MQMR, a CMC Preferred Partner, guides mortgage lenders
through the complex regulatory environment.

CMC Patrons receive a 10% discount on MQMR's compliance, internal audit & advisory services as well as a 20% discount on Vendor Management software fees.

MQMR’s goal in every review is to elevate performance and promote accountability.

Vendor Management

HQ Vendor Management (HQVM) supports lenders in meeting their third party oversight requirements.

Servicing QC and Subservicer Oversight

Subsequent QC, LLC (“SQC”) is an audit solution that focuses exclusively on managing servicing risk through servicing quality control, subservicer audits, and servicing operational due diligence.

Compliance Support

MQMR assists lenders in developing, building, and maintaining a comprehensive compliance management system, including but not limited to AML audits, LO Comp review, advertising/marketing reviews, compliance audits, and developing policies & procedures.

Internal Audit

MQMR conducts internal audits to identify credit, regulatory, operational, financial, and reputational risks, and ensure seller/servicers are meeting their GSE internal audit requirements.

Frequently Asked Questions

1What is Internal Audit and is it a requirement for mortgage lender?
A: Internal Audit is a function within an organization that independently evaluates the risks to the organization and the control environment that is in place. Typically, Internal Audit reports directly to the Board of Directors or Senior Management and is separate from all other departments to ensure that the evaluation remains independent.

Internal Audit is required if you are approved or seeking approval from any of the GSEs, and it is also becoming a requirement for some states. A common deficiency in a Fannie Mae or Freddie Mac review is an inadequate or non-existent internal audit program.

Entities approved or seeking to become approved with the GSEs must have, at a minimum, the following three items:

i. Risk Assessment - an assessment that evaluates the various risks of an organization, which may include, but is not limited to, reputational risk, compliance risk, fraud, etc.; and takes into consideration various factors such as past audit results, regulatory requirements, potential for fraud, experience of personnel, growth trends, and date of the last internal audit.
ii. Policies and Procedures - an Internal Audit Policy and Procedure charter should be approved by the Board of Directors and put into place.
iii. Audit Plan - a minimum 12-month audit plan should be developed which outlines ongoing audits to be performed. The audit plan should identify low, moderate, and high-risk areas, and the timeline for auditing those areas.

2What is the difference between QC and Internal Audit?
A: A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in either their origination or servicing functions. A QC audit looks at the end product, regardless if the process is credit or compliance focused. Generally, you find that QC audits, which are basic forms of transactional testing, are narrower in scope than Internal Audits, which tend to be broader in scope. Internal Audits identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. When Internal Auditors test controls in a process, they are not necessarily looking at the end product like a QC audit, but rather looking at the controls within a process to ensure the end product is attained and all investor guidelines, laws and regulations and industry best practices are followed.
3Are both banks and nonbanks required to perform an independent audit of their anti-money laundering (“AML”) program? What are the requirements for such audit?
A: Yes, the Bank Secrecy Act (“BSA”) requires all residential mortgage lenders and originators to perform an independent review or audit of their AML program. Although the BSA does not specifically set forth the time frame for performing such testing, the Federal Financial Institutions Examination Council (“FFIEC”) indicated that sound practice is for an entity to perform an independent audit of its AML program at least every 12-18 months, commensurate with the entity’s risk profile.

Testing must be performed by both an independent and qualified party. While this does not mean the audit cannot be performed by an employee, the individual or individuals completing the audit must be fully familiar with AML requirements and cannot be involved in any of the AML functions of the Company. As such, the Company designated AML Officer would be unable to perform the audit. For this reason, many entities engage outside service providers to perform independent audits of their AML program.

Whoever performs the review should report directly to the entity’s Board of Directors or Executive Management. Testing should cover all of the entity’s activities and the results should be sufficiently detailed to assist the Board of Directors and/or Executive Management in identifying areas of weakness so that improvements may be made and additional controls may be established. Among other items, the Company’s written policies and procedures should be reviewed as well as the qualifications of the AML Officer and the Company’s training materials and attendance logs.

In recent years, state regulators have commenced examining the AML programs of their supervised entities more closely. In particular, many states now require entities to produce AML policies and procedures, as well as AML risk assessments and independent AML audit results as part of examinations. Failure to maintain these documents can oftentimes result in an adverse finding. Some states also maintain their own money laundering regulations, such as California, Florida, New Jersey, and Texas.

Most recently, on June 30, 2016, New York State’s Department of Financial Services (“NYADFS”) issued a final Anti-Terrorism Transaction Monitoring and Filtering Program regulation. The new regulation, which goes into effect January 1, 2017, requires regulated institutions (banks, check cashers and money transmitters) to maintain a Transaction Monitoring Program that monitors transactions for potential BSA/AML violations and Suspicious Activity Reporting. The regulated entities will have to annually submit a board resolution or senior officer compliance finding to the NYSDFS confirming the steps taken to ascertain compliance with this regulation. Nonbank mortgage lenders and originators are not currently covered by this regulation.

4As a Master servicer, am I required to perform loan level QC on my portfolio?
A: Yes, A lender must ensure that its sub-servicer is compliant with RESPA, TILA, investor guidelines, CFPB guidelines, FDCPA, UDAAP, and other state and federal laws and regulations. Fannie Mae and Freddie Mac require that all servicers have QC procedures in place but the decision on how to implement the QC procedures is left to the lender. FHA guidelines are much more explicit. Prior to being replaced by the HUD 4000.1 Handbook in September 2015, HUD Chapter 7-10 (page 13) outlined the servicing QC requirements for the various AOIs (areas of interest) that master servicers were required to audit on an ongoing basis. Loans selected for servicing reviews must be reviewed within 60 days from the end of the month in which the loan was selected.
5As a master servicer, am I required to perform an onsite review of my subservicer?
A: Yes. The CFPB, OCC, FDIC and GSEs require lenders to perform oversight on their vendors. As a master servicer, your subservicer should be considered a high-risk vendor and it is a best practice to perform on-site assessments on an annual basis. Operational assessments allow the master servicer to ensure that the subservicer has the proper written policies and procedures and internal controls to ensure the subservicer is complying with the various federal and state laws. In the event the master servicer does not have the servicing and vendor management subject matter experts to perform ongoing reviews, it is a best practice to outsource the oversight to third parties that do have the expertise.
6As a lender, am I required to audit my Document Custodian on a regular basis?
A: Yes, a lender should review a document custodian from a vendor management risk stand point. In addition, Ginnie Mae is explicit in its requirements for each issuer to review their Document Custodians. The Ginnie Mae MBS Guide (Chapter 6, 2000.04 Rev-2 CHG-20) requires an onsite Document Custodian audit by a seller-servicer at least annually if more than one Document Custodian is utilized. All Document Custodians must be audited within a three-year cycle. The review must be comprehensive because the Document Custodian is essentially a vendor of the pool issuer. When conducting an audit, at a minimum, the following areas should be addressed:

i. Deficiencies are identified and appropriately mitigated;
ii. Management and staff possess adequate knowledge to perform in a custodial capacity;
iii. The Document Custodian has established controls, policies and procedures;
iv. The Document Custodian meets the minimum requirements as determined by GNMA;
v. The Document Custodian is issuing Final Pool Certifications in a timely manner as required by GNMA;
vi. Recorded modified documents and reinstated loans have had documents inserted into the pool or removed from the pool; and
vii. A loan-level review from a selection of pools is conducted. Files must be reviewed to ensure that the collateral file is intact and contains all the necessary original documents and endorsements.

For most lenders, these areas are not a key area of expertise; therefore, outsourcing to third parties that have the expertise is a common practice. External auditors can be an effective way to ensure the Document Custodian is compliant with Ginnie Mae guidelines.

We understand the Government Monitoring Information (“GMI”) answer options have changed with the new HMDA rules, but can you explain our reporting obligations?
Under the new HMDA rules, if an applicant chooses not to provide information related to his/her sex, race and/or ethnicity and the application is taken in person or by electronic media with video component, you must now report how you collected such information (i.e. whether reported based on visual observation/surname or not).

If an applicant chooses to answer these questions, you must allow the applicant to provide more than one ethnicity and race and you must allow the applicant to self-identify using both aggregated categories and disaggregated ethnic and racial subcategories.

For example,

  • Aggregated Category: Hispanic or Latino
  • Disaggregated Subcategories: Mexican, Puerto Rican, Cuban, etc.

Additionally, applicants must be permitted to provide ethnicity and/or race information that is not provided for on the collection form (i.e. free form text). However, if the applicant chooses not to answer and you identify based on visual observation or surname you cannot use the disaggregated subcategories.

The HMDA Rule provides a transition provision that allows a financial institution to report the applicant’s ethnicity, race, and sex under the new HMDA rule requirements in effect at the time that the financial institution collects the information, not when the financial institution takes final action on the application. Thus, if a financial institution receives an application prior to January 1, 2018, but final action is taken on or after January 1, 2018, the financial institution complies with the new rules if it collects the information in accordance with the requirements in effect at the time the information was collected.

Many financial institutions have begun to require the collection of the new GMI information and adopted the use of the Demographic Information Addendum issued by Fannie Mae. If you intend to use this document, the Agencies advised that you should cross out or delete Section X of the Uniform Residential Loan Application (“URLA”) and replace it with the Addendum. The Addendum may be found at
Currently, the Know Before You Owe/TILA-RESPA Integrated Disclosure Rule (“TRID”) does not permit changes to a Closing Disclosure (“CD”) to cure a tolerance violation more than four (4) business days prior to consummation. Did the 2017 TILA-RESPA Rule eliminate this issue known as the “Black Hole”?
No. Although the proposed 2017 TILA-RESPA Rule included language which would have permitted a lender to reset tolerances using a CD at any time, so long as the lender issued a corrected CD within three (3) business days of learning of a valid Change of Circumstance, this language was removed from the final 2017 TILA-RESPA Rule.

Rather, the CFPB issued a separate proposal to address the “Black Hole” issue and has asked the industry to comment on various issues, including:

  1. how the current four business day timing element has prevented creditors from resetting tolerances;
  2. the costs involved when the timing element has prevented creditors from resetting tolerances; and
  3. whether creditors are providing the initial CD so that it is received “substantially before the required three business days prior to consummation with terms and costs that are nearly certain to be revised."
Lenders who have repeatedly been forced to absorb increased costs when closings are delayed will need to monitor whether this proposal is adopted by the CFPB.
I heard that the CFPB issued the final 2017 TILA –RESPA Rule which clarified and amended certain mortgage disclosure provisions under TRID. What is the effective date of the amendments?
The 2017 TILA-RESPA Rule was effective on October 10, 2017; however compliance was not mandatory on the effective date. Compliance with the 2017 TILA-RESPA Rule is mandatory for transactions for which a creditor or mortgage broker receives an application on or after October 1, 2018. It should be noted though that requirements for some post-consummation disclosures (Partial Payment Disclosure and Escrow Closing Notice) apply starting October 1, 2018 without regard to the application date.

Notwithstanding the October 1, 2018 mandatory compliance date, the 2017 TILA-RESPA Rule allows for optional compliance any time after October 10, 2017. During the optional compliance period, the provisions of the 2017 TILA-RESPA Rule can be implemented all at once or phased in over time. Given that many aspects of the 2017 TILA-RESPA Rule are favorable to creditors and mortgage brokers, it may be beneficial to phase in some of the amendments into the lending process prior to others.
How do I ensure my subservicer is following its policies and procedures?
The GSEs require all subservicers to follow GSE guidelines when servicing loans. When utilizing a subservicer, the master servicer should have an oversight policy in place to ensure compliance. The policy should establish the master servicer’s servicing Quality Control (“QC”) Program and include, at a minimum:

  • Procedures demonstrating how the master servicer verifies that the subservicer is actually following its own procedures;
  • An explanation of how the master servicer implements quality control audits and when and how often such audits will be performed;
  • A method to track subservicer servicing errors and deficiencies, as well as any remediation plans; and
  • As a best practice, an annual onsite visit that permits the master servicer to sit with key subservicing staff to understand the staff’s day-to-day process and reconcile it against the subservicer’s written policies and procedures.
Subservicer deficiencies may range from warnings to heavy fines up to and including loss of the ability to service loans, therefore, it is important to ensure proper subservicer oversight and monitoring.
Am I required to ensure that NMLS Unique Identifiers appear on my employees' LinkedIn, Facebook and other Social Media pages?

To the extent the name of your company appears on any social media utilized by a mortgage loan originator (“MLO”), the company’s NMLS Unique Identifier should be set forth in a clear and conspicuous manner. We are even aware that, most recently, some state banking departments, such as New Mexico and Oklahoma, have fined lenders where their unlicensed employees failed to list the company’s NMLS Unique Identifier on personal social media pages that listed the company’s name.

With respect to the NMLS Unique Identifier of a MLO, it is a best practice to list it on the MLO’s personal social media pages if the MLO mentions that he or she is a loan originator working on behalf of the company. It should be noted, however, that the requirement to list the NMLS Unique Identifier may depend on what is stated on the MLO’s personal social media page as well as the states in which the company and/or MLO operate. Any commercial message promoting a credit transaction must adhere to all state and federal advertising rules which exceed merely listing the company’s and MLO’s NMLS Unique Identifier.

So how do you manage this? It is a best practice to determine what social media pages a MLO utilizes at the time of onboarding, in addition to ensuring the MLO knows and understands the company’s social media and advertising rules. It is also essential that you train your MLOs and entire staff on both federal and state advertising requirements. This should be done at initial hire, follow with consistent reminders (no less than semi-annually), as well as annual recurring training. You should also perform random social media audits and monitoring to identify any possible violations and prove to regulators that you are proactive in monitoring social medial compliance. Additionally, it is a best practice to ensure any MLO departing the company (voluntarily or involuntarily) removes his or her affiliation with your company in a timely manner, so as to avoid potential UDAAP (Unfair Deceptive Abuse Acts and Practices) issues.

Case Studies & Testimonials



"We needed a solution, searched the market, and found that MQMR provided a robust platform, truly understood counterparty risk, and was willing to accommodate our needs. We are overly satisfied with MQMR and look forward to further refinement to our vendor management program."

- Jim Svinth, EVP of Enterprise Risk Management at LoanDepot


Case Study #1

Problem Statement: Lender-Placed Insurance caused a borrower’s PITI payment to double. To compound the problem, the borrower’s primary language is Spanish therefore the Lender-Placed Insurance letters (which were in English) went unanswered. The increase in the borrower’s PITI caused the borrower to default on the loan.

Approach: SQC identified the loan through a Customer Service audit. A review of the customer service call prompted an expanded review of the circumstances which lead to the Lender-Placed Insurance.

Results: The review of the Lender-Placed Insurance circumstances allowed SQC to create a “Red Flag” memo explaining the timeline of events and the circumstances that lead to the doubling of the borrower’s PITI to the client. The client was able to intervene with their Sub Servicer, obtain a less expensive hazard insurance policy for the borrower, which resulted in halting a foreclosure.

Criteria and Performance: This loan highlights SQC’s multidisciplinary approach. The loan was originally reviewed under an unrelated Area of Interest (Customer Service) but still identified Lender Placed Insurance defects. The Customer Service call was related to why the borrower’s payment increased. This prompted SQC auditors to review additional aspects of the loan which revealed a large increase in the borrower’s PITI. All SQC auditors are cross-trained on all AOIs. This additional experience allowed the SQC auditors to identify a problem in servicing that did not match any traditional servicing area, as no specific servicing guideline or compliance guideline was violated.


Collaborative Webinars


The Depth of Vendor Management

CMC and MQMR collaborated on a November, 2016 webinar discussing best practices of vendor management and third-party oversight.

Listen to Webinar Recording>>

Learn More About Our Partnership

CMC provides exclusive offerings and value-added services to mortgage lenders nationwide. Therefore, we work together with MQMR to bring tangible benefits to CMC’s cooperative membership. Our alliance with MQMR provides Patrons with a myriad of mortgage solutions, and supports CMC’s ongoing commitment to continue partnering with highly respected companies.

Have questions? Contact us for more details and information about CMC Patron pricing.

Andy Rucks

Vendor Relations Manager
T: 904.404.3557     M: 904.293.7350