Alston & Bird Consumer Finance Blog

Dodd-Frank Act

Financial Services Advisory: CFPB Finalizes Open Banking Rule on Consumer Financial Data Rights

Executive Summary
8 Minute Read

Our Financial Services Group unpacks the Consumer Financial Protection Bureau’s final rule on consumer financial data rights under Section 1033 of the Dodd–Frank Act.

  • The rule requires “data providers” to provide consumers and authorized third parties, upon request, with access to certain consumer financial data
  • “Data providers” include Regulation E banks and credit unions, Regulation Z card issuers, payment facilitators, and digital-wallet providers
  • Compliance deadlines are staggered based on institution size, with an exclusion for financial institutions with less than $850 million in assets

_______________________________________________________________

On October 22, 2024, the Consumer Financial Protection Bureau (CFPB) finalized its rule on personal financial data rights under Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act. Known as the “open banking rule,” it permits consumers to access, control, and share their financial data with authorized third parties. The rule creates a significant shift in control over consumer data in the United States, and it is intended to provide consumers with greater control over financial data, foster competition, and stimulate innovation across the financial services industry. The rule applies broadly to banks, credit unions, and nonbank financial institutions, all of which must make consumer financial data available upon authorized request.

Key Provisions

The rule requires a “data provider” to make available, without charge, “covered data” about consumer financial products and services to consumers and certain “authorized third parties,” in electronic form, upon request by the consumer. The rule requires the provision of such data in standardized, machine-readable formats to promote consistency between financial institutions and third parties. The CFPB will name standard-setting bodies to develop consensus standards to assess compliance with the rule.

Who is a “data provider”?

The CFPB has said its definition of “data provider” will continue to evolve, but it has prioritized financial institutions and card issuers. The rule defines a “data provider” as:

  • A financial institution – that is, a bank or credit union – as defined in Regulation E, 12 CFR 1005.2(i), excluding those with less than $850 million in assets.
  • A card issuer as defined in Regulation Z, 12 CFR 1026.2(a)(7), including buy now/pay later providers.
  • Any other person that “controls or possesses information concerning a covered consumer financial product or service that the consumer obtained” from that person, including providers offering payment facilitation products and services such as digital-wallet providers.

What is “covered data”?

The rule defines “covered data” as essential consumer financial information, including:

  • At least 24 months of transaction information in the control or possession of the data provider.
  • Account balance information.
  • Information to initiate payment to or from a Regulation E account directly or indirectly held by the data provider, including an account and routing number that can be used to initiate an Automated Clearing House transaction.
  • Terms and conditions, or agreements evidencing the terms of the legal obligation between a data provider and a consumer for a covered consumer financial product or service, including pricing information such as APRs and other pricing terms.
  • Upcoming bill payment information.
  • Basic information needed for account verification, limited to name, address, email address, and phone number associated with the covered consumer financial product or service.

Data providers will not have to provide confidential commercial information, including proprietary algorithms that might be used to derive credit or risk scores and information that is used solely for the purpose of fraud detection, money laundering, or other unlawful behavior.

Who is an “authorized third party”?

Fintech apps and data aggregators that offer services to consumers using their data are included as third parties. Authorized sharing with these entities must be based on informed consent that is to be renewed annually.

  • A “third party” means any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.
  • To access a consumer’s data, the third party must (1) provide the consumer with an authorization disclosure containing key terms of the data access; (2) provide a statement to the consumer in the authorization disclosure certifying that the third party agrees to obligations set forth in the final rule; and (3) obtain the consumer’s express informed consent to access covered data on behalf of the consumer by obtaining an authorization disclosure that is signed by the consumer electronically or in writing.
  • Third parties are limited in the collection, use, and retention of covered data to what is “reasonably necessary” to provide a product or service to a customer. Use of the data for targeted advertising, cross-selling of other products or services, or the sale of covered data are prohibited.

Stakeholder Perspectives and Compliance Considerations

Reactions to the final rule have been split. Consumer advocates have voiced support for the rule and the empowerment of consumers to control how and where their data can be used, as well as the ability to switch banks more easily. Just hours after the final rule was released, however, the Bank Policy Institute, the Kentucky Bankers Association, and Forcht Bank, a community bank in Kentucky, filed a joint lawsuit in the Eastern District of Kentucky requesting injunctive relief. The plaintiffs allege that the CFPB overstepped its statutory authority (in that Section 1033 relates to a consumer’s right to access their own information and does not speak to access by authorized third parties) and will expose banks to unreasonable liability risk. Forcing banks to share customers’ sensitive financial information while handcuffing banks from managing the risks of doing so, they allege, will increase fraud and the misuse of customer data.

Some of this concern stems from the allocation of responsibility for data security and accountability in the rule. It allows that data providers can deny access to data, but only if the denial is (1) directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security; and (2) applied in a consistent and nondiscriminatory manner. Data providers must keep a record of when a consumer or third-party request is refused. In the event of a security breach, data providers must notify affected consumers and the CFPB promptly. Notably, the rule requires data providers to verify that third parties uphold data privacy and security standards, but it places limited regulatory obligations on third parties themselves, leaving accountability for data security largely with the data providers. Data providers argue that the rule essentially forces them to subsidize third-party access to consumer data without sharing the cost burden.

During the rule comment period, a range on commentators raised concerns about potential overlaps and compliance complexities with other existing consumer financial laws, and the CFPB has attempted to address those issues in the final rule. Many comments focused on the need for clarity on how the rule interacts with laws such as the Electronic Fund Transfer Act (EFTA), Fair Credit Reporting Act (FCRA), and Gramm–Leach–Bliley Act (GLBA).

  • In comments before the final rule, data providers requested that the CFPB extend the Regulation E error resolution requirements to third parties such as data aggregators. The CFPB reasoned, however, that consumers should address these concerns with their primary financial institution, in line with statutory error resolution rights under the EFTA. Furthermore, data providers and third parties that are Regulation E financial institutions will continue to have error resolution obligations in the event of data breaches.
  • During the comment period to the final rule, there was concern that it would expand FCRA compliance. In the final rule, the CFPB clarified that data providers sharing information at the consumer’s request “does not cause data aggregators to incur legal liability under the FCRA that they would not otherwise assume through their ordinary operations” and would not “alter the types of data, parties, or permissible purposes covered by the FCRA.”
  • Some commentors asked how the rule’s data limitations align with GLBA permissions. The CFPB states Section 1033’s data sharing requirements coexist with GLBA but do not override or replace its mandates, maintaining distinct protections under each law.

Compliance Tiers and Timeline

The rule provides compliance deadlines that are staggered based on institution size:

  • First Tier: Depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024 must comply by April 1, 2026.
  • Second Tier: Depository institution data providers that hold at least $10 billion in total assets but less than $250 billion in total assets and nondepository institution data providers that generated less than $10 billion in total receipts in both calendar year 2023 and calendar year 2024 must comply by April 1, 2027.
  • Third Tier: Depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets must comply by April 1, 2028.
  • Fourth Tier: Depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets must comply by April 1, 2029.
  • Fifth Tier: Depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets must comply by April 1, 2030.

Conclusion: Prioritizing Readiness

The CFPB’s Section 1033 rule represents a transformative shift in the U.S. financial regulatory landscape, centering consumer control over data rights and driving the industry to an open banking model. Fintech advocates view it as an essential step towards consumer empowerment, while banks and credit unions warn of risks to data security and have liability concerns. Even as the CFPB begins assessing applications for standard-setting bodies, legal and compliance teams from institutions and fintech companies alike should begin to look ahead, with a focus on data security, potential contractual updates with third parties, and regulatory alignment.


Originally published November 22, 2024.

You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.

If you have any questions, or would like additional information, please contact one of the attorneys on our Financial Services Team.

CFPB and Other Federal Agencies Finally Adopt AVM Rule

What Happened?

On June 20, 2024, a group of federal regulators published a rule addressing for the use of automated valuation models (AVMs) in mortgage origination and secondary market transactions.

The rule adoption – by the Consumer Financial Protection Bureau, Office of Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), and Federal Housing Finance Agency (collectively, the Agencies) – comes more than 13 years after the enactment of the Dodd-Frank Act.  Section 1473 of the Dodd-Frank Act mandated the promulgation of a rule to implement quality control standards for the use of automated valuation models by mortgage originators and secondary market issuers in valuing the collateral worth of a mortgage secured by a consumer’s principal dwelling – even one made for business, commercial, agricultural, or organizational purposes.  The rule will take effect October 1, 2025 (the first day of a calendar quarter following the 12 months after publication in the Federal Register).

Section 1473(q) of the Dodd-Frank Act amended the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA), addressing the use of AVMs to estimate the collateral value of a mortgage for mortgage lending purposes in new section 12 U.S.C. § 3354.  The statute sets forth the framework for developing quality control standards to which AVMs must adhere and directs the Agencies to promulgate regulations implementing the standards.

What AVMs does the Rule Cover?

An AVM is any computerized model used by mortgage originators and secondary market issuers to determine the value of a consumer’s principal dwelling collateralizing a mortgage.  The rule’s quality control standards apply only to AVMs used in connection with making credit decisions or covered securitization determinations regarding a mortgage.  For example, the standards apply when determining a new value before originating, modifying terminating a mortgage, or making other changes to a mortgage including a decision whether to extend new or additional credit or change the credit limit on a home equity line of credit (including reductions or suspensions), or placing a loan in a securitization pool.  The rule treats assumptions as credit events.  By contrast, the rule does not cover other uses such as monitoring collateral in mortgage-backed securitizations after they have already been issued or validating an already completed valuation.

Why Is It Important?

The rule requires institutions that engage in covered credit decisions or securitization determinations – whether themselves, or through or in cooperation with a third party affiliate – to adopt policies, practices, procedures and control systems to ensure that the use of AVMs adheres to quality control standards.

“Control systems” are the functions (such as internal or external audits, risk review, quality control and quality assurance) and information systems that are used to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel, including with respect to compliance with statutes and regulators.

In keeping with FIRREA, the rule’s quality control standards are designed to:

  • Ensure a high level of confidence in the estimates produced by the AVMs;
  • Protect against the manipulation of data;
  • Seek to avoid conflicts of interest;
  • Require random sample testing and reviews; and
  • Comply with applicable nondiscrimination laws.

In the rule, the Agencies take the standards one step further than the Dodd-Frank Act mandate, by requiring AVM quality control standards to comply with applicable nondiscrimination laws.  Exercising their statutory authority to account for other appropriate quality control factors, the Agencies’ inclusion of this fifth factor addresses concerns about the potential for AVMs to produce property estimates that reflect discriminatory bias.  In doing so, the Agencies have acted consistent with the Biden administration’s focus on appraisal bias, as exhibited in the PAVE initiative.

In adopting the rule, the Agencies remind institutions that the Equal Credit Opportunity Act and Regulation B, as well as the Fair Housing Act, apply to appraisals and AVMS.  Further, “institutions have a preexisting obligation to comply with all Federal laws including Federal nondiscrimination laws.” To that end, this fifth factor creates an independent obligation for institutions to establish policies, procedures, and control systems to ensure compliance with nondiscrimination laws.

The rule does not include specific requirements on how institutions are to structure their policies and procedures.  The Agencies intend this nonprescriptive approach to provide institutions the flexibility to set quality controls for AVMs as appropriate, based on the size of the institution and the risk and complexity of the transactions for which AVMs will be used.

Rule Applicability

Key to understanding the rule’s impact is an evaluation of what persons and loans are within its scope.

  • Mortgage Originators, Brokers, and Servicers: For purposes of the rule, the term “mortgage originator” has the same definition as under the Truth in Lending Act: any person who, for direct or indirect compensation or gain, or in the expectation of direct or indirect compensation or gain, takes a mortgage application, assists a consumer in obtaining or applying to obtain a mortgage, or offers or negotiates terms of a mortgage secured by a consumer’s principal dwelling, even if the mortgage is primarily for business, commercial agricultural or organizational purposes.  That definition includes a mortgage broker; however, the rule does not apply to mortgage brokers if they do not engage in making covered credit decisions or securitization determinations.  The rule generally does not cover mortgage servicers, unless they are engaged in covered origination activity (for example, in connection with an assumption or a refinancing).  A mortgage originator does not include an individual who engages in “modifying, replacing and subordinating principal or existing mortgages where borrowers are behind in their payments, in default or have a reasonable likelihood of being in default of falling behind.”
  • Secondary Market Issuers: The rule applies to secondary market participants, including the GSEs or “any other party that creates, structures or organizes a mortgage-backed securities transaction,” which includes coverage of entities that are responsible for determining the collateral worth of a mortgage when issuing mortgage-backed securities. This encompasses secondary market participants in the securitization process that make these types of determinations, as opposed to verifying or monitoring such determinations.
  • Loan Applicability: The rule applies when a mortgage is secured by a consumer’s principal dwelling even if the mortgage is primarily for business, agricultural, or organizational purposes.  For purposes of the rule, a “dwelling” means a residential structure that contains one to four units, regardless of whether the structure is attached to real property.
Use of AVMs by Appraisers Not Subject to the Rule

The rule excludes from its scope a certified or licensed appraiser using AVMs in the development of an appraisal.  In creating this exclusion, the Agencies recognize that to comply with the Uniform Standards of Professional Appraisal Practice, appraisers must make valuation conclusions that are supportable independently and do not rely on the results produced by AVMs. Moreover, the rule excludes reviews of completed determinations from the scope of the rule: “if an AVM is being used solely to review the completed determination, the AVM is not covered by the [r]ule regardless of when the AVM is used after that determination.”

Additionally, the Agencies’ existing guidance regarding AVMs remains applicable separately from the rule.  For example, the OCC, Board, FDIC, and NCUA have issued guidance about prudent appraisal and evaluation programs in Appendix B to the Interagency Appraisal and Evaluation Guidelines.

What To Do Now?

Largely as proposed, the rule requires regulated mortgage originators and secondary market issuers to take appropriate steps and adopt policies, practices, procedures, and control systems to ensure that the use of AVMs in valuing real estate collateral securing mortgage loans adhere to the specified quality control standards, including compliance with nondiscrimination laws to avoid potential valuation bias. The rule requires institutions to create their own policies and procedures to ensure the credibility and integrity of valuation determinations produced by AVMs.

While AVM developers and vendors are not covered by the rule, covered institutions will need to work with their AVM developers and vendors to ensure compliance with its obligations.  It is likely that third party AVM testing entities will emerge to assist with these obligations. Vendor management oversight will be important.  Institutions will need to start thinking through their existing policies, practices,  procedures, and control systems now to identify what changes are necessary to ensure compliance on or before the rule’s effective date.

Appraisal Bias Settlement: Potential Roadmap

What Happened?

The lender and consumers reached a settlement in an appraisal bias case, Nathan Connolly and Shani Mott v. Shane Lanham, 20/20 Valuations, LLC, and loanDepot.com, LLC, filed in Maryland District Court, that gained the attention of the CFPB and DOJ. While some of the terms in the settlement are already industry standard, there appear to be some newer obligations that could be a template for other lenders to follow.

Why it Matters?

The settlement is important – both for what it does and what it doesn’t do. Unfortunately, the settlement does not address the question of whether a lender is responsible for the actions of an appraiser who is neither an employee nor an agent of the lender.

By way of background, in response to the Great Financial Crisis, the Dodd-Frank Act established new rules to ensure appraisal independence and address issues of inflated appraisals or overvaluation. More recently, however, partially due to changes in the market, consumers have lodged complaints of undervaluation, alleging that discrimination resulted in the appraisal coming in too low.

Given this increase in complaints and the Administration’s focus on racial equity, regulators have been grappling with how best to address and eliminate appraisal bias. Prior to the settlement, the CFPB and DOJ jointly made arguments in a statement of interest that would hold lenders liable for the actions of an appraiser who is neither an employee nor an agent of the lender.

In response, the MBA issued an amicus brief requesting that the Court recognize that there is no existing legal authority to hold a lender liable for the alleged actions of an independent appraiser. The resulting settlement is silent on this point.

The settlement does, however, impose several obligations on the lender and its and appraisal management companies (AMCs), providing insight into what the mortgage industry could do to combat appraisal bias.

In particular, the settlement requires mortgage loan applications be provided with information on how to raise concerns with a valuation sufficiently early in the valuation process so that issues or errors can be resolved before a final decision on the application is made, including:

  • The right to request a reconsideration of value (ROV) as soon as possible;
  • A description of the process to obtain an ROV (which may not create unreasonable barriers or discourage applicants from making ROV requests) and a description of the lender’s evaluation process;
  • If the ROV is denied or the value is unchanged, a written explanation of the lender’s evaluation of the submitted material;
  • The standards that trigger a second appraisal; and
  • The applicant’s right to file a complaint with the CFPB or HUD, as part of the ROV process.

Further, the settlement requires the lender to:

  • Conduct statistical analysis tracking appraisal outcomes by protected class and neighborhood demographics including whether the loan was denied, whether a second appraisal was ordered, and whether there was a change in the valuation as a result of the ROV process. Such analysis must track individual appraisers including appraisal outcomes, ROV requests, and bias complaints.
  • Not utilize appraisers who, according to the statistical analysis, received multiple complaints from minority applicants in minority neighborhoods alleging appraisal bias, or who have a pattern of undervaluing homes owned by minority applicants or homes in minority neighborhoods, or who have been found to have discriminated in an appraisal.
  • Clearly outline internal stakeholder roles and responsibilities for processing an ROV request.
  • Ensure that ROV requests of valuation bias or discrimination complaints across all relevant business channels are escalated to the appropriate channel for research or a response.
  • Adhere to ROV timelines for certain milestones.
  • Review appraiser response to ROV requests for completeness, accuracy, and indicia of bias and discrimination.
  • Establish standards for offering a second appraisal which at a minimum must include when the first appraisal has indicia of bias or discrimination is otherwise defective.
  • Ensure that the applicant’s interest rate will remain locked during the ROV process.
  • Ensure that ensure applicants are not charged for the cost of an ROV or second appraisal.
  • Include on its website educational information on how to understand an appraisal report and contact information for questions on the appraisal report.
  • Update its fair and responsible lending policy to explicitly prohibit discrimination in violation of state and federal fair lending laws on the basis of race, color, religion, sex, familial status, national origin, disability, marital status, or age.
  • Provide training annually and for new employees on discrimination in residential mortgage lending and appraisals, and on all policies related to the ROV process, appraisal reviews, and the use of value adjustments.
  • Not utilize appraisers who previously were found by a regulatory body or court of law to have discriminated in an appraisal.

Finally, the settlement requires that AMCs and appraisers doing business with the lender contractually agree to:

  • Represent that appraisers will receive fair lending training; and
  • Certify that appraisers have not been subject to any adverse finding related to appraisal bias or discrimination, or list or describe any findings.

What to do now?

Lenders should carefully review the settlement and compare it to existing policies and procedures. While the settlement is only binding on the parties to the agreement, others should take interest. Historically, lenders conduct fair lending statistical testing for underwriting, pricing, and redlining risk. It might be time to consider adding appraisal risk.

CFPB Touts 2023 Greatest Hits and Casts a Line for Enforcement Hires

What Happened?

Earlier this week, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) released a blog post touting its 2023 successes in safeguarding “household financial stability” through the levying of fines and filing of lawsuits. The Bureau highlighted seven enforcement cases:

  • Protecting Servicemembers from Illegal High-Interest Loans and False Advertising: In February 2023, the CFPB ordered an auto title loan lender and several affiliated entities to pay a total of $15 million in penalties and consumer redress to resolve allegations that the entities violated the Military Lending Act. That same month, the CFPB permanently banned a California-based mortgage lender from the mortgage lending industry and imposed a $1 million penalty on the lender for repeatedly violating a 2015 consent order by, among other things, allegedly continuing to send advertisements to military families that led recipients to believe the company was affiliated with the U.S. government.
  • Taking Action for Illegally Charging Junk Fees, Withholding Credit Card Rewards, and Operating Fake Bank Accounts: In July 2023, the CFPB ordered a national bank to pay a more than $190 million in penalties and consumer redress to resolve allegations that the bank double dipped on insufficient funds fees imposed on customers, withheld reward bonuses promised to credit card customers, and misappropriated sensitive personal information to open accounts without customer knowledge or authorization. The Office of the Comptroller of the Currency (“OCC”) also found that the bank’s double-dipping on insufficient funds fees was illegal and ordered the bank to pay $60 million in penalties.
  • Intentional Illegal Discrimination Against Armenian Americans: In November 2023, the CFPB ordered a national bank to pay $25.9 million in fines and consumer redress for allegedly “intentionally and illegally discriminating against credit card applicants the bank identified as Armenian American.” 
  • Taking Action to Stop Loan Churning: In August 2023, the CFPB sued a high-cost installment loan lender and several of its wholly owned, state-licensed subsidiaries, for allegedly violating the Consumer Financial Protection Act by “illegally churning loans to harvest hundreds of millions in loan costs and fees.”
  • Illegal Rental Background Check and Credit Reporting Practices: In October 2023, the CFPB and the Federal Trade Commission (“FTC”) sued a rental screening subsidiary of a national consumer credit reporting agency for allegedly violating the Fair Credit Reporting Act by failing to take steps to ensure the rental background checks that landlords use to decide who gets housing were accurate and withholding from renters the names of third parties that were providing the inaccurate information. The resulting court order required the company to pay $15 million in penalties and make significant improvements to how it reports evictions. Separately, the CFPB ordered the national consumer reporting agency to pay $8 million in consumer redress and penalties for failing to timely place or remove security freezes and locks on consumer credit reports and for falsely telling certain consumers that their requests were processed.
  • Stopping unlawful junk advance fees for credit repair services: In August 2023, the CFPB entered into a settlement with a credit repair service conglomerate that imposed a $2.7 billion judgment and banned the companies from telemarketing credit repair services for 10 years.

The CFPB touted that in 2023 it secured over $3.5 billion in total fines and compensation from financial services “lawbreakers” in 2023.  The CFPB largely attributed these cases to the creation of a “team of technologists” working on emerging technologies to “enforce the law when emerging technologies harm consumers.”

Why is this Important?

The CFPB filed 29 enforcement actions in 2023 but selected the seven highlighted above, possibly signaling that junk fees, fair lending, servicemember protections, and credit reporting, among others, remain on the Bureau’s radar. We do not expect the CFPB to issue any sort of accounting covering enforcement cases which it dropped in 2023.

Interestingly, the CFPB also used this post to recruit new “cross-disciplinary” employees (both attorneys and non-attorneys) for its Office of Enforcement and reiterated that the Bureau is “significantly expanding [its] enforcement capacity in 2024 to build on [its] achievements so far.” The roles are located in the Bureau’s Washington, D.C. headquarters and its regional offices in Atlanta, Chicago, New York and San Francisco.  The last of the associated employment information virtual sessions occurred on January 30, 2024.  Strangely, the CFPB only released this blog post the day before the last of these three sessions and it is not known how that late notice may impact application numbers.

What Do You Need to Do?

Given that the CFPB is telegraphing those issues that are top of mind for the Bureau as well as its emphasis on ramping up enforcement in 2024, now is a good time for companies to review their compliance management programs and make any necessary enhancements to policies, procedures, processes, and systems to ensure compliance with all applicable consumer financial laws and regulations. In particular, institutions should revisit their compliance monitoring programs to determine whether any updates are needed to minimize enforcement risk.

CFPB’s Message to Mortgage Servicers: Make Sure You Comply with RESPA’s Force-Placed Insurance Requirements

A&B Abstract:

In Case You Missed It:  At the recent Federal Housing Finance Agency’s Symposium on Property Insurance, CFPB Director Rohit Chopra spoke about force-placed insurance and conveyed the following message: “The CFPB will be carefully monitoring mortgage market participants, especially mortgage servicers to ensure they are meeting all of their obligations to consumers under the law.”

The CFPB’s servicing rules set forth in RESPA’s Regulation X specifically regulate force-placed insurance. For purposes of those requirements, the term “force-placed insurance” means hazard insurance obtained by a servicer on behalf of the owner or assignee of a mortgage loan that insures the property securing such loan. In turn, “hazard insurance” means insurance on the property securing a residential mortgage loan that protects the property against loss caused by fire, wind, flood, earthquake, falling objects, freezing, and other similar hazards for which the owner or assignee of such loan requires assistance. However, force-placed insurance excludes, for example, hazard insurance required by the Flood Disaster Protection Act of 1973, or hazard insurance obtained by a borrower but renewed by a company in accordance with normal escrow procedures.

Given the Bureau’s announcement, now is a good time to confirm that your company has adequate controls in place to ensure compliance with all of the technical requirements of RESPA’s force-placed insurance provisions.  Set forth below are some of the many questions to consider:

Escrowed Borrowers:

  • When a borrower maintains an escrow account and is more than 30 days past due, does the company ensure that force-placed insurance is only purchased if the company is unable to disburse funds from the borrower’s escrow account?
    • A company will be considered “unable to disburse funds” when the company has a reasonable basis to believe that (i) the borrower’s hazard insurance has been canceled (or was not renewed) for reasons other than nonpayment of premium charges; or (ii) the borrower’s property is vacant.
    • However, a company will not be “unable to disburse funds” only because the escrow account does not contain sufficient funds to pay the hazards insurance charges.

Required Notices:

  • Does the company ensure that the initial, reminder, and renewal notices required for force-placed insurance strictly conform to the timing, content, format, and delivery requirements of Regulation X?

Charges and Fees:

  • Does the company ensure that no premium charge or fee related to force-placed insurance will be assessed to the borrower unless the company has met the waiting periods following the initial and reminder notices to the borrower that the borrower has failed to comply with the mortgage loan contract’s requirements to maintain hazard insurance, and sufficient time has elapsed?
  • Are the company’s fees and charges bona fide and reasonable? Fees and charges should:
    • Be for services actually performed;
    • Bear a reasonable relationship to the cost of providing the service(s); and
    • Not be prohibited by applicable law.
  • Does the company have an adequate basis to assess any premium charge or fee related to force-placed insurance, meaning that the company has a reasonable basis to believe that the borrower has failed to comply with the mortgage loan contract’s requirement to maintain hazard insurance because the borrower’s coverage is expiring, has expired or is insufficient?
  • Does the company have appropriate controls in place to ensure that the company will not assess any premium charge or fee related to force-place insurance to the borrower if the company receives evidence that the borrower has maintained continuous hazard insurance coverage that complies with the fee requirements of the loan contract prior to the expiration of the waiting periods (at least 45 days have elapsed since the company delivered the initial notice and at least 15 days have elapsed since the company delivered the reminder notice)?
  • Will the company accept any of the following as evidence of continuous hazard insurance coverage:
    • A copy of the borrower’s hazard insurance policy declarations page;
    • The borrower’s insurance certificate;
    • The borrower’s insurance policy; or
    • Another similar form of written confirmation?
  • Does the company recognize that the borrower will be considered to have maintained continuous coverage despite a late payment when applicable law or the borrower’s policy contemplates a grace period for the payment of the hazard insurance premium and a premium payment is made within that period and accepted by the insurance company with no lapse in coverage?
  • Within 15 days of receiving evidence (from any source) demonstrating that the borrower has maintained hazard insurance coverage that complies with the hazard insurance requirements in the loan contract, does the company:
    • Cancel any force-placed insurance that the company has purchased to insure the borrower’s property; and
    • Refund to the borrower all force-placed insurance premium charges and related fees paid by such borrower for any period of overlapping insurance coverage and remove from the borrower’s account all force-placed insurance charges and related fees that the company assessed to the borrower for such period?

And let’s not forget that companies must continue to comply with the above requirements if the company is a debt collector under the Fair Debt Collection Practices Act (“FDCPA”) with respect to a borrower and that borrower has exercised a “cease communication” right under the FDCPA.  Of course, failure to comply with the Regulation X requirements could also result in violations of UDAAP and FDCPA provisions.

Takeaway:

Given that the CFPB is telegraphing its upcoming review of servicers’ force-placed insurance practices, now is a good time for companies to ensure that their compliance management programs are robust enough to ensure compliance with all the technical requirements of RESPA’s force-placed insurance requirements. Alston & Bird’s Consumer Financial Services team is happy to assist with such a review.