As members of the financial industry prepare to meet the challenges associated with COVID-19, key government agencies have begun to offer guidance with respect to how their regulated financial institutions, including non-depositories, can meet their compliance obligations while balancing the realities of a pandemic event due to COVID-19. This blog summarizes the updates that we are aware of to date and will be updated as additional developments occur. While all these offerings may not be applicable to each financial institution or non-depository licensee, the best practices and guidance offered will help instruct your institution in moving forward, and Bradley is ready to assist with any questions you have.
FFIEC Interagency Statement on Pandemic Planning
Here are key takeaways from the FFIEC Statement and a more detailed summary follows.
Key Takeaways
- Leadership of a financial institution must either prepare or update existing business continuity plans to include all aspects of pandemic planning.
- Actions must be commensurate to the size and operations of the business.
- Financial institutions must cooperate with local governmental agencies and emergency organizations to determine how best to proceed during a pandemic. Constant monitoring of communications from those agencies is important.
- Employee and consumer safety are essential. Educating employees, including providing a thorough understanding of the pandemic planning efforts of the institution, should take place.
- Cross training of employees should take place in the event there are significant absences of employees.
- An evaluation of risk must take place, with a particular focus on company systems and dependency upon third parties. Financial institutions should be aware of the pandemic planning efforts of their critical third-party vendors and prepare back-up options in the event that a critical vendor may not adequately provide services.
- Evaluate internal systems with a focus on remote capabilities (e.g., capacity, bandwidth, and authentication mechanisms) to determine whether they can handle significant numbers of employees working from home.
Detailed Overview
Released by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the State Liaison Committee on March 6, 2020, the FFIEC Statement supplements certain previous guidance offered by certain of these agencies during March 2006.
The statement emphasizes that each institution’s business continuity plan (BCP) should “address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuation of critical operations, a testing program, and an overnight program to ensure the plan is reviewed and updated.” The BCP that each financial institution must have is essential and must describe how the institution will manage operations during the pandemic event.
The FFIEC Statement notes that pandemic planning presents unique challenges and is more difficult to determine because of the anticipated scale and duration resulting from a pandemic. The BCP of each institution must be tailored to reflect the institution’s size, complexity, and business activities. How the actual financial services offered by the financial institution will be impacted in a pandemic must be incorporated into the ongoing business impact analysis and risk assessment processes of the financial institution.
Each BCP must include:
- A preventative program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event. This should include monitoring of potential outbreaks, educating employees, and communicating and coordinating with critical service providers and suppliers, in addition to hygiene training and tools for employees;
- A documented strategy that ensures that the pandemic efforts of the institution are scaled consistent with the stage and severity of an outbreak. Such strategy should outline plans for how to recover from a pandemic wave and proper preparations for any subsequent waves;
- A comprehensive framework for facilities, systems, or procedures that provide the financial institution with the capability to continue its critical operations in the event large numbers of its employees are unavailable. Among others, this shall include telecommuting options, redirection of customers from branch to electronic banking services, and conducting business at alternative sites. Financial institutions should consider how customers may react to these efforts and how increased demands in other areas could impact the bank. Furthermore, financial institutions must consider guidance from public health officials and other governmental authorities in their decisions;
- A testing program to ensure the effectiveness of the financial institution’s pandemic practices in allowing critical operations to continue; and
- An oversight program to ensure ongoing review and updates to the BCP so that it is continually up to date.
The FFIEC Statement provides resources offered by the U.S. government and other industry publications that are beneficial in developing plans relating to pandemic events, including, for example, guidance from the Department of Health and Human Services Centers for Disease Control and Prevention and the Department of Homeland Security.
Each institution’s board of directors is responsible for overseeing the development of the pandemic plan. Senior management is responsible for developing the plan and operationalizing the plan into specific policies, processes, and procedures. The FFIEC Statement counsels the board and senior management to consider the pandemic as a significant risk to the entire business. Pandemic planning activities must involve senior business management from all functional business and product areas, including administrative, human resources, legal, IT support functions, and key product lines. Senior management also is responsible for communicating the plan throughout the organization and making sure that all employees understand their roles and responsibilities during any pandemic event.
Potential effects associated with a pandemic event should be a component of the financial institution’s business impact analysis (BIA). The BIA should:
- Assess and prioritize essential business functions and processes;
- Identify the potential impact on essential business functions and processes, as well as supporting resources;
- Identify the potential impact on customers, including those that could be most affected and those that could have the greatest impact on the (local) economy;
- Identify the legal and regulatory requirements for the institution’s business functions and processes;
- Estimate the maximum downtime associated with the institution’s business functions and processes that may occur during a pandemic;
- Assess cross training conducted for key business positions and processes; and
- Evaluate the plans of critical service providers for operating during a pandemic and monitor those companies during the pandemic to ensure that critical services are available. Back-up service providers may be needed in order to mitigate risk. The FFIEC Statement provides that “[s]pecial attention should be directed at the institution’s ability to access leased premises and whether sufficient internet access capacity is available if telecommuting is a key risk mitigation strategy.”
In any BIA, financial institutions should forecast employee absences and also consider family care issues that may impact business operations. In a severe pandemic, absences could rise to 40% during peak weeks of any outbreak, with lower rates during the weeks before and after the peak. Certain public health measures, such as closing schools or quarantining households or altering public transportation schedules, will likely increase the rate of absenteeism.
As any institution develops its BIA, one should consider external factors. Interdependencies among external services relied upon by financial institutions and any potential for associated disruptions should be incorporated into any BIA.
A financial institution’s risk assessment process is critical and will be critical as to whether the BCP efforts are successful. According to the FFIEC Statement, institutions should take the following steps in connection with pandemic planning:
- Prioritizing the severity of potential business disruptions resulting from a pandemic, based on the institution’s estimate of impact and probability of occurrence on operations;
- Performing a “gap analysis” that compares existing business processes and procedures with what is needed to mitigate the severity of potential business disruptions resulting from a pandemic;
- Developing a written pandemic plan to follow during a possible pandemic event;
- Reviewing and approving the pandemic plan by the board or a committee thereof and senior management at least annually; and
- Communicating and disseminating the plan and the current status of pandemic phases to employees.
While additional specific detail is included in the FFIEC Statement, the following risk management steps arising from a pandemic should be undertaken by any financial institution:
- Openly coordinate with outside groups, including critical service providers. Information should be shared, as appropriate, to develop coalitions to provide support and maintenance for vital services during a pandemic. Management should coordinate its efforts with local public health and emergency management teams and should be in a position to alert public authorities in the event of significant absenteeism caused by an outbreak.
- Communication with customers and the media is critical to ensure accurate information is available.
- Management should regularly monitor its service providers and identify potential weaknesses in the service and supply chains and develop potential alternatives for obtaining critical services and supplies.
- Management should be in a position to respond when triggering events are identified by various organizations, such as a governmental agency. For example, if a local emergency organization identifies a triggering event, management must deploy any response plans based upon the facts and circumstances. This presumably involves monitoring loan and national alerts and then being able to communicate updates to the financial institution’s employees and customers.
- Financial institutions must have employee protection strategies. Employee awareness should be heightened during any pandemic. The FFIEC Statement includes specific risk management strategies that should be considered, including, for example, publicizing the Centers for Disease Control and Prevention’s “Cover Your Cough” and “Clean Your Hands” programs.
- Financial institutions should ensure that employees are cross trained and succession plans have been developed.
- Because there may be a high reliance on employee telecommuting, there could be a strain on an institution’s remote capabilities (e.g., capacity, bandwidth, and authentication mechanisms). Institutions must understand their own infrastructure and needs and potentially make capacity upgrades if necessary.
The FFIEC Statement also provides for risk monitoring and testing suggestions so that institutions can be prepared for potential impacts associated with a pandemic.
Washington Department of Financial Institutions Issues Interim Regulatory Guidance on March 5, 2020
The Washington Department of Financial Institutions (DFI) issued its Interim Regulatory Guidance under the Consumer Loan and Mortgage Broker Practices Acts. Under its Interim Regulatory Guidance, licensed mortgage loan originators may work from their homes, even if the home is not a licensed branch location, if certain requirements are met.
To work from home without penalty, specific data security provisions must be met. Those data security provisions are:
- The Washington-licensed mortgage loan originator must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
- The Washington-licensed mortgage loan originator must not keep any physical business records of any kind at any location other than the licensed main office.
In addition, Washington-licensed mortgage loan originators are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
As originally issued, the Interim Regulatory Guidance is effective through June 5, 2020.
Connecticut Department of Banking Issues “No Action” Position on March 9, 2020
The Connecticut Department of Banking issued a “no action” position with respect to working from home. For all consumer credit licensees, employees will be permitted to work from home through April 30, 2020, so long as specific criteria are met. Those criteria include:
- The Connecticut licensable activity must be conducted from the home of an individual working on behalf of a Connecticut consumer credit licensee;
- The individual that is working from home is electing to do so because of a reason relating to the COVID-19 outbreak and has informed the consumer credit licensee (i.e., the employer) of the reason in written correspondence;
- The individual holds the required individual licenses to perform the activities that he or she will conduct from home. Those licenses could include, for example, a mortgage loan originator license or a loan processor or under license;
- The individual, when working from home, will not meet with any borrowers or potential borrowers at his or her residence; and
- The Connecticut consumer credit licensee (i.e., the employer) must, at all times, exercise reasonable supervision of the Connecticut licensable activity being performed at the home office and ensure that appropriate safeguards and controls are established relating to consumer information and data security.
New York Department of Financial Services Issues Statement on March 10, 2020
The New York Department of Financial Services (DFS) is requiring that each regulated institution provide a response to the DFS that describes how it plans to manage the risk of disruption to its services and operations. While plans are requested as soon as possible, they must be provided to the DFS no later than 30 days from the date of the notice (April 8, 2020). Responses must be provided to banking.covid19@dfs.ny.gov.
The plan requested by the DFS is largely consistent with the FFIEC Statement’s guidance regarding BCP discussed above. The DFS is requiring each institution’s plan to be flexible and address a range of possible effects from a potential pandemic associated with COVID-19. Plans must reflect the institution’s size, complexity, and activities. At a minimum, plans must address:
- Preventative measures, tailored to the institution’s specific operations, regarding how to mitigate the risk of operational disruption, including identifying the impact on customers and counterparties;
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be adjusted consistent with the effects of particular stages of the outbreak. The strategy should include assessments of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
- An assessment of all the institution’s facilities, including alternative and back-up sites, systems, policies and procedures necessary to continue critical operations, and services if members of the staff are unavailable for long periods or are working off-site. The plan should include an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. Such assessment should include existing information technology and systems to determine whether increased remote usage can be accommodated and handled with current resources;
- An assessment of potential increased cyberattacks and fraud;
- Employee protection strategies, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19;
- An assessment of the preparedness of critical third-party vendors;
- The development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
- Testing the plan to ensure its effectiveness; and
- Governance and oversight of the plan, including identifying the critical members of a response team. Oversight should include the ongoing review and updating of the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
Finally, the DFS tasks the boards of directors of regulated institutions with the responsibility of having plans in place and having appropriate resources available to implement the plans. Senior management must ensure that effective policies, processes and procedures are in place to execute the plan. Senior management also is responsible for communicating the plan throughout the institution to ensure consistency in approach and so that employees understand their roles and responsibilities.
Massachusetts Division of Banks Issues Statement on March 11, 2020
The Massachusetts Division of Banks issued a reminder to its licensees that they must have business continuity plans in place and that they must be prepared for a pandemic in order to minimize business disruption. Licensees should consider the following guidelines for their pandemic preparedness policy:
- Document your strategy for responding to a pandemic that is scaled to the stages of the outbreak;
- Ensure continuance of critical operations. Licensees should identify the systems and services that are needed to continue business remotely if necessary.
- Have adequate communications with staff, service providers, customers, and regulators, including proper education to staff about company policies;
- Educate employees on strategies to minimize the risk of spreading COVID-19;
- Test the company’s pandemic planning and capabilities; and
- Ensure sufficient flexibility in the plan to address a range of possible effects that could result from the pandemic.
The division also will allow a “common sense” approach to working from home for licensed mortgage loan originators. Mortgage loan originators must not advertise the home as an office and may not meet consumers at their home. However, mortgage loan originators are permitted to work from home if they meet these requirements. In addition, other licensees of the Division of Banks are permitted to work from home, so long as the arrangement is feasible based upon their business model and license type, the home is not advertised as a branch office, and the licensee does not allow for meeting consumers at the home.
Michigan Office of Insurance and Financial Services Encourages Review of Public Health-Related Guidance on March 12, 2020
Pursuant to the licensing requirements relating to Michigan mortgage lenders, brokers, and servicers, branch locations are not licensed. However, the Michigan Office of Insurance and Financial Services has made available a bulletin from the Michigan Department of Health and Human Services. That bulletin includes interim recommendations to mitigate the spread of COVID-19. While all the information in the release is important, certain key items relating to workplaces include:
- Encouraging sick employees to stay home and notify the employer of illness.
- Communicating and reinforcing common hygiene practices, such as washing hands and covering one’s mouth during coughs and sneezes.
- Regularly cleaning and disinfecting frequently touched surfaces, such as doorknobs, keyboards, cell phones, and light switches.
- Ensuring hand hygiene supplies are available and accessible.
- Allowing teleworking to take place when feasible, with a particular sensitivity to those who are at risk of severe illness.
- Implementing social distancing measures where feasible, including limiting meetings.
- Limiting large work-related gatherings.
- Limiting non-essential work travel.
Canceling or postponing large gatherings, conferences, and sporting events (i.e., those with 100 or more in a shared space).
- Discouraging employees from eating meals in large group settings.
- ring business continuity plans to meet the COVID-19 threat.
Alabama State Banking Department, Bureau of Loans Issues Statement on March 12, 2020
The Bureau of Loans of the Alabama State Banking Department is encouraging all licensees to remain updated about COVID-19 and asks that licensees review their business continuity plans. Licensees should update their business continuity planning at this time if their business continuity plan is not able to address the current situation involving COVID-19.
The department asks that licensees communicate and work closely with customers that could be impacted by circumstances relating to COVID-19, including the possibility of deferring fees or other charges.
Licensees are instructed to take precautions to avoid the risk of exposure to COVID-19, and this may include relocating office locations or having employees work from home (meaning these efforts are allowed). However, if a change of location or working from home will take place, licensees must otherwise continue to follow other laws and regulations – including data security requirements. If licensees cannot take steps to relocate locations or work from home, they should take steps to mitigate the impact on business and customers (including proper notification and communication to consumers).
Licensees must immediately notify the department if there are any circumstances that require the closure, relocation, or remote work program and any efforts that the licensee will undertake to work with consumers.
Idaho Department of Finance Provides Guidance for Various Licensees on March 12, 2020
The Idaho Department of Finance issued Temporary Regulatory Guidance, effective through June 30, 2020, for entities that hold the following licenses: Mortgage Broker/Lender, Mortgage Loan Originators, Regulated Lender, Title Lender, Payday Lender, and Collection Agency Licensees and Registrants. The department will allow licensees, registrants, and their employees to work from home even if the home is not licensed as a branch.
In order to be eligible to work from home, an individual and their residence must meet the following criteria:
- Data security must be in place so that the employee must access company data either from the use of a VPN or another system that requires passwords or identification authentication. The company is responsible for delivering any updates that are required to keep the data secure.
- Neither the employee nor the company may commit any act that would indicate that the employee is conducting business from an unlicensed location. Such acts include:
- Advertising in any form, including business cards or social media that would include the address, landline phone number, or facsimile number associated with an unlicensed residence;
- Meeting with consumers at the employee’s unlicensed residential location;
- Holding out the residence in any manner, directly or indirectly, that would suggest or convey to the consumer that the residence is a licensed location.
- The employee and the company must safeguard company and consumer data, including paper and electronic records. The employee must guard against unauthorized or accidental access, use, modification, duplication, destruction, or disclosure of consumer information.
Nebraska Updates Guidance Regarding COVID-19 on March 12, 2020
The Nebraska Department of Banking and Finance provided guidance on mortgage banker and mortgage loan originator temporary branch relocations. This guidance is effective through December 31, 2020, but is subject to change or withdrawal by the director. Under the guidance, mortgage loan originators (MLOs) may work from an unlicensed branch location, including a home office. The sponsoring company must provide notice of the temporary branch location, and the department must approve the notification. The department has created a form to provide the required information needed for the approval of these arrangements.
The new temporary branch location cannot store any physical business records. MLOs who work from home or an unlicensed location must be able to access their employer’s secure loan origination system through a virtual private network (VPN) that requires a password or other forms of authentication. Additionally, MLOs may not meet consumers in the unlicensed branch location.
Montana Department of Banking and Financial Institutions Issues Guidance Regarding Working from Home on March 12, 2020
The Montana Department of Banking and Financial Institutions will temporarily allow Montana-licensed mortgage loan originators to work from home, whether within Montana or outside the state, even in circumstances where the home is not a licensed branch location. All other aspects of Montana law must be met if an employee will work from a non-licensed residence. Mortgage loan originators working at non-licensed home locations may not meet with consumers at their home.
Oregon Division of Financial Regulation Issued Work from Home Guidance to Multiple License Types on March 12, 2020
The Oregon Division of Financial Regulation (DFR) has authorized Oregon-licensed mortgage loan originators to work from home when certain conditions are met. In addition, other employees of Oregon-licensed mortgage lenders, mortgage loan servicers, consumer finance companies, payday/title lenders, and manufactures structure dealers may work from home when certain conditions are met. Provided that the conditions are met, the DFR will not take action against any company or individual that works from home in order to prevent the spread of COVID-19.
In instances where an individual’s home is not a licensed location, an individual will be permitted to conduct business at home if a licensed company meets the following criteria:
- The company must provide prior notice to the DFR of the intent to permit employees to work from home to prevent the spread of COVID-19. Notice should be sent to Licensing@oregon.gov.
- The company must have appropriate policies and procedures in place to supervise the activities of loan originators and employees working from home, including data security measures to protect the personal information of consumers.
- No physical business records may be kept at the home of an employee. Such records must only be kept at a licensed location.
- Consumers may not visit the home of an employee working from home unless it is licensed.
- If the company implements temporary policies and procedures related to working at home in response to COVID-19, the company must provide copies to Licensing@oregon.gov.
The aforementioned position is effective until April 30, 2020.
Alaska Department of Commerce, Community and Economic Development Provides Guidance on Mortgage Loan Originators on March 13, 2020
The Alaska Department of Commerce, Community and Economic Development has confirmed that it will not consider an individual who works from home during a quarantine of 14-30 days to be conducting licensable activity. The regulatory agency reasons that under such circumstances, an individual would not be conducting business for the majority of their time from that location, which is a requirement of the definition of licensable activity. As a result, a branch registration would not be required. The Department of Commerce, Community and Economic Development cautions that employers must appropriately supervise the individuals and ensure compliance with the Gramm-Leach-Bliley Act.
Arkansas Securities Department Issues Interim Regulatory Guidance on March 13, 2020
The Arkansas Securities Department will allow licensed mortgage loan originators to conduct business in their homes for a temporary period of time, provided that applicable federal and Arkansas data security requirements are met. In addition, licensed mortgage loan originators must be able to access their employer’s secure mortgage origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan officer uses, using a virtual private network (VPN) or other similar system that requires passwords or other forms of authentication to access. All security updates, patches, or other alterations to any device that will be used to conduct business activity must be maintained. Finally, physical business records must be maintained at the books and records location that is on file with the Arkansas Securities Department.
This interim regulatory guidance is effective until June 1, 2020.
Maryland Office of the Commissioner of Financial Regulation Issues Bulletin on March 13, 2020
The Maryland Commissioner of Financial Regulation published a bulletin regarding Emergency and Disaster Preparation Information in light of the recent COVID-19 emergency. The bulletin indicates that all Maryland mortgage lender licensees should already have a disaster recovery plan in place that indicates how the company will respond to various disasters, including that of a widespread infection. The written plan should allow all employees to know their responsibilities in case of a disaster. However, with the new impact of the COVID-19 outbreak, the commissioner recommends that all licensees either draft a disaster plan if one is not in place or review their current plan if it does not cover a situation such as the health quarantines that are being put into place throughout the country.
In answering the question of whether a mortgage loan originator (MLO) can work from home during the COVID-19 emergency, the bulletin refers all licensees to COMAR 09.03.09.07. This regulation states that an MLO may take loan applications or negotiate the terms of a mortgage loan at an unlicensed location as long as it meets the following standards:
- Neither the company nor the MLO owns or leases the location for purposes of conducting mortgage lending business;
- The location does not contain signage indicating that the property is used for taking mortgage loan applications or negotiating terms of the mortgage loan;
- There are no advertisements indicating that the location is used for taking a mortgage loan application or negotiating the terms of the mortgage loan;
- The location does not maintain a work space, telephone service, or internet service in the name of the MLO for the purposes of conducting mortgage lending business;
- The location does not receive mail relating to the mortgage lending business; or
- The location does not store books or records relating to the mortgage lending business.
With regards to examinations scheduled during the time of the COVID-19 outbreak, the commissioner will be flexible with timelines involving exams or other licensing or supervisory activity. If a location is closed because of a quarantine during any part of the exam, it is the licensee’s responsibility to contact the regulator. The licensee should contact Christine Brooks, Director of Mortgage Supervision, at christine.brooks@maryland.gov. The following information must be included in the email:
- Location of office(s) affected by the quarantine order;
- Whether any branches will operate in the non-quarantined areas;
- Copy of local/state directive to close due to quarantine (links to prominent local news sources are acceptable);
- Copy of information/script that the licensee will be placing on its website to notify consumers of the office closures; and
- Direct contact information of at least two control people at the company.
New Hampshire Banking Department Issues Alert on March 13, 2020
In its alert, the Banking Commissioner of New Hampshire cautions all licensees to evaluate programs that those licensees could deploy to assist consumers during the period of disruption caused by the coronavirus. The alert encourages financial institutions to be proactive and ensure that open lines of communication are available for consumers.
The alert also notes that the department will mortgage loan originators to work from home. In order to do so, the employer licensee must ensure that protected, personal information accessed or obtained by the mortgage loan originator remains secure using customary protocol and best practices. In addition, company licensees must notify the department as soon as possible regarding business disruptions or other developments that have a significant impact on the company due to the effects of the pandemic, including any signs of erosion of consumer confidence.
North Dakota Department of Financial Institution Provides Guidance on March 5, 2020, Regarding Preparing for the Coronavirus
The Department of Financial Institutions recommends that financial institutions review their materials from the 2007 pandemic associated with avian flu and update their preparedness plans. The guidance suggests that financial institutions review the 2007 Interagency Pandemic Guidance as business continuity plans are updated.
When communicating with customers, the Department of Financial Institutions notes that institutions can focus on the fact that the financial sector was well prepared during the 2007 pandemic and that public and private sector exercises showed that while there would be a significant impact, the financial sector overall was able to continue to operate and cope with the impact.
Finally, the department asks that if a regulated institution changes its location or adjusts its hours due to an emergency or epidemic, it should notify the department to ensure open lines of communication and compliance with regulatory requirements.
Oklahoma Department of Consumer Credit Issues March 13, 2020, Alert on Licensing Requirements
Provided that specific data security provisions are met, the Oklahoma Department of Consumer Credit will not take action against companies or mortgage loan originators who work from home.
- The Oklahoma-licensed mortgage loan originator (or employees of other Oklahoma licensees) must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- The Oklahoma-licensed mortgage loan originator (or employees of other Oklahoma licensees) must not keep any physical business records of any kind at any location other than the licensed main office.
- Oklahoma-licensed mortgage loan originators (or employees of other Oklahoma licensees) are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
The Department of Consumer Credit also has committed to expediting address change requests due to compromised circumstances or in situations where a location is undergoing decontamination procedures. The department will consider waiving any fees associated with such address changes. To the extent a location will temporarily change its address, no operations can take place at the original address until the department is notified of the company’s intent to revert back to the original location. Requests for expedited address changes should be sent to covid19questions@okdocc.ok.gov, and brief explanations should be provided with such requests. If your company will operate from a temporary location, the original location must have a notice posted on the door at all times with the temporary location address, contact information for the licensee, as well as the phone number for the Oklahoma Department of Consumer Credit, (405) 521-3653, (800) 448-4904 (toll free).
The department encourages licensees to understand that consumers may experience challenges during this time, and licensees should work with those consumers where possible. Along those lines, the department is willing to have some flexibility with respect to examinations when licensees are disrupted by the coronavirus.
This interim regulatory guidance is effective until April 30, 2020.
South Dakota Division of Banking Issues Interim Regulatory Guidance on March 12, 2020
Provided that specific data security provisions are met under federal and state law, the South Dakota Division of Banking will not take action against companies or mortgage loan originators who work from home.
- The South Dakota-licensed mortgage loan originator (or employees of other South Dakota licensees) must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- The South Dakota-licensed mortgage loan originator (or employees of other South Dakota licensees) must not keep any physical business records of any kind at any location other than the licensed main office.
- South Dakota-licensed mortgage loan originators (or employees of other South Dakota licensees) are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
The interim guidance is effective through June 5, 2020.
Vermont Department of Financial Regulation Issues Alert to Licensed Lenders, Mortgage Brokers, and Mortgage Loan Originators on March 13, 2020
The Vermont Department of Financial Regulation’s Memorandum for company licensees and mortgage loan originators indicates that it will not take action against mortgage loan originator licensees or their employers who sponsor such individuals when those individuals work from home so long as specific criteria are met. Such criteria includes:
(1) The Vermont activity being conducted at home is required by the sponsoring entity;
(2) The mortgage loan originator is working from home due to the COVID-19 pandemic;
(3) The mortgage loan originator holds all necessary licenses to conduct Vermont activity;
(4) No Vermont licensable activity is conducted in person with members of the public at the individual’s home;
(5) The mortgage loan originator must be able to access their employer’s mortgage loan origination system directly from home or the company location using a virtual private network (VPN) or similar system that requires passwords or other authentication forms;
(6) All security patches, updates, or other security alterations to the computer (or other device used to access the company’s system) must be up to date; and
(7) The licensed sponsoring company must have temporary policies, procedures, and a plan for supervision in place while under the state of emergency.
Nevada Department of Business and Industry, Division of Mortgage Licensing Issues Guidance on March 13, 2020
The Division of Mortgage Lending provided guidance to assist licensed mortgage companies and their sponsored mortgage loan originators in response to the COVID-19 outbreak. The division is temporarily allowing licensed mortgage loan originators to work from home, which includes persons that are associated with and working in Nevada’s principal office locations, branch office locations, or in office locations that are located in other states but licensed with the division to conduct business in the state of Nevada.
Mortgage companies are reminded to continue to comply with the applicable supervision provisions set forth in NRS 645B.460 and 645B.310, and other applicable state and federal laws and regulations, which includes establishing and maintaining proper security protocols to ensure maximum data, records, and transaction security.
The division’s guidance remains effective through May 31, 2020.
Rhode Island Department of Business Regulation, Banking Division Issues Regulatory Guidance on March 13, 2020
The Rhode Island Department of Business Regulation is temporarily allowing licensed mortgage loan originators to work from home, whether located in Rhode Island or another state, even if the home is not a licensed branch.
So long as certain provisions are met, the department will not take administrative or other punitive action against a licensed mortgage loan originator or the sponsoring licensed company if the mortgage loan originator conducts activities requiring licensure from home. Those provisions include:
- The licensed mortgage loan originator must be able to access the company’s secure origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan originator uses (laptop, phone, desktop computer, tablet, etc.) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the device’s security must be maintained.
- The licensed mortgage loan originator must not keep any physical business records at any location other than the licensed main office.
- Mortgage loan originators working from an unlicensed branch home may not have consumers come to that home.
Mississippi Department of Banking and Consumer Finance Issues March 14, 2020, Memorandum Relating to Industry Pandemic Preparedness and March 16, 2020, Notice on Mortgage Loan Originators
The Mississippi Department of Banking and Consumer Finance (DBCF) issued a memorandum on March 14, 2020, to Mississippi mortgage licensees regarding industry pandemic preparedness and DBCF response. In that memo, DBCF urged licensees to review their risk management plans, specifically continuity and pandemic plans, to ensure continuity of products and services. Additionally, DBCF urged licensees to communicate and work closely with consumers impacted by COVID-19, including considering the deferral of fees and other charges.
DBCF noted that licensees should be prepared for disruptions to key personnel availability. Additionally, DBCF suggested that if necessary and appropriate, licensees may want to relocate office or have employees work from home. However, the memo cautions that compliance with all applicable laws and regulations, including security requirements, must be maintained.
Additionally, DBCF requests that licensees notify DBCF of any adverse circumstances caused by the pandemic, including staffing issues, closure, relocation or remote work programs and any efforts being undertaken to work with customers.
The memo also notes that DBCF employees will be conducting examinations offsite.
In a memorandum to licensed loan originators and the companies that sponsor them, issued on March 16, 2020, DBCF provided guidance regarding temporarily working from home. DBCF’s memo indicates that it will temporarily allow licensed mortgage loan originators to work from home, whether located in Mississippi or another state, even if the home is not a licensed branch location. However, the memorandum does not amend or waive state or federal data security requirements.
If the following data security provisions are met, DBCF will not take administrative or other punitive action against a licensed MLO or the sponsoring company if the MLO conducts licensed activities at home:
- The licensed mortgage loan originator must be able to access the company’s secure origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan originator uses (laptop, phone, desktop computer, tablet, etc.) using a virtual private network (VPN) or similar system that requires passwords or a multi-authentication process.
- All security updates, patches, or other alterations to the devices must be maintained.
- The licensed mortgage loan originator must not keep any physical business records at any location other than the secure file location listed in NMLS.
If an MLO chooses to work from an unlicensed branch home, they may not meet with consumers at the home.
The guidance is subject to change and is in effect until further notice.
Kansas Office of the State Bank Commissioner Provides March 16, 2020, Update on COVID-19 Measures
The Kansas Office of the State Bank Commissioner (OSBC) provided guidance for licensees, registrants, and their employees regarding the possibility of working from unlicensed home locations during the COVID-19 pandemic. During the pandemic, the OSBC will allow licensed companies to have their Kansas MLOs work remotely from home to prevent the further spread of the virus. However, prospective or existing borrowers should not travel to the MLOs residence to conduct business. Additionally, the licensees are responsible for the supervision of the MLOs and must have temporary policies and procedures in place to ensure appropriate supervision.
The OSBC has provided the following set of best practices for remote workers to ensure the security of information:
- Computers and other devices that leave the office should be “at-rest encryption;”
- Hard copy information should not be taken offsite if it contains confidential information;
- To connect to the main office or sensitive systems, the systems should be encrypted in transit by use of a VPN or similar technology;
- Mortgage activity should be conducted in a private home environment, avoiding public areas such as coffee shops or libraries.
Wisconsin Department of Financial Institutions Allows Working from Home If Licensees Meet Certain Provisions
Due to the outbreak of COVID-19, the Wisconsin Department of Financial Institutions, Division of Banking (DFI) issued a directive stating that it will take a “no-action position” regarding licensed mortgage loan originators working from an unlicensed home, whether located in the State of Wisconsin or another state.
DFI’s no-action position is contingent on compliance with the following criteria:
- The mortgage banker, broker or registered entity sponsoring the MLO must notify DFI by sending an email to DFIMortgageBanking@wi.gov. Note that no response will be issued to the email submission due to the no-action position.
- The licensed mortgage banker, broker or registered entity sponsoring the MLO must maintain a list of MLOs who elect to work from an unlicensed home. The list should include the name of the licensed individual, address where the individual is working, and the dates during which the individual worked at that address. The list must be submitted to DFI upon request.
- The mortgage banker, broker or registered entity shall enact appropriate data security measures and reasonable supervision of the acts of the MLO.
- Physical business records are not maintained at the unlicensed location.
- Consumer may not be present at the unlicensed location.
This directive remains in place until changed or withdrawn by DFI.