Alston & Bird Consumer Finance Blog

Mortgage Loans

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.

Consumer Finance State Roundup

With the beginning of the 2024 legislative session, we return to the Consumer Finance State Roundup, which is intended to provide a brief overview of recently enacted legislation of potential interest.

To date in January, one state has enacted a legislative measure of potential interest to Consumer Finance ABstract readers: New Jersey Assembly Bill 5664 (2023 N. J. Laws 255).  Effective immediately upon approval by Governor Phil Murphy on January 12, the measure amends the state’s Fair Foreclosure Act (“Act”) to address requirements relating to sheriff’s sales, and establishes the Community Wealth Preservation Program (“Program”).

Sheriff’s Sales:

The measure substantially amends Section 2A:50-64 of the Act, which sets forth requirements for sheriff’s sales (including obligations of the plaintiff in a foreclosure action). First, prior to the sale, the measure the foreclosing plaintiff to disclose (if known) whether the property is vacant, tenant-occupied, or owner-occupied.  Second, the measure prohibits the plaintiff (or that party’s agent) from contacting the defendant, their next of kin, or a community development corporation prior to providing the sheriff’s office with the reserve (or “upset”) price to inquire whether that party will participate in the sheriff’s sale or exercise other rights under New Jersey law.

Property Maintenance:

Beyond the requirements for sheriff’s sales, the measure amends the Act to address conditions related to foreclosure proceedings and property maintenance requirements.  After institution of a foreclosure proceeding pursuant to the Act, current law permits a creditor to engage an agent to be responsible for the care, maintenance, security, and upkeep of a vacant and abandoned property.  The measure clarifies that neither the creditor nor the agent will be liable for damage caused by entry into the property, provided that such entry is peaceful and conducted with reasonable care.


According to the measure’s definition, the legislature created the Program “to assist prospective owner-occupants, nonprofit community development corporations, foreclosed upon defendants, next of kin of foreclosed upon defendants, and tenants of foreclosed upon defendants in purchasing and financing foreclosed upon residential properties in sheriff’s sales.”  In a sheriff’s sale, an eligible party must provide an initial 3.5 percent deposit, and then has 90 days to pay the balance (or may provide proof of pre-approval to finance the remainder of the purchase amount). Such purchaser must maintain eligibility (to include that, in the case of an individual bidder, the party will occupy the purchased property as a principal residence for a period of at least 84 months after taking possession).  The sheriff’s office must maintain and publicly display (i.e., on its website) information regarding the Program written in plain language to explain financing for the purchase of foreclosure sales.


Finally, the measure amends Section 22A:4-8 of the New Jersey Statutes, which relates to the fees that a sheriff may charge for execution of a sheriff’s sale.  For sales by virtue of an execution conducted in accordance with the Act’s provisions, the amended section authorizes the sheriff to charge: (a) 6 percent; or (b) if a sale reverts to the foreclosing plaintiff, $150.

New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile.  Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate related financial and operational risks, and holding management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted from climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report its efforts to monitor climate related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations.  This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year.  It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

Mortgage Industry Update: Washington DFI Holds First Mortgage Industry Webinar of 2024

A&B Abstract:

On January 24th, the Washington Department of Financial Institutions (the “DFI”) conducted its first Mortgage Industry Webinar of 2024 and provided updates in the areas of licensing, examination, and enforcement. Highlights from the Webinar are briefly summarized below.

Licensing Update

The DFI provided the following snapshot of licensing activity as of December 31, 2023:

  • Company licenses increased since the prior year.
  • Branch licenses decreased due to authorized remote work by mortgage loan originators (“MLO”).
  • MLO licenses decreased compared to previous years.
  • 70 % of MLOs submitted renewals, representing an increase of 10% from the prior year.
  • 30% of reinstatement/late renewals submitted so far this month.
  • The DFI approved 230 company applications, 950 branch applications and approximately 3,300 individual applications.

Examination Update

The DFI also provided an overview of the following common violations found during examinations conducted of MLOs, mortgage brokers, residential mortgage loan servicers, and consumer loan licensees:

  • Failure to maintain records for 3 years.
  • Failure to date mortgage loan applications and/or complete required information.
  • Failure to maintain supervisory plans.
  • Failure to submit accurate mortgage call reports (“MCRs”) by certain mortgage brokers.
  • Failure to complete all required information on license applications.
  • Failure to report accurate information to the credit bureaus.
  • Failure to conspicuously disclose fees.
  • Failure to report mortgage loan payoffs by certain mortgage loan servicers.

Additionally, in response to an inquiry regarding the rating system used by the DFI in conducting examinations, the DFI explained that it uses a rating scale of 1 to 5, where 1 would be the best rating, and 5 would be the worst rating.

Enforcement Update

The DFI also provided an overview of complaints investigated by its Enforcement Unit during the last quarter of 2023 and identified certain common violations under Washington’s Mortgage Broker Practices Act (“MBPA”) and the Consumer Loan Act (“CLA”).

Specifically, the DFI indicated that it saw an increase in:

  • Instances where address locations of branches or companies were found to be changed and contact information changed without corresponding updates in the NMLS.
  • Complaints alleging unlicensed activity by loan modification companies.
  • Complaints alleging advertising violations, such as providing misleading information about interest rates by indicating that a loan is “interest free” without proper disclosure.

Further, with respect to unlicensed MLO activity, the DFI indicated that it examines the actual activity performed by the individual in question, and if the individual’s activity meets the definition of an MLO, then that individual has engaged in mortgage loan activity and must be licensed as an MLO.

Finally, the DFI indicated that its Enforcement Unit closed more than 950 complaints that resulted in (1) $80,000 in restitution granted to impacted consumers, (2) the postponement or halting of at least 10 or more foreclosures, and (3) the granting of several loan modifications.


Licensees under the MBPA or CLA are encouraged to review the issues identified by the DFI against their policies, procedures, and practices to ensure compliance with the requirements under the MBPA and/or CLA.

Mortgage Servicers: VA Issues Guidance Regarding Noncompliance in Processing VA Assumptions

A&B Abstract:

On December 20, 2023, the Department of Veterans Affairs (VA) issued Circular 26-23-27 (the “Circular”) to remind holders and servicers of VA-guaranteed loans about their obligation to process assumptions and how the VA will address non-compliance with its assumption requirements. The Circular became effective immediately upon issuance.

The Circular

Holders and servicers of VA-guaranteed loans are responsible for ensuring compliance with VA’s requirements, including those regarding the processing of loan assumptions. Indeed, in May 2023, the VA issued guidance clarifying its assumption procedures and emphasizing that assumptions are a fundamental feature of a VA-guaranteed loan and are to be processed in accordance with VA requirements. Notably, failure to comply with the VA’s requirements constitutes a defense against the VA’s obligation to pay a guaranty claim on the affected loan(s).

In the Circular, the VA notes that “certain holders have questioned whether they are required to process an assumption that meets VA’s requirements and can instead deny approval due to holder-imposed criteria (overlays) or other reasons. Examples include, but are not limited to, cases where:

  • a holder refuses to accept an assumption package;
  • a servicer with automatic authority accepts an assumption package but does not make a decision within 45 days;
  • a holder without automatic authority accepts an assumption package but does not forward to VA within 35 days;
  • a holder denies an assumptor’s application due to a holder overlay; and
  • a holder denies an assumptor’s application, VA approves the assumption on appeal, and the holder refuses to complete the assumption due to a holder overlay or other reason.”

The Circular warns holders and servicers that willful refusal to process an assumption package in accordance with VA statutes and associated regulations negatively affects Veterans’ ability to use their earned VA-guaranteed home loan benefits, including selling their home through an assumption, and that such a willful failure to comply constitutes a defense against VA’s liability on the guaranty.

VA Procedures for Noncompliance

The Circular sets forth the following procedures that the VA will follow to address noncompliance with its loan assumption requirements. If VA determines that a holder failed to process an assumption package in accordance with VA requirements, the VA will notify the holder of the failure to comply and direct the holder to timely remediate the failure. If, after 7 calendar days, VA is not satisfied that the holder is taking appropriate steps to process the assumption, or VA determines at any time that the servicer’s inaction may result in irreparable harm to the Veteran, the VA will take the following steps:

  • Insert a notation in the loan file that VA has asserted a defense against liability and will not pay any guaranty claim for the loan.
  • Notify the Government National Mortgage Association (“Ginnie Mae”) that VA has asserted a defense against liability and, as such, the guaranty payable on the loan has been effectively reduced to $0. Note that reducing the guaranty payable on the loan to $0 may render the loan defective and subject to cure, substitution, and/or buyout under Ginnie Mae guidelines.
  • If, after taking the steps described above, VA receives sufficient notice and evidence that the servicer completed the assumption, VA will remove the notation in the loan file and notify Ginnie Mae that VA has readjusted the guaranty payable on the loan back to the original amount.

Repeated Noncompliance

In addition, the Circular notes that repeated failure to process assumptions for VA-guaranteed loans may subject holders to additional measures such as:

  • additional examination and audit;
  • referral to VA’s Office of Inspector General for further investigation;
  • various penalties associated with false claims, program fraud civil liability, and other legal or administrative sanctions;
  • action pursuant to 38 U.S.C. § 3704(d), including VA’s refusal either temporarily or permanently to guarantee any loans made by such holder or barring such holder from servicing or acquiring guaranteed loans; and
  • notification to the public that VA has found the holder responsible for repeated, willful noncompliance with VA’s statutes and regulations.


Given that the VA is telegraphing its focus on ensuring compliance with the VA’s loan assumption requirements, now is a good time for holders and servicers to ensure that their compliance management systems are robust enough to ensure compliance with the VA’s loan assumption requirements.