With regulatory compliance requirements rapidly on the rise, we offer a full-spectrum approach for mortgage banks for compliance risk management, combining regulatory analysis, identifying competing regulations, instituting operational process controls, effective data quality and document management strategies.
Mortgage Banking: A Holistic Approach to Managing Compliance Risk
To meet growing requirements for proof of regulatory compliance,
mortgage banks need a more comprehensive approach to
compliance risk management, one that combines regulatory
analysis, identifying competing regulations, instituting
operational process controls, effective data quality and
document management strategies.
Executive Summary
Mortgage banking decision-makers understand
and have likely experienced the challenges faced
when attempting to adhere to ever-changing
regulations and requirements from government
regulators, government sponsored enterprises
(GSEs) and investors. Regulatory compliance
touches nearly every aspect of originating and
servicing a mortgage loan, with particular focus
on the data quality associated with decision-
making processes, calculations and analytics, and
with every form of borrower communication.
Highlighting this point, the U.S. Consumer
Financial Protection Bureau (CFPB) Strategic
Focus 2013-2017 plan[1] lists data-driven analysis
as the primary method for the realization of its
mission and vision: “To help consumer financial
markets work by making rules more effective, by
consistently and fairly enforcing those rules, and
by empowering consumers to take more control
over their economic lives.” The CFPB plan also
notes: “The CFPB is a data-driven agency. We take
in data, manage it, store it, share it appropriately,
and protect it from unauthorized access. Our aim
is to use data purposefully, to analyze and distill
data to enable informed decision-making in all
internal and external functions.” Pursuant to this
statement, the CFPB has mandated that financial
institutions not only meet all CFPB mortgage
regulations but also retain evidence of actual
compliance.
This mandate necessitates a shift in thinking and
approach for many lenders and servicers. An
organization cannot be considered in compliance
with a rule until it can provide evidence of the
activities, procedures and data specified by the
rule. To prove “evidence of compliance” (EoC),
an organization must document linkage between
compliance rules, calculations performed, data
derived, process data, system data, external data
and document metadata.
cognizant 20-20 insights | september 2015
As a result, lenders and servicers must assess
their current EoC maturity level to understand
their EoC challenges and improve their EoC
programs. Many business processes and
IT systems need to undergo considerable
change to meet unfolding regulatory requirements,
and to build new competencies to
be successful. These investment decisions
pose significant challenges to banks that are
currently operating in a business environment
of weakened demand, declining spreads and
intensifying competition. But the cost of non-
compliance can be severe. Since 2012, the top
four banks have paid more than $100 billion in
fines, penalties and settlements for violating
various mortgage regulations and for the
inability to provide evidence to regulators for
complying with industry guidelines.[2,3]
This white paper identifies the best practices
and procedures for demonstrating proof of
regulatory compliance by instituting five fundamental
aspects to evidence compliance.
Challenges in Evidencing Compliance
Historically, banks’ efforts to comply with
agency regulations and investor requirements
have lacked transparency and have focused
heavily on manual reviews of processes and
data analysis. These challenges result in non-
repeatable, one-off solutions that further
complicate the banks’ abilities to demonstrate
compliance. These challenges are revealed in the
following ways:
• The linkage to the sources of key data is
often represented without a clear definition
of the data and data relationships. A case in
point is the storage of documents by lenders
during the underwriting process. Too often,
the document relationships are maintained
at the loan level without any consideration of
the specific loan underwriting event, process,
condition or activity.
• Loan data is most often stored as a daily
snapshot within bank data warehouses,
which limits the ability to analyze any key
event that may have occurred multiple times
during the course of the day.
• Loan data is commonly stored across multiple
systems, making it difficult for banks to
aggregate and package the requested data in
an efficient, timely and consistent manner.
Thus, the large volume of data requested to
produce a compliance package can overload
systems and delay delivery. Additionally, the
definition of a specific loan-related term may
be different across various systems and result
in exhaustive data reconciliation efforts. As
a result, regulatory agencies continue to
review a bank’s practices while the bank
searches for a better way to address
these compliance challenges.
• Compliance reporting responsibility is most
often shared across a bank’s operations
and risk and compliance functions, leading
to multiple disparate databases with limited
controls for audit trails or history.
Paradigm Shift
The manner in which regulators interact and
audit mortgage originators and servicers has
changed over the last several years. In the past,
banks provided the regulatory agency with the
requested information and the auditor tackled
the challenge of reviewing bank processes and
digging into loan files to identify noncompliance.
The ability of the agency to review regulatory
compliance was contingent upon the amount
of deployed resources, the quality of the bank’s
documented processes and access to data and
related images/loan files. This was also the case
for investors conducting due diligence to confirm
the sampled collateral was representative of the
purchased pool of loans. Banks provided access
to processes, data, information and loan files but
would not provide any additional information than
what was specifically requested by the agency.
In response to the abuses across the mortgage
industry, the CFPB is now empowered to protect
consumers by carrying out federal consumer
financial laws. Concurrently, existing bank
regulators, the Office of the Comptroller of
the Currency (OCC) and the Department of
Justice (DOJ) were conducting broad reviews
of mortgage servicing practices. These reviews
began in 2011 and included the DOJ’s National
Mortgage Settlement and the OCC’s Independent
Foreclosure Review (IFR). As regulatory
scrutiny increased, regulatory agencies realized
that a change in methodology was necessary
to improve the quality of agency reviews.
Regulators needed banks to provide an increased
level of transparency to adequately complete
audits of banks’ compliance with mandated rules
and regulations.
As a result, the effort required to properly review a
bank’s mortgage servicing and origination practices
is placing additional demands on regulatory
agencies. The recent IFR Settlement[4] provides
an excellent example of these audit challenges:
Fourteen “large mortgage servicers were required
to correct deficiencies in their servicing and foreclosure
processes and to engage independent firms to
conduct a multifaceted independent review of foreclosure
actions that occurred in 2009 and 2010.” In
accordance with the IFR, the independent auditors
were instructed to review the banks’ foreclosure
practices, pinpoint wrongdoing by mortgage
servicers in individual foreclosure cases and then
appropriately compensate those borrowers who
had been harmed.
The lessons learned from the IFR revealed audit
challenges, which led to a shift in regulatory bank
audit practice. First to be addressed was speculation
regarding the number of borrowers that were
improperly foreclosed upon during the review
period. The ability to prove that a borrower was
improperly foreclosed upon was challenging due
to inadequate processes, dated default servicing
technology, poor data quality and incomplete or
inaccurate reporting.
Auditors’ practice of conducting reviews by investigating
bank processes and loan files to identify
noncompliance was heavy on human resources
and time. The following questions emerged: Did
the review yield as many harmed borrowers as
anticipated? And did the reviews turn out to be
far more onerous and complex than originally
expected? Wouldn’t it be better to quickly end
the banks’ payments for these audit services and
swiftly provide relief to those borrowers who were
foreclosed on within the stated review time? After
paying the independent auditors close to $500
million in fees through 2012,[5] regulators ended the
IFR in favor of compensating the borrowers and
ending the resource-heavy reviews. Based on the
events of this particular regulatory effort, a case
can be made that factors which contributed to the
shift in compliance review methodology occurred
as a result of the IFR and the OCC’s subsequent
IFR settlement.
This shift in audit approach and practices between
the regulators and banks resulted from:
• Skepticism regarding the system and data-related
challenges to identify harmed borrowers.
• Inability of the government agency and independent
auditors to identify noncompliance.
• Borrower participation in the independent
foreclosure review process.
Actual versus perceived number of borrowers
improperly foreclosed on diverged. As a result,
the burden of proof rests solely with the banks.
Banks bear the cost of showing compliance
instead of the regulatory auditors. This
paradigm shift has moved the industry from
an “innocent until proven guilty” approach to
a “guilty until proven innocent” practice, where
the banks must prove compliance through well
documented and communicated processes, comprehensive
data integrity, data and document
linkages and appropriate summary and sample
reporting packages. As noted above, the CFPB
has mandated that financial institutions do not
just follow regulations but also retain evidence
that they have actually complied with such regulations.
This can only be accomplished through
an EoC program that addresses fundamental
aspects of showing compliance.
Establishing a Rigorous EoC Program
There are five key components of maintaining a
compliance program that provides evidentiary
proof required to minimize compliance risk (see
Figure 1).
• Regulatory interpretation: Compliance begins
with a well-documented interpretation of
all regulatory, investor, state and corporate
requirements, with direct linkage to the operational
processes, data and reports affected
by each requirement. Ideally, this process is
managed by a “bridge team” to break down
walls between business and technology. The
bridge team works with the business, legal,
IT and compliance teams to interpret and
document regulatory requirements. The IT
teams are engaged to ensure data accuracy
and availability, system integration requirements,
workflow tool configuration, etc.
Compliance rules and requirements are
constantly changing. An easy to reference
and maintain compliance library reduces the
impediments to keeping a firm’s EoC program
current and relevant. The library provides
a line-by-line detail of every compliance
requirement and the workflow trigger and
exception events associated with each.
Figure 2 represents a sample interface to the
compliance library.
[Figure 1: Fundamental EoC Components. Key aspects of EoC: Regulatory Interpretation & Linkage to Process; Regulatory Controls & Monitoring; Exception & Performance Management; Data Integrity; Publication.]
[Figure 2: Inside a Compliance Library. The sample screen shows a library entry for guideline 1026.19(a)(1)(i), effective date 08/01/2015, with the description “Ensure the Loan estimate is delivered within 3 business days of receiving complete loan application,” its trigger and exception events, and an event detail (Event: “LE Delivery” timer expired; Event #: U9C; Event due date: Immediate; Event type: 3 day document delivery).]
Note: The compliance library houses regulatory requirements, source files (e.g., CFPB, Fannie Mae, state requirements,
etc.), operational processes affected, trigger events, “best practice” implementation approach, policy exceptions, etc.
• Regulatory controls: To ensure that the
bank’s interpretation of regulations accurately
translates to corresponding business
processes typically requires a well-documented
process design, control and monitoring
program. Effective and proactive process
controls also require a strong definition of the
process, a sound understanding of the critical
points of control and effective reporting that
specifically addresses the critical control
points (see Figure 3).
[Figure 3 steps: 1. Process Definition; 2. Definition of Critical Points of Control; 3. Identify Control Escalation Parameters; 4. Identify Reporting Needs; 5. Reporting Analysis to Verify Reporting Accuracy & Quality; then Ready for Process Control Monitoring.]
Reliance on resources from business operations
to design effective, controllable processes
oftentimes creates a design subject to operational
bias. Interorganizational processes
require an impartial approach to maximize
efficiencies, regardless of the effects of design
decisions on various departments. Experts
in business process solution design can more
easily craft efficient processes using the
objective steps indicated above.
Even the most well-designed process can be
difficult to control and subject to operational
“process creep” (unapproved change) without
the use of rules-based decision workflow tools.
Surprisingly, many banks have been slow to
adopt workflow technology that can lock down
processes and allow for better control and
exception management.
• Exception management: With properly implemented
process control and monitoring in
place, business process exceptions should
be minimized, quickly identified and easily
remediated with predefined exception
management procedures.
• Data integrity: The proper implementation
of the previous three components of EoC will
have a significant impact on data quality.
These components are integrated into the
lender’s overall data governance and change
management programs, specifically designed
to maintain the accuracy and consistency of
data over its entire lifecycle. The quality of data
is measured both by the integrity of the data
source as well as the technical infrastructure to
manage and control the data.
As shown in Figure 5, achieving a
higher level of data integrity and data quality
requires comprehensive data capture for all
data sources. Doing this requires the following:
>> Event data: During origination, servicing
or default management, a loan passes
through various stages and key processing
events. It is essential for the data to be
captured at the same instance when the
event occurred to prove compliance later.
For example, during the origination process,
if a particular fee is changed in excess of a
defined threshold, the updated values as
well as the event (fee change) are stored
and utilized in compliance reporting.
>> Data transfer: Identification of the true
source system for given elements and
accurately transferring these data elements
to a centralized repository are extremely
important processes. Inaccuracy during
the data transfer process is one of the
key causes of poor data quality and often
requires unproductive efforts to reconcile
the data at a later stage. Implementation
of data format standards (e.g., Mortgage
Industry Standards Maintenance Organization
(MISMO)) will align data values to what is
most widely accepted by regulators.
Stringent Process Control Workflow
Figure 3
>> Key formulas/calculations: Data is generally
classified as direct data and derived data.
Proving compliance is not only restricted to
the final data values but also requires investigation
of the underlying calculations to
test the accuracy of the logic and relevant
variables. Therefore, proper formula and
calculation management must include
the versions and associated business
changes in order to enable replication of the
exact output.
>> Data from documents: Mortgage processes
are still document heavy. Extraction of key
data (manual or optical character recognition)
available on such documents is an
integral part of the required data set and
should synchronize with the underlying
systems. The complexity of the exercise
increases when one business process
generates multiple versions of the same
document (a loan estimate or closing
disclosure in origination). Hence, validating
the linkage of correct document images to
corresponding data sets/instances becomes
fundamental for demonstrating compliance.
[Figure 4: Troubleshooting the Process]
Warning signs of an improperly executed process control program, with potential causes:
Warning sign: Increasing process anomalies for a particular process.
Potential causes: Lack of an adequate exception remediation process and/or escalation procedures; breakdown in rules-based workflow tools; system-to-system integration failure.
Warning sign: New and/or unexpected process exception.
Potential causes: Business operations unilaterally implemented a process change; regulatory change improperly implemented.
Warning sign: Internal audit findings not accounted for within business processes.
Potential causes: Missing or incomplete linkage between compliance interpretation and business operations execution.
Warning sign: Identification of data quality issues.
Potential causes: Business operations unilaterally implemented a process change; breakdown in rules-based workflow tools; system-to-system integration failure.
[Figure 5: Assessing Data Quality, Governance. Columns: Quality of Data; Data Governance. Entries: Comprehensive data capture for all data sources: loan data, event data, document data, derived data and document images. Robust data quality program facilitated by dedicated data stewards who have enterprise-wide (cross-LOB) visibility into data definitions, lineage, and relationships. Well documented, data-driven business decisions that are traceable to source systems of record. Comprehensive visibility into the potential impact of data changes and enhancements via data analysis, data mapping and impact analysis.]
[EoC Maturity Curve (Figure 6)]
Maturity criteria/factors: 1. Comprehensive regulations and investor guidelines coverage. 2. Compliance traceability. 3. Data quality. 4. Workflow-based collaborative environment. 5. Doc mgmt. integration. 6. Cost and time-to-market.
Competitive Lag: 1. Basic regulations/guidelines covered. 2. Limited compliance traceability. 3. Higher data quality issues. 4. Limited workflow. 5. Limited doc mgmt. capabilities. 6. Medium to high cost, long time-to-market.
Competitive Parity: 1. Some regulators/investors covered. 2. Traceability from source application. 3. Selected data captured from most sources. 4. Basic workflow. 5. EoC maturity assessment. 6. Medium to high cost, long time-to-market.
Competitive Advantage: 1. Most regulators/investors covered. 2. Traceability from exact doc and application. 3. Mainstream data captured for all sources. 4. Workflow across most functions. 5. Doc solution semi-integrated. 6. Moderately cost-efficient, fast time-to-market.
Competitive Leadership: 1. All regulations/guidelines covered. 2. Traceability from exact doc and application with underlying formula. 3. Comprehensive data captured for all data sources. 4. Unified workflow across functions. 5. Doc solution integrated with workflow. 6. Cost-efficient, fast time-to-market.
• Publication: The final component of EoC is
the ability to prove compliance. A lender can
accurately interpret regulations, implement
comprehensive process control and exception
remediation programs, manage data quality at
every step, and still be at risk of failing to prove
compliance. The following example illustrates
this point:
In December 2013, the Justice Department
and CFPB announced a $98 million settlement
with Ally Financial over charges the lender
discriminated against minorities by charging
them higher interest rates on auto loans (non-compliance
with the Equal Opportunities Act
of 2008).[6] As part of the settlement, Ally must
also improve its monitoring and compliance
systems. Ally didn’t admit wrongdoing, and
it argued: “…that a calculation of disparities
needs to compare similarly situated customers
and include relevant explanatory factors such
as creditworthiness, differences in essential
transactional details such as new/used vehicle
and the selling dealer…”[7]
The National Automobile Dealers Association
(NADA) said the CFPB still hasn’t explained how
discrimination is taking place: “The CFPB’s failure
to reveal its approach is particularly troubling
given the repeated and recent requests from
bipartisan members of both houses of Congress
for this essential information.”[8]
Compliance with internal policies and
procedures may have been insufficient to
address regulation, but the evidence in this
case was lacking. Is it possible that incomplete
data analysis and publication resulted in the
CFPB’s incorrect conclusions? And wouldn’t
it have been possible for Ally Financial to
counter the CFPB’s conclusions by providing
summarized data which demonstrated the
relevance of the credit underwriting factors?
Compliance audits are expected and can be
planned for in advance. This includes planning
for the access, format, design, content and
delivery of compliance data required to
publish and therefore prove compliance. The
advanced planning is also necessitated by the
CFPB changes regarding the timeliness of a
bank’s audit response. For example, the recent
amendment to Regulation X and Regulation Z,
effective January 10, 2014, requires mortgage
servicers to send the “servicing file” within five
calendar days of the request.[9]
Evidence of Compliance Solution Summary
Without a doubt, the regulatory environment will
continue to evolve. All lenders have instituted some
form of technological or organizational change
to keep pace and most are aware of the need to
continue to address the challenges of achieving
and maintaining a robust EoC program. Lenders’
needs to remain in front of potential compliance
issues vary according to their specific circumstances.
Classifying a lender’s EoC maturity level
requires an in-depth assessment of technology,
data structures, data quality programs, operational
processes and more (see Figure 6).
[Figure 6: Measuring EoC Maturity]
[Figure 7: Process-Specific Evidence of Compliance Maturity. The diagram compares low, moderate and high evidence of compliance for the compliance rule “DTI must not exceed 43%,” along an axis of compliance traceability from low to high. Linkages shown: from application income sources to specific borrower; from documents to application income sources; to exact source documents used; to exact data used from exact documents; to exact income calculation used from predefined formula library; and to liabilities data.]
Maturity assessments should cover all aspects of
EoC previously discussed in this paper, starting
from a global view down to the operational
processes within the lifecycle of a loan. Figure
7 offers an example of an EoC maturity level
assessment for a very specific process step within
the mortgage origination and loss mitigation
process: debt-to-income ratio calculation.
Moving Forward
Successful maturity assessments require
an unbiased view of existing processes and
technology, likely requiring an independent third
party with expertise in process and technology
optimization as well as mortgage banking
expertise. A comprehensive assessment will
identify any compliance gaps and risks, which
should then be analyzed to determine what,
if any, steps should be taken to address those
risks.
With an accurate assessment of EoC maturity, an
EoC implementation roadmap can be developed
to identify high-risk, low-implementation-cost
steps versus those requiring more detailed
planning and ROI analysis.
Implementing an EoC program can be challenging
and requires alignment among legal, operations,
IT and various other internal groups. Leadership
of all internal organizations must come to an
understanding of the interconnectivity between
business and technology solutions required to
implement comprehensive solutions.
Footnotes
[1] Consumer Financial Protection Bureau, “Consumer Financial Protection Bureau Strategic Plan FY 2013 - FY 2017,” April 2013. http://www.consumerfinance.gov/strategic-plan/
[2] Richard McGregor and Aaron Stanley, “Banks pay out $100bn in US fines,” March 25, 2014. http://www.ft.com/intl/cms/s/0/802ae15c-9b50-11e3-946b-00144feab7de.html#axzz3eZ9xsH45
[3] James Sterngold, “For Banks, 2014 Was a Year of Big Penalties,” December 30, 2014. http://www.wsj.com/articles/no-more-regulatory-nice-guy-for-banks-1419957394
[4] The Federal Reserve Board, “WHAT YOU NEED TO KNOW: Independent Foreclosure Review,” last update: March 9, 2015. http://www.federalreserve.gov/consumerinfo/independent-foreclosure-review.htm
[5] The Federal Reserve Board, Independent Foreclosure Review July 2014, July 2014. http://www.federalreserve.gov/publications/other-reports/files/independent-foreclosure-review-2014.pdf
[6] Consumer Financial Protection Bureau, “CFPB and DOJ Order Ally to Pay $80 Million to Consumers Harmed by Discriminatory Auto Loan Pricing,” December 20, 2013. http://www.consumerfinance.gov/newsroom/cfpb-and-doj-order-ally-to-pay-80-million-to-consumers-harmed-by-discriminatory-auto-loan-pricing/
[7] Department of Justice, “IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF MICHIGAN SOUTHERN DIVISION,” December 23, 2013. http://www.justice.gov/crt/about/hce/documents/allyco.pdf