Thursday, February 29, 2024

Joint Users of Credit Reports

QUESTION 

I am the Compliance Officer of a bank in the northwest. We run credit reports on applications. If we cannot make the loans, we provide them to our investors and other lenders. 

Be that as it may, our regulator suggests we revise our FCRA policy regarding transferring an applicant's credit report to other lenders for processing. They want us to include language requiring an applicant's express consent to transfer the credit report. 

What advice can you offer to revise our FCRA policy for transferring the credit report and application to another lender?

COMPLIANCE SOLUTION

Policies and Procedures 

ANSWER 

Let's begin with some basics about the Fair Credit Reporting Act (FCRA). In general, the FCRA affects any person or entity that is: 

·       A Consumer Reporting Agency (CRA), such as a credit bureau; 

·       Users of the consumer reports that a CRA produces; or 

·       Those who furnish information about consumers to CRAs. 

CRAs have several responsibilities under the FCRA, such as: 

·       Ensuring that consumer reports are provided to others only for a purpose permissible under the FCRA; 

·       Ensuring that consumer reports include required information but not information that is prohibited; 

·       Disclosing information on file to consumers in response to their request; and 

·       Investigating consumers' claims of inaccurate information in a consumer report and correcting the information if it is erroneous. 

Anyone who provides a consumer report to others becomes a CRA[i] and is subject to the regulations governing these agencies. This is true regardless of whether the person prepared the consumer report or provided a copy of a consumer report prepared by someone else. 

For example, if a financial institution obtains a consumer's credit report from a CRA (i.e., a credit bureau), it would become a CRA if it provided a copy of that credit report to anyone else. 

Most financial institutions do not want to become CRAs because they do not want the compliance responsibilities imposed on such agencies. Therefore, most financial institutions do not provide credit reports or information contained in credit reports to third parties unless doing so is specifically permitted under the FCRA. 

Which brings us to joint users of credit reports! 

Lenders are permitted to provide consumer report information to other lenders without violating the FCRA if they are "joint users" of the specific consumer report. Although not contained in the FCRA, this exception is established in a commentary of the Federal Trade Commission (FTC).[ii] 

Lenders who forward credit reports to other lenders jointly involved in a lending decision are not considered CRAs, provided the application is forwarded to the other lenders at the consumer's request. 

A loan application, including the credit report, is forwarded to several investors in many mortgage loan situations. If this exception were not permitted, the lender forwarding the credit report would be considered a CRA under the FCRA. However, because of the exception, the lender and the investors who receive the application and credit report are considered "joint users" involved jointly in the credit decision. 

The key to taking advantage of this exception is that the application is forwarded to these other lenders at the consumer's request: 

"In order for the additional creditors to whom your client forwards the loan application to have a permissible purpose to obtain a consumer report, the potential credit transaction must be initiated by the consumer. For this reason, … a lender may forward a loan application to another lender at the consumer's request. Accordingly, [the lender] must obtain the consumer's consent prior to forwarding such information to additional lenders."[iii] (My emphasis.) 

Note that consumer consent is required to forward the application. 

This leaves open the question of what form such consent should take. In light of this, the FTC concluded that the inclusion in a lender's loan application of a section that enables the consumer to indicate consent for the loan application file to be forwarded to "other lenders" would be 

"… sufficient to satisfy the requirement that subsequent creditors have a permissible purpose to receive the consumer report included in the file. Such action can only be taken, however, in pursuit of the approval of the loan application."[iv] 

Therefore, a consumer's written authorization to submit an application to other lenders should be included in any situation where it may occur. This can be done separately, as part of the application, or as part of a broker agreement with the consumer. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Fair Credit Reporting Act, Section 603(f); 15 USC section 1681a(f)

[ii] Elucidated regarding an earlier version of the FCRA. See “Joint Users” – FCRA §§ 603(f) and 604(a)(3)(A), Federal Trade Commission Letter, November 20, 1998, Division of Financial Practices, Federal Trade Commission. 16 CFR 600. See also Statement of General Policy or Interpretation; Commentary on the Fair Credit Reporting Act, 55 FR 18804, May 4, 1990, Rules and Regulations.

[iii] Idem

[iv] Op. cit. ii

Thursday, February 22, 2024

Evaluating Character and Fitness

QUESTION 

We are a lender in the northwest. We have a Code of Ethics that was accepted by our banking department. Recently, they did an audit. In the exit interview, they said we should have a hiring and employment policy that screens for character and fitness. 

Our Compliance Manager asked who should be screened, and the auditor said we should screen for loan and senior officers, managers, and directors. We do this, but it’s not formal enough for them. They want a set of procedures and criteria. 

In researching procedures, we found that some banking departments have broad statements but not many procedures, and others have pretty rigorous ones. We’re leaning toward the rigorous approach since we are licensed in several states and plan to expand into more states this year. 

What are some procedures and criteria to use for determining character and fitness? 

ANSWER 

Character and fitness, taken together, form an evaluation in many professional fields. Many people don’t know this, but such criteria are a central pillar of ethics in the legal profession. Just because somebody is admitted into law school doesn’t mean the state bar has to admit them into legal practice. It is up to them to prove to the state bar that they possess the requisite character and fitness to be a member of the bar. Evaluation may be based, among other things, on such issues as alcohol and substance abuse problems, previous disbarment or suspension, mental health issues, civil legal actions, misdemeanor and felony convictions, academic misconduct, and straight-out lack of honest candor and full disclosure. 

In financial services such as mortgage banking, character and fitness failures can disrupt safety and soundness requirements, increase the significant risks resulting from contact with the public, and degrade a financial institution’s operational and financial structure. This is why the evaluation is meant to be applied not only to loan officers but also to owners, directors, senior officers, and managers. Indeed, character and fitness assessment should be a mainstay of virtually all employees directly or indirectly involved in the loan flow process. Many banking departments already screen for character and fitness of individual licensees in their licensing and renewal processes. 

We have had clients that merged or were acquired. In each instance, our guidance has been the same: upon consummation of the transaction, each affected individual should be screened in the onboarding review. The continuing or surviving entity should not rely on previous vetting or due diligence. Each such entity is responsible for fully vetting its affected individuals in the onboarding and ongoing relationship of the individual with the institution. 

Screening procedures should have ways, means, and methods to denote sensitive issues, warning signs, and other indicia of character and fitness. If there are concerns, the affected individual should not be permitted to commence, carry out, or continue fulfilling the responsibilities of their position, at least until such time as an enhanced review has resolved any perceived risk-based issues. 

Remedial efforts are required if a review results in materially adverse findings. Possible remedies include removing an individual from a position, revising the individual’s responsibilities, terminating the individual’s employment, or not hiring the individual in the first place. Where materially adverse findings are established, the banking department should be notified. Any action taken due to materially adverse findings (removal from a position, revising position responsibilities, terminating employment or not hiring, and notifying the banking department) should be undertaken with the advice of legal counsel. 

There are many tools to evaluate character and fitness. There is one that I find particularly well-conceived. It is provided by New York State’s Department of Financial Services (DFS). The DFS has long had an examination methodology that embraces a financial institution’s program to assess character and fitness.[i] It is entitled Suggested Questions to Facilitate Initial and Ongoing Assessment of Designated Persons’ Character and Fitness.[ii] I emphasize the word “suggested” because each institution must ratify policies and procedures that are appropriate to its risk profile and complexity as well as consistent with state and, where applicable, federal law. 

The DFS lists twenty questions. Our experience is that many more questions could be asked. These, however, are essential and basic. The questions are not minimum requirements, prescriptive, or meant to be comprehensive. 

We provide a free Character and Fitness Checklist.

Suggested Questions to Evaluate Character and Fitness[iii] 

1.     Acknowledge that you have reviewed and understood the following policies of the company and provide evidence of any documented exceptions to compliance with certain specified policies in a separate attachment. 

2.     For ongoing assessment, to the best of your knowledge, have you complied with all above-listed policies during [year(s)], and made all disclosures required, including seeking exceptions from these policies as appropriate, and being granted such exceptions? 

3.     During [year(s)], have you been charged with, indicted for, or convicted of a crime and/or pleaded nolo contendere in any criminal matter (including, but not limited to, driving under the influence, reckless driving, and/or disorderly conduct)? 

4.     Have you or any financial institution with which you are or were associated been sanctioned and/or censured in any way by a banking or securities regulator during [year(s)], including any regulatory sanction, consent order, enforcement order, supervisory agreement, civil monetary penalty, or other administrative penalties? 

5.     Have you been the subject of any professional disciplinary actions, denied a license, and/or had a license suspended or revoked during [year(s)] (i.e., a governmental or professional licensing organization), excepting banking and securities regulators referenced in Question 4? 

6.     Please describe in a separate attachment any civil litigation, investigation, or sanction – including but not limited to any regulatory sanction, consent order/agreement, enforcement order/agreement, or other administrative findings or penalties – in which you have, to your knowledge, been named or have otherwise become involved in your professional capacity, or which have been initiated against a prior employer in connection with your responsibilities in that position, in the preceding ten (10) years. 

7.     Have you ever been dismissed or asked to resign from past employment, including a less-than-honorable discharge from military service? 

8.     Have you been involved in certain filings where the filing was denied, disapproved, withdrawn, or otherwise returned without favorable action by a federal or state regulatory authority or a self-regulatory organization? 

9.     Has anyone in your immediate family or an individual in your household worked for the institution or an affiliate in [year(s)]? If so, please state their name and their relationship to you. “Immediate family” means the individual’s children, parents, siblings, spouse, or partner. 

10.  Have you or an immediate family member started or continued an outside business relationship with an auditor of the institution during [year(s)]? 

11.  Please describe in a separate attachment all indebtedness to the institution or an affiliate that you have incurred [during the past year / since your previous report] (excluding indebtedness associated with a general-purpose credit card) and the balance outstanding of all such indebtedness to the institution or an affiliate at the end of [year]. 

12.  Please describe in a separate attachment any lobbying activities in which you have been engaged in your personal capacity during [year(s)] and whether you were registered as a lobbyist in any jurisdiction during [year(s)]. 

13.  Please describe in a separate attachment any litigation (unless described above) or bankruptcy proceedings of which you have been a part during [year(s)] and provide copies of all relevant documents. 

14.  Do you owe outstanding child support in connection with any unemancipated child(ren)? 

15.  Please describe in a separate attachment all settlements of litigation (threatened or actual) brought against you in your personal or professional capacity during [year(s)] and provide copies of all relevant documents. 

16.  Have you or any company with which you are associated or were associated during [year(s)]:

o   Filed a petition under any chapter of the Bankruptcy Code or had an involuntary bankruptcy petition filed against you or the company?

o   Defaulted on a loan or financial obligation of any sort, whether as obligor, cosigner, or guarantor?

o   Forfeited property in full or partial satisfaction of any financial obligation?

o   Had any liens or other judgments filed against you?

o   Had wages or income garnished for any reason?

o   Failed or refused to pay any outstanding judgments? 

17.  Have you filed/paid all of your required income and other taxes for [year(s)]? 

18.  Please list in a separate attachment all companies (whether publicly traded or not) and any organizations (including not-for-profit and/or charitable) of which you have been a member of the board of directors or an executive officer during [year(s)]. 

19.  Have you been a senior officer or a board member at a financial institution that filed for reorganization or bankruptcy; became subject to a receivership or conservatorship proceeding; became subject to a resolution or liquidation proceeding; had its license, charter, or registration surrendered or revoked; received financial assistance from a federal or state agency or instrumentality (i.e., FDIC); merged with or been acquired by an institution that received financial assistance from a federal or state agency or instrumentality in connection with the transaction; or otherwise failed or ended business operations? 

20.  Please disclose all compensation received during [year(s)] beyond the amounts paid to you as compensation by the institution. 

Character and fitness can be tested and monitored, whether you think so or not. A risk-based approach should also be proportionate to an institution’s risk profile. Risk-based testing means a layered evaluation attuned to ongoing assessments, monitoring frequency, and continuity. 


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] See New York Banking Law § 599-e et seq.

[ii] Suggested Questions to Facilitate Initial and Ongoing Assessment of Designated Persons’ Character and Fitness, Appendix, Industry Letter: Guidance on Assessment of the Character and Fitness of Directors, Senior Officers, and Managers, January 22, 2024, Department of Financial Services, New York State

[iii] Ibid. Condensed and edited for the sake of brevity.

Thursday, February 15, 2024

Money Mules: ID Theft and AML Compliance

QUESTION 

Our company is under investigation by the banking department and law enforcement for allowing "money mules" to use our financial services. They managed to use our mortgage and depository services. The crooks targeted people in nursing homes and hospice care facilities. 

The banking department is now determining if we properly implemented an Identity Theft Protection Program and Anti-Money Laundering Program. They're looking back at the procedures as well as the level of testing and training. Our CEO has told us that she expects an administrative action against us. 

We haven't updated our Identity Theft Protection Program and Red Flags Rule in years. We're reviewing it now. Well, better late than never! 

But we do the Anti-Money Laundering Program testing and training as required. The banking department is closely scrutinizing both written policies. Yesterday, we received a notice from FinCEN that they are investigating our SAR filings. 

The news fallout has been devastating. We have been in business for decades and have never had a hit to our reputation, let alone something as shocking as being an unwitting accessory to an identity theft and money-laundering scheme. There's not enough money in the world to reestablish trust! 

How do "money mules" operate? 

How do "money mules" exploit the stealing of identities? 

How do "money mules" undermine anti-money laundering procedures? 

ANSWER 

Your situation reminds me of a recent arrest in California involving money mules. The victims' money is often initially handled by "money mules," individuals who permit their addresses or bank accounts to be used or agree to receive or negotiate cashier's checks. In brief, a money mule moves money obtained illegally on behalf of another individual. Funds are transferred in person, digitally, or through mail or courier. 

I have discussed money mules previously. Here is one article about how criminals used the COVID pandemic to bilk the public: COVID-19: Imposters and Money Mules. 

Money mules can be – but are not always! – aware they are involved in laundering money obtained illegally. The purpose of this illegal activity is to obscure the source of funds. They are a key element in the money laundering and identity theft process. 

Scheme 

With some variance and nuances here and there, the following are the steps to money mule schemes: 

Step 1: Criminal looking to launder money employs a money mule to layer illicit funds. 

Step 2: Criminal transfers the funds to the money mule in person or electronically. 

Step 3: Money mule either places[i] the money into the financial system or receives money that has already been integrated[ii] into the financial system. 

Step 4: Money mule uses a series of transfers and transactions to layer[iii] the money. 

Step 5: Money mule returns the layered funds to the criminal. 

In the case I have in mind,[iv] the FBI arrested money mules involved in scams that bilked grandparents. This is brutal, wicked, and heartless, of course, but crooks will do what crooks will do! A con is a con. A mark is a mark. As Hamlet observed, "one may smile, and smile, and be a villain!"[v] 

Two money mules were arrested and indicted for their scheme to launder at least $2 million in proceeds obtained from victims of grandparent scams who were defrauded with false claims that their relatives were in distress and urgently needed funds. 

The indictment detailed how perpetrators of grandparent scams convince victims to send money – purportedly to help relatives, frequently their grandchildren, who are typically described as being in legal trouble – "to bank accounts, business entities, and physical addresses specified by the scammers, using interstate wires and cashier's checks…for the supposed purpose of assisting the relatives in distress." 

One of the money mules is said to be a manager of money mules, and the other, thus recruited, recruited his own money mules. Federal prosecutors further assert that the manager created business entities and opened bank accounts using information stolen from identity theft victims. 

Once the money was in the accounts associated with the money mules or identity theft victims, the two money mules allegedly engaged in transactions designed to conceal the true nature of the funds, which, in this case, had been obtained via wire fraud. 

The indictment specifically alleges that the scheme laundered funds obtained from victims of grandparent scams who live in California and Pennsylvania. The bank fraud scheme alleged in the indictment involves fraudulently obtained funds held in suspense in an account set up in the name of an identity theft victim. 

The two money mules and a co-conspirator allegedly worked in concert to contact the bank and impersonate the identity theft victim to secure the issuance of a check for nearly $83,000 that was remaining in the account. 

As I noted above, money mules can be unwittingly involved in a money mule scam. That seems hard to believe. Investigators find that the trail usually ends with the money mule, who might not have realized that they are laundering money for crime gangs. Unfortunately, the process often depends on the unwitting money mule for its effectuation. The enforcement authorities have found at least three primary types of money mules: (1) unwitting, (2) witting, and (3) complicit. Here's a synopsis of each type. 

Types 

(1) Unwitting: Individuals are unaware they are involved in criminal activity and engage in it thinking it's legal. They are often deceived into doing the activity for someone they believe to be an employer, acquaintance, perhaps a romance scammer, or somebody in a position of some trust. 

(2) Witting: Individuals who should be aware they are involved in suspicious activity but engage in it anyway. While they aren't fully aware of the extent to which they are involved in criminal activity, they typically ignore clear indicators that what they do is illegal or suspicious. 

(3) Complicit: Individuals know they are involved in criminal activity yet still engage in it willfully. This type of money mule ranges from inexperienced individuals unaware of their involvement to experienced and adept fraudsters who run entire money mule rings. 

Identity Theft Prevention Program 

Beyond the legal ramifications of acting as a money mule,[vi] the people who serve as money mules may open themselves up to identity theft. All of their personally identifiable information ("PII") can be stolen by criminals, leading to the theft of their financial assets. Victims often wind up with drained accounts, damaged credit, and deprivation of medical treatment due to loss of cash liquidity. 

Stealing an individual's identity is a fraud committed or attempted using the identifying information of another person without authority.[vii] The "identifying information" of a victim is particularly onerous because such information means "any name or number that may be used, alone or in conjunction with any other information, to identify a specific person."[viii] 

The Red Flags Rule ("Rule") goes back to 2007 under a section in the Fair and Accurate Credit Transaction Act (FACTA), which amended the Fair Credit Reporting Act (FCRA).[ix] The Rule was promulgated in 2010.[x] 

If you haven't reviewed your written Identity Theft Protection Program – which is statutorily required – it is a bit late now, given that the regulators are currently involved in an investigation. In compliance, you cannot simply throw up your hands and, as you do, declare that it is "better late than never." Indeed, that phrase harks all the way back to Geoffrey Chaucer in the 14th century, who said, "For better than never is late; never to succeed would be too long a period."[xi] 

In compliance, virtually everything has a tail, a trace, a remnant, a vestige, some lingering scintilla of activity, a dash of evidence that cannot escape discovery at some point and in some way. Thus, "better late than never" is not functionally good enough in compliance. 

Pay attention to the second half of Chaucer's statement, "never to succeed would be too long a period." There are no viable exceptions to maintaining regulatory vigilance and, if there is a systemic or some other failure, to admitting the mistake and fixing it permanently. Regulators are sometimes sympathetic to companies that recognize and willingly fix mistakes. But be assured that most of the time, they will find out about the errors you prefer not to tell them about. To succeed in compliance, you must proactively review, monitor, test, train, and implement regulatory requirements. 

There are notorious correlations between money mules and identity theft. I have been discussing "traditional" money mules, but there are "synthetic identities" used by money mules. Synthetic identities are created using a discrete combination of PII to fabricate a person or entity. Given the availability of stolen data on the dark web, these identities are easy to create on a large scale. 

If you haven't reviewed your Identity Theft Prevention Program in some time, you are quite remiss, and, from a regulatory compliance perspective, you are not only opening yourself to regulator scrutiny but may also be recklessly endangering your customers. 

Anti-Money Laundering Program 

You asked, How do "money mules" undermine anti-money laundering procedures? In our Anti-Money Laundering test audits, we have noted weaknesses in screening for money mules. The results of our findings are provided in our Executive Summary, and we offer our work papers so that you can see how deep we have gone to evaluate your AML program. We provide recommendations to fix the weaknesses. 

Our reviews have uncovered many money mule schemes. However, catching the scams is a never-ending task because the crooks are remarkably inventive in finding ways to undercut even the best AML programs. 

There are telltale elements that might indicate a money mule has landed on your AML radar. We are always adding to our audit list as crooks invent new schemes and scams. You should do the same! These scams come up repeatedly in our AML test audits to the point that we consider them triggers to conducting an investigation to determine if a Suspicious Activity Report (SAR) should be filed with FinCEN[xii]. 

Our organization maintains a list of warning signs that a money mule may be making their way onto a client's AML radar. Our list contains elements provided by CISA[xiii], and we build on these elements continually. In our estimation, AML compliance must include, among other things, periodic testing, employee training, due diligence, transaction monitoring, Identity Theft Protection Program mandates, KYC and KYB[xiv] requirements, CIP[xv], OFAC[xvi], identity theft[xvii] "frozen credit" alerts, and historical SAR filings. 

An example of due diligence is conducting your own investigation. Money mules can contaminate PII. During an investigation, a client of ours discovered that a money mule group used fake websites and social media profiles to trick victims into providing their personal information. It then used that PII to open bank accounts, apply for mortgage loans, and set up cryptocurrency wallets. This criminal group then laundered the stolen funds through a network of money mules, who received and transferred the funds on behalf of the criminals.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Placement is where illegitimate funds are introduced to the legitimate financial system.

[ii] Integration is where layered funds (which now appear legitimate) are returned to the criminal.

[iii] Layering is where the criminal intentionally moves funds to disguise where the money actually originated.

[iv] Two Indicted in Scheme that Allegedly Laundered over $2 Million Generated by ‘Grandparent Scams’ Targeting Elderly Victims, Press Release, Department of Justice, U.S. Attorney's Office, Central District of California, December 12, 2023

[v] Hamlet, Act 1, Scene 5, Shakespeare

[vi] For instance, among other things, the charge of conspiracy to commit money laundering carries a statutory maximum penalty of 20 years in federal prison, and the charge of conspiracy to commit bank fraud carries a sentence of up to 30 years.

[vii] 16 CFR 603.2(a)

[viii] 16 CFR 603.2(b)

[ix] The Red Flags Rule was issued in 2007 under § 114 of the Fair and Accurate Credit Transaction Act of 2003 (FACT Act), Pub. L. 108-159, amending the Fair Credit Reporting Act (FCRA), 15 USC 1681m(e). The Red Flags Rule is published at 16 CFR 681.1. See also 72 FR, Nov. 9, 2007.

[x] The Rule was amended in 2010 by the Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4), Pub. L. 111-319, 124 Stat. 3457 (December 18, 2010).

[xi] Actually, the phrase is a direct translation from the Latin “potiusque sero quam nunquam” (viz., and better late than never) in Livy’s fourth book Ab Urbe Condita (History of Rome), 27 BC. The full quote in Livy is “Their insolence and recklessness must be opposed, and better late than never.” (My translation.)

[xii] Financial Crimes Enforcement Network (FinCEN), for nonbanks, see Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Residential Mortgage Lenders and Originators, Financial Crimes Enforcement Network, 77 FR 8148-8160 (February 14, 2012), as revised from time to time.

[xiii] CISA provides several publications involving money mules and other schemes. One example is Understanding and Protecting Yourself Against Money Mule Schemes, Matthew DeSantis, Chad Dougherty, Mindi McDowell, US-CERT, Cybersecurity & Infrastructure Security Agency

[xiv] Respectively, Know Your Customer (KYC) and Know Your Business (KYB)

[xv] Customer Information Program (CIP)

[xvi] Office of Foreign Assets Control (OFAC)

[xvii] FCRA Identity Theft Rules, Op. cit. ix

Thursday, February 8, 2024

HMDA: Procedures & Internal Controls

QUESTION 

I am a compliance analyst in our compliance department. We are getting ready to file our HMDA-LAR. Yesterday, our internal auditor requested an outline of the steps we take to evaluate our HMDA policies and procedures. 

Our compliance manager has put together a few bullet points. However, we need some procedures and internal controls that tell the internal auditors adequate measures are in place to ensure compliance. 

Mostly, our procedures are informal. We follow the HMDA guide and use HMDA reporting software. 

I am reaching out to you for guidance in putting together a list of HMDA procedures. 

What are some procedures and internal controls needed to comply with filing HMDA data? 

ANSWER 

Compliance Solution: HMDA, CRA, Fair Lending

The Home Mortgage Disclosure Act (HMDA) requires certain financial institutions to collect, report, and disclose information about their mortgage lending activity. HMDA was enacted by Congress in 1975 and implemented by Regulation C.[i] Over the years, there have been numerous amendments, updates, and linkages to other Acts. HMDA is a disclosure law that relies upon public scrutiny for its effectiveness. 

Contrary to what some people think, HMDA does not prohibit any specific activity of lenders, nor does it establish a quota system for mortgage loans to be made in any geographic area. The federal supervisory agencies use HMDA data to support a variety of activities.[ii] For instance, some federal supervisory agencies use HMDA data as part of their fair lending examination process,[iii] and other agencies use HMDA data in conducting Community Reinvestment Act (CRA) performance evaluations.[iv] 

HMDA disclosures provide the public with information on the home mortgage lending activities of particular reporting entities and activity in their communities. These disclosures are used by local, state, and federal officials to evaluate housing trends and issues and by community organizations to monitor financial institutions' lending patterns. Because HMDA data serve numerous important purposes, validating the accuracy of HMDA data is a key element of the federal supervisory agencies' examination activities. 

For the purpose of this article, I will use the term "institution" to refer to an institution that is either a depository financial institution or a non-depository financial institution that is subject to Regulation C. An institution is required to comply with Regulation C only if it is a financial institution as that term is defined in Regulation C. The definition of financial institution includes depository and non-depository financial institutions, as those terms are separately defined in Regulation C.[v] It is beyond the scope of this response to delve into the method to identify whether an institution meets the definition. An institution utilizes certain coverage tests and thresholds to determine whether a financial institution is required to comply with Regulation C.[vi] 

If your internal auditor plans to review your procedures and internal controls, I suggest you let them know that Regulation C requires an institution to record the data about a covered loan or application on a Loan Application Register (LAR), hereinafter "HMDA-LAR," within 30 calendar days after the end of the calendar quarter in which the financial institution takes final action on the covered loan or application.[vii] An institution is not required to record all its HMDA data for a quarter on a single HMDA-LAR. Rather, it may record data on a single HMDA-LAR or may record data on one or more HMDA-LARs for different branches or different loan types (such as home purchase loans, home improvement loans, or loans on multifamily dwellings). State or federal regulations may require an institution to record its data on a HMDA-LAR more frequently. 

Depending on various criteria, under Regulation C, an institution must submit its annual HMDA-LAR in electronic format to its appropriate federal supervisory agency by March 1 of the year following the calendar year for which the data are collected.[viii] Certain institutions must file their HMDA-LAR quarterly and annually,[ix] where the institution reported at least 60,000 originated covered loans and applications (combined) for the preceding calendar year. 

Guidelines for Procedures and Internal Controls for HMDA Recording and Reporting

I will provide a list of some procedures and internal controls to ensure compliance with HMDA and Regulation C. The list is not meant to be comprehensive. 

·       Whether the individual assigned responsibility for the institution's compliance with HMDA and Regulation C possesses an adequate level of knowledge and has established a method for staying abreast of changes to laws and regulations. 

·       Whether the institution ensures that individuals assigned compliance responsibilities receive adequate training to ensure compliance with the requirements of the regulation. 

·       Whether the individuals assigned responsibility for the institution's compliance with HMDA and Regulation C know whom to contact, at the financial institution or their supervisory agency, if they have questions not answered by the written materials. 

·       Whether the institution has established and implemented adequate controls to ensure that separation of duties exists (i.e., data entry, review, oversight, and approval). 

·       Any internal reports or records documenting policy and procedure revisions and any informal self-assessment of the institution's compliance with the regulation. 

·       If the institution offers preapprovals, whether the institution's preapproval program meets the specifications detailed in the HMDA regulation. If so, whether the institution's policies and procedures provide adequate guidance for reporting preapproval requests that are approved or denied in accordance with the regulation. 

·       Whether the institution's policies and procedures address the reporting of (1) non-dwelling secured loans that are originated in whole or in part for home improvement and classified as such by the institution, and (2) dwelling-secured loans that are originated in whole or in part for home improvement, whether or not classified as such. 

·       Whether the institution established a method for determining and reporting the lien status for all originated loans and applications. 

·       Whether the institution's policies and procedures contain guidance for collecting ethnicity, race, and sex for all loan applications, including applications made by telephone, mail, and Internet. 

·       Whether the institution's policies and procedures address the collection of the rate spread (the difference between the APR and the average prime offer rate for a comparable transaction as of the date the interest rate is set) and whether the institution has established a system for tracking rate lock dates and calculating the rate spread. 

·       Whether the institution's policies and procedures address determining if a loan is subject to the Home Ownership and Equity Protection Act and the reporting of applications involving manufactured home loans. 

·       Whether the HMDA-LAR is updated within 30 days after the end of each calendar quarter. 

·       Whether data are collected at all branches, and if so, whether the appropriate personnel are sufficiently trained to ensure that all branches are reporting data under the same guidelines. 

·       Whether the institution's loan officers, including loan officers in the commercial loan department who may handle loan applications reportable under HMDA (including loans and applications for multifamily or mixed-use properties and small business refinances secured by residential real estate), are informed of the reporting requirements necessary to assemble the information. 

·       Whether the Board of Directors has established an independent review of the policies, procedures, and HMDA data to ensure compliance and accuracy and is advised each year of the accuracy and timeliness of the financial institution's data submissions. 

·       What procedures the institution has put in place to comply with the requirement to submit data in machine-readable form, and whether the institution has some mechanism in place to ensure the accuracy of the data that are submitted in machine-readable form. 

·       Whether the institution's loan officers are familiar with the disclosure, reporting, and retention requirements associated with the loan application registers and the FFIEC public disclosure statements. 

·       Whether the institution's loan officers are familiar with the disclosure statements that will be produced from the data. 

·       Whether the institution's loan officers and affected staff know that civil money penalties may be imposed when an institution has submitted erroneous data and has not established adequate procedures to ensure the accuracy of the data. 

·       Whether the institution's loan officers and affected staff know that correction and resubmission of erroneous data may be required when data are incorrectly reported for at least 5 percent of the loan application records. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group

[i] 12 CFR Part 1003

[ii] Home Mortgage Disclosure Act (HMDA), Consumer Financial Protection Bureau, September 2021. Also see 12 USC 2801–2810.

[iii] 15 USC 1691–1691f, 42 USC 3605, and 12 CFR 1002

[iv] 12 USC 2901–2908, and 12 CFR 25, 195, 228, and 345

[v] 12 CFR 1003.2(g)

[vi] HMDA Data Collection and Reporting: Keys to an Effective Program, Consumer Compliance Outlook, Fourth Issue 2020, published by the Philadelphia FRB, provides a good overview of coverage tests and thresholds, among other things.

[vii] 12 CFR 1003.4(f)

[viii] 12 CFR 1003.5(a)(1)(i)

[ix] Effective January 1, 2020.