OFFICIAL PUBLICATION OF THE AMERICAN LEGAL & FINANCIAL NETWORK VOI. III / ISSUE I
YOU’RE NOT ALONE PAGE 26
NEW STATE LAWS PAGE 8
VENDOR OVERSIGHT PAGE 34
NEW P.O.C. FORMS PAGE 22
WHEN IT COMES TO MEMBER ADVOCACY, WE STAND UNITED.
FOUR INDUSTRY-LEADING ASSOCIATIONS COMING TOGETHER WITH COMMON PURPOSE. BE A PART OF SOMETHING TRULY MONUMENTAL. REGISTER NOW FOR ADVOCACY DAY AT ALFN.ORG/ADV16
TOP LEVEL SPONSOR
6 / ANGLE
BOLD PERSPECTIVES FROM UNIQUE ANGLES Over the last year we’ve consulted with our members, seriously considered the current state and future of our industry, and taken a close look at each of our events, publications, programs and content. By doing so we have evaluated our entire approach to delivering member value and benefits. We’ve slowly rolled out a brand refresh and updates across nearly every offering of the ALFN and those efforts culminated with a brand-new ALFN.org that offers a comprehensive look at our membership benefits and the content, events, publications, education and networking the ALFN provides for its members and the larger mortgage servicing industry. We’ve upped our game on content with a shift to a quarterly magazine, the ALFN ANGLE. Our volunteer opportunities have expanded with the creation of new member-driven groups, and we are pleased to see that member volunteerism is at an all-time high. Our efforts creating new member groups have won the ALFN recognition from the association industry with an ASAE Power of A gold award for our young professionals network, JPEG. In that same vein, we’ve launched Women in Legal Leadership (WILL) and expanded our face-toface event programming with this spring’s WILLPOWER Summit in conjunction with our annual Advocacy Day. We’ve kept in place some of our most popular member services including: industry-leading webinars, member booth space at the MBA’s National Mortgage Servicing Conference, TEACH regional trainings and an expanded, robust servicer on-site training program, among many others. You’ll find information on all that at the new ALFN.org. Most exciting are the changes yet to come with a refresh of our annual conference, ANSWERS. We’re increasing our educational offerings by nearly 30% and adding networking and experiential sponsorship opportunities throughout the entire conference. This year we’re celebrating fifteen years of service to the mortgage servicing industry. To us, and our members, it’s an appropriate time to assess our noteworthy past achievements and look forward to an exciting future as we grow and expand to better serve our members and lead our industry as the go-to legal resource for creditors’ rights. As always, we appreciate and value your membership and contributions to the ALFN. MATT BARTEL PRESIDENT & CEO, ALFN
PUMP UP THE VOLUME Page 22
VENDOR MANAGEMENT STRATEGIES
PLEASE USE CORRECT CHANGE
TEXAS FORECLOSURE LAWS Page 8
FOREGONE CONCLUSION PROGRAM VS. POLICY Page 34
CYBERSECURITY BECOMES MAJOR PRIORITY Page 26
UPCOMING EVENTS #WILLPOWER
ALFN’s newest member-based group, Women in Legal Leadership (WILL), will host its inaugural summit April 18, 2016 in Washington, D.C. at the Georgetown Westin in conjunction with Advocacy Day 2016. Register online at ALFN.org.
ALFN members will return to Washington, D.C. for the association’s annual legislative & regulatory policy summit held April 18-19, 2016 at the Westin Georgetown. Registration is now open on ALFN.org. Advocacy Day 2016 is co-hosted with USFN, REOMAC and the National Creditors’ Bar Association (NARCA).
ANSWERS 2016 will be held this July 17-20 at the Omni Grove Park Inn in Asheville, North Carolina. Registration is now open and details can be found at ALFNANSWERS.org
TEACH CINCINNATI & DALLAS
Save the date for the 2016 TEACH Cincinnati, scheduled for September 7 and TEACH Dallas for November 15. Registration opens Summer 2016.
MEMBER OPPORTUNITIES NEW ALFN.ORG
In early January the ALFN launched an entirely new website and member portal. Learn more about the new site’s features on page X or visit ALFN.org to login.
ANSWERS CALL FOR PROPOSALS & SPEAKERS
On February 1 the ALFN open the 2016 call for proposals and speakers for ANSWERS 2016. Visit ALFNANSWERS.org to review details or submit a session or speaker proposal.
HOST AN ALFN WEBINAR
Each ALFN member can host one complimentary webinar on a topic of their choosing in a calendar year. Group members may participate in Group webinars at no additional cost. Login to ALFN. org to learn more about our webinar hosting policies and procedures.
JOIN AN ALFN GROUP
The ALFN offers members volunteer opportunities to expand their networks and to collaborate with other industry professionals. Join in whty any group and network with nearly 300 of your ALFN peers. Login to ALFN.org to sign-up.
PUBLICATION OPPORTUNITIES ANGLE MAGAZINE
The ANGLE is published digitally each quarter and in print twice a year (MBA National Mortgage Servicing Conference and ANSWERS). Login to ALFN.org to learn more about contributing to the ANGLE where your voice is heard by over 6,000 mortgage servicing profesionals.
ALFN.org offers a brand-new blog feature where the Association will highlight member news such as anniversaries, promotions, new hires, service additions or related announcements. Visit ALFN. org to learn more.
The Member Directory inlcudes free basic listings for all ALFN members. Members may additionally purchase enhanced half-page listings ($295); two page photo spread profile listings ($995); serve as a state editor ($1,295) or purchase full page ads ($795). The Member Directory is updated and printed twice each year and includes a searchable online database at ALFN.org.
MEMBERSHIP RENEWAL DUES REMINDER 2016 DUES INVOICED JANUARY 2
All 2016 renewal dues were invoiced January 2, 2016 and payable January 31, 2016. If you did not receive your invoice or would like to work out a payment plan, please contact us at email@example.com immediately, otherwise your membership will be at risk of cancellation.
UPGRADES AND ADDITIONS
If your firm is operating in multiple states you can add those states to your ALFN membership and promote your firm’s services in those additional states. If you’re working in more than three states the ALFN’s Enterprise Level membership category may be the most cost-effective membership category for your firm. Contact Liz Potter at firstname.lastname@example.org to learn more about adding additional states or moving up to Enterprise Level membership and its benefits for firms operating in three or more states.
MINI RECAPS OF RECENT ALFN UPDATES
NEW ALFN.ORG LAUNCHES In early January 2016 the ALFN launched a completely redesigned and brand-new website and member portal online at ALFN.org. The website includes a host of new services and functionality that makes membership easier and puts more ALFN content at your fingertips. Some highlights of the site’s new features include:
NEW MEMBER PORTAL
Once logged in, the new member portal includes quick links for members to join ALFN groups, access vital documents and policies, register for events, manage your company’s sub-account holders, and much, much more.
MEMBER UPDATES BLOG
The new homepage includes a new Member Blog where the ALFN will post member announcements like promotions, hirings, new service offerings, anniversaries, etc. Legal Updates will now get additional exposure in a blog format upon publication.
ALFN event registration is now integrated seamlessly into ALFN.org and your membership portal. Register multiple individuals from your organization with just a few clicks and access your receipts online via the member portal. Also included: a complete industry calendar of events so you can better manage and track your travel all in one place.
Our enhanced online directory now pairs enhanced listings with our print edition and is searchable by state, service, product or demographics like “women-owned”. Enhanced listings in the print edition also receive priority search result placement online. Plus: all purchases and renewals of enhanced listings are just a click away in the Directory Store.
Looking to hire industry professionals? Use the new ALFN.org job board to list your current positions and search for appropriate candidates. Postings require a nominal fee.
Event sponsorships can now be searched and purchased with just a few clicks in the ALFN Store.
With daily traffic from mortgage servicers and law firms, there’s no better place to centralize your online advertising efforts than ALFN.org. Contact Cade Holleman at email@example.com for rates or questions about any portion of the new ALFN. org, online event registration, e-commerce store or membership portal. Note: members should use the “Forgot your credentials?” link for pasword resets.
6 / ANGLE
FELTY & LEMBRIGHT, CO., LPA
During our many years representing creditors, the legal professionals at Felty and Lembright Co., L.P.A. have dealt with virtually every issue that could arise in representing a lender with regard to foreclosures, bankruptcies, real estate title and evictions. Since 2001, Freddie Mac (FHLMC) has been a representative client of Managing Partner Kriss Felty in Ohio, and the staff at Felty and Lembright Co., L.P.A., has always had delegated authority from Freddie Mac to handle default servicing and REO-related matters. Since 2011, Fannie Mae (FNMA) has also been representative client of the Firm. This experience has honed the Firm’s knowledge of industry standards, the legal processes and requirement for default-related services and REO-related services for Ohio. The Firm’s exclusive representation and experience in these areas have also developed a sophisticated understanding of the substantive legal issues lenders encounter in Ohio. Using state-of-the-art technology for process and timeline management, Felty & Lembright continues to enjoy vigorous growth and enjoys a reputation as one of Ohio’s premiere law firms representing national and local creditors, lenders and loan servicing companies. Felty & Lembright is certified by the NLGCC (National Lesbian and Gay Chamber of Commerce) as an LGBT-Owned and Operated Business Enterprise and diversity supplier. In late 2015 the Firm announced the addition of a third partner, Antonio Scarlato, Esq., (pictured, far left) who oversees the firm’s real estate default practice. Scarlato has been with the Firm since 2004 serving as the Firm’s Managing Attorney for the last seven years.
THE FIRM’S EXCLUSIVE REPRESENTATION AND EXPERIENCE IN THESE AREAS HAVE ALSO DEVELOPED A SOPHISTICATED UNDERSTANDING OF THE SUBSTANTIVE LEGAL ISSUES LENDERS ENCOUNTER IN OHIO. Felty & Lembright is also a significant supporter of the ALFN’s leadership role as an industry advocate. The firm has been a key participant for the last several years in the ALFN’s advocacy effort having participated in meetings with elected and appointed officials, and the firm’s Chief Compliance Counsel, Corey Danzig, Esq., served as the primary author of the 2015 Briefing Book, distributed to nearly 100 members of Congress, members of the Obama Administration, and regulators such as the Federal Housing Finance Agency (FHFA) and the Consumer Financial Protection Bureau (CFPB). CONTACT Mark R. Lembright, Esq. 1500 West Third St., Suite 400 Cleveland, OH 44113 (216) 588-1500, ext. 103 firstname.lastname@example.org www.feltyandlembright.com
PICTURED (L TO R) Antonio J. Scarlato, Esq., Partner (left); Leslie Detmayer, Forelcosure Manager & Director of Client Relations (center); Mark Lembright, Esq., Partner & Vice President (right).
8 / ANGLE
TWO HOUSE BILLS IMPACT TEXAS FORECLOSURE LAW CODILIS AND ASSOCIATES DISCUSSES UPDATES TO TEXAS FORECLOSURE LAWS by Adam Wilde, Esq., Codilis & Associates
2015 ENDED WITH SIGNIFICANT CHANGES TO TEXAS FORECLOSURE LAW. MOST SIGNIFICANTLY WERE HOUSE BILLS 2063 AND 2066. BELOW IS A SUMMARY OF EACH NEW LAW. HB 2063 amended the Texas Property Code to codify a new procedure allowing for a substitute trustee to be appointed through the notice of sale, changing the prior customary practice of recording a separate appointment of trustee. Under this new law, the appointment of the substitute trustee becomes effective the date of the notice, eliminating servicer’s recording costs and time delays associated with the recording of the appointment of
the substitute trustee. It also removes any ambiguities of when the appointment takes effect, thereby reducing litigation and prior confusion with recording appointments. The Bill was proposed through the Texas Real Estate Legislative Affairs Committee (“Committee”). In its final report, the Committee found that the practice of recording the substitution of trustee appointments created unnecessary confusion relating to which trustee had the authority to act in exercising the power of sale, concluding that many of the recorded substitution of trustee appointments were not received in time in order to proceed with foreclosure deadline and that only one third of properties posted for sale actually go to sale. The Committee also concluded that this practice resulted in the title records with recorded appointments related to sales that never occurred. The Com-
mittee indicated the purpose of the law was to “reduce confusion in land title records and provide a safe harbor to reduce litigation.”1 The new law sets forth a template for appointing the substitute trustee within the notice of sale. In order for the appointment to be effective through the notice of sale, the notice of sale must (1) comply with Texas Property Code 51.002 (Sale of Property) and 51.0075(e) (providing the name and street address of substitute trustee in the notice of sale); (2) be signed by an attorney or agent of the mortgagee or mortgage servicer; and (3) contain the following statement in all capital letters, boldface type to read as follows: THIS INSTRUMENT APPOINTS THE SUBSTITUTE TRUSTEE(S) IDENTIFIED TO SELL THE PROPERTY DESCRIBED IN THE SECURITY INSTRUMENT IDEN-
1 See Bill Analysis, C.S.H.B. 2063, Oliveira Business & Industry Committee Report.
TIFIED IN THIS NOTICE OF SALE THE PERSON SIGNING THIS NOTICE IS THE ATTORNEY OR AUTHORIZED AGENT OF THE MORTGAGEE OR MORTGAGE SERVICER.
HB 2066 created section 51.016 to the Texas Property Code, and establishes procedures for the rescission of a non-judicial foreclosure sale on residential property. Under prior law, in order to rescind a sale, the parties were obligated to either agree to rescind or litigate the sale’s validity. The legislative committee reports supporting the law found that certain conditions not known at the time of the sale could affect the validity of sale and encumber title such as a cure of the default, an agreement to postpone the sale was reached between the parties (most likely based on loss mitigation procedures), a bankruptcy stay was in effect, or a probate action was pending. Under the new law, 51.016 sets forth a consistent method for a mortgagee to promptly rescind a non-judicial foreclosure sale without requiring an agreement by the parties or litigation that includes the following requirements: (1) 51.016(a) The property must be residential real property; (2) 51.016(b) Reasons for rescission: a. The statutory requirements for the sale were not satisfied; b. The default was cured before the sale; c. A receivership or dependent probate administration was pending at the time of the sale; d. A condition of the sale was not met; e. The mortgagee (or mortgage servicer) agreed prior to the sale to cancel the sale based on an enforceable written agreement by the debtor to cure the default; or f. An automatic stay or court order was in effect against a person with an interest in the property. (3) 51.016(c) Notice requirement: Within 15 days after the date of sale the rescinding party must serve notice of rescission describing the reason for rescission and include recording information (if applicable). Notice shall be
sent to: a. The third party purchaser (if applicable); b. Each debtor who is obligated to pay the debt; and c. File each notice of rescission in the county recorder’s office where property is located. (4) 51.016(d) Notices must be served by certified mail and is completed when deposited and addressed to the purchased or debtor at their last known address. An affidavit of mailing serves as prima facie evidence. (5) 51.016(e) Return of funds: mort-
purchaser protection. If a mortgagee complies with the statutory requirements, a third party purchaser/mortgagor has 30 days to challenge the validity of the sale from the date the notice of rescission is recorded. The statute also limits the damages of any rescission challenge from a third party purchaser to the amount of the bid plus statutory interest at 10 percent per year and prevents any specific performance remedies from the third party purchaser. Should a mortgagee properly comply with the procedural requirements in 51.016, the rescission returns the mortgagee/mortgagor to
THE COMMITTEE ALSO CONCLUDED THAT THIS PRACTICE RESULTED IN THE TITLE RECORDS WITH RECORDED APPOINTMENTS RELATED TO SALES THAT NEVER OCCURRED. THE COMMITTEE INDICATED THE PURPOSE OF THE LAW WAS TO “REDUCE CONFUSION IN LAND TITLE RECORDS AND PROVIDE A SAFE HARBOR TO REDUCE LITIGATION.”
gagee shall return the funds within five days after the date the rescission of the foreclosure sale is recorded. Mortgagee may return funds via certified mail, wire transfer, or courier service. It is considered returned upon depositing in mail, with the courier service, or ordering the wire transfer. (6) 51.016(f) requires an affidavit of mailing (or wiring) regarding the return of funds to be recorded in the county recorder where property is located. Doing so serves as prima facie evidence. Any bona fide purchaser, lender or title insurer is entitled to rely conclusively on the record of the filed affidavit and notice and is entitled to bona fide
the state they occupied as if no sale occurred, without the necessity of a court order or additional agreement between the parties. Codilis & Associates is an ALFN member in Illinois. The Codilis affiliated firms also serve Illinois, Missouri, and Texas and provide end-to-end creditors’ rights services to mortgage lenders and servicers in the default servicing industry. Each firm’s attorneys and staff are committed to providing efficient legal services and professional, courteous, and prompt customer service. The author can be reached at email@example.com.
10 / ANGLE
ON THE BOOKS by Louis Manetti, Esq. with ALFN Illinois Member Codilis & Associates, P.C. | firstname.lastname@example.org
FROM LITIGATION WEAPON TO OVERSIGHT STATUTE: BANKRUPTCY JUDGE EXPLAINS THE CIRCUITOUS JOURNEY OF THE ILLINOIS RESIDENTIAL MORTGAGE LICENSE ACT The Illinois Residential Mortgage License Act of 1987 (the “RMLA”) has undergone a remarkable journey in the last two years. It went from a rarely litigated state statute governing licensure of residential loan providers, to a powerful litigation tool that could potentially void residential mortgages, and then, through statutory amendment, back to its prior licensure-centered focus. A recent opinion from the Central District of Illinois Bankruptcy Court, Richardson v. JPMorgan Chase Bank, N.A., 2016 Bankr. LEXIS 61, *1 (C.D. Ill. Jan. 7, 2016), thoroughly
analyzed the circuitous history of the RMLA to determine that a borrower does not have the power to void a mortgage based on alleged RMLA violations. The RMLA has existed since 1987. Its stated purpose is to protect Illinois customers seeking residential mortgage loans. 205 ILCS 635/1-2(b). Specifically, it prohibits any person or entity from originating a residential mortgage loan without first obtaining a license from the Illinois Department of Financial and Professional Regulation
(the “IDFPR”). 205 ILCS 635/1-3(a). It designates the secretary of the IDFPR to enforce the RMLA’s provisions, 205 ILCS 635/4-1(k), including the authority to levy fees and fines for violations, 205 ILCS 635/4-1(l). The expressly stated penalty for failing to obtain a license under the RMLA is a fine. 205 ILCS 635/1-3. For decades, it was infrequently invoked in litigation (it was only cited fifteen times by Illinois state and federal courts from its inception through early 2014), and did not provide any cognizable basis to void a mortgage.
The RMLA’s remedial breadth was considerably expanded in early 2014. Then, the Illinois Appellate Court issued an opinion in First Mortgage Co., LLC v. Dina, 2014 IL App (2d) 130567. The court held that the bank did not sufficiently establish that the original lender was licensed under the RMLA, and further held that if a lender was not licensed when the loan was originated it resulted in a void mortgage. Id., ¶¶ 17-18. It analogized the RMLA to statutes prohibiting the unlicensed practice of medicine and stated that courts could not support a contract made against public policy. Id., ¶ 18. Although the court conceded that the RMLA does not explicitly provide that a mortgage originated in violation of its provisions is void, it held that the mortgage was still void because it violated public policy. Id., ¶ 21. Subsequent to Dina, on July 23, 2015, the governor of Illinois signed into law Public Act 99-0113. It amended the RMLA to state that, “[a] mortgage loan brokered, funded, originated, serviced, or purchased by a party who is not licensed under this Section shall not be held to be invalid solely on the basis of a violation under this Section.” 205 ILCS 635/1-3(e). The amendment further states, “[t]he changes made to this Section by this amendatory Act of the 99th General Assembly are declarative of existing law.” Id. The clear intent of the amendment was to abrogate the Dina decision. In Richardson, the borrower had filed a Chapter 7 Bankruptcy petition. 2016 Bankr. LEXIS 61 at *2. The trustee then filed an adversary complaint against the lender. Id. at *3. Similar to Dina, he claimed that the original lender, “MONEYWORK$,” was not licensed under the RMLA, and as a result his mortgage should be voided. Id. The lender filed a Federal Rule 12(b)(6) motion to dismiss the adversary complaint arguing that the mortgage was not void under the RMLA. Id. Because it found that there was an issue of fact as to whether the original lender was licensed when the mortgage was created, the Court assumed for the purposes of the motion to dismiss that the original lender was not licensed under the RMLA. Id. at *11. The Court held that its task in analyzing Illinois law is to predict how the Illinois Supreme Court would rule, and it pointed out that the Illinois Supreme Court had itself declined to review the Dina decision directly. Id. at *12. The Court reasoned that, although the Dina decision would normally control the prediction of how the Illinois Supreme Court would rule on the issue, it pointed out that Dina was not the last word on the matter—the Illinois legislature had amended the RMLA to include specific language about invalidating mortgages. Id. at *13-14. In Richardson, the Court held that although an amendment to a statute is usually presumed to have changed the law, that presumption is rebutted when circumstances indicate that the legislature intended to interpret or clarify existing law. Richardson, 2016 Bankr. LEXIS 61 at *14-15. To determine if the amendment merely clarified the RMLA—and therefore would apply to a mortgage originated in October
THE COURT REASONED THAT, ALTHOUGH THE DINA DECISION WOULD NORMALLY CONTROL THE PREDICTION OF HOW THE ILLINOIS SUPREME COURT WOULD RULE ON THE ISSUE, IT POINTED OUT THAT DINA WAS NOT THE LAST WORD ON THE MATTER—THE ILLINOIS LEGISLATURE HAD AMENDED THE RMLA TO INCLUDE SPECIFIC LANGUAGE ABOUT INVALIDATING MORTGAGES. of 2011—the Court stated that it needed to consider: (1) whether the legislature declared its intent to clarify the existing law; (2) whether a conflict or ambiguity about the law existed at the time of the amendment; and (3) if the amendment was “consistent with a reasonable interpretation of the prior enactment and its legislative history.” Id. (quoting K. Miller Construction Co., Inc. v. McGinnis, 238 Ill. 2d 284, 299 (2010)). The Court in Richardson explained that all three factors weighed in the bank’s favor. First, the amendment specified that it was declarative of existing law. Id. at *14. Second, the amendment was undertaken after the Illinois Supreme Court declined to resolve whether the Dina decision conflicted with the original intent of the RMLA. Id. Third, it held that the amendment was consistent with a reasonable interpretation of the prior version of the RMLA because the statute itself does not mention voiding mortgages and the specific penalty for failing to license is a fine. Id. The Court concluded that the cause of action the trustee was trying to bring—that the mortgage was void due to failure of the originating lender to license under the RMLA—did not exist under Illinois law. Id. at *18-19. The Richardson opinion is the perfect analytical coda to the short-lived use of the RMLA as a civil litigation weapon.
12 / ANGLE
PROGRAM VS. POLICY
CRASH-ERA RESPONSE STILL DOESN’T JIVE WITH PRE-2008 FORECLOSURE LAWS by Amber Labrecque, Esq., McCarthy & Holthus
The recent burst of the housing bubble led to an increase in foreclosures in Oregon. In response, the legislature of the State of Oregon passed laws establishing a Foreclosure Avoidance Program to help homeowners in Oregon. The implementation of this Program has resulted in public policy conflicts between the Foreclosure Avoidance Program and pre-existing laws. The focus of this article is on the interplay of the Foreclosure Avoidance Program and the laws regulating the liens of condominium associations, specially their ability to gain priority over a first mortgage when a beneficiary has delayed initiating foreclosure. In 2012, through Senate Bill 1552, Oregon instituted the Foreclosure Avoidance Program, which established mandatory dispute resolution conferences for non-judicial foreclosures of residential trust deeds. Through Senate Bill 558, effective August 2013, the existing program was modified to be mandatory for judicial foreclosures of residential trust deeds as well. The only exception is for beneficiaries who were able to be certified as exempt by virtue of their having not commenced more than 175 foreclosures of a residential trust deed in the previous calendar year. This program requires that a certificate of compliance is acquired by a beneficiary before foreclosure can be commenced. Either the borrower (after consulting with a housing counsel or attorney) or the beneficiary can initiate the dispute resolution conference process, and once a certificate of compliance is obtained, the certificate is good for a year. In the State of Oregon if a condominium association has recorded their governing documents that recorded document constitutes record notice and perfection of their lien for assessments. ORS § 100.450 With this recording, assuming none of the rare exceptions contained in ORS 100.450 (1)(b) apply, the lien of the association becomes prior to all liens or encumbrances on the property except for a first mortgage. ORS § 100.450 (1). Due to this statute, condominium associations often do not record their
liens until they chose to move forward with either suing the borrower or foreclosing themselves. Under ORS 100.450 (7), the condominium associations are able to, through a notice process, gain priority over the lien of a first mortgage or trust deed. Under ORS 100.450 (7), the condominium association must provide written notice that the borrower is in default in payment of an assessment. Once this notice is provided, the beneficiary of the deed of trust or mortgage has 90 days in which to initiate a judicial action to foreclosure, request issuance of a trustees notice of sale, or accept a deed in lieu. If those actions do not occur within the 90 day period, and that the borrower is in default on the first mortgage, the lien of the condominium association will become senior to that of the first trust deed or mortgage. When the beneficiary initiates the dispute resolution conference process participation by the grantor(s) is not mandatory. According to the Department of Justice, the homeowner participation rate is 23%. When adjusted to account for requests made by beneficiaries where there is incorrect or outdated contact information, the participation rate jumps to 30%. The first Resolution Conference is designed to occur within 75 days. This timeline can easily go longer â€“ the service provider may postpone or reschedule a resolution conference if the beneficiary and grantor agree to a new date, if the beneficiary or grantor requests a new date in writing that is more than 30 days after the original date scheduled for the resolution conference and can show good cause for the request, or if the beneficiary does not pay the fee required by the date the fee is due. After the initial meeting parties can either agree to conclude, agree to set another meeting date, or where the parties do not agree to set another meeting date the facilitator can use his or her power to set a second Dispute Resolution Conference. Once the process is formally concluded the facilitator issues a report and a certificate of compliance (or of non-compliance) shall be issued within five days. Alternatively, if the fee is not paid by the grantor by 25 days from the date of the Notice from the Service Provider a certificate of
compliance is required to be issued within five days of cancelling the resolution conference. Once received, the Certificate of Compliance is good for one year. When ORS 100.450 was enacted the mandatory dispute resolution program did not yet exist. When Senate Bill 1552 and Senate Bill 558 were enacted, the bills creating and modifying the dispute resolution process, they failed to modify ORS 100.450 to account for the now longer timeline for commencement of a foreclosure. The design of the condominium statute encourages the beneficiary to move forward with foreclosure of the property, which if completed will get a new owner of the property who will pay the condominium assessments going forward, or alternatively payoff the lien of
process has made it difficult for servicers to move forward quickly. The practical implications of this is that a condominium association can give a 90 day notice, and unless the beneficiary is either exempt, or has already started or completed the mediation process, the condominium association is almost certainly guaranteed to become senior. The introduction of the mediation process, without addressing the condominium statutes, has made it so the condominium statutes no longer act as an impetus for the beneficiary to start foreclosure proceedings. If a beneficiary is going to be unable to satisfy the condominium statutes in time to prevent losing their priority, then they no longer have any motivation to start the process when they receive the 90 days notice. If beneficiary is working with borrower,
Going forward, the Oregon Legislature could amend the condominium statutes to account for the Foreclosure Avoidance Program, now that the program applies to both judicial and non-judicial foreclosures.
the condominium association. Alternatively, if the condominium association gains priority they can then either initiate foreclosure themselves, and then go to a sale where they either gain title to the property free of the prior first lien, or where the property is sold to a third party, thus satisfying their lien and potentially part of the lien of the beneficiary of the previous first lien depending on the amount paid by the third party purchaser. The laws which give the condominium association the ability to jump priority over a first mortgage protect the condominium associations, and their members, by allowing the condominium association the ability to become senior when a servicer is delaying in starting foreclosure on a loan that is in default. However, the introduction of the mandatory dispute resolution
or otherwise is not ready to commence foreclosure, then they are put in a hard place where they may be forced to initiate the dispute resolution process earlier than they desire, such as when they are still discussing options with a borrower, so as to avoid losing their priority position to the condominium association. Paying off the lien might be attractive if the condominium association lien is relatively small, but the reality is that many of the condominium associations are waiting for years before initiating foreclosure. Condominium associations rarely record their liens and pursue super priority for small amounts of money, as it does not make economic sense to do so. This often results in liens of $10,000.00, or even significantly more, in arrearages. This interplay of the statutes results in the purposes of the statutes often
14 / ANGLE
The laws which give the condominium association the ability to jump priority over a first mortgage protect the condominium associations, and their members, by allowing the condominium association the ability to become senior when a servicer is delaying in starting foreclosure on a loan that is in default. being frustrated. If a lender is attempting to go through the mediation process and obtain a certificate of compliance quickly to avoid a potentially large condominium lien gaining priority, then they are potentially not participating in the dispute resolution process as fully as they would have. There are several possible workable solutions. While there is an argument that the actions of the legislature, and the wordings of the laws, show the legislative intent, I believe that an opportunity was missed to create a situation where the public policy aims of both statutes could interplay in a productive manner, rather than in the way we are now left with, where grantors are hurt if the beneficiaries seek to go through the mediation process as fast as possible to avoid risking losing their lien priority, and where beneficiaries are hurt by the same, both as their haste reduces the chances of a successful foreclosure avoidance measure being negotiated, and there is potential loss of their lien priority to a potentially large condominium lien. Going forward, the Oregon Legislature could amend the condominium statutes to account for the Foreclosure Avoidance Program, now that the program applies to both judicial and non-judicial foreclosures. They could accommodate the program timeline provide more time for the beneficiaries to institute foreclosures. Once solution is extending
the timeline to 60 days for when the beneficiary has not yet started to participate in the Foreclosure Avoidance Program, and then 120 or 150 days when the grantors elect to participate. This expansion could come into effect only in the situation where the beneficiary is not exempt. This would mean that a short timeline would still apply in approximately 70-76% of the cases where the beneficiary is not exempt. Alternatively, the legislature could change the requirement of filing a judicial action from being defined as filing a foreclosure complaint, requesting issuance of a trustees notice of sale, or accepting a deed in lieu to instead be that the beneficiary has initiated the dispute resolution process (or that the grantor has initiated the process and that the beneficiary is participating). This would balance the condominiumâ€™s need to have a foreclosure moving forward in order to protect the community and other members in it. However, this would then run the risk of the beneficiary then not actually moving forward with foreclosure once they receive their Certificate of Compliance, as they are good for 1 year. Alternatively, the legislature or courts could step in and treat the dispute resolution process as a stay, much like the bankruptcy stay. The 90 days could run, and be stayed until the issuance of the Certificate of Compliance, thus both allowing the beneficiary to fully participate in the dispute resolution process without the pressure to conclude early to avoid the COA lien, and making it so the beneficiary is under pressure to move forward with foreclosure quickly once dispute resolution has failed. In conclusion, we have two statutes with different and conflicting policy objectives. When these two statutes interact all parties, the condominium associations, the grantors, and the beneficiaries of the trust deeds can be harmed. This interaction needs to be examined and re-balanced, and the legislature or courts have a few viable options for how they can choose to do this. Amber Labracque, Esq. can be reached at email@example.com.
THE MECHANICS OF
BRAND-BUILDING REQUIRE CONSTANT MAINTENANCE.
GET A TUNE UP BEFORE SERVICERS TUNE IN.
CONTACT US ABOUT A CUSTOM, YEAR-LONG PACKAGE THAT WILL SHOWCASE YOUR BRAND ACROSS ALFN EVENTS, PUBLICATIONS AND THROUGH DIGITAL CHANNELS, SUCH AS DIRECT MARKETING CAMPAIGNS AND ALFN.ORG. CONNECT WITH LIZ POTTER AT LPOTTER@ALFN.ORG
RETHOUGHT. REBRANDED. REBUILT. AND READY TO REDEFINE BUSINESS-BUILDING IN THE MORTGAGE SERVICING INDUSTRY FOR ANOTHER 15 YEARS.
REGISTER NOW AT ALFN.ORG/ANSWERS
18 / ANGLE
NEW BANKRUPTCY PROOF OF CLAIM FORMS HIT THE INDUSTRY Effective December 1, 2015, the official proof of claim forms changed. Official Form 410 replaced B10 (Official Form 10) and Official Form 410A replaced B 10, Attachment A. The purpose of the revisions was to ensure that a debtor can easily read and understand the claims and to make it easier for a creditor to complete the forms. This article will discuss the specifics of the two new forms and what creditors and servicers need to know to accurately complete a proof of claim.
Official Form 410 (aka the cover page) is required for all proofs of claim. 410 has larger fonts, which results in making the claim easier to read. The revised forms also contain more instructions than in the past, which is supposed to make the claim easier to complete by creditors. Instead of having boxes to complete, there are now conversational questions to answer. For example, prior B10 listed a box that stated “Name and address where notices should be sent:”, now the new form has a specific section for information (Item 3 of Part 1) and states “Where should notices to the Creditor be sent?”. There are 3 parts to 410 with a total of 12 questions. The information on the claim needs to be completed as of the date of filing by the debtors.
by LeAnn Covey , Esq., Managing Attorney, Bankruptcy Department The Law Offices of John D. Clunk Co., LPA
Part 1 of 410 is intended to clarify who the parties are and their respective roles. For example, there is a specific listing for “Who is the current creditor?” and a line item for “Other names the Creditor used with the debtor”. This is a new item added to the forms where servicers and creditors could include information about a name change or “doing business as” information. This line item could also be used for the servicer name, which the debtor would likely be more familiar with in the event the loan is part of a certificate series held in a trust. Please note that this is not for transfers of the loan. Part 1, item 2 of 410 has a specific listing for “Has this claim been acquired from someone else?”. This is where the creditor would list a recent service transfer that the debtor may not be aware of prior to filing the bankruptcy petition. Another interesting addition to 410 is item 5 of part 1 which lists the questions “Do you know if anyone else has filed a proof of claim for this claim?” and “Who made the earlier filing?”. This provision appears to be for the specific instance where the debtor has already filed a proof of claim on behalf of the creditor. From personal experience, I know that “trustee pay all” cases (aka conduit plans) in several districts will not begin disbursement on post-petition payments without a filed proof of claim. Debtors tend to file their own claims to begin this post-petition
disbursement to ensure the post-petition payments are being made and to avoid having the Chapter 13 Trustee disburse those funds earmarked for post-petition payments to unsecured creditors. Item 5 replaces the previous box on B10 that listed the confusing statement “Check this box if you are aware if anyone else has filed a proof of claim relating to this claim. Attach copy of statement giving particulars”. In Part 2 of 410 the creditor is asked to provide information about the claim as of the date it was filed. Box 10 asks a new question that was not previously listed in B10. Box 10 asks if this claim is based on a lease. Part 2, Box 11 asks the question “Does this claim involve a right to setoff?” which would indicate some sort of pending suit or claim against the creditor that may result in a reduction of the total amount due to creditor. The general consensus among creditors’ counsel is that this field does not apply to funds sitting in suspense. Part 3 of 410 replaces the former section 8 of B10 and includes several changes. Part 3 now contains a checkbox specifically for attorneys filing claims on behalf of creditors. The previous absence of an attorney checkbox on B10 created some controversy as creditor’s counsel were of varying opinions on whether or not this box should be checked or not. B10 included a declaration stating under penalty and perjury that the information provided in the claim is true and correct based on the filer’s knowledge, information, and reasonable belief. Much to creditor’s relief, 410 contains a revised declaration that is less binding to the preparer of the claim. The signature section is now broken down into three parts. First, the signature serves as an acknowledgement that the filing debtor has received credit for payments received by creditor. Second, its states that “I have examined the information in the POC and have a reasonable belief the information is true and correct”. Third, it states “I declare under penalty and perjury that the forgoing is true and correct”. This is different from B10 as it does not indicate that the information is actually true and correct, but
that the debtor has received a proper credit on the account, that information contained in Official Form 410 has been examined, and that there is a reasonable belief about the accuracy of the information that is contained in 410. Official Form 410A has replaced Official Form B 10A, Attachment A. This attachment form is only required if the loan is secured by the debtor’s principal residence. Creditors can continue to use any form they wish as an attachment to 410 regarding claims filed against investment properties and secondary homes. It is important to note that 410A is required regardless of whether or not the property is a first or secondary lien on the debtor’s primary residence. These new forms also apply if the lien is being treated as unsecured in the plan through an anticipated avoidance action. 410A differs from B10A in many significant ways. According to the committee notes, the new format is more transparent and capable of being more easily and accurately completed. The most interesting and challenging change was the addition of the payment history to the proof of claim in part 5. I will discuss each of the 5 parts of 410A. Part 1 requires details regarding the case number, debtor information, the last four digits of the loan number, creditor, servicer, and fixed accrual/ daily simple interest/other. Part 2 is the total debt calculation. This is a new requirement as prior B10A had no place to indicate the calculation of the total debt claim. This provides further transparency by requiring the creditor to itemize what is included in their total debt claim. The total debt calculation includes the principal balance, interest due and owing at the time of filing, any fees and costs due as of the time of filing, the escrow deficiency, minus the total funds on hand. The escrow deficiency for funds advanced includes the total amount of pre-petition payments for taxes and insurance that the creditor made out of its own funds and for which it has been reimbursed. Total funds on hand include a positive escrow balance, unapplied funds, and any other amounts held in
a suspense account. Part 3 of 410A is the arrearage as of the date of the petition filing. The amount of principal and interest payments due as of the date of filing should be included in part 3. The escrow portion of pre-petition due payments should NOT be included. Pursuant to Rule 3001(c)(2) (C), an escrow analysis is required to be run as of the date of the filing of the bankruptcy proceeding. Escrow deficiencies are extremely difficult for debtors to understand. The purpose of Rule 3001(c)(2)(C) and part 4 of 410A is to clarify that issue for debtors. Any escrow deficiency at the time of filing needs to be included in part 3 of the claim on the line entitled “Escrow deficiency for funds advanced”. This amount of escrow should be the same as the amount of the escrow deficiency listed in part 2, the total debt. This escrow amount should equal the amount of positive escrow account as listed in the last entry in part 5, column O (part 5 is explained further below). The escrow deficiency amount is usually the starting balance for the escrow analysis. The “Projected escrow shortage” line in part 3 is the difference between the actual amount in the escrow account and the required amount. Although it is not specifically listed in the instructions for completing the proof of claim, the general consensus provided by feedback from the Chapter 13 Trustees and by the United States Trustee’s offices indicate that the escrow account needs to be brought to zero prior to running the escrow analysis and any deficiency due at the time of filing needs to be included in the pre-petition arrearage claim (amount needed to fund escrow account plus the RESPA cushion). There should be no “escrow shortage” payment being collected in the post-petition payments during the first twelve months of the bankruptcy proceeding if the loan is fully escrowed for taxes and insurance at the time of filing. It is important to understand that due to these requirements, the actual escrow portion of missed pre-petition payments will not actually be recovered from the debtor. This may require programming changes on part of the creditors and/or
servicers due to the bankruptcy filing. Pre-petition fees that are due are also included in part 3 and should be the amount equal to the “Fees/Charges balance” as shown in the entry in part 5, column P. Part 4 of 410A is the first monthly mortgage payment due at the time of filing. This is the principal and interest payment, along with the new escrow payment on the account. The new escrow payment should be taking into account the receipt of any amounts that are being claimed in the pre-petition arrearage claim as “Escrow deficiency for funds advanced” and “Projected Escrow Shortage”. The new escrow payment should assume that these amounts will be paid by the Chapter 13 Trustee and provide a credit for these amounts when calculating the escrow payment. There is also item that takes into account “Private mortgage insurance”. If there are any additional amounts due each month, such as life insurance, an additional line will be need be manually entered on part 4 as there is no specific line for “other” on 410A. Part 5 of 410A is a detailed payment history starting with the first date of default. This is very first date on which the debtor failed to make a payment in accordance with the terms of the note and the mortgage, unless the note was brought completely current at some point during the life of the loan with no principal, interest, fees, escrow, or other charges due at the time. Basically, if a creditor wants to include a charge in the proof of claim, the creditor must show on the history when it occurred and all the payment history activity that caused that charge to be incurred on the account. The requirement to produce a history back to the first date of default could mean the history could span several years of the account history. If the loan has been transferred, the current creditor will need detailed information about any fees or costs incurred prior to the transfer of the loan or these fees and costs will need to be waived. Detailed information not only includes a prior servicer payment history, but paper documentation in the form of letters, policies, invoices, and cancelled checks. If the loan is
contractually delinquent as of the transfer date, the current creditor will need a detailed payment history going back to the first date of default. If this type of history is not available, the loan will need to be brought current through the date in which the detailed information is available. The loan history form has blocks for when payments are due, when the debtor made payments, how payments were applied, when fees and charges were incurred on the account, and what the balances for the various components of the loan were after payments were received or fees and charges were incurred on the account. There are total of 17 columns labeled A through Q in part 5 that must be completed in their entirety. If there are no arrearages due at the time of filing and the pre-petition balance is $0.00, part 5 should not be completed. If there are no payments and fees due, but only
an escrow shortage due to running an escrow analysis, a payment history may need to be completed. The “Projected escrow shortage” should be clearly marked in the escrow analysis and explained through documentation attached to the claim if this will not be explained through the payment history in part 5. There is currently no case law regarding this subject and I have not been made aware of any objections to claims due to failing to completed part 5 for “Projected escrow shortage”. My speculation is that a requirement to complete part 5 when there is only a “Projected escrow shortage” will vary by districts and will be clarified once more claims have been filed on the new forms. The committee notes indicate that “Because completion of the revised form can be automated, it will permit claimants to comply with Rule 3001(c) (2)(C) with efficiency and accuracy”.
UPGRADE, ENHANCE OR RENEW ONLINE IN THE ALFN STORE NOW WITH ENHANCED LISTINGS ONLINE
Despite the committee notes indicating part 5 is supposed to increase efficiency and accuracy, the new payment history is burdensome to complete. I have completed these forms using my client’s screen prints and payment histories and can attest they are time consuming. It is difficult to manually piece together the information and put it in the current format that is required in 410A. Many servicers are working on automating the process internally to have the capability to generate part 5 of 410A, as was expressed in the committee notes. Hopefully, there are easy programming tools available that can be implemented for automation available to all creditors and/or servicers so that full manual completion of the forms will no longer be required. LeAnn Covey , Esq. can be reached at firstname.lastname@example.org.
22 / ANGLE
For the millions of homeowners who turned to home equity lines of credit (HELOC) in the midst of the pre-crash housing bubble, 2016 may be a challenging year. A sudden and significant hike in payments is on tap for many, with more than 3 million homeowners projected to see their initial 10-year, interest-only loan converted to a fixed, higher interest rate between now and 2018. More worryingly, more than half of borrowers due for a HELOC reset are underwater on their property. As mortgage servicing professionals are well aware, the combination of underwater properties and a significant increase in monthly payments has the potential to increase defaults and foreclosures over the next two to three years. With a possibility of a substantial increase in foreclosure activity looming, servicing professionals would be wise to prepare now and conduct a proactive review of their policies, procedures, infrastructure, technical capacity and security protocols to ensure that they can handle an increase
in volume. With that in mind, consider the following best practices as a basic guide for keeping your systems and security posture up to date to prepare for increased foreclosure activity: CONDUCT AN INFORMATION SECURITY ASSESSMENT Conducting a comprehensive information security assessment is one of the first and most important steps any servicing organization should do ahead of a potential increase in volume. Making sure that you have no security deficiencies begins with things like reviewing the existing business continuity plan, conducting succession planning, refreshing your infosec structure, and assessing existing processes (such as client audit practices) from a security standpoint. Dig into the details to ensure that your security and compliance functionality is sufficiently robust: everything from file change protocols and procedures and documentation and dating requirements, to built-in access limitations, step-dependent processing, and data management and reporting functionality should all be carefully
reviewed. Finally, make sure all of your licensing and documentation is in place, and the content of your security awareness programs are up to date and are being administered correctlyâ€“including making certain that all employees are up to date on and have signed off on policies and procedures. REVIEW CAPACITY If you do need to expand quickly, it is important to make sure that you have the bandwidth in place to make that happen. Ensuring that your existing technical infrastructure is sufficiently robust is an important first step. Assess existing systems, platforms and equipment to make sure that they are up to date and to replace anything that is due for an upgrade (3-5 years is standard target date for technology upgrades/cycling). Be sure to include all aspects of your tech infrastructure in any such process, including server equipment, data storage units and PCs/laptops. Make contingency plans: it may make sense to have new equipment lined up and ready to go if you do need to expand quickly. It is important to remember to meet your
legal/regulatory obligations to wipe any NPPI data when you get rid of older computers. Because that can be a challenge when organizations are replacing large quantities of equipment or when changes need to be made quickly, it makes sense to have a process in place to ensure that each machine has been thoroughly wiped before it goes out the door. ENSURE OPERATIONAL READINESS A detailed review of policies and procedures, including auditing, reporting and file-handling procedures, is an important step in any self-assessment. This is a chance to be proactive, to optimize your workflow, to improve the quality of your documentation (by potentially switching to full automation instead of manual edits, for example), and to ensure that all case management systems integration is sound. While checking all of these boxes is an important part of preparedness for a potential increase in volume, it is also a good business practice. Periodic reviews and assessments of systems and processes are a great way to become more efficient and en-
sure that you are optimizing resources and streamlining your operation. BE THOUGHTFUL AND STRATEGIC It can be easy to lose focus in the midst of a systems/process review and a significant upgrade. But the pressure to make changes and increase capacity should not overwhelm the need to proceed in a thoughtful, systematic and strategic manner. Process changes should be implemented cautiously, with thorough testing and a complete understanding of how every change fits into the overall system. Hasty upgrades or â€œchange for the sake of changeâ€? can create more problems than it solves, and every change should be implemented in a logical manner, with a full and complete understanding of what it is intended to do. COORDINATE WITH YOUR TECH PROVIDER Be sure to work closely with your with tech provider throughout the review and (if necessary) upgrade process. A trusted tech partner can help you assess your existing technology needs
and provide perspective on potential changes. Additionally, it is critically important that any process/workflow changes are reflected in the technology. Cloud-based technology can facilitate the change/upgrade process by making it possible to assess potential changes while preserving the ability to roll back those changes if necessary. A comprehensive review coupled with strategic and thoughtful changes/ upgrades will ensure that you are fully prepared and well positioned not only for the potential increase in activity associated with coming HELOC resets, but for any large scale market changes in the months and years ahead. Adam Hansen is the COO and CIO of assure360, a full-service technology and outsourcing solutions company serving the mortgage default servicing industry. You can reach Adam at email@example.com.
ABOUT WILL AND WILLPOWER WILLPOWER IS THE INAUGURAL DAY-LONG SUMMIT HOSTED BY THE ALFN’S MEMBER GROUP WOMEN IN LEGAL LEADERSHIP (WILL). WILL IS FREE TO ALFN MEMBERS AND CAN BE JOINED BY NON-MEMBERS FOR $99 NOW THROUGH APRIL 18 (WITH RESTRICTIONS). LEARN MORE ONLINE AT ALFN.ORG OR CONTACT LIZ POTTER AT LPOTTER@ALFN.ORG.
WHEN THE REST OF THE INDUSTRY WON’T, ALFN WILL. JOIN US FOR THE INAUGURAL #WILLPOWER SUMMIT IN WASHINGTON.
APRIL 18, 2016 | WESTIN GEORGETOWN | WASHINGTON, D.C. $499 FOR MEMBERS AND NON-MEMBERS | INCLUDES FULL CONFERENCE PASSES TO WILLPOWER AND ADVOCACY DAY 2016 REGISTRATION NOW OPEN AT ALFN.ORG
26 / ANGLE
by Catherine Crosby Long, D. Keith Andress, and Alisa Chestler of Baker Donelson
CYBER SECURITY TAKES TOP PRIORITY AT LAW FIRMS NATIONWIDE.
Not long ago, the average American could not define terms like “data breach,” “hack,” or “cybersecurity.” However, hardly a day passed in 2015 without a reported cyberattack covered by the national news. As a result, consumers are increasingly aware of the need to ensure that their personally identifiable information (PII) is secure. This poses significant challenges for the financial services industry, which relies on the exchange of PII in connection with the products it offers to consumers. This article will take a look back at significant developments in cybersecurity during the past year, and provide a roadmap to assist financial institutions in preparing for the inevitable hack that will occur in the not-too-distant future.
2015: GROUNDHOG DAY FOR THE DATA BREACH Experts referred to 2014 as the “Year of the Data Breach.” 2015 was no different. Healthcare companies were among the first victims of 2015, when Premera Blue Cross discovered a breach in January 2015 that exposed 11 million records containing PII to hackers. Anthem followed in February, when PII from over 80 million individuals was stolen by Chinese hackers. In April, the Office of Personnel Management discovered that fingerprint information from over 5.6 million current and former federal employees had been stolen, along with personnel files from over 21.5 million employees. Excellus Blue Cross discovered a breach in August that had exposed nearly 10 million records, and October brought news that the credit monitoring service Experian had experienced a breach that led to the exposure of PII from over 15 million consumers that had applied for services from T-Mobile. The Ashley Madison hack resulted in widespread embarrassment and personal repercussions for nearly 37 million users that maintained an account on the site. From government to education, healthcare to financial services, no industry was safe from hackers. While the U.S. Government itself was not invulnerable from a cyberattack, the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) barreled forward in enforcement actions and litigation against businesses that failed to keep consumers’ PII safe. In September, the FTC settled charges against investment advisor R.T. Jones Capital Equities Management for $75,000, after the company failed to adopt written policies and procedures reasonably designed to safeguard customer information for over 100,000 individuals who were left vulnerable following a cyberattack. Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, asserted that firms “must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once
a breach occurs.” In December, the FTC announced that Lifelock would pay $100 million to settle charges that it violated a 2010 order requiring the company to secure customers’ PII and to avoid deceptive advertising, the largest-ever award obtained by the Commission in an enforcement action. Two notable FTC enforcement actions ended in 2015, including the FTC’s complaints against clinical testing laboratory LabMD and hospitality giant Wyndham Hotels & Resorts. The FTC’s 2013 case against LabMD arose following two security incidents that the FTC alleged were caused by the company’s failure to provide reasonable and appropriate security measures for consumers’ PII. The FTC asserted claims under Section 5 of the FTC Act, and argued that LabMD’s “unfair” acts or practices exposed PII of up to 10,000 customers. LabMD moved to dismiss the FTC’s case and the Administrative Law Judge agreed, finding that the FTC failed to prove LabMD’s “act or practice cause[d] or [was] likely to cause substantial injury to consumers.” Ultimately, without concrete proof of harm or substantial injury caused by the exposure, allegations of emotional distress or risk of future identity theft were not enough to save the complaint from dismissal. The judge noted, “[T]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical “risk” of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of “likely” substantial consumer injury. At best, [the FTC] has proven the “possibility” of harm, but not any “probability” or likelihood of harm. Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury under Section 5(n) requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case. The FTC has appealed the dismissal to the full Commission. LabMD is pursuing litigation against cybersecurity firm Tiversa Holding Corporation
28 / ANGLE
NOT JUST A “BIG BUSINESS” PROBLEM, BUT A BIG PROBLEM FOR BUSINESSES AND REGULAR FOLK, TOO.
10% ONE IN TEN SOCIAL MEDIA USERS REPORT BEING A VICTIM OF A CYBER ATTACK.
THE REST OF YOU (99.9% OF ALL COMPUTERS, ACTUALLY) REMAIN EXTREMELY VULNERABLE THROUGH “EXPLOIT KITS” USED VIA COMMON PROGRAMS LIKE ADOBE READER AND ADOBE FLASH.
related to the FTC investigation, and has also sued the FTC for its costs in a case currently pending in the United States District Court for the District of Columbia. Wyndham’s long-fought battle with the FTC ended via a settlement and consent order after the United States Court of Appeals for the Third Circuit found that the FTC had statutory authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act. The settlement absolved Wyndham from providing monetary relief, granted the company a “safe harbor” if it continues to meet certain requirements for “reasonable information security” as outlined in the order, and applies only to payment card information. Wyndham’s obligations under the consent order will not extend past 20 years, and in many instances will be shorter. Notably, the consent order provided the first specific guidance on what the FTC believes to be “reasonable” cybersecurity procedures to protect credit card information, including safeguards that should be used to defend against theft of payment card information and the incorporation of the Payment Card Industry Data Security Standard (“PCI DSS”) in security audits. The year did not end without significant legislative advancements in cybersecurity regulation. President Obama signed the 2016 Consolidated Appropriations Act on December 18, 2015, which included the Cybersecurity Act of 2015 – the most significant federal legislation to date addressing cybersecurity and cyber threats. Title I of the Cybersecurity Act included the Cybersecurity Information Sharing Act (CISA). The overriding intention of the CISA is to encourage private entities to report – voluntarily – any hacks, suspected hacks or other cyber threat indicators that they experience on their information systems to the Department of Homeland Security (DHS), which is now the “go-to” agency for reporting cyber threats. Once it becomes fully functioning, the CISA should create a real-time notification procedure for the dissemination of existing and potential cyber threats, and
to head them off before they reach additional targets. Financial Institutions should be prepared for continued regulatory and enforcement activity during 2016, as the responsibility for cybersecurity moves from a purely IT issue into the C-suite. SECURITY ASSESSMENTS: PREVENT THE INCEPTION Given the extensive coverage of data breach and hacking incidents over the past few years, most companies should have the basic elements of a cybersecurity policy in place: maintain an effective firewall, appropriately train employees on privacy and security principles, regularly update password and authorization requirements, encrypt credit card information, monitor networks, and limit employee access to non-essential information. Once these basic principles are implemented, periodic assessments should be performed to ensure security protocols are actually working. The SEC instructs firms that maintain individuals’ PII should: [C]onduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk. In June 2015, the Federal Financial Institutions Examination Council (FFIEC), released a Cybersecurity Assessment Tool designed to help financial institutions minimize risks and assess their cybersecurity preparedness, following the Council’s pilot assessment of 500 institutions during the preceding year. The Cybersecurity Assessment Tool incorporates
the National Institute of Standards and Technology (NIST) Cybersecurity Framework utilized by a variety of different industries and companies of every size, and begins with an assessment of five categories: 1). Technologies and Connection Types; 2). Delivery Channels; 3). Online/Mobile Products and Technology Services; 4). Organizational Characteristics; and, 5). External Threats. An institution’s “maturity” in the following five domains is then evaluated: a). Cyber Risk Management and Oversight; b). Threat Intelligence and Collaboration; c). Cybersecurity Controls; d). External Dependency Management; and, f). Cyber Incident Management and Resilience. After the assessment and evaluation have been completed, institutions should identify areas that need improvement, develop strategies to advance maturity, and address gaps in their cybersecurity preparedness. The Cybersecurity Assessment Tool’s emphasis on the exchange of threat intelligence and collaboration in response to a data breach, however, can prove complex for financial institutions. While information disclosed via a cyber-incident report to DHS may mitigate legal concerns, loose privacy protections could risk the entity’s goodwill among its customers, who may regard sharing of their private information with law enforcement as a significant breach of trust. Accordingly, entities would be wise to consult with counsel to determine the appropriate scope of any disclosure to DHS and to formulate an internal protocol for information sharing. Importantly, the FFIEC observed that, “the level of cybersecurity inherent risk varies significantly across financial institutions,” and that while most financial institutions understand the need to train employees on cybersecurity risk management, “the outcome and benefits improve when training and awareness programs are kept current and are provided on a routine basis.” Thus, each time new products are introduced or services offered, a security assessment should be performed. Employee training must continue. In-house legal departments
and company executives should clearly identify security targets and track the entity’s progress toward the stated goal. Finally, companies should ensure third-party vendors and service providers have implemented sufficient security protocols, and are also consistently evaluating their preparedness for a potential cyberattack. OUR BRAND IS CRISIS: TRANSFER RISK AND PRESERVE YOUR REPUTATION Financial institutions with effective security protocols that are designed to minimize the risk of a hack or data breach will significantly decrease their chances of experiencing a debilitating cyberattack. Given the increasingly cunning ways cyber criminals are obtaining PII, however, no individual or company is completely safe. As a result, companies should prepare a written cybersecurity incident response policy and name a dedicated incident response team that works closely with outside counsel. At a minimum, the FFIEC instructs that financial institutions “should have procedures for
notifying customers, regulators, and law enforcement when incidents affect personally identifiable customer information.” Response procedures should be specific, current, and integrated across business units. While the in-house legal team and general counsel should be at the forefront of any breach, incorporating outside counsel will help to protect attorney-client privilege and confidential information in the event litigation results following the breach. Steve F. Wood, Co-Chairman of the Business Technology Group at Baker Donelson and the law firm’s Chief Information Security Officer, concurs. “Having outside counsel in the loop removes any question that might exist as to the validity of attorney-client privilege with regard to in-house lawyers,” Wood explains, “and given the likelihood now that a data breach will result in lawsuits, that’s an important consideration.” He points out also that in-house counsel often will not be as comfortable dealing with data breach
issues as an attorney who has handled many of them. The Department of Justice Cybersecurity Unit agrees, reporting in April 2015 that the incorporation of legal counsel into cyber incident management is a “best practice” organizations should utilize when crafting a cyber incident response plan, and that legal counsel that is accustomed to addressing the types of issues that are often associated with cyber incidents will be “better prepared to provide a victim organization with timely, accurate advice.” Methods of transferring risk should also be evaluated. Cyber insurance coverage is a necessary part of a financial institution’s information security program. Companies would be prudent to consult with a cyber-insurance expert to confirm that they are fully covered for potential losses following a breach. Suzanne A. Gladle, Director of Cyber Program Operations at McGriff, Seibels & Williams, Inc., notes that “cyber insurance has evolved over the past decade and can
serve as a financial back-stop to many of the costs associated with data and system breach events.” Gladle explains that well-crafted cyber insurance can be arranged to cover a host of expenses that a financial institution may incur in connection with a security incident including: • ENTERPRISE OPERATION RISK: IT automation throughout organization (applications and network); • BUSINESS INTERRUPTION LOSS: Income loss from an inability to execute transactions or if a website is hijacked and customers are prohibited from accessing it; • ADDITIONAL BREACH EXPENSE: Isolation and containment of the intrusion, forensic analyses, recovery and restoration of compromised digital assets, and relicensing computer applications; • LEGAL LIABILITY: Litigation arising from alleged failures to meet contractual obligations, consumer class actions, and regulatory investigations; • Incident Response Costs – Notification, credit monitoring, forensic
analyses; • PAYMENT GATEWAY LIABILITY: Depending on where a breach originated and the terms of a Merchant Services Agreement, costs such as card re-issuance, PCI assessments, and in some cases, PCI fines or penalties. Gladle cautions that not all cyber insurance products are the same. “Products vary significantly in covered/not covered events, sub-limits of liability, duties with respect to breach response, and exclusions which could impair otherwise covered claims/ losses.” Gaps in coverage often fail to cover breach incidents such as the use of a company’s system to launch attacks or gain access to external third party resources, cyber-terrorisms or acts by nation states or “hactivist” groups, PCI-related costs, or even the FTC investigations discussed in this article. “Companies should work with a skilled brokerage team to build an insurance solution which addresses the risks most relevant to your business and avoid post-loss surprises. Be mindful that the least expensive of-
fers are often priced that way because the underwriter may be sub-limiting many coverage parts or may be excluding material elements of risk,” says Gladle. When confronted with a complex claim: “Cheap insurance is always expensive.” A DECEMBER 2015 GLOBAL SURVEY performed by Gemalto reported that 64 percent of consumers say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen. Adequately defending against potential security incidents by conducting regular security assessments, creating a cybersecurity incident response policy, and insuring against potential losses are the keys to maintaining this relationship and limiting reputational risk. This article was authored by Catherine Crosby Long, D. Keith Andress, and Alisa Chestler of Baker Donelson, an ALFN Enterprise Member. For inquires, contact Catherine Long at firstname.lastname@example.org.
MD & DC’s Award Winning Legal Team Cohn, Goldberg & Deutsch provides legal services in all aspects of default work. Martindale-Hubbell AV rated, our employees have an average of 12 years of experience to better serve the needs of our clients. Our staff has a unique perspective on federal, state and local laws, an understanding of their historical development and an ability to interpret complicated emerging trends.
600 Baltimore Avenue Suite 208 Towson, MD 21204-4084
(410) 296-2550 www.cgd-law.com
Covering you and the South like...Well, you know. Bull Dog Determination Cost-Effective Representation National Coverage Complicated Mortgage Resolution Southern Charm ALABAMA • FLORIDA • GEORGIA • LOUISIANA • MISSISSIPPI • TENNESSEE • TEXAS • WASHINGTON, D.C.
www.bakerdonelson.com THIS IS AN ADVERTISEMENT. Ben Adams is Chairman and CEO of Baker Donelson and is located in our Memphis office, 165 Madison Avenue, Suite 2000, Memphis, TN 38103. Phone 901.526.2000. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers. FREE BACKGROUND INFORMATION AVAILABLE UPON REQUEST. © 2015 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC
34 / ANGLE
Your Vendor Management Strategies May Need Some Attention
by Andrew J. Boylan, Esq., McCarthy & Holthus
It often makes sense to outsource certain business functions to third parties that may be better equipped to handle them; however, any financial benefits of doing so must be weighed against the potential risks and costs involved. In today’s heightened regulatory climate, it is more important than ever to fully evaluate potential vendors prior to onboarding them as approved service providers. REGULATORY GUIDANCE Financial regulators have long understood the economic necessity for their supervised entities to engage the services of authorized third party vendors. In fact, this practice is encouraged as it allows companies to focus more of their time and efforts on ensuring that their consumer goods or services fully comply with all relevant financial protection laws. Here are some excerpts from three of our industry’s major regulators: CFPB: “The CFPB recognizes that the use of service providers is often an appropriate business decision for supervised banks and nonbanks. Supervised banks and nonbanks may outsource certain functions to service providers due to resource constraints, use service providers to develop and market additional products or services, or rely on expertise from service providers that would not otherwise be available without significant investment.”1 OCC: “The OCC supports and encourages national banks’ use of third parties to take advantage of the many legitimate and safe opportunities to enhance product offerings, improve earnings, and diversify assets and revenues.”2 FDIC: “Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market globalization. To remain profitable in such an environment, financial institutions continuously assess and modify their product 1 http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf 2 http://ithandbook.ffiec.gov/media/27914/occ-bul_2001_47_third_party_relationships.pdf
and service offerings and operations in the context of a business strategy.”3 However, these regulators caution that using third parties can expose institutions to significant risk if they are not properly monitored. From the outset, the CFPB established firm expectations for service provider oversight. As discussed above, the Bureau understands the need for its supervised entities to hire third parties for certain aspects of their operations. For example, a supervised bank may utilize a default servicing company, who may retain a foreclosure law firm, who may then hire mailing and posting vendors. Regardless of how many different layers of service provider relationships exist, the CFPB expects that robust processes will be put in place to ensure full compliance with consumer financial law. “The mere fact that a financial institution enters into a business relationship with a service provider does not absolve the financial institution of responsibility for complying with Federal consumer financial law and does not give it license to “turn a blind eye” to violations of Federal consumer financial laws and regulations by the entity that is acting on its behalf. Depending upon the circumstances, responsibility for legal violations by a service provider may lie with the financial institution as well as with the service provider.”4 This has been a recurring issue found within the Bureau’s periodically published Supervisory Highlights. There have been several cited violations concerning actions performed by service providers as well as supervised entities’ failure to facilitate periodic reviews of their service providers.5 VENDOR OVERSIGHT The thought of being constantly watched and monitored is an unnerving feeling. This is true whether you are a high school teenager being subjected to parental oversight or if you are the president of a compa3 https://www.fdic.gov/news/news/ financial/2006/2cep_compliance.pdf 4 http://files.consumerfinance. gov/f/201210_cfpb_supervisory-highlights-fall-2012.pdf 5 12 CFR 1024.38(b)(3)
ny having to report to your board of directors. Unfortunately, the oversight function is a labor-intensive and expensive necessity in our industry. The CFPB specifically requires servicers to maintain policies and procedures that are reasonably designed to facilitate the oversight of, and compliance by, service providers.6 So what is “reasonable”? The short answer is: that depends. The level of vendor oversight differs greatly depending upon the relationships involved. We know that regulators are willing to take into account the size and scope of a company’s operations instead of taking a onesize-fits-all approach. We are also provided with several best practice tips to follow. For example, to help limit risks from service providers, the CFPB suggests following these steps: A. Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law; B. Requesting and reviewing the service provider’s policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities; C. Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices; D. Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law; and E. Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where 6
12 CFR 1024.38(b)(3)
appropriate.7 Besides following the numerous regulatory bulletins and guides discussing third-party risk, another key area to focus on is the underlying contracts that you have with your vendors. REVIEWING VENDOR SLAs To alleviate the risks mentioned in this article, it is important to continually review your company’s service level agreements (SLA) with approved vendors. In October 2013, the OCC issued a Bulletin focusing on risk management and the importance of monitoring SLA’s. From the outset, the initial contract negotiation is essential to lay a proper foundation. It is important to ensure that the service provider has its own procedures in place to ensure compliance with all relevant laws, regulations, and any other official guidance. After the contracts have been put in place they must be continually monitored to ensure that they are being followed. According to the OCC, “After entering into a contract with a third party, bank management should dedicate sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third party commensurate with the level of risk and complexity of the relationship.”8 This is usually accomplished by implementing a vendor scorecard program and/or continuing on-site audits. As new laws and regulations are implemented, SLA’s need to be continually updated to ensure ongoing compliance. Although it may be encompassed within a catch-all provision stating that the service provider will continue to comply with any and all laws and regulations, there is still a need to ensure that the vendor is capable of doing so. One way to do this is to request that the vendor implement a compliance management system. COMPLIANCE MANAGEMENT SYSTEMS (CMS) Compliance Management Systems (CMS) are nothing new. The basic model provides for three or four
7 http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf 8 http://www.occ.gov/news-issuances/ bulletins/2013/bulletin-2013-29.html
interdependent elements usually consisting of: management oversight, a compliance program, an independent audit function, and if applicable a process for addressing consumer complaints. Sample CMS programs are readily available, but the most important part is that they are specifically tailored to the size and scope of the company’s operations. The CFPB expects every entity that it supervises to have an effective CMS adapted to its business strategy and operations; however, the Bureau does not require the entities to follow a specific structure so long as their CMS complies with federal consumer financial laws and appropriately addresses any associated risks of consumer harm. Most companies in our industry already have a CMS in place. But what about your service providers? As you conduct the ongoing monitoring of your third party vendors, it is a good idea to also ask about their CMS. Unless your service provider falls under the direct supervision of the CFPB, you probably do not need to hold them to strict compliance with the Bureau’s almost 1,000-page Supervision and Examination Manual.9 But it is a good idea to see what they have in place so that you can identify any potential weaknesses that could put you at risk. CONCLUSIONS To maximize your vendors’ performance you need to be able to manage their risks. It’s not easy, and it’s not cheap, but the failure to do so could be detrimental to your reputation and your bottom line. So remember to always keep your vendors “In sight, and on your mind.” Andrew J. Boylan, Esq. is the Chief Compliance Officer with McCarthy Holthus, an ALFN member in Arizona. Boylan can be reached at aboylan@ mccarthyholthus.com.
9 http://files.consumerfinance. gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf
38 / ANGLE
33 / ANGLE
Did you know the ALFN offers scholarships for servicers to attend events? Whatâ€™s more, you can offer this perk to your clients or potential clients and pay this value-add forward to those in your network. Ask us how @ALFN_Network
BALANCING YOUR VOLUNTEER EFFORT
Maryland, Virginia, North Carolina, South Carolina, Tennessee, Georgia and Florida With physical offices in each state, Brock & Scott provides comprehensive default services including judicial and nonjudicial foreclosure, bankruptcy, eviction, REO, title curative, litigation, collection and closing services in all of our states.
ATTENDING ONE OF OUR REGIONAL TRAINING SEMINARS PUTS YOU FACE-TO-FACE WITH LEGAL EXPERTS WHO CAN TRAIN YOUR FRONT LINE AND MANAGEMENT LEVEL STAFF
SAVE OUR 2016 DATES
REGISTRATION OPENS SUMMER 2016
SEPTEMBER 3, 2016
NOVEMBER 15, 2016
Visit us at BrockandScott.com for information on each practice area, office locations, attorney search, seminar & training offerings and our newsletter publications.
Jim Bonner email@example.com 910-392-4988 x4410 Kevin Frazier firstname.lastname@example.org 336-354-1200 x3709
“The Default Services Leader in the Southeast”
SVP, BUSINESS DEVELOPMENT & MEMBER RELATIONS LPOTTER@ALFN.ORG 513-257-9948
ARCHIVED ONLINE AT ALFN.ORG
ALFN WEBINARS NEVER STOP LEARNING CLASS ON AYS WEDNESD
HOSTING AN ALFN WEBINAR JUST MIGHT SURPRISE YOU: + AVERAGE ATTENDANCE OF 200+ INCLUDING MORTGAGE SERVICERS + PRESENTERS RECEIVE CONTACT INFORMATION FOR ALL ATTENDEES + POSITION YOURSELF AS A SUBJECT-MATTER OR STATE-SPECIFIC EXPERT + EXPOSURE TO OVER 6,000 MORTGAGE SERVICING INDUSTRY PROFESSIONALS + BUILD CREDENTIALS OF YOUR YOUNGER ASSOCIATES + EACH MEMBER RECEIVES ONE COMPLIMENTARY WEBINAR OPPORTUNITY*
*Each ALFN member has the opportunity to conduct one complimentary webinar each calendar year. Additional webinars are offered at a nominal $1,000 fee. Participants of ALFN Committees, Groups and those participating at the request of the ALFN are exempt. Log on to ALFN.org for details or contact us at email@example.com for more details.
Expanding Our Power to Serve Leveraging industry expertise and technology, ProVest is the leading national provider in managing service of process. The agility and flexibility required to meet client needs demands the continued pursuit of accuracy, speed, and responsiveness. ProVestâ€™s valued clients benefit from a commitment to upholding corporate business principles and standing behind the integrity of our service.
WE SERVE Technology fuels the foundation of all ProVest processes. Our clients reap the benefits of powerful business applications that deliver a compelling suite of technologies, including our mobile technology solution Process Server Snapshot!. The pairing of our sophisticated technical infrastructure with internal support and development teams affords capabilities that set us apart from any other service of process firm.
An industry constant with 20+ years of experience, a nationwide server network, and financial fortitude.
Our Legal, and Risk and Compliance departments reinforce a pledge to uphold all applicable laws.
We stay abreast of technology, so that we can deliver the safest, most reliable, and expedient solutions.