Articles & E-Books


Don’t confuse your quality control review with a regulatory compliance audit

Jul 06, 2021

By Erin Ralls

Quality control and compliance audits are vital to ensure both your investors and your regulators are satisfied.

While both assess the accuracy of your mortgage files, for the most part, they do not overlap.

Quality control reviews determine the accuracy of your underwriting in accordance with investor standards. Mortgage compliance reviews determine your compliance with applicable consumer protection laws in accordance with the regulations prescribed by your regulators.

But with both, taking your eye off the ball can result in unresolved errors, inefficiencies, time delays, investor and regulatory scrutiny and costly buybacks. 

Secondary market quality control audit

A secondary market quality control audit is a requirement of your investor, which confirms your loans meet their underwriting guidelines. Audits, which investors can require proof of, should be completed at the pre-funding and post-closing stages.

The reviews can be done by your internal staff but need to be completely independent of the loan process. In other words, whoever is originating, processing and closing the loans or managing those staff members cannot be the same person who is completing the quality control reviews. 

At minimum, 10 percent random (plus a discretionary sample) of the originated loans are tested against the investor’s guidelines during the post-closing quality control review.

Testing consists of verification of underwriting standards, with minimal review of any regulatory compliance requirements. The loans are re-underwritten to include reverifications of income, assets and any undisclosed liabilities, such as rental payments, that had been verified and required for closing the loan.

In addition, there is a field review appraisal required for 10 percent of the sample selected.

Tax transcripts are required on all loans selected for post-closing quality control, and — depending on your investor — a post-closing credit report is also required.

These verifications help validate that underwriting was completed correctly.

Not only does this give the investor a comfort level that you are meeting their requirements, but it allows you the opportunity to identify weaknesses and provide training to applicable staff. If there are habitual weaknesses identified in the process, this can lead to further investor review and ultimately to unfavorable pricing from the investor, loans not being saleable and loan buybacks.

Depending on the investor, quality control reviews may be done monthly, quarterly, bimonthly, biannually or annually. 

It is a common misinterpretation that quality control reviews include compliance.

While there are portions of the quality control review that touch on regulatory compliance topics, only limited areas specific to the file being tested are covered. Compliance topics covered during the quality control review include ensuring joint intent was properly documented, confirming timing requirements of initial disclosures were met, comparing APR values to determine whether they were within tolerance, and confirming the right of rescission was properly obtained.

If you are looking for a deeper dive into compliance, a compliance review is in order. 

Mortgage compliance audit

Compliance reviews focus on determining whether the financial institution is complying with federal consumer protection regulations.

Regulatory compliance requirements are published in the Code of Federal Regulations (CFR) and are governed by many different agencies including the Consumer Financial Protection Bureau (CFPB), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), the National Credit Union Administration (NCUA), the Department of Housing and Urban Development (HUD) and the Federal Trade Commission (FTC). Federal regulatory compliance audits are completed to determine compliance with consumer federal regulations prior to the federal compliance examinations being conducted to allow remediation prior to your examination. 

Compliance audits are typically based on the compliance risk assessment developed by the financial institution. The risk assessment takes into consideration the risk of noncompliance with applicable regulations based on inherent risk factors and the quality of internal controls.

The more risk that is involved, the more frequent and thorough the audit is.

A majority of mortgage audits focus on Regulation Z (Truth in Lending Act) and Regulation X (Real Estate Settlement Procedures Act), as well as the Equal Credit Opportunity Act (Regulation B), Home Mortgage Disclosure Act (Regulation C), Fair Credit Reporting Act (Regulation V), Homeowners’ Protection Act and Flood Disaster Protection Act. These audits focus only on the bank’s compliance with the applicable requirements of these rules and not on investor requirements.

While quality control reviews touch on a few aspects of regulatory compliance, some high-risk calculations and completion of key disclosures are not included quality control reviews. 

How Wipfli can help

Our specialized team can help with the quality control and compliance pieces of your audit programs — and rectify any deficiencies. To learn more, visit our web page.