The most common question my colleagues and I are asked by prospective clients is whether we provide the “full set” of policies and procedures for all of the mortgage acts and practices. Of course we do! But policies and procedures are only one aspect of the many risk management services my firm offers.*
Nevertheless, policy statements seem to be ‘first and foremost’ when it comes to a client’s compliance needs.
Yet we do not often get questions such as the following:
- How can we effectuate policies and procedures?
- What policies are the most important for us to adopt?
- Although we have policy statements, how often should we update them?
- Who would be in charge of maintaining and enforcing policies?
- How do we build policy statements into a Compliance Management System (CMS)?
- Which policy statements are important to our warehouse lenders?
- Which policy statements are important to investors and Regulators?
- Which policy statements are important to our servicing affiliate and subservicers?
- How can we prove that our policies are being adequately implemented?
- What are the key components of policies and procedures?
- What vendor offers the most professionally safe policy statements?
- How do we go about building our own policies and procedures?
- How often should we train our employees on our policies?
- Is there a self-assessment checklist that we can put into our policy statements?
- What is the best way to document our implementation of procedures?
- Is there a core set of policies that we absolutely must have at all times?
- Which policies require testing and auditing, either internally or externally?
- How do we stay up to date on regulatory changes that affect our policies?
- What method is preferred to review, adopt, and update policy statements?
- Do we have a sufficient budget for maintaining policies and procedures?
- What resources should we use to draft comprehensive policy statements?
- What is the best method to retire a policy that is no longer a regulatory requisite?
- Where should we go for guidance in those areas that are not yet fully regulated?
In my view, we ought to get away from the thinking that considers policies and procedures to be a panacea for the effects of improper management, regulatory deficiencies, and trending defects. Policies are a continually changing, dynamic means to an end, but not the end itself. And they are only as good as the accuracy of their content and the efficacy of their implementation.
Just one employee who does not know, or contravenes, the requirements of a policy statement becomes the weakest link in an otherwise strong chain of compliance enforcement. When it comes to acting in compliance with, and according to, a policy and procedure, the financial institution is only and always as strong as its weakest link!
Most mortgage bankers want to be proactive, not reactive, though, often, that is not always achievable, especially when new policies, guidelines, rules, procedures, and actionable implementations seem to arise all the time. This reminds me of Say’s Law in economics, which, when referring to aggregate expenditure in an economy, states that spending rises to the level of income. In the case of policy statements, it seems that policies and procedures rise to the level of demands for them by the spate of regulations requiring them. If this seems like a circular kind of way to get things done, it is!
Still, we must make our way through the thicket of policy statements, hopefully coming oneday to a clearing where, if even for a brief moment, there is some equilibrium between the policies needed and the regulatory demand for them.
Some proactive lenders make it their business to always be ready for a regulatory examination; others drag out the process interminably, waiting to receive an examination letter before they get ready – which, by the way, is usually too late. And, yes, in mortgage compliance, it is certainly possible to be too late to do anything about a violation of law. Compliance leaves traces; it is impossible to obliterate its trail. I have said many times, preparation is protection! Indeed, I have written extensively on this theme.[i]
The US Coast Guard has a famous Latin motto: Semper Paratus, which means “Always Ready”. Let’s use an admonishment, also in Latin! I offer this cautionary advice to mortgage bankers: always stay vigilant; always make sure your policy statements meet regulatory scrutiny; and, to now use my own Latin phrase, never be put in the position of being Ex Abrupto, which means “Without Preparation”.
Impressing the Regulators
Examiners are past the point where they’re seriously willing to accept as viable a standardized policy from a manual mill or existing policies that have not been updated recently to reflect regulatory changes. Some Examiners actually keep a list of the one-size-fits-all policies from manual mills, and they are keenly aware of the stratagem of using an off-the-shelf policy to satisfy a regulatory mandate, obviously in anticipation of a banking examination.
A Word of Caution
This is the second part of a two-part series. It concerns policies and procedures for mortgage bankers. The first article in this series dealt with the policy and procedure needs of mortgage brokers.[ii]
I am going to provide an expanded chart of certain core policies and procedures that a mortgage banker should obtain and continually update, as regulations change. I will also provide some useful policy implementation guidance relating to preparing for a state banking examination.[iii]
Before getting started, though, I feel constrained to offer the same cautionary note that I offered in Part I of this series, using yet another well-known Latin phrase, Caveat Emptor! (Let the Buyer Beware!) I would be remiss if I did not emphasize that obtaining a boilerplate document, with or without your company’s name on it, is fundamentally regressive, and it is a tactic that Examiners are now regularly criticizing in adverse findings. Indeed, in some cases, template-driven policy and procedures may cause Examiners to escalate their regulatory review. Drafting and implementing a policy statement that conforms to the way an institution does business is a critical responsibility of management, where the purchase price of a policy and procedure should not be an operative consideration.
This is not an area to take a pecuniary short cut to compliance, especially when an insufficient policy statement may cause adverse examination findings. Put it this way: if you are not allocating sufficient funds toward reliable policies and procedures, then maybe you should consider some other line of work, because an inept policy infers an inept management, one with economically deplorable priorities - for the cost in penalties, administrative actions, and challenges to licensure, may far exceed your company’s ability to survive.
Policies and Procedures
**Many lenders now require quality control audits to be conducted by their third-party originators.
Preparing for an Examination
Generally, banking departments consider themselves to be consumer advocacy agencies and, as such, they approach examinations in a threefold process, which includes:
(1) Examining the licensee’s implementation of its own policies and procedures, and ensuring that all relevant policies and procedures are safe and sound and lawful;
(2) Investigating consumer complaint allegations relating to the licensee; and
(3) Conducting on-site or off-site visitations to audit a licensee’s operations, and determining a company’s implementation of previously identified corrective actions from prior examinations.
The primary means of monitoring the licensee is through examinations.
Therefore, banking departments seek to evaluate the following elements:
- Conduct a compliance review to determine implementation of relevant laws and regulations;
- Audit and assess the integrity of the Compliance Management System, especially with respect to implementing state and federal consumer protection statutes and regulations; and,
- Issue examination reports, outlining where compliance is sufficient; or, in the case of an adverse examination report, issue supervisory and administrative actions resulting from defective and deficient operations of banking law or administrative rules.
Mortgage Risk Management
Here is the appropriate goal of ‘mortgage risk management’, a term I coined years ago to broaden the reach of compliance administration and provide a more focused approach toward assessing the kinds of risk associated with the business models of residential mortgage lenders and originators:
(1) Identify Risk
(2) Mitigate Risk
(3) Reduce Risk
(4) Eliminate Risk
Not all of these goals are achievable, most especially the goal of eliminating risk. But going to the goal is the goal! When you move in the right direction, Regulators are more receptive to the circumstances.
Here’s a rule of thumb:
- Things in your control that require, or should require, corrective action, but you fail to implement such corrective action, usually cause Examiners to be unyielding in their reporting evaluations and administrative actions.
- Things that are not in your control, or not expected to be in your control, even where they produce adverse findings, usually cause Examiners to be a little more flexible in their examination reports.
Compliance and loan production are now cemented together! Success in mortgage banking is dependent on the extent to which production and compliance are protagonists for each other - each within its own bounds of responsibilities and authorities, working for the common good of the consumer.
Who has the Edge: Examiner or Lender?
Picture, if you will, the capital letter “H” – only turn it on its side.
The lower axis is the state banking examination level, the vertical axis is the information that flows from the state to the CFPB at the federal level,[vi] and the higher axis is the federal level where information obtained from both state and federal examinations may be shared with various governmental agencies. The streaming of regulatory information is becoming seamless.
In May of this year, the Memorandum of Understanding (MOU) of 2011 between the CFPB, the Conference of State Bank Supervisors (CSBS), and various state financial regulatory authorities (i.e., state Regulators) was reaffirmed, establishing the agreement for coordination and information sharing in supervision and enforcement work. Specifically, that MOU promulgated a framework intended to establish a process for coordinated federal and state consumer protection supervision and enforcement of entities providing consumer products or services that are subject to concurrent jurisdiction of the CFPB and one or more state Regulators.[vii]
So, whatever axis of that side-bound, capital “H” is the rightful place of a particular financial institution, the information derived from its regulatory examination has become transparent to the federal and state regulatory authorities.
Gone are the days when policies and procedures, by themselves, suffice to provide a solid demonstration of a mortgage banker’s commitment to mortgage compliance. Be aware, also that examinations now include an evaluation of the management’s competency to implement policies, because it is management that is accountable for administering the institution’s risk.
Questions that Examiners consider in determining management’s effectiveness include:
- What is the knowledge level and commitment of the company and its personnel?
- How does the mortgage banker respond to deficiencies and potential violations?
- Do the information and loan origination systems provide reliable and secure data?
- Does management maintain and follow its own policies and procedures?
- To what extent and how often are training programs offered to affected employees?
Policies pertaining to both federal and state regulatory compliance guidelines that are not appropriate or sufficiently comprehensive may lead to adverse findings in the examination report.
Trust me: the exit interview is simply not the place to find out that a commitment to corrective action is going to be required!
The examination report consists of several parts, more or less varying state to state, with each part contributing to a general outline of a licensee’s qualifications to continue being licensed.
Generally, the examination report includes:
- Scope of Examination
- Compliance Rating or Similar Description
- Loan Sample Outline used for the Examination
- Summary and Detail of Significant Violations (where applicable)
- Evaluation of the Compliance Management System
- Assessment of Policies and Procedures
- Summary of the Exit Interview
- Management Response to Findings and Corrective Actions (where applicable)
Policies and Procedures
Here’s another analogy: policies and procedures are like an automobile’s chassis; implementation of policies is the car’s superstructure; and, the employee is the driver who takes (and passes) the road test. All three must be intact and reliable for the car to be considered safe to be driven, and all of these components depend on one another to effectuate the vehicle’s purpose. All three deserve equal emphasis!
Policy statements must address the financial institution’s business philosophy, goals, objectives, procedures, required actions, remedies, and, of course, the metrics with which to judge them. They do not have to be extensive in length, but they certainly do have to be comprehensive in detail, and based on the size, complexity, and risk profile of the company. Further, I believe certain policy statements should be converted into Employee Manuals, such as an Advertising Manual or a Social Media Manual, with attestation of receipt thereof by, and distributed to, all affected employee. Each policy statement should be reinforced with training – not generic, out-of-the-can training, but training on the company’s actual policy itself.
Additionally, a policy and procedure must be updated immediately when regulations change or the company changes its way of doing business with respect to legal and regulatory compliance requirements. This means that not only should citations and definitions be included, where needed, but also procedures should highlight forms, disclosures, ‘chain of command’ guidelines, and any other areas inherent in carrying out management’s expectations and directives.
Finally, management should monitor all aspects of the loan flow process, in order to identify, mitigate, reduce, or eliminate risk. To a considerable extent, training plays an important role in risk management, but the monitoring must go beyond training employees. When exposure to risk is identified, management should document that event and implement corrective actions.
For the most part, whatever defect or deficiency has been cited, an Examiner may understand a mortgage banker’s actions in affirmatively endeavoring to prevent any continuation of a defect trend or deficiency practice. However, the one thing that no banking department will tolerate is a deficiency that, once discovered, remains irresolutely unresolved.
[i] For instance, see Foxx, Jonathan, Anti-Money Laundering Program: Preparation is Protection, National Mortgage Professional Magazine, August 2012, Volume 4, Issue 8, pp 22-34
[ii] Foxx, Jonathan, Policy, Procedures, and Examination - Part I: Mortgage Brokers, National Mortgage Professional Magazine, March 2013, Volume 5, Issue 3, pp. 8-32.
[iii] I will not treat important areas of preparation, such as readiness for Community Reinvestment Act (CRA), tie-in restrictions, insider lending, and other compliance areas, if the mortgage banker is affiliated with a depository institution.
[iv] Portions of this table are adapted from Pannabecker, James H., Mortgage Lending Compliance (With Federal and State Guidance), Volume I, Second Edition, xv-xvi, A. S. Pratt, 2012
[v] The table is based on legal and regulatory compliance requirements as of February 28, 2013.
[vi] For instance, see CFPB Statement of Intent for Sharing Information With State Banking and Financial Services Regulators, December 6, 2012; 2013 CFPB-State Supervisory Coordination Framework, May 7, 2013; Memorandum of Understanding between the Consumer Financial Protection Bureau and the United States Department of Justice Regarding Fair Lending Coordination, December 2012; Memorandum of Understanding between the Consumer Financial Protection Bureau, the Conference of State Bank Supervisors, and the Other Signatories Hereto, On the Sharing of Information for Consumer Protection Purposes, January 2011
[vii] Section IV.B, Memorandum of Understanding between the Consumer Financial Protection Bureau, the Conference of State Bank Supervisors, and the Other Signatories Hereto, On the Sharing of Information for Consumer Protection Purposes, January 2011
* Jonathan Foxx is the President & Managing Director of Lenders Compliance Group
© 2013 Lenders Compliance Group, Inc. All Rights Reserved. © 2013 NMP Media Corp. All Rights Reserved. This article is copyrighted material and provided to you as a courtesy for your personal use only. Policy, Procedures, and Examination - Part II: Mortgage Bankers is a White Paper and also a Magazine Article in National Mortgage Professional Magazine, July 2013, Volume 5, Issue 7, pp. 17-65. You may not make copies for any commercial purpose. You may use this article in print or on-line media as long as you properly acknowledge the author and source. Reproduction or storage of this article is subject to the U.S. Copyright Act of 1976, Title 17 U.S.C.