As published in Mortgage Compliance Magazine by Chris Ortigara and Jim Shankle, January 2016
Are you confused about quality control, compliance management system (CMS), Mortgage Origination Risk Assessment (MORA), and the internal audit function? Do you struggle with the distinctions between all these types of compliance functions? Are you unclear about whether Fannie Mae and the Consumer Financial Protection Bureau (CFPB) have the same expectations? If this describes you, you’re not alone. There has been a lot to digest these past few years. As mortgage companies move through the compliance journey, it has been challenging to figure out how all the pieces fit together.
Prior to Dodd-Frank regulations, many non-depository mortgage originators felt comfortable that all aspects of their operation adhered to regulatory guidelines because they followed Fannie Mae and/or Freddie Mac guidelines and had an operational quality control program. They did in-depth reviews of the quality control policies and procedures, tested loans, and interviewed management and staff. They added post-purchase reviews of individual loans, and more recently initiated the required prefunding review process (1). But having a robust quality control program is only one piece of the compliance puzzle, as many are learning.
The first challenge after Dodd-Frank became effective was the realization that the CFPB requires consumer financial service companies (which all mortgage bankers are now acutely aware includes them) to establish and maintain an effective CMS. During 2014, most mortgage bankers found themselves scrambling to absorb what it meant to have an effective CMS. As they learned, an effective CMS commonly has four “pillars,” or interdependent control components: 1) board and management oversight, 2) compliance program, 3) response to consumer complaints, and 4) the compliance audit. Effective risk management will more likely occur when each of these four “pillars” is robust and in harmony with the others (2).
On numerous occasions, lenders initially implemented a CMS process by purchasing policies and procedures off the shelf only to learn that these generic documents did not adequately reflect their particular business model and needed substantial revisions. As lenders realized the importance of establishing an effective compliance unit and how all the pillars of the CMS functioned, they focused on strengthening their CMS to bring it into full compliance with the CFPB. Many lenders have taken the additional steps to develop and maintain an organized and well-managed CMS to ensure that all business lines within the company comply with the regulatory requirements.
In addition to the CFPB, mortgage companies also need to comply with investor requirements. For example, Fannie Mae is conducting MORA reviews (3). Specific areas that are reviewed by Fannie Mae include organization structure and governance, origination channels, underwriting and appraisal, closing/post-closing/funding, quality control, compliance/internal audit, secondary marketing, technology, and business continuity. Each of these nine areas will be assessed as part of the process evaluation, and Fannie Mae will apply a rating. These ratings are based on all information included in the overall review. This includes the file testing, the process reviews, and the interviews.
Fannie Mae issues their final MORA report about 45 days after the completion of the counterparty interviews. This final assessment identifies the issues, the applicable corrective actions, suggestions for improvement, and functional area ratings. One of three ratings is assigned: acceptable, needs improvement, or unsatisfactory. The overall assessment of the functional area corresponds to the severity (i.e., high, medium, or low) of identified issues.
After a lender receives their final report, they will review the results and corrective actions. Fannie Mae expects to receive a proposed action plan from the lender within 30 days of the date of the final assessment. The lender submits their action plan to their Customer Account Risk Manager (CARM). Fannie Mae highly recommends the lender review their draft plan with their CARM prior to the due date. Inadequate action plans will be returned to the lender for correction. The time line will remain the same in those situations.
A number of lenders have received MORA reviews identifying compliance/internal audit as an issue. While a lender may have a functioning compliance unit as well as a robust quality control plan, this does not mean they also have a functioning internal audit unit that meets Fannie Mae requirements. Many lenders have expressed confusion about what it means to have an internal audit function. They believe that having a compliance officer or a quality control plan could be considered internal audit. They are not familiar with the structure, nature, or purpose of the internal audit function. And, perhaps most important, they do not realize the essential requirement of the independence of the internal audit function. The internal audit function must be totally free from the influence of other business units. This is true whether it is established in-house or whether using a third-party vendor as the internal auditor.
You may be asking, “How does a lender accomplish this? What are my options here?” One option for consideration is to outsource the internal audit function. Third-party auditors should be engaged by executive management or a designated chief audit executive or the board of directors. Some lenders have mistakenly thought it acceptable to have the internal audit function report to the chief financial officer, the chief compliance officer, or to a lesser degree, the operations unit. Whether the internal audit function is performed totally as an in-house department or by a third party, it should only perform internal audit functions, which should be reflected in the reporting structure.
Are there other options besides outsourcing the internal audit or having it within the organization? Yes, there are other options—and variations of options. In many instances it can be a combination of both. Larger mortgage bankers may have the need and ability to hire an internal auditor and set up the function internally. Others may want assistance with the process. This may involve initially utilizing a third party to perform the internal audit risk assessment resulting in a proposed annual audit plan with a strategic plan to gradually phase it into the lender’s organization as a separate unit. Smaller lenders may opt to outsource the entire internal audit function and designate an internal audit liaison to assist with the planning and administrative tasks. Should the smaller lender opt to create the internal audit function internally, care should be given to ensure the function is structured such that no operational duties are included in the role. In-house internal audit functions typically coordinate federal/state examinations and investor exams as well as track the progress of corrective actions for deficiencies noted in the respective exam reports.
Even very large financial institutions with a well-established internal audit unit may request specific assistance from an outside source. This may be due to staff shortages, or it may be due to a lack of expertise in a specific area. For example, the internal audit unit may not feel it has the full expertise to perform an internal audit review of servicing or secondary marketing or some other unit. Sometimes, the internal audit unit decides to engage a third party for a specific project that will require a large staff for a short time frame.
Because Fannie Mae requires that the lender have a written plan to govern the auditing of all key functions throughout the company and have initiated the internal audit function, the idea of starting from scratch may seem like an overwhelming prospect to many lenders. In addition to having the internal audit process in writing, Fannie Mae requires that the plan be comprehensive in nature and provide guidance to the staff. Some key elements include, but are not limited to, the risk assessment methodology used to identify the operational areas and functions to be audited, an organizational and reporting structure chart for the internal audit department, the process and procedures implemented to govern the reporting to senior management, and a formalized audit plan and audit schedule for a minimum of a 12-month time frame. Fannie Mae will be looking for evidence that the internal audit process has been initiated. Key risks for consideration in conducting a risk assessment include strategic, compliance, financial, operational, and reputation risks.
So, what does this say about staffing the internal audit function? You will need someone with the knowledge and expertise to develop the plan, manage the risk assessment, and communicate with the CEO, the board, or the audit committee. Keep in mind the internal auditor may also be communicating directly with the CFPB, state regulators, Fannie Mae, and other investors.
In addition to expertise about the areas being audited, there are specific designations associated with the internal audit profession and you will ideally want someone with those credentials. Look for designations like the Certified Financial Services Auditor (CFSA), Certified Internal Auditor (CIA), Certified Information System Auditor (CISA), and Certified Public Accountant (CPA). While the Certified Anti-Money Laundering Specialist (CAMS) and Certified Regulatory Compliance Manager (CRCM) do not pertain directly to the internal audit process, they are also indications of specific training and expertise.
Regardless of the options implemented for creating an internal audit function, establishing a well-defined audit charter is critical for establishing the role and responsibilities of the internal audit function. The charter should include at a minimum the overall objectives for internal audit; reporting structure; communicating results; and tracking the status of corrective/remediation efforts, as applicable.
An internal audit function can assist in documenting the company’s self-policing and remediation efforts and assessing the effectiveness of corrective actions. It should be regarded as a “partner” in the business. The ultimate objective of the initial risk assessment is to evaluate and prioritize areas to be audited based on risk and business impact.
If the approach to developing an internal audit function is that it is a necessary burden, it will probably feel like a heavy process that adds no value. However, if your attitude revolves around learning how to make the most of this process, it is much more likely your organization will benefit from an effective and hardy internal audit function. You can embrace the opportunities that an effective internal audit function can provide your organization to reduce risk—which ultimately improves your bottom line.
(1) https://www.fanniemae.com/content/guide/selling/d1/2/01.html
(2) http://www.consumerfinance.gov/guidance/supervision/manual/
(3) https://www.fanniemae.com/content/tool/mora-review-process.pdf