Alston & Bird Consumer Finance Blog

Ginnie Mae

Enhanced Financial Monitoring of Nonbank Mortgage Servicers is Coming Soon

By

What Happened?

On February 10th, the U.S. Government Accountability Office (the GAO) published a report on nonbank mortgage servicers’ financial risk due to their growing role in the U.S. housing finance system, titled “Nonbank Mortgage Companies: Ginnie Mae and FHFA Could Enhance Financial Monitoring” (the GAO Report). The GAO Report draws from the GAO’s prior work and from the Financial Stability Oversight Council’s 2024 Report on Nonbank Mortgage Servicing, which we discussed in a prior blog.

The GAO Report addresses (i) the growing role of nonbanks in the mortgage market since 2024, and (ii) Ginnie Mae’s and FHFA’s processes for assessing the financial condition of nonbank mortgage companies. The report includes several recommendations. Both Ginnie Mae and the FHFA agreed with these recommendations and signaled that changes may be coming later this fall.

Why Does it Matter?

For over a decade, the Conference of State Bank Supervisors and federal regulators have sought to impose financial condition requirements on nonbank servicers. Over time, regulators have issued multiple recommendations and have imposed enhanced capital and liquidity requirements on these entities. The GAO Report builds on that prior work and provides concrete recommendations to Ginnie Mae and the FHFA—the regulator for Fannie Mae and Freddie Mac (the GSEs).

Once implemented, the revised requirements will flow down to the nonbanks that service GSE and agency (e.g., HUD/FHA, VA, USDA) loans.

According to the GAO Report, “[f]inancial monitoring of nonbanks has become increasingly important because of nonbanks’ expanding market role and financial vulnerabilities.” Nonbanks now service the majority of federally backed mortgages, which secure more than $9 trillion in securities backed by Ginnie Mae, Fannie Mae and Freddie Mac—a market share that has increased from 27% in 2014 to 66% in 2024. The share of nonbank originations has also grown extensively in the past decade—from 51% in 2014 to 76% in 2024.

The GAO Report recognizes the benefits nonbanks provide to markets and consumers, including increased liquidity, adoption of new technology, and playing a large role in serving the needs of underserved borrowers. However, consistent with other reports, the GAO Report concludes that the federal monitoring framework does not fully capture the liquidity and funding risk due in part to (i) the lack of a federal prudential regulator, (ii) fragmented oversight that increases the likelihood that weaknesses go undetected, (iii) nonbanks’ reliance on short-term warehouse credit that may become unavailable during economic downturns, and (iv) the potential for substantial government exposure.

Key Recommendations

Given these vulnerabilities, the GAO Report identifies specific opportunities for FHFA and Ginnie Mae to improve how they assess nonbanks’ financial condition. The recommendations focus primarily on data reliability, warehouse lending risk, which is viewed as a key liquidity risk, and consideration of nonbank stress scenarios. Specifically:

Improve Reliability of MBFRF Data

FHFA and Ginnie Mae rely on the data reported by mortgage servicers on the Mortgage Bankers Financial Reporting Form (MBFRF) to monitor the financial condition of nonbanks. Both agencies have identified reliability issues in the data reported on the MBFRF. While Ginnie Mae has already implemented certain controls, the GAO Report recommends that FHFA develop procedures to improve the quality and reliability of MBFRF data.

Improve Qualitative Assessment of Nonbanks to Fully Address Warehouse Lending Risks and Stress Test Scenarios

The GAO Report identifies five key components of warehouse lending risk:

  • Diversification: Number of warehouse lines available to a nonbank;
  • Utilization: Portion of available credit in use;
  • Maturity: Credit line maturity dates;
  • Covenant violations: Financial or collateral breaches that could lead to termination of the credit line; and
  • Committed amount: Extent of committed versus uncommitted capacity (i.e., a lender may be able to reprice an uncommitted amount at any time whereas a committed line can be altered in limited circumstances).

Neither FHFA’s nor Ginnie Mae’s monitoring currently captures all five components. The GAO Report recommends that FHFA assess the “feasibility and utility” of including all five components in its risk scoring process. For Ginnie Mae, the GAO Report recommends developing guidance that requires analysts to consistently review warehouse lending risks—particularly committed funding amounts—as part of its manual credit review process.

Expand Stress Testing Framework to Consider Alternative Economic Framework

In monitoring counterparty risk, Ginnie Mae currently conducts stress tests, but those tests only simulate a protracted recession. The GAO Report recommends that Ginnie Mae expand its stress testing framework to address other economic stress scenarios, such as stagflation—a type of recession where delinquencies rise and interest rates remain high (which means lower originations).

What Do You Need to Do?

Regulators continue to focus on the potential vulnerabilities of nonbank mortgage lenders and servicers—a priority that has persisted across both Democratic and Republican administrations, signaling that these issues will remain an area of focus. Both FHFA and Ginnie Mae have accepted the GAO’s recommendations, and changes are expected later this year. As a result, now is a good time to conduct additional stress testing using a broader range of economic stress scenarios. Additionally, FHFA indicated that, by September 30, 2026, its Division of Enterprise Regulation (DER) will develop procedures for assessing the reliability of MBRFR data and handling potentially unreliable data. Accordingly, nonbanks should ensure they have appropriate controls in place to support accurate MBFRF reporting.

Large Nonbank Ginnie Mae Issuers: Ginnie Mae Wants Your Recovery Plans

By

What Happened?

Following the release of the Financial Stability Oversight Council (FSOC) Report on Nonbank Mortgage Servicing, Ginnie Mae announced in APM 24-08 that certain large nonbank Ginnie Mae Issuers will now be required to prepare and submit recovery plans to address the event of a material adverse change in business operations or failure.  Such issuers will also be required to attest to the content in the recovery plans every to two years.

Why Does it Matter?

To understand why it matters, it is important to consider some interesting statistics.  According to the recent report of FSOC (an interagency panel of regulators commissioned by the Dodd Frank Act to monitor financial stability) on nonbank mortgage servicing, the share of loans serviced by nonbank mortgage servicers for Ginnie Mae rose from 34 percent in 2014 to 83 percent in 2023.  For the last several annual reports, FSOC has highlighted the vulnerabilities of nonbank mortgage companies.  In its most recent report specific to nonbank mortgage servicing, FSOC has indicated that such concerns are becoming “more acute” because of government’s increasing exposure to nonbank mortgage companies, the strain on mortgage origination due to the high interest rate environment, and the fact that “vulnerabilities in mortgage origination can bleed into mortgage servicing.”  FSOC is particularly concerned with the ability of nonbank mortgage companies to carry out their responsibilities in times of stress and provides, in relevant part, that “[t]he federal government has an interest in addressing servicing risks due to . . . the direct responsibility for Ginnie Mae’s guarantee to bond investors.” FSOC encourages Congress to provide Ginnie Mae more tools to manage counterparty risk.  If and until that occurs, it should come as no surprise that Ginnie Mae is utilizing its existing tools for managing the failure of servicers (such as facilitating servicing transfers), by requiring its nonbank Issuers to document how they would proceed if an adverse event were to occur.

What Do I Need to Do?

First, it is important to determine if your company is subject to these new obligations.  Generally speaking, nonbank Ginnie Mae Issuers whose portfolios equal or exceed a remaining principal balance of $50 billion at the end of December 31, 2024 will be required to prepare and submit recovery plans to Ginnie Mae by no later than June 30, 2025. Of note, the requirements do not apply to bank holding companies, banks, wholly owned subsidiaries of bank holding companies that are consolidated for purposes of regulatory oversight, thrifts, savings and loan holding companies, and credit unions.

Second, it is important to start developing a plan which, at a high level, must include:

  • Business Operations Description: For business operations relevant to the Ginnie Mae MBS Program (i.e., single-family, multi-family, manufactured housing and HECM), the plan must provide a detailed description of the company’s corporate structure, identify the interconnections and interdependencies among the company and its key stakeholders, related financial entities, and critical operations of the core business. The plan must also identify major counterparties, to whom the company had pledged MBS collateral, and the locations of its servicing operations.
  • Information Systems: In the event that Ginnie Mae must complete a servicing transfer, it is requiring companies to provide a detailed inventory and description of all key management information systems and applications in servicing Ginnie Mae loans along with a mapping of such systems and a description of how ancillary systems feed into the core servicing system.
  • Recovery Planning: Companies will need to consider and respond to a series of questions including but not limited to, providing a general framework for the order in which the company’s assets would be liquidated in the event of a material adverse event, identifying whether funding has been set aside to continue operations for a certain period. Ginnie Mae also requires how intercompany services would continue under such circumstances and to provide excerpts of its business continuity plan relevant to this recovery planning exercise.
  • Current Documentation: Ginnie Mae requires the plan to identify senior management official who will serve as a point of contact and a vendor directory for material vendors.

While the deadline for submitting recovery plans to Ginnie Mae is June 30, 2025, it is not too early to start gathering all the stakeholders, calendaring the deadline, and starting the framework for a thoughtful plan.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

By ,

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.