TOPICS

Thursday, June 27, 2024

Quality Control Red Flags and Automated Fraud Alerts

QUESTION 

I am the Chief Risk Officer of our company, a mortgage lender in the northwest. We have a nationwide footprint and an excellent Chief Compliance Officer. A persistent problem that she and I talk about is quality control findings, especially when the QC reports are showing fraud and misrepresentation. As a lawyer, I am cognizant of federal and state laws involving mortgage fraud. 

However, we want a Red Flags approach. We want to put Red Flag checks into our underwriting processes. Our IT department is ready to install them. However, it seems that Red Flags have to be brought in from many other areas other than quality control, such as anti-money laundering and identity theft prevention screening. Our interest, though, is concerning quality control flags. We want to layer them on the other Red Flags in our processing systems. 

What are some Red Flags relating to quality control that may be installed in our loan origination system? 

What suggestions do you have for digitizing flags, alerts, and Red Flags picked up by quality control? 

COMPLIANCE SOLUTIONS 

Quality Control Audits 

QC Tune-up®

ANSWER 

Although an objective of Quality Control (QC) is to identify and reduce fraud and misrepresentation, Red Flag awareness arising out of QC is important because it alerts to risks that can destabilize many areas of a company’s risk management areas. Please download the White Paper I published on Risk Management Principles (PDF). 

Red flag identification should be part of both post-closing and prefunding QC processes; indeed, prefunding QC is uniquely positioned to support production teams in identifying and remedying these defects. The prefunding Red Flags should be positioned in your prior-to-closing procedures. 

I hear all the time about the importance of Red Flags. But I have yet to hear a great definition of what should be considered Red Flags. Are Red Flags just itemized factors listed on an automated underwriting system, credit report, or even a mortgage fraud screening tool? Putting them in an LOS requires logic to go with it. A Red Flag is “something that indicates or draws attention to a problem, danger, or irregularity,” according to Merriam-Webster. Irregularities can take many forms, and you must ensure the logic needed to digitize those forms in a constantly changing business environment. 

The irregularities can topple an otherwise dependable approach to QC. A strong QC program is notable for its ability to assess all files for any irregularities to determine both the materiality and the cause of each irregularity. Such causes include human error, process gaps, data irregularities, misinformation, misrepresentation, and fraud. Human errors are likely to be isolated. Sure, irregularities can be identified through the use of digital technologies or simply by comparing similar data in various locations throughout the loan file (i.e., Social Security Number being consistent on all documents in the loan file). And, misinformation can be corrected through confirmation. However, multiple instances of error and misinformation may indicate misrepresentation or fraud. 

There are generally three types of Red Flags detection sources that should be installed in the logic of your loan origination system. These are digitized, automated systems such as credit reports and GSE engines, such as Desktop Underwriter and Collateral Underwriter. Digitized types function according to specific logic, for instance, by means of data validation and reconciliation, pattern recognition, and fraud detection. Each often requires a human to check online search engines to identify corroborating information, review documents for inconsistencies, and consider written or verbal reverification of information. 

You are not going to be able to rely solely on Red Flags in your loan origination system to catch mortgage fraud. At best, such embedded Red Flags will alert you to a potential threat. I would be very cautious in allowing Artificial Intelligence (AI) to trigger systemic loan flow decisions, such as issuing Adverse Action based entirely on its Red Flag utility. AI is still in the nascent stage of development. I’ve published several articles on Artificial Intelligence, if you want to consider my perspective. 

It is laudable as a matter of governance and risk management that you plan to use digital solutions that have the potential to enable QC to be more effective. Automated fraud tools can be installed in the LOS logic requirements. I also think you should watch for new solutions to automate lower-risk data accuracy elements, leaving human resources free to perform more complex reviews to some extent. Keeping your digital solutions deployed within operations must be accompanied by monitoring and periodic testing. Nevertheless, digital solutions also have limitations, and you must control for those limitations! Over-reliance on any technological solution may cause more harm than good. 

Red Flags caused by QC do not and cannot stand alone. They are part and parcel of the entirety of the loan origination process. Take a look at the prefunding checklist that your QC auditor uses. Suppose the prefunding screen is convertible into a technological solution, which thereby effectuates a means to identify loan origination risks. In that case, your list of Red Flags will grow and change over time. 

For instance, here are just a few such tools: fraud detection systems; investors’ software, such as Fannie Mae’s CU; and digital applications and proprietary tools for scrubbing internal data. Using tools such as these to identify Red Flags and elevated risk can be helpful in determining the loans that the QC auditor should sample. Other tools exist that may also be helpful, but to ensure you are selecting the best tools for your organization, you should develop a method for selecting, testing, and monitoring the efficacy of the tools you use. 

For a long time, I have heard of QC companies that provide their version of automated QC auditing, including color-coded tabs, all manner of interactive feedback, online transactions, digitized metrics, and supposedly automatic QC auditing at the loan level. Let me tell you a fact: automated risk and data-screening tools complement but do not replace a comprehensive prefunding QC program. My firm uses advanced technology for QC auditing of client files, and we audit thousands of files a year, but we never rely solely on a system solution to replace our prefunding or post-closing QC reviews. 

We always provide human analysis to prefunding and post-closing QC audits. No matter how sophisticated the automated tool is, it can fail or have gaps. If you plan to install logic that gleans prefunding QC findings in particular, you must continuously monitor for results that may reveal deficiencies while also highlighting new logic for tool enhancements and improvements. False positives can turn up in automated solutions, and there goes efficiency – along with the possibility of canceling a viable loan! Adjustments to testing parameters must be considered to ensure the proper balance between defect identification and false positives. In any event, you should continue to think of ways the tool can fail and how to fill those gaps operationally. 

If automated hard stops are not possible, implement a funding condition or post-funding review process to ensure loans with unresolved eligibility, compliance, or fraud flags do not get delivered to investors. Inevitably, some of these alerts become Red Flags that may be specific to your loan products, complexity, origination channels, geographic areas, and loan originator relationships (i.e., retail, wholesale). You should ensure that any automated tool is customized for your company’s desired controls before its use. And reject out-of-the-box settings that do not align with your organization’s unique risks. 

You do not mention the correlating action that should be taken when a Red Flag is triggered. That must be built into a system solution, with clear escalation paths for when the tool identifies flags or alerts, including individual management authorities and a sequence of escalation. It is essential that reporting, evaluation, and oversight of digitized system solutions, such as I have described above, are independent of the origination and underwriting staff. 

A final word about the “checkbox” approach to Red Flags triggered by prefunding or post-closing QC: the output of your tools should promote action that reduces a “check the box” approach. This may seem counterintuitive, but if the tool operates efficiently, it should constantly update and integrate its analytics. Therefore, your IT should consider integrating your tools into the loan origination system. Integration creates a basis for strategic loan selections and system hard stops for loans with defined eligibility, compliance, or fraud flags.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group