Alston & Bird Consumer Finance Blog


Iowa Adopts Mortgage Servicer Prudential Standards

What Happened?

Effective July 1, Iowa House File 2392 (the “Iowa Law”) enacts mortgage servicer prudential standards (codified in Chapter 535B of the Iowa Code) that largely follow those promoted by the Conference of State Bank Supervisors (“CSBS”).

As we have previously reported, the CSBS adopted model “State Regulatory Prudential Standards for Nonbank Mortgage Servicers” (the “CSBS Standards”) in 2021.  The CSBS Standards address financial condition and corporate governance requirements for certain mortgage servicers.

Why Is It Important?

Following the CSBS Standards, the Iowa Law’s requirements apply to a “covered institution.”  A “covered institution” services or subservices at least 2,000 residential mortgage loans (excluding whole loans owned and loans being interim serviced prior to sale) as of the most recent calendar year end as reported on the NMLS mortgage call report.  For entities within a holding company or an affiliated group of companies, the Iowa Law’s requirements apply at the covered institution level.

Financial Condition:

The Iowa Law requires a covered institution to meet specified financial condition standards. First, a covered institution must maintain capital and liquidity as set forth in new Section 535B.24.  Second, a covered institution must maintain written policies and procedures necessary to implement that section’s capital, operating liquidity, servicing liquidity requirements.

Third, a covered institution must maintain sufficient allowable assets for operating liquidity, in addition to amounts required for servicing liquidity.  Fourth, a covered institution must develop, establish, and implement written plans, policies and procedures, utilizing sustainable documented methodologies to maintain operating liquidity.  Finally, a covered institution must have a sound written cash management plan and a sound written business operating plan (commensurate with the entity’s complexity) that ensures normal business operations.

The financial condition standards do not apply to servicers that solely own or conduct servicing on reverse annuity mortgage loans, or to a covered institution’s  reverse annuity mortgage loan portfolio.

Corporate Governance:

The Iowa Law also requires a covered institution to comply with enumerated corporate governance requirements. First, a covered institution must establish and maintain a board of directors (or equivalent body).  The board’s responsibilities include: (a) establishing a written corporate governance framework that includes appropriate internal controls to monitor and assessing compliance with the corporate governance framework; (b)  monitoring and ensuring that the covered institution complies with the corporate governance framework and with the Iowa Law’s requirements; and (c) ensuring that the covered institution establishes and maintains a risk management program that identifies, measures, monitors, and controls risk commensurate with the covered institution’s size and complexity.

Second, new Section 535B.25 enumerates criteria for a covered institution’s risk management program (to include addressing the potential that a borrower or counterparty fails to perform on an obligation). Third, the Iowa Law requires a covered institution to undergo an annual external audit (including an evaluation of the entity’s internal control structure, a review of the entity’s annual financial statements of the company, and a computation of the entity’s tangible net worth).

Fourth, the Iowa law requires a covered institution to conduct an annual risk management assessment that concludes with a formal report to the board of directors. The risk management assessment must include findings and action taken to address each issue. Additionally, a covered institution must maintain ongoing documentation of risk management activities and include the documentation in its risk management assessment.

What Do I Need to Do?

Mortgage servicers subject to the Iowa Law should review the new standards and ensure that their business practices are compliant.  We will continue to monitor other states for adoption of their own versions of the CSBS Standards.

CSBS Releases Cybersecurity Programs to Help Nonbank Financial Services Institutions Improve Cybersecurity Posture

A&B ABstract

On August 9, 2022, the Conference of State Bank Supervisors (CSBS) released two cybersecurity tools for nonbank financial services institutions to help them prepare for state cybersecurity examinations and, ultimately, improve cybersecurity maturity and protect financial institution infrastructure. These tools are designed to address key aspects of the Uniform Rating System for Information Technology; namely, Audit, Management, Development and Acquisition, and Support and Delivery. The CSBS also outlined the key documents that state examiners are likely request during examinations to help ensure nonbank financial services institutions are prepared to respond to examination questions.

CSBS Cybersecurity Tools

Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program (the “Programs”) are a set of cybersecurity questions used by state examiners to assess the ability of nonbank financial services companies to comply with applicable cybersecurity and data protection requirements. While these Programs are optional resources, the CSBS encourages nonbank financial services institutions to leverage these Programs as prescriptive guidance in implementing and maintaining a compliant cybersecurity program.

The Baseline Nonbank Cybersecurity Exam Program is intended for small nonbank financial services institutions, whereas the Enhanced version is used by state examiners evaluating larger more complex nonbank financial services institutions (the distinction between which institutions fall under the Baseline vs the Enhanced Program are not specified). Both Programs cover four overarching areas of the Uniform Rating System for Information Technology (URSIT) – (1) Audit, (2) Management, (3) Development and Acquisition, and (4) Support and Delivery. Specifically, the examination covers a wide range of topics, such as executive oversight of the cybersecurity program, details on the institution’s network security, vendor management, cyber insurance, malware protection controls, patch management procedures, asset inventory, business continuity management and incident response plan.  The examination questions, where relevant, cite to the FTC Safeguards Rule, as amended (16 CFR § 314) which became effective January 10, 2022 (with the exception of a limited number of sections that are not enforceable until December 9, 2022).

The CSBS also provides a Document Request List, outlining key artifacts that state examiners may request (and have requested during past examinations) to help support the institutions’ response to the examination questions. Key artifacts include core policies and procedures, written information security programs, risk assessment(s), materials presented to the board/senior management discussing cybersecurity, vulnerability assessments, and patch deployment confirmation.

These Programs, according to CSBS’s Senior Vice President of Nonbank Supervision, Chuck Cross, are intended to streamline supervisory clarity and create a more resilient financial system. These Programs are a part of CSBS’ larger initiative to equip the industry with the necessary tools to protect the critical infrastructure of financial institutions; for example, it previously provided nonbanks with a Ransomware Self-Assessment Tool and a Cybersecurity 101 Guide for executives.


Through the Programs, CSBS has provided nonbank financial services institutions the ability to more adequately prepare for regulatory examinations by outlining core questions and artifacts. However, the cybersecurity regulations applicable to financial institutions continue to evolve, both on the federal and state level, requiring additional resources and expertise. It is also unclear how widely adopted these Programs will be by state regulators, particularly state regulators that have developed their own comprehensive cybersecurity examination questions (such as the New York Department of Financial Services), and there will likely continue to be differences across state regulatory examinations.

We will continue monitoring the guidance issued by CSBS and other financial industry participants and regulators with respect to the evolving cybersecurity compliance landscape.

NMLS Seeks Comments on Proposed Revisions to Company and Individual Disclosure Questions

A&B Abstract:

The Nationwide Multistate Licensing System & Registry (NMLS) Policy Committee is inviting comments on the NMLS Disclosure Questions Proposal. The comment period is now open and runs until August 22. Among other revisions, the proposal details suggested revisions to the disclosure questions on the Company (MU1) and Individual (MU2) forms.

Proposed Revisions to NMLS Disclosure Questions

In key part, the proposed revisions include:

Company Disclosure Questions:

  • Adding a new question to incorporate a requirement of the Money Transmission Modernization Act, g., companies disclosing “material litigation” (which would be a newly defined term) in the past 10 years;
  • Expanding the civil judicial disclosures to include whether companies have been found in the past 10 years: (1) to have made a false statement or omission or been dishonest, unfair, or unethical, or (2) to have been a cause of another financial services business having its license or authorization denied, suspended, revoked, or restricted;
  • Amending the civil judicial disclosure question to include whether there are any pending financial services civil actions alleging that a company has made a false statement or omission, or had been dishonest, unfair, or unethical;
  • Requiring the criminal disclosure of any pending felony charges against companies, instead of any past felony charges;
  • Broadening the bankruptcy disclosure to include whether a company or control affiliate filed a bankruptcy petition in the past 10 years (in addition to being the subject of a bankruptcy petition) and clarifying that disclosure of either voluntary or involuntary petitions is required;
  • Adding a question whether companies have ever been denied issuance of a bond;
  • Introducing a new question asking whether a third-party service provider has notified a company of its intent to modify or cancel an arrangement that would materially alter the company’s ability to conduct business activities, and relatedly, defining “third-party service provider” to include lines of credit, whether warehouse or operation, technology solutions, etc.; and
  • Separating out into two sections under the existing regulatory action disclosures for: (1) companies that hold or have ever held an authorization to act as a contractor for a federal, state, or local government entity, (2) companies who have “key individuals” (which would be a newly defined term) or control individuals who are or have been licensed as attorneys or accountants or who hold or have been licensed as financial services professionals, and (3) added that dismissal of an action pursuant to a settlement agreement requires disclosure.
    • Regarding the last point in (3), this proposed revision is added in Question 14.e. which, according to the NMLS Policy Committee, is intended to broaden the question to account for how regulatory actions may be brought, including dismissal of an action pursuant to a settlement agreement. However, by including the term “settlement agreement”, which is not separately defined in the NMLS Policy Guidebook, Question 14.e. may potentially require the disclosure of nonpublic settlement agreements, which would be a significant change and perhaps an unintended result. The original questions are limited by the terms “found” (in Question 14.a-c.) and “order” (in Question 14.e.), both of which are defined terms indicating that only public settlement agreements and orders are required to be disclosed. Thus, we recommend that industry members consider whether to submit comments on this question to seek clarification.

Individual Disclosure Questions:

  • Making conforming proposed revisions relating to civil judicial and financial disclosures as described above in the Company Disclosure Questions;
  • Limiting the time period for the disclosure of misdemeanors to the past 10 years;
  • Making clarifications to require disclosure of judicial and non-judicial foreclosures on either commercial or residential property;
  • Adding new questions relating to pending regulatory actions against a holder of a financial services license or other professional license that could result in the restriction, revocation, debarment, or suspension of the license; and
  • Adding new questions regarding any pending financial services civil actions alleging a violation of a financial services statute or regulation for a company over which an individual exercised control, or a prior finding of the same.

Additional Proposed Revisions

In addition to proposed revisions to Company (MU1) and Individual (MU2) disclosure questions, the proposed revisions include amendments to the NMLS Policy Guidebook Glossary Terms.  Significantly, definitions for nine new terms are proposed: (1) Consumer Protection; (2) Court; (3) Efforts to Foreclose; (4) Governmental Entity; (5) Key Individual; (6) Lien; (7) Material Litigation; (8) Third Party Service Provider; and (9) Unsatisfied.  Amendments to existing terms include revising “financial services” to include consumer protection laws or regulations that pertain to enumerated financial services items, and clarifying the term “found” to cover agreements or settlements that are a matter of public record including those in which the findings are neither admitted or denied. The existing term “order” would be amended to add language to cover orders agreed to by the parties such as consent orders and stipulated orders, and to clarify that agreements relating to payments, limitations on activity, or other restrictions are excluded from the definition unless they are in a written directive that otherwise qualifies as an order.


We recommend that industry members, both licensees and applicants on NMLS, review the proposed revisions to the disclosure questions and consider whether to submit comments.  In particular, and as highlighted above, the proposed changes to Question 14.e. would appear to potentially require the disclosure of nonpublic settlement agreements, which would be a significant change from Question 14.e as currently worded.  If so, this may require companies to update their responses to the disclosure questions and submit additional information to NMLS regarding nonpublic settlement agreements.  Comments may be submitted via e-mail to by August 22.

Connecticut and Maryland Adopt Model Mortgage Servicer Prudential Standards

A&B Abstract:

On May 24, 2022, Connecticut enacted legislation that, among other things, adds financial condition and corporate governance requirements for certain licensed mortgage servicers (the “CT Standards”). In similar fashion, the Maryland Commissioner of Financial Regulation (the “Commissioner”) issued a notice of final action on March 25, 2022 adopting similar standards by regulation (the “MD Standards”).  In both instances, the CT and MD Standards are intended to implement the Model State Regulatory Prudential Standards for Nonbank Mortgage Servicers (the “Model Standards”) drafted and released by the Conference of State Bank Supervisors (“CSBS”) last July.

The CSBS Model Standards

As mentioned in our prior blog post, the CSBS initially proposed standards for mortgage servicers in 2020. In July 2021, after substantial revision to the proposed standards, the CSBS adopted the Model Standards to provide states with uniform financial condition and corporate governance requirements for nonbank mortgage servicer regulation while preserving local accountability to consumers and to “provide a roadmap to uniform and consistent supervision of nonbank mortgage servicers nationwide.”

The Model Standards cover two major categories that comprise prudential standards: financial condition and corporate governance. The financial condition component consists of capital and liquidity requirements. Corporate governance components include separate categories for establishment of a board of directors (or “similar body”); internal audit; external audit; and risk management.

The Model Standards apply to nonbank mortgage servicers with portfolios of 2,000 or more 1 – 4-unit residential mortgage loans serviced or subserviced for others and operating in two or more states as of the most recent calendar year end, reported in the Nationwide Multistate Licensing System (“NMLS”) Mortgage Call Report. For purposes of determining coverage under the Model Standards, “residential mortgage loans serviced” excludes whole loans owned and loans being “interim” serviced prior to sale. Additionally, the financial condition requirements in the Model Standards do not apply to servicers solely owning and/or conducting reverse mortgage servicing or the reverse mortgage portfolio administered by forward mortgage servicers that may otherwise be covered under the standards. The capital and liquidity requirements also have limited application to entities that only perform subservicing for others. Moreover, the whole loan portion of portfolios are not included in the calculation of the capital and liquidity requirements.

While CSBS drafted the Model Standards, they are implemented only through individual state legislation or other rulemaking.

Connecticut’s and Maryland’s Implementation of the Model Standards

The CT and MD Standards both track the Model Standards in many respects, including the following:

  • Covered servicers are required to satisfy the Federal Housing Finance Agency’s (“FHFA”) Eligibility Requirements for Enterprise Single-Family Seller/Servicers for minimum capital ratio, net worth and liquidity, whether or not the mortgage servicer is approved for servicing by the government sponsored enterprises (i.e., Fannie Mae and/or Freddie Mac) (the “GSEs”), as well maintain policies and procedures implementing such requirements; these requirements do not apply to servicers solely owning and/or conducting reverse mortgage loan servicing, or the reverse mortgage loan portfolio administered by covered institution that may otherwise be covered under the standards, and do not include the whole loan portion of servicers’ portfolios.
  • With respect to corporate governance, covered servicers are required to establish and maintain a board of directors responsible for oversight of the servicer; however, for covered servicers that are not approved to service loans by one of the GSEs, or Ginnie Mae, or where a federal agency has granted approval for a board alternative, a covered servicer may establish a similar body constituted to exercise oversight and fulfill the board of directors’ responsibilities.
  • A covered mortgage servicer’s board of directors, or approved board alternative, must (1) establish a written corporate governance framework, including appropriate internal controls designed to monitor corporate governance and assess compliance with the corporate governance framework, (2) monitor and ensure institutional compliance with certain established rules, and (3) establish internal audit requirements that are appropriate for the size, complexity and risk profile of the servicer, with appropriate independence to provide a reliable evaluation of the servicer’s internal control structure, risk management and governance.
  • Covered mortgage servicers must receive an annual external audit, which must include audited financial statements and audit reports, conducted by an independent accountant, and which must include: (1) annual financial statements, (2) internal control assessments, (3) computation of tangible net worth, (4) validation of MSR valuation and reserve methodology, (5) verification of adequate fidelity and errors and omissions insurance, and (6) testing of controls related to risk management activities, including compliance and stress testing, as applicable.
  • Covered mortgage servicers must establish a risk management program under the oversight of the board of directors, or the approved board alternative, that addresses the following risks: credit, liquidity, operational, market, compliance, legal, and reputation.
  • Covered mortgage servicers must conduct an annual risk assessment, concluding with a formal report to the board of directors, which must include evidence of risk management activities throughout the year including findings of issues and the response to address those findings.

Notwithstanding the foregoing, the CT Standards appear to deviate from the Model Standards in a few notable ways. First, with respect to coverage, the CT Standards differ from the Model Standards, in that the CT Standards can apply to a servicer who only services Connecticut residential mortgage loans, whereas the Model Standards do not apply unless the servicer operates “in two or more states as of the most recent calendar year end, reported in the [NMLS] Mortgage Call Report.” Additionally, the capital and liquidity requirements under the Model Standards have limited application to entities that only perform subservicing for others, including limiting the definition of “servicing liquidity or liquidity” to entities who own servicing rights. The comments to the Model Standards explain that “[f]inancial condition requirements for subservicers are limited under the FHFA eligibility requirements due to the lack of owned servicing. For example, net worth add-on and liquidity requirements apply only to UPB of servicing owned, thereby limiting the financial requirements for subservicers, and servicers who own MSRs and also subservice for others. However, the base capital and operating liquidity requirements … apply to subservicers.” On the other hand, the capital and liquidity requirements under the CT Standards explicitly do not apply to an entity that solely “performs subservicing for others with no responsibility to advance moneys not yet received in connection with such subservicing activities.”

The MD Standards, on the other hand, largely adopt the Model Standards. However, with respect to internal audit requirements, the MD Standards contain additional guidance, specifying that “[u]nless impracticable given the size of the licensee, internal audit functions shall be performed by employees of the licensee who report to the licensee’s owners or board of directors and who are not otherwise supervised by the persons who directly manage the activities being reviewed.” That said, it is worth noting that in an accompanying notice to servicers and lenders, the Maryland Commissioner of Financial Regulation clarified that the purpose of the MD Standards is “aligning Maryland regulations with nationwide model standards and creating uniform standards regarding safety and soundness, financial responsibility, and corporate governance for certain mortgage service providers.”


Connecticut and Maryland are the first two states to adopt implementing laws or regulations following the CSBS’s adoption of the Model Standards. Connecticut-licensed mortgage servicers subject to the CT Standards must comply by October 1, 2022, the section’s effective date. The MD Standards took effect on June 27, 2022. Servicers subject to the CT and/or MD Standards should review the standards and ensure their business satisfies the applicable requirements. As with any model law, the Model Standards require states to adopt implementing laws or regulations. Accordingly, we expect to see additional states begin to adopt similar measures.

CSBS Proposes Prudential Standards for Servicers

A&B Abstract: The Conference of State Bank Supervisors (“CSBS”) proposed regulatory prudential standards (the “Standards”) to develop a consistent regulatory structure of nonbank mortgage servicers.  Comments on all aspects of the Standards are encouraged by December 31, 2020.


Since the financial crisis, the rapid growth of mortgage bank mortgage servicers has led regulators to call for the enhanced oversight of such entities.  The Financial Stability Oversight Council (charged under the Dodd-Frank Act with identifying risk to the stability of the U.S. markets) recommended in its 2014 and 2019 annual reports that state regulators work collaboratively to develop prudential and corporate governance standards. Earlier this year, the Federal Housing Finance Agency (FHFA) proposed new financial eligibility requirement for nonbank servicers doing business with Fannie Mae and Freddie Mac.

In 2015, state regulators working through the Mortgage Servicing Rights Task Force proposed baseline and enhanced prudential regulatory standards (including capital and net worth requirements) for nonbank mortgage servicers.  Although those standards were not finalized, several states – including Maryland, Oregon and Washington –imposed new net worth requirements for nonbank servicers.

The CSBS’s newly released  proposed standards update the 2015 proposal “to reflect a changed nonbank mortgage market, continued significant growth and complexity and an evolved understanding of state regulators concerning the need for supervisory standards.” The stated goals of the Standards are to: (i) provide better protections for borrowers, investors, and other stakeholders in the occurrence of a stress event, which could result in borrower harm; (ii) enhance regulatory oversight and market discipline; and (iii) improve transparency, accountability, risk management, and corporate governance standards.

Baseline Prudential Standards vs. Enhanced Prudential Standards:

The Standards include proposed baseline prudential standards (“Baseline Standards”) and enhanced prudential standards (“Enhanced Standards”).  The Standards apply to state-licensed nonbank mortgage servicers and investors, including MSR investors, originator servicers, monoline servicers, subservicers and owners of whole loans.  The Standards are not intended to apply to servicers solely owning and conducting reverse mortgage servicing and they -have limited applicability to entities that only perform subservicing for others.

The Baseline Standards, as proposed, will cover eight areas:

  • Capital
  • Liquidity
  • Risk management
  • Data standards and integrity
  • Data protection (including cyber risk)
  • Corporate governance
  • Servicing transfer requirements
  • Change of control requirements

Notably, CSBS and state regulators intend to align supervisory approaches wherever possible, and the proposed standards are intended to do so with the calculations for capital and liquidity under FHFA eligibility requirements but apply the calculations to the entire owned servicing portfolio, including whole loans. To prevent double counting of MRS, the Baseline Standard’s capital and liquidity requirements differentiates “owned” servicing and servicing for others

The Enhanced Standards, as proposed, cover four areas:

  • Capital
  • Liquidity
  • Stress testing and
  • Living will/recovery and resolution planning

The Enhanced Standards are intended to apply to  Complex Servicers,  companies servicing whole loans plus mortgage servicing rights (“MSR(s)”) totaling the lesser of $100 billion or representing at least 2.5% total market share based on Mortgage Call Report quarterly data of licensed nonbank owned whole loans and MSRs. State regulators may determine that specific servicers, including subservicers only, that do not meet the definition of Complex Servicers are subject to the Enhanced Standards based on their unique risk profile, growth, market importance, or financial condition of the institution.

Request for Feedback:

While the CSBS is seeing comments on all aspects of the Standards, they specifically seek feedback on the following questions:

  • Is the need for state prudential standards sufficiently established?
  • Do any of the standards threaten the viability of a servicer or a specific subsector within the industry?
  • What is a reasonable transition period to implement the standards?
  • Are there specific standards that would require additional time to implement?
  • What effect will the enhanced standards have on the warehouse and advance facility borrowing contracts/capacity of large servicers?
  • Is a scaled approach appropriate where all servicers are subject to Baseline Standards and Complex Servicers only subject to Enhanced Standards?
  • Nonbank servicer coverage in the proposal is intentionally unspecific. What should be the appropriate coverage triggers? Should reverse mortgage servicers be included in scope?
Capital and Liquidity
  • Are the capital and liquidity aspects of the proposal alignment with existing and future FHFA Seller/Servicer requirements the right approach?
  • Should there be an alternative net worth calculation method?
  • State supervisors hold jurisdiction over a nonbank servicer’s entire portfolio. Should the FHFA calculations to all owned servicing the appropriate approach?
  • Do you agree with the Standard’s definition for the two types of liquidity needs (servicing liquidity for the direct performance of servicing and operating liquidity for general operations of the organization)?
  • Do you agree that allowable assets for liquidity should align with FHFA’s 2019 Servicer Eligibility 2.0 Proposal?
  • Do the risk management standards appropriately capture the risks faced by nonbank mortgage servicers?
Corporate Governance
  • Should all covered servicers be expected to establish a risk management program under a board of directors scaled to the complexity of the organization?
  • Is it appropriate for the data standards to incorporate the CFPB’s Mortgage Servicing Rules Standards or is there a different alternative that should be considered?
  • Are the data protection standards appropriate for the data risks inherent in nonbank mortgage servicers?
  • Are the Ginnie Mae audit standards the appropriate standards for corporate governance under the Standards?
  • Should all covered nonbank mortgage servicers be required to have a full financial statement audit conducted by an independent certified public accountant?
  • Is it appropriate for the servicing transfer requirements to rely on existing CFPB and FHFA transfer requirements?
  • For change of ownership and contract, do the Standards reflect the correct number of days for notification (30 business days) and appropriate ownership percent trigger (10% or more)?


Some have called for the imposition of federal capital and liquidity standards.  The states, on the other hand, believe that they should be the primary prudential regulator over nonbank mortgage servicers and have developed the Standards to comprehensively cover safety and soundness and consumer protection concerns. While the Standards are very detailed in some areas, they are vague in others such as coverage and implementation.  Consistent implementation, interpretation, and enforcement of the standards will be imperative for the state’s to achieve their objectives.