Alston & Bird Consumer Finance Blog

FHA and VA Announce New Loss Mitigation Options

What Happened?

Both the FHA and VA have established new loss mitigation options to provide payment reduction to delinquent borrowers.  On February 21, 2024, the Federal Housing Administration (“FHA”) within the U.S. Department of Housing and Urban Development (“HUD”) issued a new mortgagee letter (ML 2024-02) which, among other things, establishes the Payment Supplement loss mitigation option for all FHA-insured Title II Single-Family forward mortgage loans (the “Payment Supplement”) and also extends FHA’s COVID-19 Recovery Options through April 30, 2025. The provisions of ML 2024-02 may be implemented starting May 1, 2024 but must be implemented no later than January 1, 2025. The Payment Supplement will bring a borrower’s mortgage current and temporarily reduce their monthly mortgage payment without requiring a modification.

And, on April 10, 2024, the U.S. Department of Veterans Affairs (“VA”) announced the release of its much-anticipated Veterans Affairs Servicing Purchase (“VASP”) program, which is a new, last-resort tool in the VA’s suite of home retention options for eligible veterans, active-duty servicemembers, and surviving spouses with VA-guaranteed home loans who are experiencing severe financial hardship. The VASP program will take effect beginning on May 31, 2024.

Why Does it Matter?

FHA’s Payment Supplement

ML 2024-02 establishes the Payment Supplement as a new loss mitigation option to be added to FHA’s current loss mitigation waterfall. Specifically, if a servicer is unable to achieve the target payment reduction under FHA’s current COVID-19 Recovery Modification option, the mortgagee must review the borrower for the Payment Supplement. The Payment Supplement is a loss mitigation option that utilizes Partial Claim funds to bring a delinquent mortgage current and couples it with the subsequent provision of a Monthly Principal Reduction (“MoPR”) that is applied toward the borrower’s principal due each month for a period of 36 months to provide payment relief without having to permanently modify the borrower’s mortgage loan. The maximum MoPR is the lesser of a 25 percent principal and interest reduction for 36 months, or the principal portion of the monthly mortgage payment as of the date the Payment Supplement period begins.

The Payment Supplement will temporarily reduce an eligible borrower’s monthly mortgage payment for a period of three years, without requiring modification of the borrower’s mortgage loan. At the end of the three-year period, the borrower will be responsible for resuming payment of the full monthly principal and interest amount. A borrower is not eligible for a new Payment Supplement until 36 months after the date the borrower previously executed Payment Supplement documents.

To be eligible for the Payment Supplement, servicers must ensure that:

  • three or more full monthly payments are due and unpaid;
  • the mortgage is a fixed rate mortgage;
  • sufficient Partial Claim funds are available to bring the mortgage current and to fund the MoPR;
  • the borrower meets the requirements for loss mitigation during bankruptcy proceedings set forth in Section III.A.2.i.viii of FHA Single-Family Handbook 4000.1;
  • the principal portion of the borrower’s first monthly mortgage payment after the mortgage is brought current will be greater than or equal to a “Minimum MoPR” which must be equal to or greater than 5 percent of the principal and interest portion of the borrower’s monthly mortgage payment, and may not be less than $20.00 per month, as of the date the Payment Supplement period begins;
  • the MoPR does not exceed the lesser of a 25% principal and interest reduction for three years or the principal portion of the monthly mortgage payment as of the date the Payment Supplement period begins; and
  • the borrower indicates they have the ability to make their portion of the monthly mortgage payment after the MoPR is applied (servicers are not required to obtain income documentation from the borrower).

Servicers are responsible for making monthly disbursements of the MoPR from a Payment Supplement Account, which is a separate, non-interest bearing, insured custodial account that holds the balance of the funds paid by FHA for the purpose of implementing the Payment Supplement, and which must be segregated from funds associated with the FHA-insured mortgage, including escrow funds, and any funds held in accounts restricted by agreements with Ginnie Mae. Neither the servicer nor the borrower has any discretion in how the Payment Supplement funds are used or applied.

Borrowers will be required to execute a non-interest-bearing Note, Subordinate Mortgage, and a Payment Supplement Agreement, which is a rider to and is incorporated by reference into the Payment Supplement promissory Note, given in favor of HUD, to secure the Partial Claim funds utilized and the amount of the MoPR applied toward the borrower’s principal during the 36-month period. The Note and Subordinate Mortgage do not require repayment until maturity of the mortgage, sale or transfer of the property, payoff of the mortgage, or termination of FHA insurance on the mortgage.

After the Payment Supplement is finalized, servicers must send borrowers written disclosures annually and 60-90 days before the expiration of the Payment Supplement period. ML 2024-02 also sets forth servicers’ obligations if a borrower defaults during the Payment Supplement period.

Contemporaneous with the publication of ML 2024-02, HUD published the following model documents necessary to complete a Payment Supplement: (1) Payment Supplement Promissory Note and Security Instrument, (2) Payment Supplement Agreement Rider, (3) Annual Payment Supplement Disclosure, and (4) Final Payment Supplement Disclosure. However, servicers will need to ensure these model documents comply with applicable state law.

Given that the Payment Supplement only provides temporary relief, it is likely that borrowers will experience “payment shock” at the end of the Payment Supplement period. HUD has indicated that it is aware of this risk and intends to assess this issue on an ongoing basis as borrowers begin to reach the end of their Payment Supplement period to help inform future updates to FHA loss mitigation.

VA’s VASP Program

Effective May 31, 2024, VASP will be added as the final home retention option on the VA Home Retention Waterfall, where the VA may elect to purchase a loan from the servicer on an expedited basis after the servicer evaluates the loan and certain criteria are met. Unlike a traditional VA Purchase, a trial payment period may also be required before VA purchases the loan.

Importantly, a borrower cannot elect to use the VASP program. Rather, servicers must follow the VA’s home retention waterfall to determine the most appropriate home retention option. If the waterfall leads to VASP, then the servicer must determine if certain qualifying loan criteria are met, including:

  • the loan is between 3 and 60 months delinquent on the date the servicer submits to VALERI either the VASP TPP event or VASP with No TPP event;
  • the property is owner-occupied;
  • none of the obligors are in active bankruptcy at the time of the applicable VASP event;
  • the reason for default has been resolved and the borrower has indicated they can resume scheduled payments;
  • the loan is in first-lien position and is not otherwise encumbered by any liens or judgments that would jeopardize VA’s first-lien position;
  • the borrower has made at least six monthly payments on the loan since origination;
  • the borrower is the property’s current legal owner of record; and
  • the borrower and all other obligors agree to the terms of the VASP modification.

After determining that a loan qualifies for VASP, the servicer must determine the appropriate terms that may be offered to the borrower. Until further notice, all VASP loans will be modified at a fixed rate of 2.5% interest, with either a 360-month term or, if this does not realize at least a 20% reduction in the principal and interest payment, a 480-month term. Borrowers who cannot afford to resume monthly payments at the 480-month term are to be evaluated for and offered any appropriate alternatives to foreclosure. A three-payment trial payment plan will be required if (i) the loan is 24 months or more delinquent, or (ii) the principal and interest portion of the monthly payment is not reduced by at least 20%. Borrowers who fail three trial payment plans during a single default episode are no longer eligible for VASP.

Once VA has certified the VASP payment, servicers have 60 days to complete a standard transfer to VA’s contractor, after which the servicer must report the transfer event in VALERI.

Importantly, servicers that fail to properly evaluate the loan in accordance with VA’s requirements may be subject to enforcement action and/or refusal by VA to either temporarily or permanently guarantee or insure any loans made by such servicer and may bar such servicer from servicing or acquiring guaranteed loans. The risk of enforcement is exacerbated by the VASP program’s technical requirements, which may cause operational challenges for servicers.

What Do I Need to Do?

FHA’s Payment Supplement and VA’s VASP programs both have relatively short implementation timelines but will likely require substantial effort to operationalize given their technical requirements.  Therefore, servicers of FHA-insured and/or VA-guaranteed mortgage loans should begin reviewing the requirements of both programs now, as applicable, and ensure that they make any necessary updates to policies, procedures, systems, training, and other controls to ensure compliance with these programs once they take effect. Alston & Bird’s Consumer Financial Services team is well-versed in these programs and is happy to assist with such a review.

Don’t Miss the Small Stuff Lenders: New Mexico Issues Regulatory Guidance for Completing the “Freedom to Choose” Insurance Company Form

A&B Abstract:

Under New Mexico’s Insurance Code, it has been a long-standing requirement that lenders may not condition a loan of money on the procurement of insurance from any particular insurer, agent, solicitor, or broker.  The lender is required to inform the buyer of their rights “regarding the placement of insurance on a form prescribed by the superintendent” and the borrower must “signify that he has been so informed.”  The form of the required “Freedom to Choose” is provided by regulation to the Insurance Code as follows:

FREEDOM TO CHOOSE INSURANCE COMPANY AND INSURANCE PROFESSIONAL

The undersigned person hereby acknowledges that I have been informed by (individual’s name) on behalf of (name of lender) that, although I may be required by the seller or lender to purchase insurance to cover the property that is being used as security for the loan, I may purchase that insurance from the insurance company or agent of my choice, and cannot be required by the seller or lender, as a condition of the sale or loan, to purchase or renew any policy of insurance covering the property through any particular insurance company, agent, solicitor, or broker. I hereby acknowledge receipt of a true copy of this notice on the _____day of_____________, _____.

__________________________________

(Signature of Purchaser or Borrower)

The New Mexico Financial Institutions Division (FID) issued regulatory guidance (the “Guidance”) this month as some lenders have not been completing the form correctly. The Guidance clarifies that the “Freedom to Choose” notice requires the name of the individual providing the notice, and the FID finds the practice of providing only the company name in the blank reserved for the individual’s name to be a violation of the Insurance Code.

Takeaway:

Lenders take note as this is an easy violation to avoid.  To that end, now is a good time to review your New Mexico policies, procedures and QC reviews to ensure compliance with this requirement.  Please don’t hesitate to reach out with any questions on when the form is required and how to ensure it is completed correctly.  While the FID’s Guidance does not speak to penalties, it is worth noting that the Superintendent of the New Mexico Regulation and Licensing Department has authority to impose monetary penalties for violations of this provision, including a fine not to exceed $500 per violation. The statute also authorizes administrative penalties and civil actions.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation

On November 1, 2023, the New York Department of Financial Services (NYDFS) published the finalized Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500), which includes a number of significant and, for many covered entities, onerous changes to its original regulation. The finalized Second Amendment is much like the June 2023 proposed draft (which made certain revisions to the November 2022 draft). Covered entities should take note of these now-final changes that will require covered entities to review and revamp major components of their cybersecurity programs, policies, procedures, and controls to ensure they are in compliance. This is particularly important as the NYDFS continues to take on an active enforcement role following cyber events, marking itself as a leading cyber regulator in the United States.

Covered entities must notify the NYDFS of certain cybersecurity incidents, including providing notice within: (1) 72 hours after determining a cybersecurity event resulting in the “deployment of ransomware within a material part of the covered entity’s information system” occurred; and (2) 24 hours of making an extortion payment in connection with a cybersecurity event.

Covered entities must implement additional cybersecurity controls, including expanding their use of multifactor authentication and maintaining a comprehensive asset inventory. Covered entities are also required to maintain additional (or more prescriptive) cybersecurity policies and procedures, including ensuring that their incident response plans address specific delineated issues (outlined in the Second Amendment) and maintaining business continuity and disaster recovery plan requirements (both of which must be tested annually).

The most senior levels of the covered entity (senior governing body) must have sufficient knowledge to oversee the cybersecurity program. Additionally, the highest-ranking executive and the CISO are required to sign the covered entity’s annual certification of material compliance.

A material failure (which could be a single act) to comply with any portion of the Cybersecurity Regulation for a 24-hour period is considered a violation.

The Second Amendment became effective on November 1, 2023, and covered entities generally have 180 days to come into compliance with the new requirements. There are certain requirements, however, that will be phased in over the next two years. We have outlined the material changes and the effective dates below.

NYDFS Finalizes Second Amendment to Its Cybersecurity Regulation Chart

The NYDFS is providing a number of resources for covered entities, including a helpful visual overview of the implementation timeline for covered entities, Class A companies, and small businesses (NYDFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d)). The NYDFS is also hosting a series of webinars to provide an overview of the Second Amendment; individuals can register for the webinars on the NYDFS’s website.

FTC Approves New Data Breach Notification Requirement for Non-Banking Financial Institutions

On October 27, 2023, the FTC approved an amendment to the Safeguards Rule (the “Amendment”) requiring that non-banking financial institutions notify the FTC in the event of a defined “Notification Event” where customer information of 500 or more individuals was subject to unauthorized acquisition.  The Amendment becomes effective 180 days after publication in the Federal Register.  Importantly, the amendment requires notification only to the Commission – which will post the information publicly – and not to the potentially impacted individuals.

Financial institutions subject to the Safeguards Rule are those not otherwise subject to enforcement by another financial regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805 (“GLBA”). Financial institutions subject to the Safeguards Rule within the FTC’s jurisdiction include mortgage brokers, “payday” lenders, auto dealers, non-bank lenders, credit counselors and other financial advisors and collection agencies, among others. The FTC made clear that one primary reason for adopting these new breach notification requirements is so the FTC could monitor emerging data security threats affecting non-banking financial institutions and facilitate prompt investigations following major security breaches – yet another clear indication the FTC intends to continue focusing on cybersecurity and breach notification procedures.

Notification to the FTC

Under the Amendment, notification to the FTC is required upon a “Notification Event,” which is defined as the acquisition of unencrypted customer information without authorization that involves at least 500 consumers. As a new twist, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has evidence that the unauthorized party only accessed, but did not acquire the information.  The presumption of unauthorized acquisition based on unauthorized access is consistent with the FTC’s Health Breach Notification Rule and HIPAA, but not state data breach notification laws or the GLBA’s Interagency Guidelines Establishing Information Security Standards (“Interagency Guidelines”).

As mentioned above, individual notification requirements for non-banking financial institutions will continue to be governed by state data breach notification statutes and are not otherwise included in the Amendment. The inclusion of a federal regulatory notification requirement and not an individual notification requirement in the Amendment is a key departure from other federal financial regulators, as articulated in the Interagency Guidelines, which apply to banking financial institutions, and the SEC’s proposed rules that would require individual and regulatory reporting by registered investment advisers and broker-dealers.

Expansive Definition of Triggering Customer Information

Again departing from pre-existing notification triggers of “sensitive customer information” in the Interagency Guidelines or “personal information” under state data breach reporting laws, the FTC’s rule requires notification to the Commission if “customer information” is subject to unauthorized acquisition. “Customer information” is defined as “non-public personal information,” (see 16 C.F.R. 314.2(d)) which is further defined to be “personally identifiable financial information” (see 16 C.F.R. 314.2(n)).

Under the FTC’s rule, “personally identifiable financial information” is broadly defined to be (i) information provided by a consumer to obtain a service or product from the reporting entity; (ii) information obtained about a consumer resulting from any transaction involving a financial product or service from the non-banking financial institution; or (iii) information the non-banking financial institution obtains about a consumer in connection with providing a financial product or service to the consumer. Unlike the Interagency Guidelines, which define “sensitive customer information” as a specific subset of data elements (“customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account”) (see 12 CFR Appendix F to Part 225 (III)(A)(1)), the FTC’s definition of “personally identifiable financial information” is much broader.

For example, “personally identifiable financial information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the fact that an individual has been one of your customers, and any information collected through a cookie. As a result of this broad definition, notification obligations may be triggered for a wider variety of data events, as compared to data breach notifications for banking financial institutions under the Interagency Guidelines or state data breach notification laws. As a result, non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements under the Amendment, as distinct from state law notification requirements.

No Risk of Harm Provision

Although the FTC considered whether to include a “risk of harm” standard for notifying the Commission, it ultimately decided against including one to avoid any ambiguity or the potential for non-banking financial institutions to underestimate the likelihood of misuse. However, numerous state data breach reporting statutes contain risk of harm provisions that excuse notice to individuals and/or state regulators where the unauthorized acquisition and/or access of personal information is unlikely to cause substantial harm (such as fraud or identity theft) to the individual. This divergence between FTC notifications and state law has set the stage for the possibility that a reporting non-banking financial institution could be required to report to the FTC, but not to potentially affected individuals and/or state attorneys general pursuant to state law.

Timing and Content for Notice to FTC

Non-banking financial institutions must notify the Commission as soon as possible, and no later than 30 days after discovery of the Notification Event. Discovery of the event is deemed to be the “first day on which such event is known…to any person other than the person committing the breach, who is [the reporting entity’s] employee, officer, or other agent.” The FTC’s timeline is similar to the timeline dictated for notifying state Attorneys General under most state data breach notification laws (either explicitly or implicitly), but is a key difference from the Interagency Guidelines, which require notification to the bank’s primary federal regulator as soon as possible.

The notification must be submitted electronically on a form located on the FTC’s website (https://www.ftc.gov), and include the following information, which will be available to the public: (i) the name and contact information of the reporting financial institution; (ii) a description of the types of information involved in the Notification Event; (iii) the date or date range of the Notification Event (if available); (iv) the number of consumers affected or potentially affected; (v) a general description of the Notification Event; and (vi) whether a law enforcement official (including the official’s contact information) has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security. Making this type of information regarding a data security incident available to the public is not part of any current U.S. regulatory notification structure.

Law Enforcement Delays Public Disclosure by FTC, Not FTC Reporting

A law enforcement delay may preclude public posting of the Notification Event by the FTC for up to 30 days but does not excuse timely notification to the FTC.  A law enforcement official may seek another 60 days’ extension, which the Commission may grant if it determines that public disclosure of the Notification Event “continues to impede a criminal investigation or cause damage to national security.”

As Economic Winds Blow, So Do Whistleblowers: How to Protect Your Company Through Turbulent Times

A&B Abstract:

As recently reported by the Financial Times, banks are preparing for the “deepest job cuts since the financial crisis,” with firings to be “super brutal.” Already, nonbank lenders and service providers have been suffering with several rounds of layoffs and, potentially, more to come. Former employees, particularly disgruntled ones, may have information they want to share with the government.  An Insider article highlighted that remote work has resulted in a surge of whistleblower complaints.  If true, even current employees, including those whose complaints or grievances fall on deaf ears, also could be potential whistleblowers.

Alston & Bird Partners Nanci Weissgold, Joey Burby, and Cara Peterman (ably assisted by, and a special thanks to, Charlotte Bohn, Andrew Brown, and Melissa Malpass) addressed today’s challenging economic conditions, and how companies can protect themselves during an expected surge in whistleblowing by disgruntled current and former employees. The webinar slides address:

  • What you need to know about government whistleblower reward programs and laws with whistleblower incentives and protections, including the False Claims Act, FIRREA, and the SEC’s Whistleblower program.
  • Recent trends, developments, major settlements, and awards in whistleblower-related settlements and litigation.
  • Best practices for companies when responding to, de-escalating, and defending against whistleblower complaints.

Best Practices for Responding to Whistleblower Complaints

#1: Keep complaints internal. It is critical to have procedures in place for employees (as well as contractors and other agents) to report compliance concerns internally.

  • Establish a compliance hotline or other means of anonymous
  • Have an anti-retaliation policy to protect employees who make a report.
  • Promote these policies and procedures, and train employees on them.

This is a required element of an effective compliance program under DOJ and SEC guidance, and factors into their charging decisions; it is also considered under the U.S. Sentencing Guidelines in determining corporate penalties.

Additionally, internal complaints allow companies to investigate and remediate (if necessary) and to consider whether/how to self-disclose. The 2023 revisions to DOJ’s Corporate Enforcement Policy strongly encourage self-disclosure, offering significant incentives to companies who do.

#2: Maintain a strong Compliance Management System (CMS). A strong CMS is one that establishes compliance responsibilities, communicates those responsibilities to employees, ensures the responsibilities are carried out and met, takes corrective action, and updates tools, systems, and processes as needed.

Scaled to the size of the company’s operations, a CMS requires:

  • A strong board of directors and management oversight – “tone at the top.”
  • Comprehensive written policies and procedures to demonstrate an understanding of all applicable laws and regulations.
  • Training on all applicable laws to ensure that employees can perform their functions.
  • Monitoring and testing based on an assessment of risk carried out through three lines of defense:
    (1) functions that own and manage risk; (2) functions that oversee risk; and (3) functions that provide independent assurance.
  • Timely corrective action that remediates past issues and prevents reoccurrence prospectively.
  • Consumer complaint response, root cause analysis, and enterprise-wide action.

#3:  Time is of the essence. Whether you learn of a whistleblower complaint internally, or via contact from a government agency, you should initiate an internal investigation into the subject matter of the complaint immediately. DOJ takes the immediacy of self-disclosure into account in determining whether to file charges. If there is ongoing problematic conduct, you want to stop it and cut off potential liability.

  • What the investigation will involve, and how it will be conducted, will vary depending on the seriousness of the complaint and how credible it appears.
  • Inside or outside counsel should generally conduct the investigation to ensure communications and work product are protected by the attorney-client privilege.
  • Some basic steps are common to almost every internal investigation:
    • Ensure that all potentially relevant documents (including emails and IMs) are preserved.
    • Collect and review relevant documents.
    • Interview involved employees (using an Upjohn warning).

Takeaway

Given that a surge in whistleblower complaints is likely, financial institutions should ensure that they are adequately prepared to address them.