Mortgage Banking Update
In This Issue:
- Freddie Mac Addresses Cryptocurrency in the Mortgage Qualification Process
- CFPB Fall 2021 Supervisory Highlights Look at Credit Cards, Debt Collection, Deposits, Fair Lending, Mortgage Servicing, Payday Lending, Prepaid Accounts, and Remittance Transfers
- CFPB Finalizes Regulation Z changes to Address Discontinuation of LIBOR Index
- Federal Financial Regulators Tighten Timelines for Reporting Ransomware Attacks
- This Week’s Podcast: A Close Look at the Final Rule Requiring Notification of Ransomware and Similar Computer-Security Incidents Issued by the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corporation
- CFPB Publishes Annual CARD Act, HOEPA, QM Adjustments
- CFPB/Fed/OCC Increase Exemption Thresholds for Appraisal Requirement, Regs Z and M
For the latest updates on the COVID-19 pandemic visit the Ballard Spahr COVID-19 Resource Center
In Bulletin 2021-36 Freddie Mac addresses cryptocurrency in the mortgage qualification process. Freddie Mac indicated that it is providing guidance “[d]ue to the high level of uncertainty associated with cryptocurrency.”
Freddie Mac advises that the Seller/Servicer Guide is updated to include the following guidance:
- Income paid to the borrower in cryptocurrency may not be used to qualify for the mortgage.
- For income types that require evidence of sufficient remaining assets to establish likely continuance (e.g., retirement account distributions, trust income and dividend and interest income, etc.), those assets may not be in the form of cryptocurrency.
- Cryptocurrency may not be included in the calculation of assets as a basis for repayment of obligations.
- Monthly payments on debts secured by cryptocurrency must be included in the borrower’s debt payment-to-income ratio and are not subject to the guide provisions regarding installment debts secured by financial assets.
- Cryptocurrency must be exchanged for U.S. dollars if it will be needed for the mortgage transaction (i.e., any funds required to be paid by the borrower and borrower reserves).
Freddie Mac notes that it “will continue to monitor cryptocurrency developments and may update these requirements as appropriate in the future.”
The CFPB has released the Fall 2021 edition of its Supervisory Highlights. The report discusses the Bureau’s examinations in the areas of credit card account management, debt collection, deposits, fair lending, mortgage servicing, payday lending, prepaid accounts, and remittances that were completed between January 2021 and June 2021. Accordingly, the majority of examinations discussed in the report would have taken place under the leadership of former Acting Director Uejio.
The CFPB’s news release about the report carries the hyperbolic title “CFPB Report Highlights Supervisory Findings of Wide-Ranging Violations of Law in 2021.” The report does not characterize the causes of the violations found by examiners, and even consumer financial protection laws recognize that violations can occur despite good faith compliance efforts. Nevertheless, the news release includes a statement from Director Chopra indicating that the violations occurred because companies were “irresponsible or mismanaged.”
Key findings by CFPB examiners are described below.
Credit card management. In addition to finding that creditors have violated Regulation Z billing error resolution provisions, card issuers were found to have engaged in deceptive acts or practices by:
- Advertising to certain existing customers that they would receive bonus offers if they opened a new credit card account and met certain spending requirements but failing to provide the advertised bonuses to customers who satisfied these requirements
- Advertising to other customers that they would receive bonus offers if they opened a new credit card account and met certain spending requirements but failing to disclose or adequately disclose that consumers had to apply online to receive the bonus.
Debt collection. Debt collectors were found to have created a risk of a false representation or deceptive means to collect or attempt to collect a debt in violation of the FDCPA by representing to consumers that improvements to the consumers’ creditworthiness and deletion of a tradeline would occur upon making final payment under a restarted payment plan. Such payment might not, in fact, improve a consumer’s credit score because numerous factors influence an individual consumer’s credit score, including potential tradelines previously furnished by owners of the same debt.
Deposits. Financial institutions were found to have violated Regulation E error resolution provisions in connection with the provision of person-to-person digital payment network services. Errors are defined by Regulation E to include “[a]n incorrect electronic transfer to or from the consumer’s account.” Examiners found that due to inaccurate or outdated information in the digital payment network directory, consumers’ EFTs were misdirected to unintended recipients even though the consumer had accurately provided the recipient’s correct phone number or email address. Referred to as “token errors,” such errors are “incorrect” EFTs because the funds are not transferred to the correct account. Examiners found that the institutions violated Regulation E by failing to determine that token errors were “incorrect” EFTs for purposes of Regulation E and by failing to conduct reasonable error investigations when they received notices from consumers alleging that funds had not been received by the intended recipients. Reasonable investigations were not conducted because the institutions only looked at whether the EFTs had been processed in accordance with the sender’s instructions and not at whether the payment went to an unintended recipient due to a token error.
Fair lending. Examiners found instances of pricing discrimination and religious discrimination in violation of the ECOA and Regulation B as follows:
- Pricing discrimination. Mortgage lenders were found have unlawfully discriminated against African American and female borrowers in granting pricing exceptions based on competitive offers from other lenders. The lenders had policies and procedures permitting loan officers to offer pricing exceptions but did not specifically address the circumstances when a pricing exception could be offered in response to a competitive offer. Lenders instead relied on managers to adopt a verbal policy that a consumer had to initiate or request an exception. Examiners identified lenders with statistically significant disparities in the incidence of pricing exceptions for African American and female applicants compared to similarly situated non-Hispanic white and male borrowers. Examiners identified instances where lenders provided pricing exceptions for a competitive offer to non-Hispanic white and male borrowers with no evidence of customer initiation. There was also a lack of documentation to support pricing exceptions. The report cites lenders’ lack of oversight and control over mortgage loan officers’ use of exceptions and managements’ failure to take appropriate corrective action as to self-identified risks as having contributed to the disparities.
- Religious discrimination. Lenders were found to have unlawfully discriminated based on religion by improperly inquiring about the religion of small business applicants and considering an applicant’s religion in the credit decision. For applicants that were religious institutions, the lenders used a questionnaire that explicitly asked about the applicant’s religion. Lenders also denied credit to religious institution applicants because they had not responded to the questionnaire.
Mortgage servicing. Servicers were found to have engaged in unfair acts or practices by:
- Charging delinquency-related fees to borrowers in CARES Act forbearances in violation of the CARES Act prohibition
- Failing to terminate preauthorized EFTs from closed accounts after receiving notice of the closures, resulting in repeated NSF fees for failed preauthorized EFTs
- Charging more to borrowers for the cost of home inspections and broker-price opinions than the actual costs of such services
- Inaccurately describing payment and transaction information in borrowers’ online accounts
Servicers were also found to have:
- Violated Regulation X by failing to evaluate complete loss mitigation applications within 30 days
- Violated Regulation Z by applying payments in excess of the amount due to borrowers’ escrow accounts rather than handling them in accordance with the requirements for the treatment of partial payments (which required the servicers to either return the excess payment to the borrower or credit the payment to the borrower’s next regularly scheduled monthly payment).
- Violated the Homeowners Protection Act by failing to terminate private mortgage insurance on the date that the principal balance of a mortgage that was current was first scheduled to reach 78 percent loan-to-value
Payday lending. Lenders were found to have engaged in deceptive acts or practices by:
- Debiting or attempting to debit from consumers’ accounts the remaining loan balance on the original due date after the consumers had (1) applied for an extension, and (2) received a confirmation email stating that only an extension fee would be charged on the due date
- Misrepresenting in loan confirmation emails that consumers would only pay an extension fee on the original due dates of their loans
- Debiting or attempting one or more additional, identical, unauthorized debits from consumers’ bank accounts due to a coding error or after consumers called to authorize a loan payment by debit card and the lenders’ systems erroneously indicated that the payments had not processed. (These facts were also the basis for the finding that lenders had violated Regulation E by failing to retain evidence of compliance with Regulation E for the required time period.)
Prepaid accounts. Financial institutions issuing prepaid accounts were found to have violated the EFTA and Regulation E by failing to honor stop payment requests they received orally or in writing at least 3 business days before the scheduled date of the transfer. The institutions’ service providers improperly required consumers to first contact the merchant before they would process a stop-payment request. Financial institutions were also found to have violated the Regulation E error investigation provisions by failing to (1) promptly begin investigations upon receipt of an oral error notice, (2) complete investigations of disputed point-of-sale debit transactions within 90 days of receipt of the initial error notice, after issuing provisional credit when required, and (3) reporting investigation results in the determination letter sent to consumers.
Remittance transfers. Providers were found to have violated the error investigation provisions of the remittances rule by failing to (1) investigate whether a deduction imposed by a foreign recipient bank was a fee that the institutions were required to refund to the sender, and (2) refund that fee after the providers had received notices of error alleging that remitted funds had not been made available to the designated recipient by the disclosed date of availability.
The CFPB has issued a final rule amending Regulation Z to address the discontinuation of the London Inter-Bank Offered Rate (LIBOR) that is currently used by many creditors as the index for calculating the interest rate on credit cards and other variable-rate consumer credit products. In 2017, the United Kingdom’s Financial Conduct Authority (FCA), the regulator that oversees the panel of banks on whose submissions LIBOR is based, announced plans to discontinue LIBOR after 2021. The FCA subsequently announced that no LIBOR indices will be available after June 30, 2023.
The final rule is effective on April 1, 2022, with the exception of certain changes to two post-consummation disclosure forms that are effective on October 1, 2023. The mandatory compliance date for revisions to Regulation Z change-in-terms notice requirements is October 1, 2022 and the mandatory compliance date for all other provisions of the final rule is April 1, 2022.
The key Regulation Z amendments consist of the following:
Change in index. Regulation Z currently allows HELOC creditors and card issuers to change an index and margin used to set the APR on a variable-rate account when the original index “becomes unavailable” or “is no longer available.” Having determined that all parties would benefit if creditors and issuers could replace a LIBOR index before LIBOR becomes unavailable, the final rule includes a new provision that allows HELOC creditors and card issuers (subject to contractual limitations) to replace a LIBOR index with a replacement index and margin on or after April 1, 2022, which is before LIBOR is expected to become unavailable.
The replacement index must be either an established index with a history or a newly established index with no history. An established index with a history may only be used if the index’s historical fluctuations are substantially similar to those of the LIBOR index. Whether it is newly established or an established index, the replacement index and replacement margin in effect on October 18, 2021 must produce an APR that is substantially similar to the APR calculated using the LIBOR index in effect on October 18, 2021 and the previously applicable margin. (If the replacement index was not published on October 18, 2021, the creditor or issuer must base its determination on the LIBOR index and replacement index as published the next calendar day. However, if the replacement index is a spread-adjusted index based on the Secured Overnight Financing Rate (SOFR) as described below, the creditor or issuer must use the LIBOR index value on June 30, 2023 and the SOFR-based spread-adjusted index value on the first date it is published.)
The final rule includes the Bureau’s determinations that (1) the prime rate published in the Wall Street Journal has historical fluctuations substantially similar to the those of the 1- and 3-month U.S. Dollar LIBOR indices, and (2) the spread-adjusted indices based on the SOFR recommended by the Alternative Reference Rates Committee (ARRC) to replace the 1-, 3-, and 6-month and 1-year U.S. Dollar LIBOR indices have historical fluctuations substantially similar to those of the 1-, 3-, and 6-month and 1-year U.S. Dollar LIBOR indices. (The ARRC was convened by the Federal Reserve Board and the New York Fed to address the transition from LIBOR.)
Change-in-terms notices. Regulation Z currently does not require HELOC creditors or card issuers to provide a change-in-terms notice when the change involves a reduction of any component of a finance charge or other charge. The final rule creates an exception that requires creditors or issuers, on or after October 1, 2021, to provide a change-in-terms notice when the margin is reduced in conjunction with replacement of a LIBOR index. The change-in-terms notice must disclose the replacement index and new margin. From April 1, 2022 through September 30, 2022, a creditor or issuer has the option of disclosing a reduced margin in a change-in-terms notice that discloses the replacement index for a LIBOR index. The final rule also adds new commentary on how creditors can disclose information about the periodic rate and APR in change-in-terms notices when replacing a LIBOR index with the SOFR-based spread-adjusted index recommended by the ARRC.
Rate increase reviews. Regulation Z currently requires a card issuer, when increasing the rate on a credit card account, to periodically review the increased rate. The final rule creates an exception from this requirement for rate increases that result from the replacement of a LIBOR index. It also adds a provision establishing conditions for how an issuer that was already subject to a periodic review requirement before transitioning from a LIBOR index can terminate that requirement.
Closed-end credit. Regulation Z currently provides that a refinancing subject to new disclosures results if a creditor adds a variable-rate feature to a closed-end credit product but that a variable-rate feature is not added when a creditor changes the index to one that is “comparable.” The final rule adds new commentary that provides examples of the types of factors to be considered in determining whether a replacement index is a “comparable” index to a particular LIBOR index. As an example, the new commentary states that a creditor does not add a variable-rate feature by changing the index of a variable-rate transaction from the 1-, 3-, 6-month or 1-year U.S. Dollar LIBOR index to the spread-adjusted index based on the SOFR recommended by the ARRC to replace the 1-, 3-, 6-month or 1-year U.S. Dollar LIBOR index, respectively, because the replacement index is a comparable index to the corresponding U.S. Dollar LIBOR index.
FAQs. Contemporaneously with the final Regulation Z amendments, the CFPB also issued final LIBOR Transition FAQs. The CFPB indicates that the FAQs “address Bureau regulatory requirements for both existing accounts and new originations as they complete the steps necessary to discontinue the use of LIBOR.” The FAQs are divided into sections that address the following:
- All consumer financial products and services
- Adjustable-rate mortgage products
- Private student loan products
- Home equity lines of credit
- Credit card products
A category of contracts that cannot take advantage of the flexibility provided by the final rule to replace a LIBOR index before it becomes unavailable was the subject of a letter sent by the American Bankers Association and a diverse coalition of other trade groups to House leadership. The letter describes such contracts as “hard to modify financial contracts, securities, and loans that use LIBOR—known as ‘tough legacy’ contracts–that are unable, before [June 2023], to either convert to a non-LIBOR rate or amend the contracts to add adequate fallback language to another rate.” To address this problem, the trade groups urge passage of H.R. 4616, the “Adjustable Interest Rate (LIBOR) Act.” They assert that the legislation is needed to avoid “years of uncertainty, litigation, and a change in value” for investors, consumers, and issuers of securities that would “create ambiguity [and] lead to a reduction in liquidity and volatility.” According to the trade groups, H.R. 4616 would offer uniform, equitable treatment for all contracts covered by the bill and create a safe harbor from litigation.
As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (Final Rule). The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic. It places new reporting requirements on both U.S. banking organizations, as well as bank service providers.
The Final Rule applies to “banking organizations” as defined in the Final Rule. Covered banking organizations are required to provide notice to their relevant regulator in the event that a “Notification Incident” occurs. A Notification Incident is a computer security event that results in actual harm to the confidentiality, integrity, or availability of information or an information system, when that occurrence has—or is reasonably likely to—materially disrupt or degrade:
- a banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base;
- business line(s), that upon failure would result in a material loss of revenue, profit, or franchise value; or
- operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The Final Rule specifically calls out ransomware and DDOS attacks as potential Notification Incident. Banking organizations that suffer a Notification Incident must provide notice to their respective regulator as soon as possible, but not later than 36 hours after the occurrence of the incident. Despite the 36-hour notification window, covered banking organizations that offer “sector critical services” are encouraged to provide same day notification. Finally, the required notice should be provided either by email, telephone, or any other similar methods later prescribed by regulators for providing notice.
The Final Rule also requires that bank service providers notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has—or is likely to—materially disrupt or degrade covered services for more than four hours. Banking organizations and service providers are required to work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner. This requirement is designed to enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator, and take any other measures that may be appropriate.
The Final Rule is likely to impact the operations of both banking organizations and bank service providers. Banking entities should closely review the definitions in this Final Rule to determine whether they fall within its scope. Moving forward, covered entities should expect to include relevant notification provisions in new and existing service contracts. Covered entities will also want to ensure that they create internal policies and procedures for identifying when an incident requiring notification has occurred, and what steps must be taken by whom to provide notice to relevant parties in compliance with the Final Rule.
This Week’s Podcast: A Close Look at the Final Rule Requiring Notification of Ransomware and Similar Computer-Security Incidents Issued by the Office of the Comptroller of the Currency, Federal Reserve Board, and Federal Deposit Insurance Corporation
We discuss the new notification requirements that the final rule places on both U.S. banking organizations and bank service providers relating to ransomware and similar computer security incidents, including the mandated timing for providing notice, and how the final rule differs from the agencies’ proposal. We also look at the compliance challenges presented by the final rule and offer suggestions for covered entities to consider in preparing for compliance with the new requirements.
Chris Willis, Co-Chair of Ballard Spahr’s Consumer Financial Services Group, hosts the conversation, joined by Kim Phan and Phil Yannella, partners in the firm’s Privacy and Data Security Group.
Click here to listen to the podcast.
The CFPB recently published a final rule regarding various annual adjustments it is required to make under provisions of Regulation Z (TILA) that implement the CARD Act, the Home Ownership and Equity Protection Act (HOEPA), and the ability to repay/qualified mortgage provisions of Dodd-Frank. The adjustments reflect changes in the Consumer Price Index in effect on June 1, 2021 and will take effect January 1, 2022.
CARD Act. The CARD Act requires the CFPB to calculate annual adjustments of (1) the minimum interest charge threshold that triggers disclosure of the minimum interest charge in credit card applications, solicitations and account opening disclosures, and (2) the fee thresholds for the penalty fees safe harbor. The calculation did not result in a change for 2022 to the current minimum interest charge threshold (which requires disclosure of any minimum interest charge above $1.00). However, it did result in a change for 2022 to the first and subsequent violation safe harbor penalty fees. Such fees were increased to $30 and $41, respectively.
HOEPA. HOEPA requires the CFPB to annually adjust the total loan amount and fee thresholds that determine whether a transaction is a high cost mortgage. In the final rule, for 2022, the CFPB increased the total loan amount threshold to $22,969, and the current points and fees threshold to $1,148. As a result, in 2022, a transaction will be a high-cost mortgage (1) if the total loan amount is $22,969 or more and the points and fees exceed 5 percent of the total loan amount, or (2) if the total loan amount is less than $22,969 and the points and fees exceed the lesser of $1,148 or 8 percent of the total loan amount.
Ability to repay/QM rule. Pursuant to its ability to repay/QM rule, the CFPB must annually adjust the points and fees limits that a loan cannot exceed to satisfy the requirements for a QM. The CFPB must also annually adjust the related loan amount limits. In the final rule, the CFPB increased these limits for 2022 to the following:
- For a loan amount greater than or equal to $114,847, points and fees may not exceed 3 percent of the total loan amount
- For a loan amount greater than or equal to $68,908 but less than $114,847, points and fees may not exceed $3,445
- For a loan amount greater than or equal to $22,969 but less than $68,908, points and fees may not exceed 5 percent of the total loan amount
- For a loan amount greater than or equal to $14,356 but less than $22,969, points and fees may not exceed $1,148
- For a loan amount less than $14,356, points and fees may not exceed 8 percent of the total loan amount
The CFPB, Fed, and OCC have published notices in the Federal Register announcing that they are increasing three exemption thresholds that are subject to annual inflation adjustments. Effective January 1, 2022, through December 31, 2022, these exemption thresholds are increased as follows:
- Smaller loans exempt from the appraisal requirement for “higher-priced mortgage loans,” increased from $27,200 to $28,500.
- Consumer credit transactions exempt from the Truth in Lending Act/Regulation Z, increased from $58,300 to $61,000 (but loans secured by real property or personal property used or expected to be used as a consumer’s principal dwelling and private education loans are covered regardless of amount).
- Consumer leases exempt from the Consumer Leasing Act/Regulation M, increased from $58,300 to $61,000.