Survival of the Fittest: Weathering the Storm With a Robust Management Internal Control Function
In today’s marketplace, regulatory scrutiny has taken center stage. No longer can mortgage originators, loan servicers and other mortgage banking service providers take a ‘blind-eye’ to regulatory practices aimed at protecting consumers. Within the past decade, a large number of consumers have purportedly fallen prey to a host of unscrupulous lending, servicing, default management and other mortgage finance administration practices. As a result, a series of regulatory requirements have been enacted to help reign-in the ‘bad guys’ and offer protections to consumers nationwide.
In this regard, a series of guidelines have been enacted by the Consumer Financial Protection Bureau (CFPB) principally aimed at protecting consumers from firms engaging in critical residential mortgage finance activities and practices. A major fallout of these new regulations has been shrinkage as to the number of players in the industry due to an increase in costs relating to the vast organizational and personnel changes necessary to ensure compliance. This, together with a significant number of consolidations that have occurred throughout the industry has sharply reduced the number of active mortgage banking participants. Further, adding to this contraction is the weariness of investors to participate in residential mortgage-backed securities (RMBS), thereby leading to a significant reduction undertaken by issuers to package, structure and sell RMBS. Hence, today’s mortgage finance industry is merely a fraction of what it was less than 10 years ago and only the strongest and most committed players remain.
Surviving in today’s marketplace is clearly linked to having a strong commitment (both organizationally and financially) to a robust internal control environment designed to protect consumers. This commitment is also an essential cornerstone for continued growth in 2016 and beyond, and is something that more and more key players in the industry are beginning to embrace. As such, many mortgage banking firms today have begun implementing formal Management Internal Control (MIC) utilities designed to proactively ensure that key mortgage finance functions are appropriately managed and controlled to ensure proper consumer protection. Strong MIC functions are also helping many firms identify and reduce process redundancies, streamline operations and ultimately lower costs. Once outside regulators have commenced a formal audit and have identified internal control and processing inefficiencies relating to mortgage lending and/or loan servicing practices, the ‘cat is out of the bag’ so to speak and damages have already occurred to the consumer as well as to the firm’s overall marketplace reputation and cost infrastructure relating to remediation efforts.
Beginning to emerge as a critical component of robust MIC functions within mortgage finance organizations is the development and implementation of formal Business Self-Testing (BST) Programs. Such programs are being designed to monitor compliance with applicable laws and regulations for a host of mortgage banking functions. BST is slowly becoming the first line of defense in ensuring that mitigating controls are working as intended on an ongoing basis. Properly designed and implemented, BST programs can also be utilized by auditors and external regulators to reduce the scope of their testing and modify examination procedures accordingly. For 2016 and beyond, mortgage bankers can more effectively weather the storm brought on by increased regulatory scrutiny and compliance requirements by adopting a robust MIC function with a solid BST Program at its core.
Simply speaking, the purpose behind having a formal BST Program is for business owners to monitor ongoing compliance with legal and regulatory requirements for certain processes and functions performed throughout the organization. An effective BST program should be designed to monitor compliance with applicable laws and regulations via periodic and continuous testing of these processes. Through a program of independent monitoring and testing that is generally performed by a dedicated MIC utility, reasonable assurance can be obtained to validate that key assumptions, data sources and procedures utilized in measuring and monitoring compliance risk can be relied upon on an ongoing basis; in the case of transaction testing, assurance can be obtained that controls are working as intended. The testing of controls and remediation of deficiencies identified as a result of testing activities are essential to proactively maintaining an effective internal control framework.
Unlike internal audit utilities, an effective MIC function is embedded within each business line (i.e. origination, servicing, etc.). Effective and credible MIC utilities should have a dual reporting line into both the designated business head and into the CEO’s office. Some have argued that having both an internal audit function and a separate [line-driven] MIC function within a given organization is overkill, creates redundancies and increases costs. Given today’s regulatory focus and scrutiny, many are beginning to realize that the costs associated with this added level of internal control and oversight is an absolutely critical investment necessary to properly maintain and grow the business. Specifically, this dual reporting structure ensures that the following two essential factors coexist:
►Business ownership: To ensure that complete ownership by the business (whether it be origination, servicing, default management administration, etc.) exists to ensure that practical business concerns are taken into consideration when implementing and monitoring regulatory compliance processes necessary to balance consumer protections with goals and initiatives to grow the business; and
►Independence: To ensure that an appropriate level of independence is maintained in order to provide an overall sense of credibility to the function as well as to provide necessary comfort levels to all internal/external audit and external regulatory constituencies.
MIC serves as a collaborative partner with the business, provides subject matter expertise for legal regulatory compliance issues and is the focal point for issue escalation. In addition, MIC would inform the business of new regulations or changes to existing regulations which warrant additional testing or changes to processes and current test routines. MIC should also independently validate BST test results and may perform sub-testing of certain activities, as deemed necessary. Based on this validation, MIC may from time-to-time make process change recommendations to the various lines of business. In addition to processes performed internally, functions performed by external third-party vendors (such as property valuation services, title services, property management services, etc.) should be subject to BST as well. This is critical since processes performed by third-party vendors generally represent greater risk than do processes performed in-house.
By utilizing a formal BST program as its base, effective MIC utilities can partner with the business to more effectively drive growth in a controlled environment aimed at protecting consumers from improper residential mortgage finance activities and practices. The BST program should be formally documented, with critical components of a ‘winning’ program inclusive of the following:
►Sampling methodologies and related sampling criteria;
►Testing strategies, testing procedures and guidelines;
►Development of key metrics and related reporting protocols;
►Development of corrective action plans; and
►Development of training guidelines and programs.
It goes without saying that BST results should be documented and formally reported to senior management on a consistent basis. As appropriate, it is suggested that MIC choose and consider the following when capturing and reporting testing results:
►Summary of errors by regulatory/legal issue;
►Error trending by process and by regulation or law;
►Repeat errors that have occurred over three consecutive reporting cycles (i.e. quarterly);
►Status reports by functional area; and
►Additional enhanced reports, as deemed appropriate.
In order to maximize BST benefits and ensure that underlying processes and controls are effectively modified and enhanced, formal corrective action and issue escalation protocols must be established. Corrective action facilitates the definition and implementation of appropriate controls and processes to ensure that identified errors, their underlying causes and full population impacts are rectified and resolved timely to prevent reoccurrence. Corrective action also helps categorize identified test errors, risk rank the errors, detect systemic and/or historic error patterns, incorporate root cause analysis, ascertain potential broader population remediation needs (for both the tested and the full population) and create reporting to capture, track and help rectify these errors. In general, two types of errors can occur—systemic errors and isolated errors, defined as follows:
►Systemic error: An error where the root cause relates to an underlying system or process issue that consists of the same error across an entire population; and
►Isolated error: An error generally confined to a specific process or individual, and having a limited impact.
A Corrective Action Plan (CAP) is a formal document designed to outline actions to resolve identified errors and categorize the root cause of an identified issue in a complete manner. CAPs will include remediation actions which detail the approach to formally address and document the efforts that will be taken to make adversely affected consumers ‘whole,’ and also to correct/modify/enhance internal process and controls as necessary to reduce future errors and instill continuous process improvement regimens as appropriate. As a guide, BST results will identify testing errors, patterns of systemic and/or historical errors and create reporting necessary to capture, track and rectify errors identified and drive process improvements as necessary.
Clearly, growth and continued survival in today’s marketplace for 2016 and beyond is contingent upon having a strong and robust internal control infrastructure. Development of a formal MIC function, together with a robust and clearly defined BST program are essential components behind having such a ‘winning’ strategy. As one senior default management executive at a medium sized loan servicing organization in the Midwest clearly indicates, “It is no longer possible to grow and compete in today’s marketplace without having a firm commitment to a strong internal control environment targeted at enhancing processes and protecting consumers from regulatory malpractice. In the long-run, investment in establishing and maintaining a strong internal control environment is a must in order to compete and grow [in today’s marketplace].”
Yes, weathering the storm in today’s regulatory focused marketplace is a matter of ‘survival of the fittest,’ with the ‘fittest’ being those firms committed to a growth strategy predicated on a strong internal control environment.
Vincent Spoto is the founding partner of RRMS Advisors, an advisory and consulting firm specializing in servicer/vendor surveillance, risk management, compliance monitoring and default management. Prior to founding RRMS Advisors in 2008, he worked for notable firms such as JP Morgan Chase, Citigroup and Credit Suisse.
This article originally appeared in the December 2015 print edition of National Mortgage Professional Magazine.