Alston & Bird Consumer Finance Blog

Archives for November 3, 2023

HUD Seeks Comment on Proposed Notice to Change HECM for Purchase Program to Expand Funding Sources and Interested Party Contributions

A&B Abstract:

On October 24, 2023, the U.S. Department of Housing and Urban Development (“HUD”) published, for public comment, a Federal Register Notice (“Proposed Notice”) to implement changes to the Federal Housing Administration’s (“FHA”) Home Equity Conversion Mortgage (“HECM”) for Purchase program. The Proposed Notice expands the list of acceptable funding sources and permits additional interested party contributions to satisfy the borrower’s monetary investment requirement. Under the Proposed Notice, the FHA would also remove existing restrictions that prohibit the borrower from accepting cash from a seller or another person or entity that financially benefits from the HECM for Purchase transaction. HUD is seeking comment from interested members of the public on the Proposed Notice. The period for public comment ends on November 24, 2023.

Background

The HECM for Purchase program allows mortgagees to originate HECM for Purchase transactions to purchase a 1-to-4 family dwelling unit, one unit of which will serve as the borrower’s principal residence. The program requires borrowers to contribute substantial liquid assets to meet the negotiated contract sales price for the property plus standard origination fees and charges.

In 2009, the FHA published Mortgage Letter 2009-11 (“ML 2009-11”) which prohibited certain funding sources for the investment:

  • sweat equity;
  • trade equity;
  • rent credit; and
  • cash or its equivalent, in whole or in part, received from the seller or any other person or entity that financially benefits from the HECM for Purchase transaction, or any third party or entity that is reimbursed, directly or indirectly, by the seller or any other person or entity that financially benefits from the HECM for Purchase transaction.

In addition, ML 2009-11 prohibited seller contributions (or “seller concessions”) in any HECM for Purchase transaction. “Seller concessions” are the use of “loan points, interest rate buy-downs, closing cost down payment assistance, builder incentives, gifts or personal property given by the seller, or any other party involved in the transaction.” These limits are meant to redirect expenses customarily paid by the seller or other interested parties to the borrower.

In 2017, the FHA codified the requirements for the HECM for Purchase program, and other program changes, and also codified three permitted funding sources for the borrower’s required money investment (the “Final Rule”):

  • Cash on hand;
  • Cash from the sale or liquidation of the borrower’s assets; and
  • HECM proceeds.

The Final Rule also changed the funding source restrictions to permit interested party contributions to pay for:

  • fees required to be paid by the seller under state or local law;
  • fees that are customarily paid by the seller in the locality of the subject property; and
  • purchase of the Home Warranty policy by the seller.

The Proposed Notice

The Proposed Notice would permit interested parties to contribute up to six percent of the sales price and expand the list of permitted interested party contributions.

Under the Proposed Notice, an “interested party contribution” would be defined to mean a payment by an interested party or combination of parties, toward the borrower’s origination fees, other closing costs including any items paid outside of closing, prepaid items, and discount points. “Interested Parties” refers to sellers, real estate agents, builders, developers, mortgagees, third-party originators, or other parties with an interest in the transaction.

Under the Proposed Notice, the six percent limit on interested party contributions may be applied towards but may not exceed the cost of:

  • origination fees;
  • other closing costs paid outside of closing (e.g., credit report and appraisal);
  • prepaid items;
  • discount points;
  • interested party payment for permanent and temporary interest rate buydowns; and
  • payment of the initial mortgage insurance premium.

The Proposed Notice would also permit the following additional funding sources to satisfy the borrower’s monetary investment:

  • premium pricing;
  • gifts;
  • disaster relief grants; and
  • employer assistance.

This would be the first time that premium pricing is permitted for use in the HECM for Purchase program. Under the Proposed Notice, borrowers would be able to receive a credit from the mortgagee or third-party originator to reduce their closing costs in exchange for a certain initial mortgage interest rate.

Premium pricing credits from the mortgagee or third-party originator would be excluded from the six percent limit if the mortgagee or third-party originator is not the seller, real estate agent, builder, or developer. The interested party contributions for the various fees permitted under 24 C.F.R. § 206.44(c)(1) will also be excluded from the six percent interested party contribution limit. The FHA will also exclude the satisfaction of a Property Assessed Clean Energy (“PACE”) lien or obligation against the property by the property seller from the definition of an interested party contribution in the HECM for Purchase program.

Takeaway

The Proposed Notice is an effort by the FHA to more closely align the HECM for Purchase program with its forward mortgage programs. If implemented, the Proposed Notice would likely make it easier for borrowers to meet their monetary investment requirement by expanding the list of funding sources and permitting interested party contributions. Lenders participating in the HECM for Purchase program should review the Proposed Notice and consider submitting a comment.

Majority of States Now Permit Remote Work for MLOs and Mortgage Company Employees

A&B Abstract:

On June 9, Illinois became the latest state in a growing trend to authorize remote work for mortgage loan originators and mortgage company employees. This makes five states joining the list of jurisdictions legislatively permitting MLOs to work remotely since Montana enacted similar legislation in March, with more states expected during the 2024 legislative sessions.

The Illinois amendments to The Residential Mortgage License Act of 1987, signed by Governor Pritzker on June 30, 2023, take effect on January 1, 2024 and specify requirements that licensed MLOs must follow to allow employees to work from remote locations. These changes include:

  • Requiring the licensee to have written policies and procedures for supervising mortgage loan originators working from a remote location;
  • Restricting access to company platforms and customer information in accordance with the licensee’s comprehensive written information security plan;
  • Prohibiting in-person customer interactions at a mortgage originator’s residence unless the residence is a licensed location;
  • Prohibiting maintaining physical records at a remote location;
  • Requiring customer interactions and conversations about consumers to be in compliance with state and federal information security requirements;
  • Mandating mortgage loan originators working from a remote location to use a secure connection, either through a virtual private network (VPN) or other comparable system, to access the company’s system;
  • Ensuring the licensee maintains appropriate security updates, patches, or other alterations to devices used for remote work;
  • Requiring the licensee to be able to remotely lock, erase, or otherwise remotely limit access to company-related contents on any device; and
  • Designating the loan originator’s local licensed office as their principal place of business on the NMLS.

Nevada, Virginia, and Florida passed legislation resembling the Illinois law, mandating similar security, compliance, and surveillance requirements.

Temporary Guidance Ending

Remote work flexibility is now the majority stance for the industry. The four states mentioned above are the most recent since Montana passed similar legislation in March. Of the 53 U.S. jurisdictions tracked by the Mortgage Bankers Association (including Washington, D.C., Guam, and Puerto Rico), 30 have implemented permanent statutes or regulations allowing remote work, with 9 more jurisdictions still operating under temporary guidance permitting remote work.

Of the states still operating under temporary guidance, Oklahoma’s guidance expires December 31, 2023. The state government will need to take further action, whether legislative or regulatory, to continue to allow MLOs to work remotely. Louisiana issued temporary guidance in July 2020, which would stay active “as long as there is a public health emergency relating to COVID-19, as declared by Governor Edwards of the State of Louisiana, or until rescinded or replaced.” Governor Edwards ended the emergency in March 2022 when he did not renew the expiring order. Remote work in Louisiana is now operating in a grey zone with regard to whether the temporary order is still in effect, due to the “until rescinded” language.

Different Methods, Similar Results

Although remote work is the new norm, states are taking different routes to allow MLOs to work remotely. Many statehouses passed legislative statutes, which allow for stable policies but can be difficult to revise through the legislative process. These statutes tend to follow similar structures and have similar requirements. Illinois, Virginia, Florida, and Nevada allow MLOs to work from home so long as certain records are not maintained in remote locations, professionals do not meet with customers outside of licensed facilities, employees are properly supervised as required by the license, and the company maintains adequate cybersecurity measures to protect customer data.

Nebraska’s state legislature did not pass specific guidance regarding remote work for MLOs, but rather passed authorization to allow the Nebraska Department of Banking and Finance to promulgate regulations allowing remote work for MLOs. The Department has not yet issued permanent guidance for local MLOs regarding remote work requirements. Although implementing rules through the regulatory system may take longer, it is also more flexible to changing circumstances and generally permits regulators to revise guidance faster than it takes a state legislature to convene, draft, and pass appropriate amendments to existing legislation.

Takeaway

The post-COVID workforce is clinging onto the last bit of convenience that the pandemic forced upon us. Surveys show that remote work flexibility is now the primary perk that would drive people to different employers. Since the technology needed to safely conduct business remotely is now proven, states are realizing that the easiest way to retain qualified mortgage professionals is to allow remote work flexibility. The American Association of Residential Mortgage Regulators (AARMR) expressed concern over a lack of remote work options in 2022 before states started passing permanent legislation. State legislatures embraced AARMR’s concern that a lack of remote work options could cause professionals to leave the industry, further widening the access gap for already underserved communities. The remote work trend has touched other industries that were previously in-person only and is likely to grow in those other industries (e.g., remote notarization) as far as practically feasible.

* We would like to thank Associate, CJ Blaney, for their contributions to this blog post.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions within the FTC’s jurisdiction under the Safeguards Rule include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines, which apply to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines, which define “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorneys General under most state data breach notification laws (either explicitly or implicitly), but it differs in a key respect from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”