Alston & Bird Consumer Finance Blog

Uncategorized

Attorneys General Urge FHFA and HUD to Take Additional Measures to Protect Borrowers Affected by COVID-19

A&B Abstract:

On April 23, 2020, the attorneys general of 33 states, the District of Columbia and Puerto Rico (the “Attorneys General”) sent two letters, one to the Federal Housing Finance Agency (“FHFA”) and the other to the U.S. Department of Housing and Urban Development (“HUD” and collectively with FHFA, the “Agencies”), respectively, noting that the “national response must recognize the unique challenges presented by the unprecedented number of homeowners who are affected by COVID-19, including the fact that all of these homeowners need relief at the same time..[and that] [m]eeting this challenge will require straightforward and consistent guidance that can be quickly operationalized.”  As a result, the Attorneys General urged the Agencies to make changes to their respective guidelines addressing COVID-19-related mortgage and foreclosure relief.

Revision of Forbearance Programs

The Attorneys General acknowledged that forbearance plans are a critical first response to borrowers affected by the COVID-19 pandemic.  However, the Attorneys General expressed concern that both the mortgage servicing industry and homeowners will become overwhelmed if changes are not made.   The Attorneys General recommended or encouraged that:

  • the Agencies “issue simple, self-executing guidance that servicers can easily implement to meet demand while providing an immediate, responsive resolution to borrowers.” The Attorneys General specifically expressed concern about HUD guidelines requiring an individualized evaluation for every borrower who receives a CARES Act forbearance, as well as guidelines issued by both of the Agencies requiring an individualized evaluation for borrowers coming out of forbearance, due to “grave doubts about servicers’ abilities to effectively manage the unprecedented number of borrowers who will be emerging from forbearance plans related to COVID-19 if individualized evaluations are required for each borrower.”
  • the Agencies amend their forbearance programs so that the obligation to repay forborne payments is automatically placed at the end of the loan term in the form of additional monthly payments that will follow the current term of the loan.  The Attorneys General noted that “there can be no reasonable expectation that a borrower who has experience a loss of employment or a reduction in income will be able to repay the forborne payments in a lump sum at the end of the forbearance period.” FHFA subsequently clarified its repayment requirements for its forbearance program on April 27, 2020.
  • the Agencies issue guidance allowing these post-forbearance agreements to occur without requiring borrowers to execute any additional documents, such as a loan modification agreement or a promissory note for the forborne payments, or at least waiving or easing those requirements until the pandemic abates.
  • FHFA to clarify that a borrower may receive a forbearance based on the borrower’s verbal attestation of a hardship related to COVID-19, and to encourage servicers to proactively notify borrowers of their right to verbally request a forbearance.

Expanded Eligibility for Disaster Relief-Related Modifications and Loss Mitigation Programs

The Attorneys General urged the Agencies to expand their eligibility standards for post-forbearance loss mitigation programs to enable a greater number of borrowers to qualify.  The Attorneys General urged HUD to reconsider its decision to remove the Disaster Loan Modification option for borrowers affected by COVID-19.  Further, the Attorneys General requested that the Agencies revise their respective loan modification eligibility criteria to ensure these programs have the same reach as the forbearance program mandated by the CARES Act, as the Agencies’ current guidelines impose several delinquency-related eligibility requirements.  For example:

  • Under current Fannie Mae and Freddie Mac guidelines, borrowers affected by COVID-19 are eligible for any one of three modification programs. Currently, however, a borrower is only eligible for such programs if the borrower was current or less than 31 days delinquent as of March 13, 2020. Additional delinquency-related eligibility criteria apply for the Cap and Extend Modification and Flex Modification programs.
  • Under current HUD guidelines, a borrower is only eligible for the COVID-19 Partial Claim if the borrower was current or less than 30 days delinquent as of March 1, 2020 and the partial claim amount does not exceed 30 percent of the unpaid balance. If a borrower is ineligible for the COVID-19 Partial Claim, then the borrower will be reviewed for HUD’s FHA-HAMP program. The Attorneys General noted that the FHA-HAMP program has additional seasoning requirements, such as requiring the borrower to have made at least 4 payments and the loan to have aged at least 12 months.

The Attorneys General urged the Agencies to waive the delinquency status requirements of these modification programs and noted that post-forbearance modification programs should be commensurate with the forbearance plans required by the CARES Act, as the CARES Act requires forbearance for any borrower experiencing a COVID-19 financial hardship regardless of delinquency status.  Moreover, the CARES Act authorizes forbearances of up to 360 days, so many borrowers receiving CARES Act forbearances will be more than 360 days delinquent by the end of the forbearance period.

Eviction and Foreclosure Moratoriums

Finally, the Attorneys General urged the Agencies to “instruct servicers that they also must suspend all foreclosures and evictions currently in process and cannot move forward to complete any step in the judicial or non-judicial foreclosure or eviction process while the moratorium is in place,” to address differences in various states’ foreclosure and eviction processes.

Currently, the CARES Act states that servicers of federally backed mortgages may not initiate any judicial or non-judicial foreclosures process, move for a foreclosure judgment or order of sale, or execute a foreclosure-related eviction or foreclosure sale until at least May 17, 2020. The Attorneys General asserted that advancing any step of the eviction or foreclosure process during a forbearance related to COVID-19 will only lead to borrower confusion and harm.

Takeaway

As the COVID-19 pandemic continues to affect homeowners and the mortgage servicing industry, there will likely be continued political pressure on the Agencies to further revise servicer loss mitigation guidelines. Servicers will need to be vigilant to stay on top of the rapidly evolving market conditions and regulatory environment.

 

Delaware Governor Issues Order Restricting Residential Foreclosures and Evictions

A&B Abstract:

On March 24, 2020, Delaware Governor, John Carney, issued a Sixth Modification (the “Order”) to the Declaration of a State of Emergency (the “State of Emergency”) initially issued on March 12, 2020. The Order addresses a number of issues that impact residential mortgage loan servicers, including restrictions on residential foreclosures and evictions and certain fees or charges.

Restrictions on Late Fees and Excess Interest for Missed Payments

The Order provides that with respect to any missed payment on a residential mortgage occurring during the State of Emergency, no late fee or excess interest may be charged or accrue on the account for such residential mortgage during the State of Emergency.  One could interpret this language to mean that while no late fees or additional interest may be charged or accrued with respect to a missed payment, regularly scheduled interest due on the missed payment may be charged.  While not free from doubt, arguably this provision applies only to owner-occupied 1- to 4-family primary residential property, as this provision immediately follows the below restriction on the commencement of a foreclosure action, which is so limited.

 Foreclosure Restrictions

The Order imposes restrictions on a mortgage servicer’s ability to initiate or complete a foreclosure action or sale and to charge certain fees or interest.  Specifically, until the State of Emergency is terminated and the public health emergency is rescinded, the provisions of the Delaware Code relating to residential mortgage foreclosures, including Subchapter XI, Chapter 49 of Title 10, are modified in the following respects:

  • A servicer may not commence a residential mortgage foreclosure action with respect to any owner-occupied 1- to 4-family primary residential property that is subject to a mortgage; the Order excludes from this restriction any mortgage that is held by the seller of the subject property who does not hold more than five such mortgages;
  • For any residential mortgage foreclosure action initiated prior to the declaration of the State of Emergency, all deadlines in that action, including those related to the Automatic Residential Mortgage Foreclosure Mediation Program established pursuant to § 5062C of Title 10 of the Delaware Code, are extended until 31 days following the termination of the State of Emergency and the rescission of the public health emergency and no late fees or interest may be charged to or accrued on the balance due on the mortgage that is the subject of the residential mortgage foreclosure action during this time period;
  • No residential property that is the subject of a residential mortgage foreclosure action, for which a judgment of foreclosure was issued prior to the declaration of the State of Emergency, may proceed to sheriff’s sale until 31 days following the termination of the State of Emergency and the rescission of the public health emergency; and
  • No residential property that was the subject of a residential mortgage foreclosure action, and which was sold at sheriff’s sale, may be subject to action of ejectment or writ of possession until 31 days following the termination of the State of Emergency and the rescission of the public health emergency.

Except as otherwise provided above, nothing in the Order is intended to relieve any individual of the obligation to make mortgage payments or to comply with any other obligation that an individual may have under a residential mortgage.  Note that Delaware is a judicial foreclosure state requiring a notice of intent to foreclose be sent to the borrower 45 days prior to the commencing foreclosure.  One could read the Order as prohibiting a servicer from sending such notices during the State of Emergency.

Restrictions on Evictions

Similarly, with respect to evictions, the Order provides that, until the State of Emergency is terminated and the public health emergency is rescinded, the provisions of Chapter 57, Title 25 of the Delaware Code (governing summary possession of residential rental units) are modified in the following respects:

  • No action for summary possession may be brought with respect to any residential rental unit located within Delaware;
  • With respect to any past due balance for a residential rental unit, no late fee or interest may be charged or accrue on the account for the residential rental unit during the State of Emergency;
  • For any action for summary possession for a residential rental unit located within Delaware, commenced prior to the declaration of the State of Emergency, all deadlines in that action are extended until at least 31 days after the termination of the State of Emergency and the rescission of the public health emergency;
  • No late fee or interest may be charged or accrue on the balance due on the account for the residential rental unit that is the subject of the action for summary possession during this time period; and
  • For any residential rental unit that was the subject of an action for summary possession, for which a final judgment was issued prior to the declaration of the State of Emergency, no writ of possession may be executed until the seventh day following the termination of the State of Emergency and the rescission of the public health emergency.

The foregoing restrictions do not apply to actions for summary possession based upon a claim that continued tenancy will cause or is threatened to cause irreparable harm to person or property.  Moreover, except as modified above, all other provisions of the Landlord Tenant Code (Chapters 51-59 of Title 25 of the Delaware Code) remain in effect in accordance with their terms and nothing in the Order is to be construed as relieving any individual of the obligation to pay rent or to comply with any other obligation that an individual may have under their tenancy.

Takeaway

As discussed above, the Order imposes a number of restrictions that impact a residential mortgage loan servicer’s ability to initiate or complete foreclosure actions and eviction proceedings as well as limitation on certain fees and charges.  Accordingly, mortgage servicers should carefully review the Order to determine their obligations with respect to impacted borrowers.

Six Practical Tips for Practicing Cyberhygiene in the Middle of a Global Pandemic

Businesses large and small are encouraging (or requiring) employees to work remotely or cancel work travel as part of the response to COVID-19. But suddenly expanding the number of employees working remotely comes with increased cybersecurity and information technology risks. A cybercriminal (including malicious insiders) will have a target-rich environment during this time since more devices will be used for company business and more company data will be sent, located, or stored outside the protections of the company infrastructure and activity logging. It will also be easier for devices to be lost, stolen, or compromised, particularly if employees are not familiar with company policies on how to securely work from home. Information Security and IT teams should consider the following practical tips as they prepare for these risks.

1. Prepare for a Strain on Existing Resources

Increasing the number of remote employees increases the number of people or devices using your remote access resources, such as virtual desktop environments and virtual private networks. Continue to actively monitor these resources to ensure that they are properly updated and resourced (bandwidth, computing power, and storage capacity). This is a unique opportunity to fully test your infrastructure and remote capabilities. Also, companies may want to reevaluate how employees will be authenticated when connecting remotely. Utilizing multifactor authentication should be the goal. The Department of Homeland Security’s recent alert on enterprise VPN security may also be a useful resource here.

Consider also expanding your help desk staffing. More employees working from home will likely result in increased calls for IT support since these employees may have connectivity or other technical issues in a remote environment. Similarly, some employees may be forced to use personal devices during this period. It will be important to have help desk staff and software resources available to ensure that antivirus software can be downloaded to personal devices and that the devices are encrypted.

2. Review and Update Business Continuity, Disaster Recovery, and Incident Response Plans

The coronavirus pandemic is unlikely to directly impact your IT infrastructure. However, it is possible that a severe outbreak will impact the availability of personnel assigned to monitor or use that infrastructure. Companies should review their business continuity and disaster recovery plans (with their related IT and Security roles and responsibilities) to ensure they appropriately cover scenarios that might arise if multiple key personnel are ill or incapacitated. Similarly, if you use Managed Security Service Providers or other security vendors for critical parts of your program, you should verify that those vendors have similar plans, redundancies, and current capacity to help (you may want to verify and secure this help now while we are still in the early stages of this crisis). Ultimately, this is the perfect opportunity to ensure that all key players have recently reviewed these plans, there is necessary expertise redundancy, and staff have engaged in tabletop simulations relating to business continuity.

Companies should also consider conducting a similar assessment for their incident response plans as well as their cyber insurance, crime fraud, technical E&O, or network interruption policies. Such policies or plans may need to be revised to include backup personnel if key personnel such as a CTO, CISO, or privacy officer are incapacitated or otherwise unavailable. Also, you may want to consider cross-training appropriate personnel in all aspects of the incident response, reporting, and claims process, including the location of core documents and notice templates that would be used in an incident. If you have not already, consider what key elements of your incident response plan could be reduced to a diagrammed flow for your team to have in front of them in a crisis.

3. Warn Employees of the Security Risks of Working from Home

In times of crisis, increased work, or nonstandard work routines, personnel are more likely to forget to use recommended cybersecurity practices, but warning them now may help with security awareness during unfamiliar times. This will be particularly true for mission-critical services since employees may feel pressure to forgo security to get work done. All employees should be reminded of the corporate resources that are available, such as cloud storage or other applications, the need for increased vigilance, and the following basic security principles:

  • Secure home wireless networks with strong passwords and avoid using unsecured public networks when possible. If using an unsecured public network, be on the lookout for any certificate errors or warnings that a site may be misconfigured.
  • Do not use personal devices for work without prior approval because these may lack the security controls that protect work devices.
  • Do not use personal email or cloud storage accounts to transfer or store business information.
  • Avoid downloading or printing sensitive information from email or other IT services to personal computers or other personal devices even if authorized to use the device for work purposes. If you must download data to personal devices, confirm with IT help desk staff that antivirus software is installed on your device and that it is properly encrypted.
  • Practice good physical document management by only taking documents offsite if necessary and ensuring all materials are returned to the office for proper destruction.

4. Be Wary of Scams and Phishing Attacks

Scammers and cyber threat actors have always followed the headlines, using the public’s heightened fear and desire for information or solutions as leverage to gain access to systems, data, and money. The current pandemic is no different. There are reports of schemes where malicious actors are stealing credentials from remote workers by supposedly offering updated company guidance on the COVID-19 response. And cyber researchers recently discovered a website of a map showing COVID-19 cases on a global scale that contained a hidden code that could steal usernames, passwords, credit card numbers, and other data stored in the user’s browser. While the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) are working to crack down on phony COVID-19 cures and requests for “donations” from fake charities, employees must be on the lookout for scams and phishing attacks. All employees should be reminded of the following recommended practices:

  • Be careful opening attachments and links from distrusted or unknown sources. Phishing or other malicious emails can easily be disguised as alerts about COVID-19.
  • Try to use only trusted sources, for example, the CDC’s official COVID-19 website, for receiving up-to-date information about the outbreak.
  • Never respond to emails or phone calls asking for personal or financial information, usernames, or passwords.
  • Be careful making donations and reject any request for donations in cash, by gift card, or by wiring money.

This is also an excellent opportunity to remind employees of how to report security incidents within the company. Consider creating a short checklist for all employees detailing tips for how to detect suspicious activity, and what to do and who to contact if they believe they have been the victim of a security incident, scam, or phishing attack.

Additional resources from the FTC and U.S. Office of Personnel Management on working remotely and how to avoid scams and phishing attacks can be found here and here.

5. Be Aware of Applicable Industry-Specific Guidelines

Some heavily regulated industries (e.g., banking, financial services, and health) will have additional considerations at play. For example, FINRA has just released guidance that addressed telework arrangements with a section specifically related to cybersecurity risks posed by those arrangements. Additional commentary on this guidance can be found here. Similarly, HIPAA covered entities and business associates may face an increased risk of violating the HIPAA Privacy and Security rules. Best practices on how to address these risks and other HIPAA-specific guidance can be found here.

6. If Security Exceptions Must Occur Temporarily, Take Steps to Document Them

Your company may have no choice but to make security exceptions to get work done, especially if your industry is on the front lines of this crisis (e.g., health care and necessities supply chains). If this is the case, take steps to ensure that Security and IT document any security exceptions made so the company can resume its full security measures once volumes return to normal. If security exceptions are not documented, there is the potential for these items to be forgotten once the crisis passes.

Alston & Bird has formed a multidisciplinary task force to advise clients on the business and legal implications of the coronavirus (COVID-19). You can view all our work on the coronavirus across industries and subscribe to our future webinars and advisories.

California Attorney General Issues Second Round of Modifications to CCPA Regulations

On March 11, 2020, California Attorney General Xavier Becerra announced a second round of modifications to the draft regulations his office is preparing for the California Consumer Privacy Act (the “Draft CCPA Regulations”).  These modifications follow two previous rounds of drafting:

(a) the initial publication of the Draft CCPA Regulations, in regards to which we analyzed 21 potentially material business impacts here, and

(b) a first round of modifications to the Draft CCPA Regulations, for which we provided 30 key business impacts here.

Alston & Bird is currently preparing a detailed analysis of this second round of modifications to the Draft CCPA Regulations, which will be published via this blog.  A copy of the Draft CCPA Regulations containing all modifications from both the first and second rounds of modifications can be downloaded here.

Companies who see relevant issues in the most current modifications to the Draft CCPA Regulations should note the Attorney General indicates that the deadline for comments is 5:00 p.m. Pacific time on Friday, March 27.

For further information, contact Jim HarveyDavid KeatingKathleen BenwayAmy Mushahwar, or Daniel Felz.

Alston & Bird Webinar Series: Coronavirus: What Does My Business Need to Know?

Thursday, March 12, 2020  | 11:00am ET 
For Employers: Coronavirus and Travel: A Complicated Business Decision 

The 2019 novel coronavirus outbreak (also known as COVID-19) causes respiratory illness and can spread from person to person. There have been thousands of deaths reported globally, making the coronavirus deadlier than SARS. Coronavirus infections have been reported in dozens of countries. Individuals are being extracted from and departing China and the region, and pandemic fears have also affected shipping and travel around the world. Concerns about the coronavirus have closed factories and forced quarantines throughout China – delaying and even stopping manufacturing and deliveries.

The number of COVID-19 cases in the U.S continues to rise, affecting employers and employees in every industry, from hospitality to manufacturing to health care. What should employers consider in making decisions? This Alston & Bird webinar will review advice we are giving clients related to:

  • Travel, both foreign and domestic
  • Employee health precautions
  • Events and conferences
  • Office/workplace visitors
  • Remote workforce
  • Force majeure and the coronavirus

Our Speakers:

Dawnmarie Matlock regularly advises health care clients on complex regulatory issues, including Stark Law and AntiKickback compliance. She counsels clients facing government investigations and other enforcement actions to mitigate risks and help resolve active matters. She serves as Alston & Bird’s HIPAA privacy officer and counsels clients on HIPAA compliance and breach response.

Angie Burnette assists hospitals, physicians, and other providers with a variety of issues, including those involving medical staff, the National Practitioner Data Bank, mental health, surrogate births, minors, duty to warn, do-not-resuscitate orders, end-of-life issues, and refusal of blood transfusions. Angie provides general risk management and compliance advice to health care facilities, providers, and health plans. She also advises health care providers and non-health-care companies on HIPAA privacy, HIPAA security, and breach notification issues under the HITECH Act and state laws.

Christy Eikhoff will discuss force majeure in light of the coronavirus. She represents clients in significant and high-profile complex commercial litigation matters, with experience in manufacturing, media, and insurance. She is the co-chair of Alston & Bird’s Industrials & Manufacturing Litigation Team. She has handled several multimillion-dollar cases for publicly and privately held entities, with extensive experience in trial, arbitration hearings, mediation, written advocacy, settlement negotiations, and discovery management. Christy has been instrumental in helping business clients achieve resolution in litigated disputes involving claims of breach of contract, fraud, business torts, property torts, defamation, negligence, and unfair and deceptive trade practice and consumer protection statutes.

Charlie Morgan concentrates his practice in litigation and government and internal investigations, including occupational safety and health, employment and traditional labor matters. He represents Fortune 500 companies, retailers, manufacturers and privately held organizations across the U.S. in investigations and litigation involving accidents and safety issues, in class and collection actions, and in anti-union campaigns. He also develops programs and training initiatives for compliance with safety and health laws and federal sentencing guidelines.

Our Experience 

Alston & Bird has formed a working group to advise clients on the business and legal implications of the coronavirus. Our multidisciplinary team can assist and advise a broad range of economic sectors on responses to coronavirus news and proactive steps to ensure business continuity, supply-chain alternatives, data security if remote access for all employees is required, and new product development. We regularly work on coronavirus-related issues with the gamut of relevant regulatory bodies as well as congressional policymakers who are leading the response to this fast-moving event. Our team includes members with experience in regulations for employment issues, medical product development, and pharmaceuticals, as well as every type of business interruption scenario. Members of our team have previously worked for, or represent clients before, the White House, Congress, HHS—especially staff and operating divisions such as the Assistant Secretary for Preparedness and Response (ASPR) — FDA, CDC, USDA, EPA, DEA, DOD, SEC, DHS, DOS, and OSHA.

Webinar Details

Thursday, March 12, 2020

Login information will be provided to participants before the program.

Additional Programs 

Thursdays | 11:00 am ET  

March 19 – For Hospitals, Health Systems, Laboratories and Other Providers: Reimbursement issues, new codes, special employee issues, telemedicine, and how to navigate this new environment.

March 26 – For employers, health plan sponsors and insurers, hospitals, hospitality, and pharmaceutical and medical device manufacturers: What’s still pending on the legislative and regulatory front in response to the coronavirus pandemic.

CLE

These programs are provided as a complimentary service to clients and friends of Alston & Bird. CLE credit is pending for Georgia, Texas, California, New York, Pennsylvania, and Missouri. Additional states may be available upon request.

CLICK HERE TO RSVP