I. Building a New Website for Borrowers? Launching a Mobile App?
If your company is creating new technology, mobile apps, or tinkering with its existing websites and advertising, it may be asking some important questions, such as:
· How can we improve the consumer experience?
· How can we speed up the application process?
And those are great questions. But there are some other important questions your company should also be asking to prevent legal risks, such as:
· Does the information we are collecting trigger requirements under federal laws, such as TRID, HMDA, or ECOA? And, if so, at what points in time?
· How do we balance a simple borrower experience (for example, minimizing the clicks and verbiage) with required federal disclosures or consumer consent?
II. Federal Requirements Apply to Your New Technology and Websites
How lenders collect borrower information is changing, but the federal rules around the process aren’t. We are seeing many new companies enter the mortgage market or the market for other consumer financial products and services, like Fintech start-ups and new joint ventures. For these new entrants, understanding these complex requirements before setting up websites and mobile apps will be an important step in mitigating legal risk and ensuring success. And for existing companies, reviewing existing operations to make sure appropriate procedures and controls are in place is often a good idea.
So, we decided to post a brief overview of the major federal requirements that apply to soliciting and receiving loan applications. This overview is focused on mortgage loan applications, but can be useful for applications for other types of loans. Most of these laws are implemented by the Consumer Financial Protection Bureau (“CFPB”), but they may be enforced by other federal and state regulatory agencies that supervise your company.
This is intended to be a very general overview of the major requirements. There may be other laws or specific requirements that apply. If you have questions or want more detail, please contact us.
III. The Major Federal Requirements Applicable to Mortgage Advertising and Taking Mortgage Applications
1. TRID. One of the major requirements is the TILA-RESPA integrated disclosure rule, or the “TRID” rule. This rule combines the mortgage disclosures that are required under the Truth in Lending Act (“TILA”) and the Real Estate Settlement Procedures Act (“RESPA”) into a Loan Estimate (“LE”) provided at application and a Closing Disclosure (“CD”) provided in connection with the closing.
Application. The TRID rule requires a lender or mortgage broker to provide an LE within three business days after receipt of a consumer’s application. The rule also restricts how much the closing costs can increase from this initial LE, which restrictions are often called the “tolerance” requirements. Significantly, the definition of “application” for the TRID rule is different from many other rules, and may be triggered much earlier in the process than the receipt of the consumer’s full application. Under TRID, an “application” includes only six items:
1. The consumer’s name,
2. The consumer’s income,
3. The consumer’s social security number to obtain a credit report,
4. The property address,
5. An estimate of the value of the property, and
6. The mortgage loan amount sought.
Limits on Verification Requirements and Collecting Fees. The TRID rule also prohibits certain activity before receiving an application. The rule prohibits imposing fees, except a bona fide and reasonable credit report fee, before the consumer has received the LE and indicated to the lender an “intent to proceed” with the transaction (which is typically in the form of a document signed by the consumer). The rule also prohibits lenders from requiring consumers to submit documents verifying information related to their applications before providing an LE. In addition, if a lender provides a consumer with a written estimate of loan terms or costs that is specific to that consumer, it must put a specific disclaimer on the top of the estimate.
Questions. Some of the questions your company should ask regarding its compliance with TRID are:
· Are we taking applications online? If so, what information do we require consumers to submit before displaying an LE?
· Do we retain consumer information? If so, when does that information become an “application” under TRID if the consumer communicates with us?
· Are we using the required disclaimer?
2. TILA Advertising Requirements and MAP Rule Restrictions. Under TILA, there are also requirements that apply to advertisements for mortgage loans, as well as other types of consumer loans.
Trigger Terms. Generally, if an advertisement states an interest rate, the APR must be stated as or more conspicuously than the interest rate. In addition, an advertisement must contain certain additional information if it contains any of the following “trigger” terms:
· The amount or percentage of any downpayment;
· The number of payments or period of repayment;
· The amount of any payment; or
· The amount of any finance charge.
Adjustable Rates and Payments. In addition, TILA imposes requirements on advertisements of adjustable rate mortgage loans and mortgage loans with payments that will change. For example, if an advertisement states an interest rate, and more than one interest rate will apply during the loan term, the advertisement must contain each rate and the period it will apply, along with the APR. There is a similar requirement for the advertisement of payments that will change during the loan term. Under TILA there are also restrictions on using certain words like “fixed,” and representing there are any government endorsements.
MAP Rule and UDAAP. There are further restrictions on representations by lenders under the Mortgage Acts and Practices (“MAP”) rule. For example, the MAP rule prohibits misrepresentations about the potential for default, or the effectiveness of the loan in helping the consumer resolve debt problems. There are also restrictions on misrepresentations regarding ARMs, such as when using the word “fixed.” You may also have heard of the general prohibition under the Dodd-Frank Act against unfair, deceptive, or abusive acts or practices (“UDAAP”). There are also similar prohibitions under other federal and state law, which we generally refer to as UDAAP as well. UDAAP does not have precise, technical definitions for what constitutes unfair, deceptive, or abusive, and thus, UDAAP compliance requires a very nuanced review to prevent running afoul of the prohibition.
Questions. Some of the questions your company should ask regarding its advertisements and marketing materials are:
· Which online and/or mobile content is subject to these requirements?
· What kinds of reviews should we conduct to ensure compliance with the MAP rule and UDAAP?
3. RESPA Section 8 and Referrals. Many new entrants to the mortgage and real estate markets do not realize that RESPA greatly restricts the ability to enter into referral arrangements with other players in the market, which may be commonplace in other industries. And many existing companies may misunderstand or not have focused on RESPA’s prohibitions and exemptions.
RESPA Section 8’s Prohibition Against Paying for Referrals. RESPA Section 8 generally prohibits payments in exchange for referrals of settlement service business. Specifically, RESPA Section 8 states in part that, “[n]o person shall give and no person shall accept any fee, kickback, or thing of value pursuant to any agreement or understanding, oral or otherwise, that business incident to or a part of a real estate settlement service involving a federally related mortgage loan shall be referred to any person.” It’s not the clearest provision, but its effects are broad and put up hurdles in front of many arrangements companies want to make. It essentially means it is illegal to give or receive a “thing of value” with the understanding that a referral of a settlement service will be made. Arrangements that may be common in other industries, such as co-marketing with other service providers or providing meals or other gifts to colleagues in the industry, have the potential to trip up under RESPA section 8.
A few things to note are that referrals are okay as long as they are not in exchange for a thing of value. But a “thing of value” is defined very broadly, and so many things may unexpectedly fall under this provision. Also, what is considered a “referral” is an issue, because longstanding interpretations say that purchasing “leads” is okay, but the line between a lead and a referral of a consumer can be a gray area, especially considering technological advancements. In addition, “settlement service” is defined broadly to include many activities in connection with the mortgage and real estate sides of a transaction.
RESPA Section 8 Exempts Payments for Services and ABAs. Finally, there are a couple of notable exemptions from this prohibition that companies may utilize. But there are very specific criteria companies must meet to satisfy them. The first is section 8(c)(2) of RESPA, which allows companies to pay other companies in the industry for services, even if there is an understanding that referrals will also be provided (this exemption was the subject of the PHH Corp. v. CFPB case recently decided by the D.C. Circuit). This exemption is typically used to support the legality of “marketing services agreements” (or “MSAs”), in which mortgage or title insurance companies pay other companies in the mortgage and real estate markets to advertise them to their consumers, and other similar arrangements. Specifically, this exemption provides that, “[n]othing in this section shall be construed as prohibiting…the payment to any person of a bona fide salary or compensation or other payment for goods or facilities actually furnished or for services actually performed.” Regulations and the D.C. Circuit interpret this to allow payments for services, even if referrals will be provided, as long as the services are actually provided and the payments do not exceed the reasonable market value of the services. Recent enforcement actions by regulators have also looked at other factors to determine whether the exemption is satisfied, essentially setting up other “hoops” for the industry to jump through when creating these agreements and putting them into practice. Companies should pay attention to this exemption and, if they utilize it, should ensure their written agreements and practices satisfy the exemption.
The second exemption is under section 8(c)(4) of RESPA, which allows referrals between affiliated businesses that satisfy certain criteria, referred to as “affiliated business arrangements” (“ABAs”). Specifically, section 8(c)(4) exempts ABAs that meet three conditions: (1) a disclosure of the affiliation is provided to the consumer at the time of referral; (2) the consumer is not required to use any particular provider; and (3) the only thing of value that is received from the arrangement is a return on the ownership interest. The CFPB’s regulations expand on these criteria and require a specific format for the disclosure. Significantly, the previous regulator that oversaw RESPA, the Department of Housing and Urban Development (“HUD”), issued a policy statement in 1996 in response to complaints it received regarding “sham” affiliates and joint ventures that were created to circumvent the RESPA prohibition on referral fees. Although case law has cast a dark shadow on the enforceability of it, the policy statement contains a number of factors that regulators may use to evaluate whether an ABA satisfies the exemption. Companies entering into joint ventures with other companies in the mortgage and real estate markets should pay close attention to this provision and consider how the regulators will evaluate their arrangement under the regulation and HUD’s policy statement.
Questions. Some of the questions your company should ask about its RESPA compliance are:
· Does the company have any arrangements with other players in the industry that might be a problem under RESPA section 8?
· Does the company have any affiliates with which it shares referrals? If so, has the company evaluated its compliance with RESPA section 8?
· Does the company conduct co-marketing with others in the industry? If so, has it evaluated this marketing for compliance with RESPA?
4. TILA ARM Program Disclosures. Under TILA, there is a requirement that if the consumer expresses interest in a loan program under which the APR may increase after closing (an adjustable rate mortgage, or “ARM”) and the loan will be secured by the consumer’s principal dwelling, certain disclosures must be provided to the consumer at the time an application form is provided or before the consumer pays a non-refundable fee, whichever is earlier. These disclosures include the booklet titled “Consumer Handbook on Adjustable Rate Mortgages” (sometimes referred to as the “CHARM” booklet) and a specific loan program disclosure for each variable-rate program in which the consumer expresses an interest, which must include specific information on the loan terms of the program.
Questions. Some of the questions your company should ask are:
· Does the company offer any ARMs, or provide services to lenders that do?
· If so, at which point in our process is this disclosure requirement triggered?
5. HMDA Data Reporting. The Home Mortgage Disclosure Act (“HMDA”) requires lenders to report certain information regarding each mortgage loan application and closed loan it originates or purchases to the Consumer Financial Protection Bureau (“CFPB”). The CFPB will compile this information, share it with other federal regulatory agencies, and also publish it for the public to review. The general purpose of the statute is to give the regulatory agencies and the public insight into the lending patterns of covered institutions, to assess whether they are making credit available in certain communities and for fair lending purposes.
Scope. The scope of the rule generally applies to loans secured by a dwelling, and generally requires depository and non-depository institutions to report:
· Closed-end transactions, if they originated in each of the two preceding calendar years at least 25 closed-end mortgage loans, and
· Open-end transactions, if they originated in each of the two preceding calendar years at least 500 open-end lines of credit (i.e., HELOCs) (note that this threshold was temporarily increased from 100 for data collected in 2018 and 2019, and it may be changed higher or lower for future years).
Applications under HMDA. HMDA requires reporting of applications for loans, as well as closed loans. For this reason, a very important question is: when is reporting of an application triggered under HMDA? As mentioned above, TRID’s definition of “application” is specific to TRID, and HMDA has its own definition of “application,” which is a request for a loan “made in accordance with procedures used by a financial institution for the type of credit requested.” Not exactly a bright line standard here. It is largely up to the lender to determine when it has received an “application” for HMDA purposes. Note that this definition expressly includes “preapproval programs” for certain closed-end home purchase loans.
Required Data is Extensive. Recent changes to the HMDA regulations require the collection and reporting of a great deal of information about applications and closed loans, some of which is very sensitive information about the consumer. For example, HMDA requires reporting of the consumer’s age, race and ethnicity, and sex. Notably, the recent changes expand the race and ethnicity information that must be collected and reported, creating many more subcategories, as well as free form fields for consumers to enter their own information. In addition, the required data includes information about the property, such as the property address and number of dwelling units, and underwriting information, such as the amount of origination charges, the debt-to-income ratio, and the combined-loan-to-value ratio.
Check Yourself. Having a system in place to collect and report this information accurately will be very important, because regulatory agencies can impose penalties for noncompliance. In addition, having a system in place to analyze a company’s data for fair lending purposes will also be very important, because this data will be scrutinized by the regulatory agencies and the public to identify fair lending concerns. It would be prudent to mitigate such legal risks by being proactive and identifying issues early by analyzing HMDA data internally.
Questions. Some of the questions your company should ask about its HMDA compliance are:
· Is our company subject to HMDA?
· If so, when is an “application” triggered for HMDA purposes?
· What should we be doing as a service provider to lenders that are subject to HMDA?
6. ECOA. On the topic of fair lending, the Equal Credit Opportunity Act (“ECOA”) is known primarily as a fair lending statute, but it also contains an important disclosure requirement and other restrictions worth noting.
Discrimination. ECOA prohibits discrimination in lending, including mortgage lending, on prohibited bases, which include race, color, religion, national origin, sex, marital status, and age. This includes making statements that discourage consumers, on a prohibited basis, from making or pursuing an application. The Fair Housing Act (“FHA”) also has a similar prohibition against discrimination in mortgage lending. Discrimination can take the form of overt actions, disparate treatment of applicants, or a lender’s neutral policies having a disparate impact on a prohibited basis. For example, “redlining” has been a priority of the CFPB and a hot topic in recent years, which is essentially discouraging applications from or refusing to lend in certain geographic locations, which could have an impact on a prohibited basis. In addition, as described above, because of the potential for a policy to have a disparate impact on a prohibited basis, it is important to analyze HMDA data internally to discern any such disparate impact.
Adverse Action. In addition, ECOA has an “adverse action notice” requirement that applies to mortgage loan applications. Under this requirement, when taking adverse action on an application, lenders are required to provide an “adverse action notice” within 30 days after receiving a completed application, or within 30 days of taking adverse action on an incomplete application (there is an alternative procedure for notifying consumers of incomplete applications and withdrawn applications). Note that the Fair Credit Reporting Act (“FCRA”) also has its own adverse action notice requirement, and the law allows lenders to use a combined disclosure to comply with both requirements. Also note that an “adverse action” is defined broadly to generally include a denial, a change in the terms of an existing credit arrangement, or a refusal to grant credit on the same terms requested. The definition of “application” for purposes of ECOA is defined similarly to HMDA, and includes certain preapproval programs, similar to HMDA. But ECOA’s definition also includes credit inquiries if they result in a denial of the consumer, though these inquiries would generally not be reportable under HMDA. It is important for a compliance program to accurately navigate such differences between the definitions of “application” under the applicable laws.
Information and Signature Restrictions. ECOA also restricts the types of information that can be asked about in the context of a mortgage loan application. For example, a lender can ask about a consumer’s marital status, but must use the terms married, unmarried, and separated. There are also requirements concerning asking information about, or requiring certain loan documents to be signed by a consumer’s non-applicant spouse. It is important to understand these limitations to ensure a compliant application process.
Questions. Some of the questions your company should ask are:
· When does our system take adverse action on a consumer?
· Do the company’s marketing and application procedures or other content pose fair lending risks?
7. FCRA. FCRA is a statute that places restrictions and requirements on the ability to obtain “consumer reports,” as well as the companies that sell them (called “consumer reporting agencies”) and the financial institutions that use and furnish information to them. FCRA also provides consumers with certain rights with respect to consumer reports. FCRA defines “consumer report” to include the credit reports that mortgage companies and other financial companies typically use to underwrite loan applications.
Obtaining a Consumer Report. Under FCRA, a “permissible purpose” is required to obtain a consumer report, including a credit report, and FCRA sets forth a list of specific valid reasons under the definition of “permissible purpose.” Pertinent to our discussion, FCRA defines “permissible purpose” to include when the person intends to use the consumer report “in connection with a credit transaction involving the consumer,” as well as the “written instructions of the consumer.” You may also have heard of “soft pulls,” which is a term used to refer to another “permissible purpose” that allows companies to obtain lists of consumers that meet certain criteria (referred to as “prescreened” lists of consumers), but such lists are only permissible if the company provides those consumers with a “firm offer of credit or insurance.” The “firm offers” sent to consumers must contain an “opt out” notice, allowing a consumer to opt out from having their names appear on “prescreened” lists.
Adverse Action. As noted above, FCRA also has an “adverse action” disclosure requirement. FCRA requires lenders that take an “adverse action…based in whole or in part on any information contained in a consumer report” to provide an adverse action notice that contains specific information, including the consumer’s credit score. FCRA’s definition of an “adverse action” is the same as under ECOA.
Risk-Based Pricing Notice. In addition to an “adverse action” requirement, FCRA has a “risk-based pricing notice” disclosure requirement that applies to consumer loans, including mortgage loans. This requirement is triggered when a lender uses a consumer report in connection with an application and based on the credit report offers credit on “material terms that are materially less favorable than the most favorable terms available to a substantial proportion of consumers from or through that person.” The disclosure must be provided before consummation, but not earlier than the time the decision to approve an application is communicated to the consumer. Sounds clear as mud, right? Well, there are certain methods under the rule for determining when this disclosure is triggered. There is also specific rule that says to satisfy the risk-based pricing notice requirement for residential mortgage loans, a lender can simply provide a specific disclosure that includes the consumer’s credit score, with other information, for each application.
Credit Score Disclosure. There is also a separate “credit score” disclosure requirement, which says lenders must provide a disclosure with the consumer’s credit score, if used in connection with an application for a consumer-purpose mortgage loan on 1 to 4 units of residential real property. The disclosure must be provided “as soon as reasonably practicable.” Mortgage lenders can provide one disclosure to satisfy this requirement and the specific risk-based pricing credit score disclosure for residential mortgage loans described above. Note that this requirement may also apply to credit inquiries, if the lender or mortgage broker uses the consumer’s credit score in the process.
Privacy Restrictions. FCRA also restricts the sharing of “eligibility information” about a consumer between affiliates (which is information that would otherwise be a “consumer report”) to market to that consumer, unless a privacy notice is provided to the consumer and the consumer is provided an opportunity to “opt out” of the marketing. This notice may be combined with the privacy notice required under the Gramm-Leach Bliley Act (“GLBA”), which is described directly below.
Questions. Some of the questions your company should ask about its FCRA compliance are:
· When does our software obtain a credit report or other consumer report under FCRA, and do we have a permissible purpose, such as consumer authorization, at that point?
· Do we share consumer report information with affiliates or other companies?
8. GLBA Privacy Restrictions. GLBA imposes restrictions on the sharing of nonpublic personal information by financial institutions. It is worth noting that there are many state privacy restrictions as well, and new state privacy laws are being created at a faster pace each year. For example, California enacted its California Consumer Privacy Act in 2018, which broadens the rights of that state’s consumers with respect to their personal information that is obtained by certain businesses and also imposes data security obligations. The interplay between the federal and state privacy laws is complex.
Scope of GLBA. GLBA applies to organizations that meet the definition of a “financial institution,” which is actually a lot broader than it sounds. For example, the definition includes banks, non-bank lenders, title insurance companies, and appraisers. GLBA restricts the sharing of “nonpublic personal information” (“NPI”) about a consumer to nonaffiliated third parties. NPI includes “personally identifiable financial information” (“PII”), which is any information:
· A consumer provides to a financial institution to obtain a financial product or service from that institution;
· About a consumer resulting from any transaction involving a financial product or service between a financial institution and a consumer; or
· A financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
Note that this generally includes the fact that an individual is or has been a customer of the financial institution or has obtained a financial product or service from that financial institution. GLBA also generally exempts publicly available information, but if it is combined with PII, it could become subject to the law’s restrictions.
Restrictions on Sharing NPI/Privacy Notice. GLBA allows sharing of NPI with nonaffiliated third parties only if the financial institution provides a “privacy notice” to the consumer and the consumer does not “opt out” of the sharing. There are certain statutory exceptions to this restriction, which include sharing “as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes,” “in connection with servicing or processing a financial product or service that a consumer requests or authorizes,” with the consent of the consumer, as well as other specific reasons. Note that recipients of NPI under these statutory exceptions are similarly limited in their ability to share the NPI received.
If a privacy notice and an opportunity to “opt out” are required to be provided, the rules require a financial institution to provide the initial privacy notice early in their interactions, including when the consumer provides any PII to a lender in an effort to obtain a loan, or before the institution shares the consumer’s NPI with a nonaffiliated party. And there is also an annual privacy notice requirement while the consumer has an ongoing relationship with the financial institution, though an exemption was recently added to the law that allows financial institutions to forgo the annual notice if they only share NPI about consumers under the statutory exceptions under GLBA.
Questions. Some of the questions your company should ask about its compliance with privacy laws are:
· Is our company required to provide an initial privacy notice?
· Do we share NPI with other companies?
· What other state privacy restrictions is the company subject to?
9. E-Sign Act. The Electronic Signatures in Global and National Commerce Act (“E-Sign Act”) generally enables the use of electronic signatures and records in transactions. The statute provides that electronic signatures and contracts may not be denied legal effect, validity, or enforceability solely because they are in electronic form. But it also has a disclosure and consumer consent requirement that you should know about.
Consumer Consent Required for Electronic Disclosures. The E-Sign Act allows documents that are legally required to be provided to a consumer in writing (e.g., federal disclosures) to be provided electronically, but only if the consumer has provided consent to the electronic delivery, and the consumer is provided a disclosure “prior to consenting” that contains certain specific information, such as the availability of paper disclosures and the software requirements to access the electronic documents. The consumer’s consent must be obtained in a manner that reasonably demonstrates that the consumer can access the electronic documents. The E-Sign Act also imposes certain requirements that relate to the ability to retain accurate versions of the electronic documents.
Compliance with the E-Sign Act is important when a company is providing electronic versions of required disclosures. Other laws often specify that compliance with the E-Sign Act is required, but many companies may miss these requirements or have noncompliant pre-consent disclosures. For example, the TRID rule states with respect to the requirements to provide the LE and CD that the disclosures may be provided to the consumer in electronic form, “subject to compliance with the consumer consent and other applicable provisions of the [E-Sign Act].” Importantly, the TRID rule also provides that if the lender did not fully comply with the E-Sign Act, it is considered to have not provided the disclosures at all. Also note that many states have their own laws that are applicable to electronic records and transactions. The E-Sign Act or these state laws may also affect when electronic documents are considered to be delivered to or received by the consumer, which can affect the timeliness of required disclosures.
Questions. Some of the questions your company should ask with respect to is electronic documents are:
· When does our company need to obtain E-Sign Act consent?
· Does our E-Sign Act disclosure contain the required information?
There is a lot of new technology out there in the consumer finance industry that is changing the way consumers interact with their lenders and other service providers. But the federal requirements that apply to marketing and taking loan applications have not changed to accommodate the efficiencies these new technologies can bring to a transaction. There are many federal requirements that may apply, which can put up roadblocks to a transaction for required disclosures or consumer consent, or restrict the way companies want to do business. It is important for companies to understand their compliance obligations before venturing into this heavily regulated area.
This is only a brief summary of the major federal requirements.There are other federal and state law requirements that may apply to your company’s operations.And there may be other important details that are not addressed in this overview.If you have questions, want more detail, or would like any assistance in ensuring compliance with these requirements, please contact us.