Sep. 30: Notes on cybercrime & new credit card scam, private lending, closing cost accounting, NC & digital mortgages

Let’s start Saturday with something non-lending. If you think consolidation only happens in banking and lending, and airlines, think again. Three-quarters of the food for people on Earth comes from only five animal species and 12 crops. Does that mean we’re one major disease, famine or blight away from losing a major component of our food?


There aren’t many truly “digital” mortgages out there. Does the county recorder have the ability to do them? Companies – maybe Mid-America? Heck, there is plenty of confusion exactly what constitutes an entirely digital mortgage. Regardless, I received this note from Nathan Batts, SVP and Counsel for the North Carolina Bankers Association. “One thing you may or may not be aware of is that there has been a strong push in North Carolina to promote the adoption of electronic or digital mortgages. To further educate folks who may never have seen an eMortgage closing, I have written this article. I’m sharing it in case it is of any interest to you or your readers.

Fun with pricing & accounting

“Rob, my employer just recently started offering premium pricing on our FNMA products and our CFO is not sure how to treat the rebate pricing. Specifically, when the amount of lender credit we provide exceeds the actual loan costs we are left with excess rebate. In the past, I have always applied this excess to principal at the closing for an immediate principal curtailment. Our current CPA firm believes if the amount of the excess rebate exceeds $600 it should be treated as income we should issue a 1099 at year end. I have never operated that way however, I also cannot point to any regulation or rule anywhere supporting my position. I suppose it is because that’s the way the industry has always done it as far as I know. Any help?”

I turned to accountant Jeff Spiegel. “Form 1099 is used generally when someone provides services or earns some other income. In this case they did not earn anything. There are probably 2 options for the borrower. They could reduce the basis of their real property, which is the best answer. Had they paid the closing costs, those are added to basis, so in this case, it seems it would be a reduction of basis, not income. Another option, the borrower is paying a higher interest rate on the loan which created the rebate pricing to begin with. So, the excess represents interest that will be paid by the borrower over the term of the loan. With this thought process, the excess should be amortized over the loan life by the borrower as an offset to interest expense. Like points they pay is amortized, this would work in an opposite direction. The lender should consider reporting it in box 4 of the 1098 but more appropriate if they just send a letter with the rebate indicating what it is and that they should consult their tax advisor on the taxation. A 1099 does not seem appropriate.”

Dabbling in private lending

I received this note from a reader in the South. “Where would you start in exploring private lending for either individuals or setting up a company to do so? Are there any education tracks or companies/individuals you could recommend providing some legal groundwork and advice on doing private lending on a somewhat small scale but possibly also growing into a bigger scale and maybe starting a lending institution of some kind?”

I turned to California attorney Brad Hargrave for some suggestions. “There are real hurdles, in my view, to private-money lending in the consumer/residential space in light of the Ability to Repay/Qualified Mortgage rule and state analogs, but these hurdles are generally not present when lending in the commercial (or “business-purpose”) space. (The ATR/QM rule does not, however, apply to a bridge loan with a term of 12 months or less, which may create some additional opportunities for a private-money lender). As a result, I am of the view that most private-money lending should occur primarily in the commercial arena, which results in the need for counsel with solid commercial lending and licensing experience, as well as a working knowledge of applicable state and Federal law. (Most Federal consumer financial protections laws are oriented around consumer lending, but there are some Federal laws, such as ECOA, that are broader in scope, and thus some thought should be given to compliance with these laws before getting underway). There may also be an association in your state that’s oriented around private-money lending, and if so, there are likely to be lawyers attached to the association that could be of assistance.”

Identity theft & cybersecurity

My commentary had a quote from Dan Stone of The Mortgage Fee Coach. “Courts are siding with banks and making homeowners responsible for ANY loan against your property. Credit reporting won’t protect you. Credit locks won’t protect you. Lifelock is NOT enough. Who knows, Equifax might be bankrupt after this breach given their liabilities.”

This prompted attorney Brian Levy to rejoin, “Rob, while the comments from Rob Stone on Saturday were likely well intentioned and no doubt being careful with one’s credit data is always important (post Experian more than ever), it simply isn’t true that lenders who make loans to identity thieves will prevail over victims. I am unaware of any court that will enforce a fraudulently created loan against a victim of identity theft. Identity thieves can damage your credit and other aspects of your life taking time and resources to get straightened out, but with respect to your home and other assets, unless a borrower authorizes a debt/lien (and it otherwise is perfected in accordance with applicable state law) it is going to be unenforceable (when you acquire real estate that’s why you get title insurance-to make sure nothing else is affecting title of which you did not authorize).

“To be clear, if a lender makes a loan to an identity thief, the lender is at risk for loss, not the victim. Similarly, with credit card debt, Regulation E protects consumers from unauthorized card use with a maximum exposure of $50 and that’s only if you don’t report unauthorized use in a timely fashion. That’s why most credit card companies have sophisticated algorithms that catch the identity thieves before you do. Again, I’m not saying that identity theft isn’t a problem that can cause significant damage and hassle to unwind, but it’s ‘fake news’ that you can be held liable for loans you did not agree to.” Thank you, Brian!

Mitch Tanenbaum of CyberCecurity LLC, sends, “I am a cyber security consultant and we have a number of clients in the mortgage industry so am closely following the Equifax event. First, readers should know that Microsoft’s patch release occurs once a month, not every Tuesday. So yes, it is always on a Tuesday, but they only release patches monthly. Second, it is not just Microsoft patches that you have to worry about. Every piece of software installed on your computer is an attack vector and, depending on the software, it may not even require you to run the software for it to be vulnerable, so that piece of software that you installed two years ago and haven’t run since then – it could be an attack vector. The event this month with CCleaner is an example. If you installed one of the vulnerable versions, it installed a backdoor and even if you never ran CCleaner after you installed it, you are infected.

“For people who are wrestling with what to do, personally, post-Equifax, we have posted some tips on our web site.”

Research by security firm FireEye finds cyber extortion activity is increasing. Extortion attacks happen when hackers gain access to company servers, take sensitive material (embarrassing emails, intellectual property, or personal information) and threaten to expose it unless payment is made. These attacks are an offshoot of ransomware, where hackers render computer files unreadable until payment is made.

Bankers, and lenders who underwrite borrowers (don’t they all?) should be aware that the latest credit card fraud is based on criminals creating a fake identity from a variety of information rather than stealing a real one outright. The fraudsters create credit report placeholders as they attempt to open credit cards without a credit history. Eventually, one credit card application is approved, they pay the monthly charges to stay current, open more cards, max out all the cards and then dump the identity. This relatively new scam method could account for up to 20% of delinquent credit card debt according to Auriemma Consulting Group.

And don’t forget about malware threats that present a dual concern. Lenders and bankers are concerned for their own security hygiene and they are also concerned for their business customers. In fact, small- and mid-sized businesses (SMBs) experienced as much as a 500% increase in ransomware in March 2017 alone (over the previous year), according to research from Malwarebytes. Overall, SMBs experienced 165% more malware in 1Q 2017 than they did in 1Q 2016. Total malware incidents more than doubled in that time in 40 states, according to the same study.

According to the FBI, about 4000 ransomware attacks occurred every day in 2016. This is disconcerting because small businesses are more likely than their larger counterparts to be breached. A June 2016 study from Keeper Security and Ponemon finds more than 50% of SMBs were breached in the past year. Why SMBs? According to research from Ponemon, 58% of such businesses still do not consider cybercrime a big risk to their organization. Further, 44% do not consider strong security a priority. Another reason cybercriminals target SMBs is that about 66% globally do not even have a data security policy, according to FireEye research. Many SMBs seem to believe they cannot afford the “layered… or defense in depth security.”

Lenders and community bankers should communicate regularly with customers on the risks of malware and other cyberattacks. A clear and high level of communication not only helps them, but also your company.

Steve Brown with PCBB reports that, “As the banking world looks to biometrics as a way of eliminating passwords, pin numbers for ATMs and enhancing the security on customers’ accounts, it is discovering that the new authentication methods are a bit of a mixed bag. One of the biggest issues is in the process of storing customers’ individual details (such as fingerprints or iris scans), which creates its own security risks. That’s right, using fingerprints or iris scans as a security measure for ATMs, or any other device or account, creates the possibility that hackers could steal such information from the databases where it is stored.

“Unlike pin numbers, which can be easily replaced with new ones, the potential risks of hackers stealing people’s biometric information could have longer term implications. This is particularly true as many biometric measurements such as fingerprints are permanent. If hackers can steal someone’s fingerprint information for example, they could easily steal their entire identity and even potentially implicate that person in a crime.

“Even though advanced infrared cameras now measure oxygen levels to validate a living person vs. a forged fingerprint, the stakes remain high for banks. Beyond the complications of storing biometric information for customers is the cost of doing so. Here, costs can be very high because security must be very high. Such issues have even led major banks like Citibank to abandon past efforts to incorporate biometrics into ATMs. To eliminate the risks of storing biometric information, some of the industry’s largest banks have begun shifting the responsibility of protecting customers’ biometric information to customers themselves.

“Most people already keep their cell phones with them at all times, so banks are realizing this provides an opportunity. ATMs that use biometrics will rely on mobile apps and programs that will transmit a unique digital token to an ATM whenever a person tries to withdraw money. Instead of customers using their fingerprints or iris scans to access ATMs directly, people will use biometrics to access programs or apps on their phones that will then interact with the ATMs. This allows the bank to bypass direct collection of biometric data. Among the banks that have begun using such an approach at ATMs are JP Morgan and Wells Fargo. According to biometric security company HYPR, there are already more than 2B cell phones in existence that have the capability to use biometrics and 42% of retail banking customers say they would not use a banking or payment app without biometrics.”

$2.99 SPECIAL: If you deal with Seniors, this should help you understand them a little better.

We went to breakfast at a restaurant where the “Seniors Special” was two eggs, bacon, hash browns and toast for $2.99.

“Sounds good,” my wife said, “But I don’t want the eggs.”

“Then, I’ll have to charge you $3.49 because you’re ordering a la carte,” the waitress warned her.

“You mean I’d have to pay for not taking the eggs?” my wife asked incredulously.

“Yes!” stated the waitress.

“I’ll take the special then,” my wife said.

“How do you want your eggs?” the waitress asked.

“Raw and in the shell,” my wife replied.

She took the two eggs home.

Visit for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “Will User Names and Passwords Go the Way of Thermal Fax Paper?” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are over 300 mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to Copyright 2017 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)

Rob Chrisman