As published in California Mortgage Finance News, Spring 2017
The job of a general counsel (GC) at a mortgage company is challenging even in times when the regulatory landscape is static. It becomes even more challenging when that landscape changes and shifts, as it did this year with the inauguration of a new president promising to make changes that will impact the mortgage industry. Thus, the job of the GC this year requires an unprecedented amount of leadership and agility when providing advice and counsel. In preparing to write this article, I reached out to my GC colleagues within the California Mortgage Bankers Association (CMBA) to see what advice we could share that would help other GCs better navigate this year’s risks.
Continue your Compliance Management System Enhancements
While many of us anticipate a loosening of restrictions and enforcement at the federal level, we also anticipate an increase in these areas by the state regulators. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd Frank), Section 1042 (12 U.S.C. § 5552), a state attorney general (AG) or state regulator is authorized to bring a civil action to enforce provisions of Dodd-Frank Title 10 and regulations issued under it, including the broad prohibition of unfair, deceptive or abusive acts or practices (UDAAP). AGs can also bring an action against an entity to enforce any regulation promulgated by the Consumer Financial Protection Bureau (CFPB) under the authority of Title X. Ray Snytsheuvel who, like many GCs, is responsible for both the legal and compliance function at his company, Paramount Equity Mortgage LLC, offers the following recommendations to GCs, “Keep your foot on the gas pedal and don’t stop on the road to regulatory compliance.” In anticipation of continued regulatory scrutiny from the states, GCs should continue their efforts to retain their budget for compliance activities, continue to enhance their compliance management system and keep taking steps to ensure compliance monitoring of applicable regulations. Annual risk assessments are one way to measure a company’s compliance risks, react to those risks, and implement solutions to mitigate against state and federal regulatory actions and the penalties and reputation risk that accompany them.
Develop Relationships with your Regulators
Xavier Becerra, recently appointed by Governor Jerry Brown to fill the California’s AG position vacated by Kamala Harris, is expected to be an advocate on immigration issues; however it is not clear if regulatory scrutiny or enforcement of financial institutions will be a priority. GCs are encouraged to follow the AG’s actions and to build relationships with the AG’s office, in addition to the Department of Business Oversight (DBO), and to foster and nurture relationships with regulators before there is a need. Joseph Grassi, GC at Prospect Mortgage LLC, advises, “It is key to have a respectful and productive relationship with your regulators and work cooperatively to achieve common goals. You can’t develop that kind of strong working relationship overnight – you need to establish credibility over time.” This is good advice during a time of both changing regulations and regulatory priorities. GCs should make it a priority to get out of the office and visit their regulators. The Legislative Day hosted by the CMBA is scheduled for April 3rd this year and is an excellent opportunity to achieve this goal.
Be Aligned with the Business Leaders and be a Part of their Innovative Process
Our role as GC is to know the law and provide advice and counsel to the company and its business leaders so they make good decisions aligned with the company’s risk profile, while also being able to develop competitive business strategies. It is critical for the GC and the chief compliance officer to have a seat at the table when the business leaders explore new ideas, products, processes, etc. Once a new idea is approved and rolled out in a compliant manner, processes for monitoring and reporting should be part of the GC’s tools to mitigate unknown risks related to the new idea, product, or process.
Impac Mortgage Holdings’ GC, Ron Morrison, states that “people in this business are incredibly innovative in coming up with new and unique ideas that meet all legal and compliance requirements, so keep an open mind and give your personnel the opportunity to propose new ideas w w t a to you. GCs, as well as others within the firm monitoring these activities, must be able to look at these ideas with enough confidence to stand f irm against those that do not pass muster and openly accept those that we feel are appropriate. You may reject ten ideas, or even more, before one passes your scrutiny. Keep your business engaged in the process and encourage their ingenuity.”
Analyze your Home Mortgage Disclosure Act (HMDA) Data Regularly
Changes at the CFPB are anticipated, but the requirement to submit HMDA data and comply with Regulation C are unlikely to be repealed in their entirety. Prudent mortgage companies are ready, or soon to be ready, to comply with the collection and reporting of new data fields among other requirements. There is much speculation about how transparent the CFPB will be with regard to disclosure of the newly collected data, but there is little doubt that disclosure of additional information about applicants, borrowers, credit, collateral, loan type, pricing, fees, and charges will give both regulators and plaintiff’s lawyers more data with which they can identify potential discrimination and use to prompt investigations, enforcement actions and/or litigation. Due to these risks, GCs are taking a hard look at their HMDA data before filing and are including regular reviews during the year. Ann Savage, GC at Mountain West Financial, Inc. recommends, “GCs should review the HMDA data monthly, quarterly, and again annually prior to submission. This process not only saves your company time when preparing the data for submission, it allows you to intervene early if particular policies and procedures are not being properly followed.” GCs should have an action plan in place to ensure their company, and their third-party vendor assisting with data analytics, are prepared to meet the new HMDA reporting requirements well in advance of the due date.
Have a Documented Action Plan in the Event of a Cyber-Attack
Mortgage companies and their vendors collect and retain a vast amount of data that is subject to a myriad of privacy laws. The risk of having consumer confidential data hacked or being subjected to a ransomware hack is a real risk today that companies and their GCs must be prepared to handle. Technology developments allow consumers to transact on a variety of devices, sharing information is increasingly common, and mortgage lenders capture more information than ever before with cheaper cloud data storage options. It is no surprise that cyber security measures and processes are on GCs’ radar this year. Melissa Richards, chief legal and risk officer at CMG Financial, shared that “I have identified consumer financial privacy protection as one of my risk management priorities this year with a keen focus on cyber security measures and recommend other GCs do as well.” Outside counsel have developed specialties in this area and are a great resource for guidance on developing tools to mitigate cyber risks. These include obtaining cyber insurance, developing policies, procedures, training to prepare for and prevent a cyber security crisis, system penetration testing, and cyber risk assessments. It is critical that your company has adequate operational resources for cyber security protocols and safeguards, as well as a documented plan to properly manage through such an event.
These are just some of the risks that mortgage company GCs face this year. Each risk comes with a variety of controls to mitigate the risk. Every company has its own, unique risk tolerance that will no doubt be reevaluated this year. GCs at large public and smaller private lenders, and GCs of their vendors, all agree that providing timely advice and counsel is even more important as the regulatory landscape changes. The recommendations discussed above, including risk assessments, monitoring and reporting, should be part of a GC’s plan to lead and manage through the risks posed in 2017.
