CFPB Releases Video of “Final” Webinar on TILA-RESPA Integrated Disclosure Rule
The CFPB has posted a video of its May 26th webinar that addressed questions about the final TILA-RESPA Integrated Disclosure Rule. The webinar was the fifth in a series to address specific questions related to rule interpretation and implementation challenges that have been raised by creditors, mortgage brokers, settlement agents, software developers, and other industry stakeholders. Although currently the rule is scheduled to become effective for applications received by creditors or mortgage brokers on or after August 1, 2015, as noted above, the CFPB has proposed to delay the effective date until October 3, 2015.
A detailed discussion of the webinar prepared by Rich Andreano, a member of Ballard Spahr’s Mortgage Banking Group, can be found here.
FDIC Revises Examination Procedures To Incorporate TILA/RESPA Integrated Disclosures
The FDIC has revised its interagency examination procedures to reflect the requirements of the TILA/RESPA integrated disclosures (TRID) rule. The CFPB has issued a proposal to postpone the TRID rule’s effective date from August 1 to October 3, 2015.
The revised procedures also reflect the following amendments to other provisions of TILA Regulation Z and RESPA Regulation X:
- the alternative definition of the term “small servicer” for certain nonprofit entities in the mortgage servicing rules
- the provisions in the ability-to-repay/qualified mortgage rule that give creditors or assignees meeting certain requirements a limited period of time in which to review a transaction and “cure” excess points and fees for purposes of maintaining QM status
- additional exempt transactions under the appraisal rule for higher-priced mortgage loans
In May 2015, the OCC released revisions to the TILA and RESPA chapters of its examination manual for consumer compliance exams to incorporate the requirements of the TRID rule.
FFIEC Tool Helps You Assess Cyber Risk
The Federal Financial Institutions Examination Council (FFIEC) has released its long-awaited Cybersecurity Assessment Tool (Assessment) to help financial institutions identify the inherent risks faced by a company and determine the level of maturity of a company’s cybersecurity preparedness. The tool is the latest resource developed by the FFIEC to raise awareness among financial institutions and their critical third-party service providers regarding cybersecurity risks in light of the ever-growing volume and sophistication of cyber threats.
Although use of the Assessment is optional, the FFIEC believes the tool can “help management and directors of financial institutions understand supervisory expectations, increase awareness of cybersecurity risks, and assess and mitigate the risks facing their institutions.” The federal Office of the Comptroller of the Currency (OCC) has also announced it will incorporate the Assessment into its examinations of financial institutions subject to its jurisdiction in late 2015.
The Assessment and related materials are noteworthy for a number of reasons. First, the FFIEC materials include cybersecurity guidance addressed specifically to CEOs and Boards of Directors. Second, the Assessment provides a ready-to-use risk assessment framework, including risk areas, relevant control activities, definitions, and ratings scales, which can be easily executed by companies. Third, companies that already have an information security risk assessment framework can review their current methodology against the Assessment as a way of gauging the adequacy of that methodology. Fourth, the Assessment builds on and references all of the existing FFIEC guidance on cybersecurity-related control activities, which makes it easier to understand bank regulators’ expectations. Finally, the FFIEC has mapped the Assessment to the National Institute of Standards and Technology (NIST) Cybersecurity Framework as well as the FFIEC IT Examination Handbook.
The Assessment consists of two parts: (1) Inherent Risk Profile and (2) Cybersecurity Maturity. Part I identifies risks in the following five categories to determine a financial institution’s Inherent Risk Profile:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
The risk levels (ranging from Least Inherent Risk to Most Inherent Risk) provide insight into the type, volume, and complexity of the inherent risks identified in each category.
Part II of the Assessment determines the financial institution’s Cybersecurity Maturity levels across each of the following five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
The risk levels (ranging from “Baseline” to “Innovative”) provide financial institutions with a measurement of the controls available to manage the inherent risks identified in Part I.
According to the FFIEC, “The Assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” The FFIEC believes that financial institutions can interpret and analyze the results of the Assessment to guide decisions about reducing inherent risk or developing a strategy to improve maturity levels. The FFIEC has also identified the following benefits to financial institutions that choose to use the Assessment:
- Identifying factors contributing to and determining the institutions’ overall cyber risk;
- Assessing the institution’s cybersecurity preparedness;
- Evaluating whether the institution’s cybersecurity preparedness is aligned with its risks;
- Determining risk management practices and controls that could be enhanced and actions that could be taken to achieve the institution’s desired state of cyber preparedness; and
- Informing risk management strategies.
OCC Identifies Safety and Soundness Risks to National Banks and Federal Savings Associations and Supervisory Priorities
A new report issued by the federal Office of the Comptroller of the Currency (OCC) identifies top safety and soundness risks to national banks and federal savings associations, as well as OCC supervisory priorities for the next 12 months.Semiannual Risk Perspective for Spring 2015reflects bank financial data as of December 31, 2014. Although the report is directed at banks supervised by the OCC, it should not be ignored by state-chartered depository institutions.
Following are key risks and supervisory priorities identified by the OCC.
Banks and their employees, customers, and third-party service providers are vulnerable to evolving cyber threats that can compromise data or systems and allow criminals to illegally obtain personally identifiable data. OCC examiners will review a bank’s program for assessing and mitigating such threats and vulnerabilities. OCC reviews will include assessments of data and network protection practices, business continuity practices, risks from vendors, and compliance with any new guidance. (The Federal Financial Institutions Examination Council recently released its Cybersecurity Assessment Tool to help financial institutions identify cybersecurity risks and determine their level of cybersecurity preparedness. The OCC announced it will incorporate the Assessment Tool into its examinations of financial institutions subject to its jurisdiction in late 2015. Ballard Spahr has scheduled an August 4, 2015 webinar on the Assessment Tool)
Use of Third Parties
To lower overhead expenses, banks are outsourcing critical functions to third-party providers without establishing the risk management processes necessary for appropriate oversight and controls to monitor associated risks. An assessment of a bank’s operational risk by OCC examiners will include a focus on third-party risk management. The OCC, the other federal banking regulators, and the Consumer Financial Protection Bureau (CFPB) have been beating this drum for several years.
Banks are subject to high compliance risk that includes:
1)Bank Secrecy Act/Anti-Money Laundering (BSA/AML) risks (with the OCC observing that “BSA programs at some banks have failed to develop or incorporate appropriate controls as products and services have evolved, and insufficient resources and expertise have been devoted to BSA/AML in some banks.”);
2)risk of unfair or deceptive practices arising from the use of third parties to conduct all or a portion of consumer credit-related product development, implementation and fulfillment (with the OCC noting the failure of a number of banks to exercise adequate risk management and controls when developing and offering add-on products to customers);
3)fair lending risk arising when banks engage a third party to conduct all or a portion of the application or underwriting process or make decisions regarding terms or pricing; and
4)risk created by the need for banks to implement significant changes to policies and procedures to comply with the new Truth in Lending Act/Real Estate Settlement Procedures Act integrated mortgage disclosure requirements that become effective October 3, 2015.
OCC examiners will review a bank’s BSA/AML program and controls and the effort of bank management to maintain an effective program. For large banks, OCC examiners will coordinate with the CFPB to determine compliance with consumer laws, regulations, and guidance, and continue to assess compliance with the Flood Protection Act and the Servicemembers Civil Relief Act. For both large and smaller banks, OCC examiners will assess a bank’s effectiveness in identifying and responding to risks created by new products, services, or terms and, with regard to fair lending, assess a bank’s “efforts to meet the needs of creditworthy borrowers” and monitor its compliance with the Community Reinvestment Act, fair lending laws, and other consumer protection laws.
Other top safety and soundness risks identified by the OCC include loosening of underwriting standards in response to competitive pressures (particularly in leveraged lending, indirect auto finance, and commercial loans) and vulnerabilities arising from the low interest rate environment.
Louisiana To Increase Licensing Fees in August
The state of Louisiana has amended its licensing fees applicable to mortgage lenders, mortgage brokers, mortgage servicers, and mortgage loan originators. Renewing licensees and new applicants will see an increase in state fees as a result. These increases will take effect on August 1, 2015.
Fees for mortgage lender, mortgage broker, and mortgage servicer applications will increase from $400 to $500. The annual license renewal fee for each person licensed as a mortgage broker, mortgage lender, or mortgage servicer will increase from $400 to $500. The application fee for a license to act as a mortgage loan originator will increase from $100 to $200. Finally, the annual license renewal fee for each originator will increase from $100 to $200.
Connecticut Adds New Licenses to NMLS
The Nationwide Mortgage Licensing System (NMLS) is now accepting new applications and transition filings for new industry licenses for the Connecticut Department of Banking (Department). The Department is requiring companies holding any of the licenses listed below to submit a license transition request through NMLS by September 30, 2015. For details on the Connecticut Transition Plan, click here.
- Check Cashing Branch License – General Facility
- Check Cashing Branch License – Limited Facility
- Check Cashing License
- Consumer Collection Agency Branch License
- Consumer Collection Agency License
- Debt Adjuster For-Profit Branch License
- Debt Adjuster For-Profit License
- Debt Adjuster Non-Profit Branch License
- Debt Adjuster Non-Profit License
- Debt Negotiation Branch License
- Debt Negotiation License
- Money Transmission License
- Sales Finance Company Branch License
- Sales Finance Company License
- Small Loan Company Branch License
- Small Loan Company License