Alston & Bird Consumer Finance Blog

Ginnie Mae

Large Nonbank Ginnie Mae Issuers: Ginnie Mae Wants Your Recovery Plans

What Happened?

Following the release of the Financial Stability Oversight Council (FSOC) Report on Nonbank Mortgage Servicing, Ginnie Mae announced in APM 24-08 that certain large nonbank Ginnie Mae Issuers will now be required to prepare and submit recovery plans to address the event of a material adverse change in business operations or failure. Such issuers will also be required to attest to the content in the recovery plans every two years.

Why Does it Matter?

To understand why it matters, it is important to consider some interesting statistics. According to the recent report of FSOC (an interagency panel of regulators commissioned by the Dodd-Frank Act to monitor financial stability) on nonbank mortgage servicing, the share of loans serviced by nonbank mortgage servicers for Ginnie Mae rose from 34 percent in 2014 to 83 percent in 2023. For the last several annual reports, FSOC has highlighted the vulnerabilities of nonbank mortgage companies. In its most recent report specific to nonbank mortgage servicing, FSOC has indicated that such concerns are becoming “more acute” because of the government’s increasing exposure to nonbank mortgage companies, the strain on mortgage origination due to the high interest rate environment, and the fact that “vulnerabilities in mortgage origination can bleed into mortgage servicing.” FSOC is particularly concerned with the ability of nonbank mortgage companies to carry out their responsibilities in times of stress and provides, in relevant part, that “[t]he federal government has an interest in addressing servicing risks due to . . . the direct responsibility for Ginnie Mae’s guarantee to bond investors.” FSOC encourages Congress to provide Ginnie Mae more tools to manage counterparty risk. Unless and until that occurs, it should come as no surprise that Ginnie Mae is utilizing its existing tools for managing the failure of servicers (such as facilitating servicing transfers) by requiring its nonbank Issuers to document how they would proceed if an adverse event were to occur.

What Do I Need to Do?

First, it is important to determine if your company is subject to these new obligations.  Generally speaking, nonbank Ginnie Mae Issuers whose portfolios equal or exceed a remaining principal balance of $50 billion at the end of December 31, 2024 will be required to prepare and submit recovery plans to Ginnie Mae by no later than June 30, 2025. Of note, the requirements do not apply to bank holding companies, banks, wholly owned subsidiaries of bank holding companies that are consolidated for purposes of regulatory oversight, thrifts, savings and loan holding companies, and credit unions.

Second, it is important to start developing a plan which, at a high level, must include:

  • Business Operations Description: For business operations relevant to the Ginnie Mae MBS Program (i.e., single-family, multi-family, manufactured housing and HECM), the plan must provide a detailed description of the company’s corporate structure, identify the interconnections and interdependencies among the company and its key stakeholders, related financial entities, and critical operations of the core business. The plan must also identify major counterparties, to whom the company had pledged MBS collateral, and the locations of its servicing operations.
  • Information Systems: In the event that Ginnie Mae must complete a servicing transfer, it is requiring companies to provide a detailed inventory and description of all key management information systems and applications in servicing Ginnie Mae loans along with a mapping of such systems and a description of how ancillary systems feed into the core servicing system.
  • Recovery Planning: Companies will need to consider and respond to a series of questions including, but not limited to, providing a general framework for the order in which the company’s assets would be liquidated in the event of a material adverse event and identifying whether funding has been set aside to continue operations for a certain period. Ginnie Mae also requires companies to describe how intercompany services would continue under such circumstances and to provide excerpts of their business continuity plans relevant to this recovery planning exercise.
  • Current Documentation: Ginnie Mae requires the plan to identify a senior management official who will serve as a point of contact and to include a vendor directory for material vendors.

While the deadline for submitting recovery plans to Ginnie Mae is June 30, 2025, it is not too early to start gathering all the stakeholders, calendaring the deadline, and starting the framework for a thoughtful plan.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guaranty Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae. Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days. Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guaranty Agreement. It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonesty or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to those of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.