New Technology for Reaching and Taking Applications from Consumers? Take Note of These Federal Advertising and Application Requirements

I.  Building a New Website for Borrowers?  Launching a Mobile App? 

If your company is creating new technology, mobile apps, or tinkering with its existing websites and advertising, it may be asking some important questions, such as:

 ·        How can we improve the consumer experience?

·        How can we speed up the application process?

And those are great questions.  But there are some other important questions your company should also be asking to prevent legal risks, such as:

 ·        Does the information we are collecting trigger requirements under federal laws, such as TRID, HMDA, or ECOA?  And, if so, at what points in time?

·        How do we balance a simple borrower experience (for example, minimizing the clicks and verbiage) with required federal disclosures or consumer consent?

Read on to learn why.


In January 2019 the Consumer Financial Protection Bureau (“Bureau”) published its 271-page report assessing its Ability to Repay-Qualified Mortgage rule.  This Bureau must conduct this assessment under section 1022(d) of the Dodd-Frank Act, which mandates that the agency publish a report of its assessment within five years of the effective date of the rule.   You can find the report, which is entitled the “Ability-to-Repay and Qualified Mortgage Rule Assessment Report” (the “Report”), here.  We previously wrote about here.   This report finds that the market has not adopted “non-QM” lending to the extent it expected.  We believe that because of the planned sunset of a temporary safe harbor in the rule for loans approved for sale to the GSEs, the industry may need to begin looking at how to safely conduct non-QM lending. 



Recall that in July 2010, the Dodd-Frank Act amended to the federal Truth in Lending Act (“TILA”) to require lenders to make a good faith determination that borrowers have the ability to repay the loan before a loan is made, create a safe harbor for “qualified mortgages,” and require the Bureau to issue rules implementing this requirement. In response, on January 30, 2013 the Bureau published the Final Rule implementing the Ability to Repay requirements in the Federal Register (“ATR Rule”), which became effective almost one year later on January 10, 2014.

The stated purpose of the Dodd-Frank Act’s ability-to-repay requirement was to ensure “consumers are offered and receive residential mortgage loans on terms that reasonably reflect their ability to repay the loans, the loans are understandable and not unfair, deceptive or abusive.”  But Congress also stated an interest in ensuring that and consumers still had access to “responsible, affordable” credit.

To that end, the ATR Rule required mortgage lenders to ensure that all borrowers had the ability to repay their loans by considering eight specific elements:

1.      The borrower’s current or reasonably expected income or assets, other than the value of the dwelling;

2.      The borrower’s employment status;

3.      The monthly payment on the loan;

4.      The monthly payment on any simultaneous loan(s) that the creditor knows or has reason to know will be made;

5.      The monthly payment for mortgage-related obligations;

6.      The borrowers’ current debt obligations, alimony, and child support;

7.      The overall monthly debt-to-income ratio or residual income; and

8.      The borrower’s credit history.


The ATR Rule established the Qualified Mortgage loan which, by application of the ATR Rule, results in three classes of mortgage loans: The Safe Harbor Qualified Mortgage loan (“Safe Harbor Loan”), the Rebuttable Presumption Qualified Mortgage Loan (“Rebuttable Presumption Loan”)(collectively, these two are “QM Loans”), and the Non-Qualified Mortgage Loan (“Non-QM Loans”).

Safe Harbor Qualified Mortgage: Generally, a Safe Harbor Loan  is one in which the borrower has limited-to-no opportunity to  challenge the lender’s determination that the borrower had the ability to repay the loan at time of origination, provided the lender determined the borrower’s the Debt-to-Income Ratio (“DTI”) did not exceed 43% as calculated by Appendix Q to Regulation Z, and the points and fees do not exceed 3% of the total loan amount.  Here, the lender is afforded strongprotection from a claim by a borrower that the lender failed to establish the borrower’s ability to repay at the time of the loan was made.

Importantly, in the ATR Rule, the Bureau deemed any loan underwritten pursuant to Fannie Mae or Freddie Mac’s guidelines as a Safe Harbor Loan, even if the DTI exceeded 43% or the points and fees exceeded 3% of the total loan amount. This temporary QM exemption, commonly referred to as the “GSE patch”, expires by operation of rule on January 10, 2021, or whenever the GSEs come out of conservatorship, whichever comes first. Additionally, the Federal Housing Authority, the Veterans Administration, the United States Department of Agriculture and the Rural Housing Service all issued regulations pursuant to their respective regulatory authority to deem any loans insured by any of those agencies as a Safe Harbor QM Loan.

Rebuttable Presumption Qualified Mortgage: Generally, a Rebuttable Presumption Loan  is a QM loan that is “higher priced.”  For these loans, the lender is presumed to have complied with the ATR Rule, but the borrower is permitted to challenge or “rebut” that presumption by showing, for example, he lender’s underwriting practices were unsafe or unsound. The loans falling into this category are those in which the DTI did not exceed 43%, the points and fees did not exceed 3% of the total loan amount, and the loan is a Higher Priced Mortgage Loan as defined in Regulation Z (i.e., where the APR is greater than the Freddie Mac Average Prime Offer Rate plus 1.5% for first mortgages and 3.5% for second mortgages). Here, a borrower must first meet a certain legal burden of proof before the lender could be exposed to liability in such a lawsuit for failing to comply with the ATR Rule.  

Non-Qualified Mortgage:  A loan that is defined as neither a Safe Harbor Loan or a Rebuttable Presumption Loan is generally defined as a Non-QM loan. This is a loan where the lender is not afforded any legal protections regarding the quality of their underwriting and their assessment of the borrower’s ability to repay the loan. This applies to loans that did not meet the QM standard because the DTI ratio exceeded 43%, or the requirements in Appendix Q were not used to determine ability to repay, the loan contained certain attributes that disqualify it from being a QM loan, or points and fees exceeded 3% of the total loan amount. Here, the borrower need only allege – without proof - that the lender maintained unsafe and unsound underwriting practices triggering an ATR Rule violation, shifting the legal burden to the lender to prove otherwise.

The Report

Currently, there exists no single data set for the Bureau to assess the impact of the ATR Rule. To achieve its objective, the Bureau turned to different industry sources to generate the Report, including FHFA’s National Mortgage Database, Black Knight’s “McDash” data set, CoreLogic’s Loan-Level Market Analytics data, Home Mortgage Disclosure Act data, Desktop Underwriter and Loan Prospector Automated Underwriting data, the Mortgage Bankers Association’s Annual Mortgage Bankers Performance Reports, the Conference of State Bank Supervisors Public Survey data, Application data from nine unnamed lenders who provided information to the Bureau specifically for this assessment, the responses of 190 lenders who responded  to a lender survey the Bureau commissioned for this assessment, and other industry data and reports.

Armed with this data, the Bureau was able to draw conclusions about multiple facets of the ATR Rule in the Report, including the effects it had on loan performance, the impact the GSE Patch had on the intended effects of the ATR Rule, and how Non-QM loans fared during this period.

As it relates to the last – Non-QM loans – the Bureau reported that it had expected a greater presence of Non-QM loans since the ATR Rule went into effect. Between the GSE Patch and legal uncertainty associated with Non-QM loan, the Bureau postulates that this could have chilled the enthusiasm for lenders to make Non-QM loans. Based on the following statements in the Report, we gain a sense of the Bureau’s impressions of Non-QM.

·        In 2005-2007, approximately 24 to 25 percent of loans originated had DTIs exceeding 45%. After the ATR Rule came into effect, only 5 to 8 percent of conventional loans for home purchase had DTIs exceeding 45%. (Pages 9 and 82).

·        The ATR Rule displaced between 63 and 70 percent of approved applications for home purchase among Non-QM high-DTI borrowers during the period of 2014 – 2016. According to the data sources, this translates into a reduction of between 1.5 and 2.0 percent of all loans for home purchase. (Pages 10 and 117).

·        At the time the ATR Rule went into effect the Bureau expected that there would be a “robust and sizable market” for non-QM loans beyond the 43 percent threshold and structured the ATR Rule to try to ensure that this market would develop. The Bureau appears surprised this did not happen. (Page 26).

·        The extra risk associated with Non-QM loans is one of the factors that has had a chilling effect on the mass adoption of Non-QM loans; and thus, is affecting access to credit to some degree. (Pages 116 and 118).

·        The ATR Rule had at least some chilling effect on the submissions or approvals of Non-QM loans, though the Bureau was not sure if the result was an intended or unintended consequence. (Page 149).

·        The Bureau estimates that non-QM loans primarily consists of loans that are not eligible for purchase by GSEs, with DTI ratios exceeding 43 percent. Borrowers may include those with irregular income, certain self-employed borrowers, and those with little or no credit history. (Page 116)

·        Forty percent of loan applications for self-employed borrowers experienced issues in complying  with Appendix Q for income qualification (Table 22, Page 155).

·        Lack of broader adoption of Non-QM by the industry may occur because of the higher inherent risk associated with self-employed borrowers and the difficulties in complying with the income documentation requirements in Appendix Q. (Page 154).

·        [S]elf-employed borrowers who do not qualify for a loan that is eligible for purchase or guarantee by one of the GSEs or federal agencies need to qualify under the general QM standard in order to obtain a QM loan. Lenders who responded to the Bureau’s survey in preparation of the Report indicated that lenders may find it difficult to comply with Appendix Q relating to the documentation and calculation of income and debt for self-employed borrowers. (Page 11)

·        Non-QM loans are now making the way to market in greater numbers than the initial years following the effective date of the Final ATR Rule, largely targeting self-employed borrowers. (Page 197).

·        The application data show a far greater decline in high-DTI lending in the non-GSE space compared to loans purchased or guaranteed by the GSEs.. Although the Bureau expected that loans with DTI above the 43 percent threshold would increasingly be originated outside the GSE Patch(i.e., as non-QM loans), the available data suggests that the opposite is happening. (Page 191)

·        One of the reasons lenders tended to flock to Fannie and Freddie is because the underwriting guidelines are far more established than those set forth in Appendix Q, which has some perceived lack of clarity. The Bureau discovered that lenders found the information contained in Appendix Q confusing and unworkable, and is ambiguous and leads to uncertainty. (Page 192).

·        Approximately 29 percent of loans sold to Fannie Mae and 21 percent of loans sold to Freddie Mac have DTIs over 43%. (Page 195). This is greater than the Bureau had anticipated when the ATR Rule went into effect.


What This Means

The following conclusions could be drawn from this:

·        Even though Non-QM loans, particularly those made to self-employed borrowers, perform well, lenders still have limited Non-QM loan offerings.

·        Lenders seemed to favor making  Safe Harbor loans, especially those intended to be sold to the GSEs where the DTI can exceed 43%.

·        By applying the requirements of Appendix Q, self-employed borrowers have greater challenges in securing a loan approval from a lender than, for example, borrowers who evidence income via a W2. Safe Harbor Loan

·        Fannie and Freddie appear to adjust to market conditions, by adjusting their guidelines to market demands, whereas the Bureau’s Appendix Q does not offer such adjustments and has room for improvement

·        There is no evidence in the Report suggesting that the additional controls and legal impacts of the Non-QM provisions reasonably mitigates the risk to the consumer.

This means there is still opportunity to improve the ATR Rule with more clarity and adjustments to the legal impact of some of its provision, while still achieving its primary objective of ensuring consumers are offered loans that reasonably reflect their ability to repay.  Trade associations, including both the Mortgage Bankers Association and the American Bankers Association, and other stakeholders have expressed interest in working with the Bureau to discuss possible amendments to the ATR Rule.  Among other things, we expect these efforts will include discussions concerning some adjustments to Appendix Q, the GSE Patch, and the perceived risk associated with Non-QM loans.


Of primary concern for the industry should be the potential expiration of the GSE patch.  As it is evident that, because of the availability of the GSE patch, lenders have been avoiding the Non-QM space for high-DTI borrowers (and perhaps for other loan types as well) , the upcoming expiration in 2021 would have a great impact of lenders’ compliance programs and risk profiles.  The CFPB may extend the patch, or revise the ATR rule to address this issue, but the CFPB could also let the patch expire taking no further action.  It may be prudent for lenders to start considering how to safely take part in the non-QM market. 


Please contact us if you would like any assistance with your organization’s non-QM program or other issues under the ATR rule.

Consumer Financial Protection Bureau Issues ANPR for PACE Financing

In May 2018, the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155) amended the Truth in Lending Act to require the Consumer Financial Protection Bureau (CFPB) to prescribe ability to repay related regulations, and associated penalties for violations, with respect to “Property Assessed Clean Energy” (PACE) financing.  The regulations are required to account for the unique nature of such financing.  The CFPB, on March 5, 2019, issued an Advance Notice of Proposed Rulemaking for this rulemaking.  The deadline for comments is 60 days from publication in the Federal Register.

The statute defined “Property Assessed Clean Energy financing” relatively broadly as financing to cover the costs of home improvements that result in a tax assessment on the real property of the consumer.  The 2018 provisions authorized the CFPB to collect information and data deemed necessary, and required consultation with state and local governments and bond-issuing authorities. 

In its ANPR, the CFPB requested information regarding the following:

·       written materials associated with PACE financing transactions;

·       descriptions of current standards and practices in the PACE financing origination process;

·       information relating to civil liability under TILA for violations of the ATR requirements in connection with PACE financing, as well as rescission and borrower delinquency and default;

·       information about what features of PACE financing make it unique and how the Bureau should address those unique features; and

·       views concerning the potential implications of regulating PACE financing under TILA.

In issuing the request, CFPB Director Kathleen Kraninger indicated in the Press Release that the agency will use the information to develop a later Notice of Proposed Rulemaking, and that the:

information solicited will enable the Bureau to better understand the market and unique nature of PACE financing . . . [and] help the Bureau formulate proposed regulations that not only would achieve statutory objectives but also would reflect a careful consideration of costs and benefits. 

The statutory text can be found here:

A copy of the CFPB’s ANPR can be found here:

The related press release can be found here:

Please let us know if you would like assistance with drafting a comment letter, or would like to discuss any issues related to PACE financing.    

Does Your Organization Need to Comply with the California Consumer Privacy Act of 2018?

·        The California Consumer Privacy Act of 2018 is a comprehensive new law that stands to become the most significant and far-reaching data privacy law in the nation.

·        Most businesses, including businesses located in other states, that have or use personal information of California residents must comply with substantial new requirements or face potential civil liability from Attorney General enforcement and aggrieved California residents.

·        Companies, including mortgage originators, servicers and some vendors, doing business in California may need to update their policies, procedures, training and audit functions to comply.


The California Consumer Privacy Act (“CCPA”), (AB-375 (2018), as amended by SB-1121 (2018) (codified at Cal. Civ. Code § 1798.100 et. seq.) is a groundbreaking new law to protect California residents from the potential misuse of personal information.

The CCPA, signed by Governor Jerry Brown on June 28, 2018, becomes effective on January 1, 2020 and gives California residents new rights with respect to the collection of their personal information. Under the CCPA, a consumer can require businesses to disclose what information they collect about the consumer, where they collected the information from, and with whom they have shared the information. California residents may also require businesses to delete their personal information and can opt-out of the sale of their personal information to third parties. To prevent retaliation, businesses are prohibited from discriminating against California residents for exercising their rights under the CCPA. The CCPA provides for a private right of action with attention-grabbing statutory damages for each violation, as well as for enforcement by the state’s Attorney General.

The CCPA, as enacted and subsequently amended, represents a compromise between a grass-roots coalition consisting of privacy advocates that gained influence in the wake of several high-profile incidents (such as the Facebook scandal) and competing business interests that pushed for more business-friendly provisions. This far reaching legislation has much in common with the European Union’s General Data Protection Regulation (“GDPR”) that went into effect in 2018, and could serve as bellwether for other states to follow in the years to come.

Key CCPA Exemptions

It should be noted that not all businesses will be subject to the CCPA. Many, including small businesses, non-profits, consumer reporting agencies subject to the Fair Credit Reporting Act, and health care providers regulated by the Health Insurance Portability and Accountability Act, will be partially or completely exempt from the requirements of the CCPA.

Significantly, amendments to the CCPA clarified, among other things, that certain provisions of the CCPA do not apply to information that is already protected under the Graham-Leach-Bliley Act (GLBA). These exclusions-and the provisions of the CCPA they do not apply to-are very important for the financial services industry to understand. Below we discuss the scope of the law in more detail.

Delayed Enforcement and Other Limitations

The aforementioned amendments also delayed enforcement of the CCPA by the state’s Attorney General to the earlier of six months after publication of the final implementing regulations or July 1, 2020, and limited the private right of action to situations in which data breaches involved unredacted or unencrypted personal information and the breach was caused by a failure to maintain reasonable security measures.

Implementing Regulations

The California Attorney General is not required to publish final rules until July 1, 2020. The Office of the AG has begun holding public forums in January and February, 2019 as part of the CCPA rulemaking process (see: For those of you who are based in California and potentially subject to the CCPA, I would urge you to attend and be proactive on this important new law.

Scope of the CCPA

The CCPA applies to covered “businesses”, which includes any business that collects personal information from California residents and: (1) has gross revenues exceeding $25 million annually; (2) buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derives 50% or more of its annual revenues from selling personal information. It also includes entities that are controlled by or control such businesses if they share common branding.

“Personal Information” includes a person’s name, Social Security number, driver’s license number, account numbers, medical and health insurance information, browsing or search history data, biometric data and geolocation data. The definition also includes any algorithmic or other “inferences” about a consumer that are based upon the personal information. Note that information that is lawfully made available to the general public from federal, state, or local government records falls outside of this otherwise broad definition.

Significantly, the CCPA excludes “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act”, which could mean that entities subject to the GLBA will not need to comply with the CCPA for much of the consumer information they collect. But note that the CCPA states that the exemption does not apply to a new private right of action for data breaches of “nonencrypted or nonredacted personal information” that result from an entity’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information”.

It would be prudent to analyze the extent to which this exemption applies to your organization, considering that your organization may engage in activity that is not subject to the GLBA.

New Powers for California Residents

As previously mentioned, California residents will gain broad new powers that are designed to safeguard their personal information under the CCPA. Examples of the new powers include the rights to:

·        Request that a business disclose the categories and specific pieces of personal information the business has collected, and the purposes for which it shall be used;

·        Request disclosure of certain information;

·        Have personal information deleted;

·        Prohibit a third party from selling personal information that has been sold to it unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out; and

·        Direct a business that sells personal information about the consumer to third parties not to sell that information.

In addition, minors must consent to the sale of their personal information before a business can sell it.

Anti-Discrimination Requirement

Covered businesses will be saddled with numerous requirements, including providing certain disclosures in their online privacy policy. A provision of note is the CCPA’s anti-discrimination requirement - businesses may not discriminate against a consumer because the consumer exercised their rights under the bill. Examples include denying goods or services, charging different prices (including through the use of discounts unless the difference is reasonably related to the value provided to the consumer), or providing a different level or quality of services. However, businesses may offer financial incentives and a different price, rate, level, or quality of goods or services to the consumer if it is directly related to the value provided to the consumer by the consumer’s data, and so long as the business does not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

Civil Actions and Attorney General Enforcement

The CCPA grants California residents the right to sue for violations and bestows prosecutorial powers in the state’s Attorney General. A consumer whose nonencrypted or nonredacted personal information is hacked as a result of a violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action to recover damages of $100 to $750 per occurrence or actual damages, whichever is greater. As noted above, this private right of action may apply to businesses that are subject to the GLBA exemption. The Attorney General may also seek civil penalties against violators.

Protections Afforded to Covered Businesses

Fortunately, the CCPA does provide limited carve-outs for what might be described as good-faith efforts to comply. The CCPA allows covered businesses to cure any alleged violation within 30 days if it has implemented and maintained reasonable security procedures and practices. Also note that it is possible that a failure to have such security protocols, standing alone, could give rise to violations.

Pay Attention to the CCPA

Although the CCPA provides an exemption for information subject to the GLBA, banks, mortgage lenders, mortgage brokers, mortgage servicers, and other businesses operating in the financial services industry that deal with California residents should take note of the CCPA and analyze whether any of their activities would be subject to it, including performing a comprehensive data assessment. They should compile an inventory of information that may be subject to the new law, and update their internal policies and procedures, training and audit functions to ensure compliance with any duties that are deemed not exempt. Although it is not required under the CCPA, businesses may consider creating a GDPR-like “data protection officer” position to help ensure that the mandates of the law are carried out.

Please contact us if you would like assistance with understanding or implementing your obligations under the CCPA.