Showing posts with label Cybersecurity.

Friday, February 28, 2020

Coronavirus: CDC Guidance - An Urgent Message


The Centers for Disease Control and Prevention (CDC) has issued an alert regarding the Coronavirus Disease, entitled Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019 (COVID-19), February 2020.

This Interim Guidance (“Guidance”) is based on what is currently known about the coronavirus disease 2019 (COVID-19). The CDC will update this Guidance as needed and as additional information becomes available.

Read the CDC's Guidance HERE.

Unfortunately, much is unknown about how the virus that causes COVID-19 spreads. Current knowledge is largely based on what is known about similar coronaviruses.

The Guidance is meant to help prevent workplace exposures to acute respiratory illnesses, including COVID-19, in non-healthcare settings. The guidance also provides planning considerations if there are more widespread, community outbreaks of COVID-19.

Lenders Compliance Group is willing to help!

At this time, we suggest that you review your Disaster Recovery and Business Continuity Plan (“DRBC”), as the impact, features, factors, procedures, and policy requirements relating to COVID-19 should be set forth therein. The plan should include the CDC’s recommended strategies for employers to implement. 

Due to this emergency, if you need help with your DRBC, Lenders Compliance Group is offering to provide its DRBC review, assessment, risk rating, recommendations, and policy at a 20% discount from our already low fee. If the cost is a bit tough to manage, we will give you an affordable payment plan. Avoid the manual mills, one-size-fits-all, and fill-in-the-blanks versions. The DRBC must be customized to your institution to be effective and meet regulatory scrutiny!

To request support with your DRBC, click HERE.

EMPLOYER ACTIONS
  • Ensure the plan is flexible and involve your employees in developing and reviewing your plan.
  • Conduct a focused discussion or exercise using your plan to find out ahead of time whether the plan has gaps or problems that need to be corrected.
  • Share your plan with employees and explain what human resources policies, workplace and leave flexibilities, and pay and benefits will be available to them.
  • Share best practices with other businesses in your communities (especially those in your supply chain), chambers of commerce, and associations to improve community response efforts. 

Response Plan

There are numerous actions that must be implemented now. Do not wait! Time is not on your side!

  • Identify possible work-related exposure and health risks to your employees.
  • Review human resources policies to make sure that policies and practices are consistent with public health recommendations and are consistent with existing state and federal workplace laws.
  • Explore whether you can establish policies and practices, such as flexible worksites (i.e., telecommuting) and flexible work hours (i.e., staggered shifts), to increase the physical distance among employees and between employees and others if state and local health authorities recommend the use of social distancing strategies.
  • Identify essential business functions, essential jobs or roles, and critical elements within your supply chains (i.e., raw materials, suppliers, subcontractor services/products, and logistics) required to maintain business operations.
  • Plan for how your business will operate if there is increasing absenteeism or these supply chains are interrupted.
  • Set up authorities, triggers, and procedures for activating and terminating the company’s infectious disease outbreak response plan, altering business operations (i.e., possibly changing or closing operations in affected areas), and transferring business knowledge to key employees.
  • Plan to minimize exposure between employees and also between employees and the public, if public health officials call for social distancing.
  • Establish a process to communicate information to employees and business partners on your infectious disease outbreak response plans and latest COVID-19 information.
  • Anticipate employee fear, anxiety, rumors, and misinformation, and plan communications accordingly.
  • In some communities, early childhood programs and K-12 schools may be dismissed, particularly if COVID-19 worsens. Determine how you will operate if absenteeism spikes from increases in sick employees, those who stay home to care for sick family members, and those who must stay home to watch their children if dismissed from school.
  • Local conditions will influence the decisions that public health officials make regarding community-level strategies; employers should take the time now to learn about plans in place in each community where they have a business.
  • If there is evidence of a COVID-19 outbreak in the US, consider canceling non-essential business travel to additional countries per travel guidance on the CDC website.
  • Travel restrictions may be enacted by other countries which may limit the ability of employees to return home if they become sick while on travel status.
  • Consider cancelling large work-related meetings or events.
  • Engage state and local health departments to confirm channels of communication and methods for dissemination of local outbreak information.

Wednesday, August 16, 2017

Mortgage Regulators Conference – A Synopsis

Director/Agency Relations
Lenders Compliance Group

Recently, I attended the annual meeting of the American Association of Mortgage Regulators Association (AARMR), held in San Antonio, Texas, on August 1, 2017.

The meeting is an important event in the calendar of state and federal banking regulators, as it is largely devoted to regulatory compliance involving banks and nonbanks.

As the former Deputy Commissioner of the Connecticut Banking Department, I have attended these conferences for many years. Of course, as our Director of Agency Relations, I take a particular interest in this event because it enhances my understanding of key issues that may be facing the mortgage banking community in general and our clients in particular.

I would like to share some of the “take-aways” that I have surmised from this valuable AARMR regulatory conference. 

To be sure, I think that it will be helpful to understand the mission statement of AARMR, which is:

“To promote the exchange of information and education of licensing, supervision and regulation of the residential mortgage industry, ensure the ability to provide effective supervision for a safe and sound industry meeting the needs of the local financial markets and protect the rights of consumers.”

This conference provides an opportunity for regulators and industry to discuss current issues and to come away with a better understanding of regulatory concerns as well as those of the industry. It is worth noting that the meeting attendees include not only regulators from most of the states but also legal and regulatory compliance folks as well as a variety of mortgage lenders and mortgage brokers of all sizes.

One of the most compelling and interesting presentations had to do with the industry’s need for clarity and consistency in mortgage supervision and enforcement.

I am offering the following synopsis with the hope that you may obtain a better understanding of some of these mortgage industry concerns, as presented by certain panel discussions relating to challenges in the areas of licensing, advertising, reporting, disclosures, “desk drawer” policies, and the need for collaboration in producing a standard cybersecurity policy.


Please let us know your thoughts, questions or concerns. 

We welcome your feedback!

Some of the challenges and opportunities presented by the industry are summarized below.

Thursday, January 12, 2017

Cybersecurity Guidelines – “First-in-the-Nation” Regulation

President & Managing Director

WHITE PAPER

On December 28, 2016, the New York Department of Financial Services (DFS) announced that it had revised its proposed cybersecurity regulations in response to public comments that they would be too burdensome, particularly on smaller institutions. The proposed rules, which were initially announced on September 13, 2016, and set to take effect on January 1, 2017, were billed as a “first-in-the-nation regulation” to protect New York residents from cyberattacks.

The “Cybersecurity Requirements for Financial Services Companies” (“Regulation”) is promulgated through Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, and takes effect upon publication in the State Register.[i]

These guidelines would require banks, insurers and other financial services companies regulated by the DFS to set up a cybersecurity program aimed at protecting consumer information from cyberattacks. The revised regulation eases certain reporting and encryption requirements, and exempts small institutions from complying with certain sections of the rule.

The Regulation, as revised, is set to take effect on March 1, 2017. There is a transitional period, which is 180 days from the effective date of March 1st, with implementation timeframes layered in as exceptions granted for certain requirements, from 12 months to 18 months to 24 months. Covered entities will be required to annually prepare and submit to the DFS a Certification of Compliance[ii] with the New York State Department of Financial Services Cybersecurity Regulations, commencing February 15, 2018.

In this article, I will provide a high-level overview of these guidelines. This outline is not meant to be comprehensive. However, I will hit on several salient areas of interest. Expect these requirements to become a model for examination and enforcement in most other states. Lenders Compliance Group has provided risk assessments for cybersecurity, information security, and information technology based on the Federal Financial Institutions Examination Council's (FFIEC) procedures. So, my firm has experience in cybersecurity risk assessments. Given that familiarity, we now are providing an overlay for the DFS cybersecurity requirements that are promulgated in the Regulation.

Cybersecurity Program

Each covered entity – that is, any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, the Insurance Law or the Financial Services Law – must maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s Information Systems.

The Regulation defines a “cybersecurity event” as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system. For purposes of this regulation, an information system is a “discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information,” as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

A risk assessment must be conducted by the covered entity and the cybersecurity program must be based on that risk assessment and also be designed to perform the following core cybersecurity functions:
  1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of all electronic information that is not publicly available information, known as Nonpublic Information (“NPI”), stored on the covered entity’s information systems;
  2. use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the NPI stored on those information systems, from unauthorized access, use or other malicious acts;
  3. detect cybersecurity events;
  4. respond to identified or detected cybersecurity events to mitigate any negative effects;
  5. recover from cybersecurity events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations. 

With respect to covered entities that have affiliates, the requirements of the Regulation permit adoption of a cybersecurity program maintained by an affiliate, provided that the affiliate’s cybersecurity program covers the covered entity’s information systems and NPI and meets the requirements of the Regulation. An affiliate is any Person that controls, is controlled by or is under common control with another Person. For purposes of the Regulation, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.

Tuesday, October 11, 2016

Cybersecurity - A Model Approach

Managing Director
Lenders Compliance Group

As some of you know, Lenders Compliance Group is the first risk management firm in the country to provide both a risk assessment and a disaster recovery plan for banks and nonbanks. The goal is to make the due diligence approach both affordable and consequential. Importantly, the resulting findings must meet regulatory scrutiny, since liability remains with the financial institution with respect to implementing Internet Technology, Information Security, and Cybersecurity requirements. The review process is conducted by Kevin Origoni, our Director/IT-IS-Cybersecurity, who is a Six Sigma awardee for his knowledge and experience. Our interest in this area has only grown more attentive as federal and state regulators have become very active in implementing disaster recovery and cybersecurity guidelines.

Our attentiveness has been borne out by the recently proposed regulation involving cybersecurity issued by the New York State Department of Financial Services (DFS). The regulation would impose significant cybersecurity standards on entities it supervises. The proposal is subject to a 45-day public comment period, which will end on November 14, 2016. Importantly, some of these standards exceed current state and federal requirements. It is valuable, therefore, to take a brief look at these prospective standards.

INSTITUTIONS
The proposed regulation would apply to entities operating or required to operate under a license, registration or other authorization under the New York Banking Law, Insurance Law or Financial Services Law. These covered entities include:
  • New York state chartered banks,
  • New York licensed branches and agencies of foreign banks,
  • insurance companies,
  • money transmitters,
  • licensed lenders,
  • mortgage brokers, and
  • mortgage bankers, lenders and servicers.

Certain small entities would be exempt from some, but not all, of the requirements of the proposed regulation.

If adopted, the proposed regulation would require covered entities to adopt a written cybersecurity program and implement various safeguards to protect nonpublic information, as broadly defined in the proposal. Covered entities would have to annually certify to the DFS their compliance with the proposed regulation.

NATIONAL STANDARDS
We believe that the DFS proposal will set a nationwide standard for cybersecurity and should be carefully considered as a model for disaster recovery, IT, IS, and cybersecurity requirements.

As it is currently drafted, the proposed regulation is prescriptive, inasmuch as it goes beyond the requirements imposed by the federal banking regulators on the depository institutions they supervise. For instance, guidance provided by the Federal Financial Institutions Examination Council (FFIEC) in its September 2016 Examination Handbook suggests that financial institutions should implement the type and level of encryption that is commensurate with the sensitivity of the information being protected. However, the FFIEC does not mandate that all nonpublic information be encrypted while in transit and at rest, as the DFS has proposed. Further, the DFS proposal appears to require multi-factor authentication in a much broader range of circumstances than the guidance provided by federal regulators to depository institutions, which is mostly focused on online banking.

Similarly, the federal banking regulators require financial institutions to provide notice of information security breaches involving unauthorized access to or use of sensitive customer information; however, the DFS would mandate such notification within 72 hours of any cybersecurity event, a timeframe which the federal banking regulators do not require.
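As an added example (not from this post, from DFS, or from Lenders Compliance Group), the following Python applies the cybersecurity event definition quoted in the January 2017 post above (any act or attempt, successful or unsuccessful, to gain unauthorized access) to a few constructed log lines and computes the 72-hour notification deadline described here. The log format, the host inventory of NPI systems, and the assumption that only the 10.0.0.0/8 range is the entity's own network are all hypothetical; the actual reporting trigger should be taken from the regulation's final text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page), one key=value record per line.
SAMPLE_LOG = """\
2016-10-11T08:02:11Z host=loan-db01 user=jsmith action=login result=success src=10.1.4.22
2016-10-11T08:05:40Z host=loan-db01 user=admin action=login result=failure src=203.0.113.9
2016-10-11T08:05:42Z host=loan-db01 user=admin action=login result=failure src=203.0.113.9
2016-10-11T08:05:44Z host=loan-db01 user=admin action=login result=failure src=203.0.113.9
2016-10-11T09:15:03Z host=web-kiosk user=guest action=read result=success src=10.1.9.3
2016-10-11T10:01:00Z host=los-app02 user=jsmith action=login result=success src=198.51.100.7
"""

NPI_HOSTS = {"loan-db01", "los-app02"}   # hypothetical inventory of hosts holding NPI
INTERNAL_PREFIX = "10."                  # assumption: 10/8 is the entity's own network
NOTIFY_WINDOW = timedelta(hours=72)      # notification window in the DFS proposal

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def event_reason(rec):
    """Part 500 definition: an act OR attempt, successful or unsuccessful, to gain
    unauthorized access. Returns a reason string, or None if the line is routine."""
    if rec["result"] == "failure":
        return "unsuccessful access attempt"      # attempts count, not only breaches
    if not rec["src"].startswith(INTERNAL_PREFIX):
        return "access from outside the network"  # a successful act also counts
    return None

def triage(log_text):
    """Group qualifying lines into incidents keyed by (host, src) and compute the
    72-hour notification deadline from the earliest qualifying line."""
    incidents = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = event_reason(rec) if rec else None
        if reason is None:
            continue
        inc = incidents.setdefault((rec["host"], rec["src"]), {
            "host": rec["host"], "src": rec["src"], "count": 0, "reasons": set(),
            "npi": rec["host"] in NPI_HOSTS, "first_seen": rec["ts"]})
        inc["count"] += 1
        inc["reasons"].add(reason)
        inc["first_seen"] = min(inc["first_seen"], rec["ts"])
        inc["deadline"] = inc["first_seen"] + NOTIFY_WINDOW
    return sorted(incidents.values(), key=lambda i: i["first_seen"])

def notice_on_time(incident, notified_at):
    """True if the notice to DFS went out within the 72-hour window."""
    return notified_at <= incident["deadline"]

if __name__ == "__main__":
    for inc in triage(SAMPLE_LOG):
        print(inc["host"], inc["src"], inc["count"], inc["npi"], inc["deadline"].isoformat())
```

Note that the three failed logins produce an incident even though no access was gained, which is the point of the "successful or unsuccessful" language.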

SPECIFIC STANDARDS
The DFS sets forth standards for policies and procedures. Each covered entity’s cybersecurity program would need to be designed to ensure the confidentiality, integrity and availability of the covered entity’s information systems and to perform the following functions:

Monday, January 25, 2016

Cases and Regulations: 2016 Predictions

I have noticed that there has been a spate of articles in the last few months about the regulatory events of 2015. Indeed, the highest profile event was the implementation of the rules governing TILA-RESPA Integration Disclosure (“TRID”). Looking back at history is important; after all, “what’s past is prologue,”[i] as Shakespeare’s insight offers in The Tempest. Or is it? Can our vision be so blurred by the emoluments of the past that we lose sight of the recompense awaiting us in the future?

Enjoy'd no sooner but despised straight,
Past reason hunted, and no sooner had
Past reason hated, as a swallow'd bait
On purpose laid to make the taker mad;
Mad in pursuit and in possession so;
Had, having, and in quest to have, extreme.

Thus said Shakespeare in Sonnet 129, pouting how past sentiments can beguile future attractions in inscrutable ways, focused on consuming demands, whipped from one extreme to another, passionately meeting the madness of a gripping mission. Having gone through 2015’s glut of objections, tests, threats, claims, confrontations, defiances, demurs, provocations, remonstrances, ultimatums, impositions, exigencies, and importunities, perhaps now we should set our zealous pursuit of adaptation and expediency to the dispatch that is likely awaiting us in 2016.

I propose to discuss two categories that, though separate in purpose and determinate qualities, are each intrinsic to the way residential mortgage lenders and originators, as well as other financial service entities involved in extending credit through consumer loan products, will be responsive to the regulatory compliance environment in the year ahead: cases and regulations. Each often is rooted in the past, though usually springs to a trajectory into the future. Instead of traveling down Memory Lane, let’s take a modest excursion through the imminent happenings soon to come. In briefly discussing these cases and regulations, I hope to further stimulate public policy debates.

Cases

Both the U.S. Supreme Court and the Second Circuit will be prominent in deciding cases affecting the origination of mortgages in 2016. Also, the D.C. Circuit and the D.C. district court will adjudicate pertinent cases. The range of consequences is considerable, from cases that could make it more difficult to consummate secondary market transactions to cases further limiting class actions. I believe the following five cases should be on a watch list.

PHH Corp. et al. v. Consumer Financial Protection Bureau[ii]

I have been following this case since its inception. In its recent iteration, on November 5, 2015 the Consumer Financial Protection Bureau (“Bureau”) stated in a brief filed with the D.C. Circuit that its $109 million disgorgement order against PHH Corp. in a mortgage reinsurance kickback case met all statutory requirements and should be allowed to stand in order to keep other companies from engaging in similar schemes.

The Bureau contends that PHH incorrectly interpreted the Real Estate Settlement Procedures Act (“RESPA”) in its appeal of the $109 million disgorgement order. The Bureau and its Director, Richard Cordray, contend that they were correct in levying the foregoing penalty, which, they claim, serves as a necessary deterrent to other firms that might consider engaging in kickback schemes.

To quote the Bureau itself:

“Eliminating kickbacks is a primary goal of RESPA. If PHH is permitted to keep the fruits of its kickback scheme merely because it claims it believed its scheme was legal, this will encourage others to take advantage of areas of statutory uncertainty.”

Further, the Bureau contests PHH’s claims that the agency’s ‘single-director structure,’ as opposed to ‘multimember-commission leadership,’ and funding through the Federal Reserve rather than the congressional appropriations process, violate the U.S. Constitution.

To refresh the history of this matter, the Bureau had filed administrative claims against PHH in January 2014, alleging that when PHH originated mortgages, the financial institution referred consumers to mortgage insurers with which it had relationships. In exchange for this referral, the agency claimed, these insurers purchased reinsurance from PHH’s subsidiaries, and PHH took the reinsurance fees as kickbacks.

The Bureau contended that PHH also charged more money for loans to consumers who did not buy mortgage insurance from one of its supposed kickback partners and, in general, charged consumers additional percentage points on their loans.