Everyone working in commercial and residential real estate lending and servicing is aware of flood regulations and the complexity they bring to originating and managing a loan secured by real estate. Few think about how that complexity is very simple at the source: All eligible structures in a high-risk flood zone are required to have flood insurance, with very few exceptions. The amount of required insurance is the lesser of the outstanding balance or credit limit on any loan(s), the property’s replacement value, or the maximum amount of insurance that can be obtained for that type of structure under the National Flood Insurance Program (NFIP).
Since every transaction needs a flood determination pulled at the time of origination, flood insurance and related Flood Disaster Protection Act (FDPA) regulations come up routinely. Banks spend much time, effort, and money creating programs, policies, and procedures that will keep them on the right side of the law. Additionally, banks partner with third-party companies in order to get things right. Yet for all of this effort, and despite the fact that the program has been in existence for nearly 50 years, banks routinely receive reprimands, violations, and fines from regulators. How can this be?
Here’s the problem: The overall simplicity of flood regulations belies a great deal of complexity. When should a review of flood coverage start? Which structures need coverage, and for how much? Are contents included? When should notices be sent to customers? When is force-placed insurance required? And when should it be canceled? What refunds, if any, are banks and customers entitled to from insurance companies? When does the review need to be repeated?
All these questions and more lie at the heart of regulatory requirements and bank compliance. In this article we discuss where the data shows that banks are getting it wrong, and how to use that analysis to mitigate potential errors in your own compliance program.
Current Regulatory Atmosphere
The regulators who oversee flood insurance, including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System (FRB), National Credit Union Association (NCUA), and Consumer Financial Protection Bureau (CFPB), watch closely over all financial companies that handle flood insurance as part of their business. In Spring 2022, the FDIC said that 19 percent of their total violations were violations of the FDPA.
A review of fines and actions shows that commonly cited violations are related to so-called MIRE events. That is, when a financial institution goes to Make, Increase, Renew, or Extend a loan secured by real estate for a property that is in a federally-designated special flood hazard area, it must check the property’s current flood zone and determine if the property carries enough flood insurance to meet the NFIP’s current standard. Additionally, it must notify the borrower of the need to purchase flood insurance prior to closing. The borrower must obtain adequate and acceptable flood insurance before closing, or closing cannot occur.
Despite the seeming simplicity of these requirements, which apply to both residential and commercial loans, it is very difficult in practice to develop and maintain a consistent, high-quality program. Creating, increasing, renewing, or extending a loan can be done very quickly, particularly in the commercial world. The data would suggest that shoring up any program revolving around MIRE events will remove a great deal of risk from any bank’s lending arm or from an independent lender’s compliance concerns.
Another area where challenges are encountered is in the force-placement of flood insurance. If a borrower does not keep up its own insurance, or is underinsured, the financial institution must force-place flood insurance on the structure or structures. Force-placement of flood insurance comes with numerous timing requirements, from when the first letter informing the borrower of the lapse must be sent, to the day that force-placement of flood insurance must occur. Purchasing the right amount of insurance is also a priority for banks, since an underinsured or overinsured structure can cause a violation.
One of the more esoteric risks involves the contents of a structure. If the contents have been secured by the loan, flood insurance is required. Questions a bank should ask itself are: Does the mortgage include the contents as collateral? Has a Uniform Commercial Code (UCC) filing been made? Does the borrower own the contents? What is the value of the contents and how much insurance should be placed on them? Once these questions have been answered, which should happen simultaneously with the determination that flood insurance is required, the financial institution should move ahead with obtaining flood insurance on contents as well as on required structures.
How to Mitigate Potential Risk
The single best, but not the easiest, thing a financial institution can do to mitigate FDPA compliance risks is to have high-quality processes, policies, procedures, and controls that align with regulatory requirements. When regulators’ directives are ambiguous, the financial institution must define its own policies and procedures, demonstrating its best intention to comply with laws and regulations. These should be well thought out, documented, and supported by management. Steps include the following:
To mitigate the risk around MIRE events, financial institutions must have strong, independent pre-close departments that know and follow the guidelines for obtaining flood certifications, alerting the borrower, and obtaining proof of insurance prior to closing. Acceptable flood insurance must be a condition to close that cannot be waived or postponed. Following the directives of a knowledgeable pre-close department reduces the risk of failure to meet any of the guidelines surrounding the closing of a loan with a structure in a flood zone.
Financial institutions must have a system of record where they can track flood policies and expirations, and they need a department or third-party vendor that manages receipt of cancellation notices for flood insurance. This is a year-round responsibility and requires daily intervention—weekends and holidays included. The system should also be able to track whether contents were secured at origination, and thus if contents insurance is required. Executing a post-close flood review confirming proper set up of values and alerts ensures that monitoring will be timely.
Lender-placed insurance is a regulatory requirement if no borrower-purchased insurance is in place, or if the borrower is underinsured. Lapsed or expired insurance notices to the borrower must be timely, tracked, and retained. The system of record should be able to determine the date the force-placed insurance must be ordered and effective. A control must also be in place to cancel or amend lender-placed policies upon receipt of adequate and acceptable borrower coverage. Any refund of lender-placed premiums must be tracked to ensure a timely refund to the borrower.
Regulators focus on patterns and practices when reviewing a bank’s processes and controls. It’s likely that all financial institutions have some errors in their past, but the key is to avoid repetitive mistakes, which regulators may deem a pattern and practice. A robust compliance atmosphere and up-to-date policies and procedures will reduce this risk, but most importantly the institution must set standards for adherence to the systems it creates.
Tightening the controls, processes, and procedures around flood insurance will only do good. The process an institution follows to execute flood insurance reviews will determine the amount of risk the institution faces. Adherence to standing procedures is critical. If the process and procedures are tight, controls are good, and adherence is high, then the risk of incomplete, erroneous, or missing flood insurance is reduced.
The more comprehensive and thorough the processes and procedures are, the more they are written with regulations in mind, and the more adherence is prioritized, the more likely it is that key personnel will know and execute a good, risk-averse flood insurance program. An overall atmosphere of knowledge, compliance, and adherence will help deliver a high-quality flood program that avoids the pitfalls common to many institutions.
Although lenders and servicers have long been responsible for FDPA compliance—and many have been subject to actions, remediation, and/or fines—there is still reluctance to create the controls and processes to ensure success. Some say it is too expensive, or onerous, or that the rules do not apply to them. Some lenders are still making the mistake of waiving the flood insurance requirements or securing real estate as an abundance of caution with the expectation that those properties are exempt from compliance. But most are trying hard and with a culture of compliance, strong policies, controls, and testing, it is completely possible to get it right.