Tuesday, December 1, 2015

Ten Core Competencies in a Compliance Management System

President & Managing Director
Lenders Compliance Group

In my view, there are ten core competencies to implementing a Compliance Management System, often referred to by its acronym CMS. The Consumer Financial Protection Bureau requires it, state regulators are now asking for it, and investors want assurance of its application.

I have written extensively about the CMS concept and its importance in mortgage risk management. For instance, see my article on Creating a Culture of Compliance. Also, other articles here. When I speak on the subject, it is often the case that some in the audience actually have no idea about what constitutes the CMS. They think it is no more than a compilation of policies and procedures. But, the fact is that a viable CMS is composed of several integral features, each of which contributes to the cohesiveness of the whole compliance function.

Here’s a brief synopsis of the Ten Core Competencies that should inform a CMS:

1) Loan portfolio, secondary and capital market management processes, mortgage servicing.

2) Loan flow process, from point of sale to securitization or secondary market transaction.

3) Internal Audit and Control Plan, including calendrical reviews, reporting protocol, rank and file training in all departments, and testing.

4) Consumer disclosures, all loan types, federal and state.

5) Mortgage quality control, not only random sampling, but proactive audits that target criteria.

6) Record retention and maintenance, securing against unauthorized alteration or destruction.

7) Marketing and advertising, including use of third-party services.

8) Vendor, settlement agent, closing agent, and third-party vetting and approvals.

9) Safeguards for privacy protection of consumer records and information.

10) Reporting mandates to agencies, both federal and state, investors, and third-party relationships.

The compliance framework is built on the foregoing competencies. Destabilize one of them and it is possible that the others will crash like a tottering stack of cards!

Also, it should be noted that there is a growing expectation amongst regulators for a residential mortgage lender or originator to have a business continuity plan.

It is not necessary to consolidate all compliance policies and procedures into a single document. Nor does it require compliance managers to memorialize every action that must be taken in order to remain in compliance with federal and state banking law. In some cases, it may be enough for the compliance policies and procedures to allocate responsibility within the organization for the timely performance of many obligations, such as the filing or updating of required forms.

However, observed instances in which compliance policies and procedures were not followed, or in which the actual practices were not consistent with the description in the compliance manuals, will likely lead to an adverse banking examination finding. Observed practices in areas that are required to be reviewed in accordance with specific regulations and in areas that include policies and procedures, but are not expressly required to be reviewed by regulations, will come under significant regulatory scrutiny.

What good is a compliance management system if it is not continually reviewed and, where needed, updated? In our work with new clients, we have found the following issues happening often:

· Critical areas not identified, thus certain compliance policies and procedures were not adopted.

· Policies were adopted, but were not applicable to the businesses and operations.

· Critical control procedures were not performed, or not performed as described in the CMS.

· Annual Review of the compliance function was rarely, if ever, implemented.

During examinations, an examiner may observe certain compliance weaknesses. But examiners review periodically, not continually, in most cases. The rest of the time, the residential mortgage lender or originator should be self-assessing the compliance programs in order to spot weaknesses, particularly with respect to identifying applicable mortgage compliance risks, and thereby ensure that the compliance management system encompasses all relevant business activities.

Monday, October 19, 2015

The CFPB's HMDA Strategy

President & Managing Director
Lenders Compliance Group

Last week on October 15th, the Consumer Financial Protection Bureau (“Bureau”) issued the Final Rule (“Rule”) of the Home Mortgage Disclosure Act (“HMDA”). The Rule is hundreds of pages long, providing numerous important changes to HMDA data collection and reporting requirements. Ostensibly, the Rule is meant to provide distinct means by which to determine fair lending analytics. However, as a practical matter, the data derived therefrom will likely lead to fair lending enforcement actions. I am preparing a thorough analysis of the Rule and will publish an article shortly on its mandates and implications.

By some estimates, the Rule doubles the amount of data collected from creditors and requires new reporting timing requirements. The Bureau may take the position that a more streamlined process is being implemented in order to obtain a much broader understanding of fair lending compliance, but a process that is extensively attenuated does not necessarily translate into actionable intelligence. It will take some time for lenders to learn how to manage the new data sets, prepare system solutions, and institute adequate training formats. Each of the foregoing will mean new, substantial investments in technology and human resources.

It is worth noting that the Dodd-Frank Act required the CFPB to update HMDA’s regulatory compliance mandates in areas such as race and gender of consumers. This initiative was based on expanding HMDA’s data collection from roughly 20 data points. Now the Rule, via Regulation C, the implementing regulation of HMDA, includes some 48 categories, including 25 new data sets and the modification of 14 existing ones.

As but one example, the new information requirements will cause creditors to provide the property value, the term of the loan, and the duration of any teaser or introductory interest rates. The other information to be collected that was not previously collected is considerable.

Although the compliance effective date for most of the new Regulation C requirements is January 2018, creditors will have to be very cautious in phasing in the entirety of the HMDA data collection process. For instance, the Rule should be reviewed for the new data points and data sets in order to prognosticate the impact on creditors’ fair lending initiatives. Consideration ought to be given to conducting a fair lending review not only with the current data points but also the Rule’s new data points. This may not ultimately be possible for most lenders, because existing review analytics do not actually have the technology yet to produce substantive findings. But, when such technology becomes available, such enhanced fair lending reviews should be considered as a proactive undertaking for the compliance function.

Just because the compliance effective date is months away does not mean that an endeavor toward building a rebuttable defense is futile. Litigation will come as the Rule is used by the Bureau, private plaintiffs, and other market participants to seek, respectively, enforcement and potentially large settlements. Once the new HMDA data is released, a fertile ground will be ready for fair lending litigation. Because of the huge number of data points and data sets, litigators will be in a position to allege patterns and practices involving discriminatory activity. Other information being collected, such as debt-to-income ratios, interest rates, and credit data would provide the bases for allegations of fair lending violations.

Friday, September 18, 2015

CFPB Enforcement Actions: Trends and Lessons

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

Sometimes, it is a good idea to use a chart to describe a relatively complex subject. One such chart that I keep involves noting the CFPB's administrative actions as they relate to the so-called mortgage industry. The exercise allows me to watch for a trend, perhaps gain a better understanding of the Bureau's concerns, and thereby bring that information to bear on the best ways to provide compliance support to our clients. Especially since the Bureau has been promulgating by Consent Order in some instances, I find a chart useful in allowing me to evaluate strengths and uncover weaknesses in the compliance management system of a financial institution.

Since announcing its first enforcement action in July 2012, the CFPB has claimed credit for generating nearly $9 billion in refunds, restitution and penalties during its pursuit of 90 publicly-announced enforcement actions, including 37 actions announced in 2015 (through July 20th). Of course, mortgage related actions are subsumed in the foregoing amount.

What I have noticed in the Bureau's enforcement actions in the period from January 2015 through June 2015 has helped to provide significant insights to our clients. Take a look at the chart below and see what patterns you can discern. 

For instance, a careful scrutiny of the consent decrees disproves the frequently voiced complaint that the Bureau bases its enforcement actions on broad and loose interpretations of its UDAAP authority and that, as a result, industry participants cannot anticipate the agency’s draconian application of the UDAAP provisions. Such a view is belied by the last column of the chart (entitled "Alleged Violations"): in most cases, the Bureau used other statutes and regulations as the basis for - and/or to support any UDAAP grounds for - its positions. The consent decrees usually contain considerable detail about the alleged violations, with more specific legal citations than appear in this chart.

A little known fact is the CFPB’s Supervision Office is about four times as large as its Enforcement Office. That is not to say that the enforcement staff is not involved in supervisory examinations as well as in determinations of supervisory policy. The message we should all get loud and clear is that each financial institution must be committed to ongoing implementation of the mortgage acts and practices. CFPB examinations are not the place to find out about deficiencies in operations or weaknesses in implementation. The trend is clear: the Bureau will be aggressive in its interpretation of statutory mandates available to it through all of its enumerated authorities.

CFPB Enforcement Actions: January-June 2015 – Mortgage Related *

| Company | Outcome | Topic (Alleged) | Alleged Number of Consumers Affected | Alleged Violations |
|---|---|---|---|---|
| Wells Fargo | $10.8MM in redress; $24MM penalty | Marketing services kickback scheme | | RESPA 8(a); D-F 1036; Md. Com. Law 13-101–13-501 |
| JPMorgan Chase | $300K in redress; $600K penalty | Marketing services kickback scheme | | RESPA 8(a); D-F 1036; Md. Com. Law 13-101–13-501 |
| NewDay Financial | $2MM penalty | Kickback scheme for referrals from veterans’ organization | Recipients of over 50MM solicitations | RESPA 8(a); D-F 1031 and 1036 |
| All Financial Services | Complaint filed; no settlement | Deceptive advertising misrepresenting U.S. government affiliation, regarding reverse mortgages | Recipients of 420,917 advertisements | Reg. N; D-F 1031 and 1036 |
| Flagship Financial Group | $225K penalty | Deceptive advertising misrepresenting U.S. government affiliation | Recipients of more than 1 million mailers | Reg. N; D-F 1031 and 1036 |
| American Preferred Lending | $85K penalty | Deceptive advertising misrepresenting U.S. government affiliation | Recipients of more than 100,000 mailings | Reg. N; D-F 1031 and 1036 |
| Green Tree Servicing, LLC | $48MM in restitution; $15MM penalty | Failure to honor in-process modifications, demanding payment before providing loss mitigation options, delayed decisions on short sales, harassment and threats, deceptive tactics to charge convenience fees | | FTC 5; FDCPA; FCRA; RESPA 6 and Regulation X; D-F 1031 and 1036 |
| Genuine Title and 6 individuals | $662,500 in redress and penalties; banning 5 individuals from mortgage industry; sixth person did not settle | Trading of cash and marketing services for mortgage loan referrals | Thousands (see related Jan. 22, 2015 settlements with JPMorgan Chase and Wells Fargo) | RESPA; D-F 1036; Maryland State statute |
| Provident Funding Associates | $9MM damages | Charging higher broker fees on mortgage loans to African-American and Hispanic borrowers | | Fair Lending Act; ECOA; |
| RPM Mortgage, Inc. and CEO | $18MM redress; $2MM civil penalty | Illegally paying bonuses and higher commissions to mortgage loan originators for steering consumers into costlier loans | | Reg. Z 1026.36(d)(1)(i); D-F 1036 |
| Guarantee Mortgage Corp. | $228K civil penalty | Paying branch managers based, in part, on interest rates charged on mortgage loans | | Reg. Z 1026.36(d)(1)(i); D-F 1036 |

* Typically without admitting or denying any findings of fact or violations of law.
© 2015 Lenders Compliance Group, Inc. All Rights Reserved.

Monday, August 31, 2015

Tolerance for Owner’s Title Insurance

Jonathan Foxx
President & Managing Director
Lenders Compliance Group

Given the stringent disclosure demands of Regulation Z, the implementing regulation of the Truth in Lending Act, sometimes there is confusion around the tolerances for owner’s title insurance. The confusion stems from a relatively basic feature of identifying whether it is required by the lender. That determination is operative to the effect on tolerances.

TRID continues and expands RESPA’s Regulation X general rule that the charges actually paid by or imposed on a consumer for certain settlement services and transfer taxes when the loan is closed may not exceed the amounts included on the early disclosures, with several exceptions. Like Regulation X, Regulation Z establishes tolerance categories limiting the permissible variations between the estimated amounts and the actual amounts: an unlimited variation category, a 10% category, and a zero percent category.

The amount disclosed on the Loan Estimate is considered in good faith (and in compliance with the regulation) if the actual charge does not exceed the estimated amount by the amount permitted by the applicable tolerance rule. Under TRID, estimates of fees for owner’s title insurance may fit into any of the three tolerance categories, according to the category’s criteria.

Let’s look at an outline of the tolerance categories and a chart.

Unlimited Tolerance

An estimate of a fee for owner’s title insurance for which the consumer was permitted to shop and which is paid to a provider the creditor did not identify on its written list of service providers falls within the unlimited tolerance category. A fee for owner’s title insurance not required by the creditor falls in the unlimited tolerance category, even if paid to an affiliate of the creditor.

10% Tolerance

If the creditor requires owner’s title insurance, allows the consumer to shop, and the provider is not the creditor or an affiliate of the creditor but is on the written list of settlement service providers, then the fee falls in the 10% tolerance category. A fee for required owner’s title insurance not paid to the creditor or an affiliate of the creditor, for which the consumer is permitted to shop beyond the list of settlement service providers, as disclosed on the list, falls in the 10% tolerance category (assuming the aggregate amount of charges does not exceed the 10% tolerance).

Zero Tolerance

A fee for owner’s title insurance required by the creditor for which the creditor does not allow the consumer to shop falls in the zero tolerance category.

All of the tolerance categories assume that the estimates are consistent with the best information reasonably available to the creditor at the time of disclosure.

This chart provides a brief outline of how tolerances are affected by fees:

Unlimited Tolerance
· Prepaid interest
· Property insurance premiums
· Amounts escrowed
· Charges paid to third-party service providers selected by the consumer (for which the consumer was permitted to shop) not on the creditor’s list of settlement service providers
· Charges for third-party services not required by the creditor (even if paid to affiliates of the creditor)

10% Aggregate
· Recording fees
· A third-party charge not paid to the creditor or an affiliate of the creditor and for which the creditor (a) permits the consumer to shop, (b) provides a list of settlement service providers, and (c) includes a disclosure that the consumer is permitted to shop (whether the consumer selects the provider from the list or does not choose the provider; if the consumer chooses a provider not on the list, then the fee would fall into the unlimited tolerance category)

Zero Tolerance
· All fees that do not fit into either of the preceding two categories

If a particular fee appears to fit into more than one category, it is entitled to be placed in the more tolerant category. For example, if owner’s title insurance is not required, and the consumer is allowed to shop and selects a third-party provider who is not the creditor or an affiliate of the creditor, the fee falls in the unlimited tolerance category whether or not the provider is on the creditor’s written list of settlement service providers.

Tuesday, August 25, 2015

“A” is for Abusive

President & Managing Director
Lenders Compliance Group

Financial institutions and other market participants have struggled to understand how the Consumer Financial Protection Bureau defines "abusive" conduct, but a series of enforcement actions has shown that the bureau intends to go beyond the terms of a loan contract to wield its broad and unique power.

Dodd-Frank poked the financial services industry with an expansion of an age-old acronym, acronyms being the mnemonic that enables us to remember dozens and dozens of mortgage acts and practices and their abundant, multifarious regulations. I have actually kept count of the acronyms involving residential mortgage loans, and by my tally the current number is a whopping 345 acronyms of various stripes and sizes.

In Dodd-Frank, a new word – and, therefore, a new letter – was added to Unfair or Deceptive Acts or Practices; that word being “Abusive,” which parachuted down and nudged itself disjunctively between “Deceptive” and “Acts.” So, the new term is Unfair, Deceptive, or Abusive Acts or Practices, and the acronym has asymptotically expanded from UDAP to UDAAP.

Back in July 2013,[i] the Bureau set forth a whole set of guidelines on UDAAP, some of which told us what we already know, some of it new, and some of which did not enlighten us at all. Amongst regulatory compliance nerds and cognoscenti the need for the word “Abusive” seemed like an arcanum for Dodd-Frank to prime the litigation pump.

Defining “Abusive” has been a task for the Bureau. Director Cordray has stated that figuring out what is and is not ‘abusive’ is “a little bit of a puzzle.” Reminds me of Justice Potter Stewart’s observation for an obscenity test in Jacobellis v. Ohio: “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description ["hard-core pornography"], and perhaps I could never succeed in intelligibly doing so. But I know it when I see it …”[ii]

When it comes to abusive conduct, we know it by the litigation it causes!

Going by the Bureau’s involvement in enforcement actions and litigation, it’s possible to draw some understanding – I reiterate, some understanding – of how the Bureau seems to set up certain criteria for pinpointing the potential dissymmetry between creditors and consumers. But the process is steadily and always evolving, meaning that Dodd-Frank requirements may be only a baseline threshold.

Let’s get this conundrum into the schematic that the Bureau actually derives mutatis mutandis from Dodd-Frank, with respect to determining various conditions as being ‘abusive.’ There are but four prongs, it would seem. Think of them as four sharp tentacles with deep claws. Or, like gangplanks: walk far enough out on them and you know what will happen!

Here they are, in brief: a financial institution "materially interferes" with consumers' ability to understand a product's terms or conditions; it "takes unreasonable advantage" of consumers' lack of understanding regarding a product's material risks, costs or conditions; it exposes consumers to the risk of inability to take steps to protect themselves; and last, but not least, it causes consumers to believe that the company is putting its interests above theirs.

Of such material are litigation and administrative settlements made!

You might think that the Bureau has clearly, concisely, and conspicuously defined what constitutes an abusive practice. You would be correct to think that, but wrong to conclude that there are guidelines to follow. The fact is the Bureau does have the authority to define abusive acts or practices. However, it simply has not done so to date.

Why? Because, quite obviously, by not defining abusive conduct the Bureau gains a significant advantage in enforcement and, by extension, in the ability to prevail in litigation. Perhaps it will define rules for abusive conduct eventually in the forthcoming rules that apply to debt collection and payday lending. But those rules are still in the hopper awaiting the Bureau’s annunciation.

That leaves divination and enforcement actions. Setting aside divining rods and other dowsing methodologies – though a double-blind study might yield the same outcome as any construal provided by the Bureau’s current, litigious consuetude – we might look to some enforcement actions as a guide.

For instance, using abusive conduct as leverage, the Bureau has obtained a $25 million settlement with PayPal. New York’s Department of Financial Services and the Bureau, working jointly, used abusive practices in their enforcement action against two pension advance companies. So there’s gold in them there hills!

CashCall and NDG Financial matters are good examples of enforcement at its finest. Both cases involved offshore, online payday lenders that offered loans in states where usury laws or interest rate caps made the loans illegal. Neither complaint has gone to trial yet. While many of the allegations in the cases are similar, the ways that the Bureau interpreted "abusive" are different.

In CashCall,[iii] the Bureau alleged that the company took “unreasonable advantage of consumers’ lack of understanding about the impact of applicable state laws on the parties’ rights and obligations” to recover the full amount of loans they obtained despite a lack of enforceability.

In NDG Financial,[iv] the Bureau used a broader reading of an ‘abusiveness standard,’ alleging that NDG “materially interfered” with consumers’ ability to understand that they were not required to repay the loans under state laws and took “unreasonable advantage” of consumers' lack of understanding by repeatedly telling borrowers they were exempt from state law.