Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 6, the Department of Veteran’s Affairs (VA) Office of the Inspector General (OIG) issued a report concluding that the VA improperly charged exempt veterans VA home loan funding fees. According to the OIG, from 2012 through 2017, the VA charged approximately 72,900 exempt veterans around $286.4 million in funding fees, which represents 3 percent of the total amount of funding fees collected during that time. The OIG reports that, while the Certificate of Eligibility (COE) that the VA produces is intended to assist lenders in identifying the exempt veterans, “many COEs reflected an outdated, incorrect, or missing exemption status resulting in veterans being incorrectly charged a funding fee.”
Additionally, the OIG found that the VA does not have a policy in place to identify and issue refunds for inappropriate funding fee charges. Currently the VA relies on the veterans to contact the VA and file a claim for a refund, although the VA has not published a standard form for the request. Based on the findings, the OIG recommends that the VA develop a plan to (i) identify exempt veterans who were inappropriately charged funding fees and issue refunds; (ii) create system enhancements or procedural changes that minimize inappropriate funding fee charges; (iii) conduct periodic reviews to identify exempt veterans charged funding fees from January 1, 2018, forward and issue refunds in a timely manner; and (iv) consistently obtain documentation and verify lenders apply the funding fee refunds to loan balances in a timely manner.
On April 16, the FDIC’s Office of Inspector General (OIG) released its Special Inquiry Report—“The FDIC’s Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches”—which contains findings from an examination of the FDIC’s practices and policies related to data security, incident response and reporting, and Congressional interactions. The Special Inquiry Report is the culmination of a request made by the former Chairman of the Senate Committee on Banking, Housing, and Urban Affairs in 2016, and focuses on the circumstances surrounding eight information security incidents that occurred in 2015 and 2016—seven of which involved personally identifiable information and constituted data breaches. An eighth incident involved the removal of “highly sensitive components of resolution plans submitted by certain large systemically important financial institutions without authorization” by a departing FDIC employee.
According to the report, the OIG asserts that, among other things, the FDIC failed to (i) put in place a “comprehensive incident response program and plan” to handle security incidents and breaches; (ii) clearly document risk assessments and decisions associated with data incidents; (iii) fully consider the range of impacts on bank customers whose information was compromised; (iv) promptly notify consumers when an incident occurred and did not adequately consider notifications as a separate decision from whether it would provide credit monitoring services; (v) for at least one incident, failed to convey the seriousness of the breach; and (vi) provide timely, accurate, and complete responses to Congressional requests to gather information about how the agency was handling the incidents.
As a result of these findings, the OIG presented recommendations and timeframes for the FDIC to “address the systemic issues.” Recommendations include: (i) clearly defining roles and responsibilities within the FDIC Breach Response Plan, and establishing procedures “consistent with legal, regulatory, and/or operational requirements for records management”; (ii) establishing a separation between consumer breach notifications and the offer of credit monitoring services; (iii) adhering to established timeframes for reporting incidents to FinCEN when suspicious activity report information has been compromised; (iv) conducting an annual review of the Breach Response Plan to confirm that that the guidance has been consistently followed during the preceding year; (v) developing guidance and training to ensure that employees and contractors are fully aware of the legal consequences of removing any sensitive information from FDIC premises before they depart; (vi) ensuring that FDIC policies, procedures, and practices result in complete, accurate statements and representations to Congress, and updating and correcting prior statements and representations as necessary; (vii) clarifying “legal hold policies and processes”; and (viii) specifying that the Office of Legislative Affairs is responsible for “providing timely responses to Congressional requests and communicating with Congressional staff regarding those requests.”
The FDIC concurred with the recommendations and has completed corrective actions for two, with plans to address the remaining recommendations between June and December of this year. The FDIC has also agreed to keep the OIG informed of the progress made to address the identified performance issues.
On December 6, the FDIC’s Office of Inspector General (OIG) released an evaluation report to examine how the agency implements certain consumer protection rules concerning consumers’ ability to repay mortgage loans and limits for loan originator compensation. The OIG report, FDIC’s Implementation of Consumer Protection Rules Regarding Ability to Repay Mortgages and Compensation for Loan Originators (EVAL-18-001), focused on the FDIC’s Division of Depositor and Consumer Protection (DCP), which is responsible for implementing the Ability to Repay/Qualified Mortgage (ATR/QM) and Loan Originator rules and tracking violations of the rules. The report found that the DCP “incorporated these rules into its examination program, trained its examiners, and communicated regulatory changes to FDIC-supervised institutions.” However, based on a sample of 12 examinations, the OIG also determined that examination workpapers generally needed improvement, finding (i) inconsistent documentation by examiners on decisions to exclude compliance testing for the ATR/QM and Loan Originator rules, and (ii) in certain circumstances, incomplete, incorrect, or improperly stored examiners’ workpapers, “which would preclude someone independent of the examination team from fully understanding examination findings and conclusions, based on the workpapers alone.”
OIG further noted that, because DCP’s examination practices did not include tracking the number of institutions subject to the rules or recording how frequently examiners tested for compliance, any identified variances among the FDIC’s six regional offices could not be assessed for significance due to lack of context.
As a result of these findings, the OIG made several recommendations for the DCP to strengthen its compliance examination process, including:
- “research potential reasons for the regional variances in the number of rule violations by banks in the FDIC’s six regional offices”;
- “track the aggregate number of FDIC-supervised institutions in each region that are subject to the rules”;
- “track how often examiners test for compliance with the rules”; and
- ‘‘take steps to improve workpaper documentation and retention.”
The DCP agreed to implement these recommendations June 30, 2018.
HUD IG Blames Ginnie Mae for Inadequate Supervision; HUD IG Concludes HUD Did Not Follow Requirements When Forgiving Debts
On September 21, the HUD Inspector General (IG) released an audit report of Ginnie Mae’s oversight of nonbanks in the mortgage servicing industry. The report found that Ginnie Mae did not adequately respond to the growth in its nonbank issuer base; a base, the report notes, that tends to have more complex financial and operating structures than banking institutions. The IG found, among other things, that Ginnie Mae may not be prepared to identify problems with nonbank issuers prior to default, requiring additional funds from the U.S. Treasury to pay back investors in the event of a large default.
On the same day, the IG also announced a report which found that HUD did not always follow applicable requirements when forgiving debts and terminating debt collections. The report determined that HUD’s review process for evaluating debt forgiveness or collection termination was not thorough enough to ensure that statutory, regulatory, and policy requirements associated with this process were met—such as ensuring DOJ approval was obtained when required.
OIG Report: Potential for Improvement Within CFPB Examiner Commissioning and On-the-Job Training Programs
On September 20, the Office of Inspector General (OIG) for the CFPB issued findings in a report entitled The CFPB Can Enhance the Effectiveness of Its Examiner Commissioning Program and On-the-Job Training Program (the Report) stemming from an evaluation to assess the Bureau’s effectiveness when designing, implementing, and executing these two programs.
Examiner Commissioning Program (ECP). The Report found that, despite efforts to enhance the program since it began in 2014, the CFPB's Supervision Learning and Development Division (SL&D)—which is responsible for examiner training—presented several areas in need of improvement, including: (i) where examiners appeared to pursue commissioning before being fully prepared or required multiple attempts to pass commissioning components, which in turn affected the number of examiners available for examinations; (ii) where examiners commenced components of the ECP, despite inadequate training, developmental opportunities, or exposure to certain internal processes; (iii) findings that SL&D lacked a formal method for evaluating and updating the ECP, thus reducing opportunities to identify potential areas for improvement; (iv) inconsistent delivery of ECP requirements to prospective employees; and (v) a lack of clarity on when the start of the five-year time requirement begins for examiners trying to obtain their commissioning, which can create the risk of examiners moving through the ECP before being ready.
On-the-Job Training Program (OJT). The OIG also identified areas for improvement in the CFPB’s implementation of the OJT program. Specifically, the OIG found that due to inconsistent implementation of the OJT program, examiners are unable to clearly understand the program’s requirements and expectations.
Recommendations. The OIG presented the following recommendations: (i) issue guidance documenting an examiner’s readiness, including recommendations from regional management; (ii) update ECP guidance to better prepare examiners in understanding the program’s requirements, including the starting point of the five-year requirement; (iii) implement a formal method to evaluate the ECP program; (iv) develop guidelines for applicants of the ECP program; and (v) reassess the OJT program timeline for module development, communicate guidelines effectively at all regional offices, and develop guidelines for OJT program expectations.
On July 14, the HUD Office of Inspector General (HUD-OIG) published a report on HUD’s rulemaking process for its single-family note sales program, now referred to as the Distressed Asset Stabilization Program (DASP), under which HUD has sold more than 108,000 notes with over $18 billion in unpaid principal balances. According to the report, HUD-OIG conducted an audit to determine whether HUD adhered to open public rulemaking requirements when it implemented the program. The report concluded that while HUD issued an advance notice of proposed rulemaking in 2006, it did not finalize the comment process or prepare the program for a final rule. The report further stated that there was a lack of formal guidance and procedures for the program, stating that “[s]ince its inception, HUD has issued 31 enhancements, or changes, to its single-family note sales program . . . [but does not have] a handbook or guidebook that establishe[s] its formal requirements or policies for the administration of the program.”
As a result, HUD-OIG recommended that HUD (i) “[c]omplete the rulemaking process for [its] single-family note sales program,” and (ii) “[d]evelop and implement formal procedures and guidance for the note sales program.”
Treasury Audit Report Analyzes Responses to Threats by Office of Terrorist Financing and Financial Crimes
On May 23, the Treasury Department’s Office of Inspector General issued an audit report presenting the results of its study into how, and to what extent, the Treasury’s Office of Terrorist Financing and Financial Crimes (TFFC) addresses threats to international financial systems. The OIG reviewed TFFC—which is responsible for leading and assisting tasks forces, including the Anti-Money Laundering Task Force—to determine how its collaboration efforts with the national security community and other federal agencies identifies and addresses “threats to the international financial system from money laundering and other forms of illicit finance.” According to the findings, while the majority of federal agency officials interviewed for the report were satisfied with TFFC’s collaboration efforts overall, others believed enhanced collaboration efforts were warranted. The OIG also found that TFFC failed to establish “policies or procedures for collaboration or a mechanism to monitor, evaluate, and report the results of its collaborative efforts as recommended by the Government Accountability Office” in a 2009 report. Accordingly, the OIG recommended that TFFC develop and improve upon the necessary policies and procedures needed to monitor the effectiveness of “interagency collaboration,” as well as address areas of concern regarding collaboration efforts with foreign countries. TFFC agreed with these recommendations and stated it is currently working to improve interagency collaboration.
On May 15, the Office of Inspector General for the Consumer Financial Protection Bureau issued findings in a report entitled The CFPB Can Improve Its Practices to Safeguard the Office of Enforcement’s Confidential Investigative Information (the Report), stemming from an evaluation to determine whether the Bureau has effective controls to manage and safeguard access to Confidential Investigative Information (CII). The Report found that the Bureau’s practices could be improved. According to the findings, the Bureau’s Office of Enforcement (Office) allowed 113 unique users to have access to databases in which there was CII—which may include personally identifiable information—about companies that were subject to reviews by enforcement staff. Of those 113 users, 72 were still employed by the CFPB but did not have a need for access to that information, the report said.
Specifically, the OIG determined users continued to have access to at least one electronic application when it was no longer relevant to the performance of the users’ assigned duties. The OIG also cited instances of improper handling and safeguarding of sensitive information and inconsistent naming conventions for matters across its four electronic applications and two internal drives, which impeded the Office’s ability to verify, maintain, and terminate access to files. The OIG noted in the report that during its assessment the Office took several steps to correct these issues.
The OIG presented the following recommendations: (i) enhance practices for managing access rights to matter folders; (ii) improve the handling of printed sensitive information; and (iii)establish a standard naming convention for electronically stored information.
HUD Issues Restated Consolidated Financial Statements for 2016 and 2015 Correcting $520 Billion in Errors
On March 1, HUD-OIG issued an Independent Auditor's Report (Auditor’s Report) (2017-FO-0005) on HUD’s fiscal years 2016 and 2015 (Restated) consolidated financial statements. The Auditor’s Report—issued in accordance with the Chief Financial Officers Act of 1990—revealed, among other things, eleven “material weaknesses,” seven “significant deficiencies,” and five “instances of noncompliance” with applicable laws and regulations. Each of these findings related to what the auditor described as HUD’s “inability to establish a compliant control environment, implement adequate financial accounting systems, retain key financial staff, and identify appropriate accounting principles and policies.” The dollar amount of errors corrected in HUD’s 2016 and 2015 notes and consolidated financial statements were $516.4 billion and $3.4 billion, respectively. The Auditor’s Report further noted that there were several “unresolved audit matters,” which “restricted [the auditor’s] ability to obtain sufficient, appropriate evidence to express an opinion. Based on these observed issues, the Auditor’s Report recommended, among other things, that HUD (i) reassess its current consolidated financial statement and notes review process to ensure that sufficient internal controls are in place to prevent and detect errors; (ii) evaluate the current content of HUD’s consolidated note disclosures to ensure compliance with regulations and GAAP; and (iii) develop a plan to ensure that restatements are properly reflected in all notes impacted.
Testimony before the House Subcommittee on Transportation, Housing and Urban Development. On March 16, shortly after the Restated Financial Statements and Auditor’s Report were released, David A. Montoya, Inspector General of HUD, testified before the House Subcommittee on Transportation, Housing and Urban Development, and Related Agencies concerning, among other things, “HUD’s inability to maintain an effective financial management governance structure, which [the OIG has] reported on for the last 3 years and which contributed to [the OIG’s] issuing disclaimers of opinion as part of [their] annual audits of HUD’s financial statements.”
- A link to an archived webcast of Hearing can be accessed here.
- A copy of the Inspector General’s Testimony before the House Subcommittee on Transportation, Housing and Urban Development can be accessed here.
A copy of the Inspector General’s October 2016 Statement Summarizing the Major Management and Performance Challenges Facing HUD for Fiscal Year 2017 and Beyond can be found here.
On April 11, the Office of Inspector General (OIG) for the Fed and the CFPB published its Strategic Plan 2017–2020, providing an overview of the OIG’s organizational objectives for the next four years, as well as the indicators it will use to measure its performance as the “trusted oversight organization” of the Fed and the CFPB. According to a “Message From the Inspector General,” the Strategic Plan, is “the culmination of an extensive process that included a thorough functional assessment and organizational review of the OIG,” as well as an “extensive rebranding initiative.” The plan notes, among other things, that in order to “effectively engage all [its] stakeholders,” it is important that the OIG “successfully communicate [its] mission,” and “timely and effectively communicate [its] results.”
- APPROVED Webcast: Introducing Mogy — APPROVED’s licensing technology solution
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Christopher M. Witeck and Moorari K. Shah to discuss "The latest in vendor management regulations" at a Mortgage Bankers Association webinar
- Buckley Webcast: Hot topics in debt collection — An analysis of recent federal FDCPA litigation
- Jonice Gray Tucker to discuss "How to succeed in law school" at the SEO Law DC Panel Discussions
- Amanda R. Lawrence to discuss "Navigating the challenges of the latest data protection regulations and proven protocols for breach prevention and response" at the ACI National Forum on Consumer Finance Class Actions and Government Enforcement
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference