Monday, June 26, 2017

Third-Party Relationships: Compliance Risk

Managing Director
Lenders Compliance Group

I am often asked if there are significant compliance risks involving third parties in mortgage banking. The answer is: without a doubt! In providing some insight, I will just mention three of the many types of third parties that pose such risks: mortgage brokers, mortgage lenders, and mortgage servicers.

Let’s be clear at the outset: managing third-party risk is critical for providers of consumer financial products and services. This is because financial institutions (“FI”) can be and often are themselves held liable for the practices of third parties acting on their behalf. Where there is contact with the public by third parties, directly or indirectly, on behalf of the FI the risk is substantively greater. From the point of view of technological factors, service providers may be integrated into an FI’s business operations. As such, this can lead to enforcement actions in which certain violations of consumer protection laws are alleged against the service provider and the FI itself!

It is the case that regulators have affirmed their intention to hold companies strictly liable for conduct of their agents. The legal principal invoked is usually the theory of “vicarious liability.” Just a few years ago, in October 2015, the Department of Housing and Urban Development (“HUD”) proposed rules to formally codify third-party liability standards under the Fair Housing Act, including strict vicarious liability for acts of an institution’s agents, as well as direct liability for negligently failing to correct and end discriminatory practices by those agents.[i]

Consider the risk posed by mortgage brokers. For many years, an area that has seen a lot of fair lending enforcement and class action litigation has been the wholesale mortgage lending industry. Since mortgage lenders close loans originated by independent mortgage brokers, regulators and private litigants have brought enforcement actions and lawsuits alleging that lenders have failed to monitor and control discretionary mortgage broker pricing and product selection practices. In these cases, it has been alleged, under the disparate impact theory, that the mortgage lenders have violated the Equal Credit Opportunity Act (ECOA) due to pricing disparities disfavoring racial and ethnic minorities.

In fact, since 2010 there have been several Department of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) enforcement actions, as well as lawsuits filed by cities, against wholesale mortgage lenders under this theory.[ii]

Most of the mortgage pricing fair lending enforcement actions to date have focused on conduct that predates April 2011, when regulations by the Federal Reserve on loan originator compensation first took effect. I have written extensively on the features of the loan originator compensation requirements that went into effect on April 6, 2011, if you are interested in reading more about these rules.[iii] The loan originator compensation regulations prohibit compensation to mortgage loan originators based on, among other things, discretionary loan pricing or product steering by a broker based on a financial incentive to a product not in the consumer’s interest.[iv]

Although these changes in the law have reduced pricing’s influence on fair lending risk, they have certainly not eliminated the risk entirely. For instance, in December 2015, the DOJ brought an enforcement action against Sage Bank in Massachusetts relating to disparities in revenue earned on retail mortgage loans to minority borrowers compared to that on mortgage loans to non-minority borrowers. What is notable about this action is that it was the first pricing discrimination enforcement action that focused on loans made after the loan originator compensation rules took effect in 2011. Obviously, it demonstrated that regulators are continuing to focus on mortgage pricing discrimination issues.

But fair lending is not the only compliance risk associated with wholesale lending. Other risks include Unfair, Deceptive, or Abusive Acts or Practices (referred to collectively, “UDAAP”) and related areas. In fact, the CFPB issued guidance on UDAAP in its Supervision and Examination Manual of October 2012.[v] With the benefit of time, litigation, guidance, and examinations, among other things, we can say that these risks arise because mortgage brokers play a key role in marketing, discussing product benefits and terms with applicants and guiding their product choices, providing disclosures, completing applications, and gathering documentation in support of the loan applications. It stands to prudent reasoning that, in addition to fair lending, oversight of an FI’s mortgage broker network is critical for mitigating UDAAP risk and managing other compliance requirements.

When we move from a consideration of risks associated with mortgage brokers to those posed by mortgage lenders the risk profile is neither better nor worse, but, as the saying goes, it is different. Much risk tends to congregate around fair lending in secondary market transactions. For instance, in the case Adkins v. Morgan Stanley, plaintiffs alleged that the policies and procedures of Morgan Stanley, which had purchased loans from subprime loan originator New Century Mortgage Company, had created a disparate impact on African-American borrowers. If as alleged, this would be a violation of the Fair Housing Act (FHA), ECOA, and state law.[vi] Although the court dismissed the ECOA claims as time-barred, it allowed the FHA claims to proceed, holding that plaintiffs’ allegations were sufficient to state a claim of disparate impact discrimination. In the ruling, the court stated that the FHA expressly applies to secondary market purchasing of mortgage loans. It further emphasized allegations relating to Morgan Stanley’s warehouse lending commitments, on-site due diligence of New Century loans, demand for loans with alleged “high-risk” features, and instructions to originate no-documentation loans when it appeared that the applicant could not afford the loan. In its conclusion, the court noted that the evidence was sufficient to support claims that Morgan Stanley’s policies “set the terms and conditions on which it would purchase loans from New Century” and that these terms and conditions had resulted in a disparate impact when they caused New Century to issue toxic loans to the plaintiffs.

In the case In re Johnson, a Chapter 13 debtor alleged that a loan originator had targeted minority borrowers for predatory loans, and that the purchasers and assignees “were involved in this enterprise of selling toxic loans and targeting vulnerable minorities” because the loans were originated with securitization as the ultimate goal.[vii] Although the court dismissed the complaints on the ground that the plaintiff had not alleged sufficient facts to support the claims, it did not summarily reject the proposition that a secondary market purchaser could be held liable under ECOA or the FHA.[viii]

My point is that fair lending scrutiny of not only mortgage lenders, but also their investors, will likely increase in the coming years as new Home Mortgage Disclosure Act (HMDA) reporting requirements, finalized in October 2015, will provide greater insight into the role of investors in the loan origination process.

Thursday, June 15, 2017

Third Party Relationships: Risk Management Guidance - Frequently Asked Questions

Managing Director
Lenders Compliance Group of Companies

On June 7, 2017, the Office of the Comptroller of the Currency (OCC) published a Frequently Asked Questions (“FAQ”), meant to supplement its Bulletin 2013­29 (“Third­Party Relationships: Risk Management Guidance,” October 30, 2013).

The FAQ, OCC Bulletin 2017-21, is entitled “Frequently Asked Questions to Supplement OCC Bulletin 2013­29” (“Supplement”).

This issuance is to be reviewed by Chief Executive Officers and Chief Risk Officers of All National Banks and Federal Savings Associations, Technology Service Providers, Department and Division Heads, all Examining Personnel, and other interested parties. Community Banks should note that the Supplement addresses questions from national banks and federal savings associations (collectively, “banks”) regarding guidance in OCC Bulletin 2013­29. The Supplement and OCC Bulletin 2013­29 are applicable to all banks.[i]

The Supplement provides the following information:
  • defines third party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
  • provides insight on how to adjust risk management practices specific to each relationship;
  • discusses ways to structure third party risk management processes;
  • discusses advantages and disadvantages to collaboration between multiple banks when managing third party relationships;
  • outlines bank-specific requirements when using collaborative arrangements;
  • provides information-sharing forums that offer resources to help banks monitor cyber threats;
  • discusses how to determine whether a fintech relationships is a “critical activity” and covers risks associated with engaging a start-up fintech company;
  • addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
  • covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
  • clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third party to provide mobile payments options to consumers;
  • outlines the OCC’s compliance management requirements;
  • discusses banks’ rights to access interagency technology service provider reports; and
  • answers whether a bank can rely on the accuracy of a third party’s risk management report.

It is my considered view that nonbanks should carefully review the Supplement and, where possible, adopt its guidance, in addition to any other guidance provided by the Consumer Financial Protection Bureau (CFPB) or state banking departments.[ii]

We have placed this Synopsis along with the Supplement on the Vendors Compliance Group website.[iii]

This review of the Supplement will set forth the questions asked and summarize the answers provided. A detailed reading of the Supplement is suggested. This Synopsis is meant to provide an overview of the Supplement; however, I highly advise a thorough reading of the actual Supplement. For further guidance, I recommend that you contact a compliance professional who is familiar with the processes involved in review of service provider and third party vendor due diligence.

If you have questions, please contact us at:


1)      What is a third party relationship?

OCC Bulletin 2013­29 defines a third­ party relationship as any business arrangement between the bank and another entity, by contract or otherwise.