The RESPA compliance requirements of affiliated business arrangements (AfBAs) are pretty straightforward.
Basically, the three-part safe harbor requires the party making the referral to deliver the AfBA disclosure at or before the referral is made. The second component is you can’t require the consumer to use the affiliated business. And the third requirement is to base returns strictly on ownership interest.
However, these days, the increasing use of technology during the mortgage closing process has led to confusion on exactly how to operate a compliant joint venture (JV).
Mayer Brown LLP partners Holly Spencer Bunting and David Tallman discussed technology and compliance with RESPA AfBA requirements during a spring RESPRO session held in Las Vegas.
“There are two particular areas where I think technology can make RESPA compliance complicated,” Bunting said. “The first is electronic delivery of the affiliated business arrangement disclosure. The second is performance of core title services if you’re a joint venture title entity where your whole process is basically executed by technology.”
Under Section 8(c), payments made by one settlement service provider to another do not violate Section 8(a)’s anti-kickback provisions, even if made in connection with a captive relationship or a referral, when the payments are reasonably related to the market value of the goods, services or facilities provided.
Bunting noted there’s been little contemporary guidance from regulators to help the industry navigate RESPA compliance now that technology is used to deliver financial services and interact with consumers on an almost primary basis.
“One of the areas from an affiliated business perspective that makes compliance challenging is the affiliated business disclosure,” she said. “You’ve got to provide it, and you have to provide it at or before the time of referral. But you want to provide it electronically. So, what do you do? Are you allowed to do that from a legal perspective?”
eSign Act requirements
Tallman said electronic disclosures are compliant if they’re done in accordance with the consumer-centered versions of the eSign Act.
“Broadly speaking, you need to provide certain eSign disclosures that tell the consumer about the scope of consent,” he said. “You have a consent process in which the consumer agrees to receive electronic disclosures. And then ideally, you get an acknowledgement of receipt so that you can prove to regulators or courts that yes, the disclosure actually was provided.”
If a transaction involves a mortgage loan, the consumer is entitled to receive a particular disclosure in writing. If the law does not otherwise expressly provide for that disclosure electronically, then eSign consent provisions – which apply to both federal and state requirements - kick in.
“In order to get this consent, there must be an affirmative action by the consumer under which they are expressing their agreement to receive disclosures,” Tallman said. “The person providing the disclosure must provide these eSign Act disclosures prior to consent in a clear and conspicuous statement. And this is the tricky part- that consent must reasonably demonstrate the ability to receive documents in the format in which they are to be provided.
“So, to provide an example, if you're going to give the affiliated business disclosure in a PDF format, something about the process by which the consumer either consents or confirms their consent to receive electronic disclosures must reasonably demonstrate the ability to open and access PDFs.”
The eSign disclosures must clearly inform the consumer of: (i) any option to have the record made available in non-electronic form, (ii) the right to withdraw consent and of any consequences of such a withdrawal (with may include termination of the parties’ relationship), (iii) to which transaction, transactions, or records the consent applies, (iv) the procedures for withdrawing consent and updating the consumer’s electronic contact information, (v) how the consumer may request a paper copy of an electronic record and whether there will be any associated fee; and (vi) the hardware and software requirements for accessing and retaining the electronic records.
“It ends up being a fairly lengthy disclosure,” Tallman added, “I've seen it on a page, often extended to two pages.”
There are some requirements that apply even after you obtain that initial first consent.
For example, if there's a change in the hardware or software requirements, after you get that initial authorization, then the consumer must be part of the statement of the revised requirements that includes an opportunity to withdraw that consent if you've got an ongoing consent over time, Tallman said.
“And just to emphasize, as we're talking about how this makes compliance difficult, these requirements are just to be able to deliver an affiliated business disclosure electronically,” Bunting said.
Other legal considerations
Bunting noted that part of complying with RESPA is operating the business like a bona fide independent company.
“A bona fide independent business has privacy considerations, information and security considerations, and so forth,” she said.
Tallman suggested keeping in mind that although the Gramm-Leach-Biley Act (GLBA) generally does not require consumer consent, either opt in or opt out, to share consumer data with an affiliate, you still have to disclose in the GLBA privacy notice whether you share information with affiliates and disclose in general terms who your affiliates are.
“You also want to be careful not to share information with affiliates in a manner which could cause you to be considered a consumer reporting agency under the Fair Credit Reporting Act,” he said. “For example, if the affiliate is going to be using information that you're giving them about a consumer’s credit worthiness or other personal characteristics to make eligibility determinations about the consumer, you can avoid becoming a consumer reporting agency by first providing the consumer with an an opt out opportunity under the Fair Credit Reporting Act.”
There also are state laws to consider, including some complicated ones in California.
For instance, the California Financial Information Privacy Act imposes an opt out consent requirement before sharing information with affiliates.
“The California Consumer Privacy Act (CCPA) also might be relevant, although there are some limiting factors,” Tallman said. “One, it only applies to the extent that company has $25 million of gross revenue, has personal information about 50,000 or more California residents or derives 50 percent or more of its business with the sale of personal information about California residences. So in many circumstances, the CCPA will not apply to a joint venture, but it might apply to the affiliated partners.
“There also is a broad exemption in the CCPA for information that is covered by the GLBA. So financial information is exempt from the CCPA. But there can be circumstances where you need to share information that technically is not considered non-public personal information for the GLBA, and that information still would be subject to CCPA protections, provided the thresholds are met.”
Meanwhile, Vermont has a state version of the Fair Credit Reporting Act that requires opt-in consent for sharing credit worthiness information with an affiliate and North Dakota has a law that requires opt- in consent before depository institutions or licensed money brokers can share information with other parties.
Tallman noted there are also information security requirements under GLBA and at the state level, including New York – which has information security program requirements for companies that are subject to supervision by the state Department of Financial Services.
In addition, there are data breach notification requirements for certain types of sensitive personal information that could be misused for fraud or identity theft.
“If there is a breach that involves information in electronic form, and if there's some reasonable likelihood it's going to be misused, a company generally is required to notify the consumer of the breach, or possibly other parties, including state regulators, state agencies, and credit bureaus, in certain circumstances,” Tallman said.
“So, you want to have both an information security program to protect information that you're receiving from affiliates and have thought out in advance exactly how you're going to respond if there is a breach incident, so that you get on top of breach notification requirements quickly. Because quite often, there's a short timeframe for how quickly you need to send those notifications out,” he added.
There are also consumer outreach requirements where prior express consent is needed before contacting the consumer via auto dialer or artificial prerecorded voice text messaging, including the Telephone Consumer Protection Act (TCPA).
“Under the TCPA, it can be up to $1,500 per violation of unauthorized communication,” he said. “The liability for making multiple attempts to reach out to a person can pile up fast. Also be cognizant of the Telemarketing Sales Rule on the FTC side. And then there are state telemarketing requirements.”