
Thursday, June 27, 2024

Quality Control Red Flags and Automated Fraud Alerts

QUESTION 

I am the Chief Risk Officer of our company, a mortgage lender in the northwest. We have a nationwide footprint and an excellent Chief Compliance Officer. A persistent problem that she and I talk about is quality control findings, especially when the QC reports are showing fraud and misrepresentation. As a lawyer, I am cognizant of federal and state laws involving mortgage fraud. 

However, we want a Red Flags approach. We want to put Red Flag checks into our underwriting processes. Our IT department is ready to install them. However, it seems that Red Flags have to be brought in from many other areas other than quality control, such as anti-money laundering and identity theft prevention screening. Our interest, though, is concerning quality control flags. We want to layer them on the other Red Flags in our processing systems. 

What are some Red Flags relating to quality control that may be installed in our loan origination system? 

What suggestions do you have for digitizing flags, alerts, and Red Flags picked up by quality control? 

COMPLIANCE SOLUTIONS 

Quality Control Audits 

QC Tune-up®

ANSWER 

Although an objective of Quality Control (QC) is to identify and reduce fraud and misrepresentation, Red Flag awareness arising out of QC is important because it alerts you to risks that can destabilize many areas of a company’s risk management. Please download the White Paper I published on Risk Management Principles (PDF). 

Red flag identification should be part of both post-closing and prefunding QC processes; indeed, prefunding QC is uniquely positioned to support production teams in identifying and remedying these defects. The prefunding Red Flags should be positioned in your prior-to-closing procedures. 

I hear all the time about the importance of Red Flags. But I have yet to hear a great definition of what should be considered Red Flags. Are Red Flags just itemized factors listed on an automated underwriting system, credit report, or even a mortgage fraud screening tool? Putting them in an LOS requires logic to go with it. A Red Flag is “something that indicates or draws attention to a problem, danger, or irregularity,” according to Merriam-Webster. Irregularities can take many forms, and you must ensure that you have the logic needed to digitize those forms in a constantly changing business environment. 

The irregularities can topple an otherwise dependable approach to QC. A strong QC program is notable for its ability to assess all files for any irregularities to determine both the materiality and the cause of each irregularity. Such causes include human error, process gaps, data irregularities, misinformation, misrepresentation, and fraud. Human errors are likely to be isolated. Sure, irregularities can be identified through the use of digital technologies or simply by comparing similar data in various locations throughout the loan file (e.g., Social Security Number being consistent on all documents in the loan file). And, misinformation can be corrected through confirmation. However, multiple instances of error and misinformation may indicate misrepresentation or fraud. 

There are generally three types of Red Flags detection sources that should be installed in the logic of your loan origination system. These are digitized, automated systems such as credit reports and GSE engines, such as Desktop Underwriter and Collateral Underwriter. Digitized types function according to specific logic, for instance, by means of data validation and reconciliation, pattern recognition, and fraud detection. Each often requires a human to check online search engines to identify corroborating information, review documents for inconsistencies, and consider written or verbal reverification of information. 

You are not going to be able to rely solely on Red Flags in your loan origination system to catch mortgage fraud. At best, such embedded Red Flags will alert you to a potential threat. I would be very cautious in allowing Artificial Intelligence (AI) to trigger systemic loan flow decisions, such as issuing Adverse Action based entirely on its Red Flag utility. AI is still in the nascent stage of development. I’ve published several articles on Artificial Intelligence, if you want to consider my perspective. 

It is laudable as a matter of governance and risk management that you plan to use digital solutions that have the potential to enable QC to be more effective. Automated fraud tools can be installed in the LOS logic requirements. I also think you should watch for new solutions to automate lower-risk data accuracy elements, leaving human resources free to perform more complex reviews to some extent. Keeping your digital solutions deployed within operations must be accompanied by monitoring and periodic testing. Nevertheless, digital solutions also have limitations, and you must control for those limitations! Over-reliance on any technological solution may cause more harm than good. 

Red Flags caused by QC do not and cannot stand alone. They are part and parcel of the entirety of the loan origination process. Take a look at the prefunding checklist that your QC auditor uses. Suppose the prefunding screen is convertible into a technological solution, which thereby effectuates a means to identify loan origination risks. In that case, your list of Red Flags will grow and change over time. 

For instance, here are just a few such tools: fraud detection systems; investors’ software, such as Fannie Mae’s CU; and digital applications and proprietary tools for scrubbing internal data. Using tools such as these to identify Red Flags and elevated risk can be helpful in determining the loans that the QC auditor should sample. Other tools exist that may also be helpful, but to ensure you are selecting the best tools for your organization, you should develop a method for selecting, testing, and monitoring the efficacy of the tools you use. 

For a long time, I have heard of QC companies that provide their version of automated QC auditing, including color-coded tabs, all manner of interactive feedback, online transactions, digitized metrics, and supposedly automatic QC auditing at the loan level. Let me tell you a fact: automated risk and data-screening tools complement but do not replace a comprehensive prefunding QC program. My firm uses advanced technology for QC auditing of client files, and we audit thousands of files a year, but we never rely solely on a system solution to replace our prefunding or post-closing QC reviews. 

We always provide human analysis to prefunding and post-closing QC audits. No matter how sophisticated the automated tool is, it can fail or have gaps. If you plan to install logic that gleans prefunding QC findings in particular, you must continuously monitor for results that may reveal deficiencies while also highlighting new logic for tool enhancements and improvements. False positives can turn up in automated solutions, and there goes efficiency – along with the possibility of canceling a viable loan! Adjustments to testing parameters must be considered to ensure the proper balance between defect identification and false positives. In any event, you should continue to think of ways the tool can fail and how to fill those gaps operationally. 

If automated hard stops are not possible, implement a funding condition or post-funding review process to ensure loans with unresolved eligibility, compliance, or fraud flags do not get delivered to investors. Inevitably, some of these alerts become Red Flags that may be specific to your loan products, complexity, origination channels, geographic areas, and loan originator relationships (i.e., retail, wholesale). You should ensure that any automated tool is customized for your company’s desired controls before its use. And reject out-of-the-box settings that do not align with your organization’s unique risks. 

You do not mention the correlating action that should be taken when a Red Flag is triggered. That must be built into a system solution, with clear escalation paths for when the tool identifies flags or alerts, including individual management authorities and a sequence of escalation. It is essential that reporting, evaluation, and oversight of digitized system solutions, such as I have described above, are independent of the origination and underwriting staff. 

A final word about the “checkbox” approach to Red Flags triggered by prefunding or post-closing QC: the output of your tools should promote action that reduces a “check the box” approach. This may seem counterintuitive, but if the tool operates efficiently, it should constantly update and integrate its analytics. Therefore, your IT should consider integrating your tools into the loan origination system. Integration creates a basis for strategic loan selections and system hard stops for loans with defined eligibility, compliance, or fraud flags.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
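
The cross-document comparison described in the answer above (the same data point, such as a Social Security Number, being consistent on every document in the loan file) can be sketched as follows. This is an added example, not part of the original post or any vendor's tool; the document names, field names, the two-field escalation threshold and the routing labels are assumptions, and the loan file is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample loan file (not real data). SSN area 000 is never issued.
LOAN_FILE = {
    "loan_id": "SAMPLE-0001",
    "documents": [
        {"doc": "application", "ssn": "000-12-3456",
         "name": "Pat Q. Sample", "employer": "Acme Freight LLC"},
        {"doc": "credit_report", "ssn": "000123456",
         "name": "PAT Q SAMPLE", "employer": "Acme Freight, LLC"},
        {"doc": "w2", "ssn": "000-12-3465",          # transposed digits
         "name": "Pat Q. Sample", "employer": "Acme Freight"},
        {"doc": "voe", "ssn": "000-12-3456",
         "name": "Pat Q. Sample", "employer": "Apex Freight LLC"},
    ],
}

ENTITY_SUFFIXES = {"llc", "inc", "corp", "co"}
# Assumption: one mismatched field is treated as an isolated error to reverify;
# two or more mismatched fields are escalated as possible misrepresentation.
ESCALATE_AT = 2


def _digits(value):
    """Keep digits only, so '000-12-3456' and '000123456' compare equal."""
    return re.sub(r"\D", "", value)


def _text(value):
    """Casefold, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", value).casefold().split())


def _employer(value):
    """Ignore trailing entity suffixes, a common source of false positives."""
    words = _text(value).split()
    while words and words[-1] in ENTITY_SUFFIXES:
        words.pop()
    return " ".join(words)


NORMALIZERS = {"ssn": _digits, "name": _text, "employer": _employer}


def _display(field, normalized):
    """Never write a full SSN into a finding or a log line."""
    return "***-**-" + normalized[-4:] if field == "ssn" else normalized


def reconcile(loan_file):
    """Return one finding per field whose normalized value differs across documents."""
    findings = []
    for field, normalize in NORMALIZERS.items():
        seen = defaultdict(list)              # normalized value -> documents
        for doc in loan_file["documents"]:
            raw = doc.get(field)
            if raw:
                seen[normalize(raw)].append(doc["doc"])
        if len(seen) > 1:
            variants = [{"value": _display(field, value), "docs": docs}
                        for value, docs in seen.items()]
            findings.append({"field": field, "variants": variants})
    return findings


def disposition(findings):
    """Route for human review only; this never declines a loan on its own."""
    if not findings:
        return {"action": "clear", "route_to": None}
    if len(findings) < ESCALATE_AT:
        return {"action": "reverify", "route_to": "prefunding_qc"}
    return {"action": "escalate", "route_to": "qc_manager"}


if __name__ == "__main__":
    results = reconcile(LOAN_FILE)
    for finding in results:
        print(finding["field"], finding["variants"])
    print(disposition(results))
```

The suffix normalization and the escalation threshold are the tuning points: loosening them reduces false positives, tightening them catches more defects, and either change should be tested against files with known outcomes before it goes live.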

Thursday, June 20, 2024

Elder Theft and Elder Scams

QUESTION 

Our bank formed a group to prevent elder financial exploitation. Most of our clients are seniors and elderly, so we want to be sure our customers are protected from being exploited. They revised a number of screening procedures to catch fraud. They report directly to our Chief Compliance Officer. 

In the last year, we have seen a substantial increase in elder financial exploitation. What bothers me is that most of the crooks seem to get away with financially exploiting older people because we sometimes catch the crooks after the fraud happens. This means we are constantly revising the filters, and we are continually having to update our training. 

As a member of the group, I have been asked to contact you to help us further develop our policy and procedures involving the prevention of elder financial exploitation. In particular, we are interested in outlining the difference between Elder Theft and Elder Scams because we plan to separate the policy into those two primary parts. We have read your articles on elder financial exploitation and have heard you speak on this subject. We need some assistance in developing better filters. 

What is the difference between Elder Theft and Elder Scams? 

COMPLIANCE SOLUTIONS 

EFE TUNE-UP®

Elder Financial Exploitation - Prevention 

POLICIES AND PROCEDURES 

ANSWER 

I have published extensively on the financial abuse and scams referred to as Elder Financial Exploitation (EFE). My efforts have included numerous articles and published White Papers, lectures, and webinars, being a panelist in organizational conferences, and, of course, working with clients who needed to file a Suspicious Activity Report (SAR) or notify the FBI with respect to EFE concerns. 

Here are a few of my writings on this subject: 

Suspicious Activity and Elder Financial Abuse 

Elder Financial Abuse: Disclosure, Schemes, and “Red Flags” 

Elder Financial Exploitation 

Elder Financial Exploitation: Prevention and Filing SARs 

Elder Financial Abuse Epidemic 

Elder Financial Abuse: Prevention and Remedies (PDF) 

Elder Financial Abuse (PDF) 

The Articles section of our website has several articles that directly and indirectly relate to Elder Financial Exploitation. Use them to help build your policy and procedures document. 

My firm even provides a free checklist of Behavioral and Financial Red Flags – Elder Financial Abuse! Contact us for a copy! 

I will tell you straight out: EFE seems to keep happening relentlessly – and growing rapidly. 

My answer here is going to be in the form of a “preamble” to your policy. Consider using these preambles as a base for the further formulation of your policies and procedures relating to Elder Theft and Elder Scams. 

For many years, amid rampant fraud and abuse targeting older adults, FinCEN has urged financial institutions to detect, prevent, and report suspicious financial transactions. Every year since 2006, FinCEN has issued an advisory in support of World Elder Abuse Awareness Day[i], commemorated on June 15th. The statistics are not getting better. They are worsening. 

For instance, depository institutions filed 46,888 EFE-related BSA reports from March 2023 to May 2023, accounting for nearly 30 percent of the total EFE-related reports filed in the review period. This pace appears to be continuing, as FinCEN received an average of 15,993 EFE BSA reports per month between 15 June 2023 and 15 January 2024.[ii] You do the math! 

Before we get too far into my response, let me put down a working definition of EFE: 

Elder Financial Exploitation (EFE) is the illegal or improper use of an older adult’s funds, property, or assets. Older adults are typically considered individuals aged 60 or older. EFE consists of two primary subcategories: elder theft and elder scams. 

Elder theft consists of schemes involving the theft of an older adult’s assets, funds, or income by a trusted person. Elder scams involve the transfer of money to a stranger or imposter for a promised benefit or good that the older adult did not receive. EFE is one type of elder abuse, which includes physical, emotional, and financial abuse. Elder abuse and EFE definitions vary statutorily by state.[iii] 

Elder theft often occurs when persons known and trusted by older adults steal victim funds, while elder scams involve fraudsters with no known relationship to their victims. Indeed, some scammers are located outside the United States.[iv] Sadly, elder theft is likely to be underreported and can go undetected because the perpetrators are typically individuals whom the victim trusts.[v] 

FinCEN analysis of Bank Secrecy Act (BSA) information indicates that elder scams mostly rely on less sophisticated scam typologies. However, some scammers make their scams more complex by blending multiple scam types into one victimization and using victims both as a source of funds and to launder illicit gains.[vi] 

Scammers are often organized, with fraud rings ranging from small groups of individuals to organizations with hundreds of members. There are violent criminal organizations known to carry out fraud schemes, including EFE-related fraud. 

Unfortunately, perpetrators of EFE schemes often do not stop after first exploiting their victims. In both elder theft and elder scams, older adults are frequently re-victimized[vii] and subject to potentially further financial loss, isolation, and emotional or physical abuse long after the initial exploitation due to the significant illicit gains at stake. Scammers may also sell victims’ Personally Identifiable Information (PII) on the black market to other criminals who continue to target the victims using new and emerging scam typologies.[viii] 

ELDER THEFT 

Elder theft is so insidious because the family of the victim is often the perpetrator. Another form of elder theft is where a non-family caregiver financially abuses the relationship from a position of trust. In 2019, FinCEN analyzed SARs based on elder theft narratives.[ix] The analysis found that a family member was involved in the theft of assets from older adults in 46 percent of elder theft cases reported between 2013 and 2019. 

Who were these perpetrators? Family members, familiar associates, acquaintances such as neighbors, friends, financial services providers, business associates, or those in routine close proximity to the victims. 

Considerable studies have been undertaken by senior citizen organizations, FinCEN, DOJ, and many state governmental authorities to find a pattern to this criminality. It turns out elder theft often follows a similar methodology in which trusted persons may use deception, intimidation, and coercion against older adults in order to access, control, and misuse their finances. Criminals frequently exploit victims’ reliance on support and services and will take advantage of any cognitive and physical disabilities.[x] Environmental factors such as social isolation lead to elder theft. 

The criminal’s goal is to establish control over the victims’ accounts, assets, or identity.[xi] Here are just a few of the ways in which financial exploitation takes place. The elder may be financially abused by the exploitation of legal guardianships[xii] and power of attorney arrangements[xiii] or the use of fraudulent investments such as Ponzi schemes[xiv] to defraud older adults of their income and retirement savings. These relationships lead to repeated abuse, as the trusted person repeatedly abuses the victims by liquidating their savings and retirement accounts, stealing Social Security benefit checks and other income, transferring property and other assets, or maxing out credit cards in the name of the victims until most of their assets are stolen.[xv] 

ELDER SCAMS 

Criminals involved in elder scams defraud victims into sending payments and disclosing PII under false pretenses or for a promised benefit or good the victims will never receive. These scammers are often located outside of the United States and have no known previous relationship with the victims. 

Like Elder Theft, a pattern of criminality can be identified. Elder scams often follow a similar methodology in which scammers contact older adults under a fictitious persona via phone call, robocall, text message, email, mail, in-person communication, online dating apps and websites, or social media platforms. In order to appear legitimate and establish trust with older adults, scammers commonly impersonate government officials, law enforcement agencies, technical and customer support representatives, social media connections, or family, friends, and other trusted persons. 

There are several typical types of elder scams. To name but a few: 

· Government Imposter Scams;
· Romance Scams;[xvi]
· Emergency or Person-in-Need Scams;
· Lottery and Sweepstakes Scams;
· Tech and Customer Support Scams.

This set-up is a con that evokes stress in the victim. Perpetrators often create high-pressure situations by appealing to their victims’ emotions and taking advantage of their trust or by instilling fear to solicit payments and PII. This is, in effect, an Imposter Scam.[xvii] Scammers often request victims to make payments through wire transfers at money services businesses (MSBs) but are increasingly requesting payments via prepaid access cards, gift cards, money orders, tracked delivery of cash and high-valued personal items through the U.S. Postal Service, ATM deposits, cash pick-up at the victims’ houses, and convertible virtual currency (CVC).[xviii] 

Money Mules are a particularly deceitful way to trap victims into an elder scam.[xix] A money mule is a person who, wittingly or unwittingly, transfers or moves illicit funds at the direction of or on behalf of another, in this case, transfers or moves illicit funds at the direction of the scammers. The victim of an elder scam can also serve as a money mule: the scammer convinces the victim to set up a bank account or Limited Liability Corporation (LLC) in the victim’s name to receive, withdraw, deposit, or transfer multiple third-party payments from other victimized older adults to accounts controlled by the scammer under the illusion of a “business opportunity.” In some circumstances, victims of EFE acting as money mules may be prosecuted for this illegal activity and are liable for repaying the other victims. They may also be subject to damaged credit and further victimized through their stolen PII.[xx] 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group


[i] World Elder Abuse Awareness Day, Administration for Community Living, launched by the International Network for the Prevention of Elder Abuse and the World Health Organization at the United Nations.

[ii] Financial Trend Analysis, Elder Financial Exploitation: Threat Pattern & Trend Information, June 2022 to June 2023, April 2024, Financial Crimes Enforcement Network.

[iii] Memorandum on Financial Institution and Law Enforcement Efforts to Combat Elder Financial Exploitation, Consumer Financial Protection Bureau (CFPB) and FinCEN, August 30, 2017; see also, Elder Abuse and Elder Financial Exploitation Statutes, U.S. Department of Justice (DOJ).

[iv] Advisory on Elder Financial Exploitation, FinCEN Advisory, FIN-2022-A002, June 15, 2022

[v] Recovering from Elder Financial Exploitation, A Framework for Policy and Research, September 2022, Consumer Financial Protection Bureau

[vi] Phantom Hacker Scams Target Senior Citizens and Result in Victims Losing their Life Savings, Alert Number I-091223-PSA, September 29, 2023, Federal Bureau of Investigations Internet Crime Complaint Center

[vii] For additional information on re-victimization in EFE schemes, see Addressing the Challenge of Chronic Fraud Victimization, March 2021, FINRA Investor Education Foundation (FINRA Foundation), American Association of Retired Persons (AARP), and Heart+Mind Strategies.

[viii] List Brokerage Firm Pleads Guilty to Facilitating Elder Fraud Schemes, September 28, 2020, Department of Justice

[ix] Elders Face Increased Financial Threat from Domestic and Foreign Actors, December 2019, FinCEN Financial Trend Analysis

[x] Idem

[xi] Associate Deputy Attorney General Paul R. Perkins Delivers Remarks at the ABA/ABA Financial Crimes Enforcement Conference, December 9, 2020, Department of Justice

[xii] Court-Appointed Pennsylvania Guardian and Virginia Co-Conspirators Indicted for Stealing Over $1 Million from Elderly Wards, June 30, 2021, Department of Justice

[xiii] Franklin, Tennessee Couple Charged With Defrauding Elderly Widow of $1.7 Million, May 12, 2021, Department of Justice; and Former Waterloo Medicaid Provider Sentenced to More than Five Years in Federal Prison for Defrauding Elderly Victim, June 28, 2021, Department of Justice

[xiv] Arizona Man Sentenced for Multimillion-Dollar Nationwide Investment Fraud Scheme, March 15, 2021, Department of Justice

[xv] Annual Report to Congress on Department of Justice Activities to Combat Elder Fraud and Abuse, October 18, 2021, Department of Justice

[xvi] In Romance Gone Awry: A Tale of AML and Negligence, April 14, 2022, I outline litigation involving a Romance Scam. Visit https://mortgage-faqs.blogspot.com/2022/04/romance-gone-awry-tale-of-aml-and.html. See O’Rourke v. PNC Bank, 2022 Del. Super. (Del. Sup. Ct. February 15, 2022)

[xvii] The Federal Trade Commission provides extensive information about Imposter Scams. Visit its webpage How To Avoid Imposter Scams, https://consumer.ftc.gov/features/how-avoid-imposter-scams. See my articles, such as Imposter Robocalls, February 9, 2023, https://mortgage-faqs.blogspot.com/2023/02/imposter-robocalls.html and COVID-19: Imposters and Money Mules, August 6, 2020, https://mortgage-faqs.blogspot.com/2020/08/covid-19-imposters-and-money-mules.html.

[xviii] FBI Warns of a Grandparent Fraud Scheme Using Couriers, Alert Number I-072921-PSA, July 29, 2021, FBI; New Twist to Grandparent Scam: Mail Cash, December 3, 2018, Federal Trade Commission

[xix] See my article Op. cit. xvi COVID-19: Imposters and Money Mules.

[xx] The FBI maintains a website to increase public awareness of money mules. Visit Money Mules at https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-scams-and-crimes/money-mules

Thursday, June 13, 2024

CFPB’s Repeat Offender Registry – Part Two

QUESTION 

Last week, you published an article about the Repeat Offender rule. The questioner was pretty upset about it. But I am not upset about it. After all, if a company repeats violations, why shouldn’t the public know about it? 

I also run a mortgage lender, just like the other guy. I’m the President and CEO. My company is almost 30 years old. We’ve made it through upturns and downturns, and we’re positioned well for the next upturn. Along the way, we have had violations cited on banking audits. We corrected them and moved on. I can’t think of a single instance when the violation that we corrected got repeated. Not once has that happened. 

So, my view is different. Companies that make the same violations over and over again make it harder for companies like mine to be trusted by the public. I want a level playing field where my loan officers are able to provide our services without having to worry that a competitor is getting away with repeat violations. Repeat offenders are bad for business and mess with the public trust. 

I learned a lot from your article. I printed it out and sent it to my mortgage bankers association as well as all our employees. I want people to know that our company supports the Repeat Offender rule because it is good for business and strengthens the public trust. 

You ended last week’s article by saying that Part Two would further discuss other aspects of the Repeat Offender requirements. I look forward to reading it soon. 

What are other essential aspects of the Repeat Offender requirements? 

COMPLIANCE SOLUTION 

CMS Tune-up®

(Compliance Management System)

ANSWER 

I appreciate your message. The response to Part One was enormous. 

Clearly, this is a controversial subject. But, in a sense, it shouldn’t be. After all, analogously, if you obey the speed limit, it is not unreasonable to want others to follow the speed limit, too. Do you enjoy being tailgated? Are you entertained by cars swerving in and out of fast-moving traffic? Do you feel safe when somebody races past your car at 80 MPH in a 50 MPH zone? About 11% of Americans have had at least one speeding ticket.[i] Repeat driving offenses risk increased insurance fees, loss of a driver’s license (a privilege, not a right), a hazard to safety, destruction of property, and a threat to life.    

Why should some people get bent out of shape by calling a company that continues to violate banking laws a “repeat offender?” What else should it be called? If the term “recidivist” is a proxy, then go for it – use “recidivist.” Both terms imply a tendency to relapse, and "repeat offender," in particular, does seem to be associated with criminal behavior. It is quite a stretch to imply that mortgage companies that repeat offenses of legal and regulatory mandates are criminals. They are certainly not criminals. The problem is the terminology. Perhaps the CFPB can come up with a less objectionable term. 

A quick recap:

On Monday, June 3rd, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a Final Rule[ii] (“Rule”) requiring nonbank consumer financial services companies to register court orders or government agency orders in a new Nonbank Registry (“Registry”). This Rule is the “Repeat Offender” registration requirement. The effective compliance date is September 16, 2024. 

In Part One, I outlined the following areas: 

· Repeat Offender Unit;
· Risk Profile;
· Agency and Court Orders;
· Registration; and
· Attestation.

In Part Two, I will discuss[iii] optional alternative registration, timing requirements, the written statement requirement, and when the registration requirement comes to an end. Also, I provide tables for the submission periods and registration protocols. 

Optional Alternative Registration Requirements 

The Rule provides a limited one-time, alternative registration option for covered orders that are published on the Nationwide Multistate Licensing System (NMLS) Consumer Access website.[iv] 

As a covered nonbank, you may alternatively choose to file a special one-time registration for NMLS-published covered orders that were not issued or obtained, at least in part, by the CFPB. By “covered orders,” the CFPB means court orders or government agency orders.[v] 

If the alternative option is chosen, the nonbank must submit certain required information. After such submission, the nonbank has no further obligations to register any changes to or expiration of the order or to file written statements with respect to that order (if applicable). 

The alternative option is not available for any order issued or obtained at least in part by the CFPB, regardless of whether it is published on the NMLS Consumer Access website. 

Timing Requirements 

The timing requirements are a little bit tricky, so stay with me as I elaborate on them. I suggest you work with a compliance professional to ensure the filing and timing requirements are adhered to meticulously. 

Initially, the Rule has a phased-in implementation. During the implementation submission period, nonbanks are categorized into three institutional types, as follows:

1) Larger Participant CFPB-Supervised Covered Nonbanks;

2) Other CFPB-Supervised Covered Nonbanks (i.e., CFPB-supervised covered nonbanks that do not meet the definition of a larger participant under the CFPB’s regulations); and

3) All Other Covered Nonbanks (i.e., covered nonbanks that the CFPB does not supervise).

For each category, the final rule provides a 90-day window for covered nonbanks to register all covered orders with effective dates from January 1, 2017, until the start of that implementation submission period.

 

The table below identifies registration submission periods based on the Rule’s effective date of September 16, 2024. 

Implementation Submission Periods[vi]

| Covered Nonbank Type | Registration Submission Period | Registration Deadline |
|---|---|---|
| Larger Participant CFPB-Supervised Covered Nonbanks | October 16, 2024 through January 14, 2025 | January 14, 2025 |
| Other CFPB-Supervised Covered Nonbanks | January 14, 2025 through April 14, 2025 | April 14, 2025 |
| All Other Covered Nonbanks | April 14, 2025 through July 14, 2025 | July 14, 2025 |

Any dates that fall on a Saturday, Sunday, or Federal holiday should be converted to the next day that is not a Saturday, Sunday, or Federal holiday. Accordingly, the Bureau has adjusted the submission period dates, as listed above.

Two orders are subject to registration: orders that 

1.     Have an effective date from January 1, 2017, through the start of the nonbank’s submission period, and 

2.     For orders issued prior to September 16, 2024, the order remains effective as of September 16, 2024. 

Here’s how this works. I will use the institutional category two (above)—Other CFPB-Supervised Covered Nonbanks—to illustrate the protocol. It reflects the Bureau’s example.[vii] My protocol table shows how to determine the analysis. 

Protocol for Registration of Covered Orders - Example

| Order Types | Order Timeframe | Registration Disposition |
|---|---|---|
| First Order | Order takes effect[viii] on January 1, 2016, and expires on January 1, 2026. | Do not register (effective January 1, 2016) because it takes effect before January 1, 2017. |
| Second Order | Order takes effect on January 1, 2017, and expires on October 30, 2025. | Register (effective January 1, 2017) because it takes effect on or after January 1, 2017 (and prior to the start of the applicable submission period) and remains in effect as of September 16, 2024. |
| Third Order | Order that becomes effective on January 1, 2025, and expires on January 1, 2031. | Register (effective January 1, 2025) because it takes effect on or after September 16, 2024, and prior to the start of the applicable submission period. |

Note 1: Continue to comply with the ongoing registration requirements for these orders until they expire or are terminated.

Note 2: If a new order is issued and effective on or after the start date of the implementation submission period, follow the ongoing registration timing requirements.

 

Understanding the Ongoing Registration Timing Requirements 

After the start of a nonbank’s implementation submission period, it must begin complying with the Rule’s ongoing registration timing requirements to register new orders and submit changes or updates related to previously registered covered orders. 

The nonbank should access the CFPB’s Nonbank Registry and provide a registration submission within the identified 90-day window for each of the following events: 

1.     Within 90 days after the date of updates or changes to the nonbank’s identifying information or administrative information. 

2.     Within 90 days after the date of any amendments made to previously registered orders, including changes to submitted order information. 

3.     Within 90 days after the effective date of any new order(s) applicable to the nonbank (with effective dates on or after the start of the applicable implementation period). 

4.     Within 90 days after the effective date of termination or expiration, submit a revised filing of a previously registered covered order. 

Written Statement – Attestation 

In Part One, I discussed the annual filing requirement of the written statement. It is, in effect, an attestation.[ix] 

  • For CFPB-Supervised Covered Nonbanks, these written statements must be submitted annually on or before March 31 of each year.
  • For Larger Participant CFPB-Supervised Covered Nonbanks that register by December 31, 2024, the first written statement submission is required by March 31, 2025. It would cover all applicable orders registered with an effective date from October 16, 2024 to December 31, 2024.
  • For Other CFPB-Supervised Covered Nonbanks, the first written statement submission is required on March 31, 2026. It will cover all applicable orders registered with an effective date on or after the beginning of their implementation submission period, January 14, 2025 to December 31, 2025.

As I pointed out in Part One, the written statement is where governance plays a role because the designated executive must provide:

Thursday, June 6, 2024

CFPB’s Repeat Offender Registry – Part One

QUESTION 

We just learned from our lawyers about the possibility that our firm will need to file as a Repeat Offender. I am really angry about this, and I am turning to you for feedback. This type of filing could crush our business reputation. I am the President and have built this company for over twenty years. Now, because we had a few violations, we are going to be considered repeat offenders. And the whole world is going to view us as repeat offenders. 

I am outraged. I had a conference call with other company owners, and they wanted me to ask you for your understanding of this nasty situation. I mean, really, repeat offenders are felons, sex perverts, murderers, crooks, and criminals of all sorts and stripes. It is insulting to say we are Repeat Offenders. We are not hardened criminals. We are not crooks. 

We are hardworking business people who do the best we can in a highly regulated industry. If we make mistakes, we try to fix them. Sometimes, we make the same mistake, but not out of malice. We’re licensed, and the last thing we want to do is call regulators down on our company for repeating a mistake. We don’t run from our responsibilities. 

Our lawyers are telling us how to manage the situation legally. But all I’m hearing is there’s nothing we can do but accept that we are going to be called “repeat offenders.” One of our lawyers used a fancy word, saying we are a “recidivist” company. Is that word supposed to make me feel better? Whatever. We are going to be burned on the “repeat offender” stake. 

Thank you for letting me rant. I am just so pissed off. Please give me and others some basic understanding of what this new set of regulatory shackles is all about. 

What is the Repeat Offender requirement? 

How does the Repeat Offender filing work? 

Why is my firm being singled out? 

COMPLIANCE SOLUTION 


CMS Tune-up®
(Compliance Management System)

ANSWER 

For the last few days, we’ve gotten so many calls on this subject that we had to double up the reception team. The emails to us were peaking each day. That’s because, on Monday, June 3rd, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) issued a Final Rule[i] (“Rule”) requiring nonbank consumer financial services companies to register court orders or government agency orders in its Nonbank Registry (“Registry”). This Rule is the “Repeat Offender” registration requirement that you’re referring to. The effective compliance date is September 16, 2024. 

Given the complexity of the Rule, my answer today constitutes Part One. We’ll publish Part Two next week, which will be a continuation of today’s answer and will also contain a chart and another checklist outline. Furthermore, since we have received so many inquiries on this topic, I may include some of those questions in Part Two. 

I understand your concerns. Before I get into some of the details and answer your questions, please relax. If you have competent counsel, they should be responsive and provide helpful guidance. 

You can contact me personally here if you want us to discuss your compliance needs. We have a range of compliance services that will likely mitigate your risk management challenges. When risk management is not functioning well, repeated violations may happen, and regulations can become a minefield. 

REPEAT OFFENDER UNIT 

You seem surprised by the terminology of “Repeat Offender.” You might like to know that the CFPB has had a Repeat Offender Unit since 2022. It was set up specifically to focus[ii] on these four activities: 

1)    reviewing and monitoring the activities of repeat offenders;

2)    identifying the root cause of recurring violations;

3)    pursuing and recommending solutions and remedies that hold entities accountable for failing to comply with Federal consumer financial law consistently; and

4)    designing a model for order review and monitoring that reduces the occurrences of repeat offenders.

The Repeat Offender Unit is equipped with a national supervision team that is responsible for designing and executing comprehensive oversight of supervised entities subject to CFPB law enforcement orders.[iii] In effect, it is a deterrence strategy that actively ensures a company, its senior management, and its board of directors are not treating any orders as mere suggestions.

Thus, the Bureau is taking several steps to identify specific individuals and entities responsible for repeat offenses. 

And you are correct: the CFPB will make the Registry publicly accessible. The Bureau states in the Rule that a public registry will enable other Federal, state, and local regulators to “realize many of the same market-monitoring benefits that the Bureau anticipates obtaining from this rule.”[iv] The plan here is to facilitate the ability of consumers to identify the entities that are registered with the Bureau, with the goal of enhancing “the ability of investors, research organizations, firms conducting due diligence, and the media to locate, review, and monitor orders enforcing the law.”[v]  

RISK PROFILE 

Your firm is not being singled out, though it may feel that way. Don’t develop a persecution complex when dealing with regulators. I have even admonished lawyers who presumably know how to interact with regulators but come at them with righteous indignation. They should know better. 

You’ve spent decades building your business, but compliance issues are always traceable and never erasable. Like it or not, your firm has established a risk profile with the Bureau and likely with state banking departments. Your goal must be to prevent, reduce, and mitigate legal and regulatory risks. 

If you want to be proactive, do a self-assessment, such as our CMS Tune-up®, which will help you get a better understanding of the strengths and weaknesses in your Compliance Management System. Get our report. Fix the weaknesses. Conduct an annual review.

Contact us for more information about the CMS Tune-up® 

We have a Compliance Tune-up® audit for virtually all areas of mortgage banking. Whatever you do, stay focused on ensuring the resiliency of your overall compliance program. 

As you know, we only work in the mortgage compliance space. If you are a covered nonbank providing consumer financial products or services, such as residential mortgage loans, you are probably covered by the Rule.[vi] 

AGENCY AND COURT ORDERS 

As I said above, the Rule requires the covered nonbank to register court orders or government agency orders in a new Registry. Let me discuss this requirement, because it arises from investigations, proceedings, administrative matters and actions, consent orders, agency orders, and court orders.

Since your lawyers have notified you that you need to register, my guess is that your risk profile contains some of the requirements that mandate registration. Given that you may need to register with the Registry, let’s drill down into the types of orders that can trigger the filing requirement. 

Here’s an outline to help you identify whether you may need to file with the Registry. If any of these orders have been issued, you certainly may be subject to registration.[vii]

An order[viii] is covered by the Rule if it:

  • Is a final public order issued by an agency or court;
  • Identifies a covered nonbank by name as a party subject to the order;
  • Was issued at least in part in any action or proceeding brought by any Federal agency, state agency, or local agency; 
  • Contains public provisions that impose obligations on the covered nonbank to take certain actions or to refrain from taking certain actions;
  • Imposes obligations on the covered nonbank based on an alleged violation of a covered law, which includes Federal consumer financial laws, other laws enforced by the CFPB, and certain unfair, deceptive, or abusive acts or practices laws at both Federal and state levels identified in the final rule; and
  • Has an effective date on or after January 1, 2017. An order is effective on the date specified in the order. If an order does not have an effective date identified, the date of issuance is the effective date. If the issuing agency or a court stays or otherwise suspends an order’s effectiveness, the order’s effective date for purposes of the final rule is delayed until the stay or suspension is lifted.[ix]

The Bureau casts a wide net with respect to the laws covered by the Rule. The Rule covers a federal consumer financial law or any other law the CFPB enforces; Section 5 of the FTC Act (UDAP); state UDAAP laws; and specific state laws identified by the Rule. 

REGISTRATION

Unfortunately, filing is going to add an administrative burden on management and governance. There’s no getting around it; registration will require you to file information and documentation.[x] The Bureau will provide the Registry format and filing instructions. And, the Rule requires you to submit revised filings within 90 days if any information outlined above changes or the covered order is amended, terminated, rescinded, or abrogated. 

So, it’s clear you will need to do the following: 

1) Covered Nonbank Identity Information 

As specified in the CFPB’s filing instructions, a covered nonbank must submit identifying information about itself, such as its legal name and the address of its principal place of business. 

2) Administrative Information 

As specified in the CFPB’s filing instructions, a covered nonbank must submit certain additional administrative information. For example, administrative information may include information regarding a registered entity’s affiliates that are registered with respect to the same order. 

3) Covered Order Information 

To register a covered order, a covered nonbank must submit at least the following to the CFPB:

  • A fully executed, accurate, and complete copy of the covered order in a PDF format.[xi]
  • The applicable agency(ies) and court(s) that issued or obtained the covered order.[xii]
  • The effective date of the covered order.[xiii]
  • The date of expiration, if any, of the covered order or a statement that there is none.