This topic contains information on compliance with laws, including:
The seller/servicer (any subservicer or third-party originator it uses) and any licensee of Fannie Mae technology must:
comply with, all federal, state, and local laws (e.g., statutes, regulations, ordinances, directives, codes, administrative rules and orders that have the effect of law, and judicial rulings and opinions) that apply to:
any of its origination, selling, or servicing practices, including laws and regulations on consumer credit, equal credit opportunity and truth-in-lending, and borrower privacy;
use of Fannie Mae licensed technology; and
other business practices that may have a material effect on Fannie Mae; and
ensure that appraisals conform to the Appraiser Independence Requirements.
The table below describes additional requirements related to a seller/servicer’s obligation regarding compliance with applicable laws.
|ADDITIONAL REQUIREMENTS RELATED TO COMPLIANCE WITH LAWS|
|Obligation to monitor||A seller/servicer must
|Remedy for violations||Fannie Mae may enforce a remedy for all seller/servicer violations of applicable laws and regulations that may have a material effect on Fannie Mae.
For whole loans acquired on or after November 20, 2014 and for loans delivered into MBS with pool issue dates on and after December 1, 2014.
Fannie Mae considers the following to be significant defects and may require a repurchase for a breach of the seller/servicer’s representation and warranty regarding compliance with laws when:
|Remedy for UDAAP and ability to repay violations||
With respect to UDAAP, Fannie Mae will consider published federal and state announcements of interpretations as well as all published judicial and administrative decisions and will not enforce a repurchase if:
For noncompliance with the ability to repay (ATR) requirements in the TILA and its implementing regulations, which could impose assignee liability on Fannie Mae, Fannie Mae will not issue a repurchase demand on such grounds unless a court, regulator, or other authoritative body concludes that a specific loan did not comply with ATR.
|Repurchase demands for compliance with laws violations||A repurchase demand based on compliance with laws violation will include supporting facts and findings made by Fannie Mae.
Fannie Mae’s determination that a violation has occurred must be consistent with the facts provided by the seller/servicer and any other information obtained by Fannie Mae as part of its evaluation of the situation.
If Fannie Mae issues a repurchase demand involving a failure to comply with laws when there is pending litigation underway for that same issue, or when a government agency with authority to make a determination regarding the issue has publicly stated that it is reviewing the issue, the seller/servicer is not required to repurchase the loan until 30 days after the litigation is
After the Resolution, the seller/servicer may request that Fannie Mae review the appropriateness of the repurchase demand in light of the Resolution. Fannie Mae will withdraw the repurchase demand where appropriate.
A seller/servicer may be required to repurchase a loan that is in breach of the requirements of this topic at any time despite the fact that the loan is otherwise eligible for enforcement relief for breaches of certain underwriting and eligibility representations and warranties in accordance with the Selling Guide.
The seller/servicer must notify Fannie Mae if, after conducting due diligence, it determines that a breach of a selling warranty related to compliance with laws has likely occurred. The seller/servicer’s notification responsibilities depend on how many loans are affected and whether the breach could warrant a repurchase demand based on the criteria described above.
Reporting Category 1
The seller/servicer must notify Fannie Mae if both of the following conditions occur:
the number of loans affected by the same potential breach exceeds the lesser of 500 loans or 1% of prior year loan deliveries to Fannie Mae, and
all potentially affected loans were delivered to Fannie Mae within the same calendar quarter.
The notification is required within 60 days of the later of:
the end of the calendar quarter in which such loans were delivered, or
discovery of the potential breach.
The seller/servicer must report these loans using the self-report functionality in Loan Quality Connect.
Reporting Category 2
The following reporting requirements apply when:
the potential breach could warrant a repurchase demand, or
the number of loans affected by the same type of potential breach delivered in the same calendar quarter does not exceed the lesser of 500 loans or 1% of prior year loan deliveries to Fannie Mae.
|the breach could warrant a repurchase demand and has not been remedied or will not be remedied within 60 days,||the seller/servicer must notify Fannie Mae within 60 days by using the self-report functionality in Loan Quality Connect.|
|the breach could warrant a repurchase demand and has been remedied or will be remedied within 60 days,||the seller/servicer does not need to notify Fannie Mae.|
|the breach would not warrant a repurchase demand,||the seller/servicer does not need to notify Fannie Mae.|
Scenario 1: A lender identifies a repeated potential breach related to compliance with laws where a repurchase demand is not warranted.
The lender determines June 1 it may have failed to provide a property valuation when required under the Equal Credit Opportunity Act. This impacted 600 loans that were delivered to Fannie Mae between January 1 and March 31. The lender must report the potential breach to Fannie Mae within 60 days of June 1. In this scenario, the number of loans impacted exceeded 500 loans and the loans were delivered within the same quarter.
Scenario 2: A lender that delivered 70,000 loans to Fannie Mae the prior year identifies a repeated potential breach related to compliance with laws where a repurchase demand is not warranted.
The lender determines August 15 it may have failed to provide a property valuation when required under the Equal Credit Opportunity Act. This impacted 200 loans that were delivered to Fannie Mae between January 1 and March 31, and 400 loans that were delivered to Fannie Mae between April 1 and June 30. The lender will not be required to report the potential breach for either quarter, as the number of loans impacted in each quarter did not exceed 500 loans. In this scenario, 500 loans is less than 700 loans (1% of prior year deliveries).
Scenario 3: A lender identifies a single loan impacted by a potential breach for which a repurchase demand is a potential remedy.
The lender may have violated the Fair Housing Act. The lender must report the breach to Fannie Mae within 60 days of determination of the potential breach, unless it determines the non-compliance has been remedied or will be remedied within 60 days in accordance with applicable law.
Following is a table of additional requirements related to specific laws and other Fannie Mae requirements.
|REQUIREMENTS FOR SPECIFIC LAWS AND OTHER REQUIREMENTS|
|IRS Reporting Requirements||must report to the IRS as required by Part of this Guide, Part C of the Servicing Guide, and in accordance with the instructions of the Internal Revenue Service.|
|Department of Treasury Office of Foreign Assets Control (OFAC) Regulations||
|Anti-money laundering Bank Secrecy Act (BSA)||If subject to the anti-money laundering provisions of the BSA, the seller/servicer must report all instances of non-compliance or sanctions to Fannie Mae’s Ethics division (see E-1-03, List of Contacts) .
If the seller/servicer is not subject to the anti-money laundering provisions of the BSA, it must develop internal policies, procedures, and controls to identify suspicious activities that may involve money laundering, fraud, terrorist financing, or other crimes similar to those required by the anti-money laundering provisions of the BSA and its implementing regulations.
All sellers and servicers must report all instances of suspicious activity related to Fannie Mae loans using the self-report functionality in Loan Quality Connect or those related to Fannie Mae’s business activities to Fannie Mae’s Mortgage Fraud Reporting division (see E-1-03, List of Contacts ) .
Fannie Mae reserves the right to make additional inquiries to the seller/servicers of any owner, including any direct, indirect, or beneficial owner that is a foreign party.
|HERA Servicer Reporting Requirements||
|Requirements of Insurer/Guarantor||
The seller/servicer must maintain a response program consistent with the requirements of the Interagency Guide on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Fannie Mae loans.
The following table outlines the seller/servicer’s actions whenever the seller/servicer determines there has been a data breach.
|✓||The seller/servicer must...|
|Provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws.|
|Maintain a copy of the notice in the individual loan file.|
|Notify Fannie Mae’s Privacy Office (see E-1-03, List of Contacts of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that
|Request permission from Fannie Mae’s Privacy Office (see E-1-03, List of Contacts) to use Fannie Mae’s name if the seller/servicer intends to refer to a Fannie Mae in any notices sent to affected borrowers or regulatory agencies.|
|Fully cooperate with Fannie Mae to enable compliance with its legal and privacy incident management obligations.|
The following table outlines the requirements when notifying Fannie Mae’s Privacy Office (see E-1-03, List of Contacts of a data breach.
|✓||The notice must include...|
|A detailed description of the scope of the incident, including the number of impacted individuals and states where they reside.|
|A description of the related NPI.|
|The root cause (if known).|
|The response plan.|
|A copy of the breach notice that the seller/servicer plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice.|