Best Practices for Remote Work in the Mortgage Business

During the 2020 COVID-19 coronavirus pandemic, the world at large began to shut down most operations and businesses in an effort to try and contain the outbreak. As weeks turned into months, it was clear that qualifying industries would need to pivot to virtual workspaces in any capacity they could. The mortgage industry was no exception, and despite years of regulations around licensing offices and restricting licensees from working from home, many states issued emergency guidance allowing for business to continue remotely.

The mortgage market boomed, consumers took advantage of lower rates and lenders prospered with a flood of refinances walking in the door. The pandemic has certainly put both the mortgage industry and its regulators to the test, making stakeholders rethink how companies can continue to operate. As the industry begins to evaluate if remote work holds a permanent place in our processes, new requirements, especially on a state-by-state level are also beginning to emerge.  

Industry Guidance 

Fast forward to 2022, pandemic restrictions have eased in most jurisdictions and regulators are evaluating where we go from here. The Mortgage Bankers Association (MBA) has a Remote Work Policies page that includes a geomap of state legislation updates. On this page, the MBA outlines “MBA believes the time is right for state policymakers and the IMBs they supervise to review and reconsider the future of state licensing and apply lessons learned”. In an effort to try and help facilitate these changes, the MBA also released a proposed model for state legislation and regulation. Conditions outlined for lenders in this model proposal are quite straightforward, including safeguarding consumer information in compliance with the GLBA, ensuring relevant security patches are installed, and maintaining a full list of employees who work remotely. The American Association of Residential Mortgage Regulators (AARMR) also published its own Best Practices for Permitting Employees to Work Remotely. These guidance documents are some of the most useful resources lenders have today, but leave much to the lender to iron out – what exactly goes into making sure that there are “systems in place to ensure that data security and privacy requirements are met”? Regulators and industry trade groups alike are hesitant to be overly prescriptive with the nitty-gritty in their guidance. Financial institutions of different sizes may have different levels of remote work supervision needs and the level of resources available to these companies will surely vary. Though as some have said, understanding the speed limit and the rules of the road means a safer driving experience for everyone.   

State-by-State Compliance 

Individual states are outlining their own requirements for licensees, some more uniform, some more unique. Typical requirements include not allowing consumers to visit the licensed location and ensuring that no physical records containing private information are stored at the remote office. Some state requirements are a little more creative. Wisconsin for example indicates that the option to print documents accessible by VPN from home should be disabled. Rhode Island requires that employees be given specific remote office training around consumer protections. One of the most stringent states, California, goes so far as to regulate employee mailboxes, prohibiting the physical receipt of mail related to the licensee’s licensed business at a remote location. 

The division of state guidance, or lack thereof, is listed below as of the date of this publication. Many states still have temporary guidance that remains active today from when it was first issued during the start of the pandemic. These are the states currently being watched for regulation transitions. States with no specific guidance may include states that did not require loan officers to work from a branch location to begin with. States that have rescinded their temporary guidance include West Virginia, Nevada, Nebraska, and Mississippi, though some of these states may ultimately change their guidance status in the near future.  

• Temporary Guidance or Impending Legislation – (9) 
• Fully Enacted Laws – (30)  
• No Specific Guidance – (7) 
• Rescinded/Sunset Guidance – (4) 

Best Practices for Remote License Employees 

Though exact requirements may vary based on the type of institution and the licenses that institution hold, below are some best practices that may be incorporated into an institution's remote work management program: 

• No In-person Meetings: No in-person customer interaction will occur at an employee’s residence unless such residence is a licensed location.
• No Physical Records: As a best practice, employers should restrict the printing or storage of physical records at the remote location. 

• No Advertising for the Remote Location: The licensee should not promote the remote work location address on any marketing material, including flyers, brochures, social media, etc. In addition, no mail related to the business should be received at the remote location. 
• Attestation & Notice of Remote Work: When applicable, some states are requiring special documents to be used to affirmatively identify that permission was granted by the employer for the employee to work remotely. In addition, some states have outlined in their guidance that the state regulatory body must be informed of these changes via specific communication channels.  
• VPN & Other Data Security Safeguards: Many states outline the use of a Virtual Private Network (VPN), VPN, or similar technology for consumer data protections. Financial institutions should consider incorporating the highest levels of cyber security tools today, including two-factor authentication, One piece of this puzzle would also be ensuring that employees are using company-provided hardware and are not operating using personal devices.  
• Data Security & Remote Work Training: Lenders should provide appropriate employee remote work and data security training. Training should include a focus on keeping all conversations about, and with, consumers confidential and outline to remote employees what type of environment would be conducive and appropriate for remote work with confidentiality in mind. 
• Written Remote Work Policy: Financial institutions should have a free-standing Remote Work policy that includes all company policies and procedures for meeting state. Federal, and agency requirements. Many states want to see a "risk-based" approach to supervision - for example, the more production a LO does or the more complicated the loan products offered, the more frequent monitoring should be.

• List of Remote Employees for Regulators: Regulators will likely ask for a list of remote employees, including key information such as employee name, remote location address, provided hardware, security log of remote logins, the date the employee was permitted to work remotely, etc.  
• Data Breach Response Procedures: The financial institution should have a data breach response procedure that specifically includes provisions for data breaches at remote locations.  
• Telephone Recording when Necessary: Telephone calls with consumers should be recorded if calls are recorded in the normal course of business at a normal licensed location. 
• No Starbucks Workdays or Short-term Rentals: Employee should only work from a remote, non-public location, that only includes individuals who maintain a common household with the employee (the space should not be used for VRBO, Airbnb, etc.) 
• Update NMLS Records: The NMLS record of a mortgage loan originator that works from a remote location should designate the corporate headquarters as their registered location unless the loan officer elects to choose a licensed branch location as a registered location. 

This may seem like a long (and ever-growing) list of requirements for remote work compliance, but financial institutions should keep in mind that some of these same requirements were certainly already at play for in-office employees. Faced with the burden of remote work supervision, lenders should consider incorporating technological solutions into their monitoring program, including an electronic attestation of policies, geolocation tracking, remote workspace inspection tools, etc.