Alston & Bird Consumer Finance Blog

State Law

Highlights of Washington Department of Financial Institutions’ Recent Mortgage Industry Webinar

A&B ABstract: In a webinar earlier this month, the Washington Department of Financial Institutions provided updates on licensing, rulemaking, and recent examination findings.

On June 2, the Washington Department of Financial Institutions (“DFI”) held a webinar covering mortgage industry updates in the state.  Among the topics discussed were:

Licensing Updates

Between May 2020 and May 2021, the DFI has seen a substantial increase in licensing activities involving issuances and renewals for both mortgage loan originators and companies, including MLO temporary authority to operate.

Rulemaking Updates

On June 15, the DFI will hold an industry stakeholders meeting to consider amending the rules under the Consumer Loan Act (“CLA,” WAC 208-620) and the Mortgage Broker Practices Act (“MBPA,” WAC 620-660) to allow MLOs to work from home without licensing the residence as a branch office.  The proposed rules will implement enacted Senate Bill 5077 (2021 Wash. Sess. Laws 15), which takes effect on July 25.

Examination Updates

During the first quarter of 2021, the DFI conducted examinations for the review period of October 2020 through April 2021.  Commonly identified violations included:

For mortgage loan servicing:
  • Failure to file accurate annual assessments;
  • Failure to suppress adverse credit reporting for CARES Act forbearances, most often during the initial months of forbearance;
  • Failure to maintain records (typically involving subservicers);
  • Inaccurate adjustable rate change information (i.e., incorrect margin or index); and
  • Inaccurate consolidated annual reports.
For mortgage loan origination, under the CLA:
  • Failure to update surety bond amounts as required by WAC 208-620-320;
  • Failure to date residential mortgage loan applications (initial and revised) as required by WAC 208-620-550(18);
  • Failure to have day-to-day operations managers licensed as an MLO; and
  • Failure to have a written supervisory plan in place.
For mortgage loan origination, under the MBPA:
  • With respect to quarterly mortgage condition reports (“MCRs”), failure to timely file and/or failure to file accurate MCRs;
  • Failure to develop and implement an adequate Anti-Money Laundering program;
  • Failure to provide updated lock-in agreements when lock terms change;
  • Failure to include a link to the company’s NMLS consumer access website on all internet advertisements; and
  • Advertising violations, namely using disallowed phrases (such as “best” or “lowest” when describing rates, fees, and programs) or advertising “no closing costs” or that something is “free”.

Takeaways

The webinar suggests that the pandemic has created both a surge in license applications and renewals, as well as increases in the volume of mortgage loans, for Washington licensees.

The examination findings serve as a reminder to Washington State licensees to be mindful of their own compliance management and quality control processes, in order to ensure that they are conducting business activities in compliance with all statutes and regulations (to include the CLA and MBPA).

NYDFS Reports Major Cybersecurity Settlement

In early March, the New York Department of Financial Services (NYDFS) announced a settlement involving a $1.5M penalty and mandatory remediation in response to a mortgage lender’s alleged failure to report a cyber breach, and other alleged cybersecurity failures. This enforcement action marks the second public enforcement action under 23 NYCRR Part 500 (the “Cybersecurity Regulation”) (see our post on the prior action here).

It is noteworthy that the settlement follows a routine safety and soundness exam by the regulator which included a review of security issues under the Cybersecurity Regulation.  This settlement provides an example of both the alleged failure to have reported a security incident and the potential that any such failure will later be detected by the NYDFS in routine examinations.

The consent order noted two major cybersecurity failings on the part of the licensee, Residential Mortgage Services, Inc. (“Residential Mortgage”), according to the NYDFS:

  • Failure to Adequately Investigate and Respond to a Cybersecurity Event. The consent order recounts a successful phishing attack that resulted in a “cyber intruder” accessing an employee’s email account. Residential Mortgage’s IT staff determined that improper access had occurred and quickly took steps to prevent further unauthorized access. However, the consent order faults Residential Mortgage for failing to conduct any further investigation to determine (1) whether the compromised inbox “contained private consumer data,” (2) “which consumers were impacted,” and then (3) “apply the applicable state notice requirements triggered by the breach.” The consent order notes that, following the NYDFS’s examination and investigation of the Cybersecurity Event, Residential Mortgage did determine that it was obligated to notify individuals under various state laws based on a review of all data elements “that could have been accessed” during the intrusion. According to the consent order, Residential Mortgage subsequently made notifications to individuals as required by those laws.
  • Lack of “Comprehensive Cybersecurity Risk Assessment.” The consent order states that Residential Mortgage “was missing a comprehensive cybersecurity risk assessment.” Such risk assessments are required under the Cybersecurity Regulation to periodically evaluate vulnerabilities and inform operation of the cybersecurity program.

In addition to assessing a $1.5M civil penalty, the settlement provisions require Residential Mortgage to make the following submissions to the NYDFS within 90 days:

  • “a comprehensive written Cybersecurity Incident Response Plan;”
  • a comprehensive risk assessment;
  • “Policies, procedures and controls” relating to monitoring user activity and detecting unauthorized access or use of personal or confidential information; and
  • “Cybersecurity awareness training for all personnel, updated to reflect risks identified by Residential Mortgage in its Cybersecurity Risk Assessment.”

Residential Mortgage also agreed to “fully cooperate” with the NYDFS “regarding all terms of this Consent Order,” and the NYDFS reserved all rights to take further action in the event of noncompliance. The consent order notes Residential Mortgage’s “commendable cooperation” with the investigation and remediation efforts, including “devoting significant financial and other resources to enhance its cybersecurity program.”

New Virginia Privacy Law Promises Big Impacts

Virginia became the second state after California to pass a comprehensive privacy law when the governor signed the Consumer Data Protection Act, which contains many elements found in the California Consumer Privacy Act and other proposed privacy frameworks, as well as a number of new requirements for businesses.

In a client advisory, our Privacy, Cyber & Data Strategy Team pinpoints critical steps companies should take to ensure compliance.

  • How is it different from California’s CCPA and the EU’s GDPR?
  • What is its scope and how will it be enforced?
  • How extensive are consumers’ opt-out and other rights?

New York State Revises Restrictive HECM Foreclosure Law

A&B ABstract

On December 15, 2020, New York State enacted legislation amending the New York Real Property Law that would have placed various restrictions and requirements on the servicing of Home Equity Conversion Mortgages secured by New York properties effective as of April 14, 2021 (the “Foreclosure Law”).  The new law would significantly hinder a servicer’s ability to foreclose on a defaulted HECM, and could conflict with existing default procedures promulgated by the Department of Housing and Urban Development (“HUD”) relating to the foreclosure of HECMs.

On January 6, 2021, legislation was introduced in the New York State Senate to eliminate certain of these burdensome provisions (the “Revised Law”).  Both the Senate and the New York State General Assembly have approved this measure, and it currently awaits Governor Cuomo’s signature.

The Foreclosure Law as Enacted

As enacted, the Foreclosure Law would impose a series of requirements on foreclosures comments on or after April 14, 2021.

First, the law would, among other things, upon the commencement of a foreclosure proceeding of a HECM secured by real property in New York State, require transmission to the New York Department of Financial Services (“NYDFS”) of

  • proof that HUD has granted prior approval to accelerate the loan,
  • proof of the default leading to the foreclosure action and notice to the mortgagor, and
  • any other information required by the NYDFS.

Second, the Foreclosure Law would require mortgagees to engage in mandatory loss mitigation activities to be specified in regulations promulgated by the NYDFS before commencing a foreclosure action.

Third, the Foreclosure Law would prohibit the making of advance payments for any obligation arising from the related Mortgaged Property and provide that payments by the Servicer for insurance premiums and taxes may only be made when they are in arrears.

The Revised Foreclosure Law

The Revised Law would eliminate many of these burdensome provisions.  Specifically, the Revised Law would:

  • require lenders to send a notice to consumers that will be promulgated by the NYDFS relating to the borrower’s rights in foreclosure,
  • authorize the NYDFS to regulate the notice of such rights,
  • require lenders to send the NYDFS proof that they received permission from HUD to foreclose on a reverse mortgage,
  • require lenders to maintain policies on loss mitigation to ensure compliance with all applicable law, and
  • require lenders to maintain certain loss mitigation and foreclosure records.

If signed by Governor Cuomo, the Revised Law would take effect 120 days after enactment.

Significant Penalties for Failure to Comply

Under both the Foreclosure Law and the Revised Law, consumers “injured” by a violation of the law are entitled to recover treble damages in a private right of action.  Further, adherence to the requirements of the law is a condition precedent to filing the foreclosure in New York State, and failure to comply with these provisions constitutes a complete defense to such foreclosure.

Takeaway

Even as amended, the legislation is cumbersome and creates additional hurdles for servicers foreclosing on delinquent HECMs in New York State.  Arguably, the existing HUD HECM pre-foreclosure procedures provide ample consumer protection.  Nevertheless, with many consumers struggling financially during the COVID pandemic, New York State seeks to provide additional consumer protections to elderly New Yorkers who have HECMs.

Virginia Ready to Pass First State Privacy Statute after CCPA

Both houses of Virginia’s legislature recently passed the Virginia Consumer Data Protection Act (S.B. 1392H.B. 2307) (VCDPA). If approved by the state governor, the VCDPA would become the United States’ second comprehensive state privacy law behind the California Consumer Privacy Act (CCPA).  For a comparison of the VCDPA to the CCPA and the European Union’s General Data Protection Regulation, see the Alston & Bird Privacy, Cyber and Data Strategy Blog.