July 17: Letters about lenders & AMCs, workplace equality, and cybersecurity for small businesses & individuals; Saturday Spotlight: Usherpa

With the FHFA .5 refi news yesterday, if you’re a broker who has locked a refinance with Wholesaler A, and been charged a .5 refi hit, and Wholesaler A won’t change your lock but you can move your lock to Wholesaler B and not have the .5 hit, what will you do? It appears that most lenders are removing the hit from the locked refi loans, as long as there are no rescission issues, like the documents being already at the settlement agent. The move is welcomed but quantitatively its removal might not be as wonderful as some expect. The 50-basis point fee equates to about 10 bp higher mortgage rate for borrowers, so while its elimination is positive for prospective refinance volumes, few expect a material impact on volumes. Perhaps more meaningful is how this move is indicative of the change in leadership at the FHFA, and its willingness to listen to the MBA and other industry sources.

Saturday spotlight: Usherpa, creating relationships that last a lifetime using data intelligence and multi-channel marketing.

Describe your company (when was it founded and why, what it does).

When Dan Harrington founded the company in 1995, he was a Loan Officer in search of a better tool for marketing home loans. He developed a system that would allow him to stay connected with his past borrowers and Realtor business referral partners. His mortgage volume skyrocketed. After the 2008 housing market crash, Dan and Co-Founder Chris Harrington turned his system into Usherpa and evolved it into the industry’s most sophisticated, cloud-based CRM/Marketing Automation system.

Today, the Usherpa Relationship Engagement Platform has helped thousands of Loan Officers stay connected with partners and clients. Loan Officers, Marketing Directors, and CEOs rave that Usherpa is the easiest to use system on the market.

The goal was to be the universal guide to painless CRM, sales, and marketing automation for the housing industry. Because the system integrates seamlessly with the technology in use by the majority of loan originators today, many are unaware that we founded the mortgage and real estate CRM category back in the mid-90s.

What does Usherpa do to help elevate your employees’ growth?

Our core operational structure revolves around the Entrepreneurial Operating System® (EOS). EOS keeps us growth-orientated, so we can systematically concentrate on the development of employees through professional education/training, certificates, business/leadership coaching, and industry-specific seminars. Our IT Development team is very active with Microsoft Azure User Groups and Boot Camps.

Tell us how Usherpa maintains its culture in a work-from-home environment.

Usherpa has certain Core Values. Be Passionate. When our employees are passionate about what they do and the difference they make, it’s infectious. Our Cheers for Peers program gives employees a public forum to thank other co-workers for their work. Do the right thing for the right reason. We’re focused on long-term results, not quick wins. Usherpa went to 100% telework at the start of the pandemic, providing staff with at-home offices so they could work comfortably and continue providing stellar service to members. And Laughter. To maintain a joyful culture, we implemented team-bonding virtual events such as one-on-one rotating coffee breaks, Thirsty Thursday cocktail hour, Bingo, Trivia Night, and a Zoom “campfire” with s’mores!

Things you are most proud of that don’t have to do with sales.

We’re proud of the tenure of our team and our customer base. We have employees who have been on our team since 1995, corporate clients that have been customers for over a decade, and individual users who have been with us for over 20 years. We are proud to report that our clients on average convert 46% more prospects, close 2x more deals, and increase their repeat business by 57%.

Fun fact about Usherpa

In 1995 our first technology was a fax machine and the databases were in Excel! We’ve come a long way since then: Usherpa’s Open REST APIs connect with 20+ FinTech services and our Relationship Engagement Platform is secured in the Microsoft Azure Cloud.

(For more information on having your firm, employee growth, and your charitable side featured, contact Chrisman LLC’s Anjelica Nixt.)

Technology and cybersecurity

Is there a possibility of technology overtaking humans? A respected long-time IT person and “forward thinker” sent over a note saying that it’s already happened. “How about this Samsung washing machine app that requires access to your contacts and location? ‘A series of Samsung apps that allow customers to control their internet-connected appliances require access to all the phone’s contacts and, in some cases, the phone call app, phone’s location, and camera. A Reddit user complained that their washing machine app, the Samsung Smart Washer, wouldn’t work “unless I give it access to my contacts, location and camera.”

“Another Samsung app, called Smart Home, requires the same seemingly exaggerated permissions. ‘Why would the Samsung Smart Home app need access to my contacts?’ One user wrote, ‘This app is pointless. It asks for bogus permissions to phone, camera, contacts, location, etc. (pretty much everything needed to monitor your life), then closes when you deny permission to even one of them. What’s the point of an app that just closes when I don’t let it spy on me?’

“These situations speak to two issues: Apps that demand permissions that they don’t need, and ‘smart’ and internet of things devices that make formerly simple tasks very complicated, and open up potential privacy and security concerns. Smart TVs (Samsung included), for example, have been caught listening to users and automatically deliver ads. Tech companies have had to adapt and do better. For example, both Apple and Google allow users to see what data an app has access to, and in some cases, users can toggle the permissions individually. But none of this stops app developers from asking users to accept unnecessary permissions.” Thank you, SW.

A fly in the ointment with working from home? The spike in cyberattacks after many employees started working at home during the pandemic suggests that financial firms may have to strengthen their cyber defenses, the Financial Stability Board has said. Per the FSB there were fewer than 5,000 cyberattacks a week in February 2020, but that number soared to more than 200,000 per week at the end of April this year.

On July 6, the Connecticut governor signed HB 6607, which is intended to incentivize businesses to adopt cybersecurity standards.

On July 15, the Financial Crimes Enforcement Network (FinCEN) announced it will host a “FinCEN Exchange” in August with representatives from financial institutions, other key industry stakeholders, and federal government agencies to discuss continuing concerns regarding ransomware.

The Mortgage Bankers Association issued a white paper detailing information security risks facing the mortgage industry and the basic security practices necessary to help mitigate the risks. It was authored by members of the MBA Residential Technology Forum (RESTECH) Information Security Workgroup and is intended to assist small and medium-sized entities.

Mitch Tanenbaum, CISO and Co-Founder, Cybercecurity, sent, “Recent tests say that anti-virus software only catches 25% of the active malware that we have seen. That means you should not count too much on that.

“Multifactor authentication is one of the more important tools in a company’s arsenal but only if it is used companywide on all applications. If, for example, the company allows legacy protocols (like POP, SMTP, and IMAP in mail), then enabling multifactor doesn’t help much… Like locking the front door but leaving the back door swinging in the breeze.

“Employee training, especially anti-phishing training, is also critical. I don’t mean annual training… That is almost useless, unless your goal is to be able to check a box that says that we did some training. Anti-phishing training needs to be done very frequently, at least weekly or a couple of times a month.

“As we are seeing in many attacks, backups don’t always help much. Take Tulsa, for example. They were attacked in April, discovered the attack in May, and state that most core systems should be restored by early September. The rest of the systems won’t be back online until October. How would your company do without systems for 4-6 months?

“Or take the Kaseya attack recently. The attackers only want $70 million to decrypt the data. Let’s say you are good at negotiating and get them down to, say, $15 million. Doesn’t sound wonderful to me.

“Cyber insurance is not a magic wand either. Many have stopped reimbursing for paying ransoms and if you have, say, a million dollars of coverage, is that going to cover your costs for 6 months?

“The biggest issue is the fact that the hackers have figured out that they need more leverage to get people to pay, so they are stealing your data before they encrypt it. If you don’t pay, they start releasing the documents to the public. The Tulsa hackers have released 18,000 documents (so far).

“Tulsa’s IT systems were not up to snuff either. Tulsa says that they don’t know if the 18,000 documents that have been released so far represent 1% or 100% of the documents that the hackers stole. Some hackers have gone to individual customers and told them either to pressure the company or pay the ransom themselves.”

Mitch’s note concludes with, “Estimates are that 70% of all companies will be hacked in the next few years, so betting the odds that it won’t be you is probably not a great bet. It is definitely a case of pay me now or pay me ten times the amount later. Or, to quote Clint Eastwood/Dirty Harry, ‘You’ve got to ask yourself one question: Do I feel lucky? Well, do ya, punk?’”

Even though many companies have an Information Security Office, an Information Technology Operations Center, and an Information Privacy Office that oversee cybersecurity issues involving the network architecture, operating system architecture, business applications, online sales, and internal auditing, companies still have unique compliance needs. Some questions that have arisen recently include who the stakeholders of an incident response team are, the responsibilities of the incident response team, and suggested notification levels of escalation involving a cyberattack.

When it comes to a security breach, or an unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information, protection from a security breach is guarded by various stakeholders. Companies should have a documented, clearly outlined, organized approach for handling any potential threat to computers and data, even, where necessary, taking appropriate action when the source of the intrusion or incident at a third party is traced back to the organization. For the answers to these questions and other compliance topics, check out the large bank cybersecurity challenges blog at Lenders Compliance Group.

Ransomware attacks continue to result in monetary and data loss, and critical service disruption, which could result in consumer and other customer harm. Financial institutions and their service providers are encouraged to strengthen defenses to prevent ransomware attacks, and to develop incident response plans to specifically address ransomware attacks if preventive measures fail. Lenders Compliance Group recently published its new Ransomware: Policy and Procedures in response to the Cybersecurity and Infrastructure Security Agency’s release of “DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.” Now, Lenders Compliance Group is introducing a free ransomware checklist, which details preparation, response, and recovery.

Finally, the Small Business Administration offers cyber security tips for… uh… small businesses.

Workplace equality

I received this note from a reader in the Southeast. “Rob, at the lender where I work, many, if not most, of the employees are female. And management is a mix of men and women. I don’t understand why some people claim that women don’t have any authority in our business, or don’t have a valued role at companies. What’s the situation?”


The MBA is well known for offering mPower which “promotes opportunities for women to extend their reach,” through conferences and webinars, so I turned to MBA COO Marcia Davies for the answer. “The answer lies in the workplace situation itself. There are organizations that in aggregate employ more women than men. In most cases, however, those same organizations have fewer women represented in leadership roles. Women produce results, solve problems, lead teams, win sales awards… you name it. Yet, it takes them longer to achieve positions in the leadership ranks. And some, sadly, are unable to move into senior management. As an industry, we need to ensure women have the same opportunities as their male counterparts, and mPower is here to help by increasing awareness of issues women face to help bridge the gender gap in the workplace.”

Appraisals and AMCs

Lenders and borrowers everywhere are dealing with delays and expenses in the appraisal process. From Arizona I received, “I totally understand the position, as expressed in your July 10 email by one fellow who said, ‘it’s totally worthless.’ As expressed by another, is that it saves lenders head counts and eliminates many compliance issues. I do believe the AMC system can work if it is managed properly and Honestly. Honestly is the important word here.

“In my experience, there is NO oversight of the AMCs in any effective way. The problems we all know about are the AMCs who have closed their doors and left an IOU in the millions to banks, creditors, appraisers, employees, and other servicers.

“What I had observed was a cascade of failures from the lenders not paying the AMC in a timely manner and the AMC not paying the appraiser on time, (or at all!). There is no one looking into the operations or the books of AMCs. While no one wants more rules and regulations, I believe something needs to be done to force AMCs to be open and transparent in their operations and practices.

“I don’t have an answer to how this can be accomplished, but I would think the first step would be for the lenders who contract an AMC to perform on-site audits and demand independently audited financial reports.”

Michael Simmons, Co-President of AXIS AMC, commented on items that lenders have a right to expect from appraisers and AMCs. “First, communication. Most lenders do not want an originator to converse directly with the appraiser, or sometimes even the AMC. Your AMC should be able to carry any appropriate (read: compliant) question to an appraiser. That is regulatory code for ‘no questions about value’. The AMC should also have people available to answer your questions as well, even if they are busy. You need to provide information to your customers and an AMC should be your resource for that information. If your AMC cannot or will not meet those needs, you need another AMC.

“The most critical function of an AMC is to vet and select the most qualified appraiser for every assignment. Sometimes in a major metro area with an abundance of appraisers, that is a relatively uncomplicated task. But oftentimes the assignment and location require a real understanding of an appraiser’s unique experience and competency for a specific order. This is the AMC’s job: To locate and provide a qualified appraiser for that assignment. If you utilize AMCs that consistently fail at these tasks, you need to find a better AMC.

“If you believe that an appraiser has made an error in a report or overlooked including other relevant data or sales, you have a right to ask for a Reconsideration of Value (ROV). To be compliant, you cannot say that the appraiser’s value is wrong (or it should be higher) but you can offer alternative data. A good AMC can help you and your client to understand the rules of engagement. A good AMC encourages the appraiser in their response to an ROV to help all the participants better understand their opinion and conclusions – and when the data or circumstances warrant – we expect the appraiser to modify their report or value accordingly.

“Finally, I understand that AMCs, appraisals, and appraisers appear opaque and unapproachable to most. We are not. What we are is an integral part of the lending process. Appraisers are charged with protecting the public trust. That is a powerful and important role. Take some time to better understand the place we occupy and what you should expect. Demonizing AMCs in general does not instill confidence with your borrowers about your ability to help them solve their lending needs. There are good AMCs out there. Hopefully, you work with one or more of us. If you don’t think so, you owe it to your clients, your lenders, and to yourself to find out which AMCs are a true resource.” Thank you, Mike!

Forget cybersecurity… Why is it unwise to share your secrets with a clock? Well, time will tell.

Visit www.robchrisman.com for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “A Primer on What Originators Should Know about the Fed”. The Commentary’s podcast is live and at any place you obtain your podcasts (like Apple or Spotify).


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. This newsletter is designed for sophisticated mortgage professionals only. There are no paid endorsements by me. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to www.robchrisman.com. Copyright 2021 Chrisman LLC. All rights reserved. Occasional paid job & product listings do appear. This report or any portion hereof may not be reprinted, sold, or redistributed without the written consent of Rob Chrisman.)


Rob Chrisman