Now that 2017 has ended, many lenders are breathing a strong sigh of relief. In the past few years regulatory and compliance directives from Washington have fueled increased loan costs, spurred the development of new compliance-related industries, and have caused audits to evolve from rather tame file reviews to multiple week om-site visits by well-trained auditors out on a mission. In a few words, the industry was forced from a sale-driven business model to a compliance driven model really fast. So with TRID implemented everyone can take a well-deserved break right? Well, no actually because more is coming.
But before we look ahead, it is useful to take a quick look backwards and see how far we have come since last January.
Last year, fears of Consumer Financial Protection Bureau (CFPB) audits created a cottage industry of compliance consultants. Mock CFPB audits at a cost of $10,000-$50,000 became commonplace as lenders sought a heads-up on internal policy and procedure adjustments to ensure a potential audit might be less painful. Lenders must have either on-staff legal and compliance experts or, at a hefty cost, outsource the responsibility to a qualified third party professional.
Vendor management came of age as lenders and vendors both realized that the CFPB was serious when it enacted Bulletin 20I2-3 requiring risk evaluation, monitoring and reporting of third party service providers as a measure of consumer protection. Whether lenders are trying to manage this risk themselves or outsourcing the evaluation and monitoring to others, it is safe to say that doing business with a bank is now considered a privilege and not a right.
Section 8 kick-back penalty threats caused many folks to divest themselves of affiliated title, appraisal and settlement service business, and others swiftly exited real estate joint marketing arrangements. Wells Fargo and Prospect Mortgage were the first to publicly announce their exit, in July 2015, but soon others followed. Those who remain are faced with significant ambiguities regarding a compliant manner to engage in mutually beneficial marketing arrangements with companies seen by regulators as possible RESPA violation targets.
Managing consumer non-public private information under data privacy rules added additional burdens, and fears, for lenders nationwide. Controlling who has access to such information both internally and externally has proven to be a major task. Many lenders have adopted confidential email delivery rules and have stepped up evaluation of their technology platforms and data process flow procedures. In addition, several hacking scams rocked the industry when lenders and settlement agents were unwittingly duped into wiring funds to criminals after email addresses were hacked, duplicated and misused. Once again Wells Fargo took the lead, issuing a fraud alert bulletin to their industry partners after noticing scammers trying to intercept their mortgage wires through the use of these fake email addresses.
Perhaps no new regulatory scheme in recent memory created as much anxiety, anger, confusion, comedy memes and general anticipation as TRID: the TILA, RESPA Integrated Disclosure Rule. Designed to reduce paperwork, increase transparency, and slow down the closing process a bit to provide consumers with more time to study and understand loan costs, the implementation was delayed from August to October and has so far failed to trigger the Apocalypse.
As the year unfolds the CFPB has given a hint at where it is focused, beyond supervision and audits. Discriminatory lending practices appear to be of paramount concern, and data privacy and integrity another.
In October 2015 the CFPB finalized a rule requiring all lenders to collect more data from borrowers and thereby provide more details to analyze and uncover potential discriminatory pending practices and patterns. Regulators have always been concerned about discrimination in lending, particularly practices that may not be designed to discriminate but rather have unintended discriminatory consequences freezing out homeownership opportunities for minorities and other protected classes. The big issue for lenders is that if you must report it, then you must track the data and evaluate your own information so that you can take steps to correct illegal practices. Many lenders view HMDA reporting as a nuisance and rarely consider that the information they are certifying might come back to bite them.
These changes to HMDA reporting requirements should be a warning to lenders that they can expect the nature and practice of whom they lend to and whom they decline will be under heightened scrutiny. The CFPB seems laser focused on rooting-out any practices that by design or consequence limit lending efforts and home-buying opportunities in under-served communities. Expect new rules, aggressive audit questions, and fines and penalties where disparate treatment and disparate impact in discriminatory lending practices are uncovered.
As for data privacy and integrity, the industry began to look more closely at this last year but this year will see even more pressure to get things right.
When one considers the breadth of personal information provided to lenders, stored onsite, exposed to employees and third parties, the responsibility to manage this effectively seems quite daunting. The typical loan application eventually contains a borrower’s name, home address, place of business, social security number, date of birth, phone numbers, income, bank accounts, personal and real property, and family relationships. Credit reports contained within a loan file provide even more non-public, private financial data.
The concern is that there is no such thing as a foolproof data security system and that all systems are ultimately vulnerable to breach by determined criminals. Recall what happened to corporate giants like Target, Home Depot, Ebay, JP Morgan and Anthem. What does this mean for regional and mid-sized lenders, let alone small broker shops, who now must demonstrate they have developed, implemented and monitor internal data privacy and data integrity policies? It means that anyone and everyone with access to consumer NPPI must make a commitment to adopting the most stringent policies relevant to the size and scope of their business, while also considering purchasing crimes and cyber liability insurance to off-load risk in the event of unexpected and unintended breaches.
Making sure all borrower data is private and being used properly can be a near-impossible task that involves multiple layers of security. Fortunately, with the right people, process and technology, lenders may support their data security policies through continual monitoring and visibility into every access point and with insurance back-up.
These past few years have been watershed moments for many mortgage lenders. Hard decisions have had to be made about whether one can still be profitable in an industry of increasing regulatory complexity, scrutiny, costs and penalties. Some have closed the doors, while others have consolidated, finding strength in numbers. Many more are viewing the current environment as a golden opportunity. These lenders see regulation as inevitable and therefore instead of complaining about it, have embraced it. While the short-term costs may be heavy, they are betting that the long-term benefits will bear rich fruit.
While 2018 may not bring much relief from regulatory pressures, hopefully we are all getting used to the idea that a successful business today requires serious attention to risk management, quality control and consumer protection. If we forget however, you can be sure that there are plenty of state and federal regulators poised to remind us.