On July 31, Maryland’s secretary of state provided updated guidance regarding the waived in-person notarization requirement as part of the state’s Covid-19 response. The guidance provides requirements for performing remote notarizations, lists remote notary vendors, and provides a brief set of FAQs pertaining to remote notary practices in general. The temporary waiver of the in-person notarization requirement was ordered by Governor Hogan on March 30, and is set to expire when the declared state of emergency lifts.
On March 26, the Indiana secretary of state posted a statement providing that there are currently no approved remote notary technology vendors. Individuals are encouraged to check the announcement regularly as the secretary of state is working on approving vendors.
The CFPB recently issued a Request for Information (RFI) seeking vendor feedback on the agency’s consideration of establishing a web-based system that would require nonbank financial institutions to register with the CFPB. The RFI outlines the potential registration system’s capabilities and services, noting that nonbank financial institutions would use it to “apply for, amend, update, or renew a registration online using a single set of uniform applications.” In addition to other data gathering components, the potential registration system may be used for the collection of financial, operational, and organizational structure data. Responses from technology system vendors were due on July 29, 2016, with a disclaimer that the RFI was not “to be construed as a commitment that the CFPB will propose a rulemaking on the registration of nonbank financial institutions or that the CFPB will propose any specific system requirements.”
With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.
In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:
- Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
- Reviewing the service provider’s policies, procedures, internal controls, and training materials
- Including clear expectations in written contracts
- Establishing internal controls and on-going monitoring procedures
- Taking immediate action to address compliance issues
Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.
The Risk Management Lifecycle and Best Practices
The CFPB is but one of many agencies that have circulated vendor management guidance. Other federal prudential regulators—most notably the Office of the Comptroller of the Currency—have developed regulatory guidance describing a “lifecycle” for oversight of third parties that supervised institutions are expected to follow. The risk management lifecycle of a service provider relationship consists of:
- Planning/risk assessment
- Due diligence and service provider selection
- Contract negotiation and implementation
- Ongoing relationship monitoring
- Relationship termination/contingency plans
Supplemented by enhanced risk management processes, including meaningful involvement by the Board of Directors and extensive monitoring of performance and condition, the new framework for oversight of third parties can present both cost and operational challenges for all institutions. Financial institutions would be prudent to implement the following best practices into their vendor management procedures, among others:
- Staffing sufficiently to ensure that service providers are properly monitored
- Incorporating Board and senior executive involvement throughout the process
- Documenting their efforts at every stage of the lifecycle
On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”
On July 21, the CFPB announced a nearly $700 million settlement against a leading financial institution and its subsidiaries. According to the consent order, the Bureau alleges that the entities engaged in deceptive marketing, billing, and collection practices related to various credit card ancillary products, including debt protection and credit monitoring services. Specifically, the Bureau alleges that the institution’s or its vendors’ marketing practices, consisting of telemarketing calls, online enrollment, point-of-sale application, and direct enrollment at retailers, misled consumers into enrolling for certain ancillary products. The Bureau further alleges that, in some instances, telemarketers failed to accurately disclose the cost and fees associated with the ancillary products. With respect to the unfair billing allegations, the Bureau contends that the institution or its vendors improperly charged consumers, without authorization, for services that were not rendered, and failed to provide full product benefits of the services marketed to consumers. In addition, the Bureau alleges that the institution misrepresented payment fee information to consumers by failing to disclose the actual purpose of the fee associated with making payments by phone on delinquent credit card accounts. Under terms of the settlement, the institution and its subsidiaries agreed to (i) provide $479 million in consumer relief related to its marketing practices; (ii) pay roughly $220 million in restitution related to its payments collection practices and for consumers not receiving the full benefits of services promised; and (iii) pay a $35 million civil money penalty.
In a parallel enforcement action, the OCC imposed a separate $35 million civil money penalty against the institution for engaging in similar practices, and required the institution to strengthen its oversight of third-party vendors and develop a comprehensive risk management program for ancillary products marketed or sold by the bank.
Today, the CFPB filed proposed consent orders against two credit card add-on product vendors for allegedly billing consumers for credit monitoring and identity theft protection services they did not receive. Under the proposed consent orders, one vendor will provide nearly $7 million in restitution to the holders of approximately 73,000 accounts, and pay a $1.9 million civil money penalty. The other vendor will provide almost $55,000 in restitution to consumers who were incorrectly billed for identity theft or credit monitoring services, and pay a $1.2 million civil money penalty. The Bureau specifically noted that today’s announcement is the “first time the Bureau has brought actions directly against the companies” that market or administer ancillary products.
On June 19, the OCC released recent enforcement actions taken against national banks, federal savings associations, and individuals currently or formerly affiliated with national banks and federal savings associations. Among the actions was the issuance of a consent order for a civil money penalty against a national bank for allegedly violating the Federal Trade Commission Act. During its investigation, the OCC discovered deficiencies relating to the bank’s billing and marketing practices, specifically with regard to identity protection and debt cancellation products. According to the consent order, since April 2004, the bank, along with an identity protection product vendor, marketed and sold various types of identity theft protection products to its customers. Before customers could access the credit monitoring service of the identity theft product, they “were required to provide sufficient personal verification information and consent before their credit bureau reports could be accessed.” However, the OCC found that the vendor (i) billed the bank’s customers the full fee for the products, even if they were not receiving all of the credit monitoring services; (ii) billed the customers prior to receiving the customers’ information and consent and establishment of credit monitoring; and (iii) failed to ensure that customers received electronic benefit notifications. The bank retained a portion of the fees that the customers paid. Additionally, the bank’s vendors incorrectly informed customers during telemarketing calls that only one of the products offered had the ability to access identity protection benefits electronically. As a result, some customers purchased the more expensive Enhanced Identity Theft Protection, as opposed to the less expensive Identity Theft Protection, under the mistaken belief that this was the only way they could access the product’s benefits online. 
Finally, the OCC also alleged that, from August 2005 through November 2013, the bank’s debt cancellation product vendor’s billing practices, which posted recurring payments on the same day of the month regardless of the payments’ due dates, resulted in some customers paying recurring late fees. The bank will pay $4,000,000 to resolve the OCC’s allegations.
Illinois AG Madigan Announces $1 Million Settlement Regarding Company's Management of Foreclosed Properties
On June 3, Illinois AG Madigan announced a $1 million settlement with an Ohio-based company that mortgage lenders hire to manage properties throughout the foreclosure process and ensure that the properties retain their value. The settlement resolves a 2013 lawsuit by Madigan that alleged that the company wrongly deemed homes vacant, and instructed its contractors to shut off utilities, change the properties’ locks and illegally remove residents’ personal belongings even though they actively remained in their homes. Under the settlement, the company agreed to overhaul its business practices by using objective standards to ensure that homes are vacant, such as: (i) requiring its inspectors to support their inspections with photographs and an affidavit; (ii) posting notice to the occupant that the property has been deemed vacant; (iii) not misrepresenting the occupants’ rights to stay in their home, even if they are behind on their mortgage payments and in foreclosure; (iv) increasing its oversight and quality control of its subcontractors; (v) providing consumers with access to a 24-hour hotline for submitting complaints; and (vi) unless the company obtains a court order, not removing any personal property prior to foreclosure.
In addition to the $1 million agreement, which will be paid in restitution to consumers who filed complaints with respect to the company’s business practices, the company agreed to adhere to ongoing monitoring by Madigan’s office to ensure compliance with the settlement.
Spotlight on Vendor Management: Mortgage Industry Continues To Bear Brunt of CFPB Regulatory Burdens
Mortgage industry players have had to adapt quickly in recent years to the evolving regulatory environment, and the latest scramble for mortgage lenders includes the various downstream effects of pending rule changes set to take effect on August 1, 2015, related to disclosures required under the implementing regulations of the Truth-in-Lending Act (“TILA”) and the Real Estate Settlement Procedures Act (“RESPA”). A critical factor to successful implementation of this historic set of rule changes, known as the TILA-RESPA Integrated Disclosure (“TRID”) rule, is coordinating with various vendors to address new timing and information requirements for Loan Estimates and Closing Disclosures, which are creating project management nightmares for mortgage professionals growing weary of the regulatory onslaught of revised regulations and enforcement actions.
“Despite the relative speed with which many companies have adapted to various rule changes since the CFPB came online, there seems to be a new rule change waiting in the wings at almost every turn,” observed Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “To make matters worse, managing service providers through the changes has undoubtedly tested the strength of deep industry relationships that have been in place for decades.”
Synchronizing TRID-related changes with third party mainstays throughout the origination and closing processes has required extensive planning with mortgage brokers, software vendors, title companies, and closing agents, all of whom play a significant role in ensuring that Loan Estimates and Closing Disclosures (and any revisions thereto) are delivered to borrowers in an accurate and timely fashion. Importantly, as the CFPB has made clear repeatedly in stating its vendor management expectations, the mortgage lender will bear primary responsibility for any failure to comply with the new TRID rules, regardless of whether such failures are the result of vendor missteps.
“There is a lot of concern that vendors and various critical third parties will not be up to the task,” notes Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “As a result, we are seeing a number of companies revising service provider contracts in an effort to have better visibility and control over the end-to-end process of loan origination.”
While many will sweat through the summer months in hopes of a flawless transition, TRID represents just the latest vendor management test for an industry that has already perspired through plenty. McGinn and Shah also recommend that legal and compliance personnel take note of recent guidance and enforcement actions which raise vendor management issues specific to the mortgage industry, including oversight of (i) mortgage servicers, (ii) mortgage advertising companies, and (iii) relationships between loan officers and title companies.
Among the most difficult adjustments companies have had to make has been increased oversight of mortgage servicers, which continues to consume considerable compliance resources and expense. Regulators are focused in particular on ensuring that servicers (i) have instituted policies and procedures consistent with new regulations and guidance, and (ii) comply with collections and credit reporting requirements:
- Under the revisions to Regulation X that took effect in January 2014, the CFPB may now cite an institution for failure to maintain policies and procedures reasonably designed to, among other things, facilitate (i) ready access to accurate and current documents and information reflecting actions taken by service providers, and (ii) periodic reviews of service providers. See 12 C.F.R. § 1024.38(b)(3). The Bureau explained at the time it proposed § 1024.38(b)(3) that the new regulation was designed to address evaluations of mortgage servicer practices that had found that some major servicers “did not properly structure, carefully conduct, or prudently manage their third-party vendor relationships,” citing deficiencies in monitoring foreclosure law firms and default management service providers as key examples. Going forward, the CFPB expects that servicers seeking to demonstrate that their policies and procedures are reasonably designed to achieve these objectives will demonstrate that, in fact, the servicer has been able to use its information to oversee its service providers effectively.
- The compliance burdens on servicers are also evident in the latest CFPB guidance on mortgage servicing transfers. Bulletin 2014-01, Compliance Bulletin and Policy Guidance: Mortgage Servicing Transfers, was issued August 19, 2014, and outlines a number of CFPB expectations of servicers in connection with the transfer of mortgage servicing rights, including potentially preparing and submitting informational plans to the Bureau describing how the servicers will be managing the related risks to consumers. In this regard, a primary focus of Bulletin 2014-01 is signaling that the CFPB is committed to enforcing the new servicing transfer rules under RESPA, which require servicers to, among other things, maintain policies and procedures that are reasonably designed to achieve the objectives of facilitating the transfer of information during mortgage servicing transfers and of properly evaluating loss mitigation applications.
- It should come as no surprise that one of the primary vendor management implications of the evolving regulatory requirements described above is that ongoing compliance will likely require most mortgage servicers to dedicate significantly more financial and human resources. However, the cost of non-compliance can be substantially more devastating. Consider the troubles of one of the largest nonbank servicers that entered into a $2 billion settlement with the CFPB, authorities in 49 states, and the District of Columbia under a joint enforcement action in December 2013 over allegations related to charging customers unauthorized fees, misleading customers about alternatives to foreclosure, denying loan modifications for eligible homeowners, and sending robo-signed documents through the courts during the foreclosure process. Just one year later, in December 2014, the same servicer entered into a $150 million settlement with the New York Department of Financial Services in connection with allegations of mishandling foreclosures, abusing delinquent borrowers, and failing to maintain adequate systems for servicing hundreds of billions of dollars in mortgages. In each consent order, the failure to maintain reasonable policies and procedures and engage in appropriate vendor oversight was highlighted as a finding by the regulators.
- In addition to ensuring that mortgage servicers are implementing adequate policies and procedures with respect to vendor oversight, federal agencies have also been attentive to debt collection and credit reporting practices of mortgage servicers. A joint enforcement action by the FTC and CFPB in April of this year was critical of the servicer, in part, for allegedly (i) threatening arrest and imprisonment to consumers that were behind on payments and placing collection calls outside of the daily call window permitted under the Fair Debt Collection Practices Act (15 U.S.C. 1692 et seq.), and (ii) furnishing inaccurate credit information to consumer reporting agencies in violation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) even after consumers indicated that they had reported the inaccuracies to the servicer. The servicer agreed to a $63 million settlement with the FTC and CFPB to resolve the matter.
Mortgage Advertising Companies
The CFPB has taken direct aim at deceptive mortgage advertisements in 2015, particularly those that imply an affiliation with programs offered by the U.S. government. At least a handful of enforcement actions have been announced by the Bureau during the first half of the year, including a simultaneous announcement in February against three private mortgage lenders that sent mailings simulating notices from the U.S. government despite the fact that none of the companies had any connection to a government agency. In bringing these actions, the CFPB made note of the customary practice of mortgage brokers and mortgage lenders to hire marketing companies to produce advertisements for mortgage credit products:
- In the two matters that resulted in consent orders (n.b., the third matter is still pending), the CFPB compelled the companies to (i) pay a civil monetary penalty for which they could not seek indemnification from any of the marketing companies that assisted with producing the advertisements, and (ii) carefully review henceforth any proposed marketing materials prepared by such marketing companies for compliance specifically with the Mortgage Acts and Practices Rule (Regulation N, 12 C.F.R. § 1014.3(n)), and the Dodd-Frank Act, which generally prohibits unfair, deceptive, or abusive acts or practices (12 U.S.C. §§ 5531(a), 5536(a)(1)(B)).
- In terms of vendor management, a key takeaway from these enforcement actions is that the CFPB expects mortgage lenders to take the same precautions with mortgage advertising companies as they are required to do with any other service provider that interacts with customers, inclusive of appropriate due diligence and oversight. Treating mortgage advertising companies as service providers has taken some in the industry by surprise as such companies have generally been viewed as marketing partners rather than service providers for mortgage brokers and lenders, and often receive a marketing fee for any advertisement that yields a new origination. Note also that the general expansion of third parties that qualify as “service providers” under Dodd-Frank is in keeping with various CFPB enforcement actions taken against ancillary and add-on product providers in the credit card and auto finance industries.
Relationships Between Loan Officers and Title Companies
Another area of focus for the CFPB has been referrals made by loan officers to title companies in exchange for cash and marketing services:
- In April of this year, the CFPB joined forces with the Maryland Attorney General to take action against several loan officers for their alleged participation in steering title insurance and closing services to a title company in exchange for the loan officers’ receipt of marketing services and cash from the title company. The consent orders, in addition to outlining RESPA violations which prohibit the giving of a “fee, kickback, or thing of value” in exchange for a referral of business related to a real estate settlement service (12 U.S.C. § 2607(a)), barred each of the loan officers from the mortgage industry for a period of years. The April announcements were follow-on enforcement actions to ones that the CFPB had announced in January against two large banks stemming from allegations that the banks’ loan officers had participated in similar schemes with the same (now defunct) title company.
- The potential for RESPA violations presents another compliance challenge for mortgage lenders to increase their oversight of not only third party title companies, but also the lender’s own loan officers that may be engaged, wittingly or unwittingly, in potentially illegal activity. In addition to enhanced RESPA training for loan officers and title companies, mortgage lenders may need to increase their monitoring and auditing activities of interactions between loan officers and title companies to further mitigate the risk of RESPA violations.
Note: This article previously appeared in the June 12, 2015, issue of Mortgage News Daily.