Managing Director
Lenders Compliance Group
I am often asked if there are significant
compliance risks involving third parties in mortgage banking. The answer is:
without a doubt! In providing some insight, I will just mention three of the
many types of third parties that pose such risks: mortgage brokers, mortgage
lenders, and mortgage servicers.
Let’s be clear at the outset: managing
third-party risk is critical for providers of consumer financial products and
services. This is because financial institutions (“FI”) can be and often are themselves
held liable for the practices of third parties acting on their behalf. Where
there is contact with the public by third parties, directly or indirectly, on
behalf of the FI the risk is substantively greater. From the point of view of
technological factors, service providers may be integrated into an FI’s
business operations. As such, this can lead to enforcement actions in which
certain violations of consumer protection laws are alleged against the service
provider and the FI itself!
It is the case that regulators have affirmed
their intention to hold companies strictly liable for conduct of their agents.
The legal principal invoked is usually the theory of “vicarious liability.”
Just a few years ago, in October 2015, the Department of Housing and Urban Development
(“HUD”) proposed rules to formally codify third-party liability standards under
the Fair Housing Act, including strict vicarious
liability for acts of an institution’s
agents, as well as direct liability for negligently failing to correct
and end discriminatory practices by those agents.[i]
Consider the risk posed by mortgage brokers.
For many years, an area that has seen a lot of fair lending enforcement and
class action litigation has been the wholesale mortgage lending industry. Since
mortgage lenders close loans originated by independent mortgage brokers, regulators
and private litigants have brought enforcement actions and lawsuits alleging
that lenders have failed to monitor and control discretionary mortgage broker
pricing and product selection practices. In these cases, it has been alleged,
under the disparate impact theory, that the mortgage lenders have violated the
Equal Credit Opportunity Act (ECOA) due to pricing disparities disfavoring
racial and ethnic minorities.
In fact, since 2010 there have been several Department
of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) enforcement
actions, as well as lawsuits filed by cities, against wholesale mortgage
lenders under this theory.[ii]
Most of the mortgage pricing fair lending
enforcement actions to date have focused on conduct that predates April 2011,
when regulations by the Federal Reserve on loan originator compensation first
took effect. I have written extensively on the features of the loan originator
compensation requirements that went into effect on April 6, 2011, if you are
interested in reading more about these rules.[iii]
The loan originator compensation regulations prohibit compensation to mortgage
loan originators based on, among other things, discretionary loan pricing or
product steering by a broker based on a financial incentive to a product not in
the consumer’s interest.[iv]
Although these changes in the law have reduced
pricing’s influence on fair lending risk, they have certainly not eliminated
the risk entirely. For instance, in December 2015, the DOJ brought an
enforcement action against Sage Bank in Massachusetts relating to disparities
in revenue earned on retail mortgage loans to minority borrowers compared to
that on mortgage loans to non-minority borrowers. What is notable about this
action is that it was the first pricing discrimination enforcement action that focused
on loans made after the loan originator compensation rules took effect in 2011.
Obviously, it demonstrated that regulators are continuing to focus on mortgage
pricing discrimination issues.
But fair lending is not the only compliance
risk associated with wholesale lending. Other risks include Unfair, Deceptive,
or Abusive Acts or Practices (referred to collectively, “UDAAP”) and related
areas. In fact, the CFPB issued guidance on UDAAP in its Supervision and Examination Manual of October 2012.[v] With
the benefit of time, litigation, guidance, and examinations, among other
things, we can say that these risks arise because mortgage brokers play a key
role in marketing, discussing product benefits and terms with applicants and
guiding their product choices, providing disclosures, completing applications,
and gathering documentation in support of the loan applications. It stands to
prudent reasoning that, in addition to fair lending, oversight of an FI’s
mortgage broker network is critical for mitigating UDAAP risk and managing
other compliance requirements.
When we move from a consideration of risks
associated with mortgage brokers to those posed by mortgage lenders the risk
profile is neither better nor worse, but, as the saying goes, it is different. Much risk tends to congregate
around fair lending in secondary market transactions. For instance, in the case
Adkins v. Morgan Stanley, plaintiffs
alleged that the policies and procedures of Morgan Stanley, which had purchased
loans from subprime loan originator New Century Mortgage Company, had created a
disparate impact on African-American borrowers. If as alleged, this would be a
violation of the Fair Housing Act (FHA), ECOA, and state law.[vi] Although
the court dismissed the ECOA claims as time-barred, it allowed the FHA claims
to proceed, holding that plaintiffs’ allegations were sufficient to state a
claim of disparate impact discrimination. In the ruling, the court stated that
the FHA expressly applies to secondary market purchasing of mortgage loans. It
further emphasized allegations relating to Morgan Stanley’s warehouse lending
commitments, on-site due diligence of New Century loans, demand for loans with
alleged “high-risk” features, and instructions to originate no-documentation
loans when it appeared that the applicant could not afford the loan. In its
conclusion, the court noted that the evidence was sufficient to support claims
that Morgan Stanley’s policies “set the terms and conditions on which it would
purchase loans from New Century” and that these terms and conditions had
resulted in a disparate impact when they caused New Century to issue toxic
loans to the plaintiffs.
In the case In re Johnson, a Chapter 13 debtor alleged that a loan originator
had targeted minority borrowers for predatory loans, and that the purchasers
and assignees “were involved in this enterprise of selling toxic loans and
targeting vulnerable minorities” because the loans were originated with
securitization as the ultimate goal.[vii]
Although the court dismissed the complaints on the ground that the plaintiff
had not alleged sufficient facts to support the claims, it did not summarily reject
the proposition that a secondary market purchaser could be held liable under
ECOA or the FHA.[viii]
My point is that fair lending scrutiny of not
only mortgage lenders, but also their investors, will likely increase in the
coming years as new Home Mortgage Disclosure Act (HMDA) reporting requirements,
finalized in October 2015, will provide greater insight into the role of
investors in the loan origination process.
A very brief tour of the data collection being
required in Regulation C, HMDA’s implementing regulation, will suffice to prove
my prediction. When the new HMDA rule becomes effective in 2018, loan originators
will be required to report Universal Loan Identifiers that will help regulators
track the life cycle of a loan among HMDA-reporting institutions (including
investors that report HMDA data). In addition, originators will be required to
identify the Automated Underwriting System (“AUS”) and results thereof when the
originator uses an AUS developed by securitizers, federal government insurer,
or federal government guarantor in the origination of the loan.[ix] [x]
But fair lending is but one of several salient
risks associated with loan originations. Go back to November 2015 and you will
find guidance to supervised institutions that was issued by the Federal Deposit
Insurance Corporation (FDIC). The guidance involved safety-and-soundness requirements
and consumer compliance risks associated with purchased loans and loan
participations.[xi]
In this guidance, the FDIC cautioned that “over-reliance on lead institutions”
has, in some instances, caused significant credit losses and contributed to
bank failures, and that “it is evident that financial institutions have not
thoroughly analyzed the potential risks arising from third-party arrangements.”
Consequently, the FDIC advised institutions to underwrite and administer loan
purchases “in the same diligent manner as if they were being directly originated
by the purchasing institution.” It asserted that a supervised FI should perform
due diligence prior to entering into and during the course of TPO
relationships, such review to include an evaluation of the TPO’s compliance
with consumer protection laws.
The third TPO category to be considered is the
mortgage servicer – and I will include the subject of Real Estate Owned (“REO”)
concerns thereunder. Permit me to take you back to the 2008 financial crisis
for some historical perspective. In the wake of this financial crisis, regulators
increased their scrutiny of mortgage servicers and the way they manage third
parties that handle loan modifications and foreclosures.
Of importance, note the enforcement actions
that were taken in April 2011 against 14 bank mortgage servicers for allegedly
deficient practices. These actions were brought by the Office of the
Comptroller of the Currency (OCC), the FDIC, Office of Thrift Supervision (OTS),
and the Federal Reserve System (Federal Reserve), which took enforcement
actions against 14 bank mortgage servicers for allegedly deficient practices.[xii] Then
in February 2012, federal agencies and the attorneys general of 49 states
entered into what is known as the National
Mortgage Settlement with the five largest mortgage servicers.[xiii]
This was the largest consumer financial protection settlement ever! It required
more than $25 billion in financial relief to borrowers. Following this
settlement, on December 19, 2013, the CFPB and state attorneys general entered
into a similar agreement with Ocwen, a large non-bank mortgage servicer.[xiv]
This action resulted in Ocwen agreeing to fund $2 billion in principal reduction
to eligible borrowers and refund $125 million to certain borrowers whose homes
were foreclosed.
What do these enforcement actions have in
common? Surely one commonality was that the regulators alleged deficiencies in
the management of vendors and other third parties, such as attorneys, that were
involved in the foreclosure process. Regulators alleged that servicers
“generally did not properly structure, carefully conduct, or prudently manage
their third-party vendor relationships with outside law firms and other
third-party foreclosure services providers,” resulting in “increased
reputational, legal, and financial risks to the servicers.”[xv]
Remember the “robo-signing” of affidavits and
other documents? Those “robo-signing” procedures – if you want to call them
‘procedures’ - were the kind of allegations swirling around mortgage servicers
and their service providers at the time. These ‘procedures’ were really just a
robotic process of the mass production of false and forged execution of
mortgage assignments, satisfactions, affidavits, and other legal documents
related to mortgage foreclosures and legal matters being created by persons
without knowledge of the facts being attested to, including accusations of
notary fraud wherein the notaries pre- and/or post-notarized the affidavits and
signatures of so-called robo-signers. “Robo-signing” amounted to no more than submitting
affidavits and other documents in foreclosure proceedings without verifying the
information contained in these forms.[xvi]
There has been no abating in the CFPB’s
continued interest in regulating mortgage servicing. It has issued rules that
took effect in 2014 to implement broad mortgage servicing reforms pursuant to
provisions in the Dodd-Frank Act, covering topics such as enhanced periodic
disclosures, lender-placed insurance, payment posting, and loss mitigation.[xvii]
With respect to REOs, the conduct of service
providers has also triggered numerous complaints regarding marketing of
residential properties acquired by a mortgage lender or mortgage servicer after
foreclosure. One organization, the National Fair Housing Alliance (“NFHA”) has
filed complaints with HUD against eight banks or property maintenance vendors,
alleging that REO properties in non-minority areas were marketed and maintained
materially better than REO properties in predominantly minority areas. One of
these cases resulted in a public Conciliation Agreement.[xviii]
Mortgage servicers often hire vendors to perform the maintenance and marketing
of the properties, so the complaints have focused directly on vendor oversight
and the alleged failure to ensure that vendors provide consistent services
regardless of the racial or ethnic composition of the neighborhood.
What can be done to reduce the compliance risk
posed by third parties?
I suggest the following 8-part strategy for
evaluating third party risk. It is the kind of approach that my firm takes all
the time in its audit and review processes with clients, whether our guidance
is project-based or in the context of an on-going monthly relationship.
1) Due
Diligence
2) Contract
Review
3) Policies
and Procedures
4) Compensation
5) Risk
Assessments
6) Monitoring
7) Training
8) Remediation
1. Due
Diligence
The
vetting process should include searching public information and conducting
background checks on the third party and/or its principals, and inquiring about
prior litigation and regulatory proceedings against the third party. In
addition to the initial vetting, financial institutions could conduct periodic
reviews or re-certification of the third party. Our affiliate, Vendors
Compliance Group,[xix]
conducts just such a review, not a mere compilation, but actual due diligence.
2. Contracts
Written agreements should specify compliance expectations and set
in place mechanisms to monitor and enforce those expectations. Contracts should
have strong provisions, especially those related to allowing for auditing and
inspection of the service provider. Furthermore, contracts should also specify
how the service provider will handle, respond to, and report consumer
complaints.
3. Policies
and Procedures
The policies and procedures, and even service level agreements (if
needed), should comply with the standards and expectations of the applicable
supervising agencies.
4. Compensation
UDAAP and fair lending risk are directly and indirectly related to
third-party compensation policies, as compensation tied to discretionary
decision-making can present elevated fair lending risk. With respect to
mortgage brokers, mortgage lenders, and mortgage servicers, these institutions
should review third-party compensation policies to ensure compliance with the
CFPB’s loan originator compensation rules, as well as compliance with the RESPA
Section 8 prohibition on kickbacks and unearned fees. Be mindful of any
relevant metrics associated with quality control and compliance-based assessments,
where such are used as a component of compensation, such as in sales.
5. Risk
Assessments
Our firm often conducts risk assessments for departments and
functions, but we also recommend conducting risk assessments of third-parties –
most especially those third-parties that interact directly with consumers. The
FI’s ability to control those consumer communications is critical to mitigating
the potential for consumer harm based on conduct by a third party.
6. Monitoring
Monitoring for fair lending should be an internal mandate for FIs,
irrespective of a supervising agencies rules. Institutions should consider
regular monitoring and oversight of vendors, including fair lending monitoring
where appropriate. Wholesale mortgage lenders should also consider monitoring their
mortgage broker for potential disparities on a prohibited basis. In addition to
statistical monitoring, audits, mystery shopping, customer surveys, and other
evaluations may also help FI’s assess the performance of service providers.
7. Training
Financial institutions must provide to, or validate compliance
training for, third parties, especially those entities that interact directly
with the public, in general, and consumers, in particular. Given the
extraordinary risk associated with fair lending, third parties should be given,
or obtain training, on fair lending laws and UDAAP compliance. If third parties
are involved in managing and marketing REOs, training on fair housing should be
considered.
8. Remediation
Fair lending
remediation programs must include counseling or training, enhanced scrutiny of
contracts, careful review of loan originations, and termination where
unexplained disparities are noted.
My list is really a sort of
extrapolation of what Federal banking regulators such as the OCC and Federal
Reserve have promulgated for many years. The agencies have issued extensive
guidance on third-party oversight and closely supervised such relationships. For
instance, on October 30, 2013, the OCC substantially reworked its guidance for
overseeing third-party relationships.[xx] This guidance from the
OCC is one of the most comprehensive, bank regulatory guidances available on
third-party risk management.[xxi]
In the foregoing issuance, the
OCC’s expectations were expressed in the following requirements:
1. Planning
Develop a
plan to manage the third-party relationship before consummating the
relationship.
2. Due diligence and Third-party Selection
Include
strategies and goals, legal and regulatory compliance, financial condition, and
business experience and reputation, derived internally or from a risk
management firm, such as Vendors Compliance Group.[xxii]
3. Contract Negotiations
Cover nature
and scope, but also define performance metrics and benchmarks, the right to
audit and require remediation, responsibilities for compliance with applicable
laws and regulations, cost and compensation, indemnification, insurance,
default and termination, and customer complaints.
4. Ongoing Monitoring
Determine
quality and sustainability of the third-party’s controls and compliance with
legal and regulatory requirements. Pay attention to volume, nature, and trends
of consumer complaints and the third-party’s ability to appropriately remediate
customer complaints.”
5. Termination
Termination
should be efficient and not disruptive to safety and soundness. Consider a
contingency plan to transition the subject services to another service
provider, or bring the activity in-house, or discontinue the activity
altogether.
6. Oversight and Accountability
Chain of
command access to information involving third-party relationships, where the
decision tree contains feedback from, and accountability to, the Board of
Directors, Senior Management, and other employees.
7. Documentation and Reporting
Periodic
reporting on new information or risks associated with third-party
relationships, such reporting to be derived internally or from a risk
management firm.
8. Independent Reviews
Regularly scheduled,
independent reviews of the third-party risk management processes to determine
if those processes align with a financial institution’s strategy and risk
profile, derived internally or from a risk management firm
Third-parties have considerable impact on a financial institution’s
safety and soundness. Critical activities, such as functions like payments,
clearing, settlements, custody, and certain services, such as information
technology, and many other activities, may cause significant risk or consumer
impact. While wanting to offer the consumer the best quality service, financial
institutions must realize that third-parties also pose one of the most
significant areas of exposure to compliance risk.
[i] 80 Fed. Reg.
63,720 (Oct. 21, 2015)
[ii] Here are just a few. Joint Motion for Entry of Consent Order, United States & Consumer
Financial Protection Bureau v. Provident Funding Assocs., L.P., No.
3:15-cv-02373 (N.D. Cal. May 28, 2015); Consumer
Financial Protection Bureau & United States v. National City Bank, No.
2:13-cv-01817 (W.D. Pa. Dec. 23, 2013); United
States v. Wells Fargo Bank, NA, No. 1:12-cv-01150 (D.D.C. July 12, 2012); Consent Order, United States v. Countrywide
Financial Corp., No. 2:11-cv-10540-PSG-AJW (C.D. Cal. Dec. 28, 2011); Consent Order, United States v. AIG Federal
Savings Bank, No. 1:10-cv-00178-JJF (D. Del. Mar. 19, 2010); City of Miami v. Bank of Am. Corp., No.
1:13-cv-24506-WPD, 2014 WL 3362348 (S.D. Fla. July 9, 2014), affirmed in part,
revised in part, 800 F.3d 1262 (11th Cir. 2015).
[iii] To read some of the articles, visit the Articles
section at www.LendersComplianceGroup.com
[iv] 12 C.F.R. § 1026.36(d), (e) (Regulation Z, the
implementing regulation of the Truth in Lending Act, rules regarding loan
originator compensation and steering incentives); 15 U.S.C. § 1639b(c)
(Dodd-Frank Act mortgage anti-steering provisions)
[v] Unfair,
Deceptive, or Abusive Acts or Practices, in Version 2,
Consumer Financial Protection Bureau, in CFPB Supervision and Examination
Manual, October 2012
[vi] No. 12-cv-7667 (HB), 2013 WL 3835198, S.D.N.Y. July
25, 2013
[vii] No. 09-49420, 2014 WL 4197001 Bankruptcy E.D.N.Y. Aug.
22, 2014
[viii] See Johnson v.
Wells Fargo Bank, N.A., No. 14-MC-1100 (RRM), 2015 U.S. Dist., LEXIS 28046,
E.D.N.Y. Mar. 6, 2015
[ix] Home Mortgage Disclosure Act (Regulation C), 80 Fed.
Reg. 66,128-01, 66,174, October 28, 2015
[x] Idem at 66,337
[xi] FIL-49-2015, Advisory
on Effective Risk Management Practices for Purchased Loans and Purchased Loan
Participations, FDIC, November 6, 2015
[xii] See Interagency
Review of Foreclosure Policies and Practices (2011), Federal Reserve
System, OCC and OTS. The Office of Thrift Supervision merged with the Office of
the Comptroller of the Currency on July 21, 2011.
[xiii] DOJ, Federal
Government and State Attorneys General Reach $25 Billion Agreement with Five
Largest Mortgage Servicers to Address Mortgage Loan Servicing and Foreclosure
Abuses, Press Release, February 9, 2012
[xiv] Consent
Judgment, Consumer Financial Protection Bureau v. Ocwen Financial Corp.,
No. 1:13-cv-02025-RMC, D.D.C. Feb. 26, 2014
[xv] Interagency
Review, supra 12, at 9
[xvi] See Robo-signing
Controversy, in 2010 United States Foreclosure Crisis, Wikipedia
[xvii] Mortgage
Servicing Rules under the Real Estate Settlement Procedures Act (Regulation X),
12 C.F.R. Part 1024, 78 FR 10,696, February 14, 2013
[xviii] National Fair
Housing Alliance and Wells Fargo Announce Collaboration to Rebuild
Homeownership Opportunities in 19 Cities, Press Release, NFHA, June 6,
2013; see also U.S. Department of Housing
and Urban Development and Urban Development Conciliation Agreement, No.
09-12-0708-8, National Fair Housing Alliance & Wells Fargo Bank, N.A., 2013
[xix] For more information, visit www.VendorsComplianceGroup.com
[xx] Bulletin No.
2013-29, Third-Party Relationships, OCC, 2013. This and other such
issuances can be found at the Presentations page of www.VendorsComplianceGroup.com.
[xxi] The Federal Reserve issued updated third-party
oversight guidance addressing similar topics for supervised institutions in
December 2013. See Guidance on Managing
Outsourcing Risk, 2013, SR 13-19/CA 13-21. Also see the Presentations page
at www.VendorsComplianceGroup.com, where also is available CFPB - Bulletin 2012-03 - Service Providers, CFPB; Compliance Bulletin and Policy Guidance -
2016-02 - Services Providers; Compliance
Bulletin and Policy Guidance 2016-02 - Service Providers - Questions and
Answers, Vendors Compliance Group; Synopsis
of Supplement to OCC Bulletin 2013-29; Frequently
Asked Questions - "Third Party Relationships: Risk Management
Guidance," Vendors Compliance Group
[xxii] Op. cit., 19
