Module 1 Part C part 2
FCRA Overview
Congress enacted FCRA (15 U.S.C. §1681 et seq.) in 1970 to ensure the accuracy, fairness, and privacy of consumers' personal information that is assembled and used by consumer reporting agencies. In order to protect the rights of consumers, the law creates special obligations and restrictions for Consumer Reporting Agencies (CRAs), and for furnishers and users of consumers' personal information.
Covered Transactions
FCRA applies to any transaction that involves the use of credit reports, consumer investigatory reports, and employment background checks. The privacy requirements do not apply to disclosures of limited information to government agencies, to the FBI, and to counter-terrorism investigations (12 C.F.R. §1022.1).
Practices Prohibited by FACTA
If a consumer requests information about transactions, which were allegedly made with the unauthorized use of his/her identity, businesses (including mortgage brokers and mortgage lenders) cannot charge a fee for providing the information. Since the FACTA provisions are codified as part of FCRA, the penalty provisions of FCRA apply to violations of FACTA.
Dodd-Frank Act Overview
In July 2010, Congress enacted the Dodd-Frank Act in response to the collapse of the economy that began with the 2007 meltdown of the mortgage lending market. The law addresses a broad range of issues that relate to financial and investment activities, including mortgage lending and investing. The Dodd-Frank Act is divided into 16 titles. These titles address a range of financial issues including the improved regulation of banks, savings and loans, non-bank financial companies, hedge fund advisers, and swap dealers and participants. The titles in the law that directly impact mortgage lending and investing include: Title IX, or Investor Protections and Improvements to the Regulations of Securities, with provisions authorizing stricter regulation of investors and credit rating agencies Title X, or the Consumer Financial Protection Act of 2010, which authorizes the creation of the CFPB, provides for the transition of regulatory authority from other federal regulatory agencies to the CFPB, and outlines the Bureau's regulatory and enforcement responsibilities Title XIV, or the Mortgage Reform and Anti-Predatory Lending Act, with provisions that apply directly to mortgage originators, servicers, and appraisers These titles in the Dodd-Frank Act set the regulatory boundaries for the origination and securitization of mortgage loans. As a result of the authority extended to the CFPB under the Dodd-Frank Act, the CFPB is now the principal federal regulator for all depository and non-depository entities that offer home loans to consumers. Title XIV, the Mortgage Reform and Anti-Predatory Lending Act, is the section of the Dodd-Frank Act that poses the principal compliance concerns for loan originators who are not affiliated with depository institutions. Title XIV is divided into eight subtitles: Subtitle A addresses Residential Mortgage Loan Origination Standards and creates: A prohibition against incentives for loan originators to earn additional compensation by steering consumers towards particular loans or loans with particular lending terms, and Limitations on loan originator compensation Subtitle B addresses Minimum Standards for Mortgages, and directs the CFPB to adopt rules addressing: The establishment of standards for determining a borrower's ability to repay a home loan The creation of a rebuttable presumption of the ability of a consumer to repay a home loan if the loan meets the standards that are established for a "qualified mortgage" Subtitle C addresses High-Cost Mortgages and directs the CFPB to broaden the application of disclosure requirements and prohibited practices to a wider range of loans by: Extending the HOEPA provisions to purchase money mortgages and open-end home equity lines of credit Lowering the interest rate and points and fees thresholds for HOEPA loans Adding a prepayment penalty trigger, which provides that a loan is a high-cost home loan if it includes a prepayment penalty provision that is in force for more than 36 months after closing or if the loan allows prepayment penalties to exceed more than 2% of the amount prepaid Imposing homeownership counseling requirements Strengthening prohibited lending terms and practices Subtitle D authorizes the creation of an Office of Housing Counseling within HUD Subtitle E addresses Mortgage Servicing, and requires the CFPB to create new rules for loan servicers. The CFPB's servicing rules address the following matters that relate to loan servicing: Monthly mortgage statements Reminders to borrowers before interest rates reset Options for forced-place insurance Options for avoiding foreclosure Prompt crediting of payments Accurate recordkeeping Prompt correction of errors Delinquent borrower access to servicer personnel Evaluation of delinquent borrowers for foreclosure options Subtitle F addresses Appraisal Activities, and requires: Stricter appraisal standards for "higher risk mortgages" Stricter standards to ensure the independence of appraisers Subtitle G addresses Mortgage Resolution and Modification. With so many homeowners in trouble on their mortgages, the Home Affordable Modification Program (HAMP) was authorized under the 2008 Emergency Economic Stabilization Act. Since implementation of the HAMP program seemed unsuccessful, the Treasury Department and the Department of Housing and Urban Development tried to make it easier for consumers to obtain loan modifications by: Requiring mortgage servicers participating in the program to provide data to borrowers that is used in performing a net present value (NPV) analysis if their requests for loan modifications are denied Making a net present value calculator available on the Internet that homeowners can use to determine whether their mortgages would be accepted or rejected for modification Making reasonable efforts to provide a website that homeowners can use to apply for mortgage modifications The HAMP program ended on December 31, 2016. Subtitle H addresses Miscellaneous Provisions, which include, but are not limited to: Acknowledgment of the need to reform Fannie Mae and Freddie Mac A directive for an inter-agency study on foreclosure rescue and loan modification scams As a result of regulatory changes dictated by the Dodd-Frank Act, the CFPB's agenda for its first three years was focused on rulemaking. The Dodd-Frank Act ordered the CFPB to develop and implement the following rules: Ability-to-Repay/Qualified Mortgage Rule: Ability-to-Repay and Qualified Mortgage Standards under the Truth-in-Lending Act (Regulation Z) 2013 HOEPA Rule: High-Cost Mortgage and Homeownership Counseling Amendments to the Truth-in-Lending Act (Regulation Z) and Homeownership Counseling Amendments to the Real Estate Settlement Procedures Act (Regulation X) Loan Originator Compensation Rule: Loan Originator Compensation Requirements under the Truth-in-Lending Act (Regulation Z) ECOA Valuations: Disclosure and Delivery Requirements for Copies of Appraisals and Other Written Valuations Under the Equal Credit Opportunity Act (Regulation B) TILA HPML Appraisals: Appraisals for Higher-Priced Mortgage Loans TILA Escrow Requirements: Escrow Requirements under the Truth-in-Lending Act (Regulation Z) TILA and RESPA Servicing Rules: 2013 Real Estate Settlement Procedures Act (Regulation X) and Truth-in-Lending Act (Regulation Z) Mortgage Servicing Rules The Dodd-Frank Act also mandated the development of revised requirements for HMDA. With the exception of the TRID Rule and HMDA revisions, most of the regulatory changes related to mortgage lending were completed in 2013 and went into effect in January 2014. Now that these rules are effective, the CFPB's efforts to protect consumers in the mortgage marketplace can focus on enforcement and consumer education.
Disclosures, Notifications, and Actions Required by FACTA
Both CRAs and mortgage professionals have obligations under FACTA, including requirements related to disclosures and notifications, as well as other actions intended to protect consumers. These requirements are discussed next.
Regulatory Agency
Congress authorized The Department of Treasury to implement Title III of the PATRIOT Act. An agency within the Treasury Department known as the Financial Crimes Enforcement Network (FinCEN) has primary responsibility for investigating, identifying, and reporting information on money laundering and other financial crimes.
FACTA Overview
In 2003, Congress added additional provisions to FCRA with the enactment of FACTA (15 U.S.C. §1681 et seq.). Congress adopted these additional provisions in order to address the problem of identity theft, to facilitate consumers' access to the information retained by CRAs, and to improve the accuracy of consumer reports. Regulatory oversight and covered and exempt transactions for FACTA are the same as those for FCRA.
Regulatory Agency and Regulations
Prior to the creation of the CFPB, the implementation and enforcement of FCRA was shared by federal banking regulatory agencies and the Federal Trade Commission. The transfer of authority to the CFPB in July 2011 placed general rulemaking authority with the CFPB as well as general authority to enforce compliance with FCRA and its implementing regulations. However, the FTC retains some rulemaking and enforcement authority. In a memorandum of understanding entered between the CFPB and the FTC, the agencies have agreed to give one another a 30-day notice prior to the publication of an advance notice of proposed rulemaking and to "consult promptly" on guidance documents that address unfair, deceptive, or abusive acts or practices under FCRA. The regulations promulgated pursuant to FCRA are known as Regulation V and are found in 12 C.F.R. §1022 et seq. One section of the regulations that is of particular importance is Appendix M, which provides model forms for the notices and disclosures required by FCRA.
Illustrations of Red Flags
The Appendix A Guidelines include an extremely helpful list of "red flags" that financial institutions and creditors can use to identify threats to the security of covered accounts. Individuals responsible for the implementation of an Identity Theft Prevention Program should be acquainted with each red flag on the list. The Guidelines break these warning signs of security threats into a number of categories: Notifications or warnings from a CRA, such as a notice that there is activity on an account that is inconsistent with the account's prior history Suspicious documents, such as documents that show evidence of tampering or documents containing information that is inconsistent with prior information provided Suspicious personal identifying information, such as information that does not match the information found in the consumer report Suspicious activity related to the covered account, such as irregular payment activity Notices from customers, identity theft victims, law enforcement that fraudulent activity is associated with the account The Appendix A Guidelines include an extremely helpful list of "red flags" that financial institutions and creditors can use to identify threats to the security of covered accounts. Individuals responsible for the implementation of an Identity Theft Prevention Program should be acquainted with each red flag on the list. The Guidelines break these warning signs of security threats into a number of categories: Notifications or warnings from a CRA, such as a notice that there is activity on an account that is inconsistent with the account's prior history Suspicious documents, such as documents that show evidence of tampering or documents containing information that is inconsistent with prior information provided Suspicious personal identifying information, such as information that does not match the information found in the consumer report Suspicious activity related to the covered account, such as irregular payment activity Notices from customers, identity theft victims, law enforcement that fraudulent activity is associated with the account
Businesses and Accounts Subject to Rule
The Red Flags Rule applies to financial institutions and to creditors that offer or maintain "covered accounts." Financial institution, creditor, and covered accounts are all terms defined under the regulations, and the meanings of these terms determine the types of business entities and accounts that are subject to the Red Flags Rule. These terms are defined as follows. Financial institutions: a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. Creditor: as established under FACTA, a creditor is defined as someone who regularly extends credit or arranges for the extension of credit, including finance companies and mortgage brokers. Covered accounts: the types of accounts generated by these entities that are subject to special protection under the Red Flags Rule include accounts: Offered or maintained by a financial institution or creditor Intended for personal, family, or household purposes Designed to permit multiple payments or transactions Mortgage loans are cited in the regulations as an example of the types of accounts covered by the regulations. The Red Flags Rule protects customers, who are defined as a person who has a "covered account" with a financial institution or a creditor. In the field of mortgage lending, a customer would be a loan applicant or a borrower who applies for or obtains a mortgage from a mortgage broker or a financial institution.
Filling Out the SAR
A SAR is to be filed no later than 30 calendar days after the date of the initial detection by the reporting financial institution. This report must be filed electronically through the BSA E-Filing System using the SAR Form 111. The E-File SAR Form has five parts. Part I - Subject Information Part II - Suspicious Activity Information Part III - Information about the Financial Institution Where the Activity Occurred Part IV - Filing Institution Contact Information Part V - Narrative
Definition of Terms Related to FACTA
Active duty alert: a statement in a consumer reporting agency's file for a particular individual, stating that the consumer is on active duty for the military (15 U.S.C. §1681a(q)(1)). Creditor: FACTA and FCRA use the same definition as ECOA for creditor. It is any person who regularly extends, renews, or continues credit. Identity theft: fraud or attempted fraud using the identifying information of another person (15 U.S.C. §1681a(q)(3)). Identity theft report: the FTC defines an identity theft report as "...a report that alleges theft with as much specificity as the consumer can provide." FTC regulations list information a theft report "may" include, stating that its list is "for illustrative purposes only," and advising consumers that different companies may have different requirements when receiving identity theft reports. Generally, reports must include an affidavit stating general information about the theft and the victim and a list of the fraudulent accounts opened in the victim's name (15 U.S.C. §1681a(q)(4)).
Penalties for Violations of FCRA
Any person who violates the provisions of FCRA is liable for civil and criminal penalties, depending on the violation, as follows: Civil liability for willful noncompliance: any person who willfully fails to comply with consumer protection provisions of FCRA is liable to the injured consumer for actual damages or for damages of not less than $100 and not more than $1,000, plus punitive damages, costs of bringing the action, and attorney's fees (15 U.S.C. §1681n(a)(1)(A)). Civil liability for obtaining a consumer report under false pretenses: if a natural person obtains a consumer report under false pretenses or knowingly obtains one without a permissible purpose, he/she will be liable for actual damages or $1,000, whichever is greater (15 U.S.C. §1681n(a)(1)(B)). Civil liability for knowing noncompliance: any person who obtains a consumer report from a consumer reporting agency under false pretenses or knowingly obtains one without a permissible purpose is liable to the CRA for actual damages that the CRA incurs or $1,000, whichever is greater (15 U.S.C. §1681n(b)). Civil liability for negligent noncompliance: negligent failure to comply with the law may result in the payment of actual damages, costs, and attorney's fees to the injured consumer (15 U.S.C. §1681o). Criminal penalties for obtaining information under false pretenses: any person who obtains information about a consumer under false pretenses will be fined and/or imprisoned for not more than two years (15 U.S.C. §1681q). Criminal penalties for unauthorized disclosures by officers and employees: officers or employees of a CRA who knowingly and willfully provide information about a consumer to a person not authorized to receive the information will be fined and/or imprisoned for no more than two years (15 U.S.C. §1681r).
Overview of the PATRIOT Act
Drafted and enacted in record time, the USA PATRIOT Act became law only a few weeks after the terrorist attacks of September 11, 2001. The portions of the PATRIOT Act that impact mortgage lending transactions are contained in Title III, which is called the "International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001." Money laundering is the filtering of ill-gotten money through a series of transactions in order to prevent the tracing of the funds to their original illegal source. In the findings that it included in Title III, Congress explained how money laundering and terrorism are related, stating "...money laundering... provides the financial fuel that permits transnational criminal enterprises to conduct and expand their operations to the detriment of the safety and security of American citizens..." (H.R. 3162 §302(a)(1)). The stated purposes of Title III include Congress' goal "...to strengthen the provisions put into place by the Money Laundering Control Act of 1986..." (H.R. 3162 §302(b)(2)). Through the PATRIOT Act, Congress made amendments to the Bank Secrecy Act to strengthen these laws and the ability of the U.S. government to take action to address money laundering.
Obligations for Mortgage Professionals
FACTA creates some special disclosures, notifications, and actions for mortgage professionals: Disclosure of credit score: in mortgage lending transactions, the "person who makes or arranges loans" must provide mortgage loan applicants with information about the credit score used to evaluate their creditworthiness and must provide this information with a notice that advises them of the importance of reviewing their credit scores and of their right to contact the CRA or the lender that generated the credit score (15 U.S.C. §1681g(g)). Response to consumer's request for information on fraudulent transactions: when identity theft occurs in lending transactions, mortgage professionals must comply with the alleged victim's written request for copies of any records of transactions conducted by a person who made unauthorized use of the victim's identity. The request must include verification of the victim's identity and proof of a claim of identity theft. Response to these requests is due 30 days after receipt of the request (15 U.S.C. §1681g(e)(1)). Rule for the proper disposal of consumer information: when it was enacted, FACTA directed the FTC and the federal banking agencies to issue rules on the proper disposal of consumer information (15 U.S.C. §1681w). The rule that the FTC adopted was effective in June 2005, and it applies to all people and businesses that use consumer reports. The preamble to the rule cited mortgage brokers as an example of entities that are subject to the rule, and the stated purpose is to prevent the careless disposal of documents that can lead to identity theft and to other forms of theft and fraud. The "Disposal of Consumer Report Information and Records Rule," also known as the Disposal Rule, applies to all information in a CRA file that a lender or mortgage broker uses to establish the creditworthiness of a consumer, and requires "reasonable measures" to ensure that unauthorized access to, or use of, consumer information cannot occur as a result of its disposal. The Disposal Rule provides the following examples of reasonable measures to protect consumer information from unauthorized access or use: Burning, pulverizing, or shredding papers containing consumer information Destroying or erasing electronically-stored information Conducting due diligence to verify compliance with the Disposal Rule by any third party that is employed to dispose of consumer information (16 C.F.R. §682.3(b)) Lenders, mortgage brokers, and other mortgage professionals are subject to the Gramm-Leach-Bliley Act and must also incorporate methods for the disposal of information in their security program as required by the Safeguards Rule.
Disclosures and Notifications Required by FCRA
FCRA creates a number of obligations for users and furnishers of credit information as well as the credit reporting agencies (CRAs) which receive and report credit information. Obligations of CRAs: (examples of CRAs are Equifax, Experian, and TransUnion, which are often referred to as "The Big Three.") CRA disclosures to consumers: if requested by a consumer, CRAs must clearly and accurately disclose all information in the consumer's file, the sources of the information, and the identification of each person that procured a consumer report. The disclosure must also include a summary of the consumer's rights under FCRA. Unless otherwise authorized by the consumer, the disclosure must be in writing (15 U.S.C. §1681(g)). CRA notification to users: CRAs must provide notices to any person who regularly and in the ordinary course of business furnishes information to a CRA and to any person who receives and uses a consumer report. The notice to furnishers and users must advise them of their responsibilities under the FCRA (15 U.S.C. §1681(d)). CRAs have the burden of protecting consumer privacy when reporting credit information. Obligations of furnishers: (loan servicers, lenders, and creditors that receive loan and credit line payments are examples of furnishers of information that CRAs place in consumers' files.) Notification to CRAs of corrections: if the furnisher of information regularly and in the ordinary course of business provides information to CRAs and determines that the information provided is not complete or accurate, the furnisher has a duty to correct the information and to provide the corrections to all CRAs that received inaccurate information. Notice of dispute: if a consumer disputes the accuracy and completeness of information provided by a furnisher, the furnisher cannot report the disputed information to a CRA without providing notice of the dispute. Notice regarding delinquencies: a furnisher that reports information on a delinquent account must provide the CRA with the month and year of the commencement of the delinquency that immediately precedes an action for collection. Duties after receipt of notice of dispute: upon receipt of a notice of dispute from a CRA, a furnisher must conduct an investigation, report the results to the CRA that provided notice of the dispute, report any inaccuracies to all CRAs that received the inaccurate information, and delete the inaccurate information. Furnishers have 30 days from the CRA's receipt of a dispute to investigate the dispute and rectify any inaccuracies. Obligations of users: (a lender or mortgage broker that uses a consumer report in the process of making a mortgage loan is an example of a user of information collected by a CRA.) Certification of permissible purpose: users must provide a Consumer Reporting Agency with a certification that states the permissible purpose for which the user is requesting the consumer report. Permissible purposes include consumer requests for reports, such as a consumer's request for a credit report required by a mortgage lender. Another permissible purpose is to determine a consumer's eligibility for a license, such as the loan officer license under certain state laws. Notification of adverse action: when a user takes any type of adverse action based on information in a consumer report, the user must provide the consumer with written, oral, or electronic notification which includes contact information for the CRA that provided the report. The notification must include a statement that the CRA did not make the adverse decision and must advise the consumer of the right to obtain a free copy of the report used by the creditor in making the decision and of the right to contact the CRA to dispute the accuracy and completeness of the report. Notification of adverse action based on information from affiliates: if adverse action is based on information from an entity that is affiliated with the user by common ownership or control, the user must notify the consumer of the adverse action and of the right to obtain a disclosure of the nature of the information relied on in taking the adverse action.
Information Included in a Consumer Report
FCRA places certain requirements on information included in consumer reports. The first involves bankruptcy cases. If a consumer report indicates that the consumer has had a bankruptcy, the report should indicate which chapter the bankruptcy was filed under. If a bankruptcy case is withdrawn before completion, the consumer reporting agency must include that fact in the report. The second disclosure requirement involves credit inquiries. If a large number of credit inquiries was a key factor in adversely affecting the consumer's credit score, the consumer reporting agency is required to disclose that fact in its report. If a consumer voluntarily closes a credit account (for example, cancels a credit card), the consumer reporting agency must disclose that fact in its report. The final disclosure requirement involves address discrepancies. If the consumer reporting agency receives a request for a consumer report containing an address for the consumer that differs substantially from the address on file, the consumer reporting agency must notify the person requesting the report of the discrepancy (15 U.S.C. §1681c). FCRA also places the following restrictions on the information that is included in consumer reports, providing that consumer reports may not include: Bankruptcy cases that are more than ten years old Civil lawsuits that are more than seven years old, unless the statute of limitations has not yet expired Arrest records that are more than seven years old, unless the statute of limitations has not yet expired Tax liens that are more than seven years old Accounts placed for collection (or charged off) that are more than seven years old Any other adverse information that is more than seven years old, other than conviction of a crime (conviction of a crime can always be reported, no matter how old) The name, address, and telephone number of any medical information provider, unless either: That information does not convey information on the nature of the services (the name of a psychiatric center, for example, would not qualify because it conveys information that the consumer has mental health problems), or The report is being provided to an insurance company for purposes related to an insurance matter not involving property and casualty insurance In 2017, it was announced by the three major credit reporting agencies that a new effort to enhance the accuracy of credit reports was underway. This initiative, known as the National Consumer Assistance Plan (NCAP), aims to improve consumer experience, data accuracy, and quality. The announcement of the NCAP included the news that credit reports would no longer include information on tax liens and civil judgments, and would only include reporting of debts that arise from a contract or agreement by the consumer to pay (Fannie Mae Lender Letter LL-2017-02). FCRA also contains a list of situations in which the rules about what can be contained in a consumer report do not apply. The rules do not apply in the following situations: A credit transaction involving, or which may reasonably be expected to involve, a principal amount of at least $150,000 The underwriting of life insurance involving, or which may reasonably be expected to involve, a face amount of at least $150,000 An employment situation in which the employee is expected to receive an annual salary of at least $75,000
Practices Prohibited by FCRA
FCRA prohibits several practices, including all of the following: FCRA prohibits a CRA from furnishing a consumer report for any reason other than a permissible purpose. Permissible purposes include providing a report pursuant to the written instructions of the consumer to whom the report relates and providing a report in connection with a credit transaction involving the extension of credit to the consumer (15 U.S.C. §1681b). FCRA prohibits those who furnish information to a CRA from knowingly providing inaccurate information (15 U.S.C. §1681s-2). No CRA can write a consumer report containing outdated negative financial information such as bankruptcies over ten years old and other negative information such as paid tax liens and civil judgments that are more than seven years old unless the consumer report relates to a credit transaction involving a principal amount of $150,000 or more (15 U.S.C. §1681c(a)). CRAs cannot release disputed information in a consumer report without indicating that the consumer disputes the accuracy and completeness of the information (15 U.S.C. §1681c(f)).
BSA Requirements
Federal regulations outline the requirements for financial institutions regarding the establishment and maintenance of procedures designed to ensure compliance with the Bank Secrecy Act. Each institution must develop a written anti-money laundering compliance program, and it must be approved by the institution's board of directors. Minimum requirements for the program include: Internal controls and metrics to ensure compliance Independent auditing of compliance Individuals responsible for managing compliance Staff training for compliance Other requirements of the BSA are as follows: Report specific, large currency transactions:using a Currency Transaction Report (CTR), financial institutions must report single or structured currency transactions that exceed $10,000 to FinCEN. Here, "structured" refers to multiple transactions by or on behalf of the same person during the same business day that cumulatively total $10,000 or more Record specific, large negotiable instrument purchases: financial institutions must record single or structured cash purchases of negotiable instruments between $3,000 and $10,000 (purchases that exceed $10,000 would then require a CTR). These records must be provided to FinCEN upon request. Report suspicious activity and transactions: financial institutions must record all suspicious activities and report them using a Suspicious Activity Report (SAR) to FinCEN. Record specific, large wire transfers: financial institutions must record wire transfers that exceed $3,000, regardless of whether they are the initiating, intermediary, or receiving institution. When requested, institutions must provide these records to FinCEN. Monitor foreign account activities Cooperate with investigations: financial institutions must cooperate with all FinCEN requests for information to aid in a money laundering or suspicious activity investigation. Implement a customer identification program (CIP):financial institutions must implement a CIP that includes procedures for: Verifying customer identities Maintaining verification records Cross-checking customer identities with government lists for known or suspected terrorists or terrorist organizations Distributing CIP notices to customers Cooperating with third party financial institutions for CIP requirements Though RMLOs are not required to file CTRs, FinCEN will receive notice of home loan transactions involving cash payments exceeding $10,000. FinCEN will receive this notice on IRS Form 8300, which the IRS requires for reporting cash payments over $10,000. A copy of this notice is forwarded to FinCEN (31 C.F.R. §1010.330(A)(1)(ii)). The responsibility for filing Form 8300 and sending a copy to FinCEN is that of the provider of escrow or other settlement services.[1]
Actions Required by Title III of the PATRIOT Act
In order to comply with Title III of the PATRIOT Act, RMLOs must: Establish a consumer identification program (CIP): a CIP that complies with regulatory standards must include procedures to: Collect information, including name, date of birth, address, and an identification number, such as a Social Security Number for U.S. citizens or a taxpayer identification number, passport number, or alien identification card number (for non-U.S. citizens) Verify information, using documentation such as a driver's license or passport or alternate acceptable documents Maintain records of information used to verify the consumer's identity and retain these records for a period of five years after the date on which the account is closed Compare the identity of the consumer against any list of known or suspected terrorists or terrorist organizations Notify customers, verbally or in writing, that verification of identity is necessary to open a new account Create an anti-money laundering (AML) program: this must be a written program, approved by senior management, "...that is reasonably designed to prevent the loan or finance company from being used to facilitate money laundering or the financing of terrorist activities" (31 C.F.R. §1029.210(a)). This program must include procedures for complying with the reporting requirements of Subchapter II of the PATRIOT Act, the appointment of a compliance officer, ongoing training for employees, and independent testing to ensure maintenance of an adequate program. Make suspicious activity reports: RMLOs must file suspicious activity reports (SARs) if there is evidence that funds involved in a transaction or an attempted transaction may have derived from an illegal activity. The filing of a SAR is also required if there is evidence that a transaction or an attempted transaction was designed to evade the Bank Secrecy Act, was not the sort of transaction that the customer would normally be involved in, or involved the use of the RMLO to conduct criminal activity. SARs are filed with FinCEN. RMLOs are protected from civil liability for filing SARs. For example, if the activities of an individual are investigated and that individual believes that he or she has been wrongly named in a SAR, the individual cannot file a lawsuit against the RMLO for the wrongful submission of the SAR. Report receipt of currency in excess of $5,000: receipt of currency in excess of $5,000 is reportable. There are also deadlines, recordkeeping and information-sharing requirements under the regulations. RMLOs must file a SAR within 30 days after an "initial detection" of suspicious activity. However, if an RMLO has information that requires immediate attention, he/she/it must immediately notify "appropriate law enforcement" by telephone in addition to filing a SAR. RMLOs must retain SARs and supporting documentation for five years from the date of filing a SAR.
Practices Prohibited by Title III of the PATRIOT Act
Many of the prohibitions included in Title III concern banking issues that are not related to real estate lending transactions. Prohibitions in Title III that relate to mortgage lending transactions include prohibitions against: Opening new accounts, including accounts for a loan or other extensions of credit, without verifying the identity of the new customer Advising a suspect that a suspicious activity report has been filed with regard to their activities (31 U.S.C. §5318(g)(2)) In the preamble to the regulations that extended USA PATRIOT Act requirements to RMLOs, FinCEN has indicated that it is likely to expand its definition of "loan or finance company" to other types of businesses. It began its "incremental approach to implementation of regulations" by creating requirements for RMLOs because it has conducted studies which indicate that RMLOs "...are in a unique position to assess and identify money laundering risks and fraud while directly assisting consumers with their financial needs and protecting the sector from the abuses of financial crime" (77 FR 8150).
Obligations for CRAs
Most of the disclosures, notifications, and actions required by FACTA are the duties of consumer reporting agencies. These statutory duties include: Providing notice of consumer rights: FACTA creates requirements for the issuance of a Victim's Notice of Rights when a consumer reports identity theft to a consumer reporting agency. Issuing free credit reports: in order to encourage consumers to self-monitor their credit reports as a means of detecting identity theft, Congress requires each of the three national credit bureaus (Experian, Equifax, and TransUnion) to provide a free credit report annually, when requested by the consumer. Creating a fraud alert: at the request of a consumer who believes that he/she is or may be the victim of fraud, CRAs must create a fraud alert for the consumer's file and include it with any credit scores generated for the consumer. CRAs must keep an initial fraud alert on file for one year. Creating an extended fraud alert: after receipt of an identity theft report, CRAs must create an extended fraud alert, maintain it in the file, and include it with any credit report generated for the consumer for a period of seven years. Creating an active duty alert: at the request of an active duty consumer, CRAs must create a statement that the consumer is on active duty for the military and include the statement with any credit reports generated for the active duty consumer. CRAs must keep the active duty alert in the file for not less than 12 months. Forwarding fraud alerts and active duty alerts to other CRAs: when one of the three national credit bureaus receives a consumer's request for fraud alert or an active duty alert, it must forward the information to the other CRAs. Disclosing credit scores: consumers have a right to purchase a copy of their credit scores. With disclosure of a credit score, CRAs must explain that the CRA credit score may be different from a lender's credit score, and provide a list of factors used to compute the score and a list of factors that negatively impacted the score. Blocking information: CRAs must block the reporting of any information in a consumer's file that the consumer identifies as information that resulted from identity theft and must notify the furnisher of the information that the blocked information may be the result of identity theft. The block must be effective within four business days of receipt of copies of the consumer's identity, his/her identity theft report, and a description of the information in the consumer's file that relates to transactions that he/she did not make. Notification of decision to decline or rescind a block: in certain circumstances in which the CRA reasonably determines there is not a basis for blocking the information, it can decline the request for a block or rescind a block and must provide prompt notification to the consumer.
BSA/AML Overview
The Bank Secrecy Act (BSA), formally referred to as the Currency and Foreign Transactions Reporting Act of 1970, was designed to prevent the U.S. financial services industry from being used to launder money. The Act requires that U.S. financial institutions work with government agencies to prevent and detect money laundering through recordkeeping and reporting of specific transactions that have a higher risk of being used to launder money, evade taxes, and aid in other criminal activities. Since its original implementation in 1970, BSA has been amended, including changes caused by the passage of the USA PATRIOT Act of 2001, and it is enforced by the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN). The goals of BSA include: Preventing and detecting money laundering and criminal activity financing Documenting large currency transactions Improving reporting and aiding investigations of financial crimes
Red Flags Rule Overview
The Red Flags Rule is a measure included in FACTA to address identity theft. "Red flag" is defined under federal regulations as "...a pattern, practice, or specific activity that indicates the possible existence of identity theft" (16 C.F.R. §681.1(b)(9)). While the CFPB is primarily responsible for promulgating rules and enforcing compliance under FCRA, the federal banking regulatory agencies, the NCUA, and the FTC have retained authority to enforce the Red Flags Rule. Non-depository lenders, such as mortgage bankers and mortgage brokers, are subject to the jurisdiction of the FTC when compliance with the Red Flags Rule is an issue (15 U.S.C. §1681m(h)(8)). It is worth noting the distinctions offered regarding personal information under the Gramm-Leach-Bliley Act and its Safeguards Rule, and the protections offered under the Red Flags Rule. Both the Safeguards Rule and the Red Flags Rule are intended to prevent the release of personal financial information. The primary difference is that the Safeguards Rule focuses on the methods of securing personal information, and the Red Flags Rule focuses on the methods of detecting a security breach. The Red Flags Rule is still implemented and enforced by the FTC.
Requirements of the Red Flags Rule
The Red Flags Rule requires creditors and financial institutions to establish an Identity Theft Prevention Program. The program must have provisions for: Identifying patterns, practices, or specific activities that may indicate the possible existence of identity theft Detecting irregularities when obtaining information from a person opening an account or accepting a change of address on existing accounts Preventing and mitigating identity theft by responding appropriately to the types of risks posed by particular types of accounts Updating the identity theft program periodically to identify new risks to the security of personal information The Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation provides comprehensive information for developing an Identity Theft Prevention Program. These Guidelines are located in Appendix A of 16 C.F.R. §681. The Guidelines: Give examples of the specific types of risk factors Suggest appropriate responses when evidence of identity theft emerges Describe appropriate ways to update the program when new methods of detecting identity theft are available and when mergers and acquisitions or other business changes occur that might impact the security of customer information
Evaluating Credit Scores
The first step of evaluating a credit report is to carefully check identifying information. Multiple spellings, addresses, or Social Security Numbers clearly suggest errors in the report or possible identity theft. Next, the public records section should be checked to see if bankruptcies or outstanding judgments are reported. Mortgages and liens against the property, as well as open and closed lines of credit, should be reviewed. Each account listed should be checked for payment history and balances compared to open balances. Note any discrepancies between the report and what the applicant has disclosed. A credit score is a number designed to predict the risk represented by a given consumer - i.e., the likelihood that he or she will become seriously delinquent on credit obligations in the 24 months immediately following scoring. The most commonly-used model for computing these scores is still the one developed by Fair Isaac Corporation (FICO). There are five categories of information that make up the FICO credit score, with a percentage assigned to each category in order to show the relevance of each category to the overall score. The categories of information and the corresponding percentages are: Payment history: 35% Amounts owed: 30% Length of credit history: 15% Types of credit used: 10% New credit: 10%
Lending Institutions Covered by Title III of the PATRIOT Act
The requirements of Title III of the PATRIOT Act apply to "financial institutions," which are defined to include 24 specific types of entities including: Federally-regulated banks Branches and agencies of foreign banks located within the U.S. Credit unions Non-federally regulated private banks Persons involved in real estate closings and settlements Loan or finance companies, including: Residential mortgage lenders Residential mortgage originators The types of business and financial institutions covered by the law are extensive. The definition of "financial institution" is so broad that it includes not only traditional financial institutions, but also businesses such as casinos, pawnbrokers, and automobile salesmen. With a rule issued in 2012, FinCEN clarified the term "loan or finance company" to include residential mortgage lenders and originators. Under the regulations, a "residential mortgage lender" includes non-bank residential mortgage lenders to whom debt for a residential mortgage loan is initially payable, or the person to whom the debt obligation is initially assigned after closing. The regulations define a "residential mortgage originator" as a person who accepts, offers, or negotiates the terms of a residential mortgage loan application (31 C.F.R. §1010.100(lll)(1)). Non-bank residential mortgage lenders and mortgage originators required to comply with the USA PATRIOT Act are collectively referred to in the regulations as RMLOs. The term "residential mortgage originator" should not be confused with the term "loan originator" as it is defined under the S.A.F.E. Act. Under that law, "loan originator" means an individual who takes a mortgage loan application and/or negotiates mortgage loan terms in exchange for compensation or gain. Conversely, FinCEN expressly states that the term "loan or finance company," which includes residential mortgage originators, does not include an individual (31 C.F.R. §1010.100(lll)). Therefore, the obligations created by the rules apply to mortgage lender and broker companies, including those operating as sole proprietorships. Individual loan originators may have obligations pursuant to employment contracts to carry out certain requirements of the PATRIOT Act, but in the event of a compliance failure, it will be the mortgage lender or broker employing the loan originator that will ultimately be held liable.
Suspicious Activity Reports
Under federal law, financial institutions and others are required to report known or suspected criminal offenses or transactions of $5,000 or more that they suspect involve money laundering or violate the Bank Secrecy Act. Suspicious activity reporting focuses on financial transactions that appear to represent attempts to launder funds or violate the banking laws. All financial institutions operating in the United States are required to submit a SAR following the discovery of: Criminal violations attempted against a financial institution or transactions conducted through a financial institution involving insiders Criminal violations attempted against a financial institution or transactions conducted through a financial institution aggregating $5,000 or more when a suspect can be identified. If it is determined prior to filing this report that the identified suspect or group of suspects has used an "alias," then information regarding the true identity of the suspect or group of suspects, as well as alias identifiers such as drivers' licenses or Social Security Numbers, addresses, and telephone numbers, must be reported. Criminal violations attempted against a financial institution or transactions conducted through a financial institution aggregating $25,000 or more even though there is no substantial basis for identifying a possible suspect or group of suspects Transactions conducted or attempted by, at, or through the bank (or an affiliate) and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has reason to suspect that the transaction: May involve potential money laundering or other illegal activity (e.g., terrorism financing) Is designed to evade the BSA, or Has no business or apparent lawful purpose or is not the type of transaction that the particular customer would normally be expected to engage in, and the bank knows of no reasonable explanation for the transaction If a mortgage loan originator engages with a customer and suspects relevant suspicious activity, he or she should report the activity to the manager or other person in the company who is designated to handle SARs.
Retaining SARs and Documentation
When a financial institution files a SAR, it is required to maintain a copy of the SAR and the original or business record equivalent of any supporting documentation for a period of five years from the date of filing. "Supporting documentation" refers to all documents or records that assisted a financial institution in making the determination that certain activity required a SAR filing. The Right to Financial Privacy Act's prohibition against disclosing a customer's financial records does not apply when the financial institution provides the financial records or information to FinCEN or a supervisory agency in the exercise of its "supervisory, regulatory or monetary functions."
Application to Small Businesses
When publishing the final version of the Red Flags Rule, the FTC noted that small businesses are also vulnerable to identity theft and need to establish programs to prevent it. However, the Small Business Administration (SBA) commented that certain requirements, particularly the production of a written program, could be overly burdensome for small businesses. The SBA defines a small business as one that has assets of $165 million or less. The FTC disagreed with the assertion that the requirements are too burdensome. However, in order to facilitate compliance with the rule, the FTC delayed enforcement of the rule to give all creditors and financial institutions time to develop an Identity Theft Prevention Program. The FTC now offers guidance on its website to help businesses determine whether they are covered by the requirements of the Rule.[1]
Protecting Appraiser Independence
When the housing and lending markets were booming in the early 2000s, unethical appraisal practices led to losses in both the prime and subprime markets, but inaccurate appraisals were particularly common in the subprime market. In 2008, the Federal Reserve adopted regulations, now implemented by the CFPB, which provide that creditors and persons providing settlement services cannot directly or indirectly influence the judgment of an appraiser who is assessing the value of a principal dwelling. Illegal influence includes encouraging an appraiser to misstate or misrepresent the value of the principal dwelling used to secure a loan. The regulations provide the following examples of actions that violate this prohibition: Implying to an appraiser that current or future retention of the appraiser depends on the amount at which the appraiser values a consumer's principal dwelling Excluding an appraiser from consideration for future engagement because the appraiser reports a value of a consumer's principal dwelling that does not meet or exceed a minimum threshold Telling an appraiser a minimum reported value of a consumer's principal dwelling that is needed to approve the loan Failing to compensate an appraiser because the appraiser does not value a consumer's principal dwelling at or above a certain amount Conditioning an appraiser's compensation on loan consummation (12 C.F.R. §1026.42(c)) The regulations also include examples of actions that a creditor or settlement service provider can take without violating the prohibition against influencing the opinion of an appraiser: Asking an appraiser to consider additional information about a consumer's principal dwelling or about comparable properties Requesting that an appraiser provide additional information about the basis for a valuation Requesting that an appraiser correct errors in a valuation Obtaining multiple appraisals of a consumer's principal dwelling, so long as the creditor adheres to a policy of selecting the most reliable appraisal, rather than the appraisal that states the highest value Withholding compensation from an appraiser for breach of contract or substandard performance of services as provided by a contract Taking action permitted or required by applicable federal or state statute, regulation, or agency guidance
Definition of Terms Related to FCRA
The following definitions are important to know in order to understand the provisions of FCRA (15 U.S.C. §1681a). Consumer report: the communication of any information from a consumer reporting agency that relates to a consumer's credit worthiness, credit standing, credit capacity, character, personal characteristics, or mode of living which is used or expected to be used in order to determine the consumer's eligibility for credit or insurance to be used for personal, family, or household purposes or to evaluate a consumer for employment. Consumer reporting agency (CRA): any person who regularly engages for fees or on a cooperative nonprofit basis in the practice of assembling or evaluating of consumer credit information in order to provide consumer reports to third parties. The Dodd-Frank Act authorizes the CFPB to supervise "larger participants" in the market for consumer products and services (12 US.C. §5514(a)(1)(B)). The CFPB adopted a rule in July 2012 in which it defines "larger participants" to include CRAs with annual receipts exceeding $7 million (12 C.F.R. §1090.104(b)). Therefore, the CFPB has the authority to examine large CRAs, such as Equifax, Experian, and TransUnion, for FCRA compliance. Creditor: any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit (15 U.S.C. §1681(r)(5)). Investigative consumer report: a consumer report containing information about a consumer's character, general reputation, personal characteristics, and mode of living that is obtained through personal interviews. File: all the information about a consumer that is recorded and retained by a CRA. Fraud alert: a statement in the file of a consumer that notifies all prospective users of a consumer report relating to the consumer that the consumer may be a victim of fraud, including identity theft, and that is presented in a manner that facilitates a clear and conspicuous view of that statement. Adverse action: this term is given the same meaning under FCRA as under ECOA, meaning a denial of credit or an extension of credit in a substantially smaller amount, or for terms substantially different, than that requested by the loan applicant. It also means any denial or unfavorable change in insurance coverage, or a denial of employment based on an investigative consumer report.
