Alston & Bird Consumer Finance Blog

Mortgage Servicing

Fannie Mae Issues Guidance in Response to New York Foreclosure Abuse Prevention Act

What Happened?

On March 13, 2024, Fannie Mae issued Servicing Guide Announcement (SVC-2024-02) (the “Announcement”), which announced, among other things, updates to Fannie Mae’s Loan Modification Agreement (Form 3179), with additional instructions in response to the New York Foreclosure Abuse Prevention Act (“FAPA”). Specifically, for all Loan Modification Agreements (Form 3179) sent to a borrower for signature on or after July 1, 2024, servicers are required to amend the modification agreement to insert the following as new paragraphs 5(e) and (f) for a mortgage loan secured by a property in New York:

(e) Borrower promises to pay the debt evidenced by the Note and Security Instrument.  Further, Borrower acknowledges and agrees that any election by Lender to accelerate the debt evidenced by the Note and Security Instrument and the requirement by Lender of immediate payment in full thereunder is revoked upon the first payment made under the Agreement; and, the Note and Security Instrument, as amended by the Agreement, are returned to installment status and the obligations under the Note and Security Instrument remain fully effective as if no acceleration had occurred.

(f) Borrower further agrees to execute or cause to be executed by counsel, if applicable, a stipulation (to be filed with the court in the foreclosure action), that the Lender’s election to accelerate the debt evidenced by the Note and Security Instrument and requirement of immediate payment in full thereunder is revoked upon the first payment made under the Agreement and the debt evidenced by the Note and Security Instrument is deaccelerated at that time pursuant to New York General Obligations Law § 17-105, or other applicable law.

Fannie Mae encourages servicers to implement these changes immediately but requires that servicers do so for all modification agreements sent to the borrower for signature on and after July 1, 2024. Freddie Mac does not yet appear to have issued similar guidance.

Why Is It Important?

As we previously discussed in a prior blog post, FAPA reversed judicial precedent that permitted a lender, after default, to unilaterally undo the acceleration of a mortgage and stop the running of the statute of limitations in a foreclosure action through voluntary dismissal, discontinuance of foreclosure actions, or de-acceleration letters. For more than a year following FAPA’s enactment, the mortgage industry has grappled with how to address certain of the risks created by FAPA, including whether certain language could be adopted and incorporated into servicers’ loss mitigation documents to mitigate FAPA risk.

Fannie Mae’s Announcement is significant because it represents the first piece of guidance from a federal agency or government-sponsored enterprise (i.e., Fannie Mae or Freddie Mac) that provides some clarity as to what language may be appropriate to mitigate certain of the risks engendered by the New York FAPA.

What Do I Need to Do?

Servicers of Fannie Mae-backed mortgage loans (secured by property in New York) should evaluate their loss mitigation processes and make appropriate updates to ensure compliance with the Announcement.  Servicers should also continue to monitor for additional guidance or caselaw as this issue remains in flux.

CFPB and FTC Amicus Brief Signals Stance on “Pay-to-Pay” Fees under FDCPA

What Happened?

On February 27, the Consumer Finance Protection Bureau (CFPB) and the Federal Trade Commission (FTC) filed an amicus brief in the 11th Circuit case Glover and Booze v. Ocwen Loan Servicing, LLC arguing that certain convenience fees charged by mortgage servicer debt collectors are prohibited by the Fair Debt Collection Practices Act (FDCPA).  This brief comes on the heels of an amicus brief Alston & Bird LLP filed on behalf of the Mortgage Bankers Association (MBA).  In its brief, the MBA urged the 11th Circuit to uphold the legality of the fees at issue.

While litigation surrounding convenience fees has spiked in recent years, there is no consensus on whether convenience fees violate the FDCPA.  Federal courts split on the issue, as there is little guidance at the circuit court level, and the issue before the 11th Circuit is one of first impression.  Consequently, the 11th Circuit’s ruling could significantly impact what fees a debt collector is permitted to charge, both within that circuit and nationwide.

Why is it Important?

Convenience fees or what the agencies refer to as “pay-to-pay” fees are the fees charged by servicers to borrowers for the use of expedited payment methods like paying online or over the phone.  Borrowers have free alternative payment methods available (e.g., mailing a check) but choose to pay for the convenience of a faster payment method.

Section 1692f(1) of the FDCPA provides that a “debt collector may not use unfair or unconscionable means to collect or attempt to collect any debt,” including the “collection of any amount (including any interest, fee, charge, or expense incidental to the principal obligation) unless such amount is expressly authorized by the agreement creating the debt or permitted by law.”  The CFPB and FTC argues that Section 1692f(1)’s prohibition extends to the collection of pay-to-pay fees by debt collectors unless such fees are expressly authorized by the agreement creating the debt or affirmatively authorized by law.

First, the agencies contend that pay-to-pay fees fit squarely with the provision’s prohibition on collecting “any amount” in connection with a debt and that charging this fee constitutes a “collection” under the FDCPA.  Specifically, the agencies attempt to counter Ocwen’s argument that the fees in question are not “amounts” covered by Section 1692f(1) because the provision is limited to amounts “incidental to” the underlying debt. They argue that fees need not be “incidental to” the debt in order to fall within the scope of Section 1692f(1). In making this point, the agencies claim the term “including” as used is the provision’s parenthetical suggests that the list of examples is not an exhaustive list of all the “amounts” covered by the provision.  Further, the agencies attempt to counter Ocwen’s argument that a “collection” under the FDCPA refers only to the demand for payment of an amount owed (i.e., a debt). They argue that Ocwen’s understanding of “collects” is contrary to the plain meaning of the word; rather, the scope of Section 1692f(1) is much broader and encompasses collection of any amount , not just those which are owed.

Next, focusing on the FDCPA’s exception for fees “permitted by law,” the agencies contend that a fee is not permitted by law if it is authorized by a valid contract (that implicitly authorizes the fee as a matter of state common law). The agencies suggest if such fees could be authorized by any valid agreement, the first category of collectable fees defined by Section 1692(f)(1)—those “expressly authorized by the agreement creating the debt”—would be superfluous. Lastly, the Agencies argue neither the Electronic Funds Transfer Act nor the Truth in Lending Act – the two federal laws Ocwen relies on in its argument – affirmatively authorizes pay-to-pay fees.

What Do You Need to Do?

Stay tuned. The 11th Circuit has jurisdiction over federal cases originating in Alabama, Florida, and Georgia. Its ruling is likely to have a significant impact on whether debt collectors may charge convenience fees to borrowers in those states, and it could be cited as persuasive precedent in courts nationwide.

Ginnie Mae Imposes Cybersecurity Incident Notification Obligation

What Happened?

On March 4, 2024, Ginnie Mae issued All Participant Memorandum (APM) 24-02 to impose a new cybersecurity incident notification requirement. Ginnie Mae has also amended its Mortgage-Backed Securities Guide to reflect this new requirement.

Effective immediately, all Issuers, including subservicers, of Ginnie Mae Mortgage-Backed Securities (Issuers) are required to notify Ginnie Mae within 48 hours of detection that a “Significant Cybersecurity Incident” may have occurred.

Issuers must provide email notification to Ginnie Mae with the following information:

  • the date/time of the incident,
  • a summary of in the incident based on what is known at the time of notification, and
  • designated point(s) of contact who will be responsible for coordinating any follow-up activities on behalf of the notifying party.

For purposes of this reporting obligation, a “Significant Cybersecurity Incident” is “an event that actually or potentially jeopardizes, without lawful authority, the confidentiality, integrity of information or an information system; or constitutes a violation of imminent threat of violation of security policies, security procedures, or acceptable use policies or has the potential to directly or indirectly impact the issuer’s ability to meet its obligations under the terms of the Guaranty Agreement.”

Once Ginnie Mae receives notification, it may contact the designated point of contact to obtain further information and establish the appropriate level of engagement needed, depending on the scope and nature of the incident.

Ginnie Mae also previewed that it is reviewing its information security requirements with the intent of further refining its information security, business continuity and reporting requirements.

Why Is It Important?

Under the Ginnie Mae Guarantee Agreement, Issuers are required to furnish reports or information as requested by Ginnie Mae.  Any failure of the Issuer to comply with the terms of the Guaranty Agreement constitutes an event of default if it has not been corrected to Ginnie Mae’s satisfaction within 30 days.  Moreover, Ginnie Mae reserves the right to declare immediate default if an Issuer receives three or more notices for failure to comply with the Guarantee Agreement.  It is worth noting that an immediate default also occurs if certain acts or conditions occur, including the “submission of false reports, statements or data or any act of dishonestly or breach of fiduciary duty to Ginnie Mae related to the MBS program.”

Ginnie Mae’s notification requirement adds to the list of data breach notification obligations with which mortgage servicers must comply. For example, according to the Federal Trade Commission, all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply. For example, with respect to mortgage servicing, both Fannie Mae and Freddie Mac impose notification obligations similar to that of Ginnie Mae.

What Do I Need to Do?

If you are an Issuer and facing a cybersecurity incident, please take note of this reporting obligation. For Issuers who have not yet faced a cybersecurity incident, now is the time to ensure you are prepared as your company could become the next victim of a cybersecurity incident given the rise in cybersecurity attacks against financial services companies.

As regulated entities, mortgage companies must ensure compliance with all the applicable reporting obligations, and the list is growing.  Our Cybersecurity & Risk Management Team can assist.

Mortgage Industry Update: Washington DFI Holds First Mortgage Industry Webinar of 2024

A&B Abstract:

On January 24th, the Washington Department of Financial Institutions (the “DFI”) conducted its first Mortgage Industry Webinar of 2024 and provided updates in the areas of licensing, examination, and enforcement. Highlights from the Webinar are briefly summarized below.

Licensing Update

The DFI provided the following snapshot of licensing activity as of December 31, 2023:

  • Company licenses increased since the prior year.
  • Branch licenses decreased due to authorized remote work by mortgage loan originators (“MLO”).
  • MLO licenses decreased compared to previous years.
  • 70 % of MLOs submitted renewals, representing an increase of 10% from the prior year.
  • 30% of reinstatement/late renewals submitted so far this month.
  • The DFI approved 230 company applications, 950 branch applications and approximately 3,300 individual applications.

Examination Update

The DFI also provided an overview of the following common violations found during examinations conducted of MLOs, mortgage brokers, residential mortgage loan servicers, and consumer loan licensees:

  • Failure to maintain records for 3 years.
  • Failure to date mortgage loan applications and/or complete required information.
  • Failure to maintain supervisory plans.
  • Failure to submit accurate mortgage call reports (“MCRs”) by certain mortgage brokers.
  • Failure to complete all required information on license applications.
  • Failure to report accurate information to the credit bureaus.
  • Failure to conspicuously disclose fees.
  • Failure to report mortgage loan payoffs by certain mortgage loan servicers.

Additionally, in response to an inquiry regarding the rating system used by the DFI in conducting examinations, the DFI explained that it uses a rating scale of 1 to 5, where 1 would be the best rating, and 5 would be the worst rating.

Enforcement Update

The DFI also provided an overview of complaints investigated by its Enforcement Unit during the last quarter of 2023 and identified certain common violations under Washington’s Mortgage Broker Practices Act (“MBPA”) and the Consumer Loan Act (“CLA”).

Specifically, the DFI indicated that it saw an increase in:

  • Instances where address locations of branches or companies were found to be changed and contact information changed without corresponding updates in the NMLS.
  • Complaints alleging unlicensed activity by loan modification companies.
  • Complaints alleging advertising violations, such as providing misleading information about interest rates by indicating that a loan is “interest free” without proper disclosure.

Further, with respect to unlicensed MLO activity, the DFI indicated that it examines the actual activity performed by the individual in question, and if the individual’s activity meets the definition of an MLO, then that individual has engaged in mortgage loan activity and must be licensed as an MLO.

Finally, the DFI indicated that its Enforcement Unit closed more than 950 complaints that resulted in (1) $80,000 in restitution granted to impacted consumers, (2) the postponement or halting of at least 10 or more foreclosures, and (3) the granting of several loan modifications.

Takeaway

Licensees under the MBPA or CLA are encouraged to review the issues identified by the DFI against their policies, procedures, and practices to ensure compliance with the requirements under the MBPA and/or CLA.

CFPB’s Message to Mortgage Servicers: Make Sure You Comply with RESPA’s Force-Placed Insurance Requirements

A&B Abstract:

In Case You Missed It:  At the recent Federal Housing Finance Agency’s Symposium on Property Insurance, CFPB Director Rohit Chopra spoke about force-placed insurance and conveyed the following message: “The CFPB will be carefully monitoring mortgage market participants, especially mortgage servicers to ensure they are meeting all of their obligations to consumers under the law.”

The CFPB’s servicing rules set forth in RESPA’s Regulation X specifically regulate force-placed insurance. For purposes of those requirements, the term “force-placed insurance” means hazard insurance obtained by a servicer on behalf of the owner or assignee of a mortgage loan that insures the property securing such loan. In turn, “hazard insurance” means insurance on the property securing a residential mortgage loan that protects the property against loss caused by fire, wind, flood, earthquake, falling objects, freezing, and other similar hazards for which the owner or assignee of such loan requires assistance. However, force-placed insurance excludes, for example, hazard insurance required by the Flood Disaster Protection Act of 1973, or hazard insurance obtained by a borrower but renewed by a company in accordance with normal escrow procedures.

Given the Bureau’s announcement, now is a good time to confirm that your company has adequate controls in place to ensure compliance with all of the technical requirements of RESPA’s force-placed insurance provisions.  Set forth below are some of the many questions to consider:

Escrowed Borrowers:

  • When a borrower maintains an escrow account and is more than 30 days past due, does the company ensure that force-placed insurance is only purchased if the company is unable to disburse funds from the borrower’s escrow account?
    • A company will be considered “unable to disburse funds” when the company has a reasonable basis to believe that (i) the borrower’s hazard insurance has been canceled (or was not renewed) for reasons other than nonpayment of premium charges; or (ii) the borrower’s property is vacant.
    • However, a company will not be “unable to disburse funds” only because the escrow account does not contain sufficient funds to pay the hazards insurance charges.

Required Notices:

  • Does the company ensure that the initial, reminder, and renewal notices required for force-placed insurance strictly conform to the timing, content, format, and delivery requirements of Regulation X?

Charges and Fees:

  • Does the company ensure that no premium charge or fee related to force-placed insurance will be assessed to the borrower unless the company has met the waiting periods following the initial and reminder notices to the borrower that the borrower has failed to comply with the mortgage loan contract’s requirements to maintain hazard insurance, and sufficient time has elapsed?
  • Are the company’s fees and charges bona fide and reasonable? Fees and charges should:
    • Be for services actually performed;
    • Bear a reasonable relationship to the cost of providing the service(s); and
    • Not be prohibited by applicable law.
  • Does the company have an adequate basis to assess any premium charge or fee related to force-placed insurance, meaning that the company has a reasonable basis to believe that the borrower has failed to comply with the mortgage loan contract’s requirement to maintain hazard insurance because the borrower’s coverage is expiring, has expired or is insufficient?
  • Does the company have appropriate controls in place to ensure that the company will not assess any premium charge or fee related to force-place insurance to the borrower if the company receives evidence that the borrower has maintained continuous hazard insurance coverage that complies with the fee requirements of the loan contract prior to the expiration of the waiting periods (at least 45 days have elapsed since the company delivered the initial notice and at least 15 days have elapsed since the company delivered the reminder notice)?
  • Will the company accept any of the following as evidence of continuous hazard insurance coverage:
    • A copy of the borrower’s hazard insurance policy declarations page;
    • The borrower’s insurance certificate;
    • The borrower’s insurance policy; or
    • Another similar form of written confirmation?
  • Does the company recognize that the borrower will be considered to have maintained continuous coverage despite a late payment when applicable law or the borrower’s policy contemplates a grace period for the payment of the hazard insurance premium and a premium payment is made within that period and accepted by the insurance company with no lapse in coverage?
  • Within 15 days of receiving evidence (from any source) demonstrating that the borrower has maintained hazard insurance coverage that complies with the hazard insurance requirements in the loan contract, does the company:
    • Cancel any force-placed insurance that the company has purchased to insure the borrower’s property; and
    • Refund to the borrower all force-placed insurance premium charges and related fees paid by such borrower for any period of overlapping insurance coverage and remove from the borrower’s account all force-placed insurance charges and related fees that the company assessed to the borrower for such period?

And let’s not forget that companies must continue to comply with the above requirements if the company is a debt collector under the Fair Debt Collection Practices Act (“FDCPA”) with respect to a borrower and that borrower has exercised a “cease communication” right under the FDCPA.  Of course, failure to comply with the Regulation X requirements could also result in violations of UDAAP and FDCPA provisions.

Takeaway:

Given that the CFPB is telegraphing its upcoming review of servicers’ force-placed insurance practices, now is a good time for companies to ensure that their compliance management programs are robust enough to ensure compliance with all the technical requirements of RESPA’s force-placed insurance requirements. Alston & Bird’s Consumer Financial Services team is happy to assist with such a review.