Alston & Bird Consumer Finance Blog

mortgage lending

CFPB’s War on Mortgage Fees Continues

By ,

What Happened?

Immediately following President Biden’s State of the Union Address announcing plans to lower homebuyer and refinancing costs, the CFPB issued a blog post seeking public input on how mortgage closing costs impact consumers. The CFPB also announced that it will work to monitor closing costs and, “as necessary, issue rules and guidance to improve competition, choice and affordability.” Significantly, the CFPB also signaled that it will continue to use its supervision and enforcement tools for companies that fail to comply with the law.

Why Is It Important?

The CFPB is putting companies on notice that the Bureau will be taking a close look at the total loans costs for originating a residential mortgage loan, including origination fees, appraisal fees, credit report fees, title insurance, discount points, and other fees. In particular, the CFPB is paying “significant attention to the recent rise in discount points,” and seems concerned with the lack of competition in connection with certain fees, such as lender’s title insurance and credit reports. The CFPB also has expressed concerns with how companies may charge lender credits and fees that are financed into the loan amount (through higher interest rates or mortgage insurance payments).

While the CFPB’s blog post does not identify any specific laws, it does provide some clues. First, the Bureau is concerned that some closing costs are high and increasing due to lack of competition. According to the Bureau, “[b]orrowers are required to pay for many of the costs associated with closing a home loan but cannot pick the provider and do not benefit from the service.” Taking unreasonable advantage of the inability of a consumer to protect their interests in selecting or using a consumer financial product or service could be construed as abusive under the Dodd-Frank Act’s UDAAP statute.

Because certain fees are fixed and don’t fluctuate with the loan size or interest rate, the Bureau is concerned that such fees could disproportionately impact borrowers with smaller loans, such as low-income borrowers, first-time borrowers, or Black or Hispanic borrowers.  This could present a fair lending problem under the Equal Credit Opportunity Act. Indeed, the CFPB already has announced that, pursuant to its authority to prevent unfair, deceptive, and abusive acts or practices (“UDAAPs”), the Bureau will begin examining institutions for alleged discriminatory conduct that the Bureau deems to be unfair.

Of course, Congress passed the Dodd-Frank Act to address many of the above concerns, and the TRID Rule already attempts to ensure that consumers are provided with greater and more timely information on the nature and costs of the residential real estate settlement process and are protected from unnecessarily high settlement charges.

What Do I Need to Do?

The CFPB is sending a strong message to the industry that closing fees will be receiving scrutiny from the CFPB.  And knowing that the CFPB has been on a hiring spree in its enforcement division, now is a good time to take a close look at the fees being charged from both a UDAAP and fair lending perspective.  The team at Alston & Bird has deep knowledge on mortgage fees and is happy to assist with such a review.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

By ,

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.

New York DFS to Impose Climate Change Safety and Soundness Expectations on Mortgage Lenders, Servicers, and other Regulated Organizations

By

What Happened?

On December 21, 2023, the New York Department of Financial Services (“NYDFS”) published an 18-page guidance document (the “Guidance”) on managing material, financial and operational risks due to climate change. The NYDFS issued the Guidance after considering feedback it received on proposed guidance it issued in December 2022 on the same topic. The Guidance applies to New York State regulated mortgage lenders and servicers, as well as New York State regulated banking organizations, licensed branches and agencies of foreign banking organizations (collectively, “Regulated Organizations”).

Why Is It Important?

The NYDFS has set forth its expectations, replete with examples, for Regulated Organizations to strategically manage climate change-related financial and operational risks and identify necessary actions proportionate to their size, business activities and risk profile.  Such expectations include:

  • Corporate Governance: An organization’s board of directors should establish a risk management framework, including its overall business strategy and risk appetite, which include climate related financial and operational risks, and holding management accountable for implementation. Such framework should be integrated within an organization’s three lines of defense – quality assurance, quality control and internal audit. Recognizing that low and moderate income (“LMI”) communities may be adversely impacted from climate change, the NYDFS expects an organization’s board of directors to direct management to “minimize and affirmatively mitigate disproportionate impacts” which could violate fair lending and other consumer finance laws. On that note, the NYDFS reminds organizations to consider opportunities to mitigate financial risk through financing or investment opportunities which enhance climate resiliency and are eligible for credit under the New York Community Reinvestment Act.
  • Internal Control and Risk Management: Regulated Organizations should also consider and incorporate climate related financial risks when identifying and mitigating all types of risks, including credit, liability, market, legal/compliance risk, and operational and strategic risk. The NYDFS defines financial risks from climate change to include physical risks from more intense weather events as well as transition risks, resulting from “economic and behavior changes driven by policy and regulation, new technology, consumer and investor preferences and changing liability risks.” The NYDFS recognizes that insurance is an important mitigant to climate change risk but cautions that the availability of such insurance in the future is not guaranteed.
  • Data Aggregation and Reporting: Regulated Organizations should establish systems to aggregate data and internally report its efforts to monitor climate related financial risk to facilitate board and senior management decision making. Such organizations also should consider developing and implementing climate scenario analyses.

What Do You Need to Do?

The NYDFS stresses that organizations should not let “uncertainty and data gaps justify inaction.” Although the NYDFS has not issued a timeline for implementation of the Guidance or begun incorporating such expectations into examinations (which will be coordinated with the prudential regulators to align with joint supervisory processes), now is the time to begin integrating climate-related financial and operational risks into your company’s organizational structure, business strategies and risk management operations.  This will help you prepare for when your organization is required to respond to the request for information which the NYDFS anticipates sending out later this year.  It is anticipated that the NYDFS will ask for information on the steps your organization has taken or will take within a specified period to manage financial and operational climate-related risks, including government structure, business strategy, risk management, operational resiliency measures, and metrics to measure risks.

Mortgage Industry Update: Washington DFI Holds First Mortgage Industry Webinar of 2024

By

A&B Abstract:

On January 24th, the Washington Department of Financial Institutions (the “DFI”) conducted its first Mortgage Industry Webinar of 2024 and provided updates in the areas of licensing, examination, and enforcement. Highlights from the Webinar are briefly summarized below.

Licensing Update

The DFI provided the following snapshot of licensing activity as of December 31, 2023:

  • Company licenses increased since the prior year.
  • Branch licenses decreased due to authorized remote work by mortgage loan originators (“MLO”).
  • MLO licenses decreased compared to previous years.
  • 70 % of MLOs submitted renewals, representing an increase of 10% from the prior year.
  • 30% of reinstatement/late renewals submitted so far this month.
  • The DFI approved 230 company applications, 950 branch applications and approximately 3,300 individual applications.

Examination Update

The DFI also provided an overview of the following common violations found during examinations conducted of MLOs, mortgage brokers, residential mortgage loan servicers, and consumer loan licensees:

  • Failure to maintain records for 3 years.
  • Failure to date mortgage loan applications and/or complete required information.
  • Failure to maintain supervisory plans.
  • Failure to submit accurate mortgage call reports (“MCRs”) by certain mortgage brokers.
  • Failure to complete all required information on license applications.
  • Failure to report accurate information to the credit bureaus.
  • Failure to conspicuously disclose fees.
  • Failure to report mortgage loan payoffs by certain mortgage loan servicers.

Additionally, in response to an inquiry regarding the rating system used by the DFI in conducting examinations, the DFI explained that it uses a rating scale of 1 to 5, where 1 would be the best rating, and 5 would be the worst rating.

Enforcement Update

The DFI also provided an overview of complaints investigated by its Enforcement Unit during the last quarter of 2023 and identified certain common violations under Washington’s Mortgage Broker Practices Act (“MBPA”) and the Consumer Loan Act (“CLA”).

Specifically, the DFI indicated that it saw an increase in:

  • Instances where address locations of branches or companies were found to be changed and contact information changed without corresponding updates in the NMLS.
  • Complaints alleging unlicensed activity by loan modification companies.
  • Complaints alleging advertising violations, such as providing misleading information about interest rates by indicating that a loan is “interest free” without proper disclosure.

Further, with respect to unlicensed MLO activity, the DFI indicated that it examines the actual activity performed by the individual in question, and if the individual’s activity meets the definition of an MLO, then that individual has engaged in mortgage loan activity and must be licensed as an MLO.

Finally, the DFI indicated that its Enforcement Unit closed more than 950 complaints that resulted in (1) $80,000 in restitution granted to impacted consumers, (2) the postponement or halting of at least 10 or more foreclosures, and (3) the granting of several loan modifications.

Takeaway

Licensees under the MBPA or CLA are encouraged to review the issues identified by the DFI against their policies, procedures, and practices to ensure compliance with the requirements under the MBPA and/or CLA.

Don’t Miss the Small Stuff Lenders: New Mexico Issues Regulatory Guidance for Completing the “Freedom to Choose” Insurance Company Form

By

A&B Abstract:

Under New Mexico’s Insurance Code, it has been a long-standing requirement that lenders may not condition a loan of money on the procurement of insurance from any particular insurer, agent, solicitor, or broker.  The lender is required to inform the buyer of their rights “regarding the placement of insurance on a form prescribed by the superintendent” and the borrower must “signify that he has been so informed.”  The form of the required “Freedom to Choose” is provided by regulation to the Insurance Code as follows:

FREEDOM TO CHOOSE INSURANCE COMPANY AND INSURANCE PROFESSIONAL

The undersigned person hereby acknowledges that I have been informed by (individual’s name) on behalf of (name of lender) that, although I may be required by the seller or lender to purchase insurance to cover the property that is being used as security for the loan, I may purchase that insurance from the insurance company or agent of my choice, and cannot be required by the seller or lender, as a condition of the sale or loan, to purchase or renew any policy of insurance covering the property through any particular insurance company, agent, solicitor, or broker. I hereby acknowledge receipt of a true copy of this notice on the _____day of_____________, _____.

__________________________________

(Signature of Purchaser or Borrower)

The New Mexico Financial Institutions Division (FID) issued regulatory guidance (the “Guidance”) this month as some lenders have not been completing the form correctly.  The Guidance clarifies that the “Freedom to Choose” notice requires the name of the individual providing the notice, and the FID finds the practice of providing only the company name in the blank reserved for the individual’s name as a violation of the Insurance Code.

 Takeaway:

Lenders take note as this is an easy violation to avoid.  To that end, now is a good time to review your New Mexico policies, procedures and QC reviews to ensure compliance with this requirement.  Please don’t hesitate to reach out with any questions on when the form is required and how to ensure it is completed correctly.  While the FID’s Guidance does not speak to penalties, it is worth noting that the Superintendent of the New Mexico Regulation and Licensing Department has authority to impose monetary penalties for violations of this provision, including a fine not to exceed $500 per violation. The statute also authorizes administrative penalties and civil actions.