By Paula Witt
On October 15, 2015, the Consumer Protection Financial Bureau (CPFB) issued final rules for the Home Mortgage Disclosure Act (HMDA). At first glance, the HMDA rules represent another new compliance issue to tackle, among dozens of others. Take a closer look, however, and something more worrisome jumps out.
Beginning in 2018, all home mortgage lenders will be required to post their HMDA data to the CFPB’s public website. This single requirement could pose new financial, regulatory, reputational, and litigation risks; increase competitive pressures; and raise privacy concerns. Moreover, the CFPB’s four-year implementation period, which was meant to give lenders time to comply, has inadvertently added risk by reducing perceived lender urgency.
Financial institutions are exposing themselves to great risk by underestimating the power of the proposed public disclosure, especially when combined with the granularity of HMDA’s new requirements. Meeting HMDA’s requirements will require extensive planning, preparation, testing, and validation. Most sophisticated bank systems and compliance functions will find it challenging to reach full compliance within proposed timelines. For stragglers, inability to meet the deadlines could generate a public relations effect roughly equivalent to failing a bank stress test.
For these reasons, it’s important to understand what is going on and how to reach and maintain compliance before it’s too late.
From ‘Check the Box’ Compliance to Macro Risk Analysis
The most significant HDMA change is the method by which regulators and examiners are evaluating lenders. The entire mortgage life cycle—from initial marketing and approval/rejection to refinancing and mortgage servicing—is coming under greater scrutiny.
Examiners are looking at overall client management systems, examining policies and procedures, monitoring and training, internal audit, and management oversight. Discrepancies in any one area could lead to a comprehensive review of an institution’s overall mortgage and lending practices. On the other hand, a comfort level with macro procedures could provide leniency for an isolated violation.
HMDA rule changes will provide regulators further insight into potential fair lending disparities, potentially supporting cases for discriminatory violation. Beginning January 1, 2018, HMDA’s new requirements will add 25 additional data fields, including:
- Applicant and borrower age, credit score, debt-to-income, and combined debt-to-income ratios
- Loan process, including whether the application was submitted directly to the institution, whether the loan was, or would have been, initially payable to the institution, and the name of, and results from the automated underwriting system used
- Property securing the loan, including value and type
- Loan features, such as total loan costs or total points and fees, origination charges, discount points, lender credits, interest rate, prepayment penalty term, loan term, introductory rate period, and non-amortizing features, and
- Certain unique identifiers, such as property address, legal entity identifier for financial institutions, and mortgage originator NMLSR identifier.
HMDA Implementation Dates
Legal and Competitive Pressures
Putting loan records on a public website will enable attorneys, public advocacy groups, and competitors to review lender filings on a regular basis. What’s more, site visitors will be empowered to cross-compare filings and determine who’s naughty and who’s nice from a competitive standpoint. Such insight could inspire industry analysts to develop new lender ESG governance rankings.
The Dow Jones Sustainability Indices, for example, evaluate the sustainability of the largest 2,500 companies listed on the Dow Jones Global Total Stock Market Index. The indices are the longest-running global sustainability benchmarks worldwide and are widely used to inform institutional investor decisions.
Providing applicant and borrower ages and credit scores opens the door to privacy and cybersecurity issues. Any cyberattack against an individual financial institution or the CFPB website could enable hackers to obtain private HMDA information and trace it back to individuals. The Federal Housing Finance Agency (FHFA) and CFPB also are working jointly on a comprehensive National Mortgage Database, which will house loan-specific and possibly personally identifiable data.
Disclosure of publicly identifiable information by a cyberattack could trigger penalties under the Gramm-Leach-Bliley Act. It requires the Federal Trade Commission and other government agencies to oversee the Act’s financial privacy provisions.
Five Lending Warning Signs
Bank and non-bank lenders will need to capture and report massive amounts of new data to stay in compliance with changing HMDA rules. To prepare, lenders should think though the warning signs indicating potential fair lending weaknesses.
- Data collection. Inaccurate data collection could incur financial penalties and enforcement actions. Having accurate data won’t be a safe harbor if discrimination is found.
- Data capture. Some core vendors will find it difficult to capture the new data. Their systems will need to be totally revamped.
- Hiring and training. Are there ongoing violations in certain branches or regions of the country? If so, it may indicate a problem with hiring and training.
- Lending practices. Are there disparities in your acceptance/rejection of loan applicants and the rates offered, beyond credit scores? Are certain neighborhoods excluded from direct mail offers?
- Marketing. Is your marketing compliant? Do loan offers include local minorities and non-English speakers?
Six Steps to Meeting New HMDA Requirements
- Conduct an HMDA gap analysis or risk assessment. Analyze the current HMDA compliance program, taking a fresh look at policies and procedures, training, and audit practices to determine whether systems are currently in compliance.
- Ask vendors about their plans to meet new HMDA requirements. Will they implement the rules in a timely fashion or give new meaning to the phrase “stress tests”?
- Formulate a plan to close gaps based on analysis. Should more people be included in training? Is the training curriculum robust enough? Is anything lacking?
- Conduct HMDA data reviews. Every lender should check data accuracy by performing analyses and validating data accuracy.
- Conduct ongoing monitoring. The compliance system should be checked periodically to see whether it works as intended. If not, lenders will need to find the root cause of error. Was it a system glitch? Training?
- Establish regular internal and external audits. Internal and external audits often uncover errors not found by internal monitoring. They also look at things through an examiner–rather than employee–perspective
Mortgage Lending: A Key Priority for CFPB
Mortgage lending continues to be a priority for the CFPB’s Office of Fair Lending, both in supervision and enforcement. It’s focused on HMDA data integrity and potential fair lending violations in redlining, underwriting, and payments.
Examiners generally conduct two levels of analysis: a baseline and regression analysis. If anomalies are found in the baseline, they conduct a regression analysis well before visiting a lender. HMDA rule changes will provide them with every characteristic used to underwrite and price a loan. From there, they’ll be able to drill down further to weed out or find further disparities. By the time examiners show up at the door and ask for files, they already have formed an opinion and simply are looking for confirmation.
If they can prove discrimination, the next steps include a consent order, enforcement actions, and potential Department of Justice referral. Fines, penalties, and settlements then become part of the public record, thereby creating additional reputational, legal, and financial risk. In 2015, fair lending supervisory and public enforcement actions against financial institutions generated nearly $110 million in remediation and other monetary payments.
Developing a Sustainable HMDA Strategy
Larger institutions generally have robust fair-lending systems, which sometimes can lead to complacency and inadvertent violations. These banks should stay vigilant, continually testing their data to see if examiners will see the same blue skies as the compliance team.
Smaller banks and non-traditional mortgage lenders are most at risk for HMDA violations, because they lack the expertise, systems, and staff to get up to speed quickly and conduct ongoing monitoring. When examiners find violations, these institutions find themselves blindsided and lacking a response to media or regulator inquiries.
One solution is to outsource HMDA compliance to a vendor capable of providing either a comprehensive service, or various service components depending on needs, budget, and timing. Industry leading vendors typically write policies and procedures, provide training, perform parts of the audit function, and provide monitoring. For some, it represents an alternative way to get the help and people needed, without adding to headcount or running the risk of missing compliance deadlines.
Action Steps for the Board of Directors
HMDA’s new rules pose substantial enterprise risk, requiring ongoing board attention to ensure the organization has the tools, resources, and commitment to reduce fair-lending risks and meet HMDA deadlines. Senior management should be regularly queried regarding whether the organization has an appropriate compliance system and staff in place, both to implement HMDA requirements and internally test data fields well before examiner inspections. Boards should also consider regular internal and external audits of company fair lending data and procedures, potentially relying on outside providers to comply with the law and limit compliance costs.
Paula Witt is practice management director at FIS RISC Solutions and has 20 years of banking experience, with expertise in regulatory compliance, internal audit, and operations experience.