June 10: Notes on "synthetic" fraud, down payment education, trends in credit scoring; the OCC weighs in on vendor risks

I love it when people say we should model our home financing system after another country’s setup. Like Australia’s. To keep things in perspective, Australia, about the geographic size of the U.S., and its own continent, only has about as many people as Florida!

LOs can always add value for consumers by educating them. The latest instance is with regard to the existence of mortgage insurance. This week I noted in my commentary, “The head of Bank of America Corp. said that banks would be able to supply a bigger share of funding for home purchases if the standard down payment for buyers was cut to 10 percent from 20 percent. Huh?” From Maryland, Ken Sonner sent, “Thanks for saying something about Moynihan’s comment. This type of headline misleads the public.”

And speaking of the importance of education, the MBA’s National Advocacy Conference is next week, June 20-21. This is the industry’s one time per year to visit members of Congress on the Hill with your or your employees’ respective state delegations and advocate for what’s important to your business and your market. This is the one time of the year where the size of the group of mortgage bankers really matters! With so much at stake, from regulatory reform to FHA reform and GSE legislation, can you please help? Register or send a few employees. We need a forceful presence. We have congressional leadership speaking to our group and other expert speakers – check the lineup here.

STRATMOR’s most recent Insight report dealt with the current credit environment. The piece prompted Michael Steer of Mortgage Quality Management & Research, LLC (MQMR) to send, “My own two cents to add. The one thing to add as a possible trend in a decrease of FICOs is the liquidity and continued ‘general’ acceptance of the non-QM market. The other thing to watch in 2017/2018 is that in a decreasing rate environment, higher FICO borrowers have the ability to refinance more frequently so if we have a rising interest rate environment then those ‘high FICO borrowers’ won’t have as much of an impact on the average FICO, therefore, first-time homebuyers (and their respective FICO scores which could be generalized as being lower) will have more of an impact on the average FICO.”

Vendor management is a hot topic, and field, out there. There are some who believe vendors increase the cost of producing a loan without a proven benefit. Others believe that a residential lender couldn’t survive without using a team of various vendors. Steve Brown, the President & CEO of PCBB, writes, “In 2008, regulators introduced a concept known as third party or vendor risk (vendor risk). This concept came from lessons learned during the credit crisis and has come to encompass not only mortgage foreclosure activity conducted by third parties, but also consumer compliance, cyber risk and today includes all products, processes, systems and services supported by a vendor relationship.

“These vendor relationships include outsourcing, using subcontractors, independent consultants, networking arrangements, services provided by affiliates and subsidiaries, joint ventures, and other business arrangements in which the bank has an ongoing relationship or may have responsibility for the associated records and others. If your community bank has not yet seen pressure from regulators to get a handle on vendor risk, count yourself lucky, but get prepared because it is likely coming soon.

“To get started: 1) compile a full inventory of your vendor relationships, separately identifying those that involve critical activities, have any subcontractors with foreign affiliation or provide services storing bank data and 2) rank each vendor relationship by risk level (low, medium, high or critical). It is particularly crucial to take your vendor due diligence to a much deeper level to avoid regulatory issues. Doing so not only helps protect your bank’s reputational risk, but also serves to better control operational, compliance, strategic and business continuity risks.

“Expanding or refocusing your efforts around vendor due diligence to meet increased regulatory expectations involves specific requirements. Some may be more obvious than others and include: detailing how your bank selects, assesses and oversees third parties; being sure to conduct proper due diligence in selecting a vendor; doing ongoing monitoring of the vendor’s activities and their performance; having a contingency plan for terminating the relationship in an effective manner if needed, and independently reviewing vendor relationships to ensure your bank’s risks are well managed. This is not a complete list, but should give an idea of the areas regulators are reviewing.

“All of this should help your bank, but we are often asked about personal risk. This area is commonly assessed by regulators to see if bank staff ‘failed to perform adequate due diligence and ongoing monitoring of third-party relationships.’ Although this is a broad statement, it shows there is regulatory focus at a more personal level, so be aware and act as needed.

“To set yourself and your bank up for success, you can separate stronger vendors from weaker ones by asking them such questions as: have regulators issued any orders barring you or others at your firm from working in banking; have you or anyone at your firm had any licenses or registration suspended by any regulatory organization; have you or anyone at your firm been levied civil money penalties; and others. Then, ask yourself: does the firm offer this product or service to its own clients, and if so, how difficult would it be for them to offer it directly to my target customers; would my credit team extend a loan to this company or not? These answers should provide you with a good overall assessment of each vendor.

“Of course, essential to any vendor vetting is a strong background check. It can include screenings for: a criminal record; verifying past employment; verifying education, credentials or a license; OFAC checking and other things. The key to remember is that vendor risk is both your bank’s responsibility and your responsibility individually, so be sure to take extra time to do it right. Follow all laws and regulations, hire an attorney or other expert as needed, and you are well on your way towards building a solid foundation.”

On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal savings associations concerning third-party procedure guidance. The Bulletin, issued to supplement 2013’s Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” highlights the OCC’s responses on several topics. It defines third-party relationships, provides guidance on conducting due diligence and ongoing monitoring of service providers, and provides insight on how to adjust risk management practices specific to each relationship. The Bulletin discusses ways to structure third-party risk management processes and discusses advantages and disadvantages of collaboration between multiple banks when managing third-party relationships.

It outlines bank-specific requirements when using collaborative arrangements and provides information-sharing forums that offer resources to help banks monitor cyber threats. The Bulletin discusses how to determine whether a fintech relationship is a “critical activity” and covers risks associated with engaging a start-up fintech company. It addresses ways in which banks and fintech companies can partner together to serve underbanked populations and covers criteria to consider when entering a marketplace lending arrangement with a nonbank entity. Very importantly, it answers whether a bank can rely on the accuracy of a third party’s risk management report.

Don’t forget that earlier this year the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.

There are several third-party vendors that specialize in IT. I continue to hear that boards of directors and senior management nearly turn a blind eye to cybersecurity. Here are a couple of easy-to-read pieces from Carbonite on the topic. The first deals with phishing. They’re called “phishing” emails because the cybercriminals who send them are fishing for victims. These fraudulent emails, which may appear to come from a legitimate company or even a personal acquaintance, are designed to trick people into giving up personal information, such as credit card and Social Security numbers.

The second piece is how to fight ransomware. Ransomware has become the most damaging and widespread threat that internet users face. What can you do to protect yourself? Back up your files, filter out executable files, watch where you click, and run up-to-date antivirus software.

Cybersecurity experts have coined the term “synthetic fraud” to refer to schemes that make use of fake identities, often with phony Social Security numbers or credit histories. The Wall Street Journal recently recognized synthetic fraud as one of the top threats confronting banks and lenders, and some estimate it to cost as much as $2 billion a year in losses. Much of the concern revolves around credit card scams where fake identities are used to obtain cards and then run up bills. A real Social Security number is often linked to a child or someone elderly who may not be paying close attention or may not know. Thieves seek out Social Security numbers that are not being actively used by the real individual. This way, a fake identity can be created and the real holder of the Social Security number doesn’t realize it. Cases have turned up where an individual graduates from high school and applies for college, only to discover credit and other debt running into the tens or even hundreds of thousands of dollars.

Lenders should be particularly alert for synthetic fraud in business loan processes. Here, a fake identity can be used to create a fake credit history. That fake history is then used to trick a loan officer into approving funds for an unqualified or even fictitious loan applicant. The result is uncollectable loans.

Given the rising number of non-bank lenders that promise quick turnaround on business loan applications, there is additional pressure on community bankers to move more quickly when evaluating and approving loans. Particularly clever fraudsters are often alert to weak due diligence. When a loan is quickly approved, thieves sometimes immediately create several more fake identities and try to stack a series of loans with the bank. By the time the bank has figured out the scheme, the uncollected loans have already piled up.

One ongoing target is small businesses that lack strong detection systems. They can get ripped off by customers using credit cards obtained with fake identities. If the fraud against the business is large enough, it can damage cash flow and in turn damage outstanding loans. Cash flow can already be a challenge for many small businesses, so this issue only aggravates the problem. Community banks should be alert to potential problems synthetic fraud can cause for small business clients.

There are several ways to fight synthetic fraud, but all depend on effective diligence. Verification of loan application details is more critical than ever, so it is important to review every detail and flag anything odd or out of the norm. The sophistication of synthetic fraud makes driving out these cons before they happen more difficult than ever. So, be sure to review your KYC process, tighten up due diligence on all loans and train staff so they are ready to tackle these new challenges.

Students in an advanced Biology class were taking their mid-term exam. The last question was, “Name seven advantages of Mother’s Milk.” The question was worth 70 points, or none. One student was hard put to think of seven advantages. He wrote:

1) It is perfect formula for the child.

2) It provides immunity against several diseases.

3) It is always the right temperature.

4) It is inexpensive.

5) It bonds the child to mother and vice versa.

6) It is always available as needed.

And then the student was stuck. Finally, in desperation, just before the bell rang indicating the end of the test he wrote:

7) It comes in two attractive containers and it’s high enough off the ground where the cat can’t get it.

He got an A.

Visit www.robchrisman.com for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “Does Everyone Want a Job?” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.


(Market data provided in partnership with MBS Live. Copyright 2017 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman