Wednesday, February 26, 2014

Creating a Culture of Compliance

Everywhere we turn, there is compliance, compliance,
and more compliance required across the board.
Donald J. Frommeyer, CRMS
President of NAMB

The ancient Greek philosophers knew the fundamental distinction between theory and practice. For them “theory” (or theoria) differed from “practice” (or praxis) in that the former meant examining things and the latter meant doing things! In other words, theory was a sort of spectators’ sport, while practice was playing the sport itself. Advanced mathematics is somewhat similar: there is pure (or theoretical) mathematics and then there is applied mathematics. Some theories remain theories forever, and others are extrapolated into practice. So, as it happens, some cogent theories simply do not need to have applied applications to be cohesive theories. Practical applications, however, must be experimentally valid all of the time.

The requirements of implementing a theory can be daunting, especially when the consequences of its practical applications are not sufficiently understood. To put a fine point on this observation: what may seem perfectly acceptable in theory can be entirely unacceptable in practice. Thus, some things are possible theoretically and other things are not possible practically. In compliance, I have learned to approach the notion of something being ‘theoretically possible’ with extreme caution!

So, given the challenges of regulations (theories) and compliance requirements (practices), (1) how should a financial institution accomplish evaluations of its loan origination risks and, most importantly, (2) how to go about embedding such assessments into a culture of compliance? In this article, I am going to provide ways and means by which the management of a financial institution will be able to create a culture of compliance that serves as the foundation upon which to manage risk associated with mortgage loan originations. I will provide an extensive set of questions, the answers to which should call forth the ways and means to establish compliance solutions.*

If you have ten thousand regulations,
you destroy all respect for the law.

Winston Churchill

So, how to create a culture of compliance?

Begin at the beginning!

When was the last time that a risk assessment was performed to identify all the loan products, which departments were affected in originating them, and what staff are responsible to effectuate the origination? That is where to begin. Residential mortgage lenders and originators may offer some, or all, of the loan products subject to the Ability-to-Repay (ATR) and Qualified Mortgage (QM) rule promulgated by the Consumer Financial Protection Bureau (Bureau). But originating those loan products starts with identifying the loan flow process itself.

Furthermore, any new origination requirements will affect a number of parts of business systems and processes. For instance, a very short list of affected areas are the forms and processes used to communicate internally and externally that are subject to verification requirements; systems and processes used to underwrite loans must be considered; secondary marketing and servicing processes and systems need risk evaluation metrics, especially with respect to ATR provisions related to the refinancing of non-standard loans into a standard loans.

Specifically, are the various integrated processes and procedures set up to identify loans on the transaction systems with their definitional status under such regulations as the ATR and QM rule, which may involve creating new data element(s) within those very processing systems? Likewise, if the loan is a QM, is a formal consideration undertaken to determine levels of liability exposure and liability protection that a loan is receiving as it moves through the origination process?

To insure peace of mind
ignore the rules and regulations.
George Ade

The American humorist, George Ade, may have found a way to peace of mind by ignoring rules and regulations. Perhaps he intuitively knew something about the stress involved in originating residential mortgage loans! If you have problems with rules and regulations, I suggest you choose another line of work, for happiness will forever elude you.

Consider this: the ATR and QM rule is just one component of the Bureau’s Dodd-Frank Act Title XIV rulemakings! Here are a few other rules that are now the law of the land:

  • 2013 HOEPA Rule
  • ECOA Valuations Rule
  • TILA Higher-Priced Mortgage Loans Appraisal Rule
  • Loan Originator Rule
  • RESPA and TILA Mortgage Servicing Rules
  • TILA Higher-Priced Mortgage Loans Escrow Rule

Some of these rules are directly and indirectly intersected, interlocked, overlapped, interfaced, and cross-tabulated; they are correlated, tabularized and re-tabularized, re-ordered, enumerated and re-enumerated, re-codified, and, generally, comprehensively systematized.[ii] Each of these rules affects one or more aspects of the loan origination process, organizational structure, and risk exposure. So maybe the great American humorist was on to something!

Nevertheless, if we are going to play, we will have to play within the rules. This means not only considering the compliance implications internally but also the interaction between the financial institution and third-parties upon which the institution relies for verifications, credit and other borrower information, disclosures, underwriting software, compliance and quality-control systems and processes, records management. Notwithstanding the foregoing third-parties, also to be considered are software providers, various vendors, and business partners. Training may also be necessary for these service providers and agents!

All the starting-point reviews in the world will lead to little or no action throughout an organization where certain training needs are not being met. Therefore, from the outset, it is critical to consider what training will be necessary for loan officers, secondary marketing, processing, compliance, and quality control personnel. Any staff involved at critical junctures in the loan flow process should receive training, certainly anyone who approves, processes, or monitors credit transactions.

For the remainder of this article, I will outline the key questions that should be asked, the answers to which will determine the extent, depth, and integrity of a culture of compliance. I am going to take you through a set of questions that will form the basis of a self-assessment. This type of internal review should be undertaken in order to set a baseline and determine progress towards compliance with mortgage acts and practices, and certainly the new mortgage rules.[iii] During any such evaluation, keep in mind that this is a due diligence process which is subject to an institution’s size, products offered, risk mitigation, complexity, and overall strength of the existing compliance management system.

Regulations grow at the same rate as weeds.  
Norman Ralph Augustine[iv]

The Implementation Plan

1. Evaluate the current products or services you offer to consumers to determine applicability:
  • Do you offer mortgage loans to consumers?
  • Do you offer any of the following mortgage products:
    • Home equity lines of credit secured by a dwelling (i.e., HELOCs)?
    • Mortgages that qualify as higher-priced mortgages?[v]
    • Mortgages that qualify as high-cost mortgages?[vi]
    • Loans that are intended to meet the criteria for Qualified Mortgages?[vii]
    • Second mortgages?[viii]
  • Do you service mortgage loans or own servicing rights?
  • Do you own mortgage notes that you have sold servicing rights to?

2. Based on the products you offer to consumers, determine which regulatory amendments impact your current products.
  • What are the requirements that apply for each of your products?
  • Do you qualify for any exemptions?[ix]
  • Have you discussed which rules apply and any potential exemptions with your compliance counsel or risk management firm, as applicable, or regulator?
3. Have you developed an implementation plan?
  • Have you performed gap analysis to determine what business, operational, and automated transaction processes need to change as a result of the new rules?
  • Has the plan been approved by senior management and the board, if applicable, or similar oversight functions, as appropriate?
  • Has the plan been developed in consultation with or reviewed by key stakeholders, such as legal, compliance, and information technology?
  • Does it contain key milestones, dates for completion of required steps for compliance, and progress reports?
    • How are you tracking progress?
    • Who reviews progress reports?
  • Does the plan include an audit review?
    • Have testing procedures been defined?
    • How are results and progress tracked?
  • Does the plan identify the responsible parties for developing the plan, ensuring adherence to the plan, and future compliance?
    • Is progress reported to senior management or the board (or similar oversight functions), as applicable?
    • Is your plan on schedule?
      • If not, has the deviation from schedule been approved by the board, or similar oversight function, or senior management, as appropriate, and discussed with regulators?
    • Are all aspects of your plan scheduled to be completed prior to the rule effective dates?
  • Have you discussed your implementation plan with your regulators, compliance counsel or a compliance professional, as applicable?
    • Have discussions with regulators resulted in any changes to your implementation plan?
    • Do you have contracts with any third parties related to mortgage activities?
    • If so, have you discussed and evaluated their implementation plan?
    • Do you have a back-up plan should the vendor not fully implement the necessary changes prior to the effective dates?
The problem is that agencies sometimes lose sight of
common sense as they create regulations.

Fred Thompson[x]

Policies and Procedures

1. Do your policies and procedures at least reflect the appropriate provisions in these rules?[xi]
Ability-to-Repay and Qualified Mortgage Standards[xii]
To the extent you seek to preserve your ability to make loans that are not Qualified Mortgages, do your policies and procedures address the key components of the ability-to-repay provisions, including:
  • Obtaining and verifying certain financial information related to the consumer(s)?
  • Ensuring that borrowers have sufficient assets or income to pay back the mortgage?
  • For adjustable-rate mortgages, that the monthly payment is calculated using either a fully indexed rate or an introductory rate, whichever is higher?
  • Any exemptions that apply and a full description of when the exemptions apply and conditions for exemptions (e.g., for a customer trying to refinance certain risky loans only after specific conditions are met)?
Qualified Mortgages
Do your policies and procedures address the key components of the qualified mortgage provisions, including:
  • Documenting, where applicable, that loans were eligible for purchase by Fannie Mae or Freddie Mac or insurable by FHA?
  • Restrictions on charging points and fees and prohibition of certain risky loan features (as applicable)?
  • Limits on debt to income ratios (as applicable)?
  • Full descriptions of qualifications for any qualified mortgage provisions (e.g., if the loan is made by a smaller creditor in rural or underserved areas)?
Escrow Requirements under TILA[xiii]
Do your policies and procedures address the key components of the higher-priced mortgage loan escrow provisions, including:
  • Requirements to establish and maintain escrow accounts for at least five years after consummating a higher-priced mortgage loan?
  • If you qualify for any exemptions and a full description why, for instance, if you are a smaller creditor operating predominantly in rural or underserved areas and meet the other elements of that exemption?
  • If you are eligible for the smaller creditor exemption above but you nevertheless intend to continue to offer escrow accounts on loans covered by the rule for which applications are accepted after June 1, 2013 (which will mean you will forgo the exemption unless you offer escrow accounts for distressed borrowers only)?
  • Limited exemptions for “common interest communities?”
High-Cost Mortgage and Homeownership Counseling[xiv]
Do your policies and procedures address the key components of the High- Cost Mortgage provisions, including:
  • Identifying High-Cost mortgages under the revised HOEPA coverage tests?
    • Determining the applicable average prime offer rate.
    • Determining points and fees thresholds.
    • Determining prepayment penalty triggers.
    • Imposing limitations and restrictions on certain loan terms for HOEPA loans?
  • Do your policies and procedures address the key components of the Homeownership Counseling provisions, including:
    • Identifying when Homeownership Counseling is required?
    • When required, providing a list of homeownership counseling organizations to applicants within three business days after they apply for a federally-related mortgage loan?
    • Receiving confirmation that required borrowers have received the appropriate counseling before making a loan that provides for or permits negative amortization to the borrower?
Mortgage Servicing Rules[xv]
Do your policies and procedures address the key components of the Mortgage Servicing provisions, including:
  • Periodic billing statements
    • Interest-rate adjustment notices for ARMs
    • Prompt payment crediting and payoff statements
    • Force-placed insurance
    • Error resolution and information requests
  • General servicing policies, procedures, and requirements
    • Assessing and providing timely and accurate information
    • Properly evaluating loss mitigation applications
    • Facilitating oversight of, and compliance by, service providers
    • Facilitating transfer of information during servicing transfers
    • Informing borrowers of the written error resolution and information request procedures
  • Early intervention with delinquent borrowers
    • Continuity of contact with delinquent borrowers
    • Loss mitigation procedures
Valuations for First Lien Loans Secured by a Dwelling[xvi]
Do your policies and procedures address the key components of the ECOA Valuations provisions, including:
  • Notifying applicants of their right to receive copies of all valuations and appraisals developed, along with other information required in the notice?
  • Providing applicants a copy of each appraisal and other written valuation “promptly upon their completion” or three business days prior to consummation (for closed-end credit) or account opening (for open-end credit), whichever is earlier?
  • That fees cannot be charged in connection with providing a copy of the appraisal or valuation?
Appraisals for Higher-Priced Mortgage Loans[xvii]
Do your policies and procedures address the key components of the higher-priced mortgage loan appraisal provisions, including:
  • For all higher-priced mortgage loans that are not eligible for at least one of the several exemptions from the rule:
    • notifying applicants of their right to receive copies of all valuations and appraisals developed, along with other information required in the notice?
    • obtaining a written appraisal (including a physical visit of the interior of the property) performed by a certified or licensed appraiser?
    • obtaining an additional written appraisal (including a physical visit of the interior of the property), at no cost to the borrower, in connection with certain “flipped” properties?
    • consumer receiving a free copy of all written appraisals for the transaction at least three business days before consummation?
Loan Originator Compensation Requirements[xviii]
Do your policies and procedures address the key components of the Loan Originator Compensation provisions, including:
  • Requirements that a loan originator’s compensation cannot be based on any of the transaction’s terms?[xix]
  • Assuring that a loan originator that receives compensation directly from a consumer cannot receive compensation from another person in connection with the same transaction?
  • Requirements that your individual loan originators are licensed or registered as applicable under the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) and other applicable laws?
  • Requirements that your loan originators provide their name and unique identifier under the Nationwide Mortgage Licensing System and Registry on loan documents?
  • Requirements for maintaining records concerning loan originator compensation for at least three years?
Mandatory Arbitration and Financed Single-Premium Insurance
Do your policies and procedures address provisions that:
  • Prohibit contracts or agreements from requiring consumers to submit disputes concerning a residential mortgage loan or home equity line of credit to arbitration and prohibit applying or interpreting such contracts or agreements to waive federal statutory causes of action?
  • Prohibit financing of any premiums or fees for credit insurance or debt cancellation or suspension in connection with a consumer credit transaction secured by a dwelling?[xx]
2. Do your policies contain all the relevant disclosures required by the new rules?
  • Do you use model disclosure forms and language contained in the regulatory guidance?
    • If not, are your disclosures clearly written in a way that consumers are likely to understand?
    • Are the disclosures presented in a way that is likely to call the consumer’s attention to the nature and significance of the information in the notice?
  • Have disclosures been reviewed by compliance and audit?
3. Have the policies been reviewed by the board (or similar oversight functions) and senior management as appropriate, the compliance officer, risk management firm, or legal counsel?
  • Were any concerns identified at this level?
  • If yes, have they been resolved?
4. Do the policies reflect your actual practices?
  • Do you have testing planned to confirm this?
5. What processes do you have in place to ensure that policies are kept current and account for all changes in the regulatory environment?
  • Who is responsible for maintaining content?
6. Describe the steps you will take to ensure that new product development considers new regulatory rules and associated risks.
  • Is the compliance function represented in the new product development process?
7. Do your policies and procedures vary materially regionally, by delivery method, or by legal entity?
  • If practices vary:
    • Is testing done for each segment?
    • Are all policies individually approved?
    • What controls are in place to ensure that regulatory updates are accounted for in all policies?
8. Have automated tools been updated to reflect your new policies and procedures?
  • Have they been tested to confirm accuracy?
9. Have you updated your risk assessment to reflect the regulatory changes?
  • Do your policies and procedures define a process for ongoing updates to the risk assessment to account for regulatory changes?
Confidence comes from discipline and training.  
Robert Kiyosaki[xxi]


Training is a critical component of self-assessment and, indeed, it is a pivotal part of a compliance management system. Policies statements are guide posts, but, inevitably, the employees of a financial institution must know the many requirements related to the company’s regulatory compliance commitments. Consider this list a de minimis set of questions!
1. Have you determined what training needs to be developed?
2. Have you determined who needs training?
3. Have you considered the following questions in developing training:
  • What information will be covered in the new training?
  • What will the format be for training? (Instructor-led, online, et cetera.)
  • How will training vary based on job duties?
  • How do you document completed training?
  • What are the consequences for employees not completing training by the assigned deadline?
  • Have the changes to the training program been fully integrated into your full training program and ongoing schedule?
4. How will you roll out the changes to your training program?
  • When will training be completed?
  • Do training timelines allow for enough time for staff to fully understand rule requirements prior to the effective dates?
  • Have you done any testing of training program changes?
5. Who is responsible for developing course content?
  • Did you purchase content from an outside vendor?
  • How is senior management involved in developing and approving course content?
  • How did you determine that course content is adequate?
  • What is the process for identifying the need for additional changes?
6. Have you determined what training will be needed to address operational changes?
  • What areas are impacted by the changes?
Life is the continuous adjustment of
internal relations to external relations.

Herbert Spencer[xxii]

Audit, Compliance Review, Internal Control

The following questions tease out certain factors that are central to a compliance management system with respect to auditing and internal control functions. Ideally, these factors include the nature and extent of present compliance with Federal consumer financial law, the commitment of management to compliance and its ability and willingness to take the necessary steps to ensure compliance, and the adequacy of systems, including internal procedures, controls, and audit activities designed to ensure compliance on a routine and consistent basis.

1. Did audit and compliance review play a role in developing and implementing your new procedures for complying with the new mortgage rules?
  • If so, did they make any suggestions for process improvement?
  • Are any action items outstanding?
  • How are they being tracked?
  • Will enhancements be made prior to the rule effective dates?
2. Have audit/compliance review/internal control procedures been updated to reflect the regulatory changes?
  • Have the updated procedures been tested?
  • Has the updated audit/compliance/internal control program been approved by the board (or similar oversight function) and senior management, as appropriate?
  • Have you conducted a pre-exam review to determine the level of compliance?
Complainers change their complaints,
but they never reduce the amount of time spent in complaining.
Mason Cooley[xxiii]


1. What training will the associates that process consumer complaints receive regarding the changes to the mortgage rules?
  • Will all training be completed prior to the effective dates of the new rules?
2. Are complaints processed centrally or by individual business lines?
  • If by line of business, how will complaints training vary?
3. Is complaint data analyzed to identify training needs and process breakdowns?
4. How are complaints handled when regulatory violations are noted?
  • Are violations tracked?
  • Is root cause analysis done when violations are noted?
It is not enough to have great qualities;
We should also have the management of them.
Francois de La Rochefoucauld[xxiv]

Third Party and Vendor Management

1. What arrangements, agreements, or contracts exist with vendors and third parties related to mortgage products or servicing?
  • Do you have changes planned for third party practices as a result of the new rules?
  • Will your third party service providers deliver compliant application technology releases and/or fully tested process updates in time for the effective dates?
2. What changes have been made or need to be made to the above arrangements, agreements, or contracts to ensure that service providers comply with new regulations and all legal obligations?

3. Do you review complaints regarding vendor activity for compliance and process concerns?
  • How frequently do you receive this complaint data?
4. Do you receive and review training procedures for third parties related to regulatory requirements?

5. Will you provide training for any third party service providers?

From the end spring new beginnings.
Pliny the Elder[xxv]

Pliny the Elder saw the eruption of Mount Vesuvius, on August 24, 79 CE, during which Pliny the Elder, his uncle, died. Pliny started writing at the age of 14, and was particularly drawn to writing in the style of Greek tragedy. In the course of his life he wrote a quantity of poetry, most of which was lost despite the great affection he had for it. Also known as a notable orator, he professed himself a follower of Cicero, but his prose was certainly more eloquent and less direct than Cicero's, who was a well-respected philosopher, politician, lawyer, orator, political theorist, consul and constitutionalist. Pliny understood that it is possible to build anew, even in the face of substantial challenges, and even if the difficulties seem insurmountable! The dried-up soil of the past become the green plains of the future.

The Bureau expects institutions to comply with all relevant provisions by the effective date of each rule. Policies and procedures should be updated to ensure that employees fully understand the changes prior to the effective dates. Indeed, the Bureau expects to assess policies and procedures in a timely fashion. It will implement robust transaction testing. You should be prepared to discuss your implementation plan and policy changes. Remember: the Bureau, in carrying out its mandate,[xxvi] will coordinate with other regulators, and those regulators, state and federal, will communicate examination plans and findings with each other. When appropriate, the regulators will coordinate examination efforts.

In my view, there are two ways to meet a challenge: (1) be pulled along by it or (2) get in front of it and stop its unfolding! The Bureau has set forth its challenges. Its theories and our practiced responses can bring about greater consumer financial protection. We can meet this new challenge, now rising from the ways of the past. We can find beginnings that bring stability to market participants, both consumers and residential mortgage loan originators.

*Jonathan Foxx is the President & Managing Director of Lenders Compliance Group
Published in: National Mortgage Professional Magazine – February 2014

[i] Statement of Donald J. Frommeyer, CRMS, President of NAMB – The Association of Mortgage Professionals, “Compliance, Compliance, and More Compliance,” Monday Morning Messenger, February 10, 2014
[ii] These rules may be viewed at
[iii] To discuss some facets of these due diligence considerations, I will draw on the 2013 CFPB Dodd-Frank Mortgage Rules Readiness Guide, Version 1.1, July 2013, especially “Part II – Readiness Questionnaire”
[iv] Chairman of the Review of United States Human Space Flight Plans Committee
[v] Regulation Z 1026.35
[vi] Regulation Z 1026.32
[vii] Regulation Z 1026.43
[viii] See the requirements of 1026.32 or 1026.35 of Regulation Z
[ix] Refer to the Bureau’s Small Entity Compliance Guides or the rules themselves for additional information on exemptions.
[x] American politician, actor, attorney, lobbyist, columnist, and radio host
[xi] This outline of questions is not meant to be nor is it comprehensive of all questions and due diligence requirements for any given financial institution. Each institution must be evaluated as comprehensively as possible.
[xii] Regulation Z 1026.43
[xiii] Regulation Z 1026.35
[xiv] Regulation Z 1026.32 and Regulation X 1024.20
[xv] Regulation Z 1026 and Regulation X 1024
[xvi] Regulation B 1002
[xvii] Regulation Z 1026.35
[xviii] Regulation Z 1026.36
[xix] The Bureau has issued a complete exemption to the prohibition on loan originators receiving origination fees or charges from someone other than the consumer where the consumer pays upfront points and fees pursuant to its exemption authority while it scrutinizes several crucial issues relating to the design, operation, and possible effects in a mortgage market undergoing regulatory overhaul of such a restriction.
[xx] Credit insurance can be paid on a monthly basis and some unemployment insurance is excluded.
[xxi] American investor, businessman, self-help author, motivational speaker, financial literacy activist, and financial commentator.
[xxii] English philosopher, biologist, anthropologist, sociologist
[xxiii] American aphorist known for his witty aphorisms
[xxiv] French author of maxims and memoirs
[xxv] Lawyer, author, and magistrate of Ancient Rome
[xxvi] As set forth in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Public Law 111–203, H.R. 4173)