How to prepare for the upcoming CFPB rules

There’s no avoiding it: The new Consumer Finance Protection Bureau (CFPB) rules aren’t going to go away. For lenders, particularly those with large mortgage divisions, there are many factors that boards and executives should consider while preparing for January’s new laws.

Who’s exempt from the new rules

Smaller lenders, such as small banks and credit unions (under $2 million in assets and 500 or fewer first-lien mortgages), small creditors, community development lenders, and housing stabilization programs are exempt from some provisions of the CFPB’s Ability-to-Repay rule and face modified regulations in three areas:

  • For these smaller lenders, the rule generally extends Qualified Mortgage status to certain loans they hold in their own portfolios for at least three years even if the consumers’ debt-to-income ratio exceeds 43%.
  • The final rule provides a two-year transition period during which small lenders can make balloon loans under certain conditions, and those loans will meet the definition of Qualified Mortgages.
  • The final rule allows small creditors to charge a higher annual percentage rate for certain first-lien Qualified Mortgages while maintaining a safe harbor for the Ability-to-Repay requirements.

Some areas designated “rural” or “underserved” currently may be exempt from having to hold escrow on higher-priced mortgages, but the CFPB is studying Census data and this exemption may be modified or eliminated.

What your board should know

Board members should have a general understanding of the complicated new rules, and how they affect the bank’s lending practices, IT department, training, and relationships with third-party vendors. There are four key things that boards need to consider:

  • The bank’s product mix and how each product is affected by the new CFPB rules;
  • The bank’s Compliance Management System and the in-house or outsourced experts who administer it;
  • Documented policies and procedures that help the bank remain in compliance; and
  • Periodic audits, either internal or by a third party, to measure compliance.

For an institution with one person responsible for compliance, the new rules may mean adding compliance personnel or outsourcing critical compliance functions.

Avoiding penalties and liability

To date, CFPB fines have varied based on institution size and severity of the offense, but early indications are that the CFPB is levying substantial fines.

When Mortgage Master, Inc. and Washington Federal were accused of violating the Home Mortgage Disclosure Act (HMDA) by inaccurately collecting and reporting mortgage data, Mortgage Master was fined $425,000 and Washington Federal’s penalties totaled $34,000.

Depending upon the offense, penalties can go much higher. According to the Dodd–Frank Wall Street Reform and Consumer Protection Act, the CFPB can seek to impose civil penalties of up to:

  • $5,000 per day for the violation of a CFPB rule
  • $25,000 per day for the reckless violation of a federal consumer protection law
  • $1,000,000 per day for a knowing violation of a federal consumer financial law

In addition, the CFPB can require the bank to meet additional reporting and audit requirements.

One key note: Many of the CFPB’s audits and investigations are driven by complaints; there are few reporting requirements for demonstrating compliance.

What to do now (and what you can’t do now)

For most banks, one sticking point in implementing the new CFPB mortgage rules is technology. Because the proposed rules have changed several times, software vendors may not have final versions of the mortgage processing, tracking, and reporting software that implements the new requirements. Even larger institutions that develop, maintain, and update their software in-house are behind in development.

One critical area where banks can begin implementation now is developing training and monitoring to meet the new regulations. An effective training program needs to include these components:

  • Written policies and procedures
  • Training for employees at all levels
  • Ongoing monitoring/sampling of employees’ work for quality control
  • Identification of problem areas and non-compliant employees and processes
  • Retraining of employees and policy/procedure revisions when necessary
  • Auditing, either by an internal team or an outsourced expert, to ensure continued compliance

Working with third parties

Although the CFPB rules don’t explicitly hold the bank directly responsible for the actions of outsourced functions, such as processing, the overriding premise behind all of the regulations is that the bank “owns” everything. Banks must understand how vendors conduct business and must have some way to monitor compliance with CFPB rules, such as periodic audits or reports. If the third party can’t or won’t cooperate, banks should find another vendor.

Banks should also ensure that all vendors understand and follow the bank’s internal compliance policies, and allow the bank to conduct site visits, audits, or other compliance/quality-control activities.

The costs of compliance

Compliance with the new rules will increase lending costs without a commensurate increase in revenue. Profit margin, often already thin due to low interest rates, will become even thinner. For competitive reasons banks can’t significantly increase interest rates, which probably means banks will need to add or increase certain fees. For larger banks with higher mortgage loan volumes, economies of scale will make it possible to spread compliance costs among many loans. Smaller banks may find that the increased costs of compliance will make it difficult to maintain their current profitability on mortgage lending.

Preparing for January 10

First, executives and boards of directors must become familiar with the new rules. Second, they must determine the impacts to their organization and what the costs will be. All affected banks will need to consider the resources needed to handle the soon-to-be-required additional compliance. For many banks, it may make sense to outsource key compliance strategies to an outside firm with full-time compliance experts on staff.

Third, banks must decide whether to modify their current strategy, including whether to continue making mortgage loans once the new rules take effect. Institutions that dabble in mortgage lending may decide to eliminate mortgage products entirely.

Fortunately, the CFPB has indicated that it will initially be lenient on institutions that are making good-faith efforts to come into compliance with the new rules by January 2014. Since the initial rules were proposed almost a year ago, however, the CFPB will expect banks to have made substantial progress in meeting the new regulations when the deadline arrives.