Thursday, December 24, 2015

Home Mortgage Disclosure Act – Big Changes on the Way!

President & Managing Director
Lenders Compliance Group

“It’s just a way to keep the PhD’s employed in Washington, DC!” Such was the statement that a CEO of a regional mortgage banker said to me recently about the new changes to the Home Mortgage Disclosure Act, known by its acronym HMDA. “More statistics that go nowhere and tell us nothing,” he said, “and more ways to interfere in our loan origination process.” I grant that the regulatory burdens these days are demanding, but I was surprised by the sense of futility in those remarks.

Over the years, in fact, HMDA data has played a very useful role in identifying fair lending concerns, helping financial institutions to avoid disparate impact and disparate treatment violations. It certainly is important to mortgage lenders and originators in their obligation to ensure a level market to all consumers, without the impediment of discriminatory practices by bad actors. Perhaps another way to make sense of the Bureau’s amendments to HMDA is to recognize that a primary reason for those changes is to create a better tool for rectifying adverse fair lending patterns.

At the core of the revisions undertaken by the Consumer Financial Protection Bureau (“Bureau”) is the commitment to consumer protection laws generally, and, by enhancing the metrics of HMDA data collection, the commitment in particular to strengthening fair lending standards. What better way to understand fair lending than through a deep analysis of the HMDA Loan Application Register or “HMDA-LAR.” The fact is, the new changes to HMDA will derive over 250 million data points from financial institutions related to mortgage loan applications and originations in 2018.

The amendments to existing HMDA requirements, effectuated through HMDA’s implementing Regulation C, will be spread over four effective dates between January 1, 2017, and January 1, 2020.[i] However, the key date that contains most of the amendments, will be the compliance effective date of January 1, 2018. On that effective date, financial institutions will be required to collect HMDA data for applications they receive and loans they originate on or after January 1, 2018.[ii] [iii]

Certain changes will be new to non-banks, though familiar to depository institutions. For instance, beginning in 2018, non-banks will be required to record HMDA data internally within 30 days of the end of the quarter in which final action was taken. Regulation C has not previously required quarterly recording for non-banks, so this will be a new undertaking for non-depository institutions.[iv]

I am going to provide an outline of four HMDA-related areas that the Bureau revised in its update to Regulation C, promulgated through its issuance of the Final Rule (“Rule”) on October 15, 2015.

These changes to Regulation C affect the following guidelines:
  1. Covered institutions (financial institutions required to collect and report HMDA data);
  2. Covered transactions (transaction types and applications);
  3. Loan-level data (transaction data to collect and report on); and
  4. Reporting and disclosure (method and frequency of data reporting and public access to that data). 

Covered Institutions

The Rule provides guidelines to both depository and non-depository institutions. Both of these institution types are covered if, among other things, they originated at least 25 covered closed-end mortgage loans or 100 covered open-end lines of credit in each of the previous two calendar years. This standard is called a “uniform loan volume threshold,” and is part of the new evaluation process to determine if an institution is required to collect and report HMDA data. Regulation C eliminates the existing origination volume and asset size criteria and replaces them with the “uniform loan volume threshold.”

The standard will have the most impact on non-depository institutions, sweeping up many non-bank creditors into Regulation C compliance. This is due to the fact that the Rule actually removes the current coverage requirement that, in the preceding calendar year, a non-depository institution should have originated home purchase loans (including refinancings) equaling: (A) at least 10 percent of the institution’s origination volume in dollars, or (B) at least $25 million.

Comparatively, the Rule removes the current coverage requirement for a non-depository institution; to wit, (a) have total assets of more than $10 million as of the preceding December 31, or (b) have originated at least 100 home purchase loans (including refinancings) in the preceding calendar year. Furthermore, currently a non-depository institution must satisfy at least one prong (either (a) or (b) above) or both of these coverage criteria in order to be covered. Consequently, the removal of the foregoing thresholds for non-depository institutions will increase the number of non-depository institutions required to collect and report data.

Yet, the Rule will actually decrease the number of depository institutions covered, because it adds the uniform loan volume threshold to the existing coverage criteria for those institutions. The Bureau estimates that the new coverage criteria will exclude from coverage approximately 1400 depository institutions that are currently covered by the rule and include about 450 non-depository institutions that are not currently covered by the rule. Clearly, the Bureau is casting a wide net in order to apprehend the largest, reliable data set possible!

Tuesday, December 1, 2015

Ten Core Competencies in a Compliance Management System

President & Managing Director
Lenders Compliance Group

In my view, there are ten core competencies to implementing a Compliance Management System, often referred to by its acronym CMS. The Consumer Financial Protection Bureau requires it, state regulators are now asking for it, and investors want assurance of its application.

I have written extensively about the CMS concept and its importance in mortgage risk management. For instance, see my article on Creating a Culture of Compliance. Also, other articles here. When I speak on the subject, it is often the case that some in the audience actually have no idea about what constitutes the CMS. They think it is no more than a compilation of policies and procedures. But, the fact is that a viable CMS is composed of several integral features, each of which contributes to the cohesiveness of the whole compliance function.

Here’s a brief synopsis of the Ten Core Competencies that should inform a CMS:

1)  Loan portfolio, secondary and capital market management processes, mortgage servicing.

2)  Loan flow process, from point of sale to securitization or secondary market transaction.

3)  Internal Audit and Control Plan, including calendrical reviews, reporting protocol, rank and file training in all departments, and testing.

4)  Consumer disclosures, all loan types, federal and state.

5)  Mortgage quality control, not only random sampling, but proactive audits that target criteria.

6)  Record retention and maintenance, securing against unauthorized alteration or destruction.

7)  Marketing and advertising, including use of third-party services.

8)  Vendor, settlement agent, closing agent, and third-party vetting and approvals.

9)  Safeguards for privacy protection of consumer records and information.

10)  Reporting mandates to agencies, both federal and state, investors, and third-party relationships.

The compliance framework is built on the foregoing competencies. Destabilize one of them and it is possible that the others will crash like a tottering stack of cards!

Also, it should be noted that there is a growing expectation amongst regulators for a residential mortgage lender or originator to have a business continuity plan.

It is not necessary to consolidate all compliance policies and procedures into a single document. Nor does it require compliance managers to memorialize every action that must be taken in order to remain in compliance with federal and state banking law. In some cases, it may be enough for the compliance policies and procedures to allocate responsibility within the organization for the timely performance of many obligations, such as the filing or updating of required forms.

However, observed instances in which compliance policies and procedures were not followed or the actual practices were not consistent with the description in the compliance manuals, will likely lead to an adverse banking examination finding. Observed practices in areas that are required to be reviewed in accordance with specific regulations and in areas that include policies and procedures, but are not expressly required to be reviewed by regulations, will come under significant regulatory scrutiny.

What good is a compliance management system if it is not continually reviewed and, where needed, updated? In our work with new clients, we have found the following issues happening often:

·         Critical areas not identified, thus certain compliance policies and procedures were not adopted.

·         Policies were adopted, but were not applicable to the businesses and operations.

·         Critical control procedures were not performed, or not performed as described in the CMS.

·         Annual Review of the compliance function was rarely, if ever, implemented.

During examinations, an examiner may observe certain compliance weaknesses. But examiners review periodically, not continually, in most cases. The rest of the time, the residential mortgage lender or originator should be self-assessing the compliance programs in order to spot weaknesses, particularly with respect to identifying applicable mortgage compliance risks, and thereby ensure that the compliance management system encompasses all relevant business activities.