During the 2020 COVID-19 coronavirus pandemic, the world at large began to shut down most operations and businesses in an effort to try and contain the outbreak. As weeks turned into months, it was clear that qualifying industries would need to pivot to virtual workspaces in any capacity they could. The mortgage industry was no exception, and despite years of regulations around licensing offices and restricting licensees from working from home, many states issued emergency guidance allowing for business to continue remotely.
The mortgage market boomed, consumers took advantage of lower rates and lenders prospered with a flood of refinances walking in the door. The pandemic has certainly put both the mortgage industry and its regulators to the test, making stakeholders rethink how companies can continue to operate. As the industry begins to evaluate if remote work holds a permanent place in our processes, new requirements, especially on a state-by-state level are also beginning to emerge.
Industry Guidance
Fast forward to 2022, pandemic restrictions have eased in most jurisdictions and regulators are evaluating where we go from here. The Mortgage Bankers Association (MBA) has a Remote Work Policies page that includes a geomap of state legislation updates. On this page, the MBA outlines “MBA believes the time is right for state policymakers and the IMBs they supervise to review and reconsider the future of state licensing and apply lessons learned”. In an effort to try and help facilitate these changes, the MBA also released a proposed model for state legislation and regulation. Conditions outlined for lenders in this model proposal are quite straightforward, including safeguarding consumer information in compliance with the GLBA, ensuring relevant security patches are installed, and maintaining a full list of employees who work remotely. The American Association of Residential Mortgage Regulators (AARMR) also published its own Best Practices for Permitting Employees to Work Remotely. These guidance documents are some of the most useful resources lenders have today, but leave much to the lender to iron out – what exactly goes into making sure that there are “systems in place to ensure that data security and privacy requirements are met”? Regulators and industry trade groups alike are hesitant to be overly prescriptive with the nitty-gritty in their guidance. Financial institutions of different sizes may have different levels of remote work supervision needs and the level of resources available to these companies will surely vary. Though as some have said, understanding the speed limit and the rules of the road means a safer driving experience for everyone.
State-by-State Compliance
Individual states are outlining their own requirements for licensees, some more uniform, some more unique. Typical requirements include not allowing consumers to visit the licensed location and ensuring that no physical records containing private information are stored at the remote office. Some state requirements are a little more creative. Wisconsin for example indicates that the option to print documents accessible by VPN from home should be disabled. Rhode Island requires that employees be given specific remote office training around consumer protections. One of the most stringent states, California, goes so far as to regulate employee mailboxes, prohibiting the physical receipt of mail related to the licensee’s licensed business at a remote location.
The division of state guidance, or lack thereof, is listed below as of the date of this publication. Many states still have temporary guidance that remains active today from when it was first issued during the start of the pandemic. These are the states currently being watched for regulation transitions. States with no specific guidance may include states that did not require loan officers to work from a branch location to begin with. States that have rescinded their temporary guidance include West Virginia, Nevada, Nebraska, and Mississippi, though some of these states may ultimately change their guidance status in the near future.
Best Practices for Remote License Employees
Though exact requirements may vary based on the type of institution and the licenses that institution hold, below are some best practices that may be incorporated into an institution's remote work management program:
This may seem like a long (and ever-growing) list of requirements for remote work compliance, but financial institutions should keep in mind that some of these same requirements were certainly already at play for in-office employees. Faced with the burden of remote work supervision, lenders should consider incorporating technological solutions into their monitoring program, including an electronic attestation of policies, geolocation tracking, remote workspace inspection tools, etc.