BCLP Banking Blog

Main Content

CFPB Proposes New Amendments to Mortgage Servicing Rules

May 9, 2014

Authored by:


On May 6, 2014, the CFPB issued proposed amendments to the mortgage rules under the Truth in Lending Act (TILA) affecting Regulations Z and X.  The proposed amendments affect the small servicer/small creditor exceptions to the mortgage rules and the “Qualified Mortgage” determination.  The CFPB proposes to partially re-define who may qualify as a “small servicer” under § 1026.41 of Regulation Z (incorporated by cross reference in Regulation X), revise the scope of the nonprofit small creditor exemption from the ability-to-repay rule in § 1026.43(a)(3)(v)(D) of Regulation Z, and establish a limited cure procedure where a creditor inadvertently exceeds the “Qualified Mortgage” points and fees limits.

Amendment to the “Small Servicer” Definition:  The CFPB originally presumed that most nonprofits would qualify for the “small servicer” exemptions.  However, during implementation of the mortgage rules, the CFPB learned that certain nonprofits might not qualify as “small servicers” because they were part of a larger association of nonprofits that are separately incorporated but that may operate under mutual contractual obligations, share a charitable mission, and use a common name or trademark.  In order to save resources, such associations sometimes consolidate servicing activities, with one of the associated entities providing loan servicing to one or more others, for a fee.  Under current rules, such nonprofit servicers would not qualify for the “Small Servicer” exemptions because they service, for a fee, loans on behalf of a non-“affiliated” entity.  The CFPB proposes to amend the definition of “Small Servicer” so as not to exclude qualified nonprofit entities within such formal associations where certain requirements are met.  Related changes to the section’s formal comments are also proposed.

Read More

CFPB Finalizes Amendments To New Mortgage Servicing Rules

September 30, 2013

Authored by:


On September 13, 2013, the Consumer Financial Protection Bureau (“CFPB”) issued final amendments and clarifications to its mortgage servicing regulations, which go into affect January 10, 2014.  These rules were initially issued in January 2013 and have been amended based on comments received during the implementation period.  The rules relating to loss mitigation procedures are set out in Regulation X of the Real Estate Settlement Procedures Act.  (12 CFR § 1024.41.)  Among the important loss mitigation rules that go into effect on January 10, 2014:

I.    Rules Affecting Foreclosures.

  • Servicers may no longer begin a foreclosure until the borrower is more than 120 days delinquent.  In some states it is not uncommon for foreclosures to begin when borrowers are delinquent by as a little as 60 days.  It is therefore important that servicers take note of this new restriction.  Servicers must delay first legal action until the borrower is at least 121 days delinquent, unless the foreclosure is based on a due-on-sale clause or the servicer is joining the foreclosure action of a subordinate lienholder.
  • Servicers may not begin a foreclosure while considering a pending “Complete Loss Mitigation Application.”  Foreclosures may not begin until the servicer has sent the borrower written notice denying the application, and either (1) any borrower appeal has been concluded; (2) the borrower has rejected all offered loss mitigation options; or (3) the borrower has failed to perform under a loss mitigation agreement.  Facially complete applications must be treated as complete until the borrower has had a reasonable opportunity to respond after being notified that additional information is required.
  • Where first legal action has already occurred, servicers may not conduct the sale or move for an order of sale if a Complete Loss Mitigation Application is received more than 37 days before the sale.  In nonjudicial states where foreclosure sales are typically scheduled with less than 37 days notice, this rule may have little effect.
  • Servicers need only comply with these requirements for a single Complete Loss Mitigation Application.  However, if servicing is transferred to a new servicer, the transferee servicer must still comply regardless of whether the borrower received an evaluation of a complete loss mitigation application from the previous servicer.
  • Small servicers, though exempt from many requirements, remain subject to certain rules.  These include the prohibitions on starting a foreclosure where the borrowers is less than 121 days delinquent and where the borrower is performing under a loss mitigation agreement.
Read More

Many Banks Will Become Subject to HIPAA's Privacy, Security and Breach Provisions Effective February 17, 2010

February 16, 2010

Authored by:


On February 17, 2010, many banks and financial institutions will, for the first time, become directly subject to the privacy and security provisions of the Health Insurance Portability and Accountability Act (“HIPAA”), and to the enforcement powers of the United States Department of Health and Human Services (“HHS”).  The Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), passed as part of last year’s stimulus bill, extended HIPAA’s privacy and security provisions to business associates of covered entities.  Many banks and financial institutions will fall into this category by virtue of their provision of so-called medical lockboxes or medical banking services to healthcare providers or other covered entities under HIPAA that require them to handle personal health information (“PHI”).

The HITECH Act also established strict reporting requirements, allowed for increased enforcement by HHS and state attorneys general, and provided for enhanced civil and criminal penalties and statutory damages for breaches and disclosures of unprotected PHI.  A separate provision of the HITECH Act addresses entities that offer services to store individuals’ health information online, and places these “vendors” under the regulatory authority of the FTC.  Among other things, the new law’s provisions affecting business associates and covered entities:

  1. Make clear that all privacy and security provisions of HIPAA and its implementing regulations apply to business associates to the same extent as to covered entities;
  2. Require that all Business Associate Agreements (“BAAs”) be amended to incorporate HIPAA’s privacy and security rules;
  3. Impose specific notification requirements in the event of a breach;
  4. Require covered entities to provide notice to affected individuals within 60 days of discovery of a breach. In any case in which 500 or more person are affected by a breach, the covered entity must provide notices to HHS and to major local media outlets;
  5. Require business associates to notify the covered entity of any breach of confidentiality of PHI acquired from that covered entity;
  6. Subject both covered entities and business associates to enhanced civil penalties, and in some cases criminal penalties, for violation of the security regulations.  Civil penalties range from $100 to $50,000 per violation with maximum yearly penalties of up to $1.5 million.  Yearly maximums apply, however, only for violations of “identical requirement[s] or prohibition[s],” and in theory could be stacked where there are violations of multiple requirements or prohibitions;
  7. Eliminates certain affirmative defenses to civil monetary penalties;
  8. Give state attorneys general new civil enforcement authority to seek injunctions and statutory damages for violations of HIPAA on behalf of citizens of that state.  (The first such suit by a state attorney general has reportedly already been filed.  According to a report from AHA News Now, on January 20, 2010, the Connecticut Attorney General filed suit against Health Net of Connecticut, for failing to secure the PHI of approximately 446,000 plan members.) Significantly, the HITECH Act leaves in effect state laws allowing for enforcement by private attorneys general, opening the door to greater HIPAA scrutiny and enforcement;  and
  9. Imposes stronger controls on the sale of PHI.

Under regulations announced by HHS on August 24, 2009, and effective February 22, 2010, there is a “risk of harm” threshold that triggers the breach notification provisions.  HHS guidance also indicates that where PHI is properly encrypted as specified by HHS, notification to affected individuals may not be required because such information would not be “unsecured.”

Read More
The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.