What was the punishment EMC received? Beyond the usual FTC settlement requirements about not doing it again, informing the FTC of management changes, and informing new management of the settlement, the key points were:
- Implement a data integrity program
- FTC oversight of almost all EMC business operations for a period of 8 years. This includes providing to the FTC the following information (a – f below are taken directly from the settlement agreement).
a. Accounting records that reflect the cost of loans acquired and/or sold; revenues generated from servicing fees and/or fees paid by and/or imposed on consumers; and the disbursement of such revenues;
b. Personnel records accurately reflecting: the name, address, and telephone number of each person employed in any capacity by such business, including as an independent contractor; that person's job title or position; the date upon which the person commenced work; and the date and reason for the person's termination, if applicable;
c. Customer files containing the names, addresses, telephone numbers (if available), dollar amounts paid, and description of fees or other charges imposed;
d. Complaints, disputes, and requests from consumers (whether received directly, indirectly or through any third party) and any responses to those complaints, disputes, or requests;
e. Copies of all training materials and policy manuals; and
f. All records and documents necessary to demonstrate full compliance with each provision of this Order, including but not limited to, copies of acknowledgments of receipt of this Order, required by Section XVI, and all reports submitted to the FTC pursuant to Section XIII.
- EMC must internally audit its operations to ensure compliance with the settlement, and EMC management must sign off on these audits. EMC management will be held accountable for meeting the settlement and for any false statement in these audits.
- Third party assessment of the data integrity program every two years.
- $28 million reimbursement pool to be used to compensate consumers who have been harmed by EMC’s actions.
- All costs associated with meeting the settlement requirements. The question is – how much will it cost EMC Mortgage to comply with the settlement?
What is a data integrity program? Good question. We are unaware of any published standard for data integrity by any recognized standards body. Consider it a “we will know it when we see it” type of standard.
However, by reading the complaint and the settlement, it is possible to identify the characteristics of a data integrity program which the FTC expects to find, and which debt buyers and collectors should be implementing. It includes the following:
1) Data Security. Instead of looking at accounts which are bought, sold and collected in the industry as accounts or property, think of them as identities. Each entity which touches an identity must take reasonable and appropriate steps to protect the identity. What is reasonable and appropriate? It would be what is required under federal and state regulations as well as industry standards. For healthcare, the standard is HIPAA. For credit cards, the standard would be PCI DSS, etc. And, all debt collectors must meet GLBA requirements. In addition, there are over 40 states which have passed personal identification information protection legislation.
NOTE: All members of the ARM industry are also required to meet the Red Flag Rule by November 1, 2008. If a member does not meet the rule, and there is a violation, then the fines can be doubled.
2) Data Authentication. One of the FTC's biggest concerns was that Bear Stearns would purchase a mortgage and EMC would immediately begin collecting on past-due accounts without validating that the data received from the seller was accurate. This includes everything from proof that the seller actually owned the debt, to the accuracy of the data which was exchanged, to the accuracy of the amounts of the debt, understanding the terms and conditions of the loan agreement, accurately identifying the debtor, etc.
3) Data Accuracy. Once the data is received and authenticated, it must be maintained and updated to reflect the activity which occurred. This includes keeping records updated with bankruptcies, deaths, identity thefts, and other exceptions as defined under FDCPA.
Further, there must be a defined program for resolving disputes, all activity must be documented, and disputes must be resolved in a timely and efficient manner.
Further, if any amount is added to an outstanding balance (or fees the FTC may consider to be an increase of the loan balance) as a result of collection efforts, a new Truth In Lending Statement must be provided to the debtor.
4) Data Exchange. Data which is exchanged between debt collectors and any third party must be accurate.
Credit Bureaus. The data provided to a credit bureau must be accurate and reflect recent activity. And, conversely, the failure to report updated information to the credit bureaus is a violation of FDCPA and FCRA.
Selling of Debt. When selling debt to another debt buyer, the seller must be sure to include accurate information in the sales files for all key data points as well as information discovered while working the account regarding bankruptcies, deaths, identity theft, etc. If the seller fails to provide this information, the buyer can file a complaint with the FTC and the FTC will likely conduct an investigation.
In addition, the seller needs to ensure the buyer is going to take adequate steps to protect the data. This is a GLBA requirement. Each seller should have a vendor verification program which includes contractual requirements and other ways to verify that the buyer will take reasonable and appropriate steps to protect the data.
Supporting Media. The exchange of media (documentation associated with an account, such as copies of contracts, statements, etc.) which contains personal identity information (SSNs, credit card numbers, account numbers, etc.) from an issuer to the current owner of the debt appears to be a GLBA violation as it is currently practiced. Example: the debt has been bought and sold four times. For the current owner to get the media, the request must go through the previous buyers to the issuer. The media then flows back through the various debt buyers to the current owner. When the data flows through a debt buyer which no longer has an ownership interest in the media, there is a problem. Rather, there needs to be a method by which the issuer can release media directly to the current owner without it being a GLBA and/or FTC Section 5 violation.
Secure Data Transfer. Anytime personal identification information is exchanged between parties, it must be secured.
- This means portfolios and media cannot be sent as an email attachment unless the attached data is adequately encrypted.
- If sent via third party (US Mail, UPS, FedEx, DHL, etc.), it must be sent so it can be fully traced and secure from sender and recipient. Each of these carriers offers such services.
So is the FTC stating that members of the ARM Industry should have a formal data integrity program? Officially? The answer is no. However, if you don’t implement steps to protect data as described above then you may be found to be in violation of Section 5 of the FTC Act as well as possible FDCPA violations.
Bottom line, what does this mean to debt buyers and sellers? 1) Each member needs to implement a data integrity program. This program should include the elements described above.
2) A method of titling debt and securing the exchange of all data needs to be adopted by the industry.
a. The current practice of relying upon account information exchanged between debt buyer and seller – especially the farther away the debt gets from the issuer – appears to be in violation of GLBA and/or FTC Section 5.
b. Debt collection agencies and attorneys need some form of proof or validation from the entity providing the information to them that the data is accurate before initiating phone calls, letters, postcards, litigation, etc.
3) Changes are required in the whole process of buying/selling debt to ensure the data which is being exchanged is accurate including being able to verify the chain of title from issuer to current owner.
4) Not reporting data to the credit bureau is just as much a violation of FCRA as knowingly reporting inaccurate information.
5) Access to the media (electronic copies of loan agreements, statements, etc.) associated with debt needs to be readily accessible to the current owner of debt – whether they are the issuer or the current owner of a portfolio which has been bought and/or sold multiple times.
How will the changes called for in this settlement impact my business? 1) The data you are relying on in your business should become more accurate. As your data becomes more accurate, expenses resulting from inaccurate data – both hard and soft costs - should be reduced.
2) As data becomes more accurate, the risk premium associated with any portfolio resulting from inaccurate data should be reduced. This should result in increased value for portfolios with accurate data and decreased values for portfolios with inaccurate data.
3) Members who buy portfolios and discover that the quality of data in the portfolio is misleading, fraudulent, was not adequately maintained, double sold, etc. can look at this as more than a property dispute; they can file a complaint with the FTC.
4) And, don’t be surprised when debtors’ attorneys start filing FTC complaints on behalf of their clients against industry members which do not have data integrity programs.
5) Members should expect any settlement agreement resulting from an FTC complaint filed against them will have many of the same elements described in the Bear Stearns/EMC Mortgage settlement. We have seen this pattern over and over again in data security settlements. While the fines may not apply, the data integrity program, reporting requirements, internal audit requirements, etc. will apply.
David Mertz has over 20 years of experience in IT and has spent the last six years focused on data security and compliance issues. Mertz has been invited to speak across the country on compliance and security issues – including issues impacting the ARM Industry; most recently at DCS 2008. In addition, Mertz has written articles for a number of trade publications and has recently started a blog on data and security issues impacting the ARM Industry at www.csp-wm.com/b2evolution. Mertz is currently the Managing Partner for Compliance Security Partners, LLC, a Kansas City based data compliance and security firm. Contact David Mertz at dave@csp-mw.com for additional details.
Compliance Management Partners, LLC is a collaboration of Compliance Security Partners, LLC – a data security and compliance consulting firm - and experienced members of the credit, collection and the debt buying industry. Compliance Management Partners, LLC works with industry members to develop and implement the appropriate policies and practices required to manage and protect personal identity, protected healthcare information, and other confidential data from unauthorized access.
Comments
Comment from Sonny on October 16, 2008 at 5:12PM EST
This is a really important issue and I am anxious to hear from some of the really smart guys in the debt collection industry.
Comment from sif2pif on October 20, 2008 at 7:15PM EST
This should not apply if the debtor calls in to your company and has a clear intent to pay prior to having received a validation notice.
Comment from SpyBoy on October 21, 2008 at 1:39AM EST
Since the Promissory Notes govern the actual terms and conditions under the Mortgage, and since it appears, from experience and observation, that in the world of modern mortgage securitization the Promissory Notes do not actually get transferred and delivered when the mortgages are subsequently bought and sold, there could be quite a bit of difficulty for verifying the accurateness of previous servicer records. This could be a mess of epic proportions.