Alston & Bird Consumer Finance Blog

Mortgage Servicing

Fannie Mae Issues Guidance in Response to New York Foreclosure Abuse Prevention Act

By

What Happened?

On March 13, 2024, Fannie Mae issued Servicing Guide Announcement (SVC-2024-02) (the “Announcement”), which announced, among other things, updates to Fannie Mae’s Loan Modification Agreement (Form 3179), with additional instructions in response to the New York Foreclosure Abuse Prevention Act (“FAPA”). Specifically, for all Loan Modification Agreements (Form 3179) sent to a borrower for signature on or after July 1, 2024, servicers are required to amend the modification agreement to insert the following as new paragraphs 5(e) and (f) for a mortgage loan secured by a property in New York:

(e) Borrower promises to pay the debt evidenced by the Note and Security Instrument.  Further, Borrower acknowledges and agrees that any election by Lender to accelerate the debt evidenced by the Note and Security Instrument and the requirement by Lender of immediate payment in full thereunder is revoked upon the first payment made under the Agreement; and, the Note and Security Instrument, as amended by the Agreement, are returned to installment status and the obligations under the Note and Security Instrument remain fully effective as if no acceleration had occurred.

(f) Borrower further agrees to execute or cause to be executed by counsel, if applicable, a stipulation (to be filed with the court in the foreclosure action), that the Lender’s election to accelerate the debt evidenced by the Note and Security Instrument and requirement of immediate payment in full thereunder is revoked upon the first payment made under the Agreement and the debt evidenced by the Note and Security Instrument is deaccelerated at that time pursuant to New York General Obligations Law § 17-105, or other applicable law.

Fannie Mae encourages servicers to implement these changes immediately but requires that servicers do so for all modification agreements sent to the borrower for signature on and after July 1, 2024. Freddie Mac does not yet appear to have issued similar guidance.

Why Is It Important?

As we previously discussed in a prior blog post, FAPA reversed judicial precedent that permitted a lender, after default, to unilaterally undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. For more than a year following FAPA’s enactment, the mortgage industry has grappled with how to address certain of the risks created by FAPA, including whether certain language could be adopted and incorporated into servicers’ loss mitigation documents to mitigate FAPA risk.

Fannie Mae’s Announcement is significant because it represents the first piece of guidance from a federal agency or government-sponsored enterprise (i.e., Fannie Mae or Freddie Mac) that provides some clarity as to what language may be appropriate to mitigate certain of the risks engendered by the New York FAPA.

What Do I Need to Do?

Servicers of Fannie Mae-backed mortgage loans (secured by property in New York) should evaluate their loss mitigation processes and make appropriate updates to ensure compliance with the Announcement.  Servicers should also continue to monitor for additional guidance or caselaw as this issue remains in flux.

CFPB and FTC Amicus Brief Signals Stance on “Pay-to-Pay” Fees under FDCPA

By ,

What Happened?

On February 27, the Consumer Finance Protection Bureau (CFPB) and the Federal Trade Commission (FTC) filed an amicus brief in the 11th Circuit case Glover and Booze v. Ocwen Loan Servicing, LLC arguing that certain convenience fees charged by mortgage servicer debt collectors are prohibited by the Fair Debt Collection Practices Act (FDCPA).  This brief comes on the heels of an amicus brief Alston & Bird LLP filed on behalf of the Mortgage Bankers Association (MBA).  In its brief, the MBA urged the 11th Circuit to uphold the legality of the fees at issue.

While litigation surrounding convenience fees has spiked in recent years, there is no consensus on whether convenience fees violate the FDCPA.  Federal courts split on the issue, as there is little guidance at the circuit court level, and the issue before the 11th Circuit is one of first impression.  Consequently, the 11th Circuit’s ruling could significantly impact what fees a debt collector is permitted to charge, both within that circuit and nationwide.

Why is it Important?

Convenience fees or what the agencies refer to as “pay-to-pay” fees are the fees charged by servicers to borrowers for the use of expedited payment methods like paying online or over the phone.  Borrowers have free alternative payment methods available (e.g., mailing a check) but choose to pay for the convenience of a faster payment method.

Section 1692f(1) of the FDCPA provides that a “debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt,” including the “collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.”  The CFPB and FTC argues that Section 1692f(1)’s prohibition extends to the collection of pay-to-pay fees by debt collectors unless such fees are expressly authorized by the agreement creating the debt or affirmatively authorized by law.

First, the agencies contend that pay-to-pay fees fit squarely with the provision’s prohibition on collecting “any amount” in connection with a debt and that charging this fee constitutes a “collection” under the FDCPA.  Specifically, the agencies attempt to counter Ocwen’s argument that the fees in question are not “amounts” covered by Section 1692f(1) because the provision is limited to amounts “incidental to” the underlying debt. They argue that fees need not be “incidental to” the debt in order to fall within the scope of Section 1692f(1). In making this point, the agencies claim the term “including” as used is the provision’s parenthetical suggests that the list of examples is not an exhaustive list of all the “amounts” covered by the provision.  Further, the agencies attempt to counter Ocwen’s argument that a “collection” under the FDCPA refers only to the demand for payment of an amount owed (i.e., a debt). They argue that Ocwen’s understanding of “collects” is contrary to the plain meaning of the word; rather, the scope of Section 1692f(1) is much broader and encompasses collection of any amount , not just those which are owed.

Next, focusing on the FDCPA’s exception for fees “permitted by law,” the agencies contend that a fee is not permitted by law if it is authorized by a valid contract (that implicitly authorizes the fee as a matter of state common law). The agencies suggest if such fees could be authorized by any valid agreement, the first category of collectable fees defined by Section 1692(f)(1)—those “expressly authorized by the agreement creating the debt”—would be superfluous. Lastly, the Agencies argue neither the Electronic Funds Transfer Act nor the Truth in Lending Act – the two federal laws Ocwen relies on in its argument – affirmatively authorizes pay-to-pay fees.

What Do You Need to Do?

Stay tuned. The 11th Circuit has jurisdiction over federal cases originating in Alabama, Florida, and Georgia. Its ruling is likely to have a significant impact on whether debt collectors may charge convenience fees to borrowers in those states, and it could be cited as persuasive precedent in courts nationwide.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

By ,

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.

New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

By

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile.  Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate related financial and operational risks, and holding management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted from climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report its efforts to monitor climate related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations.  This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year.  It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

Mortgage Industry Update: Washington DFI Holds First Mortgage Industry Webinar of 2024

By

A&B Abstract:

On January 24th, the Washington Department of Financial Institutions (the “DFI”) conducted its first Mortgage Industry Webinar of 2024 and provided updates in the areas of licensing, examination, and enforcement. Highlights from the Webinar are briefly summarized below.

Licensing Update

The DFI provided the following snapshot of licensing activity as of December 31, 2023:

  • Company licenses increased since the prior year.
  • Branch licenses decreased due to authorized remote work by mortgage loan originators (“MLO”).
  • MLO licenses decreased compared to previous years.
  • 70 % of MLOs submitted renewals, representing an increase of 10% from the prior year.
  • 30% of reinstatement/late renewals submitted so far this month.
  • The DFI approved 230 company applications, 950 branch applications and approximately 3,300 individual applications.

Examination Update

The DFI also provided an overview of the following common violations found during examinations conducted of MLOs, mortgage brokers, residential mortgage loan servicers, and consumer loan licensees:

  • Failure to maintain records for 3 years.
  • Failure to date mortgage loan applications and/or complete required information.
  • Failure to maintain supervisory plans.
  • Failure to submit accurate mortgage call reports (“MCRs”) by certain mortgage brokers.
  • Failure to complete all required information on license applications.
  • Failure to report accurate information to the credit bureaus.
  • Failure to conspicuously disclose fees.
  • Failure to report mortgage loan payoffs by certain mortgage loan servicers.

Additionally, in response to an inquiry regarding the rating system used by the DFI in conducting examinations, the DFI explained that it uses a rating scale of 1 to 5, where 1 would be the best rating, and 5 would be the worst rating.

Enforcement Update

The DFI also provided an overview of complaints investigated by its Enforcement Unit during the last quarter of 2023 and identified certain common violations under Washington’s Mortgage Broker Practices Act (“MBPA”) and the Consumer Loan Act (“CLA”).

Specifically, the DFI indicated that it saw an increase in:

  • Instances where address locations of branches or companies were found to be changed and contact information changed without corresponding updates in the NMLS.
  • Complaints alleging unlicensed activity by loan modification companies.
  • Complaints alleging advertising violations, such as providing misleading information about interest rates by indicating that a loan is “interest free” without proper disclosure.

Further, with respect to unlicensed MLO activity, the DFI indicated that it examines the actual activity performed by the individual in question, and if the individual’s activity meets the definition of an MLO, then that individual has engaged in mortgage loan activity and must be licensed as an MLO.

Finally, the DFI indicated that its Enforcement Unit closed more than 950 complaints that resulted in (1) $80,000 in restitution granted to impacted consumers, (2) the postponement or halting of at least 10 or more foreclosures, and (3) the granting of several loan modifications.

Takeaway

Licensees under the MBPA or CLA are encouraged to review the issues identified by the DFI against their policies, procedures, and practices to ensure compliance with the requirements under the MBPA and/or CLA.