DocuSign Breach a Strong Reminder for the Mortgage Industry to Manage Third-Party Service Provider Risks

On May 16, DocuSign confirmed that a data breach resulted in widespread malware phishing attacks targeting its customers. DocuSign provides electronic signature solutions for many companies in the mortgage banking industry that may have been victims of the phishing campaigns launched during the past week. Companies should move swiftly to protect themselves from the impact of the DocuSign breach as well as consider what next steps may be appropriate as part of any ongoing relationship with DocuSign.

As one of the most dominant players in providing mortgage technology solutions, the DocuSign name and brand have frequently been exploited in phishing emails; but this particular attack was able to target more than 100 million customer email addresses that had been hacked from what DocuSign characterizes as “a separate, non-core system.” These phishing emails appeared to be sent from DocuSign with the goal of tricking recipients into opening an attached Word document that, when clicked, installs malicious software. DocuSign recommends that its customers delete any emails with the following subject lines:

  • “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature”; or
  • “Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature”.

DocuSign has stated that its “core” systems, which contain all other customer files, remain secure, and that only email addresses were accessed. No names, physical addresses, passwords, Social Security numbers, or credit card information was accessed by the hackers. DocuSign has also purportedly put further security controls in place to protect against any future such hacks.

All companies that use DocuSign as a third-party service provider should be evaluating what additional steps should be taken in the wake of the breach. The Consumer Financial Protection Bureau (CFPB) has articulated clear expectations with regard to companies’ relationships with their third-party service providers. While the CFPB recognizes that the use of service providers like DocuSign is often an appropriate business decision for companies that may not have the in-house expertise with E-SIGN and other relevant laws and regulations, the CFPB will hold companies accountable for any consumer harms that may arise from the use of such service providers. Companies should consider:

  • Refreshing any employee training to recognize phishing emails that may be received following the DocuSign breach.
  • Reviewing any existing agreement with DocuSign to determine:
    • whether DocuSign is satisfying all of its breach-related obligations;
    • whether the company can audit DocuSign to confirm that the breach was isolated to just email addresses and what further security measures DocuSign has implemented since the breach;
    • whether additional monitoring of DocuSign operations may be appropriate; and
    • whether the company can exercise any appropriate and enforceable consequences arising from the DocuSign breach, up to and including terminating the DocuSign agreement.
  • Contacting the company’s cyber insurance carrier—although the breach originated at a third-party service provider, companies should review their policies to confirm whether they are covered for any breach-related costs.
  • Preparing a uniform message that the company can use with consumers that may have questions about the potential impact of the DocuSign breach.
  • Evaluating the company’s own information security programs and data breach response policies and procedures. 

- Kim Phan


CFPB Investigating Zillow for RESPA Compliance

For years many industry participants wondered if allowing their real estate agents or loan officers to engage in co-marketing on Zillow Group applications and websites posed a risk to their companies under RESPA. The industry may soon know the answer, as Zillow Group advised in recent prepared remarks on first quarter earnings that “Over the past two years, the Consumer Financial Protection Bureau, or CFPB, has been reviewing our program for compliance with the Real Estate Settlement Procedures Act, or RESPA, which is a regulation designed to protect consumers.”

To say that the CFPB is not a fan of marketing arrangements between settlement service providers is an understatement. We previously reported on an October 2015 bulletin in which the CFPB addressed its experiences with such marketing arrangements. The CFPB stated “In sum, the Bureau’s experience in this area gives rise to grave concerns about the use of [marketing services agreements] in ways that evade the requirements of RESPA.” The recent announcement by Zillow may cause industry members to assess co-marketing arrangements.

While the Zillow announcement indicates that the CFPB investigation has occurred over the past two years, the apparent reason for the announcement is the disclosure that “Recently, the CFPB requested additional information and documents from us as part of their evaluation, which we are working with them on.” Zillow also notes that it considers its co-marketing program to be compliant, and that it has continually encouraged consumers to shop around while looking for a mortgage.

- Richard J. Andreano, Jr.


The Financial CHOICE Act, Now Closer to Passage, Would Significantly Impact the Mortgage Industry

On May 4, H.R. 10, the Financial CHOICE Act (the Act), introduced by House Financial Services Committee Chairman Jeb Hensarling, R-Texas, obtained enough votes to move the bill on to the House of Representatives floor. The Act seeks to roll back or modify many of the regulatory and supervisory requirements imposed by the Dodd-Frank Act.

On May 8, my colleague, Barbara Mishkin, blogged about provisions of the bill that would overhaul the CFPB’s structure and authority, and a variety of other provisions. I will blog about the provisions in the bill that relate to mortgage origination and servicing. The passage of the bill in its current form would result in significant changes for that industry. The most significant changes are addressed below.

S.A.F.E. Act Transitional Authority. If certain conditions are met, the Act would create, under the S.A.F.E. Mortgage Licensing Act, temporary authority for a loan originator to continue to originate loans in cases in which a registered loan originator moves from a depository institution to a non-depository institution mortgage lender and a licensed loan originator moves from a non-depository institution in one state to another non-depository institution in a different state. The temporary period would run from the date the loan originator submits an application for a license until the earlier of the date the application is withdrawn, denied, or granted, or the date that is 120 days after submission of the application, if the application is listed in the Nationwide Mortgage Licensing System and Registry (NMLSR) as being incomplete.

Points and Fees. The definition of points and fees for purposes of the Regulation Z ability to repay/qualified mortgage requirements and high-cost mortgage loan requirements would be revised to exclude charges for title examinations, title insurance, or similar purposes, regardless of whether the title company is affiliated with the creditor. Currently, for such charges to be excluded from points and fees, the title company must not be an affiliate of the creditor. The Act also would make a conforming change to exclude escrowed amounts for insurance from points and fees. Currently, escrowed amounts for taxes are excluded from points and fees. Both changes were included in bills introduced in prior years that never were enacted.

Ability to Repay/Qualified Mortgage. The Act would create a safe harbor against lawsuits for failure to comply with the Regulation Z ability to repay requirements for mortgage loans made by depository institutions that are held in portfolio from the time of origination and comply with a limitation on prepayment penalties. Mortgage originators working for depository institutions would have a safe harbor from a related anti-steering provision if they informed the consumer that the institution intended to hold the loan in portfolio for the life of the loan.

Higher-Priced Mortgage Loan Escrow Requirements. The Act would exempt certain small creditors from the escrow account requirements under Regulation Z for higher-priced mortgage loans if the small creditor held the loan in portfolio for at least three years after origination. A creditor would qualify for the exemption if it has consolidated assets of $10 billion or less.

Small Servicer Exemption. For purposes of the exemption for small servicers from various servicing requirements, the Act would require an increase in the limit on loans serviced to be considered a small servicer. Currently the limit is 5,000 loans serviced by the servicer and its affiliates, and the servicer and its affiliates must be the creditor or assignee of all of the serviced loans. The Act would require the adoption of a limit of 20,000 loans serviced annually. The Act does not expressly refer to loans serviced by affiliates or whether the servicer and its affiliates must be the creditor or assignee of the loans.

HMDA Reporting Threshold. The revised Home Mortgage Disclosure Act (HMDA) rule adopted by the CFPB establishes uniform volume thresholds to be a reporting institution at 25 closed-end mortgage loans in each of the prior two years or 100 open-end lines of credit in each of the prior two years. The uniform thresholds will become effective January 1, 2018, although the 25-loan threshold for closed-end mortgage loans became effective January 1, 2017, for depository institutions. The bill would increase the thresholds to 100 closed-end mortgage loans in each of the prior two years and 200 open-end lines of credit for each of the prior two years.

HMDA Information Privacy. The revised HMDA rule adopted by the CFPB significantly expands the data on the consumer and loans that must be collected and reported, including the credit score and age of the consumer. The mortgage industry has raised concerns about how much information the CFPB will make public under HMDA, as parties can use the publicly released data as well as other publicly available data to determine the identity of the consumer. The CFPB is still assessing what elements of the reported data it will release to the public. The Act would require the Comptroller General of the United States to study the issue and submit a report to Congress. The Act also would provide that reporting institutions are not required to make available to the public any information that was not required to be made available under HMDA immediately prior to the adoption of the Dodd-Frank Act. This aspect of the Act does not address that, under the revised HMDA rule, the CFPB, and not each reporting institution, would make reported information available to the public.

It is likely that H.R. 10 as currently structured will not be adopted, but various provisions may find their way into law. We will continue to monitor developments.

- Richard J. Andreano, Jr. and Pavitra Bacon


Vision 2020: an Alternative to an OCC Fintech Charter?

On May 10, the Conference of State Bank Supervisors (CSBS) announced a series of initiatives (branded as Vision 2020) designed to modernize state regulation of nonbanks. The announcement specifically calls out financial technology firms and appears to be an attempt by state regulators to provide an alternative to the special purpose national bank charter the OCC has proposed to make available to financial technology companies (Fintech charter).

The CSBS claims that by 2020, state regulators will have adopted “an integrated, 50-state licensing and supervisory system, leveraging technology and smart regulatory policy to transform the interaction between industry, regulators, and consumers.” The CSBS further claims that the Vision 2020 initiatives “will transform the licensing process, harmonize supervision, engage [F]intech companies, assist state banking departments, make it easier for banks to provide services to nonbanks, and make supervision more efficient for third parties.” These are lofty goals to say the least, and goals that the financial services industry most certainly will support. It remains to be seen, however, whether Vision 2020, which actually includes initiatives that are already in use or have been underway for some time, will move us further toward these goals by 2020, or even later.

Among others, Vision 2020 purports to include the following:

  • a redesign of the Nationwide Multistate Licensing System (NMLS);
  • harmonization of multi-state supervision;
  • formation of a Fintech industry advisory panel focused on lending and money transmission, with the goal of identifying challenges related to licensing and multi-state regulation and providing feedback on state efforts to modernize the regulatory structure;
  • enhancing the CSBS regulatory agency accreditation program;
  • facilitating banks providing services to non-banks;
  • increasing efforts to address de-risking; and
  • supporting federal legislation facilitating coordinated supervision of bank third-party service providers by state and federal regulators.

It bears noting that the redesign of the NMLS (called NMLS 2.0) has been underway (even if not formally) for some time, and long before the OCC first proposed offering a Fintech charter. Moreover, 62 (and counting) state agencies in more than 40 states and territories already use the NMLS for the administration of non-mortgage licenses. While migration by states to the NMLS for administration of their non-mortgage licenses will no doubt continue, the driver for that was not the need to find a way to regulate Fintech companies, but rather the need for significant improvements to NMLS’s functionality and utility.

The CSBS has also been focusing on the harmonization of multi-state supervision for many years. In the mortgage industry, for example, these efforts have included formation of the Multi-State Mortgage Committee, publication of a model mortgage exam manual, publication of model examination guidelines, and promotion of model state laws. Despite these efforts, those in the mortgage industry can attest to the fact that harmonization and uniformity are still more aspiration than reality.

Some have suggested that Vision 2020 is intended to entice Fintech companies to elect state regulation over seeking a Fintech charter. Whether or not that is the case, Vision 2020 certainly is an attempt by the CSBS to make the case that state regulators are in the best position to regulate Fintech companies and that they are prepared to modernize and harmonize their laws and regulations. Given the significant harmonization and modernization work that still remains to be done in the mortgage industry after many years of effort, I have significant reservations about the likelihood of "an integrated, 50-state licensing and supervisory system" by 2020.

- John D. Socknat


New York DFS Announces Expanded Use of NMLS

The New York Department of Financial Services (DFS) announced last week that it is migrating the administration of its non-mortgage related licenses to the Nationwide Multistate Licensing System (NMLS), joining more than 60 other state financial services regulatory agencies that already administer their non-mortgage licenses via the NMLS. Effective July 1, new applicants for a money transmitter license will be able to apply via the NMLS, and existing licensees will be able to transition their licenses to the NMLS. DFS has indicated that ultimately it will manage all non-depository licenses via the NMLS.

The announcement also expressed support for Vision 2020, the Conference of State Bank Supervisors’ recently launched initiative to modernize state regulation for non-banks.

It is no secret that the DFS is not reluctant to launch its own initiatives if it believes that there is a gap in regulation, examination or oversight (its cybersecurity regulations, for example), so the DFS embracing the NMLS is a positive for the industry as it relates to uniformity of the licensing application process.

- John D. Socknat


CFPB Seeks Comments On its Plan to Assess the RESPA Mortgage Servicing Rule

On May 4, the CFPB announced that as part of its impending five-year review of mortgage rules, it was proposing a plan to assess the effectiveness of the Real Estate Settlement Procedures Act (RESPA) mortgage servicing rule. The proposed assessment plan focuses on the 2013 RESPA Servicing Final Rule, which was issued in January 2013 and amended before it became effective on January 10, 2014. The CFPB intends to issue an assessment report no later than January 10, 2019. While this report will likely not include specific proposals to modify the rule, the CFPB states that the report will “help to inform the Bureau’s thinking as to whether to consider commencing a rulemaking proceeding in the future.”

The purpose of the assessment is to determine how well the 2013 RESPA Servicing Final Rule has met its objectives of responding to borrower requests and complaints in a timely manner; maintaining and providing accurate information; helping borrowers avoid unwarranted or unnecessary costs and fees; and facilitating review for foreclosure avoidance options. The proposed assessment plan seeks to compare servicer and consumer activities and outcomes to a baseline that would exist if the 2013 RESPA Servicing Rule’s requirements were not in effect. To do so, the CFPB will use loan-level data from a small number of servicers, data from the National Mortgage Database and the American Survey of Mortgage Borrowers, consumer complaints, servicing data from a private vendor, and information obtained from supervision and enforcement activities.

The CFPB is soliciting comments on a variety of issues related to the assessment, including the feasibility and effectiveness of the assessment plan and recommendations for modifying, expanding, or eliminating the 2013 RESPA Servicing Rule. Comments must be received 60 days after the CFPB’s notice is published in the Federal Register.

- Pavitra Bacon


Did You Know?

Georgia Revises Residential Mortgage Act Provisions

Georgia revised provisions under the Residential Mortgage Act, including, but not limited to, the following:

  • An applicant for a mortgage lender license must provide a bond of $250,000, previously $150,000. This will become effective on December 31, 2017.

  • The department may now conduct an on-site examination without prior notice, with the licensee or registrant to pay the reasonably incurred costs for such examination. This will become effective on June 1, 2017.

Iowa Revises Consumer Credit Code Provisions

Iowa revised provisions under the Consumer Credit Code, including, but not limited to, the following:

  • The annual notification fee shall increase to $50, previously $10.

  • The administrator may bring a civil action against a person to recover a civil penalty of no more than $10,000 for repeatedly and intentionally violating the Consumer Credit Code. The amount was previously $5,000.

  • With open-end credit, the parties may contract for a delinquency charge on any payment not paid in full when due, as originally scheduled or as deferred, in an amount up to $30, previously $15.

These provisions are effective July 1, 2017.

- Wendy T. Novotne


Copyright © 2017 by Ballard Spahr LLP.
www.ballardspahr.com