With US foreclosures at their lowest level in over a decade, it must be the right time to create new supervisory and enforcement authority over mortgage loan servicers, regardless of their size or type of entity or the duplicative nature of government oversight. Right? At least that is what Representative Maxine Waters (D-CA) must be thinking based on her proposed bill named the "Homeowner Mortgage Servicing Fairness Act of 2018" (the "Proposed Act"). While in the short term the Proposed Act has no chance of passage, it provides for some "safety and soundness"-type requirements that do not typically apply to state-chartered, non-depository residential mortgage loan servicers (which we will refer to as "nonbanks" or "nonbank servicers"). And though federal regulation, supervision and enforcement of mortgage lenders by the Bureau of Consumer Financial Protection (the "Bureau" or "BCFP") obviously is on the decline, nonbank servicers should keep a watchful eye on the potential federal extension of safety and soundness principles to their operations. And for federally chartered depositories, the prospect of duplicative safety and soundness exams by their provident bank regulator and the Federal Housing Finance Agency ("FHFA") probably would not be a cause for joy.

Provisions of the Proposed Act

Underlying the Proposed Act is a set of "findings" about how bad residential mortgage servicers have been and continue to be since the advent of the foreclosure crisis in 2008, relying in part on various governmental reports issued before the change in control of the House of Representatives and the Executive Branch. The articulated purposes of the Proposed Act have a decidedly consumer protection bent, consisting of the following: to ensure that mortgage borrowers are protected from abusive servicing practices, to end engagement by mortgage servicers in illegal servicing practices, to keep more people in their homes whenever possible, to promote servicers' compliance with the loss mitigation guidelines of Fannie Mae and Freddie Mac, and to minimize losses to companies and taxpayers. In order to achieve these purposes, the Proposed Act empowers the FHFA, presently the conservator for Fannie Mae and Freddie Mac (collectively, the "GSEs"), to promulgate standards by regulation for "covered servicers," which are servicers of residential mortgage loans for Fannie Mae and Freddie Mac.

The standards required to be promulgated are set forth in Section 3 of the Proposed Act and consist of:

  • Adequacy of internal controls and information systems, taking into account the nature and scale of business operations;
  • Independence and adequacy of internal audit systems;
  • Overall risk management processes, including adequacy of oversight by senior management and policies to identify, measure, monitor, and control material risks, including data protection and reputational risks;
  • Compliance with the mortgage servicing requirements under the Real Estate Settlement Procedures Act of 1974 and the implementing regulations, in consultation with the Bureau, including a system for solicitation and review of borrower complaints involving servicing of single family housing mortgage loans owned or guaranteed by an enterprise;
  • Documentation and retention of records related to borrower interactions that enable the FHFA to evaluate the quality of service given to borrowers, including borrower contact, delinquency management practices, loan modifications and foreclosure alternatives, and foreclosure timelines which shall provide that in each instance involving a default under a loan, the covered servicer shall document and retain a detailed description of the actions such servicer took to comply with the enterprises' loss mitigation review requirements, including efforts to establish borrower contact, solicit a loss mitigation application, review the application under the appropriate guidelines, and inform the borrower of the servicer's decisions; and
  • Such other operational and management standards as the FHFA director determines to be appropriate to carry out the purposes of the Proposed Act.

The Proposed Act mandates the FHFA both to conduct oversight of covered servicers on a regular and ongoing basis and in a manner designed to ensure that such servicers comply with the Proposed Act's requirements and any related regulations issued by the FHFA and to identify systemic problems and trends with such compliance. It further grants the FHFA the power and authority to examine any covered servicer whenever FHFA determines an examination of any such servicer is necessary to carry out the purposes of Section 3 of the Proposed Act; there is no distinction under the Proposed Act between federally chartered banks and nonbanks. FHFA may assess a reasonable fee on covered servicers, in an amount sufficient to cover the FHFA's reasonable costs (including administrative costs) and expenses in connection with carrying out the responsibilities under the Proposed Act.

If some of the standards and oversight authority (exclusive of the assessment authority) remind you of the Bureau's servicing regulations and its supervisory authority, you are right. In some respects these standards are duplicative, and that is intended. Section 3 expressly states that the authority it confers to FHFA does not limit the additional or concurrent power and authority of the Bureau with respect to mortgage loan servicers and their mortgage servicing practices. Moreover, federally chartered banks and some state-chartered banks already are subject to supervision and examination by federal banking agencies for some of the same corporate and risk governance standards contained in the Proposed Act to be administered by the FHFA. Yet the Proposed Act does not mention the concurrent authority of the Federal banking agencies as it does with the BCFP.

While the remedies available to the FHFA may vary in many respects to the remedial authority of the Bureau and the Federal banking agencies, both of which are derived from or modeled in part after the Federal Deposit Insurance Act ("FDI Act"), the FHFA nevertheless has an extensive arsenal of remedies at its disposal under the Proposed Act. If a servicer after notice fails to cure a cited deficiency in servicing to the applicable standards within an FHFA-established time period, the FHFA must take one or more of the following actions:

  • Impose a civil monetary penalty upon the covered servicer in an amount not to exceed $10,000 for each day during which such deficiency continues;
  • Mandate the transfer of loan servicing rights without providing compensation to the covered servicer;
  • Limit or prohibit the covered servicer from conducting business with the enterprises; and/or
  • Require the covered servicer to take any other action that the FHFA determines will better carry out the purposes of Section 3 of the Proposed Act than any of the actions described above.

Of course, under their respective Servicing Guides, Fannie Mae and Freddie Mac already have the authority to terminate a servicer with cause and seize the terminated servicer's applicable agency servicing rights. FHFA presently has statutory authority to impose civil money penalties on Fannie Mae and Freddie Mac, but neither the FHFA nor Fannie Mae and Freddie Mac presently have authority to impose civil money penalties on loan servicers. In addition, Fannie Mae and Freddie Mac have the discretion not to terminate a servicer and its servicing or otherwise impose a sanction for a Guide breach. The "nuclear option" of termination rarely is invoked by Fannie Mae or Freddie Mac and generally is reserved for the most egregious situations, but, by regulation, the FHFA would be required to impose sanctions for uncured regulatory violations.

Safety and Soundness Similarities


Unlike the federal banking agencies, with certain exceptions, the Bureau does not have explicit statutory authority to impose standards on loan servicers pertaining to adequacy of internal controls and information systems, independence and adequacy of internal audit systems and overall risk management processes, unrelated to the consumer compliance function. The Bureau does impose rules on servicers to maintain robust compliance management systems, and it might try to squeeze more fulsome requirements for risk management controls from its general UDAAP authority. Contrast this with the clear authority of federal banking agencies to supervise and examine banks under their purview for safety and soundnesstype issues.

Section 39 of the FDI Act requires each Federal banking agency to establish certain safety and soundness standards by regulation or by guideline for all insured depository institutions. Under section 39, the agencies must establish three types of standards: (1) operational and managerial standards; (2) compensation standards; and (3) such standards relating to asset quality, earnings, and stock valuation as the agencies determine to be appropriate. With respect to the first standard, Section 39(a) requires the agencies to establish operational and managerial standards relating to internal controls, information systems and internal audit systems, in accordance with section 36 of the FDI Act.

In response, the federal banking agencies jointly have issued Interagency Guidelines Establishing Standards for Safety and Soundness (12 CFR Appendix A to Part 30), which include:

  • Internal controls and information systems. An institution should have internal controls and information systems that are appropriate to the size of the institution and the nature, scope and risk of its activities and that provide for:
    • An organizational structure that establishes clear lines of authority and responsibility for monitoring adherence to established policies;
    • Effective risk assessment;
    • Timely and accurate financial, operational and regulatory reports;
    • Adequate procedures to safeguard and manage assets; and
    • Compliance with applicable laws and regulations.
  • Internal audit system. An institution should have an internal audit system that is appropriate to the size of the institution and the nature and scope of its activities and that provides for:
  • Adequate monitoring of the system of internal controls through an internal audit function. For an institution whose size, complexity or scope of operations does not warrant a full scale internal audit function, a system of independent reviews of key internal controls may be used;
  • Independence and objectivity;
  • Qualified persons;
  • Adequate testing and review of information systems;
  • Adequate documentation of tests and findings and any corrective actions;
  • Verification and review of management actions to address material weaknesses; and
  • Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems.

One can look to the Office of the Comptroller of the Currency's ("OCC") Comptroller's Handbook booklet, Corporate and Risk Governance (the "OCC Booklet"), which is prepared for use by OCC examiners in connection with their examination and supervision of national banks and federal savings associations, as a source of information about risk management in the context of "safety and soundness." The OCC Booklet specifies eight categories of risk for bank supervision purposes: credit, interest rate, liquidity, price, operational, compliance, strategic, and reputation. In terms of basic risk management, the OCC looks to both corporate governance and risk governance. The former is described in the OCC Booklet to involve the relationships among the bank's board, management, shareholders, and other stakeholders for governing the bank's operations and structure. The latter is described in the OCC Booklet as the application of the principles of sound corporate governance to the identification, measurement, monitoring, and controlling of risks to ensure that risk-taking activities are in line with the bank's strategic objectives and risk appetite. Risk governance is the bank's approach to risk management and includes the policies, processes, personnel, and control systems that support risk-related decision making.

While the first three standards enumerated in the Proposed Act sound very similar to their apparent counterparts in federal banking law and regulations, the context is very different. According to the OCC Booklet, from a supervisory perspective, risk is the potential that events will have an adverse effect on a bank's current or projected financial condition and resilience or ability to withstand periods of stress. Managing this risk related to the strength of the institution is particularly important given federal insurance of customer deposits. The purposes of the Proposed Act, however, are to protect the consumer from inappropriate servicing practices, not to shore up the institutional strength of weak mortgage servicers. In this respect, most of the eight categories of risk about which the OCC cares are not likely to be directly relevant to a consumer's mortgage servicing experience.

Protecting consumers, of course, is considered an important function of the federal banking agencies, and they have used safety and soundness standards to address home foreclosure and loss mitigation, among other consumer issues involving mortgages. But there is not a singularity of purpose to protect consumers as there is with the Bureau and as there appears to be under the Proposed Act.


The Housing and Economic Recovery Act of 2008 ("HERA"), which created FHFA, mandated the director of FHFA to promulgate by regulations or guidelines safety and soundness standards for each of Fannie Mae and Freddie Mac. These statutory standards under HERA clearly are derived from federal banking standards. Interestingly, the first three standards of the Proposed Act—the ones that invoke safety and soundness considerations—are taken right from HERA's requirements for FHFA to create standards for the GSEs relating to, among other standards.

  • Adequacy of internal controls and information systems taking into account the nature and scale of business operations;
  • Independence and adequacy of internal audit systems;
  • Overall risk management processes, including adequacy of oversight by senior management and the board of directors and of processes and policies to identify, measure, monitor, and control material risks, including reputational risks, and for adequate, well-tested business resumption plans for all major systems with remote site facilities to protect against disruptive events; and
  • Such other operational and management standards as the FHFA director determines to be appropriate.

In other words, federal banking standards of safety and soundness beget such standards for the GSEs which in turn beget similar standards for GSE-approved servicers.


Does it make sense to extend safety and soundness standards to be administered by the FHFA under the Proposed Act to servicers for the GSEs that are either federally chartered banks or nonbanks? Senators Bob Corker (RTN) and Mark Warner (D-VA), who are the leading senators on the Senate Banking Committee focusing on GSE reform, may not think so. Earlier this year, they circulated a discussion draft of a potential GSE reform bill that would end the GSE's conservatorship. Among other provisions, the draft would replace or supplement Fannie Mae and Freddie Mac with other guarantors of mortgage-backed securities issued by private issuers. Section 305 of the discussion draft directs a guarantor to manage the risks arising out its relationship with a servicer of eligible mortgage loans, including with respect to riskbased capital, leverage, net worth, and liquidity. It does not include a specific reference to safety and soundness-like requirements, but does authorize FHFA to determine other appropriate requirements or restrictions on servicers to manage risks. While perhaps such additional standards may include safety and soundness considerations, the draft explicitly states that "Nothing in this Act may be construed to authorize the Agency [FHFA] to supervise or regulate ... servicers of eligible mortgage loans."


State mortgage banking departments increasingly are looking at governance and risk management controls in their audits of licensees. New York, for example, includes the following requirements in its Mortgage Banker Guidebook in Section IV, Supervisory Oversight-Evaluation of Rating Components, relating to mortgage origination activities:

Strong internal controls are essential to a licensee's risk management. Policies and procedures are an integral part of a sound internal control environment. Licensed mortgage bankers should ensure that policies provide personnel with a consistent message regarding unauthorized activity, malfeasance, loan documentation standards and overall conduct with consumers. Furthermore, management should establish appropriate control systems and monitoring functions to ensure compliance with internal policies and procedures.

The internal control system should employ controls that are both preventative and detective. Preventative controls are designed to discourage noncompliant and fraudulent behavior, while detective controls facilitate the identification of noncompliant and fraudulent behavior after they have occurred.

Mortgage bankers should maintain a system of controls appropriate for the size, complexity and associated risk of its origination activities. Such internal controls should employ front-end policies and procedure to prevent unauthorized activity, fraud and financial loss, and backend detective measures to identify errors, unauthorized activity and fraud. Such detective measures include, but are not limited to, quality control reviews, management information systems reports, internal or external audits and information technology reviews.

As one might expect, the focus of these requirements is protecting consumers. More broadly, look at the New York Department of Financial Services' Cyber-Security Requirements for Financial Services Companies (23 NYCRR 500). It requires licensees to maintain a cybersecurity program designed to protect confidentiality, integrity, and availability of a covered entity's information system, including a requirement to conduct periodic risk assessments.

In many cases, the states do not have specific regulatory requirements for internal audit and risk management, but that doesn't stop them for looking for such controls. For example, in connection with examinations, many states now request all or some of the following materials from nonbank mortgage lenders:

  • Board and committee minutes and related presentation materials for areas beyond regulatory compliance.
  • Policies and procedures for risk management (again, beyond those pertaining solely to regulatory compliance), with evidence of testing against those policies and procedures.
  • Internal audit team composition and reporting lines, and any documentation of tests and findings and any corrective actions.
  • Data on financial strength and liquidity, including quarterly results and borrowing capacity (e.g., outstanding warehouse line amounts, excess capacity and termination dates, and other comparable assessments of liquidity).

Briefly put, examiners are putting themselves in a position to assess nonbanks' enterprise risk management capabilities broadly – covering not only compliance but also data security, internal controls, financial strength, and reputational matters – and, anecdotally, they are not just requesting materials but also following up with questions or requests for additional details on strategic plans, financial performance, and liquidity. And while these reviews are not as robust as one would find with federal banking regulators, in part because often times there are not explicit regulatory standards to be applied and instead are derived from a government's authority to evaluate the "character and fitness" of a licensee, that may change.


Even if there were a change of political direction, it is not likely that the Proposed Act is going anywhere, and the ultimate likelihood of similar reforms emerging from the GSEs or states is too difficult to predict. At the same time, it is a useful reminder that the federally required adherence to basic principles of corporate governance and risk management to which federally chartered banks are subject and for which they are supervised has not yet been formally extended to nonbank servicers. But the operative words are "not yet."

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2018. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.