CREATORS OF THE COMPLIANCE TUNE-UP®

AARMR | ABA | ACAMS | ALTA | ARMCP | IAPP | IIA | MBA | MERS® | MISMO | NAMB

Showing posts with label FFIEC.

Thursday, April 9, 2020

Webinar: Checklist & Workbook - Business Continuity Plan and COVID-19 Pandemic Response


Announcement

Message from Jonathan Foxx, Ph.D., MBA, 
Chairman & Managing Director
Lenders Compliance Group

We are presenting a Free Webinar, entitled

Navigating the Checklist & Workbook - Business Continuity Plan and COVID-19 Pandemic Response.

Webinar: Thursday, April 16, 2020, 1PM-ET

     
We pioneered and authored the Checklist & Workbook.

Now we want to let you know how to navigate it.

This webinar is your chance to learn how to use the Checklist!

Since its publication on March 16th, we have received thousands of downloads.

The Checklist now consists of 6 Modules and 180 pages!

Demand is going to be high, seating is limited, so register now while there’s still space!

COVID-19 has made us take a close look at this pandemic response in the context of a Business Continuity Plan.

Here’s what you get when you attend Navigating the Checklist & Workbook:
  • Update # 6 – new release – you will receive it before anyone else!
  • Subject Matter Experts will present critical insights and guidance.
  • Written questions during the webinar answered individually after the webinar.
  • Slides
  • Recording 

As I pointed out, we have limited seating for this event. Please register as soon as possible.

Webinar: Thursday, April 16, 2020, 1PM-ET

Let’s continue to work together for the sake of our companies, employees, and families.

Best wishes!

Monday, March 16, 2020

Lenders Compliance Group issues complimentary Business Continuity Plan Checklist (Includes COVID-19 Pandemic Response)

PRESS RELEASE

Modules directly address the specific requirements needed to maintain business continuity in general as well as provide business continuity during the COVID-19 Pandemic in particular.

Lenders Compliance Group (LCG), the first and only full-service compliance firm with a suite of compliance solutions for residential mortgage lenders and originators, has issued today a valuable tool, entitled Business Continuity Plan Checklist & Workbook (Includes COVID-19 Pandemic Response).

The checklist is a valuable development tool to chart the progress in developing a Business Continuity Plan. This is a 60-page, form-fillable document that provides the basic compliance elements and due diligence essentials at this most critical time in the outbreak of the COVID-19 Pandemic.

There are distinct differences between pandemic planning and traditional business continuity planning. Pandemic planning presents unique challenges. Unlike natural disasters, technical disasters, malicious acts, or terrorist events, the impact of a pandemic is much more difficult to determine because of the anticipated difference in scale and duration.

Lenders Compliance Group is providing the Business Continuity Plan Checklist & Workbook (Includes COVID-19 Pandemic Response) on a complimentary basis to the financial services industry.

There are five modules, as follows:

Module 1: Business Continuity Team


Module 2: Facilities Continuity

Module 3: Recovery Requirements

Module 4: Pandemic Planning for COVID-19

Module 5: Generalized Pandemic Response based on NYS Model

Additional sections, some of which contain subsections, provide:

  • Team Alert List
  • Employee Call List Instructions
  • Critical Vendors List (Sample Format)
  • Key Customer Description
  • Meeting Place Description
  • Model Risk Matrix (Sample Format)

The Business Continuity Plan Checklist & Workbook (Includes COVID-19 Pandemic Response) is meant as a means toward building a functionally adequate Business Continuity Plan. Each financial institution is different and processes will vary. However, management should consider how to accomplish the following:

  • Prevention and preparedness;
  • Reconciling recovery times with business unit requirements;
  • Disaster declaration and plan implementation processes;
  • Recovery progress reporting; and
  • Testing of the plans.

Lenders Compliance Group has established a dedicated form to request a complimentary copy of the Business Continuity Plan Checklist & Workbook (Includes COVID-19 Pandemic Response) directly from its website Home Page at www.LendersComplianceGroup.com.

Tuesday, October 11, 2016

Cybersecurity - A Model Approach

Managing Director
Lenders Compliance Group

As some of you know, Lenders Compliance Group is the first risk management firm in the country to provide both a risk assessment and a disaster recovery plan for banks and nonbanks. The goal is to make the due diligence approach both affordable and consequential. Importantly, the resulting findings must meet regulatory scrutiny, since liability remains with the financial institution with respect to implementing Internet Technology, Information Security, and Cybersecurity requirements. The review process is conducted by Kevin Origoni, our Director/IT-IS-Cybersecurity, who is a Six Sigma awardee for his knowledge and experience. Our interest in this area has only grown more attentive as federal and state regulators have become very active in implementing disaster recovery and cybersecurity guidelines.

Our attentiveness has been borne out by the recently proposed regulation involving cybersecurity issued by the New York State Department of Financial Services (DFS). The regulation would impose significant cybersecurity standards on entities it supervises. The proposal is subject to a 45-day public comment period, which will end on November 14, 2016. Importantly, some of these standards exceed current state and federal requirements. It is valuable, therefore, to take a brief look at these prospective standards.

INSTITUTIONS
The proposed regulation would apply to entities operating or required to operate under a license, registration or other authorization under the New York Banking Law, Insurance Law or Financial Services Law. These covered entities include:
  • New York state chartered banks,
  • New York licensed branches and agencies of foreign banks,
  • insurance companies,
  • money transmitters,
  • licensed lenders,
  • mortgage brokers, and
  • mortgage bankers, lenders and servicers.

Certain small entities would be exempt from some, but not all, of the requirements of the proposed regulation.

If adopted, the proposed regulation would require covered entities to adopt a written cybersecurity program and implement various safeguards to protect nonpublic information, as broadly defined in the proposal. Covered entities would have to annually certify to the DFS their compliance with the proposed regulation.

NATIONAL STANDARDS
We believe that the DFS proposal will set a nationwide standard for cybersecurity and should be carefully considered as a model for disaster recovery, IT, IS, and cybersecurity requirements.

As it is currently drafted, the proposed regulation is prescriptive, inasmuch as it goes beyond the requirements imposed by the federal banking regulators on the depository institutions they supervise. For instance, guidance provided by the Federal Financial Institutions Examination Council (FFIEC) in its September 2016 Examination Handbook suggests that financial institutions should implement the type and level of encryption that is commensurate with the sensitivity of information being protected. However, FFIEC does not mandate that all nonpublic information be encrypted while in transit and at rest, or resident, as the DFS has proposed. But the DFS proposal also appears to require multi-factor authentication in a much broader range of circumstances than the guidance provided by federal regulators to depository institutions, which is mostly focused on online banking.

Similarly, the federal banking regulators require financial institutions to provide notice of information security breaches involving unauthorized access to or use of sensitive customer information; however, the DFS would mandate such notification within 72 hours of any cybersecurity event, a timeframe which the federal banking regulators do not require.

SPECIFIC STANDARDS
The DFS sets forth standards for policies and procedures. Each covered entity’s cybersecurity program would need to be designed to ensure the confidentiality, integrity and availability of the covered entity’s information systems and to perform the following functions:

Thursday, April 24, 2014

Mitigating the Risk of Distributed Denial-of-Service (DDoS) Attacks


On Tuesday, April 1, 2014, Ellie Mae’s systems were compromised by a Distributed Denial-of-Service (DDoS) attack. Resources known to be affected were all Encompass services, including Encompass Docs Solution™, Electronic Document Management (“eFolder”), Encompass Product and Pricing Service™, Encompass Compliance Service™, and Ellie Mae Network Services.[1]

Ellie Mae itself proactively published a Press Release on April 1st, announcing that “recent outages [that] have made Ellie Mae’s Encompass services unavailable to users” and further stating that it “has detected unusually high demand for services consistent with an external malicious attack characteristic of a distributed denial of service (DDoS).”[2]

As reported by Bloomberg at the time, the system failure “prevented some mortgages from closing.” One client complained that “our business is at a standstill.”[3]

For our own clients, we sought to know how Ellie Mae was challenging this attack, and we also monitored its status page.[4]

By Wednesday, April 2nd, Ellie Mae’s focused and deliberative handling of this matter was bringing the overall problem to the stage of being resolved. The completion was met with a statement by Sig Anderman, Ellie Mae’s CEO, affirming that, “as of 2:15 p.m. PT, we verified that Encompass Homepage login and load times have returned to normal.”[5]

As it happens, and quite coincidentally, on April 2nd the Federal Financial Institutions Examination Council (“FFIEC”) issued a statement to notify institutions of “the risks associated with the continued distributed denial of service (DDoS) attacks on public-facing Web sites and the steps institutions are expected to take to address the risks posed by such attacks.”[6]

I well remember meeting a compliance officer of a relatively large bank at his office. He asked me to step around his desk and take a look at his screen. I was astonished to see thousands and thousands of green coded lines scrolling on the screen. I asked him what was going on, and he told me that the bank’s systems were under attack and these were the unending attempts to penetrate their systems. I had never seen anything like it!

Let’s take a brief trip into this area of Internet madness that IT professionals deal with daily.

Since 2012, there has been an increasing number of DDoS attacks launched against financial institutions by politically motivated groups, so says FFIEC. However, we also know that DDoS attacks have come from foreign country proxies, mafia-type criminals, and sundry other nefarious individuals and organizations hell bent on disrupting financial institutions. DDoS attacks serve as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.

These DDoS attacks have increased in sophistication and intensity, almost to the point that they are commonplace. The attacks cause slow website response times, intermittently prevent customers from accessing institutions’ public websites, and adversely affect back office operations.

Thus, many financial institutions are considerably at risk of information security failures and even entire system implosions. Financial institutions of all sizes that experience DDoS attacks may face a variety of risks, including operational risks and reputation risks. And if the attack is coupled with attempted fraud, a financial institution may also experience fraud losses as well as liquidity and capital risks.

FFIEC suggests that financial institutions should address DDoS readiness as part of ongoing information security and incident response plans. Through FFIEC, such readiness has been proposed by the Board of Governors of the Federal Reserve System (FRS), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee. Many states now mandate adopting an Information Security Plan that contains many elements of readiness, incident response, and certain risk mitigation procedures.

There are actions a financial institution’s management would be wise to take to mitigate the risks associated with DDoS attacks, given the company’s size, complexity and risk profile. Any plan to mitigate such risks should include the following elements:[7]

1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;

2. Monitor Internet traffic to the institution’s website to detect attacks;

3. Activate incident response plans and notify service providers, including Internet Service Providers (ISPs), as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;

4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party services, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s ISP can assist in responding to and mitigating an attack;

5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center[8] and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and

6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

I strongly recommend that the management of a financial institution meet regularly with the Chief Information Officer (“CIO”) or, in lieu of a CIO, the IT professional who is in charge of maintaining the institution’s systems. Furthermore, every CIO and IT professional should be fully versed in the requirements set forth in FFIEC’s booklets, Information Technology Handbook on Business Continuity Planning[9] and Information Security.[10]

Another resource is the DDoS Quick Guide, dated January 29, 2014, published by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.[11] This guide provides useful information on attack possibilities and traffic types. It should be shared with an institution’s IT department and the institution’s online banking and website service providers, if applicable.

Thursday, December 12, 2013

Social Media: Consumer Compliance Risk Management Guidance

On December 11, 2013, the Federal Financial Institutions Examination Council (FFIEC) released final guidance (“Guidance”) on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau (collectively, “financial institutions”). The Guidance was issued final on behalf of the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve (Board), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB) (collectively, the “Agencies”), and the State Liaison Committee (SLC).

The Guidance is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks, such as reputation and operational risks associated with the use of social media, along with expectations for managing those risks. It also provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media. Although this Guidance does not impose any new requirements on financial institutions, as with any process or product channel, financial institutions are expected to manage potential risks associated with social media usage and access.

The Final Rule is meant to highlight and manage potential risks to financial institutions and consumers; however, financial institutions should ensure their risk management programs provide oversight and controls commensurate with the risks presented by the types of social media in which the financial institution is engaged, including, but not limited to, the risks outlined within the Guidance.

In this article, I will set forth an outline of the Guidance along with suggestions to manage the risks associated with the use of social media.* I have also published a helpful article on this topic, entitled Social Media and Networking Compliance, which may be downloaded from our Library. 

WHAT IS SOCIAL MEDIA?

For purposes of the Guidance, messages sent via traditional email or text message, standing alone, do not constitute social media, although such communications may be subject to a number of laws and regulations discussed in the Guidance. However, messages sent through social media channels are social media. According to the Guidance, social media is considered to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video. Social media can take many forms, including, but not limited to, micro-blogging sites; forums, blogs, customer review web sites and bulletin boards; photo and video sites; sites that enable professional networking; virtual worlds; and social games. Social media can be distinguished from other online media in that the communication tends to be more interactive. 

RISK MANAGEMENT PROGRAM

The Guidance suggests that a financial institution should have a risk management program that allows it to identify, measure, monitor, and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the breadth of the financial institution’s involvement in this medium.

For instance, a financial institution that relies heavily on social media to attract and acquire new customers should have a more detailed program than one using social media only to a very limited extent. An observation made in the Guidance, and worth noting, is that even if a financial institution’s own risk assessment indicates that it has chosen not to use social media, it should “still consider the potential for negative comments or complaints that may arise within the many social media platforms”, and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and determine if a response is needed.

FEATURES OF A RISK MANAGEMENT PROGRAM

The risk management program should be designed with participation from specialists in compliance, technology, information security, legal, human resources, and marketing. Financial institutions should also provide guidance and training for employee official use of social media.

The Guidance stipulates at least seven components of a risk management program. These include, but are not limited to:

1. A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the institution (for instance, through increasing brand awareness, product advertising, or researching new customer bases) and establishes controls and ongoing assessment of risk in social media activities;

2. Policies and procedures (either stand-alone or incorporated into other policies and procedures) regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Further, policies and procedures should incorporate methodologies to address risks from online postings, edits, replies, and retention;

3. A risk management process for selecting and managing third-party relationships in connection with social media;

4. An employee training program that incorporates the institution’s policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;

5. An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;

6. Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and

7. Parameters for providing appropriate reporting to the financial institution’s board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives. 

WHAT ARE THE RISKS?

The use of social media to attract and interact with customers can impact a financial institution’s risk profile, including:

  • Risk of harm to consumers
  • Compliance and legal risks
  • Operational risks, and
  • Reputation risks.

In our own reviews on behalf of our clients, we have found that the foregoing risks are increased due to poor due diligence, oversight, or control on the part of the financial institution.

Let us now give consideration to each of the Risk Areas, with respect to the risks posed by Social Media. Suggestions are emboldened in each synopsis.

Tuesday, March 12, 2013

Social Media Compliance: Frequently Asked Questions

Last month, I discussed some of the salient compliance requirements associated with using Social Media.* Then, a few days later, I offered to you my article, entitled Social Media and Networking Compliance. This month, on March 6th, I was one of three presenters who gave a webinar for American Banker on Social Media, with special reference to the new rules of the Federal Financial Institutions Examination Council (FFIEC). The proposed rule, issued January 23rd, is entitled "Social Media: Consumer Compliance Risk Management Guidance."
My webinar topic: Social Media – Employee Manual. 
The webinar was very well attended by a diverse cross-section of financial institutions. I found it quite interesting that, when polled during the webinar, by a factor of two to one these companies did not have an Employee Manual, even if about a third of them have policies and procedures relating to Social Media.
I have harped on a certain point regarding policy statements, so here it goes again: policies and procedures are a rather abstract concept to employees; employee manuals, however, for certain rules and regulations, are the most effective means to ensure compliance. Training is an important and an ancillary tool, but employees do not always mentally retain training information. Keep this in mind: an employee manual is a constant reminder of a company's expectations and policies.
One aspect of social media that deserves considerable attention is trolling, using anonymity, and general blogging guidelines. Everybody knows that, for the most part, blogging is electronically available to the public. However, with regard to an individual's employment with a financial institution, what restrictions should be placed on an employee who blogs? From my own research and experience, it would seem that many employees actually have no idea of the implications, requirements, and, in some cases, the potential to easily cross over into violations of federal law or state law.
Here are the risks at stake in social media networking and blogging - though by no means less so for forms of advertising through and use of social media: financial risk, regulatory risk, sales risk, reputation risk, legal risk, strategic risk, and operational risk, such as adverse consequences to business plans, projects, Internet Technology and Information Security protections, and many core departmental functions.
In this article, I will offer high-level FAQs about the use of Social Media (SM), with some additional emphasis on blogging. I will also provide bulleted guidelines to give to employees.
________________________________________________
What is Social Media?
SM is a form of interactive online communication in which users can generate and share content through text, images, audio and/or video.
________________________________________________
Do companies use Social Media?
HubSpot found that by November 2012 companies that blog incurred an average of 55% more visitors to their sites than companies that did not blog. Statistically, blogging companies may generate 97% more external website links and 434% more indexed pages, both of which are critical to a company’s search rank. And a global survey by McKinsey of approximately 1,700 corporate executives finds that 69% of respondents claim measurable advantages from social media, including a lower cost of doing business, better access to knowledge, increased marketing effectiveness, insight for developing more innovative products and services, and higher revenues.
________________________________________________
Does SM cover micro-blogging?
SM includes, but is not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).
________________________________________________
How do some financial institutions use SM?
SM has been used to receive and respond to complaints, provide loan pricing, and offer generic information about products and services.
________________________________________________

Tuesday, February 5, 2013

Social Media and Networking Compliance

When you think of advertising, do you include social media? These days, most of you do!
However, social media compliance - which I shall call "SMC" - is a considerable undertaking, far more involved than just issuing a policy and procedure. Often, implementing SMC includes working with internet technology and information security professionals, collaborating with sales, compliance, legal, marketing, and human resources personnel, and ensuring that virtually all employees understand their own obligations with respect to using internet communications.
We have drafted SMC policy statements that call for constant vigilance by management and appointed staff to monitor for and find the appropriate remedies to transgressions relating to use of a company's name, logo, products, and services, in casual and even formal social media interactions.
Recently, Federal Financial Institutions Examination Council (FFIEC) issued a request for comments, entitled Social Media: Consumer Compliance Risk Management Guidance ("Notice"). FFIEC issued this notice on behalf of its six members, Office of the Comptroller of the Currency (OCC); the Board of Governors of the Federal Reserve System (Board); the Federal Deposit Insurance Corporation (FDIC); the National Credit Union Administration (NCUA); the CFPB (collectively, the "Agencies"); and the State Liaison Committee (SLC). Succinctly put, whatever the federal agencies eventually adopt, the states will issue the final guidance as a supervisory guidance not only to the institutions that are, by extension, under its supervision but also through the State Liaison Committee, thereby encouraging state regulators to adopt the guidance.
This means that institutions will be expected to use the forthcoming guidance in their efforts to ensure that their policies and procedures provide oversight and controls commensurate with the risks posed by their social media activities. State agencies that adopt the guidance will expect the entities that they regulate to use the guidance in their efforts to ensure that their risk management and consumer protection practices adequately address the compliance and reputation risks raised by activities conducted via social media.
In this article, I will consider certain features of FFIEC's social media Notice as well as some important subjects to be addressed in constructing an SMC policy and procedure.*
_______________________________________________________
IN THIS ARTICLE
Defining Social Media
Use of Social Media
Risks of Social Media
Risk Management
Risk Areas
Laws and Regulations
Major Risks
Policy and Procedures
_______________________________________________________
Defining Social Media
Social media has been defined in a number of ways. For purposes of the proposed guidance, the Agencies consider social media to be a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.
Social media can take many forms, including, but not limited to, micro-blogging sites (e.g., Facebook, Google Plus, MySpace, and Twitter); forums, blogs, customer review Websites and bulletin boards (e.g., Yelp); photo and video sites (e.g., Flickr and YouTube); sites that enable professional networking (e.g., LinkedIn); virtual worlds (e.g., Second Life); and social games (e.g., FarmVille and CityVille).
A simple test to distinguish social media from other online media is that social media communication tends to be more interactive.
_______________________________________________________
Use of Social Media
Financial institutions use social media in a variety of ways, including marketing, providing incentives, facilitating applications for new accounts, inviting feedback from the public, and engaging with existing and potential customers.
For instance, social media has been used to receive and respond to complaints. It has also been used to provide loan pricing. Since this form of customer interaction tends to be informal and occurs in a less secure environment, it presents some unique challenges to financial institutions.

Friday, July 15, 2011

FRB: Mortgage Rulemaking Chart 2008 - 2011

Yesterday, we notified you about the testimony given by witnesses in the hearing held by the Insurance, Housing and Community Opportunity Subcommittee (Committee of Financial Services), entitled "Mortgage Origination: the Impact of Recent Changes on Homeowners And Businesses."
The overall purpose of the hearing was to evaluate recent changes to mortgage origination laws, with particular focus on the impact the new laws and regulations have on consumers and credit availability in the mortgage finance markets.
During the hearing, Sandra Braunstein, the FRB's Director of Division of Consumer and Community Affairs, provided written testimony containing a table entitled "Summary of Federal Reserve Board Mortgage Rulemakings - 2008 through 2011."
I have removed the table from the written testimony and featured it separately in our Library.
MORTGAGE RULEMAKINGS - 2008 THROUGH 2011
FINAL RULES
  • Home Ownership and Equity Protection Act (HOEPA): Final Rule
  • Mortgage Disclosure Improvement Act, Part I: Final Rule
  • Mortgage Disclosure Improvement Act, Part II: Interim Final Rule
  • Helping Families Save Their Homes Act - Mortgage Transfer Disclosure: Final Rule
  • Loan Originator Compensation: Final Rule
  • Dodd-Frank Act - Appraisal Independence: Interim Final Rule
  • Dodd-Frank Act - Escrow Account: Final Rule
PROPOSED RULES
  • Regulatory Review of Disclosure Rules for Closed-end Mortgages (Phase I)
  • Regulatory Review of Disclosure Rules for Home Equity Lines of Credit (HELOCs) (Phase I)
  • Regulatory Review of Mortgage Disclosure Rules (Phase II)
  • Dodd-Frank Act - Escrow Account Disclosures
  • Dodd-Frank Act - Ability to Repay/Qualified Mortgages
LIBRARY
Summary of Federal Reserve Board Mortgage Rulemakings
2008 through 2011
Statement of Sandra F. Braunstein, Director
Division of Consumer and Community Affairs, Federal Reserve System
Insurance, Housing, and Community Opportunity Subcommittee
(Committee on Financial Services)
July 13, 2011

Wednesday, July 13, 2011

Hearing: FRB Testimony on LO Compensation

On Wednesday, July 13, 2011, the Insurance, Housing and Community Opportunity Subcommittee (Committee of Financial Services) held a hearing, entitled "Mortgage Origination: the Impact of Recent Changes on Homeowners And Businesses."
The overall purpose of the hearing was to evaluate recent changes to mortgage origination laws, with particular focus on the impact the new laws and regulations have on consumers and credit availability in the mortgage finance markets. 
During the hearing, Sandra Braunstein, the FRB's Director of Division of Consumer and Community Affairs, seemed to state that the loan officer employees of loan originators (i.e., brokers) would not be required to be paid only by a salary on consumer-paid transactions, but may also be paid "bonus" commissions.
Her testimony today actually supports my understanding of her statement to this Subcommittee.
[See page 8-9 of Director Braunstein's submitted testimony in our Library.]
Under the new TILA loan compensation rule, if a loan is brokered and the consumer is paying the broker fee, then the branch manager, the loan officer, and all the other employees may only be paid a salary or hourly wage.
Similarly, bonuses and referral fees to tellers, processors, and other staff are not permitted for a brokered loan when the borrower pays broker fees or other origination fees to the broker.
Perhaps I did not understand fully Director Braunstein's remarks. But if that aspect of the Rule is changed, then this would be a significant relief to mortgage brokers.
In any event, the details and facts must be considered. So further clarity will be needed to determine if this is actually a change in FRB policy.
 HEARING
The hearing consisted of two panels.

The full text of the testimony of each witness may be found in our Library.

 WITNESSES
Panel I

Sandra F. Braunstein, Director of Division of Consumer and Community Affairs, Board of Governors of the Federal Reserve System
Teresa Payne, Associate Deputy Assistant Secretary, Regulatory Affairs, Department of Housing and Urban Development
Kelly Cochran, Deputy Assistant Director for Regulations, Consumer Financial Protection Bureau, Department of Treasury
James R. Park, Executive Director, Appraisal Subcommittee, Federal Financial Institutions Examination Council
William B. Shear, Director of Financial Markets and Community Investment, Government Accountability Office
Anne Norton, Maryland Deputy Commissioner of Financial Regulation, on behalf of the Conference of State Bank Supervisors
Panel II

Steve A. Brown, Executive Vice President, Crye-Leike, on behalf of the National Association of Realtors
Henry V. Cunningham, Jr., CMB President, Cunningham & Company, on behalf of the Mortgage Bankers Association
Tim Wilson, President, Affiliated Businesses for Long & Foster Companies, on behalf of the Real Estate Services Providers Council, Inc.
Anne Anastasi, President, Genesis Abstract and President, American Land Title Association
Mike Anderson, President, Essential Mortgage, on behalf of the National Association of Mortgage Brokers
Marc Savitt, President, The Mortgage Center, on behalf of the National Association of Independent Housing Professionals
Sara Stephens, President Elect, Appraisal Institute
Don Kelly, Executive Director, Real Estate Valuation Advocacy Association (REVAA), on behalf of REVAA and the Coalition to Facilitate Appraisal Integrity Reform
Janis Bowdler, Director, Wealth-Building Policy Project Office of Research, Advocacy, and Legislation, on behalf of the National Council of La Raza
Ira Rheingold, Executive Director, National Association of Consumer Advocates

 Library
Insurance, Housing and Community Opportunity Subcommittee
(Committee of Financial Services)
"Mortgage Origination: the Impact of Recent Changes 
on Homeowners And Businesses"
 
Witness Testimony - Two Panels
July 13, 2011