Notes on Cyber-Attacks, Getting Through TRID

A couple is lying in bed. The man says, "I am going to make you the happiest woman in the world."

The woman replies, "I'll miss you..."

If someone hacks into your system and starts taking borrower social security numbers and passwords are you going to call Ghostbusters? Research by Ponemon finds that while 81% of respondents say their company has a data breach plan, only 34% say the plan is effective or very effective. That is better than the 30% who said that in 2014, but still shows plenty of room for improvement.

 David Stein with Bricker & Eckler writes, "I have a quick comment on a recent note you had regarding cybersecurity. I am presently working with the MBA and we will be publishing a 'Compliance Essentials' guide on use of the Social Media and the Internet by financial institutions. One big risk that often is overlooked: social media. Use of social media may allow hackers to conduct phishing and 'spearphishing' plots, which are effective tools to breach an institution's cyber security precautions. Some readers may be wondering why care should be taken in using social media as suggested in the blurb. Cyber breaches caused by phishing (based on social media identity) are one of the gravest concerns. Continuous education about these issues is one of the best tools to ward off attack."

 Steve Brown with PCBB writes, "The FFIEC recently issued a warning to banks that there has been a rise in both the frequency and the severity of cyber-attacks, with many instances now involving extortion. Such attacks can harm your bank in a myriad of ways, from the straightforward loss of liquidity or capital, to reputational harm resulting from fraud or data loss, and even the disruption of service. As a result, community banks need to focus efforts on fending off and mitigating the risks of cyber-attacks even more.

 "Given how quickly malware and ransomware is evolving, protecting sensitive information has become more difficult than ever. An unfortunate reality is that virtually no company, inside or outside of the banking industry, is invulnerable to attack. After all, many attackers are state-sponsored by countries with unlimited resources. Against that onslaught, what can any community bank do? For their part, regulators have tried to provide guidance in this area. They want banks to have programs in place that can effectively "identify, protect, detect, respond to and recover from" cyber-attacks.

 "Among the steps banks are encouraged to take are the performance of routine information security risk assessments; ongoing security monitoring, prevention and risk mitigation; implementation of and routine testing of the controls around critical systems; and frequent reviews and updates on incident response and business continuity plans. Beyond this, regulators also suggest banks focus on the fact that employees can sometimes pose the biggest digital security risk.

 "Because of this, it is equally important to make sure that employees are educated about the potential for cyber-attacks and the impact that simple things, such as opening a link within an email from an unverified source can have, or the importance of encrypting sensitive data. Given how much sensitive information banks exchange and rely on during a typical day, you may also want to consider following the lead of many companies that now forbid employees from using removable USB devices or from accessing any online sites not immediately related to the job function. Just as employees can inadvertently create breaches, so too can third party vendors. So, when performing security assessments it is also important to factor in the security systems and practices of your vendors as well." A great write-up Steve!

 Edgar reminds us, "You bring up an interesting point about compliance reviews, I commonly hear "but Fannie will buy it" and that is a true statement; however what many fail to realize is that there are tremendous negative implication for banks that banks that are deemed non-compliant. If a regulator audits a bank and they see a company purchasing loans that are non-compliant they can face fines; even worse they could have their CAMEL rating negatively impacted which can drive up the cost of their FDIC insurance, this cost impacts all lines of business. The costs can be huge. In addition to increased costs/reduced margins it can cost more for capital should they need to raise it. I think you raise an important point that the GSE's do not review for compliance and that the investors that do review can be a valuable resource in helping insure their business is safe."

 I received this note from a veteran originator. "It's interesting that all the TRID issues are clerical in nature, rather than fee issues.  That leads me to believe its sloppiness or lack of training that has caused these issues."

 And Mat Ishbia, president and & CEO of United Shore, sent, "I have some quick thoughts on TRID.  And I know I am in the minority but I am so sick of hearing everyone complain about it all the time. The CFPB is doing a good job trying to do the right thing for consumers. Is it perfect? No, very few things are but the intentions of requiring originators to get their fees right up front, use new forms which are better than the most recent ones we used, get the consumers their closing numbers 3 days before closing, and put the control of the closing in the lenders hands. All of these are great decisions and the right thing for our industry.

 "NOW for all the lenders complaining about how hard it is and whining about the new rules... They can blame themselves for not being prepared. At UWM we are closing loans in the same amount of time as pre-TRID - actually 1 day faster (23 business days currently vs 24 days pre TRID) and the only difference is we prepared for 12 months for the rule and wanted to make it easy for all of our brokers. Hearing everyone's negative comments is such a downer and annoying at best. Tell everyone to blame themselves for their lower production and blame themselves for slower closing times NOT the CFPB and the new rule. If people spent more time preparing and following the rule than complaining then they would be doing great and closing plenty of loans and helping out plenty of consumers. At UWM our fourth quarter was better than the second or third quarters of 2015, so blaming TRID is the wrong answer.   Blaming yourself is the truth for lack of preparation."

 Luke from MN sent, "I don't agree with this LO's comment, 'Lastly, the CD is much tougher to understand than the final HUD, if you ask the average borrower he will not understand the CD! Also note for all loan officers the CD does not minus any pre-paids that the borrower paid for such as the appraisal fee(s) therefore it will always show short to close which adds to the confusion for the average borrower.'

 "We are a correspondent lender so maybe things are a little different and we provide the CD.  On my CDs where the borrower has pre-paid for the appraisal and credit report we just list them as POC on the CD and the cash to close is correct.  Again, it sounds like the person above works as a broker so they may not have any control over the CD but I would want mine to be accurate with the correct cash needed at closing and this is how we work it up." Thanks Luke!

 Ballard Spahr's Richard J. Andreano, Jr. sent out a write-up on the recent attempt by the CFPB to address the construction-to-permanent loan issue. "The CFPB has issued what it calls a 'fact sheet' regarding the disclosure of construction-to-permanent loans under the TILA/RESPA Integrated Disclosure (TRID) rule, which the CFPB refers to as the Know Before You Owe rule.  The fact sheet falls far short of the detailed guidance sought by the mortgage industry.

 "A construction-to-permanent loan is a single loan that has an initial construction phase while the home is being built, and then a permanent phase for when construction is complete and standard amortizing payments begin.  Although, as noted below, the TRID rule does address such loans, the rule does not provide detailed guidance on how to complete the Loan Estimate and Closing Disclosure for such loans, nor are sample disclosures included with the TRID rule.

 "In the fact sheet, the CFPB notes that Regulation Z section 1026.17(c)(6)(ii) and Appendix D to Regulation Z continue to apply in the new TRID rule world, and the CFPB specifically notes that they apply to the Loan Estimate and Closing Disclosure. The cited section provides that when a multiple-advance loan to finance the construction of a dwelling may be permanently financed by the same creditor, the construction phase and the permanent phase may be treated as either one transaction or more than one transaction. The fact sheet indicates, as the CFPB staff had informally advised in a May 2015 webinar, that a construction-to-permanent loan may be disclosed in a single Loan Estimate and single Closing Disclosure, or the construction phase and permanent phase can be disclosed separately, with the construction phase being set forth in one Loan Estimate and Closing Disclosure and the permanent phase being set forth in another Loan Estimate and Closing Disclosure.

 "Appendix D provides guidance on how to compute the amount financed, APR and finance charge for a multiple advance construction loan, when disclosed either as a single transaction or as separate transactions. The TRID rule added a commentary provision regarding Appendix D to address the disclosure of principal and interest payments in the Projected Payments sections of both the Loan Estimate and Closing Disclosure. The commentary provision does not address other elements of the Projected Payments sections. Additionally, the CFPB does not clarify in the fact sheet that Appendix D applies only when the actual timing and/or amount of the multiple advances are not known.

 "Likely realizing that this guidance would fall short of the detailed guidance, and sample disclosures, sought by the industry, the CFPB's final statement in the fact sheet is "The Bureau is considering additional guidance to facilitate compliance with the Know Before You Owe mortgage disclosure rule, including possibly a webinar on construction loan disclosures."

The industry needs and deserves more than a webinar.  It deserves detailed written guidance with sample disclosures.  The failure of the CFPB to provide written guidance on other aspects of the TRID rule has significantly contributed to the confusion and uncertainty in the industry regarding TRID rule requirements.  It is frustrating to the industry that the CFPB continues to resist providing written guidance on TRID rule matters (as well as other matters), particularly when its sister federal agencies regularly provide written guidance on important matters."

 Loren Picard writes, "With regards to your comments about mortgage REITs, I thought I'd share some insights which I've accumulated from following the sector for quite some time. Stock prices are dramatically down and stock prices as a measure to book value are way up--40%+ in some cases.  Is anybody really surprised that mortgage REITs are trading at such discounts? It is hard to make a business case for why mortgage REITs should even exist given what is going on in the changing financial landscape. The Federal Reserve buys all the net new agency paper being issued, the private MBS market is thwarted because the big banks are holding jumbo loans on their balance sheets, the FHFA put a knife in the captive insurance subsidiary loophole mortgage REITs were using to obtain below market financing, and the threat (not necessarily reality just yet) of new fintech models picking off market share in investable assets all adds up to the question...why should they exist? Mortgage REITs are not making a case for themselves. Also, activists are starting to circle some of the more steeply discounted mortgage REITs with a two pronged argument: 1) The REITs should be liquidated to free up capital for more productive purposes; 2) Mortgage REITs have become too costly to manage given the high cost of internally managed REITs (as percent of equity) and the high cost of management contracts for externally managed REITs. It is much more efficient to hold mortgage assets in an ETF or mutual fund. REITs could reinvent themselves around a technology based acquisition strategy, but I'm not sure that is a core competency of mortgage REIT managements.  Once the first REIT gets liquidated, watch out below."