Compliance Q&As

Question: We originate loans almost exclusively through E-Sign procedures. Recently, we were cited for not providing proper disclosure to consumers regarding our E-Sign policies. What are the proper disclosures that we must provide consumers in order to ensure compliance with E-Sign?

The Electronic Signatures in Global and National Commerce Act (E-Sign Act) provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce. The E-Sign Act allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent.

Prior consent is required from consumers in order to implement the E-Sign Act procedures. Prior to obtaining their consent, financial institutions must provide consumers a clear and conspicuous statement informing the consumer:

►Of any right or option to have the record provided or made available on paper or in a non-electronic form, and the right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal;

►Whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship;

►That describes the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically; and

►That informs the consumer how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: We are considering whether to sell our mortgage servicing rights. This has been a long, drawn out process of complicated decision-making. At this point, we are still struggling with how to determine the valuations. Perhaps there is a given set of valuation criteria that we could use. Essentially, we just want to be sure we are including the basics in our valuation. Is there a set of valuation data sets that we should be considering in our valuation approach?

Servicers Compliance Group, our affiliate, handles due diligence for virtually all aspects of mortgage servicing, so this is a subject with which we have considerable familiarity. First, it is important to define “mortgage servicing rights,” often referred to by the acronym “MSR”. At the most rudimentary level, MSRs are the capitalized value of the right to receive future cash flows from the servicing of mortgage loans. The concept of capitalized value asserts that the current value of an asset can be determined based on the total income expected to be realized over its economic life span. Those cash flow periods are the anticipated earnings, as discounted (viz., given a lower value), so they take into account the time value of money.

MSRs are considered a source of value derived from originating or acquiring mortgage loans. Because residential mortgage loans typically contain certain features, such as a prepayment option, borrowers often elect to prepay their mortgage loans by refinancing at lower rates during declining interest rate environments. But, when the refinance occurs, the cash flows generated from servicing the original mortgage loan are terminated. Thus, the market value of MSRs is extremely sensitive to changes in interest rates. For instance, the MSR market value tends to decline as market interest rates decline and increase as interest rates rise.

It is usual to capitalize MSRs on the fair market value of the servicing rights associated with the underlying mortgage loans at the time the loans are sold or securitized. Generally Accepted Accounting Principles (GAAP) require that the value of MSRs be determined based upon market transactions for comparable servicing assets or, in the absence of representative market trade information, based upon other available market evidence and even modeled market expectations of the present value (PV) of future estimated net cash flows – such as internally developed discounted cash flow models to estimate the fair market value – that market participants would expect from servicing.

Obviously, valuation requires considerable expertise. I offer here a few of the many possible ways to process assumptions in a valuation of MSRs. This outline is by no means comprehensive. It assumes that MSRs are carried at estimated fair market value.

Prepayment: This is the most significant driver of MSR value based on the actual and anticipated portfolio prepayment behavior. Prepayment speeds, sometimes referred to as “velocity,” represent the rate at which borrowers repay their mortgage loans prior to scheduled maturity. As interest rates rise, prepayment velocity generally slows down, and as interest rates decline, prepayment velocity generally accelerates. When mortgage loans are paid off or expected to be paid earlier than originally estimated, the expected future cash flows associated with servicing such loans are reduced.

Discount Rate: The cash flows of MSRs are discounted at prevailing market rates, which often include an appropriate risk-adjusted spread.

Base Mortgage Rate (BMR): This is the current market interest rate for newly originated mortgage loans. It is considered a key component in estimating prepayment speeds of a portfolio because the difference between the current BMR and the interest rates on existing loans in the portfolio is an indication of a borrower’s likelihood to refinance.

Cost to Service: Servicing costs are based on actual expenses directly related to servicing. These servicing costs are compared to market servicing costs when market information is available. It is advisable to include expenses associated with activities related to loans in default.

Volatility: This is an assumption that represents the expected rate of change of interest rates. The rate of change is often notated with this sign Δ and is referred to as “Delta”. Without getting too technical, the Delta is used in valuation methodologies to place a theoretical boundary around the potential interest rate movements from one period to the next.

As you proceed with your valuation approach, it is important to reconcile actual monthly cash flows to those projected in the MSR valuation. After each such reconciliation, an assessment should be undertaken to determine the need to modify the individual assumptions used in the valuation.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: As a result of an internal audit, we just found out about two reverse occupancies. It turns out that our investors were already aware of this happening and were about to send us repurchase requests. We received the repurchase requests and it seems we have no way out but to do the repurchases. What could we have done to prevent this from happening in the first place?

To some extent, this situation can be avoided. However, when it comes to mortgage fraud, nothing is foolproof. A “reverse occupancy” occurs where a borrower buys a home as an investment property and lists rent proceeds as income in order to qualify for the mortgage, but instead of renting the home the borrower occupies the home as a primary residence.

Typically, these schemes have certain markers. Here are the most salient:

►Subject properties are sold as investment properties;

►Purchasers are first-time home buyers with minimal or no established credit;

►Purchasers have low income but significant liquid assets that are authenticated by bank statements;

►Purchasers make large down payments;

►The appraisal has a comparable rent schedule (to show expected rental income from the subject property);

►Purchasers present “rent free” letters stating they are not paying rent to live in their primary residence;

►Ethnic commonality among the purchasers and other parties to the transaction; and

►Transactions occurring in a specific geographic location.

Just because one or more of these are present in a mortgage loan transaction does not necessarily mean that the transaction is a reverse occupancy scheme.

If the financial institution is going to prevent this type of mortgage fraud, the best approach is to ensure prudent origination, processing, and underwriting practices, with an emphasis on “Red Flags” that may occur in the loan documents. For instance, closely reviewing liquid assets as compared to income and the source of qualifying income can identify a potential reverse occupancy scheme. I would further recommend that training be given not only to the operations staff but also to loan officers. In our training on Identity Theft Prevention and Anti-Money Laundering–such training being statutorily required of financial institutions–we discuss many Red Flags.

Ultimately, if this kind of mortgage fraud is to be prevented, the following initiatives would be advisable:

►Periodically conduct vendor compliance procedures of third-party originators

►Train, Train, and Train, either through in-source or out-source

►Establish a “Zero Tolerance” policy for preventing mortgage fraud

►Share information through sales and operations meetings

►Report all suspicious activity through established channels

►Perform a quarterly audit of loan transactions of investment properties

►Ensure that quality control does audits for investment property transactions

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: Thank you for these weekly FAQs! My staff and I find them very informative. I am with the compliance department of a bank. We offer a full range of loan and savings products. We are preparing for a regulatory examination that will include UDAAP compliance. I was hoping you could let us know some review areas that we should include in our risk assessment. Specifically, what documentation should we be reviewing for our UDAAP risk assessment?

We appreciate your kind words about our weekly FAQs. We receive many questions and try to choose the ones that may be broad enough for our large readership. Thank you for submitting your question!

Preparing a risk assessment for Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) requires a great deal of focus not only on the material subject to review but also a concerted effort by all stakeholders. I have written extensively on UDAAP, most recently in connection with advertising compliance. You might want to read my eBook on advertising compliance (viz., visit our website), which includes a discussion on UDAAP.

Generally, there are four examination areas that regulators seek to audit. The examiner wants to determine whether the financial institution:

►Avoids unfairness, deception, and abuse in the context of offering and providing consumer financial products and services;
►Assesses the risk of its practices being unfair, deceptive, or abusive;
►Identifies unfair, deceptive or abusive acts or practices; and
►Understands the interplay between unfair, deceptive, or abusive acts or practices and other consumer protection statutes.

A risk assessment of the financial institution should take into account its marketing programs, product and service mix, customer base, and other factors, as appropriate. This risk assessment is extensive. In responding to the posed question, only the aspects involving certain documentation are provided here. For more information, review the CFPB’s Examination Manual on UDAAP.

The following is a list of documentation areas that should be compiled and reviewed for the purposes of a UDAAP risk assessment:

►Training materials.
►Lists of products and services, including descriptions, fee structure, disclosures, notices, agreements, and periodic and account statements.
►Procedure manuals and written policies, including those for servicing and collections.
►Minutes of the meetings of the Board of Directors and of management committees, including those related to compliance.
►Internal control monitoring and auditing materials.
►Compensation arrangements, including incentive programs for employees and third parties.
►Documentation related to new product development, including relevant meeting minutes of Board of Directors, and of compliance and new product committees.
►Marketing programs, advertisements, and other promotional material in all forms of media (including print, radio, television, telephone, Internet, or social media advertising).
►Scripts and recorded calls for telemarketing and collections.
►Organizational charts, including those related to affiliate relationships and work processes.
►Agreements with affiliates and third parties that interact with consumers on behalf of the entity.
►Consumer complaint files.
►Documentation related to software development and testing, as applicable. 

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: We are a mortgage banker. Our policy is to place limits on points and fees in our residential mortgage loan transactions. But an applicant complained to the CFPB that we denied the application because of our limits on points and fees. Our regulator has told us that a lender does have limits on points and fees based on certain guidelines. What are those guidelines?

At a rudimentary level, the CFPB expects lenders to (1) Document the loan transaction, and (2) Determine the consumer’s ability to repay the loan. Depending on the loan transaction, the ability-to-repay feature–which offers certain standards for demonstrating a good faith effort to determine that the consumer is likely to be able to pay back the loan–may have some bearing on the points and fees concern.

If a consumer does not have the ability to repay the loan, the lender may not offer the credit extension. In fact, some lenders may choose to comply with the ability-to-repay rule by making only “Qualified Mortgages,” which do have caps on upfront points and fees.

Certain loan features are not permitted in Qualified Mortgages, such as an “interest-only” period, negative amortization, balloon payments, and loan terms that are longer than 30 years. In addition, there is a limit on how much of the consumer’s income can go towards debt, and excess upfront points and fees are not allowed. If the consumer applies for a Qualified Mortgage, there are limits on the amount of certain upfront points and fees the lender can charge. These limits will depend on the size of the loan. Not all charges, like the cost of a credit report, for example, are included in this limit. If the points and fees exceed the threshold, then the loan can’t be a Qualified Mortgage.

The reason for the CFPB’s position is clear: the consumer needs protection from paying very high fees; therefore, a lender making a Qualified Mortgage can only charge up to the following upfront points and fees:

►For a loan of $100,000 or more: Three percent of the total loan amount or less.
►For a loan of $60,000 to $100,000: $3,000 or less.
►For a loan of $20,000 to $60,000: Five percent of the total loan amount or less.
►For a loan of $12,500 to $20,000: $1,000 or less.
►For a loan of $12,500 or less: Eight percent of the total loan amount or less.

The foregoing loan amounts reflect the initial statutory base. There have been annual adjustments to these tiers. Under the CFPB’s rules, only Qualified Mortgages have a limit on points and fees. But, lenders are not required to make Qualified Mortgages, so they can charge higher points and fees if they so choose.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail


Question: We are a lender with a client that is very passionate about NOT signing the Patriot Act Disclosure that is included in our initial closing package. He is a permanent resident alien and claims that the Patriot Act has not been in existence since June 2015 and that a lender should not be requiring him to sign the U.S. Patriot Act Information Disclosure form.  The client has no difficulties with providing the identification documents we require, but he feels that the disclosure form is a legal document which is inaccurate, as it is now the Freedom Act that governs. Is the client correct and how should we respond?  

Actually, the client is incorrect. He is operating under a common misconception that the entire USA Patriot Act expired. In reality, the vast majority of the Act, including Title III, which carries a great majority of the requirements for financial institutions, remains in effect. Thus, financial institutions are still required to (1) monitor for customers and transactions that could be related to terrorist activities through section 314(a) & (b); (2) verify the identity of customers through a customer identification program under section 326; and (3) have an established AML Program under section 352.

The sections that “expired” were section 215, which included the so-called “Lone Wolf” and “Roving Wiretap” provisions. The “Lone Wolf” provision allowed U.S. intelligence and law enforcement agencies to target surveillance at suspected terrorists who are not part of any group and without direct ties to terrorist groups. The “Roving Wiretap” provision permitted the monitoring of a specific person regardless of the devices used. The National Security Agency used section 215 as a basis for the mass collection and monitoring of phone records of millions of Americans who were not necessarily under investigation, a program Edward Snowden exposed in 2013. The USA Freedom Act essentially restored and amended section 215 through 2019.     

It is not clear which version of the USA Patriot Act Disclosure form you are using. However, in all likelihood, just above the signature line there is a statement to the effect of “By signing the form, you acknowledge receipt of this disclosure”. So, the client’s difficulty with acknowledging receipt of the form is difficult to grasp. If you are keeping the loan in portfolio, depending on your policies, you could have a documented exception, as there is no legal requirement that it be signed.

Joyce Wilkins Pollison is director of Legal & Regulatory Compliance for Lenders Compliance Group.

Question: We recognize the requirements of E-Sign. One subject of discussion has been its role in contractually binding our financial institution in mortgage loan originations, especially in the area of consumer disclosures. How valid are electronic signatures? Can electronic signatures be used to enforce contracts?

The Electronic Signatures in Global and National Commerce Act (E-Sign) was designed to allow greater flexibility to implement electronically signed transactions. Its requirements have been used more and more since E-Sign’s inception in 2000. E-Sign specifies that an electronic record or transaction may not be rendered invalid solely on the basis of its electronic or digital nature, but it makes no guarantees about the overall enforceability of such electronic contracts.

An electronic record is only enforceable if it meets the criteria specified in relevant contract laws as well as the language of E-Sign. It is worth noting that E-Sign applies to interstate or government interactions. In-state transactions are bound either by the Uniform Electronic Transactions Act (UETA) or by the governing state’s relevant e-Signature laws–which, in some states, are actually more strict than E-Sign or UETA.

For an electronically signed document to be enforceable in court, it must meet certain requirements for legal contracts in addition to the electronic signature guidelines specified in the appropriate laws (such as E-Sign and UETA). According to E-Sign, an electronic signature is "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."

In contract law, signatures serve the following general purposes:

►Evidence: Authenticates agreement by identifying the signer with a mark attributable to the signer that is capable of authentication.

►Ceremony: Act of signing calls attention to the legal significance of the act, preventing inconsiderate engagements.

►Approval: Express approval or authorization per terms of agreement.

To elucidate on factors involving authentication, broadly, authentication is defined as evidence that a given record, contract, or form is a genuine, unaltered written representation of an agreement approved by two or more parties, whether in paper or electronic form.

An authentic document contains no evidence of fraud or tampering, such that it may be reasonably concluded that the parties in agreement did indeed assent to the enclosed terms. Assent is evidenced by an attributable, authenticated signature. To be authenticable, the transaction must contain enough information uniquely attributable to the user that fraud, forgery, or validity can be reasonably proven.

For an electronic transaction to withstand scrutiny in court, it must meet the definitions and criteria stated above; that is, it must be capable of authentication and non-repudiation, call attention to the document's legal significance (viz., creation of the electronic signature), and demonstrate approval of the terms of the agreement.

Some electronic signature technologies sufficiently meet these criteria and some do not. Therefore, it is very important for businesses and government agencies to choose their electronic signature technology carefully or risk making agreements that cannot be enforced.

If interested in a review of your electronic signature technology, please contact us. We have subject matter experts who can review the technological and regulatory compliance requirements of E-Sign.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: Our compliance group recently passed around the E-Book on Advertising Compliance, written by Jonathan Foxx. In Part II, there is a section on UDAAP. We are particularly interested in UDAAP because we are updating our policies to include new language for UDAAP conduct in debt collection. Mr. Foxx’s outline was terrific in showing the range of UDAAP issues involving Advertising Compliance, but we wonder if he would provide some examples of how debt collection is impacted by UDAAP guidelines. So, what examples of conduct related to the collection of consumer debt could constitute UDAAP violations?

Thank you for the kind words about the E-Book, entitled Advertising Compliance: Getting Ready for the Banking Examination, which compiled two of my published White Papers. I have written extensively on this subject, but the E-Book has been found useful for individuals seeking a path to understanding this very complicated area of regulatory compliance.

There are many examples of Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) violations in the context of debt collection, but any list is not going to be comprehensive. Also, please note that the obligation to avoid UDAAPs is in addition to any obligations that may arise under the Fair Debt Collection Practices Act (FDCPA).

First, what is an unfair act or practice? There are generally three components: (1) it causes or is likely to cause substantial injury to consumers; (2) the injury is not reasonably avoidable by consumers; and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. [Dodd-Frank Act §§ 1031, 1036, 12 U.S.C. §§ 5531, 5536]

Second, what is a deceptive act or practice? This consists of three components: (1) it misleads or is likely to mislead the consumer; (2) the consumer’s interpretation is reasonable under the circumstances; and (3) the misleading act or practice is material. [Section 5 of the FTC Act. See CFPB Exam Manual at UDAAP 5]

Third, what is an abusive act or practice? This is more nuanced than the foregoing elements, but there are two primary factors: (1) the act or practice materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or (2) takes unreasonable advantage of (a) a consumer’s lack of understanding of the material risks, costs, or conditions of the product or service, (b) a consumer’s inability to protect his or her interests in selecting or using a consumer financial product or service, or (c) a consumer’s reasonable reliance on an institution to act in his or her interests. [Dodd-Frank Act § 1031(d), 12 U.S.C. § 5531(d). See also CFPB Exam Manual at UDAAP 9. See Stipulated Final Judgment and Order, Conclusions of Law ¶ 12, 9:13-cv-80548 and Compl. ¶¶ 55-63, CFPB v. Am. Debt Settlement Solutions, Inc., 9:13-cv-80548 (S.D. Fla. May 30, 2013)]

Given the above-outlined features of UDAAP, the following non-exhaustive list of examples of conduct related to the collection of consumer debt could constitute UDAAPs:

►Collecting or assessing a debt and/or any additional amounts in connection with a debt (including interest, fees, and charges) not expressly authorized by the agreement creating the debt or permitted by law.

►Failing to post payments timely or properly or to credit a consumer’s account with payments that the consumer submitted on time and then charging late fees to that consumer.

►Taking possession of property without the legal right to do so.

►Revealing the consumer’s debt, without the consumer’s consent, to the consumer’s employer and/or co-workers.

►Falsely representing the character, amount, or legal status of the debt.

►Misrepresenting that a debt collection communication is from an attorney.

►Misrepresenting that a communication is from a government source or that the source of the communication is affiliated with the government.

►Misrepresenting whether information about a payment or non-payment would be furnished to a credit reporting agency.

►Misrepresenting to consumers that their debts would be waived or forgiven if they accepted a settlement offer, when the company does not, in fact, forgive or waive the debt.

►Threatening any action that is not intended or the institution or service provider does not have the authorization to pursue, including false threats of lawsuits, arrest, prosecution, or imprisonment for non-payment of a debt. [CFPB Bulletin 2013-07]

Facts and circumstances will dictate the presence of a UDAAP violation; however, these examples are but a few of the many potential UDAAP acts or practices involving consumer debt collection.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: Our compliance department has been tasked with developing a disaster recovery plan. Banking departments of several states are expecting us to ratify such a plan. However, we are not sure about what goes into this plan. What are the essential elements of a disaster recovery plan?

Although there is some variation to the features of a disaster recovery plan, we have found that there are constituent elements that are typical of this document. Sometimes “disaster recovery” is also referred to as “business continuity.” At the most rudimentary level, this plan sets forth the procedures to be followed in the event of an emergency or other disruption of a financial institution’s normal business activities. The goal is to be able to continue or to resume any operations as soon as possible with minimal disturbance to internal and external parties and certainly to recover any documentation and data required to be maintained by applicable laws and regulations.

In our development of disaster recovery plans for our clients as well as the review of their existing policies and procedures involving such aspects as information security, cybersecurity, and other features of information technology, we have found that there are several salient elements of a disaster recovery plan. I will provide them here, with the caution that the list is not meant to be comprehensive, and, to be sure, other elements may be appropriate based on an institution’s size, risk profile, and complexity.

Essential Elements of a Disaster Recovery Plan

1. Identify documents, data, facilities, infrastructure, personnel and competencies essential to the continued operations of the financial institution.

2. Identify supervisory personnel who are in the chain-of-command for implementing each aspect of the disaster recovery plan and the emergency contacts required to be notified. These individuals must be given authorization to make key decisions in carrying out the plan’s requirements.

3. Devise a plan to communicate with the following persons in the event of an emergency or other disruption: (a) Board of Directors; (b) Senior Management; (c) employees; (d) consumers; (e) affiliates; (f) media; (g) investors; (h) regulatory authorities; (i) data, communications and infrastructure providers and other vendors; and, (j) disaster recovery specialists and other persons involved in recovering documentation and data.

4. Ratify procedures for, and maintenance of, back-up facilities, systems, infrastructure, alternative staffing and other resources to achieve the timely recovery of data and documentation and to resume operations as soon as reasonably possible. We recommend that the resuming of operations be expected to occur within the next business day.

5. Maintain back-up facilities, systems, infrastructure and alternative staffing arrangements in one or more areas that are geographically separate from the financial institution’s primary facilities, systems, infrastructure and personnel.

6. Back up or copy, with sufficient frequency, documents and data considered essential to operations or to fulfill regulatory obligations, and store information off-site in either hard-copy or electronic format.

7. Identify potential business interruptions encountered by third parties that are necessary to the financial institution’s continued operations and devise a plan to minimize the impact of such disruptions.

8. Ensure that copies of the disaster recovery plan are placed at all accessible off-site locations, such as branches.

9. Train, and periodically drill, affected employees and support systems on applicable components of the disaster recovery plan.

10. Review and revise the disaster recovery plan at least annually or upon any material change to the financial institution. Any deficiencies or corrective actions must be documented.

11. Have the plan tested at least annually by qualified, independent internal personnel or a qualified third-party service capable of performing a risk assessment. The testing date should be documented, with the documentation describing the nature and scope of the testing, any deficiencies found, any corrective actions taken, and the dates on which corrective actions were taken. I strongly recommend testing a disaster recovery plan at least once every three years by a qualified third-party service.

12. Keep detailed records of all activity involving the implementation of the disaster recovery plan and maintain such information in a form that may be made available promptly, upon request, to representatives of regulatory and enforcement authorities, Federal agencies, prudential regulators, and state banking departments.

Jonathan Foxx is managing director of Lenders Compliance Group, the first and only full-service, mortgage risk management firm in the United States, specializing exclusively in outsourced mortgage compliance and offering a suite of services in residential mortgage banking for banks and non-banks. If you would like to contact him, please e-mail

Question: We are thinking about obtaining leads from an online lead generation service. In the process of reviewing our marketing campaign, it seems pretty clear that there are different types of lead generators. What are the different types of lead generators? What are some pitfalls? Also, what is a lead?

For the most part, the Federal Trade Commission (“FTC”) has broad jurisdiction over lead generators. The FTC has used its authority to bring enforcement actions against unscrupulous actors in the lead generation industry. Examples abound, such as where the FTC successfully sued lead generators that lured consumers with promises of extremely low fixed rate mortgages or free refinancing, but then sold consumers’ information to entities that did not actually offer these deals, or where it sued payday loan lead generators that sold consumers’ sensitive bank account information to non-lenders who simply debited charges directly from consumers’ accounts without authorization.

I have written extensively on lead generation generally and lead generation companies in particular, such as my article titled, “The Lead Generation Company: Managing the Risks,” which can be found in our Articles library. This article is a good place to start your reading on lead generation companies, especially in light of the significant regulatory risks posed by them.

Lead generation is the process of identifying and cultivating individual consumers who are potentially interested in purchasing a product or service. The goal of lead generation services is to connect lead purchasing companies with the profiled consumers so that the lead purchaser can convert “leads” into sales. The FTC has defined a lead broadly as any consumer who has indicated interest – directly or indirectly – in buying a product or service by taking some action.

Leads cover the gamut of consumer profile information. For instance, they may consist of little more than a consumer’s name and contact information. But they can contain information that has been derived by soliciting much more detailed and sensitive consumer information, like Social Security Numbers and bank account numbers; in other words, not just information in the public record.

The lead generation world is very state-of-the-art these days. Consider that consumers increasingly research and shop for products and services online, which means that lead generation has become more sophisticated, rapid, and data-intensive. 

Leads are collected from many sources. Often, leads are collected by a publisher or affiliate. Consumers encounter this entity through their use of consumer-facing marketers in the lead generation ecosystem that promote products or services online. These conduits encourage consumers to submit additional information about themselves to learn more and connect with merchants or advertisers that can sell them the products or services being sought by the consumer. Many publisher websites contain marketing claims and a web form requesting consumer information. Some publishers expressly identify the merchant to which they sell consumer leads, but others do not and only make generic marketing claims.

In our reviews of client marketing strategies, we have seen where small publishers simply collect consumer information and pass it on to larger, more sophisticated actors in the lead ecosystem. We have also found that some publishers oversee networks of sub-publishers or sub-affiliates that feed them leads, often contracting with the latter to create marketing websites and web forms.

There are many types of lead sources and lead generation methods. I will mention the salient types.

►Leads Transmitted to Aggregators: Aggregators are intermediaries that take in leads collected by multiple website publishers and prepare them for sale to their clients, which may be end users or even other aggregators. Generally, the aggregator identifies the leads that would be most valuable or relevant to its clients and packages the leads accordingly. Unless an aggregator chooses to operate its own websites or engage in consumer-facing marketing, its role may be largely invisible to consumers who fill out online forms.

►Leads Sold to End-Buyer Merchants: These are leads sold to end-buyer merchants or advertisers that can sell consumers the products and services they are seeking. By using these leads, merchants will frequently contact consumers directly in order to pitch services and provide additional marketing materials about a potential transaction.

►Leads Verified or Supplemented with Additional Information: These leads stem from a pruning process, whereby merchants and others in the lead generation ecosystem seek more data about leads. Reasons for seeking additional information include further verification of the accuracy and validity of the information consumers provide in web forms, supplementation of consumer leads with additional data for a fuller picture of a consumer, or the scoring of leads based on their potential qualifications or value. The pruning process could even include contacting consumers directly, for instance, by calling them over the telephone. Some merchants, aggregators, and publishers seek supplemental information from third-party data brokers, firms that unfortunately often act without transparency and accountability.

Finally, lead generators may sell “remnant leads” that can target consumers unlawfully. These are leads where the lead purchaser has no legitimate need for the consumer’s sensitive data. The FTC has brought enforcement actions based on the prevalence of remnant leads. Even lead generators are very cautious in how they sell remnant leads. Depending on the circumstances, they could be liable under the FTC Act if the purchaser has no legitimate need for the information, especially since privacy policies on many publisher websites provide few restrictions on the use or sale of the consumer information collected by the lead generator.

If you plan to use a lead generation company, I strongly advise that you vet it as a service provider, using the kind of due diligence review resources offered by our affiliate Vendors Compliance Group. Whatever you decide in developing your marketing campaign, keep in mind that the FTC has demonstrated significant concern about lead generators’ collection and sharing of consumer information, given that such information increases the risk of misuse and harm to consumers.

Jonathan Foxx is president and managing director of Lenders Compliance Group, Brokers Compliance Group, Servicers Compliance Group and Vendors Compliance Group, national companies devoted to providing regulatory compliance advice and counsel to the mortgage industry. He may be contacted by phone at (516) 442-3456, by e-mail at or visit