MQMR, a CMC Preferred Partner, guides mortgage lenders
through the complex regulatory environment.

CMC Patrons receive a 10% discount on MQMR's compliance, internal audit & advisory services as well as a 20% discount on Vendor Management software fees.

MQMR’s goal in every review is to elevate performance and promote accountability.

Vendor Management


HQ Vendor Management (HQVM) supports lenders in meeting their third party oversight requirements.

Servicing QC and Subservicer Oversight


Subsequent QC, LLC (“SQC”) is an audit solution that focuses exclusively on managing servicing risk through servicing quality control, subservicer audits, and servicing operational due diligence.

Compliance Support


MQMR assists lenders in developing, building, and maintaining a comprehensive compliance management system, including but not limited to AML audits, LO Comp review, advertising/marketing reviews, compliance audits, and developing policies & procedures.

Internal Audit


MQMR conducts internal audits to identify credit, regulatory, operational, financial, and reputational risks, and ensure seller/servicers are meeting their GSE internal audit requirements.

Frequently Asked Questions

1What is Internal Audit and is it a requirement for mortgage lender?
A: Internal Audit is a function within an organization that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.


Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

i. Risk Assessment - an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, potential for fraud, experience of personnel, growth trends, and date of the last internal audit.
ii. Policies and Procedures - an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place.
iii. Audit Plan - a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed. The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas.

2What is the difference between QC and Internal Audit?
A: A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in either their origination or servicing functions. A QC audit looks at the end product, regardless if the process is credit or compliance focused. Generally, you find that QC audits, which are basic forms of transactional testing, are narrower in scope than Internal Audits, which tend to be broader in scope. Internal Audits identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. When Internal Auditors test controls in a process, they are not necessarily looking at the end product like a QC audit, but rather looking at the controls within a process to ensure the end product is attained and all investor guidelines, laws and regulations and industry best practices are followed.
3Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?
A: Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.


Testing must be performed by both an independent and qualified party. While this does not mean the audit cannot be performed by an employee, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the Company’s written policies and procedures should be reviewed as well as the qualifications of the AML Officer and the Company’s training materials and attendance logs.

In recent years, state regulators have commenced examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, as well as AML risk assessments and independent AML audit results as part of examinations. Failure to maintain these documents can oftentimes result in an adverse finding. Some states also maintain their own money laundering regulations, such as California, Florida, New Jersey, and Texas.

Most recently, on June 30, 2016, New York State’s Department of Financial Services (“NYADFS”) issued a final Anti-Terrorism Transaction Monitoring and Filtering Program regulation. The new regulation, which goes into effect January 1, 2017, requires regulated institutions (banks, check cashers and money transmitters) to maintain a Transaction Monitoring Program that monitors transactions for potential BSA/AML violations and Suspicious Activity Reporting. The regulated entities will have to annually submit a board resolution or senior officer compliance finding to the NYSDFS confirming the steps taken to ascertain compliance with this regulation. Nonbank mortgage lenders and originators are not currently covered by this regulation.

4As a Master servicer, am I required to perform loan level QC on my portfolio?
A: Yes, A lender must ensure that its sub-servicer is compliant with RESPA, TILA, investor guidelines, CFPB guidelines, FDCPA, UDAAP, and other state and federal laws and regulations. Fannie Mae and Freddie Mac require that all servicers have QC procedures in place but the decision on how to implement the QC procedures is left to the lender. FHA guidelines are much more explicit. Prior to being replaced by the HUD 4000.1 Handbook in September 2015, HUD Chapter 7-10 (page 13) outlined the servicing QC requirements for the various AOIs (areas of interest) that master servicers were required to audit on an ongoing basis. Loans selected for servicing reviews must be reviewed within 60 days from the end of the month in which the loan was selected.
5As a master servicer, am I required to perform an onsite review of my subservicer?
A: Yes. The CFPB, OCC, FDIC and GSEs require lenders to perform oversight on their vendors. As a master servicer, your subservicer should be considered a high-risk vendor and it is a best practice to perform on-site assessments on an annual basis. Operational assessments allow the master servicer to ensure that the subservicer has the proper written policies and procedures and internal controls to ensure the subservicer is complying with the various federal and state laws. In the event the master servicer does not have the servicing and vendor management subject matter experts to perform ongoing reviews, it is a best practice to outsource the oversight to third parties that do have the expertise.
6As a lender, am I required to audit my Document Custodian on a regular basis?
A: Yes, a lender should review a document custodian from a vendor management risk stand point. In addition, Ginnie Mae is explicit in its requirements for each issuer to review their Document Custodians. The Ginnie Mae MBS Guide (Chapter 6, 2000.04 Rev-2 CHG-20) requires an onsite Document Custodian audit by a seller-servicer at least annually if more than one Document Custodian is utilized. All Document Custodians must be audited within a three-year cycle. The review must be comprehensive because the Document Custodian is essentially a vendor of the pool issuer. When conducting an audit, at a minimum, the following areas should be addressed:

i. Deficiencies are identified and appropriately mitigated;
ii. Management and staff possess adequate knowledge to perform in a custodial capacity;
iii. The Document Custodian has established controls, policies and procedures;
iv. The Document Custodian meets the minimum requirements as determined by GNMA;
v. The Document Custodian is issuing Final Pool Certifications in a timely manner as required by GNMA;
vi. Recorded modified documents and reinstated loans have had documents inserted into the pool or removed from the pool; and
vii. A loan-level review from a selection of pools is conducted. Files must be reviewed to ensure that the collateral file is intact and contains all the necessary original documents and endorsements.

For most lenders, these areas are not a key area of expertise; therefore, outsourcing to third parties that have the expertise is a common practice. External auditors can be an effective way to ensure the Document Custodian is compliant with Ginnie Mae guidelines.

Featured Compliance Hot Topics

How do I ensure my subservicer is following its policies and procedures?
The GSEs require all subservicers to follow GSE guidelines when servicing loans. When utilizing a subservicer, the master servicer should have an oversight policy in place to ensure compliance. The policy should establish the master servicer’s servicing Quality Control (“QC”) Program and include, at a minimum:

  • Procedures demonstrating how the master servicer verifies that the subservicer is actually following its own procedures;
  • An explanation of how the master servicer implements quality control audits and when and how often such audits will be performed;
  • A method to track subservicer servicing errors and deficiencies, as well as any remediation plans; and
  • As a best practice, an annual onsite visit that permits the master servicer to sit with key subservicing staff to understand the staff’s day-to-day process and reconcile it against the subservicer’s written policies and procedures.
Subservicer deficiencies may range from warnings to heavy fines up to and including loss of the ability to service loans, therefore, it is important to ensure proper subservicer oversight and monitoring.
Can you provide clarification on the definition of “Preapproval” under the new HMDA rules and information regarding reporting requirements?
Effective January 1, 2018, the new HMDA rule expands the types of preapproval requests that are reportable. Lenders who are required to file now must report preapproval requests that are approved but not accepted (this used to be optional). However, preapproval requests regarding home purchase loans to be secured by multifamily dwellings, preapproval requests for open-end lines of credit, and preapproval requests for reverse mortgages are not reportable under the new HMDA requirements.

You must report preapproval requests for home purchase loans (not for multifamily, open-end lines of credit or reverses) if reviewed under a preapproval program.

A preapproval program is a program in which you (1) conduct a comprehensive analysis of the applicant’s creditworthiness (including income verification), resources, and other matters typically reviewed as part of your normal credit evaluation program; and then (2) issue a written commitment that: (a) is for a Home Purchase Loan; (b) is valid for a designated period of time and up to a specified amount, and (c) is subject only to specifically permitted conditions. Specifically permitted conditions include:

  • Conditions that require the identification of a suitable property;
  • Conditions that require that no material change occur regarding the applicant’s financial condition or creditworthiness prior to closing; and
  • Limited conditions that (a) are not related to the applicant’s financial condition or creditworthiness and (b) you ordinarily attach to a traditional home mortgage application (such as requiring an acceptable title insurance binder or a certificate indicating clear termite inspection and, if the applicant plans to use the proceeds from the sale of the applicant’s present home to purchase a new home, a settlement statement showing adequate proceeds from the sale of the present home).

Preapproval requests reviewed under a preapproval program are only reported if denied or approved but not accepted. The CFPB indicated if you do not regularly use procedures to consider requests but instead consider requests on an ad hoc basis, you are not required to treat the ad hoc requests as having been reviewed under a preapproval program. However, you should be generally consistent in following uniform procedures for considering such ad hoc requests.
I understand the new HMDA rules require reporting of automated underwriting system (AUS) information effective January 1, 2018, but how do you determine what to report if we use more than one AUS or pull results several times?
The new HMDA rules require the reporting of AUS information if a mortgage lender used an AUS to evaluate the application. Below are guidelines for determining which AUS or AUSs and which result or results to report in such a case:

  • Determine whether the AUS used to evaluate the application matches the loan type reported (i.e. Total Scorecard for an FHA loan). If so, determine whether you obtained only one result from that AUS. If so, report that information.
  • If you used an AUS that does not match the loan type reported or if you obtained more than one result from the AUS that matches the loan type reported, determine whether an AUS that was used to evaluate the application matches the purchaser, insurer, or guarantor (if any) for the loan (i.e. Desktop Underwriter for a loan that Fannie Mae purchased). If so, and you obtained only one result from that AUS report that information.
  • If you did not use an AUS that matches the purchaser, insurer, or guarantor or if you obtained multiple results from an AUS that matches the purchaser, insurer, or guarantor or loan type, you report the result that is closest in time to the credit decision and the AUS that generated that result.
If you simultaneously obtain multiple results closest in time to the credit decision, you report each of the multiple AUS results that you obtained and the AUSs that generated each of those results up to a total of 5 results and 5 AUSs. You should never report more than 5 results or 5 AUSs (in such case, only choose 5 AUSs and 5 results to report).
Am I required to ensure that NMLS Unique Identifiers appear on my employees' LinkedIn, Facebook and other Social Media pages?

To the extent the name of your company appears on any social media utilized by a mortgage loan originator (“MLO”), the company’s NMLS Unique Identifier should be set forth in a clear and conspicuous manner. We are even aware that, most recently, some state banking departments, such as New Mexico and Oklahoma, have fined lenders where their unlicensed employees failed to list the company’s NMLS Unique Identifier on personal social media pages that listed the company’s name.

With respect to the NMLS Unique Identifier of a MLO, it is a best practice to list it on the MLO’s personal social media pages if the MLO mentions that he or she is a loan originator working on behalf of the company. It should be noted, however, that the requirement to list the NMLS Unique Identifier may depend on what is stated on the MLO’s personal social media page as well as the states in which the company and/or MLO operate. Any commercial message promoting a credit transaction must adhere to all state and federal advertising rules which exceed merely listing the company’s and MLO’s NMLS Unique Identifier.

So how do you manage this? It is a best practice to determine what social media pages a MLO utilizes at the time of onboarding, in addition to ensuring the MLO knows and understands the company’s social media and advertising rules. It is also essential that you train your MLOs and entire staff on both federal and state advertising requirements. This should be done at initial hire, follow with consistent reminders (no less than semi-annually), as well as annual recurring training. You should also perform random social media audits and monitoring to identify any possible violations and prove to regulators that you are proactive in monitoring social medial compliance. Additionally, it is a best practice to ensure any MLO departing the company (voluntarily or involuntarily) removes his or her affiliation with your company in a timely manner, so as to avoid potential UDAAP (Unfair Deceptive Abuse Acts and Practices) issues.

Case Studies & Testimonials

 

Testimonial


"We needed a solution, searched the market, and found that MQMR provided a robust platform, truly understood counterparty risk, and was willing to accommodate our needs. We are overly satisfied with MQMR and look forward to further refinement to our vendor management program."

- Jim Svinth, EVP of Enterprise Risk Management at LoanDepot

 
 

Case Study #1


Problem Statement: Lender-Placed Insurance caused a borrower’s PITI payment to double. To compound the problem, the borrower’s primary language is Spanish therefore the Lender-Placed Insurance letters (which were in English) went unanswered. The increase in the borrower’s PITI caused the borrower to default on the loan.


Approach: SQC identified the loan through a Customer Service audit. A review of the customer service call prompted an expanded review of the circumstances which lead to the Lender-Placed Insurance.

Results: The review of the Lender-Placed Insurance circumstances allowed SQC to create a “Red Flag” memo explaining the timeline of events and the circumstances that lead to the doubling of the borrower’s PITI to the client. The client was able to intervene with their Sub Servicer, obtain a less expensive hazard insurance policy for the borrower, which resulted in halting a foreclosure.

Criteria and Performance: This loan highlights SQC’s multidisciplinary approach. The loan was originally reviewed under an unrelated Area of Interest (Customer Service) but still identified Lender Placed Insurance defects. The Customer Service call was related to why the borrower’s payment increased. This prompted SQC auditors to review additional aspects of the loan which revealed a large increase in the borrower’s PITI. All SQC auditors are cross-trained on all AOIs. This additional experience allowed the SQC auditors to identify a problem in servicing that did not match any traditional servicing area, as no specific servicing guideline or compliance guideline was violated.

 

Collaborative Webinars

 
MQMR_VM_Webinar

The Depth of Vendor Management

CMC and MQMR collaborated on a November, 2016 webinar discussing best practices of vendor management and third-party oversight.

Listen to Webinar Recording>>
 

Learn More About Our Partnership

CMC provides exclusive offerings and value-added services to mortgage lenders nationwide. Therefore, we work together with MQMR to bring tangible benefits to CMC’s cooperative membership. Our alliance with MQMR provides Patrons with a myriad of mortgage solutions, and supports CMC’s ongoing commitment to continue partnering with highly respected companies.


Have questions? Contact us for more details and information about CMC Patron pricing.

Andy Rucks

Vendor Relations Manager


arucks@capmkts.org
T: 904.404.3557     M: 904.293.7350