and controls, including appropriate documentation and audit trails, during acquisition planning and implementation processes. Each of these roles, duties, and responsibilities are critical to the overall safety and soundness of the institution.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Lenders that sell loans to GSEs such as Fannie Mae are subject to a Mortgage Origination Risk Assessment (MORA) review, which includes assessing the adequacy and effectiveness of the company’s internal audit function.

[ii] 12 CFR 30, Appendix D, at 6, “Front Line Unit”

[iii] 12 CFR 30, appendix D, at 7, “Independent Risk Management”

Thursday, May 4, 2023

Data Breach – An Unprepared Company

QUESTION 

We were just hit with a data breach and were completely unprepared for it. Hackers took personal information from our corporate server. We believe that customer information was stolen. The hacker also went after our website, meaning information there may be exposed. 

Our Business Continuity policy is all of two pages. We put it together by pasting it from a few Google searches. You may think we are a small mortgage lender, but we have branches in eight states and originate a large volume of mortgage loans. 

We have already alerted law enforcement. We are working on a quick plan to notify investors and customers. But we have no process to follow for this data breach. We're working without a guide. 

All of us in management know you have written a lot about issues like ours. Please help as soon as possible. 

What should we do immediately if we are hacked? 

ANSWER 

NOTE: This article provides links to subject articles, presentations, and a complimentary Data Breach: Quick Reference Checklist. 

As many of you know, I am like a Mother Hen regarding our clients, always looking to protect them. And through these weekly newsletters, I try to ensure our readers are made aware of regulatory compliance challenges. However, some readers ignore my advice, and one piece of advice they ignore is the importance of having a policy for Business Continuity. 

Our Business Continuity plan is comprehensive. We believe it meets regulatory scrutiny; however, I don't care if you want ours or another firm's policy. Assuming the policy is reliable, get it and implement it! If you are not operating with a plan, your company is unprepared for a data breach. Also consider our mini-audit, BCP Tune-up, which provides a review of your Business Continuity plan and procedures.

For information about our Business Continuity Plan, click HERE.

For information about our BCP Tune-up, click HERE.

Here are just some articles I have published on Business Continuity: 

·       Disaster Recovery and Business Continuity

·       Cybersecurity Rule – Proposed Updates

·       Ransomware Payments

·       Prohibited Acts and Practices

·       Large Bank Cybersecurity Challenges

·       UDAAP Violations caused by Insufficient Data Protection

·       Mother of All Computer Bugs

·       Phishing Scams

·       Intrusion Detection Terms 

As Ford says in Shakespeare's The Merry Wives of Windsor, "Better three hours too soon than a minute too late." 

Don't delay. Procrastinate at your peril! 

Let's turn to the situation you find yourself in, to wit, a data breach and no plan for Business Continuity, which should include a Disaster Recovery component. 

If your company experiences a data breach, you should notify law enforcement, other affected businesses, and individuals. Since I do not know your company's size, complexity, or risk profile, my remarks are necessarily generic. 

However, I will provide a bulleted outline so you can act promptly. 

Request the complimentary Data Breach: Quick Reference Checklist. 

Evidence

·       Do not destroy evidence. In particular, do not destroy forensic evidence (logs, disk images, memory captures) in the course of your investigation and remediation.

·       Document your investigation, including who collected each item of evidence, when, and how it has been handled since. 
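A practical way to satisfy both points above is to hash every collected artifact at the time of collection and keep an append-only chain-of-custody log, so that any later change to, or loss of, the evidence is detectable. The script below is an added example for this newsletter, not part of the original answer; the file names, the JSON-lines log format, and the sample log contents are constructed for illustration.

```python
"""Evidence-preservation helper: hash collected artifacts and keep an
append-only chain-of-custody log so later changes are detectable.
Added example; not part of the original newsletter. File names, the
log format and the sample contents are assumptions for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for large disk images


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected each artifact, when, its size and its digest."""
    now = datetime.now(timezone.utc).isoformat()
    return [
        {
            "path": os.path.abspath(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_by": collector,
            "collected_at": now,
        }
        for p in paths
    ]


def append_custody_log(log_path, entries):
    """Append one JSON line per entry; earlier lines are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as log:
        for entry in entries:
            log.write(json.dumps(entry, sort_keys=True) + "\n")


def verify_manifest(entries):
    """Return (path, reason) for every artifact that no longer matches."""
    problems = []
    for entry in entries:
        if not os.path.exists(entry["path"]):
            problems.append((entry["path"], "missing"))
        elif sha256_file(entry["path"]) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed sample: two 'evidence' files, one of which is later altered.
    Returns the verification results before and after the alteration."""
    workdir = tempfile.mkdtemp()
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "webserver.log")
    with open(auth_log, "w") as f:
        f.write("sshd: Accepted password for admin from 203.0.113.7\n")
    with open(web_log, "w") as f:
        f.write("GET /exports/customers.csv 200\n")

    manifest = build_manifest([auth_log, web_log], collector="ir-team")
    append_custody_log(os.path.join(workdir, "custody.jsonl"), manifest)
    before = verify_manifest(manifest)  # nothing has changed yet

    # Simulate someone "cleaning up" a log during remediation.
    with open(web_log, "a") as f:
        f.write("line added after collection\n")
    after = verify_manifest(manifest)  # the altered file is flagged
    return before, after


if __name__ == "__main__":
    untouched, tampered = demo()
    print("before:", untouched)
    print("after: ", tampered)
```

Run the hashing step before any remediation touches a system, store the custody log somewhere the response team cannot silently edit (write-once storage or a ticketing system), and re-run verification before handing images to outside investigators or counsel.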

Immediate Response

·       Secure physical areas potentially related to the breach. Lock them and change access codes.

·       Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

·       Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and complexity of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

·       Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.

·       Consult with legal counsel. You may consider hiring counsel with privacy and data security expertise. They can advise you on federal and state laws that a breach may implicate. 

Stop Data Loss

·       Take all affected equipment offline immediately by disconnecting it from the network, but do not power any machine off until the forensic experts arrive; powering off destroys memory-resident evidence they will want to capture.

·       Closely monitor all entry and exit points, especially those involved in the breach.

·       If possible, put clean machines online in place of affected ones.

·       Update credentials and passwords of authorized users, including service accounts, API keys, and remote-access tokens. If a hacker stole credentials, your systems remain exposed until those credentials are changed, even after you have removed the hacker's tools. 

Remove Web Vulnerability

·       Your website – If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or "cache," information for some time. You can contact the search engines to ensure that they don't archive personal information posted in error.

·       Other websites – Search for your company's exposed data to ensure no other websites have saved a copy. If you find any, contact those sites and ask them to remove it. This applies to websites operated by your company's loan officers and agents. 

Interviews

·       People who discovered the breach should be interviewed.

·       Talk with anyone else who may know about it. 

·       If you have a customer service center, ensure the staff knows where to forward information that may aid your investigation of the breach. 

Service Providers

·       If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges.

·       Ensure your service providers take the necessary steps to ensure another breach does not occur.

·       If your service providers say they have remedied vulnerabilities, verify that they fixed things.