2022 MBA Regulatory Compliance Conference In Review

By Melissa Thomas

The Mortgage Bankers Association’s annual Regulatory Compliance Conference (MBA RCC) took place September 18th-20th in Washington, D.C. With topics ranging widely from loan officer compensation to recent fair lending cases, we've summarized the key takeaways for anyone unable to attend.

RESPA & Other Marketing Concerns 

It is a well-known compliance hallmark under the Real Estate Settlement Procedures Act (RESPA) that financial institutions can pay for leads, but cannot pay for referrals. A simple outline quickly becomes complicated when additional factors are introduced – can I pay for a certain quality of lead? Can the lead generator give a warm handoff to the loan officer? How do endorsements fit in? What exactly counts as a “referral”?

At the Mortgage Bankers Association Regulatory Compliance Conference, presenters gave a brief overview of RESPA and the permissible ways one can be paid under RESPA, including payment for bona fide services or goods. Then came a deep dive into the controversial nature of Marketing Service Agreements (MSAs), something the CFPB has sometimes struggled to provide clear guidance on. One key case brought to the forefront in 2014 was the CFPB’s action against Lighthouse Title, a Michigan-based company, where it was outlined that a Marketing Service Agreement in itself was considered “a thing of value” under RESPA. The CFPB issued a bulletin in 2015 to provide further guidance on MSAs, but in October of 2020 the bureau rescinded that 2015 guidance.

The CFPB updates panel agreed that the recent interpretive rule on “digital marketers” was a key shot across the bow at social media companies and other targeted ad providers, noting “The CFPB – they have the appetite to be the next big-tech regulator” and that related marketing vendors would likely fall under the scrutiny of RESPA and UDAAP. The use of MSAs (and the compliance headaches that come with them) was a closely evaluated topic by attendees at the RCC. Lenders are looking to technological advancements to make stronger arguments to their regulators, including photo documentation, checklist completion, and geolocation tracking to corroborate MSA compliance.

Special Purpose Credit Programs 

Special Purpose Credit Programs (SPCPs) were a hot topic at what was arguably the most well-attended session at the 2022 MBA Regulatory Compliance Conference. From the beginning of the session, it was made clear that the homeownership gap is a corresponding driver for the gap in household wealth. The racial homeownership gap, in which 72% of White Americans are homeowners while only 42% of Black Americans own a home, has continued to be the trend despite the industry’s focus on fair lending for decades. A central element of Fannie Mae’s new Equitable Housing Finance Plan is the deployment of its own SPCP. Part of the RCC session included questions about what this SPCP included and how Fannie might interact with lenders' home-grown SPCPs. It was outlined that Fannie’s plan would likely offer down payment assistance programs and reduced closing costs, but would not include adjustments to the credit box at this time, and that loans that might be legally allowable under an SPCP would still need to meet Fannie requirements to be accepted.

One key point of conversations around SPCPs was the basis for the program – do you build a “place-based” or “trait-based” program? Place-based is centered on specific census tracts, while trait-based is centered on a specific demographic. Some argued that focusing on “place-based”, though simpler for marketing and execution, might not work well in diverse metro areas or could reinforce segregation. Chase Bank shared key components of their program, including no income cap, an extended credit box, confirmation that it's an owner-occupied property, the inclusion of rental history in credit decisions, and having dedicated loan officers for the SPCP.

Shifting Data Privacy & Data Protection Landscape 

One key focus at the Regulatory Compliance Conference was consumer privacy and data security. Earlier this month, the FTC released a report showing a rise in sophisticated “dark patterns” designed to trick and trap consumers. The dark pattern tactics detailed in the report include disguising ads to look like independent content, making it difficult for consumers to cancel subscriptions or charges, burying key terms or junk fees, and tricking consumers into sharing their data. At the RCC, the data privacy and protection panel helped define what might be included under the dark patterns heading, including:

  • Misdirection: when the design purposefully focuses your attention on one thing to distract your focus from another. 
  • Confirmshaming: the act of guilting the user into opting into something where the option to decline is worded in such a way as to shame the user into compliance. 
  • Hidden costs & price comparison prevention: one example would be making the user create an account with your website before being able to compare shop pricing. 
  • Nudging vs smudging: “nudging” refers to the use of user interface or design elements, sometimes referred to as “choice architecture”, to guide user behavior. “Smudging” is the practice of using nudging to trick users into clicking into something they would not actually want, such as an ad.  

The panel discussed a recent case where the FTC took action in September 2022 against credit services company Credit Karma for deploying dark patterns to misrepresent that consumers were “pre-approved” for credit card offers. According to the FTC’s complaint, Credit Karma knew that its purported “pre-approvals” conveyed false certainty to consumers, based on the results of experiments, also known as A/B testing, showing that consumers were more likely to click on offers saying “preapproved” than those saying they had “excellent” odds of being approved. When user interfaces are designed, including with the aid of A/B testing, to trick consumers into taking actions in a company’s interest and that lead to consumer harm, such design tricks fall under the FTC’s label of dark patterns. Dark patterns were the focus of a public workshop held by the FTC just last year. For data protection, the panel outlined a few standard practices for employees when considering collected consumer data: 

  1. Do you need that data? 
  2. Where is the data kept? 
  3. Do you have an Information Security Policy? 
  4. Do I have policies and procedures that I follow? 
  5. Am I conducting ongoing testing & regularly training employees? 

Emerging Legislation Around Remote Work 

As the Covid-19 pandemic begins to subside, states have begun to re-evaluate executive orders granting permissions for licensed employees to work remotely away from a licensed branch. Some states, like West Virginia, extended temporary guidance into 2022, but that guidance has since expired with no further extensions currently planned. Other states see this as an opportunity to modernize a piece of the mortgage process. At the end of August 2022, the California governor signed Assembly Bill No. 2001, which authorizes licensees to work remotely if certain conditions are met, including ensuring the remote employee utilizes a Virtual Private Network (VPN), providing employees with data security training, and ensuring the employee may only work from a remote, non-public location that is not a rental space in any capacity (Airbnbs included).

At the MBA Regulatory Compliance Conference, compliance professionals discussed how “flexibility for remote work is achieved through legislation change and state guidance”. Industry groups are closely monitoring state-by-state progress, such as the MBA through their Remote Work Policies Map. Nevada, which sunset its temporary guidance on the subject back in June of 2021, is closely monitored for potential upcoming legislative changes. In June 2022, the AARMR released Best Practices for Employees Working Remotely, but the document is only two pages long and is not overly prescriptive.

As states begin to determine what various requirements will be for remote work, one theme is clear – consumer data protection is paramount and lender supervision of remote employees will be tested. Many states are outlining what data security safeguards are needed to prove consumer protections are in place, including remote work training for licensed employees, employee attestation of remote work policies, and technological safeguards installed and managed securely by IT departments. One key hint from attendees? Financial institutions should ensure that financial documents and disclosures are available from a secure digital location – regulators may conduct portions of audits by secret shopping the paths consumers take.