Credit Technologies, Inc.

Credit Technologies has been advised that effective immediately, the IRS has begun verifying the address(s) provided on all 4506T requests.  Requests that do not contain  an address that matches the current address on file with the IRS will be rejected and are subject to the standard fee. This places additional importance on the applicant including (as either the current or previous address,) the address believed to be on file with the IRS. To clarify, the logic used by the IRS is as follows,

One of the addresses provided on the 4506T form must match IRS records (typically the address used on the last filed Federal Tax Return.) If neither supplied address is matched, the request will be rejected.

Should a consumer need to update an address, IRS FORM 8822 should be completed and transmitted to the IRS 4-6 weeks prior to any request for tax documents.

We have also been advised that these additional requirements will result in delays on the part of the IRS in processing. Initial impact seems to be about an additional 24 hour delay in receiving tax transcript requests.

For additional information on IRS4506 tax transcript services, please call 800.445.4922 Option 1.

Urgent Update to Mortgage Security Breaches – Please Read The Entire Notice

 This notice contains,

• Critical information on the virus currently targeting mortgage brokers
• Steps Credit Technologies is taking to enhance security that may impact your access credit data.
• Immediate actions you should take to protect yourself from these attacks

On 4/2/2010, we issued an alert about an email based virus that was targeting mortgage brokers and lenders Nationwide. This “key logger” virus, continues to be sent to thousands of mortgage professionals. Once infected, the hackers are able to collect all information on the infected computer including access to your banking, credit card and credit reporting accounts – virtually anything that is accessed from that computer including access to your LOS and borrower files.  These attacks are continuing with alarming success. The hackers are finding that many mortgage professionals do not have adequate security in place and are able to access their computers and effect data breaches. To date, these breaches have impacted hundreds of mortgage professionals and thousands of consumers.

 Steps Credit Technologies Is Taking

 In order to assist our clients in combating these attacks, Credit Technologies is taking immediate action to enhance security procedures as it applies to protecting consumer credit data including, 

• Effective immediately – The default daily order limits have been reduced to 10 reports a day (per user login.) This can be adjusted on an as-needed basis.
• After Hours Web Access Restrictions – Effective April 12 2010, after hours web access will be available only to devices on which a security certificate has been installed (you are automatically prompted to install the security certificate the first time you access Credit Technologies.) This will not impact users that access through a LOS, FNMA or FMAC. Full web access will be available Monday-Friday, between the hours of 8:00AM and 10:00PM Eastern (5:00am-7:00PM Pacific.)

 We are currently developing additional security features including enhancements to the security certificate that will further protect your account from potential data breaches.

 Steps You Should Take immediately 

• Make sure you have anti-Virus and Anti-Spyware protection installed on EVERY computer that has access to the Internet and that it is set to automatically update not less than once per week. This simple solution will protect you from this ongoing attack. If you do not have Anti-Virus software installed, it must be installed and a full system scan completed prior to accessing consumer credit data. Credit Technologies does not endorse or require any specific brand of anti-virus software. There are numerous versions available including free versions such as Avast
• Make sure every computer with access to the Internet is protected by a Firewall. This protects your computer from hackers that scan the Internet looking for unprotected computers, then accesses your computer through an unlocked or open port. These types of intrusions can happen without you receiving any virus email or clicking on any link. Most operating systems (i.e. Microsoft Windows) have a built in Firewall, just make sure it is turned on. There are also numerous other firewall programs available, including a free version offered by ZoneAlarm
• Once you have current and up to date Anti-Virus and Spyware protection – complete a full system scan of all computers to confirm that no viruses are present. Once this scan is complete, we strongly suggest you evaluate all login credentials (not just those for accessing Credit Technologies) and select passwords that cannot be guessed or easily researched through the Internet or through background searches (the hackers are using cheap background searches to defeat security questions such as “Where Were You Born”, or “Parents Names”.)

We strongly urge you to share this information with every employee and promote the recommendations contained therein.  Credit Technologies will keep you apprised of any further developments regarding this issue.

Thank you for choosing Credit Technologies and for your swift adoption of these safeguards.

In recent days the credit bureaus and Federal law enforcement have seen a sudden and significant increase in the number of mortgage professionals falling victim to computer hackers resulting in data breaches and cases of identity theft. One example includes an e-mail claiming to be from UPS attempting to verify the user’s address for a delivery.  Here’s an example of one form of the virus email…

“UPS Delivery Problem NR.5660
UPS_Invoice_7892.zip
From: <Redacted>
Sent To: <Redacted>
Subject: Attachments:

From: Postal Manager Rogello Jewell [mallto:pan:el@ups.com] sent Sat 3/6/2010 10:27 AM
Subject: UPS Delivery Problem NR.5660

Dear Customer!

We were not able to deliver postal package you have sent on the 25th of January in time because the addressee’s address is incorrect.  Please print out the invoice copy attached and collect the package at our office. 

United Parcel Service of America.”

When the user clicks on the link, a “key logger” virus is installed (this happens in the background and is not noticeable to the user.)  This virus then tracks and records every key stroke made on that computer and sends the information to the hackers. Once the hackers have the users logins and passwords they have access to all user data including banking, credit card and credit reporting.

 These hackers appear to be specifically targeting mortgage brokers and seem to have knowledge of the mortgage banking industry and practices.  They have also been able to defeat the security certificate by “guessing” at secret questions that are far too easy or by using the Internet to research common answers to the secret question. Once they solve the secret question, they are able to gain full access to that users credit reporting account (in addition to any/all information accessible by that user.)

 To reduce the chance of falling prey to this virus and scam, (and to comply with Federal Laws and repository regulations regarding the protection of consumer credit data) Every user should immediately complete the following steps…

1.     Verify that all computers utilized are running anti-virus and anti-spyware software.
2.     Update all antivirus and anti-spyware software to insure you are using up-to-date virus detection models.
3.     Each computer should also be running an appropriate firewall service – with the default to block any unknown program or access. (i.e. Windows Defender or ZoneAlarm)
4.     Once updated, run a full antivirus/antispyware scan of your entire computer(s).
5.     Once confirmed that your computer is not infected, change your Credit Technologies password (and any other secure passwords to private information).
6.     Review any secret question/answer combination to insure the answer cannot be researched and located through the internet.

Additional best practices that can limit your risks of contracting a virus include,

 - Whenever possible limit personal internet usage on corporate computers
- Never open any e-mailed link or attachment that you were not expecting, even if you recognize the sending party.
- All computers should be set to automatically update antivirus software, and routinely install Microsoft Critical Updates (preferably automatically).

At the first sign of trouble – have your computer checked again and immediately contact your administrator or IT professional.  After an infection is found and removed a full review needs to be completed to locate any private information that may have been compromised.  Any credit card numbers should be cancelled, all passwords changed, etc immediately.

 Thank you for your immediate attention to this issue.

EasyRedFlag

The FTC has for the 4th time, issued an enforcement delay of the FACTA Red Flag rules until June 1, 2010. In fact, this is a “partial” delay. Not all entities required to comply with FACTA Red Flag benefit from the extension and not all of the FACTA requirements have been delayed. Here’s what happened… 

On October 20, 2009, the House of Representatives unanimously approved HR 3763, a bill which would exempt from the coverage of the Red Flags Rule any health care, accounting, or legal practice with twenty or fewer employees, as well as certain other businesses. For that reason, on October 29, 2009, certain members of Congress requested that the Commission further delay enforcement in order to allow Congress to finalize legislation. The Commission believes that such delay is warranted so that it does not begin to enforce a regulation that Congress plans to supersede. Accordingly, the Commission is extending its forbearance from bringing any enforcement action for violation of the Red Flags Rule against a financial institution or creditor that is subject to administrative enforcement by the FTC until June 1, 2010.

A few important notes regarding this partial enforcement delay -

• Only those governed by the FTC received the enforcment delay.  Entities such as Depository institutions (FDIC) or Credit Unions (NCUA) have been required to comply since 11/1/2008.
• Only section 114 of FACTA (pertaining to identity theft) is covered under this extension. Section 315 dealing with Reconciling addresses has been in effect since 11/1/2008
• Although the FTC granted this enforcement delay, many States (and lenders) are already including FACTA compliance in their requirements and auditing process. 

Here’s an excerpt from the FTC’s press release announcing the delay -

“At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

 The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009. The Commission staff has continued to provide guidance to entities within its jurisdiction, both through materials posted on the dedicated Red Flags Rule Web site (www.ftc.gov/redflagsrule), and in speeches and participation in seminars, conferences and other training events to numerous groups. The Commission also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form. FTC staff has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.”

The entire release is avialable on the Federal Trade Commission website at http://www.ftc.gov/opa/2009/10/redflags.shtm

A new catch-phrase has been created in the mortgage industry “Credit Score Phishing.” This is used to describe a process whereby a mortgage broker or lender, through their Credit Reporting Agency (CRA) reviews all available FICO score models, and then selects the highest of those scores for use on mortgage loan applications.

Both GSEs (Fannie Mae and Freddie Mac) have created policies stipulating the accepted FICO score models and have recently issued multiple memos to those submitting loans to FNMA and FMAC. These notices reiterate the requirement that only approved FICO score models be used. Similar warnings were sent to all participating CRAs. At present, the only credit scoring models approved by both GSEs are,

•Equifax Beacon 5.0
•TransUnion FICO Risk Score, Classic 04
•Experian/Fair Isaac Risk Model V2

It should be noted that while GSE underwriting systems (FNMA Desktop Underwriter and FMAC Loan Prospector) do not currently have the ability to detect/reject a loan based on  the credit score model submitted, both have warned against the use of any non-approved score models.

Despite these warnings, some CRAs are still providing brokers and lenders credit reports containing prohibited scoring models, in violation of GSE policies. Those submitting tri merge credit reports containing unapproved scoring models run the risk of penalties and sanctions by the GSEs that could include loan buy back, rejection of future loans and/or refusal to accept credit reports from credit reporting agencies found in violation of GSE policies.

More information on FNMA / FMAC credit score requirements are available at,

https://www.efanniemae.com/sf/technology/ou/du/pdf/ducreditscoremodel.pdf

http://www.loanprospector.com/about/crc.html

In an effort to stem the tide of mortgage fraud associated with misstated income, Fannie Mae announcement 09-19 tightens the requirements regarding the use of IRS tax transcripts to verify mortgage borrower income.

FNMA now “highly recommends” that 4506-T transcripts be obtained from the IRS (or designee) for the transaction prior to closing and is used to validate the income documentation provided by the borrower and used in the underwriting process.

Effective, September 1, 2009, Fannie Mae requires all lenders to:

• Obtain from the borrower(s) a completed and signed Form 4506-T at both loan application and closing.
• Include the execution of Form 4506-T to the lender’s written quality control plan.
• Verify that all loans selected for quality control review, whether under the random or discretionary sampling include, in addition to all current requirements, the execution and reconciliation of the transcript information with the income documents in the loan file.

These requirements have caused a significant increase in the number of lenders requiring brokers and correspondents to include executed 4506T transcripts with every loan package.

Credit Technologies is an authorized IRS designee and IVES (Income Verification Express Service) provider. Tax return, W-2 and 1099 transcripts are typically available in about 24 hours. More information is available at http://www.credittechnologies.com/4506_Lender.asp or call 800.445.4922.

Fannie Mae Memo 09-19 can be read in its entirety at https://www.efanniemae.com/sf/guides/ssg/annltrs/pdf/2009/0919.pdf

In addition to the increase in the use of AVMs associated with the Home Valuation Code of Conduct (HVCC), we’re seeing a trend of conforming lenders requiring the submission of an AVM on the subject property.  The lender then uses the AVM to support the valuation, often in lieu of obtaining a full desk review.  If the AVM does not support the stated value, or it does not accompany the application the lender may reject the application.

An AVM is an instant, computer generated residential property valuation report.  In seconds, AVM’s provide detailed data regarding the subject property including an estimate of value at a fraction of the cost of a traditional appraisal. In most cases, this is a cost born by the mortgage broker that cannot be passed to the consumer.  (View a sample AVM report)

It makes sense for mortgage brokers and correspondents to know the AVM valuation the lender will be using prior to submitting the file – especially when considering the delay in obtaining the full appraisal (compliments of HVCC.)  CT provides instant online access to the most often utilized AVM models at minimal costs and without any account set up or monthly minimum fees.

Visit http://www.credittechnologies.com/Automated_Valuation_Models_AVM.asp to learn more including setting up your free account or activating AVM access on an existing account.

Consumers needing a fast and accurate value on their, or any property can also access to the same AVM property valuations used by mortgage lenders, appraisers, Realtors^® and attorneys nationwide without having to establish an account at http://www.credittechnologies.com/avm.asp

• Initial Fees - Lenders may only collect a fee for the reasonable cost of a credit report prior to the issuance of the initial disclosures. Disclosures must be given before the consumer pays any fee, other than a bona fide and reasonable fee for obtaining the consumer’s credit history.
• Initial Disclosure Statement - Lenders must continue to issue disclosures 3 business days from application, however, the issuance of the initial TIL Statement now extends to “any extension of credit secured by the dwelling of a consumer” which includes refinance transactions and home equity loans.
• Notice of  “No Requirements to Complete” - The MDIA requires that the early disclosures contain a clear and conspicuous notice containing the following statement: “You are  not required to complete this agreement merely because you have received these disclosures or signed a loan application.”
• Revised APR  Three Business Day Notice - If the APR is out of tolerance, lenders must re-disclosure three business days prior to consummation. 
• Seven Business Days Prior to Consummation - Lenders must allow applicants to have a 7 business day waiting period after mailing or delivering the TIL prior to closing of the loan.  This timing is not based on receipt date (or assumed receipt date) by the consumer- the timing begins with the mailing or delivery by the lender.
• Waivers - Borrowers may waive both the seven-day and three-day waiting period to meet a bona fide personal financial emergency.   However, if the TIL Statement is out of tolerance, the waiver is no longer effective.  After re-disclosure, borrowers must submit a signed statement describing the emergency. 
• Denied or withdrawn applications - Lenders may determine within the three-business-day period that the application will not or cannot be approved on the terms requested.  If the consumer withdraws the application within the three-business-day period, the creditor need not make the disclosures under this ruling.
• Written application – RESPA defines a written application as the submission of a borrower’s financial information in anticipation of a credit decision relating to a Federally related mortgage loan.  An application is considered received when it reaches the creditor by mail, hand delivery, or through an intermediary agent or broker.

• Timeshare Transactions - Lenders must comply with the initial disclosure requirements; however, both the 3- and 7-day waiting periods do not apply.

Further complicating the mortgage process, Fannie Mae announcement 9-19 tightens the credit report expiration dates…

“The maximum age of credit documents is reduced from 120 days to 90 days for existing construction and from 180 days to 120 days for new construction. Credit documents include credit reports and employment, income, and asset documentation. The age of the documents is measured from the date of the document to the date the note is signed.”

These new requirements will likely lengthen average app-to-close times resulting in more credit reports expiring.  This will require new credit reports be obtained at additional cost to the borrower(s) and risk changes occurring in the report that may result in lower FICO scores – thereby endangering the deal or at very least causing yet additional delays and potentially lock expirations.

FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the “Red Flags” Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written identity theft prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009.

The entire press release is available at http://www.ftc.gov/opa/2009/07/redflag.shtm

To learn more about Red Flag, or to register for an upcoming free EasyRedFlag webinar, please visit www.EasyRedFlag.com.

Critical data needed to help mortgage applicants improve their credit report and FICO scores is often hidden on tri-merge credit reports.

FICO^®scoring is the most misunderstood facet of credit reporting. Before undertaking any actions in an attempt to improve your borrower’s score, it’s important that you first understand “why they have the score they have.” The biggest surprise to most loan originators is that your tri merge report hides most of your borrower’s credit data.

“When reviewing a tri merge credit report, you are able to see only 1/3 of the consumer’s actual credit history.”

It’s difficult, (depending on your credit provider – it may be impossible) to accurately assess your borrower’s credit file based on reviewing a tri-merge report, as the logic used in creating the report, hides most (two thirds) of the consumer’s credit data.  Here’s an example,

Most creditors report data to all three repositories (Experian, Trans Union and Equifax.) Every tri-merge report contains data from all three sources, but you don’t want to see three examples of every trade line (three copies of each mortgage, car loan and credit card…) so CRAs employ a de-duping process we refer to as  “pick and choose logic.” Essentially, all examples of a given trade line are compared, and the most recent version containing the most derogatory data is selected and placed on your credit report. The other two versions of that item are suppressed and an abbreviation or code is added to the trade line to reflect which repositories contain data from that creditor. The problem with this method is readers assume that what they see on their tri-merge report is the same data that appears on the other “hidden” repositories – rarely is this the case.

This is why you can conduct a line-by-line review of a file that has significant differences in the FICO scores between the three repositories and be unable to determine “why” the scores are different. The answer is hidden in the 2/3rds of the data you cannot see. This is also the reason why so many rescoring attempts end in failure. Credit Technologies created a simple, free solution to this problem. With a single mouse click, we compare the data on all three repository files and highlights the variations. We call this the ability to see “the data behind the score”. This makes it simple for you to determine why the scores are different, and what steps are required to reach the needed score goals.

Adding to scoring frustration, loan originators often develop “tunnel vision’ when assessing an applicant’s credit and scores, focusing on any derogatory items that may appear. Very often, those items (especially if they are more than 24 months old) have little to do with the negative score result. The answers lie in the factors or comments listed directly below each score value. These comments are listed in order of what had the most negative impact to the score. To maximize score improvement, you should focus on the top listed items. Let’s look at an example…

SCORE: 629    Trans Union FICO Classic (04)
010 – Proportion of balances to credit limits is too high
014 – Length of time accounts have been established
005 – Too many accounts with balances
002 – Level of delinquency on accounts

This is a classic example of a file that often causes mortgage professionals to miss opportunities. This consumer has many prior delinquencies reported on their file but…they are all older (24+ months.) Because of the ages of the derogatory trade lines, they are having little impact on the consumer’s FICO score. As the factors indicate – the key to improving this consumer’s score is to avoid derogatory “tunnel vision” and focus on the issues affecting the consumer’s score – in this case, revolving ratios.

As with many things, the key to success is education – this is especially true with FICO scoring. To learn more about FICO scoring education and the advantages of rescoring, please visit http://credittechnologies.com/MortgageAlchemy.asp

Thomas P. Conwell III
President, Credit Technologies, Inc.^®
Director, National Credit Reporting Association (NCRA)

© Copyright 2009 , Credit Technologies, Inc. – All Rights Reserved.  FICO^® is a registered trademark of the Fair Isaac Company