Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Spotlight on Vendor Management: Mortgage Industry Continues To Bear Brunt of CFPB Regulatory Burdens
Mortgage industry players have had to adapt quickly in recent years to the evolving regulatory environment, and the latest scramble for mortgage lenders includes the various downstream effects of pending rule changes set to take effect on August 1, 2015, related to disclosures required under the implementing regulations of the Truth-in-Lending Act (“TILA”) and the Real Estate Settlement Procedures Act (“RESPA”). A critical factor to successful implementation of this historic set of rule changes, known as the TILA-RESPA Integrated Disclosure (“TRID”) rule, is coordinating with various vendors to address new timing and information requirements for Loan Estimates and Closing Disclosures, which are creating project management nightmares for mortgage professionals growing weary of the regulatory onslaught of revised regulations and enforcement actions.
“Despite the relative speed with which many companies have adapted to various rule changes since the CFPB came online, there seems to be a new rule change waiting in the wings at almost every turn,” observed Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “To make matters worse, managing service providers through the changes has undoubtedly tested the strength of deep industry relationships that have been in place for decades.”
Synchronizing TRID-related changes with third party mainstays throughout the origination and closing processes has required extensive planning with mortgage brokers, software vendors, title companies, and closing agents, all of whom play a significant role in ensuring that Loan Estimates and Closing Disclosures (and any revisions thereto) are delivered to borrowers in an accurate and timely fashion. Importantly, as the CFPB has made clear repeatedly in stating its vendor management expectations, the mortgage lender will bear primary responsibility for any failure to comply with the new TRID rules, regardless of whether such failures are the result of vendor missteps.
“There is a lot of concern that vendors and various critical third parties will not be up to the task,” notes Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “As a result, we are seeing a number of companies revising service provider contracts in an effort to have better visibility and control over the end-to-end process of loan origination.”
While many will sweat through the summer months in hopes of a flawless transition, TRID represents just the latest vendor management test for an industry that has already perspired through plenty. McGinn and Shah also recommend that legal and compliance personnel take note of recent guidance and enforcement actions which raise vendor management issues specific to the mortgage industry, including oversight of (i) mortgage servicers, (ii) mortgage advertising companies, and (iii) relationships between loan officers and title companies.
Amongst the most difficult adjustments companies have had to make has been increased oversight of mortgage servicers, which continues to consume considerable compliance resources and expense. Regulators are focused in particular with ensuring that servicers (i) have instituted policies and procedures consistent with new regulations and guidance, and (ii) comply with collections and credit reporting requirements:
- Under the revisions to Regulation X that took effect in January 2014, the CFPB may now cite an institution for failure to maintain policies and procedures reasonably designed to, among other things, facilitate (i) ready access to accurate and current documents and information reflecting actions taken by service providers, and (ii) periodic reviews of service providers. See 12 C.F.R. § 1024.38(b)(3). The Bureau explained at the time it proposed § 1024.38(b)(3), that the new regulation was designed to address evaluations of mortgage servicer practices that had found that some major servicers ‘‘did not properly structure, carefully conduct, or prudently manage their third-party vendor relationships,” citing deficiencies in monitoring foreclosure law firms and default management service providers as key examples. Going forward, the CFPB expects that servicers seeking to demonstrate that their policies and procedures are reasonably designed to achieve these objectives will demonstrate that, in fact, the servicer has been able to use its information to oversee its service providers effectively.
- The compliance burdens on servicers are also evident in the latest CFPB guidance on mortgage servicing transfers. Bulletin 2014-01, Compliance Bulletin and Policy Guidance: Mortgage Servicing Transfers, was issued August 19, 2014, and outlines a number of CFPB expectations of servicers in connection with the transfer of mortgage servicing rights, including potentially preparing and submitting informational plans to the Bureau describing how the servicers will be managing the related risks to consumers. In this regard, a primary focus of Bulletin 2014-01 is signaling that the CFPB is committed to enforcing the new servicing transfer rules under RESPA, which, requires servicers to, among other things, maintain policies and procedures that are reasonably designed to achieve the objectives of facilitating the transfer of information during mortgage servicing transfers and of properly evaluating loss mitigation applications.
- It should come as no surprise that one of the primary vendor management implications of the evolving regulatory requirements described above is that ongoing compliance will likely require significantly more dedication of financial and human resources for most mortgage servicers to comply. However, the cost of non-compliance can be substantially more devastating. Consider the troubles of one of the largest nonbank servicers that entered into a $2 billion settlement with the CFPB, authorities in 49 states, and the District of Columbia under a joint enforcement action in December 2013 over allegations related to charging customers unauthorized fees, misleading customers about alternatives to foreclosure, denying loan modifications for eligible homeowners, and sending robo-signed documents through the courts during the foreclosure process. Just one year later, in December 2014, the same servicer entered into a $150 million settlement with the New York Department of Financial Services in connection with allegations of mishandling foreclosures, abusing delinquent borrowers, and failing to maintain adequate systems for servicing hundreds of billions of dollars in mortgages. In each consent order, the failure to maintain reasonable policies and procedures and engage in appropriate vendor oversight was highlighted as a finding by the regulators.
- In addition to ensuring that mortgage servicers are implementing adequate policies and procedures with respect to vendor oversight, federal agencies have also been attentive to debt collection and credit reporting practices of mortgage servicers. A joint enforcement action by the FTC and CFPB in April of this year was critical of the servicer, in part, for allegedly (i) threatening arrest and imprisonment to consumers that were behind on payments and placing collection calls outside of the daily call window permitted under the Fair Debt Collections Practices Act (15 U.S.C. 1692 et seq.), and (ii) furnishing inaccurate credit information to consumer reporting agencies in violation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.) even after consumers indicated that they had reported the inaccuracies to the servicer. The servicer agreed to a $63 million settlement with the FTC and CFPB to resolve the matter.
Mortgage Advertising Companies
The CFPB has taken direct aim at deceptive mortgage advertisements in 2015, particularly those that imply an affiliation with programs offered by the U.S. government. At least a handful of enforcement actions have been announced by the Bureau during the first half of the year, including a simultaneous announcement in February against three private mortgage lenders that sent mailings simulating notices from the U.S. government despite the fact that none of the companies had any connection to a government agency. In bringing these actions, the CFPB made note of the customary practice of mortgage brokers and mortgage lenders to hire marketing companies to produce advertisements for mortgage credit products:
- In the two matters that resulted in consent orders (n.b., the third matter is still pending), the CFPB compelled the companies to (i) pay a civil monetary penalty for which they could not seek indemnification from any of the marketing companies that assisted with producing the advertisements, and (ii) carefully review henceforth any proposed marketing materials prepared by such marketing companies for compliance specifically with the Mortgage Acts and Practices Rule (Regulation N, 12 C.F.R. § 1014.3(n)), and the Dodd-Frank Act, which generally prohibits unfair, deceptive, or abusive acts or practices (12 U.S.C. §§ 5531(a), 5536(a)(1)(B)).
- In terms of vendor management, a key takeaway from these enforcement actions is that the CFPB expects mortgage lenders to take the same precautions with mortgage advertising companies as they are required to do with any other service provider that interacts with customers, inclusive of appropriate due diligence and oversight. Treating mortgage advertising companies as service providers has taken some in the industry by surprise as such companies have generally been viewed as marketing partners rather than service providers for mortgage brokers and lenders, and often receive a marketing fee for any advertisement that yields a new origination. Note also that the general expansion of third parties that qualify as “service providers” under Dodd-Frank is in keeping with various CFPB enforcement actions taken against ancillary and add-on product providers in the credit card and auto finance industries.
Relationships between loan officers and title companies
Another area of focus for the CFPB has been referrals made by loan officers to title companies in exchange for cash and marketing services:
- In April of this year, the CFPB joined forces with Maryland Attorney General to take action against several loan officers for their alleged participation in steering title insurance and closing services to a title company in exchange for the loan officers’ receipt of marketing services and cash from the title company. The consent orders, in addition to outlining RESPA violations which prohibit the giving of a “fee, kickback, or thing of value” in exchange for a referral of business related to a real estate settlement service (12 U.S.C. § 2607(a)), barred each of the loan officers from the mortgage industry for a period of years. The April announcements were follow-on enforcement actions to ones that the CFPB had announced in January against two large banks stemming from allegations that the banks’ loan officers had participated in similar schemes with the same (now defunct) title company.
- The potential for RESPA violations presents another compliance challenge for mortgage lenders to increase their oversight of not only third party title companies, but also the lender’s own loan officers that may be engaged, wittingly or unwittingly, in potentially illegal activity. In addition to enhanced RESPA training for loan officers and title companies, mortgage lenders may need to increase their monitoring and auditing activities of interactions between loan officers and title companies to further mitigate the risk of RESPA violations.
Note: This article previously appeared in the June 12, 2015, issue of Mortgage News Daily.
Two regulatory enforcement matters announced in April offer a view into the current mindset of regulators in the ever-evolving world of vendor management. First, the Federal Communications Commission (FCC) announced a $25 million settlement with a telecommunications carrier related to the unauthorized release of personal information of more than a quarter-million customers. The identified cause of the data breach were employees of the carrier’s service providers based in Mexico, Columbia, and the Philippines, who confessed to selling customer information to unauthorized third parties. In holding the carrier responsible, the FCC issued its largest data security enforcement action to date. Although severe in its punishment, the FCC action did not break new ground, as regulators have shown an increasing willingness in recent years to assess monetary penalties against supervised institutions for legal violations committed by vendors.
“This approach is entirely consistent with the FCC’s past enforcement actions related to data security breaches, as well as those of other regulatory bodies where consumer harm has resulted,” advises Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In the current environment, virtually every regulator has made accountability a fundamental axiom of its vendor management guidance.”
In the second action, the Consumer Financial Protection Bureau (CFPB) announced that it had filed a lawsuit in the United States District Court for the Northern District of Georgia in connection with an allegedly illegal debt collection operation whereby a group of individuals and companies based in New York and Georgia attempted to collect debts that consumers did not owe or that collectors were not authorized to collect. Specifically, the collectors allegedly placed “robo-calls” to millions of consumers stating that the consumers had engaged in check fraud and threatening them with legal action if they did not provide payment information. The CFPB asserts that, as a result, the debt collectors received millions of dollars in profits from the targeted consumers.
In addition, several service providers were named as defendants in the case because, according to the CFPB, the illegal scheme depended upon the participation of the service providers. Specifically, the CFPB charged payment processors and a telephone broadcast provider hired by the debt collectors, because these service providers, in pertinent part, (i) “failed to conduct reasonable due diligence to detect unlawful conduct,” which helped to facilitate millions of dollars in ill-gotten profits, and (ii) transmitted robo-call messages created by the debt collectors that the service providers “knew or should have known … contributed to unlawful debt collection.”
“The CFPB is holding the vendors accountable in this case on the theory that the vendors had a duty to vet the business practices used by the debt collectors to determine if they were unfair or deceptive or violate the debt collections laws,” according to Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “Having to take responsibility for another entity’s wrongdoing is likely a wake-up call for many vendors, but the CFPB has now shown on several occasions that it intends to cast a wide net when it comes to protecting consumers from unwarranted harm, including over entities that may not have known they were subject to this type of supervision.”
The bottom line: Compliance continues to be a significant outsourcing challenge for regulated institutions and their service providers. Thorough due diligence and ongoing oversight are becoming an imperative to avoid guilt-by-association predicaments such as was the case in the recent FCC and CFPB actions.
McGinn and Shah suggest the following steps supervised institutions and service providers can take to adapt and comply with a rapidly changing regulatory and enforcement environment:
- Commit to developing or enhancing compliance management systems to:
- Establish compliance responsibilities;
- Communicate those responsibilities to employees;
- Ensure that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
- Review operations to ensure responsibilities are carried out and legal requirements are met; and
- Take corrective action and update tools, systems, and materials;
- Review written policies and procedures including responsibilities for documenting compliance-related activities and regular reporting to senior management and the board of directors;
- Monitor training for service provider employees to ensure that contractual responsibilities align with operational realities, including procedures to identify legal and regulatory issues for escalation and resolution;
- Conduct regular on-site compliance audits of service provider operations, and proactively address issues discovered when reviewing service provider controls, performance, and information systems; and
- Dedicate sufficient resources and personnel to vendor management and compliance activities especially with respect to pre-contract due diligence and ongoing monitoring during the term of the contract.
As data security, privacy, and vendor management issues continue to intersect, there are a number of new focal points that will be particularly relevant to service providers.
- Commit to developing or enhancing compliance management systems to:
E-discovery is poised to enter a new revolution as the Internet of Things (“IoT”) continues its seemingly exponential growth. IoT is the ecosystem of interconnected sensory devices that perform coordinated, pre-programmed – and even learned – tasks without the need for continuous human input. Consider your fitness tracker that logs your sleep and physical activity, or sensors in your vehicle that track your driving habits on behalf of your auto insurance provider– all of these objects log and upload data about your body and habits into the cloud for analysis and use in automated tasks. All this data, projected to impact nearly every facet of industrialized society, has presented numerous preservation, collections, and analytical challenges for litigators navigating e-discovery in the world of the IoT. But despite these challenges, litigators can use technological and legal tools to effectively manage IoT discovery.
- It is true that IoT was not designed with e-discovery in mind, but neither was email or social media.
IoT data is generated by machines and usually transferred to the cloud rather than being stored on devices. This data storage process, which is largely automated, presents numerous preservation conundrums for litigators.
“Although innovation in e-discovery necessarily lags behind the innovation of the underlying technology, technology has always solved the problem that it had created. There’s no reason to believe the IoT experience will be materially different. But until that day arrives, courts should avail litigants of protections against disproportionate e-discovery efforts,” said Elizabeth McGinn, Partner in the DC office of BuckleySandler LLP.
- The responding litigant may not have the requisite control over IoT data to preserve it.
“The challenge of who controls cloud data is not unique to the IoT,” said Ty Yankov, Associate in the DC office of BuckleySandler LLP.
Technology companies have invested billions to maintain access to the data created from IoT devices, which calls into question who can control data created by such devices – the company who created the device or the person who’s data the device has collected?
- Preservation of IoT may be limited by the proposed revisions to the Federal Rules of Civil Procedure.
“Perhaps the most potent limitation to a party’s preservation and collection obligation of IoT data may rest in the timely proposed revisions to the Federal Rules of Civil Procedure, which are widely expected to take effect by the end of 2015,” said McGinn. Mindful of litigants’ inclination to over-preserve evidence, the Rules Committee seeks to clarify and limit litigants’ discovery obligations in four important ways:
- Proposed Rule 26(b) limits discoverability to issues within the parties’ claims or defenses, eliminating broad subject matter discovery.
- Proposed Rule 26(b)(2)(i) redefines the scope of discovery to include a proportionality principle.
- Proposed Rule 37(e) extends the proportionality principle to the duty to preserve evidence.
- Proposed Rule 26(b)(2)(B) reaffirms the allocation of expenses as a potential protective order remedy.
“IoT’s impact to data preservation and collection in e-discovery will be more muted that many fear,” said Yankov. “This is in large part due to the anticipated adoption of the proposed revisions to the Federal Rules as applied to the unique challenges of its preservation and accessibility.”
In their recently published article, “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things,” McGinn and Yankov provide further discussion on the changes and challenges IoT brings to e-discovery.
In April 2012, the Consumer Protection Financial Bureau issued Bulletin 2012-03, a guidance document setting forth the CFPB’s high-level expectations related to the engagement of third party service providers by supervised financial institutions. Since then, the Bureau has often referenced the Service Provider Bulletin in subsequent guidance and enforcement actions, but has not provided much in the way of detailed requirements for managing service providers. Despite the absence of strong guideposts, the CFPB has nonetheless sent unmistakable signals to highlight conduct which fails to meet the Bureau’s expectations on a variety of vendor relationship issues.
“The CFPB has voiced its dissatisfaction on a number of occasions with supervised entities that fail to perform adequate vendor oversight,” according to Elizabeth McGinn, Partner in the D.C. office of BuckleySandler. “In particular, nonbanks and service providers that are still coming up-to-speed on federal agency supervision and enforcement have to be alert and aware of important trends in recent enforcement actions that challenge outdated notions of vendor management.”
McGinn notes that a pattern appears to be emerging regarding the Bureau’s preference for the inclusion of certain contractual language in vendor agreements. Confidentiality obligations, audit rights, training responsibilities, and remedies for contractual breaches are among the thornier terms and conditions that may need to be enhanced in light of these developing trends.
One of the ways to minimize the vendor management risks is to be proactive when performing due diligence of potential service providers. Thorough examination of a vendor’s policies, procedures, and practices as they relate to compliance with federal consumer financial law is often the most important preventative step that a regulated entity can take to ensure that outsourcing relationships do not expose the financial institution and its customers to costly regulatory risks and unwarranted harm. In addition, consistent, risk-based procedures for monitoring existing service provider relationships are critical to meeting the CFPB’s expectations.
“The notion that a CFPB-supervised entity can avoid liability by asserting that a service provider is responsible for legal violations that caused harm to customers has long been dispelled,” says Moorari Shah, Counsel in BuckleySandler’s Los Angeles office. “In fact, in many enforcement actions, the CFPB has gone so far as to prohibit the supervised entity from invoking indemnification rights or insurance coverage to satisfy civil money penalties assessed by the Bureau, even if the supervised entity has negotiated the right to do so in its contract with the service provider.”
In their recently published article, Regulatory Blue Pencil: CFPB Guidance, Enforcement Actions Signal Expanding Focus on Vendor Management, McGinn and Shah provide additional vendor management insight in light of the CFPB’s increased regulatory scrutiny in this area.