By: Christianna Kersey and Richard Solomon- Cohn, Goldberg & Deutsch, LLC (DC and MD)

As Federal and Local Regulators continue to beef up policies within the mortgage industry, operational compliance is more important than ever. Due to the complex nature of the mortgage industry, we must always take into consideration the fact that our landscape is designed to protect consumers, and our compliance with local and federal law is of utmost importance to a successful business.  Minimizing liability, and litigation avoidance, are of paramount importance. Creating a compliance framework that is effective and realistic will ensure operations flow smoothly. This article will discuss the six pillars of compliance and why these philosophies should play a pivotal role in any mortgage default operation.

1. Understanding the Compliance Landscape

First, any successful operation must understand the current compliance landscape. Again, the mortgage industry operates within a very large network of intertwined ideas and organizations. Knowing the key players and how they impact the industry is imperative to compliant operations. There are Federal and Local Laws and Organizations that are at the helm of almost all of our daily operations. Knowing the relevant Organizations and Laws will foster an understanding of what the business requires. The creation of the Consumer Financial Protection Bureau (CFPB), and the recent Supreme Court decision upholding the constitutionality of its structure, show that strict government oversight of our industry is here to stay. To gather this information, you will need to recruit individuals for your compliance team that understand this framework and are eager to dig in and understand the nuts and bolts of the mortgage industry.  Familiarity with the Fair Debt Collection Practices Act (FDCPA), Real Estate Settlement Procedures Act (RESPA), Servicemembers Civil Relief Act (SCRA), US Bankruptcy Code, and a slew of other federal and local privacy acts and consumer protection statutes, are a necessary requirement to navigating the stormy waters of the mortgage default industry. The constant shifting compliance landscape requires eternal vigilance to prevent a misstep. For instance, the rewrite of the FDCPA with Regulation F, and implementation of the “Debt Collection Rule,” as well as the issuance of the “Model Validation Letter” for debt collectors, required a significant investment of time by practitioners and industry participants, in order to digest the new requirements and put sufficient practices into place to ensure compliance. Likewise, frequently, new case law is issued by the courts which alters prior practices, notwithstanding any change to the underlying law.  The recent case of Show Me State Premium Homes, LLC v. George McDonnell, No. 22-1894 (8th Cir. 2023), even though only technically binding legal authority in one federal judicial circuit, had far-reaching implications for the industry, as some of the major title insurance underwriters have applied the ruling nationwide.

2. Establish Clear Policies and Procedures

Secondly, once we have a team in place to help us understand the laws, rules, and regulations, who is creating them, and the intended public policy behind them, we then need to establish clear policies and procedures to ensure that we are compliant. To establish clear policies and procedures, we must be sure to include the following when drafting guidelines: the policy purpose and scope, outline of roles and responsibilities, primary principles of the policy, details of any procedures and guidelines that will help employees comply, and finally explain the consequences of violations, and the steps to ensure compliance. If the policies and procedures are concisely laid out, they will be easier to understand and follow. Having one person within the compliance team responsible for drafting and updating these policies is crucial. Although organizational compliance is a group effort, it is beneficial to have one writing style and method behind the policies and procedures. If there are too many individuals contributing, this can often lead to confusing piecemeal ideas, that do not have a synchronized flow, making it difficult for the reader to comprehend. 

3. Keep up to date with compliance training, reporting and monitoring.

Next, we need to be sure we keep up with training, reporting and monitoring. In the mortgage industry, many businesses are already required to keep track of training and policy and procedure updates. This is usually based off of work standards provided by clients. It is important to come up with a system that works for your operation. There should be a base standard for how often training and updating must occur, which should be at hire for new staff, and at least annually for all others, to be used for clients that do not provide a standard timeframe. Then, reporting and monitoring should be used to ensure the more restrictive client policies are being followed. An individual on the compliance team should be responsible for monitoring all of the policies and procedures to be sure they are reviewed and updated on a yearly, or more frequent, basis, for training purposes. This person would also be responsible for ensuring the more restrictive standards for training and updating are reviewed in a timely fashion. This may be tracked, in a report, within the organizations case management system or with some sort of third-party compliance tracking system. This compliance leader would also be responsible for setting up training sessions to fit within the necessary timeframes. They would also track, and document, employee completion of training.

4. Regular risk assessment and management

Once a method for training and tracking of policies and procedures is implemented, the leaders of the compliance team should come up with a robust risk assessment plan. This plan should contain the following steps to ensure effectiveness: First the plan should identify the risk in question and analyze the level of that stated risk. Identifying the level of risk will help with the next step of determining what actions might have to be taken to mitigate the risk. Obviously, the higher the risk, the more active the organization will need to be to mitigate. Any type of high-level risks should be brought to the highest level of management, within the organization and there should be a specific plan in place to handle. A determination may need to be made as to whether to escalate a matter to in-house counsel, and/or outside counsel. Keeping risk assessment procedures with your compliance leaders allows for everyone to be aware of what potential issues can arise within the business operation. Knowing is half the battle.

5. Regular reviews and audits

Now that we have developed policies and procedures based off of the current compliance environment and have reviewed and trained on these policies thoroughly, it is critical that we continually self-audit to be sure that policies and procedures are not missing any crucial steps. These self-audits can be completed by members of the compliance team, but it is sometimes beneficial to have these audits completed by managers and team leads, as these are the folks handling the day to day. It may, in some situations, be worthwhile, or necessary, to have an audit done by an outside party.  While not necessarily required, audits that meet various industry standards, such as SOC 1 (previously SAS70 or SSAE 16), SOC 2, or SOC 3, may be warranted. If there is a gap in the process, it would be beneficial for these individuals to see the issue, so they can understand how to fix it. They could then work with members of the compliance team to be sure their observations are taken into consideration, when updating the policies and procedures. Seeing the problem will also help managers train their staff on the changes that need to be implemented. Self-audits also greatly benefit the organization, as they can identify gaps and holes before there is an actual client audit. Catching the problem before a client does is one of the main reasons for having a robust compliance team.

6. Strong compliance-based community

Finally, fostering a compliance minded community, within the organization, will help tie everything we have discussed together. Having employees who are willing to “say something” if they “see something,” only makes the company stronger. The more eyes the better. Having managers and attorneys who are welcoming to individuals’ questions and concerns will help facilitate this type of community. Introducing engaging training sessions, where all employees are free to express concerns or worries may help point out issues for which the compliance team was unaware. This team environment not only builds a strong compliance web, it also builds relationships and morale within the organization. Having annual, or more frequent, tests of compliance protocols, “desktop” and otherwise, is highly recommended, in order to ensure that those protocols do not fail under real world conditions.

Working within the mortgage servicing industry has really been an eye-opening experience, as to how truly integral compliance management is to a successful organization. By adhering to the 6 pillars principles, you can be sure that you are covering your bases. Remember, the task of complying is not easy, nor is it generally “fun,” as a change in a policy or procedure usually means there was a problem to begin with. For this reason, we should all take a step back and thank our compliance heroes for keeping us on the up and up on a daily basis.