Ohio Enacts the Nation's First Transitional MLO Licensing Law for Out-of-State MLOs

Ohio recently enacted a law that allows for an individual licensed as a mortgage loan originator in another state to obtain a temporary MLO license in Ohio. A temporary MLO license can be issued to an out-of-state MLO to allow that individual to engage in the business of a mortgage loan originator while completing the requirements necessary to obtain an Ohio MLO license. The temporary license will only be valid for up to 120 days, and cannot be renewed.

In order to qualify for this temporary license, an individual must have at least two years of residential mortgage lending experience in the immediately preceding five years. The individual must also not have previously applied for a temporary MLO license in Ohio. Additionally, the individual cannot have had an MLO (or comparable) license revoked. Further, the person cannot have been convicted of, or plead guilty or no contest to, a misdemeanor involving theft or a felony within the previous seven years, or any felony involving fraud, dishonesty, breach of trust, theft, or money laundering.

There will be an application fee associated with obtaining the temporary license. Applicants will also have to be registered, fingerprinted, and have a valid unique identifier through the NMLS at the time of application. Authorization must also be given for the NMLS to obtain a credit report and submit that report to the Ohio Superintendent of Financial Institutions. Individuals must also be sponsored by an employing entity in connection with their application.

There are also affirmative obligations that the new law imposes on sponsors of temporary licensees. For one, sponsors have an affirmative duty to supervise the conduct of each temporary licensee in the same manner as is required for regular MLO licensees. Additionally, sponsors must notify the Ohio Division of Financial Institutions through the NMLS upon the termination of a temporary licensee's employment or association with the sponsor. Once such notice is received, the sponsor will not be responsible for the conduct of the terminated individual.

The law also allows for rule-making to further aid in the implementation of this new licensing scheme. The law becomes effective March 19, 2013.

This transitional MLO licensing scheme is the first of its kind in the United States. It reflects Ohio's desire to create a less rigid licensing law whereby out-of-state licensed MLOs can more quickly begin engaging in the business of mortgage loan originators in Ohio. It will be interesting to see whether other states follow Ohio's lead. We will monitor similar state initiatives.

- Matthew Saunig

Noted Data Security and Privacy Attorney Amy Mushahwar Joins Ballard Spahr

Amy S. Mushahwar has joined Ballard Spahr as of counsel in our Washington, D.C., office. She is a member of our Mortgage Banking Group, as well as the firm’s nationally recognized Consumer Financial Services, E-Discovery and Data Management, and Privacy and Data Security Groups. 

Amy has developed in-house compliance policies, procedures, and training programs for Fortune 500 companies across the nation. They include businesses in the mortgage, banking, and consumer finance areas as well as other industries.

Amy’s work also includes conducting online and offline privacy assessments and information security policy audits. For more information on the data security issues that Amy helps clients confront, read her “Information Security Preparedness Checklist” (her first contribution to the Mortgage Banking Update) below.

Information Security Preparedness Checklist

Helping Your Organization Go Back to Basics with Information Risk Management

Financial services companies are under constant attack by cyber criminals to hack, skim, socially engineer, or even dumpster dive consumer data out of an organization. Given the virtually limitless ways that criminals can attack companies, information security is no longer a task that should be solely delegated to company IT departments. Effective information risk management requires a top-driven, coordinated strategy implemented across the company.

And yet, even companies constantly subject to attacks can find it difficult to have an internal dialogue regarding cyber security as a business process. This high-level checklist can be useful to help legal counsel and executives alike encourage such dialogue.

Data Mapping:
All IT assets should be mapped to identify the fields of data available on each asset. If your organization's IT assets are mapped, this will increase your internal awareness of legacy systems and the systems coming into your organization via merger or other asset purchase. At a minimum, the inventory should include: name of system/platform, DNS names, type of device, operating system, IP address(es), MAC address(es), date of installation, vendor contact (if applicable), and data owner (with up-to-date contact information). In addition, you should make sure that your company regularly updates the mapping when systems are changed, acquired, or decommissioned.

Employee Permissions and Policies:
Employees are your company's first line of defense to prevent a data security incident. Make sure your employees have the necessary tools to help the organization succeed, including:

• Effective access controls and user permissions to limit information access to those with a need to know. It is a good idea to develop a practice of reviewing individual access privileges periodically.
• Policies that are up-to-date, crisp, clear, and comprehensible to all members of your organization
• Policies that address employees bringing their own devices, remote access employees, and social media
• Do you require and document signed employee agreements to your information security policies as well as privacy and confidentiality policies?

Vendor Contracting Process:
Given that vendors are a major source of information security headaches, the vendor contracting process is crucial. For each vendor that you do business with and where the vendor has access to or collects personal consumer information on your company's behalf, ensure appropriate contractual provisions are in place to address: network security, application security, data security, data destruction, security breach notification, vendor data use, subcontractor data security requirements, and compliance audits you will conduct on such vendors. In addition, it is important to sensitize your marketing and procurement teams to the contractual risks related to free or low-cost Web services, since such providers often pose the greatest compliance risks.

Data Incident Response Plans:
In the event that your company suffers a data incident, there is no time to learn on the fly. Companies must have a clearly defined and readily available data incident response plan in place. The plan should outline:

• The team representatives from the various operational groups within your organization, including staff from the IT department, human resources, legal, and public relations, among others
• Up-to-date 24-7 contact information for all members of this team
• A standard conference line and notification procedure timeline
• A hierarchy for decision-making
• External forensics technical contacts
• Do's and don'ts tips for evidence preservation and general incident team e-mails

Disaster Recovery and Business Continuity Planning:
In addition to planning for data incidents, companies should also be prepared for disruptive events. A disaster recovery plan is a blueprint for resuming operations if your organization needs to shut down or if it suffers a data loss, whereas a business continuity plan helps your employees determine under what parameters they can continue to make money and how to do so. Companies should conduct both types of planning.

Employee Training:
Policies and procedures must be coupled with an effective organizational training program. Ensure your company is training employees regarding general security awareness and your internal corporate security policies. Consider which employees must receive mandatory training depending upon the data that they handle and how that training will be documented and deployed by HR (with periodic re-training). Also consider voluntary lunch and learns regarding information security and organizational risk management to build a company culture of security.

Security by Design:
Ongoing security dialogues are even more critical in the product development process. As an organization, do you build security into your IT and application development lifecycles? If not, now is the time to implement a comprehensive development lifecycle process that, from the start, includes security planning, review, and testing and then later touch points in the coding and deployment processes. Consider including these touch points as sign-off requirements of your company's standard development forms.

Develop and Internal Security/Date Governance Committee:
Change is inevitable! Develop a team that is tasked with reviewing security governance practices. Ensure that there is an established distribution list and a regular meeting schedule and agenda to ensure that all security policies are reviewed on an ongoing basis during appropriate times for the business units. When developing your review schedule, take into account the (1) IT audit schedule, (2) procurement/budgeting review period, and (3) business unit development "black-out" times, as well as any other company-specific timing considerations.

Become Part of the Outside Security Community:
The financial services sector has one of the most robust security communities and information sharing networks. Ask if your information security professionals are part of the broader financial services community networks, such as FS-ISAC or BITS (the Technology Policy Division of the Financial Services Roundtable) or general information security networks such as the CISO Executive Network.

This checklist is by no means exhaustive, but it should be a good starting place for your internal conversations. We are available to help customize your approach to these issues and provide expert counseling on developing all related policies, procedures, and processes. Contact Amy S. Mushahwar or Mercedes Kelley Tunstall to discuss.

- Amy S. Mushahwar

Justice Department Settles ADA Claims against Debt Collector

A recent Department of Justice settlement with a debt collection law firm that was accused of violating the Americans with Disabilities Act exemplifies the mounting federal scrutiny of the debt collection industry. The DOJ launched an investigation after two deaf individuals filed complaints claiming that the firm had violated the ADA by refusing to accept calls they made using a relay service designed to assist callers with impaired hearing.

Title III of the ADA prohibits discrimination against people with disabilities at places of public accommodation, including law firms. Title III requires public accommodations to make reasonable modifications to their policies, practices, and procedures when necessary to afford equal access to people with disabilities, unless doing so would fundamentally alter the goods or services provided. The DOJ is authorized to file civil actions under Title III seeking civil penalties and monetary relief for aggrieved persons.

Both complaints alleged Title III violations. In one complaint, a law firm employee was alleged to have violated the ADA when he hung up on the complainant, and in the other, an employee was alleged to have violated the ADA when he refused to take the complainant’s call and told her to call back at another time when a manager was present. In the settlement, the law firm acknowledged that the second employee was following the firm’s instructions.

The settlement requires the law firm to pay $30,000 in compensation to the complainants. It also requires the firm to adopt and implement a new policy (attached to the settlement agreement) for ensuring that the firm can effectively communicate with individuals with disabilities. This policy sets forth the firm’s obligation to provide, free of charge, various “auxiliary aids and services” to enable the delivery of information to individuals who are deaf, are hard of hearing, or have speech disabilities, as well as to those who are blind or have low vision.

In addition, the policy contains examples of the types of equipment, materials, and services that may serve as appropriate “auxiliary aids and services.” The firm’s employees must receive training on the firm’s ADA obligations, with the training materials to be approved in advance by the DOJ.

- Barbara S. Mishkin

Introducing Ballard Spahr's Health Care Reform Dashboard

The New Year is ushering in the launch of our Health Care Reform Dashboard, an online resource center designed to keep you informed of the latest developments in the Affordable Care Act. Many of the law's requirements will take effect in 2013, and major decisions are looming for employers.

The Dashboard will feature news, analysis, and links to critical primary sources such as agency announcements and proposed regulations and requirements. It can help you decipher and prioritize complex legislative and regulatory requirements and plan for the future.

The team behind the Dashboard includes members of our Heath Care Reform Initiative—attorneys with recognized knowledge and skill in laws affecting employee benefits, health care, labor and employment, and tax.

For more information, please contact Brian M. Pinheiro at 215.864.8511 or pinheiro@ballardspahr.com, Jean C. Hemphill at 215.864.8539 or hemphill@ballardspahr.com, or Edward I. Leeds at 215.864.8419 or leeds@ballardspahr.com.

Investment Management Update

Hedge fund managers could face critical decisions under a rule change by the Commodity Futures Trading Commission that rescinds language exempting certain entities from registration as commodity pool operators (CPOs). A federal court last month turned aside a challenge to the rule amendments by the U.S. Chamber of Commerce and the Investment Company Institute. The exemption has been widely used by hedge funds.

Other recent developments include a Financial Stability Oversight Committee (FSOC) proposal on money market reform, a complaint filed by the Securities and Exchange Commission (SEC) over a fund’s valuation of subprime mortgage-backed securities during the financial crisis, and the resignation of SEC Chair Mary Schapiro.

Click here to read the complete update from our Investment Management Group.