Alston & Bird Consumer Finance Blog


Fannie Mae and Freddie Mac Sunset the QM Patch

The qualified mortgage (QM) rules have become a world of contradictions. In a client advisory, our Financial Services & Products Group investigates how the residential mortgage markets can thread the needle between new rulings from Fannie Mae and Freddie Mac and recent rulings from the Consumer Financial Protection Bureau.

An Open Letter from Richard Hays, Chairman and Managing Partner, Alston & Bird

As Alston & Bird is pausing today for a “Day of Learning and Reflection” in observation of Juneteenth, Chairman and Managing Partner Richard Hays posted an open letter regarding recent events, and how Alston & Bird can spur lasting and meaningful change in both the firm and the communities we serve:

“As a firm with its roots in Atlanta, the cradle of the civil rights movement, we have a long history of involvement in the advancement of civil and human rights and liberties for all. We especially have a focus on supporting and promoting justice, equality, and inclusion. We are committed to do more, to be leaders through action and endurance, and to act by example, not rhetoric.”


Attorneys General Urge FHFA and HUD to Take Additional Measures to Protect Borrowers Affected by COVID-19

A&B Abstract:

On April 23, 2020, the attorneys general of 33 states, the District of Columbia and Puerto Rico (the “Attorneys General”) sent two letters, one to the Federal Housing Finance Agency (“FHFA”) and the other to the U.S. Department of Housing and Urban Development (“HUD” and collectively with FHFA, the “Agencies”), respectively, noting that the “national response must recognize the unique challenges presented by the unprecedented number of homeowners who are affected by COVID-19, including the fact that all of these homeowners need relief at the same time..[and that] [m]eeting this challenge will require straightforward and consistent guidance that can be quickly operationalized.”  As a result, the Attorneys General urged the Agencies to make changes to their respective guidelines addressing COVID-19-related mortgage and foreclosure relief.

Revision of Forbearance Programs

The Attorneys General acknowledged that forbearance plans are a critical first response to borrowers affected by the COVID-19 pandemic.  However, the Attorneys General expressed concern that both the mortgage servicing industry and homeowners will become overwhelmed if changes are not made.   The Attorneys General recommended or encouraged that:

  • the Agencies “issue simple, self-executing guidance that servicers can easily implement to meet demand while providing an immediate, responsive resolution to borrowers.” The Attorneys General specifically expressed concern about HUD guidelines requiring an individualized evaluation for every borrower who receives a CARES Act forbearance, as well as guidelines issued by both of the Agencies requiring an individualized evaluation for borrowers coming out of forbearance, due to “grave doubts about servicers’ abilities to effectively manage the unprecedented number of borrowers who will be emerging from forbearance plans related to COVID-19 if individualized evaluations are required for each borrower.”
  • the Agencies amend their forbearance programs so that the obligation to repay forborne payments is automatically placed at the end of the loan term in the form of additional monthly payments that will follow the current term of the loan.  The Attorneys General noted that “there can be no reasonable expectation that a borrower who has experience a loss of employment or a reduction in income will be able to repay the forborne payments in a lump sum at the end of the forbearance period.” FHFA subsequently clarified its repayment requirements for its forbearance program on April 27, 2020.
  • the Agencies issue guidance allowing these post-forbearance agreements to occur without requiring borrowers to execute any additional documents, such as a loan modification agreement or a promissory note for the forborne payments, or at least waiving or easing those requirements until the pandemic abates.
  • FHFA to clarify that a borrower may receive a forbearance based on the borrower’s verbal attestation of a hardship related to COVID-19, and to encourage servicers to proactively notify borrowers of their right to verbally request a forbearance.

Expanded Eligibility for Disaster Relief-Related Modifications and Loss Mitigation Programs

The Attorneys General urged the Agencies to expand their eligibility standards for post-forbearance loss mitigation programs to enable a greater number of borrowers to qualify.  The Attorneys General urged HUD to reconsider its decision to remove the Disaster Loan Modification option for borrowers affected by COVID-19.  Further, the Attorneys General requested that the Agencies revise their respective loan modification eligibility criteria to ensure these programs have the same reach as the forbearance program mandated by the CARES Act, as the Agencies’ current guidelines impose several delinquency-related eligibility requirements.  For example:

  • Under current Fannie Mae and Freddie Mac guidelines, borrowers affected by COVID-19 are eligible for any one of three modification programs. Currently, however, a borrower is only eligible for such programs if the borrower was current or less than 31 days delinquent as of March 13, 2020. Additional delinquency-related eligibility criteria apply for the Cap and Extend Modification and Flex Modification programs.
  • Under current HUD guidelines, a borrower is only eligible for the COVID-19 Partial Claim if the borrower was current or less than 30 days delinquent as of March 1, 2020 and the partial claim amount does not exceed 30 percent of the unpaid balance. If a borrower is ineligible for the COVID-19 Partial Claim, then the borrower will be reviewed for HUD’s FHA-HAMP program. The Attorneys General noted that the FHA-HAMP program has additional seasoning requirements, such as requiring the borrower to have made at least 4 payments and the loan to have aged at least 12 months.

The Attorneys General urged the Agencies to waive the delinquency status requirements of these modification programs and noted that post-forbearance modification programs should be commensurate with the forbearance plans required by the CARES Act, as the CARES Act requires forbearance for any borrower experiencing a COVID-19 financial hardship regardless of delinquency status.  Moreover, the CARES Act authorizes forbearances of up to 360 days, so many borrowers receiving CARES Act forbearances will be more than 360 days delinquent by the end of the forbearance period.

Eviction and Foreclosure Moratoriums

Finally, the Attorneys General urged the Agencies to “instruct servicers that they also must suspend all foreclosures and evictions currently in process and cannot move forward to complete any step in the judicial or non-judicial foreclosure or eviction process while the moratorium is in place,” to address differences in various states’ foreclosure and eviction processes.

Currently, the CARES Act states that servicers of federally backed mortgages may not initiate any judicial or non-judicial foreclosures process, move for a foreclosure judgment or order of sale, or execute a foreclosure-related eviction or foreclosure sale until at least May 17, 2020. The Attorneys General asserted that advancing any step of the eviction or foreclosure process during a forbearance related to COVID-19 will only lead to borrower confusion and harm.


As the COVID-19 pandemic continues to affect homeowners and the mortgage servicing industry, there will likely be continued political pressure on the Agencies to further revise servicer loss mitigation guidelines. Servicers will need to be vigilant to stay on top of the rapidly evolving market conditions and regulatory environment.


Delaware Governor Issues Order Restricting Residential Foreclosures and Evictions

A&B Abstract:

On March 24, 2020, Delaware Governor, John Carney, issued a Sixth Modification (the “Order”) to the Declaration of a State of Emergency (the “State of Emergency”) initially issued on March 12, 2020. The Order addresses a number of issues that impact residential mortgage loan servicers, including restrictions on residential foreclosures and evictions and certain fees or charges.

Restrictions on Late Fees and Excess Interest for Missed Payments

The Order provides that with respect to any missed payment on a residential mortgage occurring during the State of Emergency, no late fee or excess interest may be charged or accrue on the account for such residential mortgage during the State of Emergency.  One could interpret this language to mean that while no late fees or additional interest may be charged or accrued with respect to a missed payment, regularly scheduled interest due on the missed payment may be charged.  While not free from doubt, arguably this provision applies only to owner-occupied 1- to 4-family primary residential property, as this provision immediately follows the below restriction on the commencement of a foreclosure action, which is so limited.

 Foreclosure Restrictions

The Order imposes restrictions on a mortgage servicer’s ability to initiate or complete a foreclosure action or sale and to charge certain fees or interest.  Specifically, until the State of Emergency is terminated and the public health emergency is rescinded, the provisions of the Delaware Code relating to residential mortgage foreclosures, including Subchapter XI, Chapter 49 of Title 10, are modified in the following respects:

  • A servicer may not commence a residential mortgage foreclosure action with respect to any owner-occupied 1- to 4-family primary residential property that is subject to a mortgage; the Order excludes from this restriction any mortgage that is held by the seller of the subject property who does not hold more than five such mortgages;
  • For any residential mortgage foreclosure action initiated prior to the declaration of the State of Emergency, all deadlines in that action, including those related to the Automatic Residential Mortgage Foreclosure Mediation Program established pursuant to § 5062C of Title 10 of the Delaware Code, are extended until 31 days following the termination of the State of Emergency and the rescission of the public health emergency and no late fees or interest may be charged to or accrued on the balance due on the mortgage that is the subject of the residential mortgage foreclosure action during this time period;
  • No residential property that is the subject of a residential mortgage foreclosure action, for which a judgment of foreclosure was issued prior to the declaration of the State of Emergency, may proceed to sheriff’s sale until 31 days following the termination of the State of Emergency and the rescission of the public health emergency; and
  • No residential property that was the subject of a residential mortgage foreclosure action, and which was sold at sheriff’s sale, may be subject to action of ejectment or writ of possession until 31 days following the termination of the State of Emergency and the rescission of the public health emergency.

Except as otherwise provided above, nothing in the Order is intended to relieve any individual of the obligation to make mortgage payments or to comply with any other obligation that an individual may have under a residential mortgage.  Note that Delaware is a judicial foreclosure state requiring a notice of intent to foreclose be sent to the borrower 45 days prior to the commencing foreclosure.  One could read the Order as prohibiting a servicer from sending such notices during the State of Emergency.

Restrictions on Evictions

Similarly, with respect to evictions, the Order provides that, until the State of Emergency is terminated and the public health emergency is rescinded, the provisions of Chapter 57, Title 25 of the Delaware Code (governing summary possession of residential rental units) are modified in the following respects:

  • No action for summary possession may be brought with respect to any residential rental unit located within Delaware;
  • With respect to any past due balance for a residential rental unit, no late fee or interest may be charged or accrue on the account for the residential rental unit during the State of Emergency;
  • For any action for summary possession for a residential rental unit located within Delaware, commenced prior to the declaration of the State of Emergency, all deadlines in that action are extended until at least 31 days after the termination of the State of Emergency and the rescission of the public health emergency;
  • No late fee or interest may be charged or accrue on the balance due on the account for the residential rental unit that is the subject of the action for summary possession during this time period; and
  • For any residential rental unit that was the subject of an action for summary possession, for which a final judgment was issued prior to the declaration of the State of Emergency, no writ of possession may be executed until the seventh day following the termination of the State of Emergency and the rescission of the public health emergency.

The foregoing restrictions do not apply to actions for summary possession based upon a claim that continued tenancy will cause or is threatened to cause irreparable harm to person or property.  Moreover, except as modified above, all other provisions of the Landlord Tenant Code (Chapters 51-59 of Title 25 of the Delaware Code) remain in effect in accordance with their terms and nothing in the Order is to be construed as relieving any individual of the obligation to pay rent or to comply with any other obligation that an individual may have under their tenancy.


As discussed above, the Order imposes a number of restrictions that impact a residential mortgage loan servicer’s ability to initiate or complete foreclosure actions and eviction proceedings as well as limitation on certain fees and charges.  Accordingly, mortgage servicers should carefully review the Order to determine their obligations with respect to impacted borrowers.

Six Practical Tips for Practicing Cyberhygiene in the Middle of a Global Pandemic

Businesses large and small are encouraging (or requiring) employees to work remotely or cancel work travel as part of the response to COVID-19. But suddenly expanding the number of employees working remotely comes with increased cybersecurity and information technology risks. A cybercriminal (including malicious insiders) will have a target-rich environment during this time since more devices will be used for company business and more company data will be sent, located, or stored outside the protections of the company infrastructure and activity logging. It will also be easier for devices to be lost, stolen, or compromised, particularly if employees are not familiar with company policies on how to securely work from home. Information Security and IT teams should consider the following practical tips as they prepare for these risks.

1. Prepare for a Strain on Existing Resources

Increasing the number of remote employees increases the number of people or devices using your remote access resources, such as virtual desktop environments and virtual private networks. Continue to actively monitor these resources to ensure that they are properly updated and resourced (bandwidth, computing power, and storage capacity). This is a unique opportunity to fully test your infrastructure and remote capabilities. Also, companies may want to reevaluate how employees will be authenticated when connecting remotely. Utilizing multifactor authentication should be the goal. The Department of Homeland Security’s recent alert on enterprise VPN security may also be a useful resource here.

Consider also expanding your help desk staffing. More employees working from home will likely result in increased calls for IT support since these employees may have connectivity or other technical issues in a remote environment. Similarly, some employees may be forced to use personal devices during this period. It will be important to have help desk staff and software resources available to ensure that antivirus software can be downloaded to personal devices and that the devices are encrypted.

2. Review and Update Business Continuity, Disaster Recovery, and Incident Response Plans

The coronavirus pandemic is unlikely to directly impact your IT infrastructure. However, it is possible that a severe outbreak will impact the availability of personnel assigned to monitor or use that infrastructure. Companies should review their business continuity and disaster recovery plans (with their related IT and Security roles and responsibilities) to ensure they appropriately cover scenarios that might arise if multiple key personnel are ill or incapacitated. Similarly, if you use Managed Security Service Providers or other security vendors for critical parts of your program, you should verify that those vendors have similar plans, redundancies, and current capacity to help (you may want to verify and secure this help now while we are still in the early stages of this crisis). Ultimately, this is the perfect opportunity to ensure that all key players have recently reviewed these plans, there is necessary expertise redundancy, and staff have engaged in tabletop simulations relating to business continuity.

Companies should also consider conducting a similar assessment for their incident response plans as well as their cyber insurance, crime fraud, technical E&O, or network interruption policies. Such policies or plans may need to be revised to include backup personnel if key personnel such as a CTO, CISO, or privacy officer are incapacitated or otherwise unavailable. Also, you may want to consider cross-training appropriate personnel in all aspects of the incident response, reporting, and claims process, including the location of core documents and notice templates that would be used in an incident. If you have not already, consider what key elements of your incident response plan could be reduced to a diagrammed flow for your team to have in front of them in a crisis.

3. Warn Employees of the Security Risks of Working from Home

In times of crisis, increased work, or nonstandard work routines, personnel are more likely to forget to use recommended cybersecurity practices, but warning them now may help with security awareness during unfamiliar times. This will be particularly true for mission-critical services since employees may feel pressure to forgo security to get work done. All employees should be reminded of the corporate resources that are available, such as cloud storage or other applications, the need for increased vigilance, and the following basic security principles:

  • Secure home wireless networks with strong passwords and avoid using unsecured public networks when possible. If using an unsecured public network, be on the lookout for any certificate errors or warnings that a site may be misconfigured.
  • Do not use personal devices for work without prior approval because these may lack the security controls that protect work devices.
  • Do not use personal email or cloud storage accounts to transfer or store business information.
  • Avoid downloading or printing sensitive information from email or other IT services to personal computers or other personal devices even if authorized to use the device for work purposes. If you must download data to personal devices, confirm with IT help desk staff that antivirus software is installed on your device and that it is properly encrypted.
  • Practice good physical document management by only taking documents offsite if necessary and ensuring all materials are returned to the office for proper destruction.

4. Be Wary of Scams and Phishing Attacks

Scammers and cyber threat actors have always followed the headlines, using the public’s heightened fear and desire for information or solutions as leverage to gain access to systems, data, and money. The current pandemic is no different. There are reports of schemes where malicious actors are stealing credentials from remote workers by supposedly offering updated company guidance on the COVID-19 response. And cyber researchers recently discovered a website of a map showing COVID-19 cases on a global scale that contained a hidden code that could steal usernames, passwords, credit card numbers, and other data stored in the user’s browser. While the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) are working to crack down on phony COVID-19 cures and requests for “donations” from fake charities, employees must be on the lookout for scams and phishing attacks. All employees should be reminded of the following recommended practices:

  • Be careful opening attachments and links from distrusted or unknown sources. Phishing or other malicious emails can easily be disguised as alerts about COVID-19.
  • Try to use only trusted sources, for example, the CDC’s official COVID-19 website, for receiving up-to-date information about the outbreak.
  • Never respond to emails or phone calls asking for personal or financial information, usernames, or passwords.
  • Be careful making donations and reject any request for donations in cash, by gift card, or by wiring money.

This is also an excellent opportunity to remind employees of how to report security incidents within the company. Consider creating a short checklist for all employees detailing tips for how to detect suspicious activity, and what to do and who to contact if they believe they have been the victim of a security incident, scam, or phishing attack.

Additional resources from the FTC and U.S. Office of Personnel Management on working remotely and how to avoid scams and phishing attacks can be found here and here.

5. Be Aware of Applicable Industry-Specific Guidelines

Some heavily regulated industries (e.g., banking, financial services, and health) will have additional considerations at play. For example, FINRA has just released guidance that addressed telework arrangements with a section specifically related to cybersecurity risks posed by those arrangements. Additional commentary on this guidance can be found here. Similarly, HIPAA covered entities and business associates may face an increased risk of violating the HIPAA Privacy and Security rules. Best practices on how to address these risks and other HIPAA-specific guidance can be found here.

6. If Security Exceptions Must Occur Temporarily, Take Steps to Document Them

Your company may have no choice but to make security exceptions to get work done, especially if your industry is on the front lines of this crisis (e.g., health care and necessities supply chains). If this is the case, take steps to ensure that Security and IT document any security exceptions made so the company can resume its full security measures once volumes return to normal. If security exceptions are not documented, there is the potential for these items to be forgotten once the crisis passes.

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19). You can view all our work on the coronavirus across industries and subscribe to our future webinars and advisories.