The Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (SAFE Act) was enacted on July 30, 2008, and mandates a nationwide licensing and registration system for residential mortgage loan originators (MLOs). The new federal law gave states one year to pass legislation requiring the licensure of mortgage loan originators according to national standards and the participation of state agencies on the Nationwide Mortgage Licensing System and Registry (NMLS).
The SAFE Act prohibits individuals from engaging in the business of a residential mortgage loan originator without first obtaining and maintaining annually:
- For individuals who are employees of covered financial institution, registration as a registered mortgage loan originator and a unique identifier (federal registration), or
- For all other individuals, a state license and registration as a state-licensed mortgage loan originator, and a unique identifier (state licensing/registration).
NMLS
The SAFE Act requires that federal registration and state licensing and registration be accomplished through the same online registration system, the Nationwide Mortgage Licensing System and Registry (NMLS). The NMLS website and registration system is here: http://mortgage.nationwidelicensingsystem.org
Federal versus State Registration and Licensing
Mortgage loan originators who work for an insured depository or its owned or controlled subsidiary that is regulated by a federal banking agency, or for an institution regulated by the Farm Credit Administration, are registered. All other mortgage loan originators are licensed by the states.
Qualification Tests, Pre-License Education Courses, Annual Continuing Education, Fingerprints, Criminal Background Checks and Credit Reports Required
The SAFE Act requires state-licensed MLOs to pass a written qualified test, to complete pre-licensure education courses, and to take annual continuing education courses. The SAFE Act also requires all MLOs to submit fingerprints to the Nationwide Mortgage Licensing System (NMLS) for submission to the FBI for a criminal background check; and state-licensed MLOs to provide authorization for NMLS to obtain an independent credit report.
The objectives of the SAFE Act include:
- aggregating and improving the flow of information to and between regulators
- providing increased accountability and tracking of MLOs
- enhancing consumer protections
- supporting anti-fraud measures
- providing consumers with easily accessible information at no charge regarding the employment history of and publicly adjudicated disciplinary and enforcement actions against MLOs
Agencies with Authority Over The SAFE Act
The SAFE Act required the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), and National Credit Union Administration (NCUA), with the Farm Credit Administration (FCA) and through the Federal Financial Institutions Examination Council (FFIEC), to develop and maintain a federal system for registering MLOs employed by covered financial institutions.
On July 28, 2010, the OCC, Board, FDIC, OTS, NCUA, and FCA (collectively the Agencies) published substantively similar regulations implementing the SAFE Act federal registration requirements for the institutions they supervise and the institutions’ MLO employees.
On July 21, 2011, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act), the CFPB assumed:
(1) responsibility for developing and maintaining the federal registration system (including rule-making authority),
(2) supervisory and enforcement authority for SAFE Act compliance for entities under the CFPB’s jurisdiction, and
(3) authority to oversee state compliance with SAFE Act requirements that had previously been under HUD’s authority.
Who is a mortgage loan originator? An MLO is an individual who (1) takes a residential mortgage loan application and (2) offers or negotiates terms of a residential mortgage loan for compensation or gain. The term mortgage loan originator does not include:
- An individual who performs purely administrative or clerical tasks on behalf of an individual who is an MLO;
- An individual who only performs real estate brokerage activities (as defined in 12 U.S.C. Section 5102(3)(D)) and is licensed or registered as a real estate broker in accordance with applicable state law, unless the individual is compensated by a lender, a mortgage broker, or other MLO or by any agent of such lender, mortgage broker, or other MLO, and meets the MLO definition; or
- An individual or entity solely involved in extensions of credit related to time-share plans, as that term is defined in 11 U.S.C. Section 101(53D).
Unique identifier means a number or other identifier that:
- permanently identifies a registered MLO;
- is assigned by protocols established by the Registry and the Bureau to facilitate electronic tracking of MLOs, as well as uniform identification of, and public access to, the employment history of and the publicly adjudicated disciplinary and enforcement actions against MLOs; and
- must not be used for purposes other than those set forth under the SAFE Act.
De Minimis Exception
The SAFE Act regulation provides an exception to the MLO registration requirements for any employee of a covered financial institution who has never been registered or licensed through the Registry as an MLO if during the past 12 months the employee acted as an MLO for five or fewer residential mortgage loans.
When an institution relies on the de minimis exception in lieu of registration, the MLO employee must register prior to originating the sixth residential mortgage loan within 12 months. Covered financial institutions are prohibited from engaging in any acts or practices to evade the registration requirement.
Mortgage Loan Originator (MLO) Registration Requirements
Each MLO employee of a covered financial institution must:
- register with the Registry,
- obtain a “unique identifier,”
- maintain the registration by updating certain information within 30 days of specified changes, and
- annually renew the registration during the annual renewal period.
Initial Registration
Each employee of a federally regulated institution who is an MLO must submit to the Registry the following:
- identifying information, including name, home address, social security number, gender, date of birth, and principal business location;
- financial-services-related employment history for the prior 10 years;
- disclosure of specified criminal, civil, judicial, or state, federal, or foreign financial authority
- regulatory actions against the employee; and
- fingerprints, for purposes of a Federal Bureau of Investigation background check.
The employee must:
- attest to the correctness of the information submitted to the Registry;
- authorize the Registry and the institution to obtain information related to any administrative, civil, or criminal action to which the employee is a party; and
- authorize the Registry to make certain information available to the public.
Maintaining Registration-Renewal
An MLO must renew his or her registration during the annual renewal period by confirming and updating his or her registration records. This requirement does not apply to an MLO who completed his or her initial registration less than six months prior to the end of the annual renewal period. Any registration that is not renewed during this period will become inactive, and the individual cannot act as an MLO at a covered financial institution until the registration requirements are met. Individuals who fail to update their registrations during this two-month renewal period may renew their registration at any time and need not wait until the start of the next annual renewal period.
Updates to Registration
An MLO must update his or her registration within 30 days for specified significant changes, including name changes, employment termination, and reportable changes to legal or regulatory actions.
Previously Registered Employees — Change of Employment
The regulations provide streamlined registration requirements for an MLO employee previously registered or licensed through the Registry who maintained this registration or license and who changes employment. Such an employee must update certain information, provide the required attestation and authorizations, and submit new fingerprints unless the employee has fingerprints on file with the Registry that are less than three years old. There is no grace period in this situation. An employee must update his or her Registry record before acting as a loan originator for the new employer.
Previously Registered Employees — Mergers, Acquisitions, or Reorganizations
A registered or licensed MLO whose employment changes as the result of a merger, acquisition, or reorganization has 60 days from the effective date of a merger, acquisition, or reorganization to update information in the Registry.
Required Financial Institution Information
In connection with the registration of one or more MLOs, financial institutions and certain of their subsidiaries must submit certain required information to the Registry:
- contact information;
- Employer Tax Identification Number;
- Research Statistics Supervision and Discount (RSSD) number issued by the Board;
- primary Federal regulator;
- primary point of contact for the Registry;
- individuals with authority to enter information into the Registry; and
- if a subsidiary of a financial institution, indication of that fact and the RSSD number of the parent institution, as applicable.
Once registered, the institution will receive an NMLS identification number for the institution to use in attesting to MLO employment and for other Safe Act-related purposes.
Authority and Attestation
An individual with authority to enter information in the Registry must verify his or her identity and attest that he or she has that authority, that the information is correct, and that the institution will keep the information current.
An institution may designate one or more individuals to serve as the system administrator(s) who may submit required information to the Registry on behalf of employees and attest to their authority to submit information, the accuracy of information submitted, and that the institution will keep information current and submit updates on a timely basis. System administrators generally may not be MLOs; however, an institution is exempt from this regulatory requirement if it has 10 or fewer full-time employees and is not a subsidiary.
Employer must Require MLO to Register and Employment Status
A covered financial institution must require an MLO employee to register with the Registry, maintain this registration, and obtain a unique identifier. A covered financial institution must also confirm each MLO’s employment status once the MLO submits registration information to the Registry and before the registration is activated.
Within 30 days of the date an MLO ceases to be an employee of the institution, the institution must notify the Registry of that fact along with the date the MLO ceased being an employee, so that consumers searching for an MLO in the publicly available consumer access portal will know that the MLO no longer has a relationship with the institution.
Employer Renewal and Updates
A covered financial institution must update the information it submitted to the Registry during the annual registration renewal period and must confirm the registration information provided by MLO employees during this period.
An institution must update the required institution information provided to the Registry within 30 days of any change in such information.
Employer Policies and Procedures
Covered financial institutions that have one or more MLO employees must adopt and follow written policies and procedures to carry out their SAFE Act responsibilities. The requirement to adopt and follow policies and procedures applies to all covered financial institutions that employ individual MLOs, where MLOs act within the scope of their employment, and regardless of the application of any de minimis exception to their employees.
In addition, covered financial institutions must conduct annual independent compliance tests to ensure compliance with the regulation. The policies and procedures must be appropriate to the nature, size, complexity, and scope of the institution’s mortgage lending activities and apply only to those employees acting within the scope of their employment at the institution. The policies and procedures must:
- Establish a process for identifying which employees of covered financial institutions must be registered;
- Require that all employees who are MLOs be informed of the registration requirements of the SAFE Act and SAFE Act regulation and instructed on how to comply;
- Establish procedures to comply with the SAFE Act regulation's unique identifier requirements;
- Establish reasonable procedures for confirming the adequacy and accuracy of MLO employee registrations, including updates and renewals, by comparisons with its own records;
- Establish reasonable procedures and tracking systems for monitoring compliance with registration and renewal requirements and procedures;
- Provide for annual independent testing for compliance with the SAFE Act regulation by institution personnel or an outside party;
- Provide for appropriate action if an employee fails to comply with the registration requirements of the SAFE Act regulations or the institution’s related policies and procedures, including prohibiting such employees from acting as MLOs or other appropriate disciplinary actions;
- Establish a process for reviewing employee criminal history background reports received pursuant to the regulation, taking appropriate action consistent with applicable federal law and implementing regulations with respect to the reports, and maintaining records of the reports and actions taken with respect to applicable employees; and
- Establish procedures designed to ensure that any third party with which the institution has arrangements related to mortgage loan origination has policies and procedures to comply with the SAFE Act and SAFE Act regulation, including appropriate licensing and/or registration of individuals acting as MLOs.
Unique Identifier
When an MLO registers with the Registry, he or she receives a unique identifier – a series of numeric characters assigned for life. The unique identifiers allow MLOs to be tracked if they move between state and federal jurisdictions and/or change employers, and help consumers to find certain information about a particular MLO when they search on the Registry’s consumer access portal. The MLO information that is publicly available on the consumer access portal will ultimately include federal and state registrations and licenses held, the MLO’s employment history, and publicly adjudicated disciplinary and enforcement actions, if any.
To make sure that consumers have access to an MLO’s unique identifier before committing to a mortgage loan transaction, an MLO must provide the unique identifier upon request (orally or in writing), before acting as an MLO (orally or in writing), and in any initial written communication (paper or electronic) from the MLO to the consumer (such as a commitment letter, good faith estimate, or disclosure statement). MLO unique identifiers may be used on written materials or promotional items distributed by the institution for general use, for example on loan program descriptions, advertisements, business cards, stationery, notepads, and similar materials; the SAFE Act regulation does not prohibit such use.
The regulation also requires institutions to make MLO unique identifiers available to consumers in a practicable way. This could be achieved, for example, by:
- Directing consumers to a listing of registered MLOs and corresponding unique identifiers on the institution’s website;
- Posting the information prominently in a publicly accessible place, such as a branch office lobby or lending office reception area; and/or
- Establishing a process to ensure that institution personnel provide MLO unique identifiers when requested by consumers from employees other than the MLO.
CFPB SAFE Act Examination Objectives and Procedures
Below are the objectives and procedures of the Consumer Financial Protection Bureau when examining MLOs and their employers.
Objectives
- To determine whether the financial institution has adopted written policies and procedures designed to assure compliance with the SAFE Act regulation.
- To determine whether the annual independent testing of the institution’s policies and procedures for assuring compliance with the SAFE Act regulation has been conducted.
- To determine whether any violations or deficiencies identified during the independent testing have been corrected and that steps have been taken to ensure they do not recur.
CFPB Examination Procedures
1) Determine whether the financial institution, or any of its subsidiaries, has one or more MLO employees. For those institutions without any MLO employees, these examination procedures do not need to be completed. (12 CFR 1007.103(a)(2))
2) Determine for those financial institutions with MLO employees whether the institution has adopted written policies and procedures and conducts annual independent compliance tests to assure compliance with the SAFE Act regulation. If the institution has failed to adopt policies and procedures and to perform annual independent compliance tests, the examiners should address the violation in the examination report and require corrective action. (12 CFR 1007.104)
3) Review the financial institution’s written policies and procedures and the annual independent compliance tests to determine whether the institution has taken appropriate steps to assure compliance with the SAFE Act that at a minimum:
a) Establish a process for identifying which employees of the financial institution are required to be registered MLOs; (12 CFR 1007.104(a))
b) Require that all employees of the financial institution who are MLOs be informed of the registration requirements of the SAFE Act and the SAFE Act regulation and be instructed on how to comply with such requirements and procedures; (12 CFR 1007.104(b))
c) Establish procedures to comply with the unique identifier requirements in Section 105 of the SAFE Act regulation; (12 CFR 1007.104(c))
d) Establish reasonable procedures for confirming the adequacy and accuracy of employee registrations, including updates and renewals, by comparisons with its own records; (12 CFR 1007.104(d))
e) Establish procedures and tracking systems for monitoring compliance with registration and renewal requirements and procedures; (12 CFR 1007.104(e))
f) Provide for independent testing for compliance with the SAFE Act regulation conducted annually by institution personnel or by an outside party; (12 CFR 1007.104(f))
g) Provide for appropriate action in the case of an employee who fails to comply with the registration requirements of the SAFE Act, the SAFE Act regulation, or the financial institution’s policies and procedures, including prohibiting such employees from acting as an MLO or other appropriate disciplinary actions; (12 CFR 1007.104(g))
h) Establish a process for reviewing employee criminal history background reports received pursuant to the SAFE Act regulation, taking appropriate action consistent with applicable federal law, including Section 19 of the Federal Deposit Insurance Act (12 U.S.C. Section 1829) and implementing regulations with respect to these reports, and maintaining records of these reports and actions taken with respect to applicable employees; and (12 CFR 1007.104(h))
i) Establish procedures designed to ensure that any third party with which the institution has arrangements related to mortgage loan origination has policies and procedures to comply with the SAFE Act, including appropriate licensing and/or registration of individuals acting as MLOs. (12 CFR 1007.104(i))
4) Any significant deficiencies in the institution’s SAFE Act regulation policies and procedures or independent compliance tests should be documented in the workpapers and discussed in the examination report together with corrective actions taken.