Wednesday, August 16, 2017

Mortgage Regulators Conference – A Synopsis

Director/Agency Relations
Lenders Compliance Group

Recently, I attended the annual meeting of the American Association of Mortgage Regulators Association (AARMR), held in San Antonio, Texas, on August 1, 2017.

The meeting is an important event in the calendar of state and federal banking regulators, as it is largely devoted to regulatory compliance involving banks and nonbanks.

As the former Deputy Commissioner of the Connecticut Banking Department, I have attended these conferences for many years. Of course, as our Director of Agency Relations, I take a particular interest in this event because it enhances my understanding of key issues that may be facing the mortgage banking community in general and our clients in particular.

I would like to share some of the “take-aways” that I have surmised from this valuable AARMR regulatory conference. 

To be sure, I think that it will be helpful to understand the mission statement of AARMR, which is:

“To promote the exchange of information and education of licensing, supervision and regulation of the residential mortgage industry, ensure the ability to provide effective supervision for a safe and sound industry meeting the needs of the local financial markets and protect the rights of consumers.”

This conference provides an opportunity for regulators and industry to discuss current issues and to come away with a better understanding of regulatory concerns as well as those of the industry. It is worth noting that the meeting attendees include not only regulators from most of the states but also legal and regulatory compliance folks as well as a variety of mortgage lenders and mortgage brokers of all sizes.

One of the most compelling and interesting presentations had to do with the industry’s need for clarity and consistency in mortgage supervision and enforcement.

I am offering the following synopsis with the hope that you may obtain a better understanding of some of these mortgage industry concerns, as presented by certain panel discussions relating to challenges in the areas of licensing, advertising, reporting, disclosures, “desk drawer” policies, and the need for collaboration in producing a standard cybersecurity policy.


Please let us know your thoughts, questions or concerns. 

We welcome your feedback!




Some of the challenges and opportunities presented by the industry are summarized below.

· LICENSING

o  There is a need to streamline the licensing process so as to put mortgage loan originators to work in the shortest period of time. Transitional licensing was one area that was discussed. The SAFE Transitional Licensing Act of 2015 would allow bank-registered mortgage loan originators who move to another state or switch from a depository institution to a nonbank lender to work without having to wait for a new license. Under the proposal, transitioning MLOs are given 120 days during which time they can work for a new nonbank lender while they complete the more rigorous requirements of pre-education and testing.

o  The definition of “Control Persons” needs to be standardized among states as there are conflicting positions as to “who it is.”

o  It is sometimes difficult to figure out who needs to be licensed as third-party processors.

· ADVERTISING

o  There are more states taking action regarding RESPA Section 8 violations. One such violation was by an MLO who sponsored a “training room” in the realtor’s office. The MLO allowed for different levels of sponsorship such as $1000, $750 or $500 per month. Bottom line here is that Marketing Services Agreements need clarity, consistency, and careful regard for all aspects of regulatory compliance.

o  Social Media presents challenges to larger lenders in that “they do not know what they do not know.” Lenders are looking for states to inform them about what they do not know in this area. Examples include some states that deem each MLO’s Social Media as a separate website and limit the option to the websites of the first ten MLOs. Social Media is today’s telephone and, as such, rational rules are required.

· Reporting and Disclosures

o  The primary take-away here is that there needs to be some coordination between the requirements to file Mortgage Call Reports (MCRs) and some state-specific requirements to file quarterly and annual reports.

o Secondly, larger lenders have difficulty with state-specific disclosure requirements as part of the MCR. The Mortgage Call Report should be the only report required by all states without the additional state mandates for traditional annual or quarterly reports or the collection of additional state-specific, regulatory mandates relating to the MCR.

· “Desk Drawer” Policies
         
o  When there are no written or formal rules, it would be helpful if the regulators’ Opinion Letters could be published. Some states refuse to share Opinion Letters and the mortgage community believes that more transparency would be extremely helpful. The point here is that the rules need to be known in advance and not kept in a desk drawer.

o Panelists maintained that the CFPB will not provide specific guidance on issues, as a result of the large volume of regulatory issues. The CFPB recommends that the mortgage community review published enforcement actions as an alternative.

· CYBERSECURITY

Another critical topic was the need for State, Federal and industry participants to collaborate in Cybersecurity.

One model put forward to illustrate the success of collaboration was the NMLS initiative that resulted in a licensing system for all consumer license types to be managed on a universal system. Other models include the SAFE Act and Multi-State Mortgage Examinations.

Cybersecurity is the body of technologies, processes, and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.

Cybersecurity standards today include state banking department requirements, such as New York State's new rules (23 NYCRR 500) and Massachusetts' existing data security regulations (201 CMR 17.00). There are 47 breach notification laws across the United States, plus additional laws in US territories and other industry-specific regulations. Federal laws include GLBA, the FCRA, and the Proposed Joint Rules (OCC, Federal Reserve, FDIC) on Enhanced Cyber Risk Management Standards. Additionally, there is the guidance provided by the National Institute of Standards and Technology (NIST).

As Judith H. Germano, Senior Fellow at the New York University Center for Cybersecurity and an Adjunct Professor at NYU School of Law, has stated:

“Cybersecurity is a top threat, to America and worldwide. We have made progress in developing practical standards, best practices, and systems for information sharing and coordinating threat response. There also is a panoply of technological solutions available to detect, prevent and respond to cyber threats. Yet it is still not enough. More needs to be done. The approach must be practical, flexible and resilient. Otherwise, we threaten to undermine our security posture by distracting organizations with uncoordinated, ineffective “check the box” security protocols that divert resources from more potent security operations and emphasize compliance over security. We, as a nation, cannot take that risk.”
[Panel Discussion, my emphasis.]

Consequently, the financial services industry is proposing a Model-Uniform Cybersecurity Rules Taskforce.

The task force would include representatives from a variety of lending institutions. It would also include representatives from State and Federal Government.

To quote Judith H. Germano again:

“Work needs to be done, not on a state-by-state and industry-by-industry basis, but through a cohesive, national cybersecurity dialogue and plan. We collectively must strike the right balance between mandating reasonable and flexible policies and programs, and allowing entities and industries to develop an individualized and effective risk-based approach to preventing, detecting and responding to cyber threats.” [Panel Discussion]

We suggest that you contact us for support in risk assessment reviews for cybersecurity compliance. Our Director of IT, IS, and Cybersecurity, Kevin Origoni, conducts a deep review to determine that a financial institution is implementing the appropriate cybersecurity plans.

