This year, in a climate of intense government scrutiny, pervasive media vilification and growing public perception of the mortgage industry as predatory, servicers must also be prepared to confront changes to the Fair and Accurate Credit Transactions Act (FACTA).
Underestimating the impact of these new requirements carries serious repercussions for servicers. This ruling and compliance obligation will alter strategic planning, budgets and business processes – and could ultimately increase the cost to service.
The host of existing privacy-compliant marketing (PCM) challenges includes information security programs, ‘opt-out’ rights, vendor relationship management, do-not-solicit and do-not-call rules, and breach notifications.
Additionally, servicers must make certain their FACTA-compliance strategies – which must soon more thoroughly monitor affiliate marketing, identity theft red flag and notice of address discrepancy regulations – are consistent with other existing laws.
With the mandatory deadline looming in the fourth quarter of this year, servicers will have to rapidly familiarize themselves with interrelated regulations, and then logistically synchronize and make changes throughout a variety of business functions. Servicers will need to reassess or modify third-party service provider relationships, consider adjustments to marketing calendars and possibly create a written program related to identity theft red flags and notices of address discrepancy.
Given the limited time to respond – and the currently shaky real estate finance and servicing markets – companies should elevate FACTA compliance to a high priority.
Assessment and action
Servicers should not panic, but rather respond quickly and apply a reasonable timetable to meet deadlines. Servicing organizations' boards of directors, executives and senior management should initiate comprehensive assessments as soon as possible.
If all affected departments (legal/compliance, operations, marketing, etc.) complete assessments and implement plans during the second quarter, and perform testing/verification by the end of the third quarter, crisis can be averted. The strategy sounds simple, but it is considerably complex.
Today, a majority of servicers have existing ties (e.g., common ownership) to parent financial corporations and/or bank holding companies, and interact with several affiliate lines of businesses. To some degree, servicers will bear direct responsibilities or experience a greater burden of compliance continuity in cooperation with parent corporations. Given the mergers and acquisitions environment, these new FACTA obligations will affect nearly every type of servicer.
Interrelated marketing functions within or across existing corporate relationships will force servicers to perform comprehensive contract review of third-party marketing and service provider relationships.
Using past experience with the Gramm-Leach-Bliley Act (GLBA) as a model, servicers would be wise to insert more specific FACTA language regarding affiliate marketing, identity theft red flags and notices of address discrepancy into contracts. In some cases, servicers might consider securing outside assistance with internal assessment and validation of compliance.
Some details
The original Fair Credit Reporting Act (FCRA) was amended by FACTA, and its intended purposes were to combat identity theft, increase the accuracy of credit reports, restrict the use of medical information in credit eligibility determinations, and allow consumers to exercise greater control regarding the type and number of solicitations they receive.
Regarding affiliate marketing, the Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation and other bodies issued final rulings that took effect Jan. 1. The mandatory compliance deadline is Oct. 1.
Within FACTA's new affiliate marketing rules, Section 214 (replacing FCRA Section 624) specifically requires servicers' attention and can impose new opt-out treatments.
FACTA Sections 114 and 315 specifically instruct each financial institution or creditor to develop and implement a written identity theft prevention program to detect, prevent and mitigate identity theft in conjunction with the opening of certain accounts or certain existing accounts.
It has been suggested that these red-flag and notice rules have obvious implications for mortgage originators and present limited challenges to mortgage servicers. However, with the complex parent-subsidiary relationships, mortgage servicers should not be caught unaware or assume that existing controls ensure compliance.
At a minimum, the service-provider classification will compel mortgage servicers to respond to a parent company's red-flag and notice requests. Therefore, servicers of all types should perform internal assessment and consider securing outside validation of compliance.
Compliance cost
Regulatory bodies project a 41-hour ‘burden estimate’ for developing a FACTA program. Considering these bodies' history of underestimating the full implications of new regulations (e.g., GLBA), this time frame seems grossly understated. It could take longer than that to simply answer who, what, where, when and how.
Historically, compliance costs – for both small and large entities – have also been underestimated. The cost of providing another opt-out, for instance, goes beyond the actual mailing costs.
Conversely, the cost of noncompliance or violation is outlined in FACTA Section 621. While no ‘private right of action’ exists, the usual plethora of ‘administrative enforcement’ penalties (e.g., cease and desist orders, civil or monetary penalties) are apparent.
Another concern relates to the authority of the states, and the chief law enforcement officer designated by a state. Attorneys general are not typically noted for their forgiving or lenient dispositions or for their lack of political ambition.
Substantial unknowns exist. How will the states react, coordinate and reconcile mandatory FACTA compliance regulations with their individual state or jurisdictional laws? What are the current information security program standards? What fines are appropriate?
Servicers should not assume that existing information security programs automatically satisfy the new requirements. In reality, many of these programs have yet to be tested by outside audits or federal or state agency examinations.
A common misunderstanding related to privacy-compliant marketing and data security is that technology is the problem and, therefore, upgrading technology is the solution. This is not so. Compliance, in general, and privacy-compliant marketing, specifically, are corporate-wide responsibilities first championed by leadership and executives, and then embraced throughout the corporate culture.
The fact is, compliance is not optional, and regulatory bodies are not known for being sympathetic. To restate the obvious: Deadlines exist, and servicers will have to meet them.
With little time left until FACTA compliance is mandatory, servicers will be under the watchful eye of federal and state regulators, consumer advocate groups and privacy professionals. If servicers understand the level of commitment required and act quickly, there is reason for optimism. After all, the mortgage servicing industry has certainly faced and surmounted its share of obstacles.
Greg Genua is a certified information privacy professional and independent consultant with over a decade of experience in the mortgage banking industry. He can be reached at greg@genua.us or (918) 451-2247.