Shattering the myth that strong internal control structures are wildly costly, mortgage firms are beginning to find many of the solutions are right in front of them.
By Vincent Spoto
Fear of runaway information technology (IT) costs is holding many mortgage bankers back from implementing strong internal control structures and related process improvement changes that might be necessary not only to remain compliant but also to remain viable. Excessive technology costs often serve as a convenient excuse for not making vital changes to strengthen operations, internal controls, and auditing. Saving money sometimes takes precedence over prudent infrastructure adjustments.
“In the past we avoided doing the right thing when it came to strengthening controls and back-end procedures because our IT staff touted the need to build robust support systems that cost mega dollars,” said one senior finance executive at a prominent residential mortgage loan provider based in the Southeast. “Never did we hesitate to invest technology monies for new business development and related loan origination volume increases. It was always the ‘back-end’ process that took a [back] seat. As time went by, we started to look at things more simplistically and began realizing that doing the right thing from an infrastructural perspective was not as costly as it seemed.”
After being fined a few times, it became clear that it might be less costly to invest money up front to make the needed internal control changes.
A Necessity, Not a Luxury
In today’s marketplace with stringent regulatory oversight and a seemingly constant flow of new regulations, brokerage firms, banks, mortgage originators, loan servicers, and other financial services firms must be ever mindful of their internal processes and procedures. Having a sound and robust internal control infrastructure is not a luxury; it’s a necessity.
Recently, a series of regulatory requirements were enacted to help reign in the “bad guys” and offer protections to consumers nationwide. Guidelines enacted by the Consumer Financial Protection Bureau (CFPB) were principally aimed at the mortgage banking industry, making it more costly for firms to partake in inefficient residential mortgage loan lending and servicing practices. However, certain CFPB guidelines and directives, such as the recently-enacted TILA-RESPA Integrated Disclosure (TRID) rule, have made it more difficult and costly for both originators and servicers to operate in a truly compliant fashion. Given all this change, an increasingly larger number of firms in today’s mortgage market have begun to realize that a certain degree of time and investment is required not only to survive, but to keep pace with the competition and remain compliant. And today, the more savvy players are no longer succumbing to the myths and fears that excessive IT spending is necessary to survive.
Keep It Simple
The solutions may be simpler than they first appear. A little out-of-the-box thinking combined with some relatively inexpensive technology tools—many of which may be resident on the office desktop—may be all that is needed.
“We realized that all these new regulations placed an increased onus on us to get in shape; spending lots of money on IT was not an option. We had no choice but to shore-up our controls and related processes,” said a senior manager at a mid-size mortgage banking firm on the West Coast. His firm was able to get the technology in place that was necessary to continue doing business and remain in control relatively inexpensively.
“We were initially told by our IT department that costs would range anywhere from $800K to $1MM to put in place the necessary tracking mechanisms, metrics, and modified forms to conduct business in line with the new regulations, and that programming and testing would take a minimum of six to eight months to complete,” he said.
However, he eventually came to the conclusion that what he needed was not rocket science, and he found a much less costly solution. “We [the senior line managers] huddled and quickly made a decision to hire into the line operation one recent college graduate who was proficient in using Microsoft Access and writing Excel macros. The all-in cost to hire this individual was $85K! And, within about one month’s time, we had the [technology] tools we needed to do business, remain in strong control, and operate in a compliant manner.”
Case in point: Some resourceful ‘out-of-the-box’ thinking helped save this firm nearly $1MM in development costs and nearly eight months lead-time.
Better with a BST
Clearly, surviving in today’s marketplace is dependent on having a strong commitment—both organizationally and financially—to a robust internal control environment designed to protect consumers. Many mortgage banking firms today have implemented formal Business Self Testing (BST) programs designed to ensure proactively that both lending and servicing functions are properly managed and tightly controlled to ensure proper consumer protection. A strong BST function has numerous benefits, including helping firms proactively identify issues, reduce process redundancies, streamline operations, and ultimately lower costs.
In addition, internal/external auditors are beginning to view strong BST programs as a helpful tool in assisting with scope modification and testing. The net effect here is an overall benefit to the business in that regulators and auditors spend less time performing transactional testing and related analysis; hence, audit and related business costs can be minimized. Having a strong BST program does indeed require some investment in the right technology tools.
Simply speaking, the purpose behind having a formal BST program is for business owners to monitor ongoing compliance with legal and regulatory requirements for certain processes and functions performed throughout the organization. An effective BST program should be designed to monitor compliance with applicable laws and regulations via periodic and continuous testing of these processes. Through a program of independent monitoring and testing that is generally performed by a designated Management Internal Control (MIC) audit utility that is part of the line’s organization, reasonable assurance can be obtained to validate that key assumptions, data sources, and procedures utilized in measuring and monitoring compliance risk can be relied upon on an ongoing basis. In the case of transaction testing, assurance can be obtained that controls are working as intended. The testing of controls and timely remediation of deficiencies are essential to proactively maintaining an effective internal control framework. To be most effective and reliable, credible MIC functions performing BST should have a dual reporting line into both the designated business head and into the chief executive’s office.
Specifically, this dual reporting structure ensures that the following two essential factors coexist:
Business Ownership: To ensure complete ownership by the business (whether it be origination, servicing, default management administration, etc.) exists to ensure that practical business concerns are taken into consideration when implementing and monitoring regulatory compliance processes necessary to balance consumer protections with goals and initiatives to grow the business; and
Independence: To ensure an appropriate level of independence is maintained in order to provide an overall sense of credibility to the function as well as to provide necessary comfort levels to all internal/external audit and external regulatory constituencies.
Minimal Investment, Maximum Results
Given today’s strong regulatory focus and scrutiny, many are beginning to realize the costs associated with this added level of internal control and oversight is an absolutely critical investment necessary to properly maintain and grow their business. There is also a growing realization among key players in the industry that spending a truckload of money is not necessary to ensure a strong BST program exists.
“We recently implemented a Business Self Testing Program, which [has thus] far been a huge success. Programming costs were kept to a minimum, as we hired a smart kid to help automate everything we needed, using some basic software tools. CFPB and TRID compliance has improved, and recently we underwent an audit where the BST program we implemented drastically cut down on audit time. It saved us time and money, and has made us a stronger company!” says a senior manager from a Texas-based, medium-size loan origination and servicing organization.
With a fairly minimal investment, this organization was able to strengthen internal controls through implementation of a BST program.
Without spending a lot of money, this servicer was able to:
Increase its organization’s operational efficiency;
Lower overall IT investment costs;
Lower the burden on its business due to IT issues;
Reduce organizational exposure to IT risk and security vulnerabilities;
Strengthen internal controls;
Ensure CFBP compliance; and
Seamlessly handle loan origination volume through implementation of new TRID guidelines.
Back to Basics
MIC serves as a collaborative partner with the business, provides subject matter expertise for legal regulatory compliance issues, and is the focal point for issue escalation. In addition, MIC would inform the business of new regulations or changes to existing regulations that warrant additional testing or changes to processes and current test routines. MIC should also independently validate BST test results and may perform sub-testing of certain activities, as deemed necessary. Based on this validation, MIC may from time-to-time make process change recommendations to the various lines of business. In addition to processes performed internally, functions performed by external third-party vendors (such as property valuation services, title service companies, property management firms, etc.) should be subject to BST as well. This is critical since processes performed by third-party vendors generally represent greater risk than processes performed in-house.
It goes without saying that BST results should be documented and formally reported to senior management on a consistent basis. From an IT perspective, solid BST programs can be supported by a combination of Microsoft Access and Excel macro programs to maintain and support a robust and fairly sophisticated initiative. By deploying these simple and relatively inexpensive technology tools, mortgage finance firms can move forward “to do the right thing” without breaking the bank. Simply speaking, strong BST programs need to consider the following six IT mechanisms when capturing and reporting testing results:
Summary of errors by regulatory/legal issue;
Error trending by process and by regulation or law;
Repeat errors that have occurred over three consecutive reporting cycles (i.e., quarterly);
Status reports by functional area;
Error tracking and corrective action status; and
Additional enhanced MIS reports, as deemed appropriate.
While in the past mortgage finance professionals may have hesitated to enhance their internal control infrastructures for fear of incurring large IT and programming costs, professionals today are slowly realizing that by stepping back, using a little common sense, and going back to basics, it is indeed possible to create a stronger internal control environment without breaking the bank!
Editor's note: This select print feature appears in the April 2016 edition of MReport magazine, available now.