Skip to main content
Search the Guide:

A3-2-01, Compliance With Laws (09/04/2024)

Introduction
This topic contains information on compliance with laws, including:

General Obligations

The seller/servicer (any subservicer or third-party originator it uses) and any licensee of Fannie Mae technology must:


Additional Requirements Related to Compliance with Laws

The table below describes additional requirements related to a seller/servicer’s obligation regarding compliance with applicable laws.

ADDITIONAL REQUIREMENTS RELATED TO COMPLIANCE WITH LAWS
Topic Description
Obligation to monitor A seller/servicer must
  • establish appropriate policies and procedures for monitoring (and monitor) applicable legal developments,

  • demonstrate it has complied with applicable laws and regulations upon Fannie Mae’s request, 

  • advise its Fannie Mae customer account team if an applicable law or regulation conflicts with Fannie Mae’s requirements, and

  • establish policies and procedures to monitor appraisals for prohibited language to eliminate discriminatory practices and appraisals bias.

Remedy for violations Fannie Mae may enforce a remedy for all seller/servicer violations of applicable laws and regulations that may have a material effect on Fannie Mae.

For whole loans acquired on or after November 20, 2014 and for loans delivered into MBS with pool issue dates on and after December 1, 2014.

Fannie Mae considers the following to be significant defects and may require a repurchase for a breach of the seller/servicer’s representation and warranty regarding compliance with laws when:

  • the seller/servicer’s failure to comply could be expected to either

    • impair Fannie Mae’s or its servicer’s ability to enforce the note or mortgage, or

    • impose assignee liability on Fannie Mae; or

  • a court or regulatory authority has found the loan to be in violation, or Fannie Mae has made a finding based on the facts available to it that a violation may have occurred.

  • A violation may involve any one of the following:

    • laws administered or regulations implemented by the Department of the Treasury’s Office of Foreign Assets Control (OFAC);

    • the Fair Housing Act or related regulations;

    • the anti-discrimination provisions of the Equal Credit Opportunity Act or related regulations;

    • federal or state prohibitions on unfair, deceptive, or abusive acts or practices (UDAAP); or

    • the Securities Exchange Act of 1934 or regulations thereunder.

Remedy for UDAAP and ability to repay violations

With respect to UDAAP, Fannie Mae will consider published federal and state announcements of interpretations as well as all published judicial and administrative decisions and will not enforce a repurchase if:

  • the seller/servicer cures the matter by remediation to the injured party; or

  • after the third anniversary of the acquisition (or MBS pool issue date) of a loan (unless the seller/servicer self-reports), a federal or state enforcement authority has indicated, asserted, or claimed that such practice violates (or may) violate UDAAP, or a federal or state court has held that a specific practice violates UDAAP.

Fannie Mae will not make legal a determination of whether a loan complies with or is exempt from TILA, ATR, or the Revised Qualified Mortgage Rule, or whether a lender's designation of the status of a loan is correct except as required in judicial or regulatory proceedings in which Fannie Mae is a party. 

For noncompliance with the ability to repay (ATR) requirements in the TILA and its implementing regulations, which could impose assignee liability on Fannie Mae, Fannie Mae will not issue a repurchase demand on such grounds unless a court, regulator, or other authoritative body concludes that a specific loan did not comply with ATR, including the Qualified Mortgage Rule.

Repurchase demands for compliance with laws violations A repurchase demand based on compliance with laws violation will include supporting facts and findings made by Fannie Mae.

Fannie Mae’s determination that a violation has occurred must be consistent with the facts provided by the seller/servicer and any other information obtained by Fannie Mae as part of its evaluation of the situation.

If Fannie Mae issues a repurchase demand involving a failure to comply with laws when there is pending litigation underway for that same issue, or when a government agency with authority to make a determination regarding the issue has publicly stated that it is reviewing the issue, the seller/servicer is not required to repurchase the loan until 30 days after the litigation is

  • dismissed,

  • settled, or

  • concluded at trial in an adjudication, or

  • the government agency has made a final determination (collectively, the “Resolution”).

After the Resolution, the seller/servicer may request that Fannie Mae review the appropriateness of the repurchase demand in light of the Resolution. Fannie Mae will withdraw the repurchase demand where appropriate.

A seller/servicer may be required to repurchase a loan that is in breach of the requirements of this topic at any time despite the fact that the loan is otherwise eligible for enforcement relief for breaches of certain underwriting and eligibility representations and warranties in accordance with the Selling Guide.


Reporting Requirements

The seller/servicer must notify Fannie Mae if, after conducting due diligence, it determines that a breach of a selling warranty related to compliance with laws has likely occurred. The seller/servicer’s notification responsibilities depend on how many loans are affected and whether the breach could warrant a repurchase demand based on the criteria described above.

Reporting Category 1

The seller/servicer must notify Fannie Mae if both of the following conditions occur:

  • the number of loans affected by the same potential breach exceeds the lesser of 500 loans or 1% of the total number of loans delivered to Fannie Mae in the prior year, and

  • all potentially affected loans were delivered to Fannie Mae within the same calendar quarter.

The notification is required within 60 days of the later of:

  • the end of the calendar quarter in which such loans were delivered, or

  • discovery of the potential breach.

The seller/servicer must report these loans using the self-report functionality in  Loan Quality Connect.

Note: If the calculation described above results in fewer than five potentially affected loans, then the seller/servicer does not need to notify Fannie Mae.

Reporting Category 2

The following reporting requirements apply when:

  • the potential breach could warrant a repurchase demand, or

  • the number of loans affected by the same type of potential breach delivered in the same calendar quarter does not exceed the lesser of 500 loans or 1% of the total number of loans delivered to Fannie Mae in the prior year.

Reporting Requirements
If... Then...
the breach could warrant a repurchase demand and has not been remedied or will not be remedied within 60 days, the seller/servicer must notify Fannie Mae within 60 days by using the self-report functionality in Loan Quality Connect.
the breach could warrant a repurchase demand and has been remedied or will be remedied within 60 days, the seller/servicer does not need to notify Fannie Mae.
the breach would not warrant a repurchase demand, the seller/servicer does not need to notify Fannie Mae.

Examples:

Scenario 1: A lender identifies a repeated potential breach related to compliance with laws where a repurchase demand is not warranted.

The lender determines June 1 it may have failed to provide a property valuation when required under the Equal Credit Opportunity Act. This impacted 600 loans that were delivered to Fannie Mae between January 1 and March 31. The lender must report the potential breach to Fannie Mae within 60 days of June 1. In this scenario, the number of loans impacted exceeded 500 loans and the loans were delivered within the same quarter.

Scenario 2: A lender that delivered 70,000 loans to Fannie Mae the prior year identifies a repeated potential breach related to compliance with laws where a repurchase demand is not warranted.

The lender determines August 15 it may have failed to provide a property valuation when required under the Equal Credit Opportunity Act. This impacted 200 loans that were delivered to Fannie Mae between January 1 and March 31, and 400 loans that were delivered to Fannie Mae between April 1 and June 30. The lender will not be required to report the potential breach for either quarter, as the number of loans impacted in each quarter did not exceed 500 loans. In this scenario, 500 loans is less than 700 loans (1% of prior year deliveries).

Scenario 3: A lender identifies a single loan impacted by a potential breach for which a repurchase demand is a potential remedy.

The lender may have violated the Fair Housing Act. The lender must report the breach to Fannie Mae within 60 days of determination of the potential breach, unless it determines the non-compliance has been remedied or will be remedied within 60 days in accordance with applicable law.


Requirements Related to Specific Laws and Other Fannie Mae Requirements

Following is a table of additional requirements related to specific laws and other Fannie Mae requirements.

REQUIREMENTS FOR SPECIFIC LAWS AND OTHER REQUIREMENTS
Topic A seller/servicer...
IRS Reporting Requirements must report to the IRS as required by Part of this Guide, Part C of the Servicing Guide, and in accordance with the instructions of the Internal Revenue Service.
Department of Treasury Office of Foreign Assets Control (OFAC) Regulations
  • must establish and maintain an effective OFAC compliance program;

  • must report all instances of penalties (civil or criminal) or enforcement actions for compliance failures or violations related to OFAC requirements to Fannie Mae's Ethics division;

  • may not deliver a loan to Fannie Mae if any borrower is on one of the sanctions lists maintained by OFAC; and

  • must periodically screen the loans that it services for Fannie Mae against OFAC’s sanctions lists. If the servicer identifies a valid match, the servicer must

    • notify Fannie Mae Ethics via email within 24 hours of blocking or rejecting a mortgage transaction (see E-1-02, List of ContactsE-1-02, List of Contacts), including in the notice the borrower’s name, Fannie Mae loan number, and a point of contact at the servicer. Upon receipt of the notice, a representative from Fannie Mae will contact the servicer to discuss the match and any potential next steps.

    • take steps to ensure that any funds from the individual or entity on an OFAC sanctions list are blocked and segregated, including any escrow funds.

    • take steps to ensure that all servicing activities on the loan cease. This includes, but is not limited to,

      • remittance of P&I payments to Fannie Mae,

      • payments to taxing authorities,

      • payments to property and flood insurers,

      • payments to mortgage insurers,

      • collection activities, including performing property inspections,

      • loss mitigation activities, and

      • foreclosure.

Anti-money laundering Bank Secrecy Act (BSA) If subject to the anti-money laundering provisions of the BSA, the seller/servicer must report all instances of penalties (civil or criminal) or enforcement actions for compliance failures or violations related to anti-money laundering regulatory requirements to Fannie Mae’s Ethics division (see  E-1-02, List of ContactsE-1-02, List of Contacts) .

If the seller/servicer is not subject to the anti-money laundering provisions of the BSA, it must develop internal policies, procedures, and controls to identify suspicious activities that may involve money laundering, fraud, terrorist financing, or other crimes similar to those required by the anti-money laundering provisions of the BSA and its implementing regulations.

All sellers and servicers must report all instances of suspicious activity related to Fannie Mae loans using the self-report functionality in Loan Quality Connect or those related to Fannie Mae’s business activities to Fannie Mae’s Mortgage Fraud Reporting division (see E-1-02, List of ContactsE-1-02, List of Contacts) .

Fannie Mae reserves the right to make additional inquiries to the seller/servicers of any owner, including any direct, indirect, or beneficial owner that is a foreign party.

HERA Servicer Reporting Requirements
  • must comply with the Housing and Economic Recovery Act of 2008 and its regulations (together, "HERA") and specifically the Minority and Women Inclusion Rule reporting requirements and:

    • provide data regarding the diversity status of the servicer, its agents, subcontractors, and vendors;

    • complete a Fannie Mae supplier registration profile that accurately reflects its ownership status, regardless of whether it is “HERA-Inclusive, and its team composition report;

    • update its profile to reflect such ownership changes within 30 days of any change of ownership;

    • provide ownership and team composition information described in the  Existing Suppliers guidance on Fannie Mae’s website annually by November 1; and

    • provide any such additional information that Fannie Mae reasonably requests for purposes of complying with HERA, the Minority and Women Inclusion Rule, or any other diversity and inclusion requirements.

  • may develop a process to collect the ownership status of the agents, subcontractors, and vendors used by the servicer in servicing loans for Fannie Mae;

  • must commit to practice the principles of equal employment opportunity and non-discrimination in all its business activities; and

  • as required by the Minority and Women Inclusion Rule, must include, as a material condition of each contract with its agents, subcontractors, and vendors that provide services or goods to Fannie Mae, a provision that each such entity commit to practice the principles of equal employment opportunity and non-discrimination in all their business activities.

Address Confidentiality Programs (Safe at Home Laws)
  • must comply with all applicable requirements in a state Address Confidentiality Program. This includes, when required by applicable state law, giving notice to loan purchasers or assignees, and providing notice to Fannie Mae's Privacy Office (see  E-1-02, List of ContactsE-1-02, List of Contacts).

For a loan in which a borrower is enrolled in a state Address Confidentiality Program, the seller/servicer must

  • include both a property address and a legal substitute mailing address at loan delivery,
  • report Special Feature Code 877,
  • for a loan that it services, complete the post-purchase adjustment process within 5 days of receiving notification that a borrower has enrolled in, or has unenrolled in, one of these programs, and
  • provide notice of program enrollment and the borrower mailing address to any transferee servicer upon the transfer of servicing rights.

The Servicing Guide also includes the post-delivery servicing transfer requirements.

Requirements of Insurer/Guarantor
  • must comply with all requirements that FHA, VA, HUD, and RD, or the mortgage insurance companies have for loans they insure or guarantee;

  • must take all actions necessary to ensure that Fannie Mae recovers the full amount due under the guaranty or the full claim under the insurance contract; and

  • must not enter into any agreement with insurers or guarantors which has the potential to modify loss claim settlements under the terms of the guaranty or insurance contract.

Refinancing Practices
  • must include in its policies and procedures appropriate safeguards to prevent the possibilities of violating Fannie Mae’s prohibitions against questionable or prohibited refinancing practices;

  • may promote the terms it has available for refinancings by sending promotional if the servicer targets

    • borrowers of all loans in its servicing portfolio,

    • all borrowers who have specific types of loans, or

    • borrowers of loans that fall within specific interest rate ranges.

See B2-1.3-04, Prohibited Refinancing PracticesB2-1.3-04, Prohibited Refinancing Practices for additional information.

Compliance with Fannie Mae Data Breach Incident Requirements

The seller/servicer must maintain a response program consistent with the requirements of the Interagency Guide on Response Programs for Unauthorized Access to Customer Information and Customer Notice, as published in the Federal Register, for all Fannie Mae loans.

The following table outlines the seller/servicer’s actions whenever the seller/servicer determines there has been a data breach.

The seller/servicer must...
  Provide written notice to the borrowers and any state agencies or other bodies in accordance with privacy and data security breach laws.
  Maintain a copy of the notice in the individual loan file.
  Notify Fannie Mae’s Privacy Office (see  E-1-02, List of ContactsE-1-02, List of Contacts of any incident as soon as reasonably practicable via email. Notification must be within 72 hours if there is a data breach that
  • affects 10 or more borrowers,

  • requires notice to state agencies or other regulatory bodies designated by privacy and data security breach laws, or

  • involves the intentional unauthorized access or misuse of borrower NPI.

  Request permission from Fannie Mae’s Privacy Office (see  E-1-02, List of ContactsE-1-02, List of Contacts) to use Fannie Mae’s name if the seller/servicer intends to refer to a Fannie Mae in any notices sent to affected borrowers or regulatory agencies.
  Fully cooperate with Fannie Mae to enable compliance with its legal and privacy incident management obligations.

The following table outlines the requirements when notifying Fannie Mae’s Privacy Office (see  E-1-02, List of ContactsE-1-02, List of Contacts of a data breach.

The notice must include...
  A detailed description of the scope of the incident, including the number of impacted individuals and states where they reside.
  A description of the related NPI.
  The root cause (if known).
  The response plan.
  A copy of the breach notice that the seller/servicer plans to send to the borrower(s) or an explanation as to why it is not sending a breach notice.

Recent Related Announcements

The table below provides references to recently issued Announcements that are related to this topic.

Announcements Issue Date
Announcement SEL-2024-06 September 04, 2024
Announcement SEL-2023-07 August 02, 2023
Announcement SEL-2023-03 April 05, 2023
Announcement SEL-2022-06 July 06, 2022
Announcement SEL-2022-01 February 02, 2022
Announcement SEL-2021-08 September 01, 2021
Announcement SEL-2019-08 October 02, 2019
Announcement SEL-2019-06 July 03, 2019
Announcement SEL-2019-03 April 03, 2019