Mortgage Banking Update - January 10, 2013

by Ballard Spahr LLP

Ohio Enacts the Nation's First Transitional MLO Licensing Law for Out-of-State MLOs

Ohio recently enacted a law that allows for an individual licensed as a mortgage loan originator in another state to obtain a temporary MLO license in Ohio. A temporary MLO license can be issued to an out-of-state MLO to allow that individual to engage in the business of a mortgage loan originator while completing the requirements necessary to obtain an Ohio MLO license. The temporary license will only be valid for up to 120 days, and cannot be renewed.

In order to qualify for this temporary license, an individual must have at least two years of residential mortgage lending experience in the immediately preceding five years. The individual must also not have previously applied for a temporary MLO license in Ohio. Additionally, the individual cannot have had an MLO (or comparable) license revoked. Further, the person cannot have been convicted of, or plead guilty or no contest to, a misdemeanor involving theft or a felony within the previous seven years, or any felony involving fraud, dishonesty, breach of trust, theft, or money laundering.

There will be an application fee associated with obtaining the temporary license. Applicants will also have to be registered, fingerprinted, and have a valid unique identifier through the NMLS at the time of application. Authorization must also be given for the NMLS to obtain a credit report and submit that report to the Ohio Superintendent of Financial Institutions. Individuals must also be sponsored by an employing entity in connection with their application.

There are also affirmative obligations that the new law imposes on sponsors of temporary licensees. For one, sponsors have an affirmative duty to supervise the conduct of each temporary licensee in the same manner as is required for regular MLO licensees. Additionally, sponsors must notify the Ohio Division of Financial Institutions through the NMLS upon the termination of a temporary licensee's employment or association with the sponsor. Once such notice is received, the sponsor will not be responsible for the conduct of the terminated individual.

The law also allows for rule-making to further aid in the implementation of this new licensing scheme. The law becomes effective March 19, 2013.

This transitional MLO licensing scheme is the first of its kind in the United States. It reflects Ohio's desire to create a less rigid licensing law whereby out-of-state licensed MLOs can more quickly begin engaging in the business of mortgage loan originators in Ohio. It will be interesting to see whether other states follow Ohio's lead. We will monitor similar state initiatives.

- Matthew Saunig

Noted Data Security and Privacy Attorney Amy Mushahwar Joins Ballard Spahr

Amy S. Mushahwar has joined Ballard Spahr as of counsel in our Washington, D.C., office. She is a member of our Mortgage Banking Group, as well as the firm’s nationally recognized Consumer Financial Services, E-Discovery and Data Management, and Privacy and Data Security Groups. 

Amy has developed in-house compliance policies, procedures, and training programs for Fortune 500 companies across the nation. They include businesses in the mortgage, banking, and consumer finance areas as well as other industries.

Amy’s work also includes conducting online and offline privacy assessments and information security policy audits. For more information on the data security issues that Amy helps clients confront, read her “Information Security Preparedness Checklist” (her first contribution to the Mortgage Banking Update) below.

Information Security Preparedness Checklist

Helping Your Organization Go Back to Basics with Information Risk Management

Financial services companies are under constant attack by cyber criminals to hack, skim, socially engineer, or even dumpster dive consumer data out of an organization. Given the virtually limitless ways that criminals can attack companies, information security is no longer a task that should be solely delegated to company IT departments. Effective information risk management requires a top-driven, coordinated strategy implemented across the company.

And yet, even companies constantly subject to attacks can find it difficult to have an internal dialogue regarding cyber security as a business process. This high-level checklist can be useful to help legal counsel and executives alike encourage such dialogue.

Data Mapping:
All IT assets should be mapped to identify the fields of data available on each asset. If your organization's IT assets are mapped, this will increase your internal awareness of legacy systems and the systems coming into your organization via merger or other asset purchase. At a minimum, the inventory should include: name of system/platform, DNS names, type of device, operating system, IP address(es), MAC address(es), date of installation, vendor contact (if applicable), and data owner (with up-to-date contact information). In addition, you should make sure that your company regularly updates the mapping when systems are changed, acquired, or decommissioned.

Employee Permissions and Policies:
Employees are your company's first line of defense to prevent a data security incident. Make sure your employees have the necessary tools to help the organization succeed, including:

  • Effective access controls and user permissions to limit information access to those with a need to know. It is a good idea to develop a practice of reviewing individual access privileges periodically.
  • Policies that are up-to-date, crisp, clear, and comprehensible to all members of your organization
  • Policies that address employees bringing their own devices, remote access employees, and social media
  • Do you require and document signed employee agreements to your information security policies as well as privacy and confidentiality policies?

Vendor Contracting Process:
Given that vendors are a major source of information security headaches, the vendor contracting process is crucial. For each vendor that you do business with and where the vendor has access to or collects personal consumer information on your company's behalf, ensure appropriate contractual provisions are in place to address: network security, application security, data security, data destruction, security breach notification, vendor data use, subcontractor data security requirements, and compliance audits you will conduct on such vendors. In addition, it is important to sensitize your marketing and procurement teams to the contractual risks related to free or low-cost Web services, since such providers often pose the greatest compliance risks.

Data Incident Response Plans:
In the event that your company suffers a data incident, there is no time to learn on the fly. Companies must have a clearly defined and readily available data incident response plan in place. The plan should outline:

  • The team representatives from the various operational groups within your organization, including staff from the IT department, human resources, legal, and public relations, among others
  • Up-to-date 24-7 contact information for all members of this team
  • A standard conference line and notification procedure timeline
  • A hierarchy for decision-making
  • External forensics technical contacts
  • Do's and don'ts tips for evidence preservation and general incident team e-mails

Disaster Recovery and Business Continuity Planning:
In addition to planning for data incidents, companies should also be prepared for disruptive events. A disaster recovery plan is a blueprint for resuming operations if your organization needs to shut down or if it suffers a data loss, whereas a business continuity plan helps your employees determine under what parameters they can continue to make money and how to do so. Companies should conduct both types of planning.

Employee Training:
Policies and procedures must be coupled with an effective organizational training program. Ensure your company is training employees regarding general security awareness and your internal corporate security policies. Consider which employees must receive mandatory training depending upon the data that they handle and how that training will be documented and deployed by HR (with periodic re-training). Also consider voluntary lunch and learns regarding information security and organizational risk management to build a company culture of security.

Security by Design:
Ongoing security dialogues are even more critical in the product development process. As an organization, do you build security into your IT and application development lifecycles? If not, now is the time to implement a comprehensive development lifecycle process that, from the start, includes security planning, review, and testing and then later touch points in the coding and deployment processes. Consider including these touch points as sign-off requirements of your company's standard development forms.

Develop and Internal Security/Date Governance Committee:
Change is inevitable! Develop a team that is tasked with reviewing security governance practices. Ensure that there is an established distribution list and a regular meeting schedule and agenda to ensure that all security policies are reviewed on an ongoing basis during appropriate times for the business units. When developing your review schedule, take into account the (1) IT audit schedule, (2) procurement/budgeting review period, and (3) business unit development "black-out" times, as well as any other company-specific timing considerations.

Become Part of the Outside Security Community:
The financial services sector has one of the most robust security communities and information sharing networks. Ask if your information security professionals are part of the broader financial services community networks, such as FS-ISAC or BITS (the Technology Policy Division of the Financial Services Roundtable) or general information security networks such as the CISO Executive Network.

This checklist is by no means exhaustive, but it should be a good starting place for your internal conversations. We are available to help customize your approach to these issues and provide expert counseling on developing all related policies, procedures, and processes. Contact Amy S. Mushahwar or Mercedes Kelley Tunstall to discuss.

- Amy S. Mushahwar

Justice Department Settles ADA Claims against Debt Collector

A recent Department of Justice settlement with a debt collection law firm that was accused of violating the Americans with Disabilities Act exemplifies the mounting federal scrutiny of the debt collection industry. The DOJ launched an investigation after two deaf individuals filed complaints claiming that the firm had violated the ADA by refusing to accept calls they made using a relay service designed to assist callers with impaired hearing.

Title III of the ADA prohibits discrimination against people with disabilities at places of public accommodation, including law firms. Title III requires public accommodations to make reasonable modifications to their policies, practices, and procedures when necessary to afford equal access to people with disabilities, unless doing so would fundamentally alter the goods or services provided. The DOJ is authorized to file civil actions under Title III seeking civil penalties and monetary relief for aggrieved persons.

Both complaints alleged Title III violations. In one complaint, a law firm employee was alleged to have violated the ADA when he hung up on the complainant, and in the other, an employee was alleged to have violated the ADA when he refused to take the complainant’s call and told her to call back at another time when a manager was present. In the settlement, the law firm acknowledged that the second employee was following the firm’s instructions.

The settlement requires the law firm to pay $30,000 in compensation to the complainants. It also requires the firm to adopt and implement a new policy (attached to the settlement agreement) for ensuring that the firm can effectively communicate with individuals with disabilities. This policy sets forth the firm’s obligation to provide, free of charge, various “auxiliary aids and services” to enable the delivery of information to individuals who are deaf, are hard of hearing, or have speech disabilities, as well as to those who are blind or have low vision.

In addition, the policy contains examples of the types of equipment, materials, and services that may serve as appropriate “auxiliary aids and services.” The firm’s employees must receive training on the firm’s ADA obligations, with the training materials to be approved in advance by the DOJ.

- Barbara S. Mishkin

Introducing Ballard Spahr's Health Care Reform Dashboard

The New Year is ushering in the launch of our Health Care Reform Dashboard, an online resource center designed to keep you informed of the latest developments in the Affordable Care Act. Many of the law's requirements will take effect in 2013, and major decisions are looming for employers.

The Dashboard will feature news, analysis, and links to critical primary sources such as agency announcements and proposed regulations and requirements. It can help you decipher and prioritize complex legislative and regulatory requirements and plan for the future.

The team behind the Dashboard includes members of our Heath Care Reform Initiative—attorneys with recognized knowledge and skill in laws affecting employee benefits, health care, labor and employment, and tax.

For more information, please contact Brian M. Pinheiro at 215.864.8511 or, Jean C. Hemphill at 215.864.8539 or, or Edward I. Leeds at 215.864.8419 or

Investment Management Update

Hedge fund managers could face critical decisions under a rule change by the Commodity Futures Trading Commission that rescinds language exempting certain entities from registration as commodity pool operators (CPOs). A federal court last month turned aside a challenge to the rule amendments by the U.S. Chamber of Commerce and the Investment Company Institute. The exemption has been widely used by hedge funds.

Other recent developments include a Financial Stability Oversight Committee (FSOC) proposal on money market reform, a complaint filed by the Securities and Exchange Commission (SEC) over a fund’s valuation of subprime mortgage-backed securities during the financial crisis, and the resignation of SEC Chair Mary Schapiro.

Click here to read the complete update from our Investment Management Group.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP

Ballard Spahr LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.