Why Haven’t Loan Officers Been Told These Facts?
Significant Sections of the Amended FTC Safeguards Rule Implementation Deadline Drawing Near, Mandatory Deadline December 9, 2022
Mortgage lenders, including mortgage brokers, need to heed the Amended FTC Safeguards Rule. The compliance deadline is fast approaching.
Good news and bad news for third-party originators. Certain sections of the Amended Safeguards Rule do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers. A customer under the Rule, as related to mortgage origination, excludes those consumers for which the Financial Institution does not retain servicing rights. Consequently, for third-party originators, generally, the funded loans do not count towards the five thousand consumer threshold.
However, pre-approvals and possibly pre-qualifications or other broker services count towards the limit. Furthermore, agreements or arrangements with the consumer regarding future services could establish a continuing relationship under the Rule.
A consumer under the Rule is defined as follows:
16 CFR 314.2(b)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.”
16 CFR 314.2(e)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
16 CFR 314.2(e)(2)(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
16 CFR 314.2(e)(2)(i)(E) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan
As such, technically, most mortgage companies and brokers are probably not subject to sections 314.4 (b)(1), (d)(2), (h), and (i). Yet, all other sections of the Rule apply – even to Mom and Pop brokers.
However, in typical government fashion, the Rule needs some help. For example, compliance with 314.4(e) (appropriate training) and other Rule requirements (314.4(c,f,g)) necessitates risk assessment on some level. Therefore, ignoring the reasonable risk management practices specified in 314.4(b)1 cannot comply with the Regulation.
16 CFR 314.4(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:
(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;
Amended Safeguards Rule Provides Several Exclusions for most Brokers and Correspondents
16 CFR § 314.6 Exceptions.
(See the previous comment) 314.4 (b)(1) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks.
314.4 (d)(2) For information systems, the monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments.
314.4 (h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your control.
314.4 (i) Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program.
What is a Customer under the Rule?
Section 314.4(b)(1), (d)(2), (h), and (i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.
16 CFR 314.2(c) Customer means a consumer who has a customer relationship with you.
16 CFR 314.2(d) Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
16 CFR 314.2(e) (1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
16 CFR 314.2(e)(2)(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if you sell the consumer’s loan and do not retain the rights to service that loan;
About the Changes to the Safeguards Rule
From the Federal Register
The “financial institutions” subject to the Commission’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, those entities include, but are not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.
The amended Safeguards Rule modifies the current Rule in five primary ways.
First, the Final Rule amends the current Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule. For example, while the current Rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the Final Rule sets forth specific criteria for what the risk assessment must include, and requires the risk assessment be set forth in writing.
As to particular safeguards, the Final Rule requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.
And while the Final Rule retains the requirement from the current Rule that financial institutions provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Although the Final Rule has more specific requirements than the current Rule, it still provides financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.
Second, the Final Rule adds requirements designed to improve accountability of financial institutions’ information security programs. For example, while the current Rule allows a financial institution to designate one or more employees to be responsible for the information security program, the Final Rule requires the designation of a single Qualified Individual. The Final Rule also requires periodic reports to boards of directors or governing bodies, which will provide senior management with better awareness of their financial institutions’ information security programs, making it more likely the programs will receive the required resources and be able to protect consumer information.
Third, recognizing the impact of the additional requirements on small businesses, the Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.
Fourth, the Final Rule expands the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be incidental to financial activities. This change brings “finders”—companies that bring together buyers and sellers of a product or service—within the scope of the Rule. Finders often collect and maintain very sensitive consumer financial information, and this change will require them to comply with the Safeguards Rule’s requirements to protect that information. This change will also bring the Rule into harmony with other Federal agencies’ Safeguards Rules, which include activities incidental to financial activities in their definition of financial institution.
Finally, the Final Rule includes several definitions and related examples, including of “financial institution,” in the Rule itself rather than incorporate them from a related FTC rule, the Privacy of Consumer Financial Information Rule, 16 CFR part 313. This will make the rule more self-contained and will allow readers to understand its requirements without referencing the Privacy Rule.
Section 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), (h), and (i) are effective as of December 9, 2022.
Confused? Stay tuned. Next week the Journal provides help from the FTC small entity compliance guide.
BEHIND THE SCENES
2022 FINCEN Advisory On Elder Abuse
Elder Financial Exploitation (EFE)
As part of a financial institution’s BSA/AML implementation, MLOs are responsible for escalating suspicious activity encountered during the loan manufacture. MLOs often have a unique vantage of the applicant’s finances, including credit activity, banking, and investments. This view of an applicant’s finances may uniquely situate the MLO to detect signs of elder abuse.
Should an MLO suspect an elderly customer is being manipulated or abused, swift action may be in order.
From FINCEN
Behavioral Red Flags
Victims of EFE may have limited and irregular contact with others. For some, their only outside contact may involve visiting or communicating with their local financial institution, including at the bank branch, check-cashing counter, or money services businesses (MSBs).
Therefore, it is critical for customer-facing staff to identify and consider the behavioral red flags when conducting transactions involving their older customers, particularly suspicious behavior that also involves the financial red flags highlighted below.
Such information should be incorporated into SAR filings and reported to law enforcement as appropriate. Financial institutions are reminded that behavioral red flags of EFE and the names of staff who witnessed them should be included in the SAR narrative to assist future law enforcement investigations.
Behavioral Red Flags of Elder Financial Exploitation (EFE) may include:
- An older customer’s account shows sudden and unusual changes in contact information or new connections to emails, phone numbers, or accounts that may originate overseas.
- An older customer with known physical, emotional, and cognitive impairment has unexplainable or unusual account activity.
- An older customer appears distressed, submissive, fearful, anxious to follow others’ directions related to their financial accounts, or unable to answer basic questions about account activity.
- An older customer mentions how an online friend or romantic partner is asking them to receive and forward money to one or more individuals on their behalf or open a bank account for a “business opportunity.”
- During a transaction, an older customer appears to be taking direction from someone with whom they are speaking on a cell phone, and the older customer seems nervous, leery, or unwilling to hang up.
- An older customer is agitated or frenzied about the need to send money immediately in the face of a purported emergency of a loved one, but the money would be sent to the account of a seemingly unconnected third-party business or individual.
- A caregiver or other individual shows excessive interest in the older customer’s finances or assets, does not allow the older customer to speak for himself or herself, or is reluctant to leave the older customer’s side during conversations.
- An older customer shows an unusual degree of fear or submissiveness toward a caregiver, or expresses a fear of eviction or nursing home placement if money is not given to a caretaker.
- The financial institution is unable to speak directly with the older customer, despite repeated attempts to contact him or her.
- A new caretaker, relative, or friend suddenly begins conducting financial transactions on behalf of an older customer without proper documentation.
- An older customer’s financial management changes suddenly, such as through a change of power of attorney, trust, or estate planning vehicles, to a different family member or a new individual, particularly if such changes appear to be done under undue influence, coercion, or forgery or the customer has diminished cognitive abilities and is unable to agree to or understand the consequences of the new arrangement.
- An older customer lacks knowledge about his or her financial status, or shows a sudden reluctance to discuss financial matters.
Financial Red Flags
Identification of financial red flags of EFE and the associated payments are critical to detecting, preventing, and reporting suspicious activity potentially indicative of EFE. In addition to the financial red flags set out in DOJ and CFPB notices, financial red flags of EFE may include:
- Dormant accounts with large balances begin to show constant withdrawals.
- An older customer purchases large numbers of gift cards or prepaid access cards.
- An older customer suddenly begins discussing and buying convertible virtual currency (CVC)/crypto currency.
- An older customer sends multiple checks or wire transfers with descriptors in the memo line such as “tech support services,” “winnings,” or “taxes.”
- Uncharacteristic, sudden, abnormally frequent, or significant withdrawals of cash or transfers of assets from an older customer’s account.
- An older customer receives and transfers money interstate or abroad to recipients with whom they have no in-person relationship, and the explanation seems suspicious or indicative of a scam or money mule scheme.
- Frequent large withdrawals, including daily maximum currency withdrawals from an ATM.
- Sudden or frequent non-sufficient fund activity.
- Uncharacteristic nonpayment for services, which may indicate a loss of funds or of access to funds.
- Debit transactions that are inconsistent for the older customer.
- Uncharacteristic attempts to wire large sums of money.
- Closing of CDs or accounts without regard to penalties.
In addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the DOJ’s National Elder Fraud Hotline at 833-FRAUD-11 or 833-372- 8311 for support, resources, and assistance with reporting suspected fraud to the appropriate government agencies.
Filers should immediately report any imminent threat or physical danger to their local FBI office or local law enforcement. FinCEN encourages filers to collaborate with other stakeholders in their communities to enhance responses and engage in professional training opportunities, community education prevention, and awareness activities and initiatives.
Filers can find whether there is an existing collaboration on elder fraud prevention and response in their area by contacting Adult Protective Services or their local Area Agency on Aging.
Get the advisory here:
https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2022-a002
Tip of the Week – Don’t Delay Meeting State CE Requirements
Not all states have the same CE deadlines. A few examples from the CSBS list of jurisdictions requiring individual MLO CE completion before December 31 are listed below. There are more.
What are the consequences for MLOs that fail to meet early CE requirements? That is up to the state. Generally, the individual failing to meet the CE timing requirements could be subject to fines. However, of more significant concern is that the non-compliant individual MLO could complicate their license renewal. Therefore, failure to clear fines or overcome license exceptions could increase the risk of license expiration.
For Example, Georgia
The deadline to complete CE is October 31. However, MLOs in Georgia are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time. Alert: GA may assess a $100 late fee outside of NMLS if CE is completed after October 31.
GA Rule 80-11-5-.04 (1) Renewals
Mortgage Loan Originator Licensure Requirements
Upon submitting an application to renew a license, failure to document to the Department’s satisfaction proof of completion of eight (8) continuing education hours by October 31 may subject the licensee to a fine. The failure to document proof of completion of these hours and to pay any assessed fine by December 31 shall result in the expiration of the mortgage loan originator’s license without notice or hearing.
A mortgage loan originator who fails to meet the requirement that he or she timely obtain the type and number of continuing education hours each year as required shall be fined one hundred dollars ($100).
A Few More Examples
The deadline to complete CE is November 30. However, MLOs in Kentucky are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time.
The deadline to complete CE is December 1. However, MLOs in Idaho are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time.
The deadline to complete CE is December 1. However, MLOs in Kansas are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time.
The deadline to complete CE is December 1. However, MLOs in Delaware are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time.
The deadline to complete both Federal and State CE is December 15. However, MLOs with Utah-DRE are prohibited from applying to renew their license if they have not completed CE. Since it may take as long as seven (7) days for a course provider to report a course completion into NMLS, MLOs are strongly encouraged not to wait until the last minute to try to complete CE or they may be prevented from submitting for renewal on time.
Go to the CSBS and find your state(s) requirements. See the list here: State CE and PE Requirements
2022 CE – Sneak Preview
2022 CE has begun!
LoanOfficerSchool.com is excited to provide a sneak peek into our 2022 CE offering. The LOSJ series on subprime financing and servicing underserved markets borrows heavily from the 2022 CE 2 Hour nontraditional mortgage product market segment.
We will cover key knowledge points necessary to implement a subprime program from soup to nuts. In addition, the course covers subprime underwriting requirements, how to prove that the subprime loan is in the consumer’s best interest, best efforts requirements, steering safe harbor, residual income calculation, recognizing loan risk, and the competencies necessary to shop your loan and get your customer the best price.
Dodd-Frank and the implementation of Regulation Z have had some negative and unintended consequences for American consumers. Coupled with the Fed’s monetary policies, runaway housing costs, and the management of the GSEs, we have an ugly housing storm brewing. As a result, the growing subprime industry may be well-situated to address the needs of many consumers falling into the remnants of the 2008 housing cracks.