Risk Management Principles

WHITE PAPER

Jonathan Foxx

Chairman and Managing Director

A number of years ago I coined the term “Mortgage Risk Management,” in order to differentiate managing mortgage risk from the many other types of risk management. At that time, risk management was associated mostly with such areas as pharmaceutical companies, stock brokers, and information technology firms. My view was that mortgage loan originations and mortgage servicing present a unique set of risks to consumers, loan originators, mortgage servicers, and those industries and individuals that depend on the foregoing for their financial well-being. The term became popular and is in now in commonplace use.

But I also realized that managing mortgage risk would require a strong commitment on the part of companies, because regulatory oversight would fluctuate, often prey to the prevailing politics, and that meant companies had to build out an environment where managing risk could be joined to complying with the regulations themselves. I felt that a company could be successful in managing its mortgage risk if it developed a “Culture of Compliance.”[i] I wrote articles on the Culture of Compliance and gave numerous talks on this subject. In due course, the term was picked up by regulators and made a feature of everyday parlance.

I think consumers, mortgage loan originators, and regulators read my articles and attend my lectures because I strive to give everyone a fair shake. I call it like I see it, without fear of whether some view or another is stepping on somebody’s sacred political toes. Sometimes there really is a right and a wrong, irrespective of the controversy surrounding a regulatory mandate.

My standard is simple: doing all we can to protect the consumer is the only way to protect the viability of the mortgage loan originator and mortgage servicer in the long run.

And the only effective way to ensure that the originator or servicer is protected is to manage its risk. That is the basis for the formation of our firm so many years ago. Lenders Compliance Group®, which has grown to a national mortgage risk management firm over the years, has never lost its original mission to not only provide comprehensive risk management to mortgage industry participants but also offer ways and means to help build a Culture of Compliance for our clients.

Every loan originator and mortgage servicer should be a consumer advocate. Consumers will flock to the companies that present the very best standards of ethics and reliability. If any originating or servicing entity waits for a regulatory agency to tell it what to do on behalf of consumer financial protection, it has already lost the right to expect the consumer’s loyalty.

Third-Party Relationships: Compliance Risk

Jonathan Foxx

Managing Director

Lenders Compliance Group

I am often asked if there are significant compliance risks involving third parties in mortgage banking. The answer is: without a doubt! In providing some insight, I will just mention three of the many types of third parties that pose such risks: mortgage brokers, mortgage lenders, and mortgage servicers.

Let’s be clear at the outset: managing third-party risk is critical for providers of consumer financial products and services. This is because financial institutions (“FI”) can be and often are themselves held liable for the practices of third parties acting on their behalf. Where there is contact with the public by third parties, directly or indirectly, on behalf of the FI the risk is substantively greater. From the point of view of technological factors, service providers may be integrated into an FI’s business operations. As such, this can lead to enforcement actions in which certain violations of consumer protection laws are alleged against the service provider and the FI itself!

It is the case that regulators have affirmed their intention to hold companies strictly liable for conduct of their agents. The legal principal invoked is usually the theory of “vicarious liability.” Just a few years ago, in October 2015, the Department of Housing and Urban Development (“HUD”) proposed rules to formally codify third-party liability standards under the Fair Housing Act, including strict vicarious liability for acts of an institution’s agents, as well as direct liability for negligently failing to correct and end discriminatory practices by those agents.[i]

Consider the risk posed by mortgage brokers. For many years, an area that has seen a lot of fair lending enforcement and class action litigation has been the wholesale mortgage lending industry. Since mortgage lenders close loans originated by independent mortgage brokers, regulators and private litigants have brought enforcement actions and lawsuits alleging that lenders have failed to monitor and control discretionary mortgage broker pricing and product selection practices. In these cases, it has been alleged, under the disparate impact theory, that the mortgage lenders have violated the Equal Credit Opportunity Act (ECOA) due to pricing disparities disfavoring racial and ethnic minorities.

In fact, since 2010 there have been several Department of Justice (DOJ) and Consumer Financial Protection Bureau (CFPB) enforcement actions, as well as lawsuits filed by cities, against wholesale mortgage lenders under this theory.[ii]

Most of the mortgage pricing fair lending enforcement actions to date have focused on conduct that predates April 2011, when regulations by the Federal Reserve on loan originator compensation first took effect. I have written extensively on the features of the loan originator compensation requirements that went into effect on April 6, 2011, if you are interested in reading more about these rules.[iii] The loan originator compensation regulations prohibit compensation to mortgage loan originators based on, among other things, discretionary loan pricing or product steering by a broker based on a financial incentive to a product not in the consumer’s interest.[iv]

Although these changes in the law have reduced pricing’s influence on fair lending risk, they have certainly not eliminated the risk entirely. For instance, in December 2015, the DOJ brought an enforcement action against Sage Bank in Massachusetts relating to disparities in revenue earned on retail mortgage loans to minority borrowers compared to that on mortgage loans to non-minority borrowers. What is notable about this action is that it was the first pricing discrimination enforcement action that focused on loans made after the loan originator compensation rules took effect in 2011. Obviously, it demonstrated that regulators are continuing to focus on mortgage pricing discrimination issues.

But fair lending is not the only compliance risk associated with wholesale lending. Other risks include Unfair, Deceptive, or Abusive Acts or Practices (referred to collectively, “UDAAP”) and related areas. In fact, the CFPB issued guidance on UDAAP in its Supervision and Examination Manual of October 2012.[v] With the benefit of time, litigation, guidance, and examinations, among other things, we can say that these risks arise because mortgage brokers play a key role in marketing, discussing product benefits and terms with applicants and guiding their product choices, providing disclosures, completing applications, and gathering documentation in support of the loan applications. It stands to prudent reasoning that, in addition to fair lending, oversight of an FI’s mortgage broker network is critical for mitigating UDAAP risk and managing other compliance requirements.

When we move from a consideration of risks associated with mortgage brokers to those posed by mortgage lenders the risk profile is neither better nor worse, but, as the saying goes, it is different. Much risk tends to congregate around fair lending in secondary market transactions. For instance, in the case Adkins v. Morgan Stanley, plaintiffs alleged that the policies and procedures of Morgan Stanley, which had purchased loans from subprime loan originator New Century Mortgage Company, had created a disparate impact on African-American borrowers. If as alleged, this would be a violation of the Fair Housing Act (FHA), ECOA, and state law.[vi] Although the court dismissed the ECOA claims as time-barred, it allowed the FHA claims to proceed, holding that plaintiffs’ allegations were sufficient to state a claim of disparate impact discrimination. In the ruling, the court stated that the FHA expressly applies to secondary market purchasing of mortgage loans. It further emphasized allegations relating to Morgan Stanley’s warehouse lending commitments, on-site due diligence of New Century loans, demand for loans with alleged “high-risk” features, and instructions to originate no-documentation loans when it appeared that the applicant could not afford the loan. In its conclusion, the court noted that the evidence was sufficient to support claims that Morgan Stanley’s policies “set the terms and conditions on which it would purchase loans from New Century” and that these terms and conditions had resulted in a disparate impact when they caused New Century to issue toxic loans to the plaintiffs.

In the case In re Johnson, a Chapter 13 debtor alleged that a loan originator had targeted minority borrowers for predatory loans, and that the purchasers and assignees “were involved in this enterprise of selling toxic loans and targeting vulnerable minorities” because the loans were originated with securitization as the ultimate goal.[vii] Although the court dismissed the complaints on the ground that the plaintiff had not alleged sufficient facts to support the claims, it did not summarily reject the proposition that a secondary market purchaser could be held liable under ECOA or the FHA.[viii]

My point is that fair lending scrutiny of not only mortgage lenders, but also their investors, will likely increase in the coming years as new Home Mortgage Disclosure Act (HMDA) reporting requirements, finalized in October 2015, will provide greater insight into the role of investors in the loan origination process.

CFPB's Compliance Bulletin and Policy Guidance 2016-02 - Service Providers: Questions and Answers

Jonathan Foxx

Managing Director

Lenders Compliance Group

On Wednesday, October 26, 2016, the CFPB issued updated guidance on service providers, based on its previous issuance of April 13, 2012, titled CFPB Bulletin 2012-03, Subject: Service Providers (“Bulletin”), that had been published in the Federal Register. The Bulletin is a statement of policy that articulates considerations relevant to the Bureau’s exercise of its supervisory and enforcement authority. This new issuance is published in the Federal Register and is titled Compliance Bulletin and Policy Guidance 2016-02, Service Providers (“Guidance”).

Click HERE for a copy of the Guidance and the Bulletin.

Essentially, this updated guidance provides additional clarifications regarding how supervised entities are to manage their risk management program for service providers. It is meant to clarify that “the depth and formality of the risk management program for service providers” may vary depending upon the service being performed (i.e., the service provider’s size, scope, complexity, importance and potential for consumer harm) and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations. 

Much of the guidance is a reiteration of the Bulletin, with a reminder that “while due diligence does not provide a shield against liability for actions by the service provider, it could help reduce the risk that the service provider will commit violations for which the supervised bank or nonbank may be liable.” This reiterating of the Bulletin seems to have been made necessary because, although other CFPB Bulletins were published in the Federal Register, it appears that the Bureau did not previously publish Bulletin 2012-03 when it was issued.

I have said all along how important it is to work with an outsource due diligence company, if a financial institution is not going to adequately equip and staff an in-house evaluation function, which means ensuring the presence of competent risk management professionals and the required research tools. This is why we established VendorsCompliance Group as the an outsource evaluator that would be far more than a compilation service. 

These compilation services that hold themselves out as evaluators for vendor management purposes are just putting together and providing a compilation rating. That is simply insufficient, viewed from the standpoint of effective due diligence. Vendors Compliance Group does not merely compile information and documentation, which is only a first step, but also it actually evaluates and risk rates service providers by means of hands-on reviews conducted by risk management professionals using state of the art research methodologies. The evaluator actually is often personally in contact with the bank or nonbank to ensure that there is a strong and steady flow of transaction information. 

When Vendors Compliance Group risk rates a service provider, the supervised bank or nonbank can be sure that it is a rigorously derived, vendor compliance risk rating, provided by a due diligence methodology which stands up to regulatory scrutiny.

Let’s review some basics, as set forth in the Guidance. 

I am going to frame this outline in the form of Questions and Answers for the sake of ensuring a broad understanding of the Bureau’s expectations with respect to service provider evaluations. I will use the Guidance as the source document.

Q: Why is a service provider evaluation necessary?

A: The Bureau expects supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm. 

Q: What is the governing statute for the definition of a Federal consumer financial law?

A: Section 1002(14) of the Dodd- Frank Act (12 U.S.C. 5481(14)).

Q: What institutions are expected to evaluate their service providers?

A: Supervised banks and nonbanks, as follows:

• Large insured depository institutions, large insured credit unions, and their affiliates (12 U.S.C. 5515); and
• Certain non-depository consumer financial services companies (12 U.S.C. 5514). 

Q: What service providers are expected to be evaluated?

A: The following supervised entities are to be evaluated:

• Service providers to supervised banks and nonbanks (12 U.S.C. 5515, 5514); and
• Service providers to a substantial number of small insured depository institutions or small insured credit unions (12 U.S.C. 5516).

Q: Specifically, how is the term “service provider” defined by the Bureau?

A: “Service provider” is generally defined in Section 1002(26) of the Dodd-Frank Act as ‘‘any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service.’’ (12 U.S.C. 5481(26)) A service provider may or may not be affiliated with the person to which it provides services.