Skip to main content


Navigating Recent Changes in Compliance for the Mortgage Industry

Gianna Kennedy
May 12, 2023
This mortgage industry roundtable focused on the CFPB’s advisory opinion on comparison shopping platforms, marketing compliance responsibilities, UDAAP, & more

Once a quarter, we gather mortgage leaders to discuss industry best practices for ensuring compliance and consumer protection. This was our most collaborative discussion yet—participants were chiming into the discussion left and right, sharing their questions, concerns, challenges, and insights. 

The discussion covered a wide range of topics, including the CFPB’s recent advisory opinion on comparison shopping platforms, who bears the responsibility of marketing compliance, recent examination and audits, UDAAP (specifically the CFPB’s policy statement on abusiveness), keeping loan officers RESPA compliant on social media, and more.

The Recent Advisory from the CFPB on Comparison Shopping Platforms

The conversation started out strong when one attendee asked, “How is the group navigating the recent advisory opinion from the CFPB regarding digital comparison shopping platforms?”

It’s been top-of-mind for many participants, but the overall consensus is that there hasn’t been much action taken by mortgage companies—yet.

Some participants are waiting to see what happens with the Credit Trigger Bill before taking any action. The fate of the bill will ultimately impact how the CFPB moves forward with ideas or guidance on lead generation services.

For those who aren’t familiar with the Credit Trigger Bill and its connection to the CFPB’s advisory opinion, here’s a quick background: The Credit Trigger Bill aims to limit the selling of trigger leads, including those related to mortgage applications. The CFPB recently identified trigger leads as a possible violation of the Real Estate Settlement Procedures Act (RESPA) and other consumer protection laws in its advisory opinion.

Others agreed and mentioned that they haven’t done anything specific yet, but they do keep a close eye on their loan officers and lead generation efforts. They thoroughly vet everything and keep the advisory opinion and bill top-of-mind.

Another participant stated that while they don’t use the specific platforms mentioned in the CFPB’s advisory opinion, they are preparing for the possibility of the scope being widened to include other areas, such as realtors naming preferred lenders on home listings.

Key Takeaway: Stay updated on the latest developments regarding the CFPB advisory opinion and the Credit Trigger Bill, thoroughly vet loan officers and lead generation efforts, and prepare for the possibility of the scope being widened to include other areas

Marketing Compliance Responsibilities

A common theme that was discussed is that marketing teams, individual branches, and loan officers are now being held responsible for “policing themselves” and making sure that they’re in compliance—which is a “recipe for disaster,” says one attendee.

Another attendee, who sits on their organization’s marketing team but whose sole responsibility is compliance, asked the group how they felt about:

  1. Certifying certain people or branches on marketing compliance so that they can better police themselves; and/or
  2. Developing training materials that distinguish between low-risk and high-risk content, and provide clear guidelines for determining which content can be posted without requiring compliance approval, versus which content must be submitted for approval

When marketing teams get desperate, they get more creative and push the envelope, which can lead to riskier outputs—so it’s concerning to some to pass it off to people not in compliance, said one attendee. 

Some organizations are already providing training to their marketing teams. One attendee talked about how they created a reference guide for their marketing team that outlines the “have to haves” for different marketing channels and assets for it to be compliant. They also have a database of disclaimers that the entire company can access.

Another attendee mentioned that they have created a repeatable boilerplate template for marketing materials that don’t involve products, like an announcement of servicing a new state or a new loan officer. This template doesn’t have to be approved by compliance as it follows pre-approved guidelines.

The overall consensus is that empowering marketing teams to create compliant content is helpful, but “removing oversight completely is very scary.”

Key Takeaway: Providing marketing teams with compliance training and resources is a great way to help them be more self-sufficient, but there should still be some level of compliance oversight

Examinations and Audits

One thing that’s for certain is that compliance exams and audits are still going strong—one attendee said that their company is juggling six exams at once. Another attendee has been dealing with an ongoing exam for over a year, and just got hit with 40 more requests for it. 

Social Security Audits

One attendee shared that the Social Security Office (SSO) is now auditing mortgage companies on how they verify consumers’ social security numbers. And, even if you outsource the verification process, you’re still responsible for what your third party does. They emphasized that the SSO is looking for specific procedures and record retention, especially when it comes to third parties.

It’s also worth noting that the SSO is hiring independent CPA firms to carry out these audits. So, if you get an email from a new person asking for social security info, you need to do your due diligence and make sure they’re the real deal before handing over any sensitive information.

Pandemic Planning for Business Continuity and Disaster Recovery Plan (BCDR)

One attendee warned that auditors are now requesting organizations to include pandemic planning in their Business Continuity and Disaster Recovery Plans (BCDR) if not already present. The auditors didn’t provide any specific guidance on how to add it in, besides that procedures should be clearly documented for any future instances. 

Auditors are also looking at how often organizations perform disaster recovery tests. Make sure to update your BCDR to include post-pandemic procedures and environments like remote work.

Key Takeaway: Update your Business Continuity and Disaster Recovery Plans (BCDR) to include pandemic planning and perform regular disaster recovery tests that include post-pandemic environments, such as remote work

UDAAP and the CFPB’s Policy Statement on Abusive Acts and Practices

The CFPB recently published a policy statement on abusive acts and practices that aims to clarify what’s considered “abusive.” But, attendees feel that the policy is still very subjective based on the individual who’s reading it and how they receive it.

“In all the years I’ve been in this job, there’s not much that I would consider abusive,” says one attendee. 

In his remarks, Director Chopra defined “abusive” as “company conduct that obstructs people’s ability to digest information.” It’s all about how you are sharing information—does it prohibit the consumer from being able to understand that information? 

The group agreed that it’ll be interesting to see how the CFPB continues to define and enforce it.

Key Takeaway: Take the time to be clear and upfront in marketing materials to help avoid abusive acts or practices

State Examinations and UDAAP

Compared to other regulations like the Truth in Lending Act (TILA), UDAAP is not cited as frequently in exams. And, specific to the abusiveness prong, examiners have very rarely cited “taking unreasonable advantage of the consumer” in attendees’ experiences.   

One attendee mentioned that there have been consumer complaints where they mentioned that they’ve been taken advantage of (likely due to a lack of understanding of the financial system), but they never had an examiner come back and cite for that.

Either way, attendees agreed that marketing content still needs to go through the compliance department and that they don’t feel comfortable letting them govern themselves on UDAAP. 

Key Takeaway: Proactive UDAAP compliance is key. Marketing and advertising content should always have a layer of compliance oversight

Loan Officers on Social Media: Preventing RESPA Violations When Sharing Open Houses

One attendee asked the group if they’ve had any issues with loan officers sharing social media posts from realtors promoting an open house.

Loan officers can like these posts, but reposting or making statements that could imply that they are working together could raise RESPA concerns.

One attendee said that to make it semi-compliant (noting that they shouldn’t share at all but they’re going to do it anyway), they need to turn the post around and make it about them and deflect the realtor. Writing something like, “Come see me and see how you can get pre-approved for a mortgage loan,” for example, would help avoid the implication that they are working together. 

Key Takeaway: Loan officers must use caution when sharing open houses on social media to avoid potential RESPA violations

Join the next mortgage roundtable

Want to be part of the next roundtable discussion? Request your invite to be a part of the COMPLY Mortgage Compliance Community—a community dedicated to navigating the ever-evolving world of mortgage regulatory compliance.

As a member, you’ll have access to:

  • A private and monitored Slack group where you can connect and collaborate with your peers year-round
  • Invitations to our quarterly virtual roundtable events
  • Priority access to mortgage compliance content and additional events (both in-person and virtual)

Request your invite here

author avatar
Gianna Kennedy Content Marketing Manager
Gianna is a Content Marketing Manager at PerformLine.

Stay Updated

Join thousands of other industry professionals

Subscribe to receive the latest regulatory news and updates with a focus on marketing compliance via content offers, newsletters, blog posts, and more
This field is for validation purposes and should be left unchanged.

Connect with PerformLine and see what we can do for you.