As members of the financial industry prepare to meet the challenges associated with COVID-19, key government agencies have begun to offer guidance with respect to how their regulated financial institutions, including non-depositories, can meet their compliance obligations while balancing the realities of a potential pandemic event due to COVID-19. This blog summarizes the updates that we are aware of to date and will be updated as additional developments occur. While all of these offerings may not be applicable to each financial institution or non-depository licensee, the best practices and guidance offered will help instruct your institution in moving forward, and Bradley is ready to assist with any questions you have.
FFIEC Interagency Statement on Pandemic Planning
Here are key takeaways from the FFIEC Statement and a more detailed summary follows.
Key Takeaways
- Leadership of a financial institution must either prepare or update existing business continuity plans to include all aspects of pandemic planning.
- Actions must be commensurate to the size and operations of the business.
- Financial institutions must cooperate with local governmental agencies and emergency organizations to determine how best to proceed during a pandemic. Constant monitoring of communications from those agencies is important.
- Employee and consumer safety are essential. Educating employees, including providing a thorough understanding of the pandemic planning efforts of the institution, should take place.
- Cross training of employees should take place in the event there are significant absences of employees.
- An evaluation of risk must take place, with a particular focus on company systems and dependency upon third parties. Financial institutions should be aware of the pandemic planning efforts of their critical third-party vendors and prepare back-up options in the event that a critical vendor may not adequately provide services.
- Evaluate internal systems with a focus on remote capabilities (e.g., capacity, bandwidth, and authentication mechanisms) to determine whether they can handle significant numbers of employees working from home.
Detailed Overview
Released by the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision and the State Liaison Committee on March 6, 2020, the FFIEC Statement supplements certain previous guidance offered by certain of these agencies during March 2006.
The statement emphasizes that each institution’s business continuity plan (BCP) should “address pandemics and provide for a preventive program, a documented strategy scaled to the stages of a pandemic outbreak, a comprehensive framework to ensure the continuation of critical operations, a testing program, and an overnight program to ensure the plan is reviewed and updated.” The BCP that each financial institution must have is essential and must describe how the institution will manage operations during the pandemic event.
The FFIEC Statement notes that pandemic planning presents unique challenges and is more difficult to determine because of the anticipated scale and duration resulting from a pandemic. The BCP of each institution must be tailored to reflect the institution’s size, complexity, and business activities. How the actual financial services offered by the financial institution will be impacted in a pandemic must be incorporated into the ongoing business impact analysis and risk assessment processes of the financial institution.
Each BCP must include:
- A preventative program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event. This should include monitoring of potential outbreaks, educating employees, and communicating and coordinating with critical service providers and suppliers, in addition to hygiene training and tools for employees;
- A documented strategy that ensures that the pandemic efforts of the institution are scaled consistent with the stage and severity of an outbreak. Such strategy should outline plans for how to recover from a pandemic wave and proper preparations for any subsequent waves;
- A comprehensive framework for facilities, systems, or procedures that provide the financial institution with the capability to continue its critical operations in the event large numbers of its employees are unavailable. Among others, this shall include telecommuting options, redirection of customers from branch to electronic banking services, and conducting business at alternative sites. Financial institutions should consider how customers may react to these efforts and how increased demands in other areas could impact the bank. Furthermore, financial institutions must consider guidance from public health officials and other governmental authorities in their decisions;
- A testing program to ensure the effectiveness of the financial institution’s pandemic practices in allowing critical operations to continue; and
- An oversight program to ensure ongoing review and updates to the BCP so that it is continually up to date.
The FFIEC Statement provides resources offered by the U.S. government and other industry publications that are beneficial in developing plans relating to pandemic events, including, for example, guidance from the Department of Health and Human Services Centers for Disease Control and Prevention and the Department of Homeland Security.
Each institution’s board of directors is responsible for overseeing the development of the pandemic plan. Senior management is responsible for developing the plan and operationalizing the plan into specific policies, processes, and procedures. The FFIEC Statement counsels the board and senior management to consider the pandemic as a significant risk to the entire business. Pandemic planning activities must involve senior business management from all functional business and product areas, including administrative, human resources, legal, IT support functions, and key product lines. Senior management also is responsible for communicating the plan throughout the organization and making sure that all employees understand their roles and responsibilities during any pandemic event.
Potential effects associated with a pandemic event should be a component of the financial institution’s business impact analysis (BIA). The BIA should:
- Assess and prioritize essential business functions and processes;
- Identify the potential impact on essential business functions and processes, as well as supporting resources;
- Identify the potential impact on customers, including those that could be most affected and those that could have the greatest impact on the (local) economy;
- Identify the legal and regulatory requirements for the institution’s business functions and processes;
- Estimate the maximum downtime associated with the institution’s business functions and processes that may occur during a pandemic;
- Assess cross training conducted for key business positions and processes; and
- Evaluate the plans of critical service providers for operating during a pandemic and monitor those companies during the pandemic to ensure that critical services are available. Back-up service providers may be needed in order to mitigate risk. The FFIEC Statement provides that “[s]pecial attention should be directed at the institution’s ability to access leased premises and whether sufficient internet access capacity is available if telecommuting is a key risk mitigation strategy.”
In any BIA, financial institutions should forecast employee absences and also consider family care issues that may impact business operations. In a severe pandemic, absences could rise to 40% during peak weeks of any outbreak, with lower rates during the weeks before and after the peak. Certain public health measures, such as closing schools or quarantining households or altering public transportation schedules, will likely increase the rate of absenteeism.
As any institution develops its BIA, one should consider external factors. Interdependencies among external services relied upon by financial institutions and any potential for associated disruptions should be incorporated into any BIA.
A financial institution’s risk assessment process is critical and will be critical as to whether the BCP efforts are successful. According to the FFIEC Statement, institutions should take the following steps in connection with pandemic planning:
- Prioritizing the severity of potential business disruptions resulting from a pandemic, based on the institution’s estimate of impact and probability of occurrence on operations;
- Performing a “gap analysis” that compares existing business processes and procedures with what is needed to mitigate the severity of potential business disruptions resulting from a pandemic;
- Developing a written pandemic plan to follow during a possible pandemic event;
- Reviewing and approving the pandemic plan by the board or a committee thereof and senior management at least annually; and
- Communicating and disseminating the plan and the current status of pandemic phases to employees.
While additional specific detail is included in the FFIEC Statement, the following risk management steps arising from a pandemic should be undertaken by any financial institution:
- Openly coordinate with outside groups, including critical service providers. Information should be shared, as appropriate, to develop coalitions to provide support and maintenance for vital services during a pandemic. Management should coordinate its efforts with local public health and emergency management teams and should be in a position to alert public authorities in the event of significant absenteeism caused by an outbreak.
- Communication with customers and the media is critical to ensure accurate information is available.
- Management should regularly monitor its service providers and identify potential weaknesses in the service and supply chains and develop potential alternatives for obtaining critical services and supplies.
- Management should be in a position to respond when triggering events are identified by various organizations, such as a governmental agency. For example, if a local emergency organization identifies a triggering event, management must deploy any response plans based upon the facts and circumstances. This presumably involves monitoring loan and national alerts and then being able to communicate updates to the financial institution’s employees and customers.
- Financial institutions must have employee protection strategies. Employee awareness should be heightened during any pandemic. The FFIEC Statement includes specific risk management strategies that should be considered, including, for example, publicizing the Centers for Disease Control and Prevention’s “Cover Your Cough” and “Clean Your Hands” programs.
- Financial institutions should ensure that employees are cross-trained and succession plans have been developed.
- Because there may be a high reliance on employee telecommuting, there could be a strain on an institution’s remote capabilities (e.g., capacity, bandwidth, and authentication mechanisms). Institutions must understand their own infrastructure and needs and potentially make capacity upgrades if necessary.
The FFIEC Statement also provides for risk monitoring and testing suggestions so that institutions can be prepared for potential impacts associated with a pandemic.
Washington Department of Financial Institutions Interim Regulatory Guidance Issued on March 5, 2020
The Washington Department of Financial Institutions (DFI) issued its Interim Regulatory Guidance under the Consumer Loan and Mortgage Broker Practices Acts. Under its Interim Regulatory Guidance, licensed mortgage loan originators may work from their homes, even if the home is not a licensed branch location, if certain requirements are met.
To work from home without penalty, specific data security provisions must be met. Those data security provisions are:
- The Washington-licensed mortgage loan originator must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
- The Washington-licensed mortgage loan originator must not keep any physical business records of any kind at any location other than the licensed main office.
In addition, Washington-licensed mortgage loan originators are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
As originally issued, the Interim Regulatory Guidance is effective through June 5, 2020.
Connecticut Department of Banking Issued “No Action” Position on March 9, 2020
The Connecticut Department of Banking issued a “no action” position with respect to working from home. For all consumer credit licensees, employees will be permitted to work from home through April 30, 2020, so long as specific criteria are met. Those criteria include:
- The Connecticut licensable activity must be conducted from the home of an individual working on behalf of a Connecticut consumer credit licensee;
- The individual that is working from home is electing to do so because of a reason relating to the COVID-19 outbreak and has informed the consumer credit licensee (i.e., the employer) of the reason in written correspondence;
- The individual holds the required individual licenses to perform the activities that he or she will conduct from home. Those licenses could include, for example, a mortgage loan originator license or a loan processor or under license;
- The individual, when working from home, will not meet with any borrowers or potential borrowers at his or her residence; and
- The Connecticut consumer credit licensee (i.e., the employer) must, at all times, exercise reasonable supervision of the Connecticut licensable activity being performed at the home office and ensure that appropriate safeguards and controls are established relating to consumer information and data security.
New York Department of Financial Services Issued Statement on March 10, 2020
The New York Department of Financial Services (DFS) is requiring that each regulated institution provide a response to the DFS that describes how it plans to manage the risk of disruption to its services and operations. While plans are requested as soon as possible, they must be provided to the DFS no later than 30 days from the date of the notice (April 8, 2020). Responses must be provided to banking.covid19@dfs.ny.gov.
The plan requested by the DFS is largely consistent with the FFIEC Statement’s guidance regarding BCP discussed above. The DFS is requiring each institution’s plan to be flexible and address a range of possible effects from a potential pandemic associated with COVID-19. Plans must reflect the institution’s size, complexity, and activities. At a minimum, plans must address:
- Preventative measures, tailored to the institution’s specific operations, regarding how to mitigate the risk of operational disruption, including identifying the impact on customers and counterparties;
- A documented strategy addressing the impact of the outbreak in stages, so that the institution’s efforts can be adjusted consistent with the effects of particular stages of the outbreak. The strategy should include assessments of how quickly measures could be adopted and how long operations could be sustained under different stages of the outbreak;
- An assessment of all the institution’s facilities, including alternative and back-up sites, systems, policies and procedures necessary to continue critical operations, and services if members of the staff are unavailable for long periods or are working off-site. The plan should include an assessment and testing as to whether large scale off-site working arrangements can be activated and maintained to ensure operational continuity. Such assessment should include existing information technology and systems to determine whether increased remote usage can be accommodated and handled with current resources;
- An assessment of potential increased cyberattacks and fraud;
- Employee protection strategies, including employee awareness and steps employees can take to reduce the likelihood of contracting COVID-19;
- An assessment of the preparedness of critical third-party vendors;
- The development of a communication plan to effectively communicate with customers, counterparties and the public and to deliver important news and instructions to employees, along with establishing forums for questions to be asked and addressed;
- Testing the plan to ensure its effectiveness; and
- Governance and oversight of the plan, including identifying the critical members of a response team. Oversight should include the ongoing review and updating of the plan, including the tracking of relevant information from government sources and the institution’s own monitoring program.
Finally, the DFS tasks the boards of directors of regulated institutions with the responsibility of having plans in place and having appropriate resources available to implement the plans. Senior management must ensure that effective policies, processes and procedures are in place to execute the plan. Senior management also is responsible for communicating the plan throughout the institution to ensure consistency in approach and so that employees understand their roles and responsibilities.
Massachusetts Division of Banks Issued Statement on March 11, 2020
The Massachusetts Division of Banks issued a reminder to its licensees that they must have business continuity plans in place and that they must be prepared for a pandemic in order to minimize business disruption. Licensees should consider the following guidelines for their pandemic preparedness policy:
- Document your strategy for responding to a pandemic that is scaled to the stages of the outbreak;
- Ensure continuance of critical operations. Licensees should identify the systems and services that are needed to continue business remotely if necessary.
- Have adequate communications with staff, service providers, customers, and regulators, including proper education to staff about company policies;
- Educate employees on strategies to minimize the risk of spreading COVID-19;
- Test the company’s pandemic planning and capabilities; and
- Ensure sufficient flexibility in the plan to address a range of possible effects that could result from the pandemic.
The Division also will allow a “common sense” approach to working from home for licensed mortgage loan originators. Mortgage loan originators must not advertise the home as an office and may not meet consumers at their home. However, mortgage loan originators are permitted to work from home if they meet these requirements. In addition, other licensees of the Division of Banks are permitted to work from home, so long as the arrangement is feasible based upon their business model and license type, that the home is not advertised as a branch office, and that the licensee does not allow for meeting consumers at the home.
Michigan Office of Insurance and Financial Services Encourages Review of Public Health-related Guidance on March 12, 2020
Pursuant to the licensing requirements relating to Michigan mortgage lenders, brokers, and servicers, branch locations are not licensed. However, the Michigan Office of Insurance and Financial Services has made available a bulletin from the Michigan Department of Health and Human Services. That bulletin includes interim recommendations to mitigate the spread of COVID-19. While all information in the release are important, certain key items relating to workplaces include:
- Encouraging sick employees to stay home and notify the employer of illness;
- Communicating and reinforcing common hygiene practices, such as washing hands and covering one’s mouth during coughs and sneezes.
- Regularly cleaning and disinfecting frequently touched surfaces, such as doorknobs, keyboards, cell phones, and light switches.
- Ensuring hand hygiene supplies are available and accessible.
- Allowing teleworking to take place when feasible, with a particular sensitivity to those who are at risk of severe illness.
- Implementing social distancing measures where feasible including limiting meetings.
- Limiting large work-related gatherings.
- Limiting non-essential work travel.
- Canceling or postponing large gatherings, conferences, and sporting events (i.e., those with 100 or more in a shared space).
- Discouraging employees from eating meals in large group settings.
- Tailoring business continuity plans to meet the COVID-19 threat.
Alabama State Banking Department, Bureau of Loans Issued Statement on March 12, 2020
The Bureau of Loans of the Alabama State Banking Department is encouraging all licensees to remain updated about COVID-19 and asks that licensees review their business continuity plans. Licensees should update their business continuity planning at this time if their business continuity plan is not able to address the current situation involving COVID-19.
The department asks that licensees communicate and work closely with customers that could be impacted by circumstances relating to COVID-19, including the possibility of deferring fees or other charges.
Licensees are instructed to take precautions to avoid the risk of exposure to COVID-19, and this may include relocating office locations or having employees work from home (meaning these efforts are allowed). However, if a change of location or working from home will take place, licensees must otherwise continue to follow other laws and regulations – including data security requirements. If licensees cannot take steps to relocate locations or work from home, they should take steps to mitigate the impact on business and customers (including proper notification and communication to consumers).
Licensees must immediately notify the department if there are any circumstances that require the closure, relocation, or remote work program and any efforts that the licensee will undertake to work with consumers.
Idaho Department of Finance Provides Guidance for Various Licensees on March 12, 2020
The Idaho Department of Finance issued Temporary Regulatory Guidance, effective through June 30, 2020, for entities that hold the following licenses: mortgage broker/lender, mortgage loan originators, regulated lender, title lender, payday lender, and collection agency licensees and registrants. The department will allow licensees, registrants, and their employees to work from home even if the home is not licensed as a branch.
In order to be eligible to work from home, an individual and their residence must meet the following criteria:
- Data security must be in place, so that the employee must access company data either from the use of a VPN or another system that requires passwords or identification authentication. The company is responsible for delivering any updates that are required to keep the data secure.
- Neither the employee nor the company may commit any act that would indicate that the employee is conducting business from an unlicensed location. Such acts include:
- Advertising in any form, including business cards or social media that would include the address, landline phone number, or facsimile number associated with an unlicensed residence;
- Meeting with consumers at the employees’ unlicensed residential location;
- Holding out the residence in any manner, directly or indirectly, that would suggest or convey to the consumer that the residence is a licensed location.
- Employees and companies must safeguard company and consumer data, including paper and electronic records. Employees must guard against unauthorized or accidental access, use, modification, duplication, destruction, or disclosure of consumer information.
Nebraska Updates Guidance Regarding COVID-19 on March 12, 2020
The Nebraska Department of Banking and Finance provided guidance on mortgage banker and mortgage loan originator temporary branch relocations. This guidance is effective through December 31, 2020 but is subject to change or withdrawal by the director. Under the guidance, mortgage loan originators (MLOs) may work from an unlicensed branch location, including a home office. The sponsoring company must provide notice of the temporary branch location and the department must approve the notification. The department has created a form to provide the required information needed for the approval of these arrangement.
The new temporary branch location cannot store any physical business records. MLOs who work from home or an unlicensed location must be able to access their employer’s secure loan origination system through a VPN that requires a password or other forms of authentication. Additionally, MLOs may not meet consumers in the unlicensed branch location.
Montana Department of Banking and Financial Institutions Issues Guidance Regarding Working from Home on March 12, 2020
The Montana Department of Banking and Financial Institutions will temporarily allow Montana-licensed mortgage loan originators to work from home, whether within Montana or outside the state, even in circumstances where the home is not a licensed branch location. All other aspects of Montana law must be met if an employee will work from a non-licensed residence. Mortgage loan originators working at non-licensed home locations may not meet with consumers at their home.
Oregon Division of Financial Regulation Issued Work From Home Guidance to Multiple License Types on March 12, 2020
The Oregon Division of Financial Regulation (DFR) has authorized Oregon-licensed mortgage loan originators to work from home when certain conditions are met. In addition, other employees of Oregon-licensed mortgage lenders, mortgage loan servicers, consumer finance companies, payday/title lenders, and manufactures structure dealers may work from home when certain conditions are met. Provided that the conditions are met, the DFR will not take action against any company or individual that works from home in order to prevent the spread of COVID-19.
In instances where an individual’s home is not a licensed location, an individual will be permitted to conduct business at home if a licensed company meets the following criteria:
- The company must provide prior notice to the DFR of the intent to permit employees to work from home to prevent the spread of COVID-19. Notice should be sent to Licensing@oregon.gov.
- The company must have appropriate policies and procedures in place to supervise the activities of loan originators and employees working from home, including data security measures to protect the personal information of consumers.
- No physical business records may be kept at the home of an employee. Such records only must be kept at a licensed location.
- Consumers may not visit the home of an employee working from home unless it is licensed.
- If the company implements temporary policies and procedures related to working at home in response to COVID-19, the company must provide copies to Licensing@oregon.gov.
The aforementioned position is effective until April 30, 2020.
Alaska Department of Commerce, Community and Economic Development Provides Guidance on Mortgage Loan Originators on March 13, 2020
The Alaska Department of Commerce, Community and Economic Development has confirmed that it will not consider an individual who works from home during a quarantine of 14-30 days to be conducting licensable activity. The regulatory agency reasons that under such circumstances, an individual would not be conducting business for the majority of their time from that location, which is a requirement of the definition of licensable activity. As a result, a branch registration would not be required. The Department of Commerce, Community and Economic Development cautions that employers must appropriately supervise the individuals and ensure compliance with the Gramm-Leach-Bliley Act.
Arkansas Securities Department Issues Interim Regulatory Guidance on March 13, 2020
The Arkansas Securities Department will allow licensed mortgage loan originators to conduct business in their homes for a temporary period of time, provided that applicable federal and Arkansas data security requirements are met. In addition, licensed mortgage loan originators must be able to access their employer’s secure mortgage origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan officer uses, using a virtual private network (VPN) or other similar system that requires passwords or other forms of authentication to access. All security updates, patches, or other alterations to any device that will be used to conduct business activity must be maintained. Finally, physical business records must be maintained at the books and records location that is on file with the Arkansas Securities Department.
This interim regulatory guidance is effective until June 1, 2020.
Maryland Office of the Commissioner of Financial Regulation Issues Bulletin on March 13, 2020
The Maryland Commissioner of Financial Regulation published a bulletin regarding Emergency and Disaster Preparation Information in light of the recent COVID-19 emergency. The bulletin indicates that all Maryland mortgage lender licensees should already have a disaster recovery plan in place that indicates how the company will respond to various disasters, including that of a widespread infection. The written plan should allow all employees to know their responsibilities in case of a disaster. However, with the new impact of the COVID-19 outbreak, the commissioner recommends that all licensees either draft a disaster plan if one is not in place or review their current plan if it does not cover a situation such as the health quarantines that are being put into place throughout the country.
In answering the question of whether a mortgage loan originator (MLO) can work from home during the COVID-19 emergency, the bulletin refers all licensees to COMAR 09.03.09.07. This regulation states that an MLO may take loan applications or negotiate the terms of a mortgage loan at an unlicensed location as long as it meets the following standards:
- Neither the company nor the MLO owns or leases the location for purposes of conducting mortgage lending business;
- The location does not contain signage indicating that the property is used for taking mortgage loan applications or negotiating terms of the mortgage loan;
- There are no advertisements indicating that the location is used for taking a mortgage loan application or negotiating the terms of the mortgage loan;
- The location does not maintain a work space, telephone service, or internet service in the name of the MLO for the purposes of conducting mortgage lending business;
- The location does not receive mail relating to the mortgage lending business; or
- The location does not store books or records relating to the mortgage lending business.
With regards to examinations scheduled during the time of the COVID-19 outbreak, the commissioner will be flexible with timelines involving exams or other licensing or supervisory activity. If a location is closed because of a quarantine during any part of the exam, it is the licensee’s responsibility to contact the regulator. The licensee should contact Christine Brooks, Director of Mortgage Supervision, at christine.brooks@maryland.gov. The following information must be included in the email:
- Location of office(s) affected by the quarantine order;
- Whether any branches will operate in the non-quarantined areas;
- Copy of local/state directive to close due to quarantine (links to prominent local news sources are acceptable);
- Copy of information/script that the licensee will be placing on its website to notify consumers of the office closures; and
- Direct contact information of at least two control people at the company.
New Hampshire Banking Department Issues Alert on March 13, 2020
In its alert, the Banking Commissioner of New Hampshire cautions all licensees to evaluate programs that those licensees could deploy to assist consumers during the period of disruption caused by the coronavirus. The alert encourages financial institutions to be proactive and ensure that open lines of communication are available for consumers.
The alert also notes that the department will mortgage loan originators to work from home. In order to do so, the employer licensee must ensure that protected, personal information accessed or obtained by the mortgage loan originator remains secure using customary protocol and best practices. In addition, company licensees must notify the department as soon as possible regarding business disruptions or other developments that have a significant impact on the company due to the effects of the pandemic, including any signs of erosion of consumer confidence.
North Dakota Department of Financial Institution Provides Guidance on March 5, 2020, Regarding Preparing for the Coronavirus
The Department of Financial Institutions recommends that financial institutions review their materials from the 2007 pandemic associated with avian flu and update their preparedness plans. The guidance suggests that financial institutions review the 2007 Interagency Pandemic Guidance as business continuity plans are updated.
When communicating with customers, the Department of Financial Institutions notes that institutions can focus on the fact that the financial sector was well prepared during the 2007 pandemic and that public and private sector exercises showed that while there would be a significant impact, the financial sector overall was able to continue to operate and cope with the impact.
Finally, the department asks that if a regulated institution changes its location or adjusts its hours due to an emergency or epidemic, it should notify the department to ensure open lines of communication and compliance with regulatory requirements.
Oklahoma Department of Consumer Credit Issues March 13, 2020, Alert on Licensing Requirements
Provided that specific data security provisions are met, the Oklahoma Department of Consumer Credit will not take action against companies or mortgage loan originators who work from home.
- The Oklahoma-licensed mortgage loan originator (or employees of other Oklahoma licensees) must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- The Oklahoma-licensed mortgage loan originator (or employees of other Oklahoma licensees) must not keep any physical business records of any kind at any location other than the licensed main office.
- Oklahoma-licensed mortgage loan originators (or employees of other Oklahoma licensees) are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
The Department of Consumer Credit also has committed to expediting address change requests due to compromised circumstances or in situations where a location is undergoing decontamination procedures. The department will consider waiving any fees associated with such address changes. To the extent a location will temporarily change its address, no operations can take place at the original address until the department is notified of the company’s intent to revert back to the original location. Requests for expedited address changes should be sent to covid19questions@okdocc.ok.gov, and brief explanations should be provided with such requests. If your company will operate from a temporary location, the original location must have a notice posted on the door at all times with the temporary location address, contact information for the licensee, as well as the phone number for the Oklahoma Department of Consumer Credit, (405) 521-3653, (800) 448-4904 (toll free).
The department encourages licensees to understand that consumers may experience challenges during this time, and licensees should work with those consumers where possible. Along those lines, the department is willing to have some flexibility with respect to examinations when licensees are disrupted by the coronavirus.
This interim regulatory guidance is effective until April 30, 2020.
South Dakota Division of Banking Issues Interim Regulatory Guidance on March 12, 2020
Provided that specific data security provisions are met under federal and state law, the South Dakota Division of Banking will not take action against companies or mortgage loan originators who work from home.
- The South Dakota-licensed mortgage loan originator (or employees of other South Dakota licensees) must be able to access the company’s secure loan origination system (including any cloud-based system) from any of the mortgage loan originator’s device(s) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- The South Dakota-licensed mortgage loan originator (or employees of other South Dakota licensees) must not keep any physical business records of any kind at any location other than the licensed main office.
- South Dakota-licensed mortgage loan originators (or employees of other South Dakota licensees) are not permitted to meet with any consumers at their unlicensed home location if they elect to work from home.
- All security updates, patches, or other alterations to the security of the device(s) must be maintained.
The interim guidance is effective through June 5, 2020.
Vermont Department of Financial Regulation Issues Alert to Licensed Lenders, Mortgage Brokers, and Mortgage Loan Originators on March 13, 2020
The Vermont Department of Financial Regulation’s Memorandum for company licensees and mortgage loan originators indicates that it will not take action against mortgage loan originator licensees or their employers who sponsor such individuals when those individuals work from home so long as specific criteria are met. Such criteria includes:
(1) The Vermont activity being conducted at home is required by the sponsoring entity;
(2) The mortgage loan originator is working from home due to the COVID-19 pandemic;
(3) The mortgage loan originator holds all necessary licenses to conduct Vermont activity;
(4) No Vermont licensable activity is conducted in person with members of the public at the individual’s home;
(5) The mortgage loan originator must be able to access their employer’s mortgage loan origination system directly from home or the company location using a virtual private network (VPN) or similar system that requires passwords or other authentication forms;
(6) All security patches, updates, or other security alterations to the computer (or other device used to access the company’s system) must be up to date; and
(7) The licensed sponsoring company must have temporary policies, procedures, and a plan for supervision in place while under the state of emergency.
Nevada Department of Business and Industry, Division of Mortgage Licensing Issues Guidance on March 13, 2020
The Division of Mortgage Lending provided guidance to assist licensed mortgage companies and their sponsored mortgage loan originators in response to the COVID-19 outbreak. The division is temporarily allowing licensed mortgage loan originators to work from home, which includes persons that are associated with and working in Nevada’s principal office locations, branch office locations, or in office locations that are located in other states but licensed with the division to conduct business in the state of Nevada.
Mortgage companies are reminded to continue to comply with the applicable supervision provisions set forth in NRS 645B.460 and 645B.310, and other applicable state and federal laws and regulations, which includes establishing and maintaining proper security protocols to ensure maximum data, records, and transaction security.
The division’s guidance remains effective through May 31, 2020.
Rhode Island Department of Business Regulation, Banking Division Issues Regulatory Guidance on March 13, 2020
The Rhode Island Department of Business Regulation is temporarily allowing licensed mortgage loan originators to work from home, whether located in Rhode Island or another state, even if the home is not a licensed branch.
So long as certain provisions are met, the department will not take administrative or other punitive action against a licensed mortgage loan originator or the sponsoring licensed company if the mortgage loan originator conducts activities requiring licensure from home. Those provisions include:
- The licensed mortgage loan originator must be able to access the company’s secure origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan originator uses (laptop, phone, desktop computer, tablet, etc.) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the device’s security must be maintained.
- The licensed mortgage loan originator must not keep any physical business records at any location other than the licensed main office.
- Mortgage loan originators working from an unlicensed branch home may not have consumers come to that home.
Mississippi Department of Banking and Consumer Finance Issues March 14, 2020, Memorandum Relating to Industry Pandemic Preparedness and March 16, 2020, Notice on Mortgage Loan Originators
The Mississippi Department of Banking and Consumer Finance (DBCF) issued a memorandum on March 14, 2020, to Mississippi mortgage licensees regarding industry pandemic preparedness and DBCF response. In that memo, DBCF urged licensees to review their risk management plans, specifically continuity and pandemic plans, to ensure continuity of products and services. Additionally, DBCF urged licensees to communicate and work closely with consumers impacted by COVID-19, including considering the deferral of fees and other charges.
DBCF noted that licensees should be prepared for disruptions to key personnel availability. Additionally, DBCF suggested that if necessary and appropriate, licensees may want to relocate office or have employees work from home. However, the memo cautions that compliance with all applicable laws and regulations, including security requirements, must be maintained.
Additionally, DBCF requests that licensees notify DBCF of any adverse circumstances caused by the pandemic, including staffing issues, closure, relocation or remote work programs and any efforts being undertaken to work with customers.
The memo also notes that DBCF employees will be conducting examinations offsite.
In a memorandum to licensed loan originators and the companies that sponsor them, issued on March 16, 2020, DBCF provided guidance regarding temporarily working from home. DBCF’s memo indicates that it will temporarily allow licensed mortgage loan originators to work from home, whether located in Mississippi or another state, even if the home is not a licensed branch location. However, the memorandum does not amend or waive state or federal data security requirements.
If the following data security provisions are met, DBCF will not take administrative or other punitive action against a licensed MLO or the sponsoring company if the MLO conducts licensed activities at home:
- The licensed mortgage loan originator must be able to access the company’s secure origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan originator uses (laptop, phone, desktop computer, tablet, etc.) using a virtual private network (VPN) or similar system that requires passwords or a multi-authentication process.
- All security updates, patches, or other alterations to the devices must be maintained.
- The licensed mortgage loan originator must not keep any physical business records at any location other than the secure file location listed in NMLS.
If an MLO chooses to work from an unlicensed branch home, they may not meet with consumers at the home.
The guidance is subject to change and is in effect until further notice.
Kansas Office of the State Bank Commissioner Provides March 16, 2020, Update on COVID-19 Measures
The Kansas Office of the State Bank Commissioner (OSBC) provided guidance for licensees, registrants, and their employees regarding the possibility of working from unlicensed home locations during the COVID-19 pandemic. During the pandemic, the OSBC will allow licensed companies to have their Kansas MLOs work remotely from home to prevent the further spread of the virus. However, prospective or existing borrowers should not travel to the MLOs residence to conduct business. Additionally, the licensees are responsible for the supervision of the MLOs and must have temporary policies and procedures in place to ensure appropriate supervision.
The OSBC has provided the following set of best practices for remote workers to ensure the security of information:
- Computers and other devices that leave the office should be “at-rest encryption;”
- Hard copy information should not be taken offsite if it contains confidential information;
- To connect to the main office or sensitive systems, the systems should be encrypted in transit by use of a VPN or similar technology;
- Mortgage activity should be conducted in a private home environment, avoiding public areas such as coffee shops or libraries.
Wisconsin Department of Financial Institutions Allows Working from Home If Licensees Meet Certain Provisions
Due to the outbreak of COVID-19, the Wisconsin Department of Financial Institutions, Division of Banking (DFI) issued a directive stating that it will take a “no-action position” regarding licensed mortgage loan originators working from an unlicensed home, whether located in the State of Wisconsin or another state.
DFI’s no-action position is contingent on compliance with the following criteria:
- The mortgage banker, broker or registered entity sponsoring the MLO must notify DFI by sending an email to DFIMortgageBanking@wi.gov. Note that no response will be issued to the email submission due to the no-action position.
- The licensed mortgage banker, broker or registered entity sponsoring the MLO must maintain a list of MLOs who elect to work from an unlicensed home. The list should include the name of the licensed individual, address where the individual is working, and the dates during which the individual worked at that address. The list must be submitted to DFI upon request.
- The mortgage banker, broker or registered entity shall enact appropriate data security measures and reasonable supervision of the acts of the MLO.
- Physical business records are not maintained at the unlicensed location.
- Consumer may not be present at the unlicensed location.
This directive remains in place until changed or withdrawn by DFI.
Colorado Department of Regulatory Agencies, Division of Real Estate Issued an Advisory on March 16, 2020
The Division of Real Estate reminds companies that the State of Colorado does not license mortgage companies, as those entities are only required to register with the Nationwide Mortgage Licensing System and Registry (NMLS). Therefore, the Colorado Board of Mortgage Loan Originators does not have any requirements concerning the location of where a mortgage company is doing business in Colorado, as long as they are operating legally in the state in accordance with standards determined and administered by the Colorado Secretary of State.
With regard to Colorado mortgage loan originators (MLO), the Mortgage Loan Originator Licensing and Mortgage Company Registration Act and the Board of Mortgage Loan Originator administrative rules are silent regarding the location of where an MLO is required to operate their business and perform licensed activities. Therefore, an MLO is able to perform their mortgage-related activities at a location other than at their registered license location.
Iowa Division of Banking Issued Regulatory Guidance on March 18, 2020
The Iowa Division of Banking is allowing licensees, registrants, and their employees, including licensed or registered mortgage loan originators, to work remotely from their residence or another location designated by the employer during the COVID-19 pandemic, even if the residence or designated location is not a licensed or registered location.
The Division suggests the following best practices for remote workers to ensure that all licensees maintain information security even while working from remote locations:
- Computers and devices that leave a licensee’s authorized location(s) should include at-rest encryption.
- If paper records containing confidential information are taken off the premises of a licensee’s authorized location(s), procedures must be established to secure that information at the offsite location.
- Connections to the licensee’s authorized location(s) or sensitive systems via any out-of-office device (e.g., laptop, desktop, phone, tablet) should be encrypted in transit by use of a virtual private network (VPN) or similar technology that requires a password or other form of authentication.
- Activity should be conducted in a private home environment, avoiding public areas such as coffee shops or libraries.
The division reminds licensees that all other Iowa laws remain in effect, and it is still the responsibility of all licensed companies to oversee the activities of their employees and to conduct business in a manner that otherwise complies with all applicable Iowa laws during this emergency. All licensed companies must have temporary policies, procedures, and a plan for supervision of employees in place.
Louisiana Provided Guidance to Residential Mortgage Lenders/Brokers/Originators Regarding COVID-19 Procedures on March 18, 2020
The Louisiana Office of Financial Institutions issued an emergency declaration allowing Louisiana licensed companies to temporary close licensed locations, relocate licensed locations and allow mortgage loan originators (MLOs) to work from home. Any licensee whose business is materially affected by the health crisis should contact the Office of Financial Institutions immediately regarding the temporary location.
The required prior written notice for office changes is waived during this time period, and the fees associated with the location change will be considered for waiver on a case-by-case basis. Licensees should provide their temporary locations to the regulator by email (ofiland@ofi.la.gov), U.S. mail, or fax. The information should not be updated in the NMLS at this time. The notification information should include:
- Name/address of closed location
- Name/address/contact information of the new location
- Such other information that the commissioner may request
This declaration is set to expire on April 9, 2020.
Massachusetts Division of Banks Supplemented Previous Guidance on March 19, 2020
Supplementing previously provided guidance, the Division of Banks understands that business interruptions may take place as a result of COVID-19. The Division of Banks wishes to remind its licensees to minimize disruption to consumers and communicate with consumers regarding any closures. The Division of Banks also encourages re-opening locations that are impacted by COVID-19 when practicable.
The Division of Banks also requests that licensees notify their office regarding any location closures, business disruption, or other significant disruptions to the operations of the business relating to COVID-19. Such information is critical so that the Division of Banks can monitor the industry and understand local and systemic issues.
New Mexico Guidance on Working from an Unlicensed Home Residence
On March 17, 2020, the New Mexico Financial Institutions Division (FID) issued a memorandum outlining temporary regulatory guidance regarding the ability of mortgage licensees to work from an unlicensed home residence. The guidance is effective until May 31, 2020, or until modified or withdrawn.
FID will permit New Mexico mortgage licensees and their staff to work from a home residence, which may not be a licensed branch location, so long as the following standards are met:
- The company has established security protocols in place for employees to securely access systems through a VPN or other secure system;
- Security protocols are in place to protect consumer information;
- Company and employees do not advertise or hold their residence out as a place of business;
- Employees do not meet with consumers at, or have consumers come to, an unlicensed residence; and
- Companies and employees must exercise due diligence in safeguarding both company and consumer data, information and records, whether in paper or electronic format, to protect them against unauthorized or accidental access, use, modification, duplication, destruction or disclosure.
New York Department of Financial Services Granted Relief to Licensed Institutions on March 12, 2020
The New York Department of Financial Institutions has allowed the temporary relocation of any authorized place of business, as well as the closing of any such location, if adversely impacted by COVID-19, without the requisite advance notice. This relief applies to the following New York regulated institutions: New York State regulated banking organizations, foreign banking corporations, licensed lenders, check cashers, money transmitters, sales finance companies, premium finance agencies, budget planners, mortgage bankers, mortgage brokers, mortgage loan originators, mortgage loan servicers, student loan servicers, and virtual currency licensees.
Importantly, the Department of Financial Services also will allow professionals, including licensed mortgage loan originators, to work from home or other temporary locations without having first licensed those locations. To do so, however, the individual must remain subject to the full supervision and oversight of their licensed or registered employer. Those institutions must maintain appropriate safeguards and controls, including but not limited to those related to data protection and cybersecurity. Finally, if an individual will conduct licensable activity from a home that is not licensed, such individual may not meet with members of the public at their personal residence.
Pennsylvania Department of Banking Announced on March 16, 2020, That It Will Not Object to Alternate Site Arrangements
The Pennsylvania Department of Banking and Securities announced that the department had closed its offices while the Commonwealth of Pennsylvania is under a Proclamation of Disaster Emergency. The department is maintaining operations through electronic communication, and all mail must also be emailed to the department, including digital copies of checks for any paper checks that are being sent via regular mail.
The department will not object to licensees and registrants working from alternate site locations, whether licensed or not, during the time in which the Commonwealth of Pennsylvania is under a Proclamation of Disaster Emergency. Once that proclamation ceases, the expectation is that licensees will resume their traditional mode of business operations.
South Carolina Board of Financial Institutions Consumer Finance Division and South Carolina Department of Consumer Affairs Separately Issued Interim Regulatory Guidance on March 18, 2020, Regarding Working Remotely from Unlicensed Locations
The Board of Financial Institutions expressed the Consumer Finance Division’s intent to temporarily allow licensed mortgage loan originators to work from home, whether located in the State of South Carolina or another state, even if the home is not a licensed branch. The Interim Regulatory Guidance is effective through April 30, 2020. The Interim Regulatory Guidance of the South Carolina Department of Consumer Affairs is nearly identical, and the guidance in both notices follows.
If the provisions set forth below are met, the division will not take administrative or other punitive action against a licensed mortgage loan originator or the sponsoring licensed company if the mortgage loan originator conducts activities requiring licensure from home. Those provisions include:
- The sponsoring employer must have temporary policies, procedures, and a plan for supervision in place while under the state of emergency.
- The licensed mortgage loan originator must be able to access the company’s secure origination system (including a cloud-based system) directly from any out-of-office device the mortgage loan originator uses (laptop, phone, desktop computer, tablet, etc.) using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the device’s security must be maintained.
- The licensed mortgage loan originator must not keep any physical business records at any location other than the licensed main office.
- Licensed mortgage loan originators working from unlicensed homes may not meet with consumers at their home.
California Department of Real Estate Released Frequently Asked Questions Relating to COVID-19
The California Department of Real Estate’s Frequently Asked Questions contain relevant information for licensees who are seeking to manage their licenses and other obligations while the coronavirus challenges exist. The Department of Real Estate has announced that it has canceled all salesperson and broker license exams in all exam centers from March 18, 2020 to April 7, 2020.
Indiana Department of Financial Institutions Posted March 20, 2020, Notice to Mortgage Lender Licensees and Mortgage Loan Originators Regarding Working from Home
The Indiana Department of Financial Institutions (DFI) does not license mortgage branch locations, and it does not have rules or requirements that would restrict where employees are permitted to work or otherwise restrict an individual’s ability to work from home. Indiana law does not require that Indiana DFI be informed of any change to MLO work locations due to the impact of COVID-19.
The Indiana DFI disclaimed any guidance for the Indiana Secretary of State, which licenses loan brokers.
Kentucky Division of Financial Institutions Announced Recommendations on March 20, 2020
The Kentucky Department of Financial Institutions (DFI) recommended that financial institutions take the following actions, including safety precautions, social distancing, and encouragement to work with customers during this crisis. The actions suggested by DFI include:
- Waive overdraft and/or minimum balance fees
- Restructure existing loans
- Extend loan repayment terms
- Ease terms for new loans
In its notice, DFI requested that institutions providing relief identify and monitor accounts and loans, and document any actions taken to assist customers.
Financial institutions should manage any temporary staff shortages in a manner that best protects the health and safety of the general public and maintains continuity of services to customers. DFI reminded banks or credit unions to notify Hailey Nolan, DFI’s Director of the Division of Depository Institutions, by email at Hailey.Nolan@ky.gov of any significantly altered in-person operations as a result of COVID-19 related staffing issues.
Lastly, DFI reminded entities that business continuity plans should include pandemic planning.
Minnesota Department of Commerce, Financial Institutions Division Provided Notice on the Coronavirus on March 17, 2020
Mortgage Loan Originators and Servicers
The Department of Commerce reminded mortgage loan originator licensees that there is no branch license requirement for licensees, only a branch registration through the NMLS. Licensees who maintain branch locations but have mortgage loan originators work from a home location on a temporary basis must maintain data security policies and standards. The licensee must register the location before directing consumers to that location or maintaining any physical records at the location.
Licensees that temporarily close branches must email the department with the anticipated time that the branch will be closed.
Non-Depository Financial Institutions
Licensees that temporarily close branches must email the department with the anticipated time that the branch will be closed and notify the department of any changes.
Licensees may allow some employees to work from home as long as transactions are tied to a licensed location and consumers are not coming to any unlicensed location during the process. No physical records may be kept at any unlicensed location, and data security policies and standards must be maintained.
Regulated Loan Companies
The Department of Commerce also reminded loan companies of branch licensing obligations and the requirement that a licensed location must be open for business and for examination purposes on the schedule provided to the commission and that schedule must be conspicuously posted at the licensed location.
Loan companies that temporarily close branches must email the department with the anticipated time that the branch will be closed and must conspicuously post the schedule at the licensed location. All loan closings must occur at a licensed branch location.
Loan companies may allow some employees to work from home as long as a branch is still offering and closing loans and consumers are not coming to any unlicensed location. No physical records may be kept at the unlicensed location, and data security policies and standards must be maintained.
New Jersey Department of Banking and Insurance Issued Multiple Bulletins on March 20, 2020 Regarding the Coronavirus
The New Jersey Department of Banking and Insurance encouraged all insurers, banks, credit unions, mortgage lenders and brokers, consumer lenders, student lenders, insurance producers, real estate brokers, and any other person or entity subject to licensure or regulation by this department to take into consideration the difficulties residents have endured and will continue to endure until the spread of COVID-19 is controlled, and those affected begin to receive regular payments and have been reimbursed for monies past due. The department specifically encouraged the entities and individuals it regulates to assist those affected by the current conditions by taking specific actions. Those actions include:
Insurance Division Regulated Entities/Individuals: Consistent with prudent insurance practices, insurers should relax due dates for premium payments and insurance policy-based payments, extending grace periods, waiving late fees and penalties, allowing forbearance with regard to the cancellation/non-renewal of policies, allowing payment plans for premium payments, extending timeframes to complete property and automobile inspections or undergo medical exams, and exercising judicious efforts to assist affected policyholders and work with them to make sure that their insurance policies do not lapse.
Banking Division Regulated Entities/Individuals: Consistent with safe-and-sound banking practices, relaxing due dates for loan payments (of all types, including mortgage, commercial, student and other consumer loans), extending grace periods, modifying terms on existing loans, casing credit card limits, extending new credit, waiving late fees and other fees, allowing customers to defer or skip payments, and delaying the submission of delinquency notices to credit bureaus.
The department requested prompt notice in cases in which operational challenges exist for licensees and any changes to operating hours of branch locations. The department also indicated that it will work with licensees in connection with scheduling examinations to minimize disruption and burden.
The Office of Consumer Finance (OCF) in the department has recognized that licensees may wish to temporarily work from home to avoid the further spread of the outbreak. Accordingly, the department is taking a no-action position concerning the requirement that activity by an OCF licensee must be conducted from a licensed branch location. The OCF’s no-action position requires that licensees first make a submission, electronically, to the OCF that contains the following information:
- A list of all individuals, working on behalf of the OCF licensee, who will be seeking noaction dispensation. The list must include the full name, home address, telephone number, email address, and, if applicable, NMLS unique identifier of the individual;
- A certification, by the OCF licensee, that these individuals are working from home due to a reason relating to the COVID-19 outbreak and have informed the OCF licensee of the reason in writing or by email (see form attached as Annex A); and
- A certification, by the OCF licensee, that the location(s) shall ensure the maintenance of a consumer’s right to privacy with respect to conversations and documents involving personal and financial information, including data privacy and cybersecurity, together with a description of the steps being taken and controls being implemented to ensure that consumer information and privacy are protected. Please see NJCCIC best practices and the Statewide Information Security Manual.
Note the OCF’s position is current until April 30, 2020.
North Carolina Office of the Commissioner of Banks Issued Guidance on March 17, 2020
The North Carolina Office of the Commissioner of Banks issued informal guidance that stressed that licensees use flexibility, patience, and practical solutions to benefit consumers that have experienced challenges as a result of the coronavirus. The office requested that licensees inform it of any changes in the operations or services offered by licensees and emphasized that licensees keep safety and security of personal information in mind. To the extent that there are operational changes, the office suggested that licensees contact Tara Malone at tmalone@nccob.gov for any mortgage-related questions.
Puerto Rico Office of Commissioner of Financial Institutions Issued March 17, 2020 Guidance
In its notice, the Puerto Rico Office of the Commissioner of Financial Institutions extended the deadlines for all reports required under the various laws subject to the jurisdiction and implementation of the office, in light of the territorial government closure.
All deadlines for the filing or submission of answers to complaints, requests for information, all types of financial reports, including quarterly and/or monthly reports, and license renewals, as well as any other deadline imposed by the office or by the laws under the office’s jurisdiction, which become due between March 16, 2020 and April 14, 2020 are continued or extended until April 15, 2020.
The documents which must be filed to comply with the aforementioned deadlines will be received by the office electronically. To the extent that there are questions, they should be submitted via email to the Deputy Commissioner of Financial Institutions, Alejandro Blanco Dalmau, Esq., at alejandrob@ocif.pr.gov.
Tennessee Department of Financial Institutions Issued Interim Guidance to All Non-Depository Financial Institutions and Individuals Licensed or Registered with the Compliance Division on March 23, 2020
The Tennessee Department of Financial Institutions (DFI) reminded licensees and registrants that business continuity plans should address the threat of pandemic outbreak and the potential impact on the delivery of financial services and include communication to employees.
The interim guidance is intended to facilitate the ability of licensees and registrants to take precautions deemed necessary to avoid the risk of exposure to or transmission of COVID-19. The DFI will allow companies to temporarily modify work assignments in order to reduce the risk of exposure to or transmission of COVID-19 during this state of emergency. Members of the public may not travel to an employee’s residence to conduct business.
The DFI recommended the following best practices in connection with employees working remotely:
- All computers and other devices that contain, or are used to access, confidential information should be encrypted and secure.
- Employees should be required to access the licensee’s or registrant’s secure data system remotely using a virtual private network (VPN) or similar system that requires passwords or other forms of authentication to access.
- All security updates, patches, or other alterations to the individual’s access device should be maintained.
- The employee should not keep any physical business records at the remote location.
- Activity should be conducted in a private environment, rather than a public area.
Texas Department of Savings and Mortgage Lending Released March 20, 2020, Guidance on Working from Home
The Department of Savings and Mortgage Lending temporarily suspended the requirement that a physical office be open to the public during posted normal business hours. In addition, they will allow Texas-licensed mortgage loan originators to work from home or other remote locations, even in instances where the location is not licensed. If a Texas-licensed mortgage loan originator or mortgage staff work remotely, their licensed or registered employers must ensure that:
- Strict security of information is maintained;
- All physical business records are maintained at licensed locations rather than an individual’s home or other remote location; and
- Consumers are not permitted to go to a mortgage loan originator’s home.
Texas Office of Consumer Credit Commission Issued Advisory Bulletin to Regulated Lenders on March 13, 2020
The Texas Office of Consumer Credit Commission (OCCC) temporarily announced that it will not take an enforcement action against a licensee that conducts regulated lending activity from unlicensed locations, so long as the licensee meets the following requirements:
- A licensee must prepare a written plan or documentation describing what steps it is taking, as well as the locations where regulated lending activity is taking place. The licensee must maintain this documentation until the OCCC’s next examination of the affected licensed location.
- A licensee’s employees must access information in accordance with the licensee’s written information security program under the federal Safeguards Rule, 16 CFR pt. 314. A licensee must continue to maintain the security of each consumer’s personal information.
- If an employee accesses secure electronic information from the company, the employee must use a virtual private network or a similar system that requires authentication to access. Any devices must have up-to-date security updates or patches.
- A licensee may not keep any physical business records at a location other than a licensed location. All records (physical or electronic) must be accessible from a licensed location.
The OCCC’s guidance is in effect through May 31, 2020.
Utah Department of Financial Institutions Sent a Coronavirus Communication on March 12, 2020
The Utah Department of Financial Institutions sent a communication to express the department’s expectation of mortgage companies in light of the evolving coronavirus pandemic. If a company determines it is in the best interest of its employees or customers to temporarily reduce or suspend operations or reduce operating hours, the company is allowed to proceed. It is not necessary to obtain the department’s approval.
If a company does take any action in this regard, the department requests that the company do the following:
- Provide adequate notice to customers.
- Send an email to the department’s contact of the action(s) taken to Andrea Staheli, Supervisor of Consumer Credit and Compliance for the Utah Department of Financial Institutions, at astaheli@utah.gov.
Virginia Bureau of Financial Institutions Provided a Policy Statement
The Bureau of Financial Institutions encouraged all supervised financial institutions to work constructively to mitigate the impacts of the coronavirus (COVID-19) pandemic on Virginia consumers and businesses.
The bureau stated that it is not in a position to unilaterally modify statutory requirements, but it is also mindful of the extraordinary extenuating circumstances presented by these recent events. Thus, the bureau will take such circumstances into account should a subsequent issue arise and will attempt to accommodate, consistent with law and sound practices, efforts made by licensees to minimize service disruptions.
The bureau cautioned licensees that data security, internal controls, and adherence to safe and sound lending practices must retain paramount importance in alternative work programs. The bureau will also work with financial institutions to reduce the burden when scheduling examinations and place an increased emphasis on off-site reviews and examinations.
The bureau’s policy statement is effective through June 1, 2020.
Washington Department of Financial Institutions Issued Guidance for Servicers on March 20, 2020
The Washington Department of Financial Institutions has issued guidance to all mortgage servicers so that they can alleviate the overall impact of COVID-19 on Washington borrowers who demonstrate that they cannot make timely payments. The department is encouraging servicers to:
- Forbear mortgage payments for 90 days from their due dates;
- Refrain from reporting late payments to credit rating agencies for 90 days;
- Offer mortgagors an additional 90-day grace period to complete trial loan modifications, and ensure that late payments during the COVID-19 pandemic do not affect their ability to obtain permanent loan modifications;
- Waive late payment fees and any online payment fees for a period of 90 days;
- Postpone foreclosures for 90 days;
- Ensure that borrowers do not experience a disruption of service if the mortgage servicer closes its office, including making available other avenues for mortgagors to continue to manage their accounts and to make inquiries; and
Proactively reach out to borrowers via app announcements, text, email or otherwise to explain the above-listed assistance being offered to mortgagors.
Blog post updated 3/27/2020.