The full text on this page is automatically extracted from the file linked above and may contain errors and inconsistencies.
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Article 2 Board Oversight
Final Pending Approval from the Compliance Committee
December 2, 2011
Privileged and Confidential
Restricted
Section 2: Board Oversight
Article 2
FRB Order Reference:
Article 2
Corresponding
XI.4
OCC Article:
Within 60 days of this Order, the boards of directors of HNAH and HBIO shall
submit to the Reserve Bank an acceptable written plan to strengthen the boards’
oversight of the Mortgage Servicing Companies, including the boards’ oversight of risk
management, internal audit, and compliance programs concerning residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities conducted by the
Mortgage Servicing Companies. The plan shall also describe the actions that the
boards of directors will take to improve the Mortgage Servicing Companies’ residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities and operations,
and a timeline for actions to be taken. The plan shall, at a minimum, address,
consider, and include:
Action Plan
HNAH has instituted the HNAH’s Board of Directors’ Plan to Improve its Oversight of
HNAH’s Compliance Risk Management Program. On June 8, 2011, the Board of
Directors of HNAH adopted a resolution to enhance the Board oversight of HNAH’s
Compliance Risk Management Program with regard to the Order.
As further detailed herein, the Board oversight plan describes the actions that the
Boards of Directors of HNAH, HBIO and the Bank have taken and will take including
actions to enhance Board oversight over ERM and Compliance programs as they
relate to residential mortgage loan servicing, Loss Mitigation and foreclosure
activities, as well as to improve the activities of the Mortgage Servicing Companies
and the Bank activities to improve the residential mortgage loan servicing, Loss
Mitigation, and foreclosure activities and operations of the Mortgage Servicing
Companies and the Bank, and a timeline for the actions to be taken. Pursuant to the
oversight plan, each Board has expanded the responsibilities of its respective
Compliance Committee to oversee the remediation programs required by the Order,
to provide on-going oversight for HNAH, HBIO, and the Bank, and to provide regular
reporting to the full Board. The plan further provides that the enhanced Board
oversight will reinforce that HNAH and its subsidiaries operate in compliance with both
the letter and spirit of applicable federal and state laws, rules, regulations and
guidance. In adopting resolutions on May 25, 2011, directing management to take all
action necessary to establish and maintain strong governance and procedural
controls over residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and to utilize the full financial and managerial resources of HNAH, HBIO,
and the Bank to comply with the Order, the Boards have demonstrated their
commitment to executing their oversight responsibilities.
Further details regarding Board oversight are outlined in the Action Plans for Article 2,
Page 2
Privileged and Confidential
Restricted
sections (a) through (l).
An analysis by Residential Mortgage Servicing Management has been completed to
identify existing processes that address requirements of the Order and areas requiring
further enhancement. The scope of this analysis included a review of all existing
measures of Board Oversight, including those processes set forth below, against the
requirements of the Order. The analysis process and the results thereof are further
described in the Action Plan for each section of Article 2 herein. The existing
processes reviewed and required enhancements identified include, without limitation,
the following:
Existing Processes
Required Enhancements
• Formal Enterprise Risk Management
Program which provides proper risk
management of independent
contractors, consulting firms, law
firms, or other third parties who are
engaged to support residential
mortgage loan servicing, Loss
Mitigation, or foreclosure activities or
operations. (See Article 2(b))
• Enhancing the Group ORIC
framework, including the new RCA
methodology and new internal control
Target Operating Model (“TOM”).
(See Article 2(a))
• Formal Enterprise Compliance
Program, which establishes a
consistent risk-based approach and
oversight framework to manage
compliance risk and to ensure
compliance with the laws and
regulations governing the activities of
HBIO and HBUS. For further
information, see the HSBC- North
America Compliance Risk
Management Program Manual.
• New Risk and Control Assessment
(“RCA”) to replace the existing
Operational Risk Self Assessment
(“RSA”), to identify, assess, and
monitor the key internal controls that
mitigate the risks. (See Articles 2(a)
and 2(k))
• Monthly Board of Directors Report
package, which includes compliance
risk assessment results and key
• Improving the quarterly progress
reports to the Compliance
Committees of the Boards, including
metrics and on-going status of thirdparty risk management and a
summary of key risk indicators. (See
Article 2(b))
• Using the Testing and Risk
Assessment Compliance (“TRAC”)
team and
(“
”) to inventory
applicable Legal Requirements,
supervisory guidance and the
requirements of this Order across
functional areas, which will be used to
determine the MIS requirements and
define compliance metrics for
inclusion within the Compliance Risk
Assessment Dashboard. (See Article
2(d) and 2(l))
• Revising budget forecasts for
procedures and policies to put in
place to comply with the Orders. (See
Article 2(f))
Page 3
Privileged and Confidential
Restricted
mortgage loan servicing operational
metrics, as well as the development
of the Compliance Risk Assessment
Dashboard. (See Articles 2(d) and
2(l))
• Assessing the results of a Workload
Review to determine staffing needs to
support the Single Point of Contact
initiative (“SPOC”). (See Article 2(h)
and 2(j))
• Board resolution supporting funding
and managerial resources for
residential mortgage loan servicing,
Loss Mitigation, and loan
modification, detailed in the Approval
of Board Commitment of Financial
and Managerial Resources
No_NA11-11, CF11-29, US11-39
documents. (See Articles 2(e) and
2(f))
• Developing and building of Key Risk
Indicators (“KRIs”). (See Article 2(k))
• Process to evaluate resource
capacity planning and management
of workloads. (See Articles 2(e), 2(g),
2(h), and 2(j)).
• Compliance Committee Structures for
HNAH, HBIO, and HBUS, described
in the Committee Charters and
associated resolutions. (See Article
2(k))
• Enhance the Compliance Committee
Charters to include oversight for the
requirements of the Order. (See
Article 2(k))
Documents to be submitted with the Action Plan
x Approval of Board Commitment of Financial and Managerial Resources No_NA1111, CF11-29, US11-39
x HNAH'S BOARD OF DIRECTORS' PLAN TO IMPROVE ITS OVERSIGHT OF
HNAH'S RESIDENTIAL MORTGAGE SERVICING COMPANIES
x HNAH'S BOARD OF DIRECTORS' PLAN TO IMPROVE ITS OVERSIGHT OF
HNAH'S RESIDENTIAL MORTGAGE SERVICING COMPANIES_TRACKED
CHANGES
x HNAH Compliance Committee Approval of Board Oversight Plan Resolution No_
NA11-19
x HBIO Compliance Committee Approval of Board Oversight Plan Resolution No_
CF11-30
x HBUS Compliance Committee Approval of Board Oversight Plan Resolution No_
Page 4
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
x
x
US11-40
HNAH Board Approval of Board Oversight Plan Resolution No_ NA11-19
HBIO Board Approval of Board Oversight Plan Resolution No_ CF11-30
HBUS Board Approval of Board Oversight Plan Resolution No_ US11-40
HSBC NORTH AMERICA HOLDINGS INC. – Compliance Committee Report
HSBC FINANCE CORPORATION – Compliance Committee Report
HSBC USA INC. HSBC BANK USA, N.A. – Compliance Committee Report
HSBC USA INC. HSBC BANK USA, N.A. – CHARTER OF THE COMPLIANCE
COMMITTEE
HSBC FINANCE CORPORATION – CHARTER OF THE COMPLIANCE
COMMITTEE
HSBC NORTH AMERICA HOLDINGS INC. – CHARTER OF THE COMPLIANCE
COMMITTEE
Key HSBC Contacts for the Action Plan
x
CIO & Head of Relationship Management HBIO
Page 5
Privileged and Confidential
Restricted
Article 2(a)
FRB Order Reference:
Article 2(a)
Corresponding OCC
N/A
Article:
Policies to be adopted by the board of directors of HNAH that are designed to ensure
that HNAH’s enterprise-wide risk management (“ERM”) program provides proper risk
management with respect to the Bank’s and the Mortgage Servicing Companies’
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities
particularly with respect to compliance with the Legal Requirements, and supervisory
standards and guidance of the Board of Governors as they develop;
Action Plan
As discussed below, the existing risk management framework ensures that HNAH’s
enterprise-wide risk management program provides proper risk management with
respect to the residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities of the Bank and the Mortgage Servicing Companies, particularly with respect
to compliance with the Legal Requirements and supervisory standards and guidance of
the Board of Governors as they develop. However, HNAH is enhancing its operational
risk assessment framework, in part to ensure full compliance with the Order. These
enhancements, as further described below, include a new Risk and Control
Assessment methodology and Internal Control Target Operating Model (“TOM”).
Residential Mortgage Servicing Management believes that the existing risk
management framework, together with the enhancements thereto, will ensure HNAH’s
ERM program provides proper risk management with respect to the residential
mortgage loan servicing, Loss Mitigation and foreclosure activities of the Bank and the
Mortgage Servicing Companies in compliance with the requirements of the Order.
The HNAH Risk Management Framework was most recently reviewed and approved
by the HNAH Board Audit Committee in December 2010. The HNAH Risk
Management Program was enhanced throughout 2010 to meet the requirements of the
Federal Reserve Board Memorandum of Understanding (“MOU”) issued in 2009. A
comprehensive risk management plan was developed per the MOU requirements, and
all elements of the risk management plan have been implemented as of February
2011. The Risk function continues to mature processes put in place during 2010 to
evidence and support sustainability. We take a continuous improvement approach to
risk management and, accordingly, establish annual objectives centered on
strengthening our risk management framework, as described in the HSBC North
America (HNAH) Risk Management Framework in its entirety.
Based on the aforementioned changes to the Risk Management framework, no
changes to the Enterprise Risk Management (“ERM”) policies were made as a result of
the Consent Order. Specific enhancements resulting from the Order were instituted at
the Business-level (see Articles 15 for additional detail related to the business-level
changes resulting from the Order and the business level adoption of the ERM policy).
The information noted below provides a top-down overview of the Risk Management
Page 6
Privileged and Confidential
Restricted
Structure beginning with the Board of Directors. Additionally, please see Articles 14
and 15 for greater detail on the specific Risk Management functions noted below.
Existing Processes / Programs:
1. Corporate Governance Structure and Reporting
Board of Directors – Board Structure The business is managed under the direction of
the Board of Directors, whose principal responsibility is to enhance the long-term value
of HSBC. The affairs of HSBC are governed by the Board of Directors, in conformity
with the Corporate Governance Standards, in the following ways:
• providing input and endorsing business strategy formulated by management and
HSBC;
• providing input and approving the annual operating, funding and capital plans
prepared by management;
• monitoring the implementation of strategy by management and HSBC North
America Holdings Inc. (“HNAH”)’s performance relative to approved operating,
funding and capital plans;
• reviewing and advising as to the adequacy of the succession plans for the Chief
Executive Officer and senior executive management;
• reviewing and providing input to HSBC concerning evaluation of the Chief
Executive Officer’s performance;
• reviewing and approving the Corporate Governance Standards and monitoring
compliance with the standards;
• assessing and monitoring the major risks facing HNAH consistent with the Board of
Director’s responsibilities to HSBC; and
• monitoring the risk management structure designed by management to ensure
compliance with HSBC policies, ethical standards and business strategies.
1.1.
Board of Directors – Committees and Charters The Board of Directors of
HNAH has standing committees which include: the Audit Committee, Risk
Committee, and the Compliance Committee. The charters of the Audit
Committee, the Risk Committee, the Compliance Committee, as well as our
Corporate Governance Standards, of HNAH’s subsidiaries, HSBC Finance
Corporation and HSBC USA Inc. are available on HSBC’s website at
www.us.hsbc.com. Information from the committees noted below is
communicated back to the respective sub-committees and the businesses, via
formal minutes and action items maintained by the board committees.
1.1.1. Audit Committee The Audit Committee, which was separated from the Risk
Committee into its own committee following the Board meeting held in May 2011
is responsible, on behalf of the Board of Directors, for oversight and advice to
the Board of Directors with respect to:
• the integrity of HNAH’s financial reporting processes and systems of internal
controls over financial reporting;
• compliance with legal and regulatory requirements that may have a material
Page 7
Privileged and Confidential
Restricted
•
impact on our financial statements;
the qualifications, independence, performance and remuneration of the
independent auditors;
1.1.2. Risk Committee The Risk Committee, which was separated from the Audit
Committee into its own committee following the Board meeting held in May
2011, is responsible, on behalf of the Board of Directors, for oversight and
advice to the Board of Directors with respect to:
• HNAH’s risk appetite, tolerance and strategy;
• our systems of management, internal control and compliance to identify,
measure, aggregate, control and report risk;
• management of capital levels and regulatory ratios, related targets, limits and
thresholds and the composition of our capital;
• alignment of strategy with our risk appetite, as defined by the Board of
Directors;
• maintenance and development of a supportive risk management culture that
is appropriately embedded through procedures, training and leadership
actions so that all employees are alert to the wider impact on the whole
organization of their actions and decisions.
Additionally, as set forth in the Risk Committee charter, the Risk Committee has the
responsibility, power, direction and authority to:
• receive regular reports from the Chief Risk Officer that enable the Audit and
Risk Committee to assess the risks involved in the business and how risks
are monitored and controlled by management;
• review and discuss with the Chief Risk Officer the adequacy and
effectiveness of our risk management framework and related reporting;
• advise the Board of Directors on all high-level risks;
• approve with HSBC the appointment and replacement of the Chief Risk
Officer (who also serves as the North America Regional Chief Risk Officer for
HSBC);
• review and approve the annual key objectives and performance review of the
Chief Risk Officer;
• seek appropriate assurance as to the Chief Risk Officer’s authority, access,
independence and reporting lines;
• review the effectiveness of our internal control and risk management
framework in relation to our core strategic objectives;
• consider the risks associated with proposed strategic acquisitions or
dispositions;
• meet periodically with representatives of HNAH’s Asset Liability
Management Committee (“ALCO”) to discuss major financial risk exposures
and the steps management has taken to monitor and control such
exposures;
• review with senior management guidelines and policies to govern the
process for assessing and managing various risk topics, including regulatory
compliance risk, litigation risk and reputation risk.
Page 8
Privileged and Confidential
Restricted
At each quarterly Risk Committee meeting, the Chief Risk Officer makes a
presentation to the committee describing key risks for HNAH, including operational and
internal controls, market, credit, information security, capital management, liquidity and
litigation. In addition the head of each Risk functional area is available to provide the
Risk Committee a review of particular potential risks to HNAH and management’s plan
for mitigating these risks.
HNAH maintains a Risk Management Committee that provides strategic and tactical
direction to risk management functions throughout HNAH, focusing on: credit, funding
and liquidity, capital, market, operational, security, fraud, reputational and compliance
risks. The Risk Management Committee is comprised of the function heads of each of
these areas, as well as other control functions within the organization. The Chief
Executive Officer is the Chair of this committee. On an annual basis, the Board reviews
the Risk Management Committee’s charter and framework. ALCO and the Operational
Risk & Internal Control Committee (the “ORIC Committee”), report to the HNAH Risk
Management Committee and, together, define the risk appetite, policies and limits;
monitor excessive exposures, trends and effectiveness of risk management; and
promulgate suitable risk management culture, focused within the parameters of their
specific areas of risk.
ALCO provides oversight and strategic guidance concerning the composition of the
balance sheet and pricing as it affects net interest income. It establishes limits of
acceptable risk and oversees maintenance and improvement of the management tools
and framework used to identify report, assess and mitigate market, interest rate and
liquidity risks.
The ORIC Committee is responsible for oversight of the identification, assessment,
monitoring, appetite for, and proactive management and control of, operational risk for
HNAH, which is defined as the risk of loss resulting from inadequate or failed internal
processes, people and systems, or from external events. The ORIC Committee is
designed to ensure that senior management fully considers and effectively manages
our operational risk in a cost-effective manner so as to reduce the level of operational
risk losses and to protect
1.1.3. Compliance Committee The Compliance Committee was established in October
2009 to monitor and oversee corrective actions in response to the Memorandum
of Understanding entered into with the Federal Reserve Bank of Chicago
(“FRB”) in October 2009. The responsibilities of the committee were expanded
in August 2010 to monitor and oversee corrective actions in HNAH’s compliance
and anti-money laundering functions. The responsibilities and authority of the
committee were again expanded following the issuance of the consent cease
and desist order with the FRB to include oversight of management with respect
to the responsibilities and deliverables of the Board of Directors as specified in
the order. In December 2010, the Board of Directors approved revisions to the
Page 9
Privileged and Confidential
Restricted
Audit and Risk Committee charter to enhance oversight of the Compliance
function and, in February 2011, delegated oversight of all compliance-related
matters to the Compliance Committee. Pursuant to this delegated oversight, the
Compliance Committee has the additional responsibilities, powers, direction and
authorities to:
• receive regular reports from the Chief Compliance Officer that enable the
Committee to assess major compliance exposures and the steps
management has taken to monitor and control such exposures, including the
manner in which the regulatory and legal requirements of pertinent
jurisdictions are evaluated and addressed;
• approve the appointment and replacement of the Chief Compliance Officer
and other statutory compliance officers (e.g., BSA Officer, Bank Security
Officer) and review and approve the annual key objectives and performance
review of the Chief Compliance Officer;
• review the budget, plan, changes in plan, activities, organization and
qualifications of the Compliance Department as necessary or advisable in
the Committee’s judgment;
• review and monitor the effectiveness of the Compliance Department and the
Compliance Program, including testing and monitoring functions, and obtain
assurances that the Compliance Department, including testing and
monitoring functions, is appropriately resourced, has appropriate standing
within the organization and is free from management or other restrictions;
• seek such assurance as it may deem appropriate that the Chief Compliance
Officer participates in the risk management and oversight process at the
highest level on an enterprise-wide basis; has total independence from
individual business units; reports to the Compliance Committee and has
internal functional reporting lines to the HSBC Head of Group Compliance;
and has direct access to the Chairman of the Compliance Committee, as
needed.
2. Risk Management Framework
The Risk Management Framework is an integral component of HNAH’s operating
environment. The HNAH Risk Management Framework provides for oversight of risk
by the HNAH Board through the HNAH Risk Management Committee, which is a
regional level risk committee that provides a forum for risk managers, functional heads,
and business unit heads to establish risk appetite, assess risk, establish risk
management policies and standards, discuss emerging risk issues and agree upon
appropriate actions, as necessary. The Mortgage Servicing Companies and the Bank
are covered by the HNAH Risk Management Framework, which incorporates all risk
categories, including operational, compliance and legal risks, and ensures that the
fundamental elements of the risk management program and any enhancements or
revisions thereto, including a comprehensive annual risk assessment which
encompasses residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities are included. Risk Management facilitated by the businesses line’s self
assessment, Enterprise Compliance’s annual risk assessment, Service Delivery
Page 10
Privileged and Confidential
Restricted
Control Adherence’s (“SDCA”) annual testing of controls and internal audit’s ongoing
testing of controls and performance.
The HNAH Risk Management Committee Framework is structured in the following
manner to provide a reporting structure from the business up through the Board of
Directors:
The operating principles of the HNAH Risk Management Framework are as follows
(and are fully identified in greater detail in section 3.3.4, pages 22 – 23, of the attached
HSBC – North America Compliance Risk Management Program Manual:
• Ensure all risks are appropriately identified, measured, managed, controlled and
Page 11
Privileged and Confidential
Restricted
•
•
•
•
•
•
•
•
•
•
•
reported;
Develop, communicate & implement appropriate risk-related policies, procedures, &
processes in collaboration with business units, functional areas and Group;
Provide an independent review and assessment of risks by regularly reviewing risk
levels and risk management practices and raising concerns to senior executive
management and the Board as necessary.;
Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate risks outside of the established risk appetite;
Ensure compliance with all relevant laws, regulations, and regulatory requirements,
including Basel II;
Assess overall capital needs and enhance capital allocation
Set risk appetite in line with capital availability and overall business strategy;
Establish and promote a risk management culture that appropriately balances risks
and rewards;
Assist the Board and senior executive management in establishing risk tolerances,
limits, and performance measurements across HNAH;
Share and leverage best practices across Group;
Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly; and,
Formulate an internal view of capital requirements relative to risk.
The Risk Management Framework brings together risk functions across North America
to ensure a consistent policy, process, and practice is applied across legal entities. An
overarching HNAH Risk Limits Framework, see page 12 of the attached HSBC North
America Risk Management Framework, which is employed by the North America Risk
organization in conjunction with internal business partners from Finance, Legal and
Compliance, and the business lines, provides for the identification, communication,
limitation, and management of all risks across HNAH, both for discontinued and
ongoing business lines.
2.1. Enhanced Internal Control Target Operating Model (Enterprise-wide)
In addition, the enhanced Group ORIC framework incorporates a new Internal Control
TOM. A North America impact analysis and implementation plan was completed in
1Q2011, and approved by the HNAH ORIC Committee on April 6, 2011. Periodic
updates have been provided to the HNAH Board Risk Committee on RCA and TOM
implementation progress as part of the standard quarterly Operational Risk report to
the Board Risk Committee. The new framework is centered around the Business Risk
Control Management (“BRCM”) Team (which has review responsibilities which
includes residential mortgage servicing, Loss Mitigation and foreclosure activities) that
promotes and executes on business unit ownership of monitoring of key controls. The
BRCM activities are subject to independent oversight by ORIC and other “2nd line of
defense” teams. (See attachment HNAH Operational Risk Internal Control Target
Operating Model, which in its entirety outlines the TOM, and is summarized below.)
Page 12
Privileged and Confidential
Restricted
Pursuant to the Internal Control TOM principles:
• Management of internal controls is centered around Business / Function ownership
of risk and control management and activities to support effective control
environment;
• Independent teams outside of the business identify risks, formulate policies,
procedures, and key controls, and monitor risks and controls in respective areas;
independent view of BRCM”;
• An Operational Risk Management Framework (“ORMF”) is established that
provides governance, standards, and tools to ensure risks and controls are
embedded, sustainable and value adding; and,
• Internal Audit provides management with an independent and objective review of
business activities, risk management and support functions.
For more information on the HSBC ORIC framework, refer to Section 2.2 “Operational
Risk Application & Management” on pages 10 and 11 of the attached HSBC – North
America Operational Risk and Internal Control Policy Risk Management and also see
the summary below. The following categories of risk are included under the definition
of Operational Risk and are subject to the HSBC’s ORIC management framework:
• Compliance
• Fiduciary
• Legal
• Information
• Accounting
• Tax
• External Fraud
• Internal Fraud
• People
• Political
• Physical
• Business Continuity
• Systems
• Operations
• Project
As noted in the HSBC – North America Operational Risk and Internal Control Policy
Risk Management policy, the management of Operational Risk comprises the
identification, assessment, monitoring and control of operational risk so as to maintain
losses within acceptable levels and to protect the Group from foreseeable future
losses. Management in all businesses and support functions operating in North
America, including Global Businesses, is responsible for designing controls to mitigate
operational risk and for monitoring and evidencing the effectiveness of controls in
operation. Acceptable levels of internal control are to be determined by reference to
the scale and nature of each business operation, but must remain compliant with the
minimum standards set out in Group Standards Manual and Group Functional
Instruction Manuals; ensuring appropriate levels of economic and regulatory capital in
accordance with internal and external requirements.
Page 13
Privileged and Confidential
Restricted
Additionally, as set forth in the HSBC – North America Operational Risk and Internal
Control Policy Risk Management policy, management throughout North America
follows the HSBC ORIC framework, which is comprised of the responsibilities set forth
below. The application of this framework in North America is further described in
various sections (noted below) of the HSBC – North America Operational Risk and
Internal Control Policy Risk Management
• Assignment of responsibility for the management of operational risk and the
maintenance of an appropriate internal control environment, under the oversight of
a formal governance structure. Refer to Section 3 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 14 through 24,) for details on North America’s governance structure and
organizational roles and responsibilities.
• Quarterly Top Risk and Control reporting at a Regional / Country level. In
accordance with page 1 of the FIM B.1.3 “Operational Risk Reporting”, the
Regional / Country ORIC Team reports quarterly on the North America operational
risk profile, involving the relevant business and control function experts. The report
is approved by the HNAH ORIC Committee; feedback from the committee’s review
is monitored by the Regional / Country ORIC Team. Country versions are reviewed
by the HUSI and HBCA ORIC Committees. Refer to the FIM for Operational Risk
profile reporting requirements.
• Identification, assessment, and reporting of operational risks by business and
functional managers using the Group’s standard Operational Risk and Control
Assessment (“RCA”) process. (Refer to Section 4 of the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, pages 25 through
35, for details on North America’s application of the RCA methodology)
• Operational risk loss incident identification and reporting and aggregate loss
reporting. (Refer to Section 5 of the HSBC – North America Operational Risk and
Internal Control Policy Risk Management, pages 36 through 42, for details of North
America’s loss identification and reporting processes.)
• Provide assurance that key controls are designated and operating effectively
through monitoring of activities. (Refer to Section 4.7 of the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, pages 31 through
35, for details of the Internal Control Monitoring program that North America is
implementing to support the Group framework. The roles and responsibilities of
business management, risk oversight functions, and ORIC teams are described in
Section 3, pages 14 through 24, of the HSBC – North America Operational Risk
and Internal Control Policy Risk Management).
In addition to components of the HSBC ORIC framework described above, North
America considers the following components as critical to the management of
operational risk and internal control and to the monitoring of North America’s
operational risk appetite.
• Key Indicators – The ongoing monitoring of key indicators of high-level risks to
ensure risk is appropriately controlled within established limits in accordance with
the Order which requires processes to document, measure, assess, and report key
Page 14
Privileged and Confidential
Restricted
•
•
risk indicators. (Refer to Section 4.4 of the HSBC – North America Operational Risk
and Internal Control Policy Risk Management, pages 29 and 30, for details.)
Capital Modeling – Development of Advanced Measurement Approach (AMA)
compliant quantification methodology and ongoing calculation of Regulatory and
Economic Capital for Operational Risk. (Refer to Section 6 of the HSBC – North
America Operational Risk and Internal Control Policy Risk Management, pages 48
and 49 for details.)
Many of the components of the Operational Risk and Internal Control Framework
described above are shown in the diagram below.
On a monthly basis the EVP HBIO, President and Chief Servicing Officer reports on
the key risk indicators to the Compliance Committee of the Board. See the attached
Foreclosure and Account Servicing Review presentation for an example of the report,
see pages 8 through 21.
As of January 2011, HSBC – North America began implementation of the new Group
Risk and Control Assessment (“RCA”) methodology. This is a new methodology
adopted by HSBC Group Operational Risk to replace the existing methodology, RSA or
Risk Self -Assessment. The RCA is a component in the Enhanced Operational Risk
Framework implemented throughout HSBC. The RCA methodology builds on the RSA
and is designed to provide businesses with a forward-looking view of operational risk
and to help them proactively determine whether their key operational risks are
controlled within acceptable levels. The RCA methodology enables the assessment of
both the typical and extreme exposure to operational risks and considers the direct
financial costs and the indirect financial impacts to the business including customer
service, reputational, and regulatory impacts.
Typical exposure to operational risk events (e.g. credit card fraud) is the total loss that
is expected to occur in the next 12 months given the effectiveness of the control
Page 15
Privileged and Confidential
Restricted
environment.
The extreme events (e.g. rogue trading) take into account the inherent nature of risks
within the business and control environment, but assume that one or more controls fail
to operate as expected.
Specific aims of the RCA methodology are to:
• Identify and assess material operational risks;
• Identify and assess the effectiveness of key controls that mitigate these risks;
• Focus management attention where controls are assessed as either “Needs
Improvement” or “Ineffective”, and
• Identify what monitoring of key controls is being undertaken in order to identify
necessary management actions.
The following activities must be undertaken as part of the RCA methodology:
• Scoping – Determine where an RCA should be undertaken (i.e. which entities or
what level within a country or business)
• Risk and Control Identification – Document the details of material risks and
associated key controls
• Risk and Control Assessment – Record the effectiveness of the key controls and
the residual risk exposure based on control assessments
• Control Monitoring – Identify the appropriate level of control monitoring required
and provide input into the internal control monitoring activity
• Issues and Actions – Implementation of action plans to address control deficiencies
and/ or specific people, process, or technology improvements
• Governance and Reporting – Review and sign off the completed RCAs.
In support of the ORIC structure noted above, HNAH’s line of business staff has
responsibilities regarding risk assessment and management as follows:
3. Business Management Operational Risk (Business-line)
Operational Risk Management activities include but are not limited to:
• Serving as single point of contact coordinating with the second and third lines of
defense – Tracking and monitoring of control weaknesses and audit findings
• Working directly with business to strengthen control gaps and assesses the
adequacy and sustainability of remediation efforts
• Conducting self assessments on key controls to determine effectiveness and
monitors KRI’s
• Facilitating quarterly and annual workshops for RCA and
• Facilitating annual certifications and reviews Group Policies to determine
compliance with GSM and FIM
• Report and maintain tracking and trending of operational losses
Business Management has responsibilities directly related to Residential Mortgage
Servicing, while adhering to the enterprise-wide oversight. Business management has
Page 16
Privileged and Confidential
Restricted
the following accountabilities:
• Identifying and assessing operational risks and controls
• Identifying and reporting incidents
• Implementing and operating internal controls and without reliance on ORIC or other
“second line of defense” control functions
• Monitoring the ongoing effectiveness of key controls to gain assurance that they are
operating in line with risk appetite and any regulatory and FIM requirements.
• Establishment of Business Risk Control Management (“BRCM”) capability to help
undertake the appropriate level of key control monitoring.
3.1. ORIC Governance Structure
The elements of Group’s ORIC Governance and organization structure are described
in the attached HSBC Group Operations FIM Section B.1.2 “Governance and
Organization of Operational Risk and Internal Control”. The structure is organized to
provide clear reporting lines up to the Board as detailed on pages 14 – 16 of the
attached HSBC – North America Operational Risk and Internal Control Policy Risk
Management Policy.
3.1.1. Board Oversight
The HNAH/HUSI/HBIO Board Risk Committee oversees the US Operational Risk
Management program and annually approves Advanced Measurement Approach
(AMA). Operational risk updates are provided to the HNAH/HUSI/HBIO Board Risk
Committee on a quarterly basis as part of the Risk Dashboard. Updates may include
current and emerging issues, risk integration and governance activities, operational
risk loss analytics, and the operational risk appetite dashboard.
HSBC North America Risk Management Committee
The HSBC North America Risk Management Committee (HNAH RMC) provides
strategic direction to various risk management functions, including operational risk,
across the region. The HSBC North America RMC reviews reports and /or meeting
minutes from subcommittees, including the North America ORIC Committee.
Responsibilities are specifically defined in the HNAH RMC Charter. The HUSI RMC
and the HBIO RMC were recently combined with the HNAH RMC; concurrent meetings
are conducted.
Additionally, at the business level, significant issues identified through BRCM
monitoring / oversight must be reported to business management and the relevant
ORIC Committee.
HSBC – North America Operational Risk and Internal Control Committee
The HSBC – North America Operational Risk and Internal Control (HNAH ORIC)
Committee provides central governance and strategic oversight of the operational risk
management framework, including identification, assessment, monitoring, and appetite
for operational risk. The HNAH ORIC Committee is an authorized subcommittee of the
HNAH Risk Management Committee and is the senior most risk committee responsible
Page 17
Privileged and Confidential
Restricted
for the oversight and management of operational risk and internal control within the
North America Region.
The HNAH ORIC Committee oversees internal controls over HNAH’s top operational
risks and creates a regional risk and control culture by embedding operational risk and
internal control management into businesses and functions and by promoting
appropriate training.
The HNAH ORIC Committee is responsible for all businesses and operations in the
U.S. and Canada. Country and Global Business ORIC Committees have been
established as subcommittees. The Regional / Country ORIC Team coordinates the
coverage of the various ORIC Committees and minimizes overlap as appropriate
3.2.
BRCM and Coordinators
Operational Risk Oversight Functions have the following accountabilities within their
functional area of expertise:
• Defining key operational risks and establishing minimum control standards and
appropriate indicators / metrics
• Undertaking oversight to verify the appropriateness of business (and functional|)
management control monitoring activity. Where oversight is conducted by these
teams, ORIC may leverage this work in carrying out its oversight responsibilities to
avoid duplication so long as it is satisfied that appropriately rigorous and sound
standards have been followed.
• Reviewing and reporting their indicators / metrics and taking action as necessary
where any business appears to be operating, or to be at risk of operating, outside
the established risk appetite.
• Gaining assurance that the minimum standards in their respective FIMs are being
met through oversight activity
Additional information related to roles and responsibilities between business
management and the BRCM is provided below:
Page 18
Privileged and Confidential
Restricted
Where BRCM undertakes control monitoring, a detailed monitoring plan that describes
the key control monitoring activities that will be completed over the next year is
established on at least an annual basis. The monitoring plan is based on consideration
of the RCA results as the basis of the annual monitoring plan, and may also consider
the following:
• New control standards issued
• Relevant local regulatory requirements
• Control issues identified in quarterly Operational Risk reporting
• Monitoring standards outlined in the FIMs
• Internal and external incident data
• Outputs of recent internal control monitoring
• Output of Group internal audit report, external auditors report and other functional
reports
• Significant changes in business structure, personnel, external environment,
products and systems
• Emerging risk issues / themes
• Controls where independent testing is mandated for SOX purposes
• The work plans of other areas (e.g. functions) carrying out control monitoring, to
maximize efficiency and avoid overlap.
The monitoring plan must be approved following an appropriate governance process
(e.g. Business Head or appropriate business committee) on an annual basis.
Significant amendments to the scope of the plan must be agreed using the same
governance process. The “appropriate governance process” will be further defined
during the implementation of internal control monitoring. Review of plans and their
approval and implementation may be subject to review by ORIC and Group Audit as
well as Business Management.
The plan will be submitted to the HNAH ORIC Committee for approval on an annual
basis. Significant amendments to the scope of the work plan must be agreed by the
ORIC Committee as required. ORIC must monitor progress against work plans on at
least a quarterly basis, and consider work plan relevance, ad-hoc oversight based on
Page 19
Privileged and Confidential
Restricted
emerging areas of risk, resource assessment (availability and capability), and any
necessary escalation of delays. Progress will also be shared with the HNAH ORIC
Committee and any delays in the execution of an activity should be adequately
justified.
Where monitoring / oversight results indicate that controls are no longer effective and
the risk is now outside of appetite, new issues and actions must be created to ensure
appropriate rectification. A process will then be in place for tracking issues and actions
and ensuring their appropriate and timely resolution.
3.3. Enterprise-wide Compliance
In addition, the HNAH Compliance organizational structure, as outlined below, detailed
in the “HSBC – North America Compliance Risk Management Program Manual”, and
illustrated in the “HNAH Corporate Compliance Organizational Structure” section, see
pages 26 and 65 of the Compliance Risk Management Program Manual, is designed to
ensure that Compliance staff have the requisite authority and status to carry out their
responsibilities:
• The Regional Compliance Officer (“RCO”) reports to the HNAH Compliance
Committee, the HSBC – North America Chief Risk Officer, the HNAH Chief
Executive Officer (“CEO”) and the Group General Manager and CEO of HSBC
Bank, N.A.
• The RCO also has an internal functional reporting line to the Head of Compliance
within the Group Management Office ("GMO") which provides oversight of the
HNAH Compliance Risk Management Program.
• The RCO is a member of the Group Compliance Executive Committee (“Group
Compliance EXCO”).
The RCO has direct access to the Chairmen of the Audit and Risk Committee and the
HNAH Compliance Committee. The HNAH Compliance Committee has been
delegated compliance related oversight responsibilities by the Board of Directors. On a
quarterly basis, the RCO will report on the status of compliance risk and the
compliance risk management framework to the HNAH Compliance Committee.
The RCO is a member of the HNAH Executive Compliance Committee (“EXCO”), the
HNAH Risk Management Committee (“RMC”) and the HNAH Operational Risk and
Control (“ORIC”) Group and participates in those scheduled committee meetings.
Meetings occur on a monthly basis. In addition, HNAH has formed a Compliance and
Risk Forum (“CaR Forum”) which is a chartered committee to facilitate the integration
of Compliance and Risk Management programs, and to help ensure the proper
identification, assessment, monitoring and reporting of risk in line with HNAH's risk
appetite. The formation of the CaR Forum was approved by the RCO and Regional
Chief Risk Officer. The first meeting was held on September 17, 2010. The forum
meets on a monthly basis.
The Compliance governance model is designed to ensure that the functional teams
and responsible areas reporting into the RCO work effectively and efficiently together
Page 20
Privileged and Confidential
Restricted
to manage the Compliance Risk Management Program. Specifically, the governance
model is designed to ensure that:
• Regulatory, Group, and other stakeholder requirements applicable to Compliance
are identified and addressed;
• Enterprise-wide initiatives are coordinated;
• Communications across functional areas are timely and effective;
• Issues are escalated in a timely manner;
• Information is effectively and appropriately shared; and,
• Compliance risks are effectively assessed and emerging trends are identified which
may impact more than one business, legal entity or geography.
3.4. Internal Audit
Group Audit North America has systems in place to track and monitor the status of the
audit findings and recommendations. These systems facilitate follow-up reviews and
are designed to track timely completion and effectiveness of the corrective measures.
For example, the Audit Issues Module includes the following:
• Detailed information about findings, including target date for resolution, next action
date for review by Group Audit North America, management response and action
plan, and commentary supporting actions to date;
• Tracking capabilities designed to ensure the information is accurate and up-to-date,
and that timely, corrective action of audit findings have been certified by
management;
• Tracking capabilities designed to ensure that all outstanding issues have been
remediated; and
• Email notifications to the responsible individuals when items are due, designed to
ensure timely follow-up on outstanding audit finding.
The Audit Issues Module is utilized to generate exception reports that list issues that
have not been remediated. Group Audit North America submits these reports monthly
to Executive Management as well as quarterly to the internal Operational Risk and
Control Committees and the Audit Committee of the HNAH Board. (See Audit Update
– HNAH Operational Risk and Internal Control Committee (ORIC) in its entirety. The
Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
summarizes the audit issues, activities, reports, and risks of HNAH). Please see the
following documents for examples of the reports noted above:
x HBIO High Risk Outstanding Issues (PPT) - this document covers the high risk
issues of HBIO by business line and by resolution date
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS) - this document gives
audit issue information based on status, pending validation, target date and
changes, and monitoring authority
x HBIO Repeat Issues - this document provides information on repeat and partial
repeat issues of HBIO
x HBIO Repeat Issues 2Q11 - this document provides information on the number
of repeat issues for 2Q11 and 1Q11 for HBIO
x HNAH All Medium 30JUN11 - this document provides information on the type of
audit issues encountered, target date, and monitoring authorities.
Page 21
Privileged and Confidential
Restricted
x
x
x
x
HNAH High Risk Issues 30JUN11 (XLS) - this document gives audit issue
information based on status, pending validation, target date and changes, and
monitoring authority
HNAH High Risk Outstanding Issues (PPT) - this document highlights the
number of high risk outstanding issues by business line and resolution date.
HNAH-wide including HTSU Repeat Issues - this document provides repeat and
partial repeat issue information for both high and medium risk outstanding
findings
HNAH Repeat Issues 2Q11 - this document provides information on the number
of repeat issues for 2Q11 and 1Q11 for HNAH
The existing risk management framework and enhancements made as part of the 2009
FRB MOU, and the recent ORIC framework enhancements, are designed to assist
HNAH’s Enterprise Risk Management (“ERM”) program provides proper risk
management for the residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities of the Bank and the Mortgage Servicing Companies, particularly
with respect to compliance with the Legal Requirements, and supervisory standards
and guidance of the Board of Governors as they develop in accordance with the
requirements of the Order.
The response to Sections 7(b) and 8(d), part of the Compliance section, contain
additional Action Plans to ensure HNAH enterprise-wide risk management programs
comply with Legal requirements and supervisory standards and guidance of the FRB
as they develop.
Documents to be submitted with the Action Plan
x FIM B.1.4 Risk and Control Assessment
x FIM Appendix D.1.3 Risk and Control Assessment Guidance
x D.1.4 Risk categorisation
x HNAH Operational Risk Internal Control Target Operating Model
x HSBC North America (HNAH) Risk Management Framework
x FRB MOU Progress Letter April 28, 2011
Additional documents completed for re-submission of Action Plan
x HSBC – North America Compliance Risk Management Program Manual
x HNAH 2011 Risk Appetite Statement
x HNAH Operational Risk Internal Control Target Operating Model
x HSBC – North America Operational Risk and Internal Control Policy Risk
Management
x B.1.3 “Operational Risk Reporting”
x B.1.2 “Governance and Organization of Operational Risk and Internal Control”
x Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
x HBIO High Risk Outstanding Issues (PPT)
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS)
x HBIO Repeat Issues
Page 22
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
HBIO Repeat Issues 2Q11
HNAH All Medium 30JUN11
HNAH High Risk Issues 30JUN11 (XLS)
HNAH High Risk Outstanding Issues (PPT)
HNAH-wide including HTSU Repeat Issues
HBIO Executive Compliance Steering Committee
Foreclosure and Account Servicing Review
Key HSBC Contacts for the Action Plan
x
,
x
SVP Strategy, Operational Risk Management and Chief
Information Officer, HBIO
x
Page 23
Privileged and Confidential
Restricted
Article 2(b)
FRB Order Reference:
Article 2(b)
Corresponding
N/A
OCC Article:
policies and procedures adopted by HNAH to ensure that the ERM
program provides proper risk management of independent contractors, consulting
firms, law firms, or other third parties who are engaged to support residential
mortgage loan servicing, Loss Mitigation, or foreclosure activities or operations,
including their compliance with the Legal Requirements and HNAH’s and HBIO’s
internal policies and procedures, consistent with supervisory guidance of the Board of
Governors;
Action Plan
HNAH has existing policies and procedures in place to ensure Enterprise Risk
Management (“ERM”) programs provide proper risk management of independent
contractors, consulting firms, law firms, or other third parties who are engaged to
support residential mortgage loan servicing, Loss Mitigation, or foreclosure activities
or operations, including their compliance with the Legal Requirements and the
internal policies and procedures of HNAH and HBIO, consistent with supervisory
guidance of the Board of Governor. The Residential Mortgage Servicing, Vendor Risk
Management, and Enterprise Risk Management teams, as well as the Compliance
team reviewed the Vendor Risk Management Policies and Vendor Risk Management
Procedures (adopted in March 2011 and April 2011, respectively), which have been
recently enhanced, and determined such policies and procedures, as described below
and in the attachments hereto, ensure that the ERM program provides proper risk
management with respect to third parties engaged to support residential mortgage
loan servicing, Loss Mitigation, and foreclosure activities or operations in accordance
with the requirements of the Order and are not in need of modification at this time.
This is described in further detail in the attached HSBC - North America Vendor Risk
Management (VRM) Policy and HSBC - North America Vendor Risk Management
(VRM) Procedures.
Existing Processes / Programs:
In order to demonstrate the Board’s oversight of vendor management, the Information
Security Risk, Privacy and Vendor Risk Management Executive Steering Committee,
which meets on a monthly basis, was established as a subcommittee of the HNAH
ORIC Committee. The Information Security Risk, Privacy and Vendor Risk
Management Executive Steering Committee provides strategic and tactical direction
to key Risk Assessment and Vendor Risk Management initiatives and efforts. The
Executive Steering Committee serves as the governance and decision making
authority on the integration of the ISR Risk Assessment and Vendor Risk
Management Programs across North America. Key responsibilities, detailed in the
Information Security & Risk (ISR) – Risk Assessment - Vendor Risk Management
Executive Steering Committee Charter are as follows:
x Drive alignment of vision and resource prioritization with respect to engaging
Page 24
Privileged and Confidential
Restricted
x
x
x
third-party vendors in cross-functional areas;
Assess and hold management accountable for execution against Action Plans;
Review and provide feedback on third-party risk assessment reporting at the
North America level; and,
Provide Executive Management and the Board reasonable assurance that by
applying disciplined policies and practices to its programs and projects, HSBC
is effectively controlling third-party provider risk.
Program updates and items worthy of escalation, as determined by the Information
Security Risk, Privacy and Vendor Risk Management Executive Steering Committee,
are provided to the HNAH ORIC Committee.
As described in the attached HSBC - North America Vendor Risk Management (VRM)
Policy, adopted in March of 2011, the relationship manager (“RM”) is responsible for
overall vendor risk management and governance for their respective business,
including independent contractors, consulting firms, law firms, and other third parties
engaged to support residential mortgage loan servicing, Loss Mitigation, foreclosure
activities or operations. Vendor risks are assessed using the RCA framework. The
Vendor Risk Management Policy will be part of a comprehensive list of approved
HSBC- North America Level policies submitted to the North America Executive
Management for annual review and approval, and the Board of Directors as
necessary.
Additionally, the attached HSBC - North America Vendor Risk Management (VRM)
Procedures, adopted in April 2011 describes the policies further, including:
x Governing third-party relationships in a consistent manner across HNAH and
its subsidiaries in the U.S.;
x Providing reasonable assurance that vendor activity is conducted within the
agreed upon terms and contract;
x Establishing guidelines to properly and effectively identify, assess, monitor,
manage, and control risk associated with third-party relationships; and,
Finally, the attached FIM B2.15 Vendor Risk Management, specifically sections 3.2 to
3.7 on pages 3 to 7 provides that the business units have responsibility for:
x Conducting vendor due diligence as part of the overall risk assessment
process;
x Selecting a financially viable vendor with appropriate capability, skills and
experience;
x Establishing an on-going review process to confirm that vendors perform in
accordance with the terms of contract; and
x Engaging subject matter experts to support the due diligence process and ongoing monitoring.
Vendor Risk Management Overview
HSBC North America Vendor Risk Management (“VRM”) has in place a risk-based
Page 25
Privileged and Confidential
Restricted
framework and program to effectively identify, assess, monitor and manage risks
associated with Third-Party Provider relationships (the “VRM Program”) as set forth in
the HSBC North America Vendor Risk Management Policy and Procedures (“VRM
Policy and Procedures”). The VRM Program provides centralized governance and
requirements for North America businesses and departments. The VRM Program also
establishes accountability and corporate oversight and defines the roles and
responsibilities of the various departments and functions including VRM, Residential
Mortgage Servicing, Operational Risk Management, Information Security Risk (“ISR”),
Compliance, and Legal so that Third-Party Providers within the scope of the existing
VRM Policy and Procedures are assessed in a consistent risk-based framework. Law
Firms as well as other Third-Party Providers are managed and monitored pursuant to
the VRM Program (see Section 2 of the VRM Policy). The VRM Program has been
designed in accordance with OCC Bulletin 2001-4, as documented in additional detail
in the attached HSBC - North America Vendor Risk Management (VRM) Policy.
The HBIO and HBUS residential mortgage loan servicing, Loss Mitigation,
bankruptcy, foreclosure, and property management functions (collectively “Residential
Mortgage Servicing” or “Mortgage Servicing”) follow the VRM Policy and Procedures
and the VRM Program to manage Third-Party Providers, including Law Firms.
Additional procedures and oversight have been implemented as described below to
ensure Third-Party Providers are managed and monitored in accordance with the
VRM Program.
Third-Party Operational Risk Management Group (“TPORMG”)
To ensure consistent adherence to the VRM Policy and Procedures and provide
additional oversight of Residential Mortgage Servicing Third-Party Providers, including
Law Firms, the existing Mortgage Servicing Operational Risk Management team
expanded its structure to include a centralized, dedicated team – the Third Party
Operational Risk Management Group (“TPORMG”). The TPORMG serves as the
primary point of contact and relationship manager for Residential Mortgage Servicing
Third-Party Providers, including Law Firms. TPORMG coordinates with other
groups/functions, including the business, VRM, Information Security Risk,
Compliance, and HSBC Legal, throughout the Third-Party Provider life cycle from,
due diligence and Third-Party selection, risk assessment, negotiations, contracting,
ongoing monitoring, issue management and escalation, quality assurance,
remediation and termination (see Sections 1.1 and 1.2 on page 4 of the attached
Mortgage Servicing Third Party Operational Risk Management Procedures).
In order to staff the TPORMG department with appropriate expertise and authority,
HBIO and HBUS leveraged existing qualified personnel within HSBC to fill the
leadership roles within TPORMG. Requirements for these roles include extensive
Mortgage Servicing experience and a background in Risk Management. The
leadership personnel consist of a Senior Vice President with responsibility for
Operational Risk Management, who serves as the Chief Information Risk Officer
(CIRO) for Mortgage Servicing having twenty-two years of experience and a
Page 26
Privileged and Confidential
Restricted
concentration in mortgage operational risk and audit. Reporting to the Senior Vice
President, are two Vice Presidents with an average tenure of twenty-five years of
experience with a concentration in operational risk and mortgage servicing. One Vice
President was previously employed by
and managed its foreclosure and
bankruptcy attorney network. The other Vice President has an extensive background
in mortgage lending, servicing, risk, and compliance.
As of September 12, 2011, TPORMG has developed and implemented the Mortgage
Servicing Third Party Operational Risk Management Procedures (the “TPORMG Third
Party Procedures”) which supplement the VRM Policy and Procedures. These
Procedures define the TPORMG scope, organizational structure, associated roles and
responsibilities, and overall methodology and approach for TPORMG reviews of
Residential Mortgage Servicing Third-Party Providers, including Law Firms.
The TPORMG will ensure that Residential Mortgage Servicing departments comply
with the VRM Policy and Procedures. Key responsibilities of TPORMG are as follows:
x Initiate, renew, or terminate Third-Party Providers and coordinate the on-going
reviews, monitoring and assessments of Third-Party Providers;
x Develop and monitor Third-Party Provider performance against defined service
levels, performance levels, and contract terms; and coordinate distribution of
MSAs, including the Law Firm MSAs to be executed by approved existing and
future Law Firms (see attached MASTER SERVICES AGREEMENT (LEGAL
SERVICES));
x Schedule reviews of Third-Party Providers, including Law Firms;
x Develop and use the TPORMG Database to monitor, manage, and age ThirdParty Provider reviews and remediation efforts and SLAs and performance against
SLAs, to include Information Security Risk, Legal, and Operations’ review findings,
and for reporting to various departments and to the TPORMG Governance
Committee;
x Reporting and trending of customer complaints specific to Third-Party Providers;
and,
x As part of the Legacy Relationship Management (“LRM”) Program, performing an
in-depth review of Residential Mortgage Servicing legacy Third-Party Provider
relationships within the scope of the VRM Policy to ensure compliance with the
VRM Policy and Procedures
Residential Mortgage Servicing Third-Party Provider Governance Committee
To ensure appropriate oversight of Third Party Providers at a senior management
level, HBIO and HBUS established the Residential Mortgage Servicing Operations
Third-Party Provider Governance Committee (“Third Party Governance Committee”)
to oversee the Mortgage Servicing Third-Party Provider management process, which
includes the review of Law Firms. The Third Party Governance Committee meets
monthly with the first meeting occurring on October 31, 2011 – please see page 2 of
the attached Third Party Governance Committee Meeting document for the agenda
items discussed and the attached Servicing Operations Third Party Governance
Page 27
Privileged and Confidential
Restricted
Meeting document for minutes of the meeting. The responsibilities of the Committee
include:
x Review and assessment of performance reporting and results of Third-Party
Provider reviews;
x Decisions regarding retention, discipline, remediation and termination of ThirdParty Providers;
x Evaluation and addressing of emerging trends, risks and strategies;
x Evaluation of significant adverse litigation;
x Determining whether or not to continue doing business with Third Parties; and,
x Escalation of material issues or concerns, as appropriate, to senior management.
The Third Party Governance Committee includes participants from the business and
various functions, including TPORMG, Compliance, Risk and HSBC Legal.
Due Diligence
In order to perform appropriate due diligence, the VRM Program and section 1.2 on
pages 4 and 5 of the TPORMG Procedures provide guidance for examining financial
information, information security measures, business continuity, reputation, and other
applicable reviews of potential and existing Residential Mortgage Servicing ThirdParty Providers, including the Mortgage Electronic Registration System (“MERS”),
National Bankruptcy Services (“NBS”), and Law
Firms. The TPORMG Third Party Provider Procedures also identify the need for a
legal review for Third-Party Providers of legal services in section 2.4 on pages 12 and
13.
Additionally, the HSBC Mortgage Servicing Legal Department Law Firm Management
Procedures (“Law Firm Procedures”) outline the legal review process for Third-Party
Providers of legal services (see the Legal review process in Section 5 of the Law Firm
Procedures, pages 5 to 8). These reviews are managed by HSBC Legal in order to
provide requisite expertise for the review. More specifically, the risk-based
methodology for identifying the scope and frequency of Law Firm reviews is outlined
in Section 5.3 of the Law Firm Procedures, on pages 6 and 7:
HSBC Legal uses a Risk-Based Approach to determine the scope and frequency of
Firm reviews and Firm file reviews. The Risk-Based Approach includes the
assessment of the overall control rating from prior reviews as well as the Firm state
complexity, Firm reputational risk and issues, Firm file volume and Firm size. The
Legal Review Scorecard captures the results of prior Firm File Reviews and Firm
Reviews and calculates an overall control rating for the Firm (i.e. Highly Effective,
Effective, Moderately Effective, Limited, Ineffective). The overall control rating from
prior reviews is the primary factor that determines the frequency and scope of
subsequent reviews. Generally, Legal conducts reviews for Firms with a Highly
Effective, Effective or Moderately Effective control rating annually to every 18 months.
Firms with a Limited or Ineffective control rating are typically reviewed semi-annually
to annually.
Page 28
Privileged and Confidential
Restricted
Legal may adjust the frequency of a Firm File Review and Firm Review (to a
maximum frequency of 18 months), the type of review, or the number or type of files
to be reviewed on a Firm by Firm basis based on an evaluation of the following
criteria:
x Firm State Complexity - The complexity of state specific legal or jurisdictional
requirements and the presence of unique state specific practices.
x Firm Reputational Risk and Issues – The Firm’s exposure to reputational risks and
contested issues raised by opposing parties.
x Firm File volume – The number of active HNAH foreclosure, bankruptcy and
eviction Files handled by the Firm in a specific state as well as the total number of
files handled by the Firm.
x Firm size – The total number of Firm employees as well as the ratio of attorneys to
staff.
In addition to the scheduled Firm File Reviews and Firm Reviews outlined above,
Legal may perform ad-hoc targeted reviews on a case by case basis to assess any
concerns or deficiencies noted in Firm Reviews.
While HBIO and HBUS are committed to complying with the VRM Program, there are
anticipated circumstances where HBIO and HBUS may be required to use a ThirdParty Provider prior to completing the VRM on-boarding process, such as where
Fannie Mae or Freddie Mac mandates immediate use of a new Law Firm that is not
currently an approved HSBC Third-Party Provider. In such instances, HBIO and
HBUS follow the Fannie Mae or Freddie Mac mandate and also initiate the VRM due
diligence process and a Legal Review of the Law Firm in parallel.
Management personnel of Residential Mortgage Servicing, HSBC Legal, Compliance
and Vendor Risk Management have reviewed existing policies and procedures for
HBIO and HBUS to provide appropriate due diligence on potential and current ThirdParty Providers to ensure the existing processes, policies and procedures are
accurate and in accordance with Third-Party Provider review requirements of the
Order. These policies, procedures and processes are subject to on-going review to
determine whether revisions or enhancements are appropriate or necessary in light of
changes to Legal Requirements or supervisory guidance.
Vetting and Master Services Agreement
All material Third-Party Providers must be vetted through the VRM Program. A ThirdParty Provider is deemed “material” if it meets any one of the following specified
criteria in the VRM Policy and Procedures: expenditure levels, receipt of restricted or
highly restricted information and access to HSBC systems, providing customer facing
services, having physical access to HSBC locations, or use of HSBC brand signifiers.
HBUS and HBIO enter into agreements with all material Third-Party Providers,
including active Law Firms.
Standard Master Services Agreements (“MSAs”) have been in place and available for
Third Party Providers (excluding Law Firms which are discussed below) engaged by
Page 29
Privileged and Confidential
Restricted
HSBC North America businesses. The MSAs include service level agreements
(“SLAs”) developed by VRM and the business as appropriate for the services
provided by the Third Party Provider. Representatives from the businesses and the
Third-Party Provider negotiate the terms, conditions and applicable service levels to
be included in these agreements. For additional information, please see Section 6.1 of
the VRM Policy and Section 5 of the TPORMG Procedures.
In order to enhance oversight and control over Law Firms, the standard Master
Services Agreement (Legal Services) (“Law Firm MSA”) was developed in
collaboration with HSBC Legal, TPORMG, Information Security Risk (“ISR”), Business
Continuity Program Management (“BCPM”), as well as the impacted business areas.
SLAs are contained within Law Firm MSA, Attachment F, titled Law Firm Work
Standards.
HBIO and HBUS directly engage the active foreclosure Law Firms that use the
legal desktop network; HBIO and HBUS do not
subcontract these Law Firms through
The Law Firm MSA has been sent for
execution to active foreclosure Law Firms that provide legal services to HBIO and
HBUS Residential Mortgage Servicing. Approximately 60 percent of the active
foreclosure Firms have returned to us the executed Law Firm MSA.
Additionally, each active foreclosure Law Firm is reviewed and monitored directly by
HSBC and HBIO Legal, Information Security Risk, VRM, TPORMG and other
appropriate functions. HSBC does not rely on
o perform Law Firm monitoring on
its behalf. Further, the Law Firm MSA provides that on occasion, where the
foreclosure Law Firm needs to retain a local attorney for a court appearance for
example, the foreclosure Law Firm needs to obtain HSBC’s prior approval. In these
instances and pursuant to the Law Firm MSA, the foreclosure Firm is responsible for
the actions of the retained Firm and is required to confirm that the retained Firm will
act in accordance with the provisions of the Law Firm MSA (see Section 25 of the Law
Firm MSA).
The standard agreements for Third-Party Providers, including the standard Law Firm
MSA, also provide terms allowing HBIO and HBUS businesses to perform adequate
oversight of Provider performance, review Provider adherence to established service
levels, and escalate non-compliance with contract provisions to appropriate HBIO or
HBUS management (see Law Firm MSA, Sections 3 (Law Firm Work Standards),
Section 23 (Access & Audit Procedures), Section 24 (Consequences of Failure to
Meet Performance and Other Standards) and the Escalation Protocol Matrix attached
as Exhibit C). The agreements also include provisions that require the Provider to
perform the services in compliance with applicable Legal Requirements and HBIO
and HBUS policies and procedures (see Section 4.6 of the Law Firm MSA).
As described in more detail in the Action Plan response to Article 6(a), in addition to
the VRM Policy and Procedures, HBIO and HBUS have implemented processes
pursuant to Section 6 of the TPORMG Procedure and Section 5.4 of the Legal Law
Page 30
Privileged and Confidential
Restricted
Firm Procedure regarding Law Firms reviews. These Procedures also require the
negotiation and execution of the Law Firm MSA, (see Section 5 of the TPORMG
Procedure and Section 4 of the Legal Law Firm Procedures. In addition to the
standard Law Firm MSA mentioned above sent to active foreclosure Law firms, a Law
Firm MSA will be sent for execution to existing active bankruptcy, eviction and DIL
Law Firms following satisfactory Firm reviews. It is anticipated that all MSAs will be
distributed by the end of fourth quarter 2011.
Service level agreements (“SLAs”) for Law Firms are contained in the Law Firm MSA
Attachment F, titled Law Firm Work Standards, to ensure compliance with applicable
laws, HSBC Best Practices and HSBC procedures. These SLAs were developed in
collaboration with Legal, Information Security Risk (“ISR”), Business Continuity
Program Management, as well as the impacted areas of the business: foreclosure,
bankruptcy, and evictions. Contract Owners (“CO”) within TPORMG are responsible
for ongoing monitoring of performance of Third-Party Providers against SLAs and
other contract terms, including the Legal Requirements, supervisory guidance and
HBIO’s policies and procedures. These COs also receive feedback regarding ThirdParty Provider performance from various sources including, but not limited to, the
business, ISR, Customer Service, and Legal with respect to Law Firm legal reviews
(described in Article 6 (a), (e) (g) and (j). In addition, TPORMG reviews Scorecard
results and Third Party Provider review findings, as appropriate, with the Third Party
Governance Committee on a monthly basis, as well as having daily interactions as
appropriate with the business areas. TPORMG is subject to review by HNAH VRM
and Group Audit North America.
Upon completion of a Law Firm legal review, a Remediation Letter identifying
concerns or deficiencies is sent to the Law Firm, with designated timeframes to
respond, and the Law Firm responses are tracked to confirm response. All of these
documents are stored in, and tracked through, the TPORMG
Database.
Continued non-compliance or performance failures may result in reduction of new
referrals, removal of existing files, exercise of indemnification rights, or termination of
the Third-Party Provider. The complete termination procedure outlining the transfer of
files process is in the attached Law Firm Termination Procedures ALL. The
supplementary documents regarding the Law Firm legal review and remediation
process include SAMPLE REMEDIATION LETTER – Follow Up on recent HSBC
Audit – Non-Judicial Foreclosure, SAMPLE REMEDIATION LETTER – FOLLOW-UP
on recent HSBC Audit (Firm with multiple state offices), and SAMPLE REMEDIATION
LETTER – FOLLOW-UP on recent HSBC Audit.
Ongoing Reviews
The existing VRM Policy and Procedures require businesses, which own the contracts
with the Third-Party Providers (which includes active Law Firms), to perform reviews
to monitor adherence to the contract terms and service level agreements (“SLAs”) in
the contracts. The Law Firm Management Procedures and the TPORMG Third Party
Management Procedures require periodic reviews of Third-Party Providers including
Law Firm reviews.
Page 31
Privileged and Confidential
Restricted
HBIO and HBUS also established the Mortgage Servicing Operations Third-Party
Provider Governance Committee (“Third Party Governance Committee”) to oversee
the Mortgage Servicing Third-Party Provider management process, which includes
the review of Law Firms. The Third Party Governance Committee will meet monthly.
The responsibilities of the Committee include:
x Reviewing and assessing performance reporting and results of the Third-Party
Provider reviews;
x Determining retention, discipline, remediation and termination of Third-Party
Providers;
x Evaluating and addressing emerging trends and risks and strategies;
x Determining whether or not to continue doing business with each Law Firm; and,
x Escalating issues identified, as appropriate, to senior management.
Additionally, processes are in place to ensure that applicable legal, regulatory and
investor changes are identified and appropriate changes made to relevant documents,
procedures and practices. Changes to Legal Requirements and supervisory guidance
are monitored by the Regulatory Monitoring and Assessment group (“RMA”) and
appropriate changes to documents, procedures and practices are implemented by the
businesses with assistance from the Law Change Working Group (“LCWG”).
Changes to GSE and investor guidelines are monitored and implemented in
coordination with the Investor Change Working Group (“ICWG”) for HBIO and HBUS
(see the attached RMA, LCWG, and ICWG procedures that provide further detail
regarding the processes to monitor and implement as appropriate legal changes,
supervisory guidance and investor requirements, and see HSBC North America New
Laws and Regulations Procedure – US and Law Implementation Procedure ALL).
As stated above and as provided in the Law Firm Procedures, the TPORMG
Procedures, and VRM Policies and Procedures, all active Law Firms receiving new
referrals are reviewed in accordance with the VRM Program, and Legal along with
TPORMG coordinates and manages a legal review of the Law Firms. The reviews
are conducted to ensure that foreclosures occur in a safe and sound manner with
timeliness, competence, completeness, compliance with applicable Legal
Requirements, and the contractual obligations of HSBC to the GSEs and investors.
The requirements for engagement of a vendor under the VRM Program have been
initiated for all active foreclosure, bankruptcy and eviction Law Firms. To date, the
following has occurred with respect to Law Firm reviews:
x Active foreclosure Law Firms are being monitored consistent with the VRM
Program;
x For all active foreclosure, bankruptcy and eviction Law Firms, a
(“
that initiates the VRM process for the
engagement of a Third-Party Provider has been completed;
x A Business Analysis Report (“BA”) and Financial Analysis Report (“FA”) has been
completed for active foreclosure Law Firms and a Contract Owner and Third Party
Risk Officer (“TPRO”) has been assigned;
Page 32
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
Third-Party Security Reviews (“TPSR”) by the HNAH Information Security Risk
(“ISR”) group are nearing completion for active foreclosure Law Firms. A TPSR
rating provided by ISR is included in the Overall Service Risk Assessment
(“OSRA”) rating for each Law Firm;
An NDA has been signed by the active foreclosure Law Firms;
Best Practices have been distributed to active foreclosure, bankruptcy and
eviction Law Firms. All foreclosure Firms (but for one with which we are still
working through remediation) have acknowledged their commitment to comply
with the Best Practices;
HSBC Legal has coordinated with the assistance of outside counsel initial reviews
of active foreclosure Law Firms to assess adherence and compliance with
applicable Legal Requirements, and review of the Firm processes and practices
for document preparation and review, execution and notarization, staffing, training,
capacity and competency;
Remediation letters have been sent to active foreclosure Law Firms regarding
deficiencies or concerns and remediation expectations, including time lines for
completion. Responses are being tracked and monitored in the TPORMG
Database (see SAMPLE REMEDIATION LETTER – Follow Up on
recent HSBC Audit – Non-Judicial Foreclosure, SAMPLE REMEDIATION LETTER
– FOLLOW-UP on recent HSBC Audit (Firm with multiple state offices), and
SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit);
Review of significant and material findings from the Law Firm reviews are
discussed at the Legal Review Meetings (described in the Action Plan response to
Article 6(a)) and will be discussed at the Third-Party Governance Committee
meetings (see the attached Mortgage Servicing Operations Third Party Provider
Governance Charter)).
and,
Law Firm termination procedures have been developed (see the attached Law
Firm Termination Procedures ALL document).
The standard Law Firm MSA (see the MASTER SERVICES AGREEMENT (LEGAL
SERVICES)), includes provisions regarding timeliness, competence, and compliance
with all applicable Legal Requirements to ensure that foreclosures are conducted in a
safe and sound manner.
Reviews of remaining active bankruptcy and eviction Firms will be completed, and if
the reviews are satisfactory, the Law Firm MSAs will be sent for execution to these
Firms, by year-end 2011. Firms with unsatisfactory reviews will be evaluated for
termination or other remediation. On an on-going basis, active Law Firms will be
assessed in a consistent manner with the VRM OSRA risk rating (the “VRM
Scorecard”). The OSRA risk rating is comprised of a series of risk statements used to
facilitate a risk assessment of key Vendor risks using the Operational Risk Self
Except for bankruptcy Law Firms in the BVW network as BVW and its network of bankruptcy attorneys are under review.
Page 33
Privileged and Confidential
Restricted
Assessment (“RSA”) Methodology to arrive at a consolidated rating. Additionally,
HSBC Legal will manage the legal reviews to assess legal risks associated with Law
Firms and will capture results of those reviews in the Legal Review Scorecard (see
the attached Legal Review Scorecard). The Legal Review Scorecard assesses legal
risk. The nature and frequency of the on-going reviews will depend, in part, on the
OSRA ratings, as well as the Legal Review Scorecard results and other factors
described in the Action Plan response to Article 6(a) (see the OSRA process in
Section 3.5 of the VRM Policy).
Certification
The existing HNAH VRM Policy and Procedures (see Section 4 on page 16) as well
as the TPORMG Procedures (see Section 6 on page 18) and the Law Firm
Procedures (see Section 5 on pages 5 to 9 and section 6 on page 10) provide the
review and assessment process to evaluate new Law Firms and for the on-going
monitoring of existing active Law Firms. While the assessment and review processes
described in the VRM Policy and Procedures, TPORMG Procedures and Law Firm
Procedures, are not specifically defined as a certification process, they serve the
same purpose by providing guidelines to determine whether Law Firms are qualified
to serve and whether HBIO and HBUS should engage or continue doing business
with the Law Firm.
These Procedures identify the type of reviews to be performed by the business,
Information Security Risk, VRM, TPORMG, Legal and others to assess the financial,
reputational, information security, legal and other capabilities or risks of the Law
Firms.
As stated, in the Action Plan response to Article 6(a), the requirements for
engagement of a Third Party under the VRM Program have been initiated for active
foreclosure, bankruptcy and eviction Law Firms that provide legal services to HBIO
and HBUS Residential Mortgage Servicing. In addition to the various financial,
information security, reputation and other reviews performed by VRM, Information
Security Risk, TPORMG, the business, and others, HSBC Legal manages with the
assistance of outside counsel, the legal review of Law Firms to assess Firm
compliance with applicable laws, rules, regulations and judicial requirements as well
as Firm qualifications to provide the legal services. These legal assessments are
managed by HSBC Legal along with experienced outside counsel to provide the
requisite expertise for the review and evaluation of the qualifications of the Law Firms
to perform the legal services.
Law Firm reviews include:
x Assessment of Law Firm qualifications, expertise, competence, reputation,
capacity, staffing, training, work quality, workload, controls, financial viability,
organizational structures and affiliated or related service provider relationships;
Except for bankruptcy Law Firms in the BVW network as BVW and its network of bankruptcy attorneys are under review.
Page 34
Privileged and Confidential
Restricted
x
x
x
x
x
x
Assessment of compliance with applicable legal, regulatory and judicial
requirements, Best Practices, compliance with HSBC Legal escalation mandates;
Assessment of financial and information security risks;
Review of Law Firm policies and procedures and document preparation, review,
execution, and notarization practices;
Interviews with Law Firm personnel;
Review of material or significant adverse litigation and media coverage regarding
the Law Firm; and,
File reviews.
Legal is using a Risk-Based Approach to determine the scope and frequency of ongoing Firm reviews and Firm file reviews (see section 5.3, pages 6 to 8 of the Legal
Procedures and the Action Plan response to Article 6(a) and (e)). As described more
fully in the Action Plan response to Article 6(e), this risk-based approach includes the
assessment of the overall control rating from prior reviews taking into consideration
Firm state complexity, Firm reputational risk, including adverse litigation and media
coverage, Firm file volume and Firm size. Based on this approach Firm Legal
Reviews can be performed every 6 to 18 months depending on the risk rating.
HSBC Legal has managed the initial legal reviews that have been completed for
active foreclosure Law Firms to assess compliance with applicable Legal
Requirements and Best Practices. Remediation letters identifying concerns or
deficiencies have been distributed to Law Firms, and responses tracked and
monitored in the TPORMG Share Point database (see Section 1.5, page 10 of
TPORMG Procedure and page 16 of Law Firm Procedure). The results of the reviews
are captured in the Summary of Findings Memos and Legal Review Scorecards for
each Firm. On an on-going basis, Law Firm communications, Law Firm review
results, Scorecard ratings and other information will be placed in the TPORMG
Database described earlier in Article 6(a) (see Section 1.5, page 10 of TPORMG
Procedure).
Based on the reviews and Scorecard results and Law Firm responses to Remediation
Letters, evaluations and recommendations are made regarding whether to continue
doing business with the Law Firm, reduce or cease new referrals, remove existing
files or terminate the Law Firm. Law Firms with significant or material exceptions are
discussed during the Legal Review Meetings described in the Action Plan response to
Article 6(a). Such exceptions will also be reviewed with the Third-Party Governance
Committee (see the Mortgage Servicing Operations Third Party Provider Governance
Charter).
Additionally, HSBC Legal has engaged outside counsel to monitor and notify HBIO
and HBUS of any adverse litigation and media coverage concerning Law Firms, and
Legal and TPORMG receive frequent summaries, at least weekly, regarding litigation
and media coverage concerning Law Firms. Law Firms are also required to provide
notice to HSBC of significant or substantive adverse litigation and any bar grievances
and sanctions (including reprimand, censure and disbarment) against the Law Firm or
Page 35
Privileged and Confidential
Restricted
any Firm attorney pursuant to the Escalation Protocol Matrix described in the Best
Practices and Law Firm MSA (described in the Action Plan response to Article 6(a).
Compliance with these provisions will be evaluated during Law Firm reviews.
Additionally, such litigation and matters are discussed with the Law Firms as
appropriate and their feedback is considered. Moreover, significant or substantive
adverse litigation or adverse media coverage regarding Law Firms is evaluated during
the Legal Review Meetings, and will also be discussed with the Third Party
Governance Committee and the Compliance Committee, as appropriate. In the event
HSBC personnel or any of the above Committees determine that any significant or
substantive adverse litigation or media coverage may impact the ability of the Law
Firm to perform in accordance with Legal Requirements or HBIO and HBUS policies
and procedures, or presents reputational concerns for HBIO or HBUS, actions
including reduction of new referrals, removal of existing files, exercise of
indemnification rights, and/or termination of the Law Firm may occur.
Business requirements have been developed to create a TPORMG Database that will
further strengthen the monitoring and reporting regarding Third-Party Providers (see
Third Party Operational Risk Management Database Design Requirements). Note
that these requirements may be modified as business needs are refined and
circumstances change. Population of the TPORMG database has begun. Testing
and validation of the database, along with system and user manuals will be completed
by the end of fourth quarter 2011.
Enhancements to Processes / Programs:
The progress reports to the Compliance Committee of the Board will be enhanced to
include a summary of key risk indicators of the Mortgage Servicing Companies, the
Bank, and the third-party relationships in the HNAH Vendor Risk Management
Program. Improvements to the reporting process are expected to be completed by
December 31, 2011, with the first report to be provided to the Compliance Committee
in January 2012.
Documents to be submitted with the Action Plan
x Information Security & Risk (ISR) – Risk Assessment - Vendor Risk Management Executive Steering Committee Charter
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC - North America Vendor Risk Management (VRM) PROCEDURES
x FIM B.2.15 Vendor Risk Management
Additional documents completed for re-submission of Action Plan
x Mortgage Servicing Third Party Operational Risk Management Procedures
x SERVICES AGREEMENT (LEGAL SERVICES)
x HSBC Mortgage Servicing Legal Department Law Firm Management Procedures
x Law Firm Termination Procedures ALL
x SAMPLE REMEDIATION LETTER - Follow Up on recent HSBC Audit - NonJudicial Foreclosure
Page 36
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
SAMPLE REMEDIATION LETTER - FOLLOW-UP on recent HSBC Audit (Firm
with multiple state offices)
SAMPLE REMEDIATION LETTER - FOLLOW-UP on recent HSBC Audit
HSBC North America New Laws and Regulations Procedure – US and Law
Implementation Procedure ALL
Mortgage Servicing Operations Third Party Provider Governance Charter
Third Party Operational Risk Management Database Design Requirements
Third Party Governance Committee Meeting
Servicing Operations Third Party Governance Meeting
Key HSBC Contacts for the Action Plan
x
, SVP General Compliance
x
SVP Strategy, Operational Risk Management and Chief
Information Officer, HBIO
x
– SVP, General Compliance
Page 37
Privileged and Confidential
Restricted
Articles 2(c) & 2(i)
FRB Order Reference:
Article 2(c)
Corresponding
N/A
OCC Article:
steps to ensure that HNAH’s ERM, audit, and compliance programs have adequate
levels and types of officers and staff dedicated to overseeing the Bank’s and the
Mortgage Servicing Companies’ residential mortgage loan servicing, Loss Mitigation,
and foreclosure activities, and that these programs have officers and staff with the
requisite qualifications, skills, and ability to comply with the requirements of this Order;
FRB Order Reference:
Article 2(i)
Corresponding
N/A
OCC Article:
steps to ensure that the risk management, audit, and compliance programs of the
Mortgage Servicing Companies have adequate levels and types of officers and staff
and that they have officers and staff with the requisite qualifications, skills, and ability
to comply with the requirements of this Order, and a timetable for hiring any
necessary additional officers and staff;
Action Plan
HNAH has existing processes in place to ensure Enterprise Risk Management
(“ERM”), audit, and compliance of the Mortgage Servicing Companies and the Bank
have adequate levels and types of officers and staff with requisite qualifications, skills,
and abilities to comply with the requirements of the Order.
Existing Processes / Programs:
Staffing for the ERM, Audit, and Compliance programs dedicated to overseeing
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities has
been addressed by Residential Mortgage Servicing, HNAH Compliance, and Group
Audit North America, respectively as part of their annual staffing analyses, detailed
below. Management of these departments has determined that current staffing levels
are adequate and the existing officers and staff possess the requisite qualifications,
skills and abilities to comply with the requirements of the Order. As such, there are no
additional hiring plans currently in place, and therefore a timetable for hiring additional
staff is not required. In addition, business-level workload reviews have occurred in
response to the Order and are detailed in Article 2(g). The basis for these
Management determinations, as well as the staffing plans for each of these groups is
as follows:
Annual Operating Plan (“AOP”) Process in response to FRB MOU
A formal staffing analysis of risk control functions was completed in late 2010 as part
of the FRB MOU, subpart I.e. requiring "an appropriate balance of resources to
ensure proper oversight of on-going business lines and the wind-down of discontinued
operations.” HNAH control functions, which include Finance, Compliance, Audit,
Information Technology, Human Resources, and Risk Management, follow a process
of reviewing resources to ensure adequacy for operating the organization. During the
Resource Operating Plan (“ROP”) process, each control function annually submits
Page 38
Privileged and Confidential
Restricted
operating plans inclusive of financial and Full-Time Employee (“FTE”) in alignment
with the objectives of the organization. Once finalized, these plans are communicated
throughout the organization and, with Resourcing Recruiting support, are deployed as
appropriate. Plans include documentation of the business case, establishment of job
responsibilities and establishment of reporting lines. Exhibit 10 of the October 10,
2011 management letter provides the resource adequacy analysis for the control
functions. Any changes in staffing required outside of the AOP ROP process can be
discussed bilaterally with the HNAH CEO or through the monthly Executive
Compliance Committee (“EXCO”) process. The April 28, 2011 FRB Supervisory letter
indicates that subpart I. e has been “met.” With respect to the Compliance
organization, further remediation will be assessed in conjunction with the October 4,
2010 Cease and Desist Order on AML, described in the attached MOU Response
Letter - October 21, 2010, FRB MOU Progress Letter April 28, 2011, and HNAH
Resource Adequacy – Control Function Analysis documents.
Additional analyses specific to ERM, audit and Compliance are described below.
ERM Staffing
ERM follows a process of reviewing resources to ensure adequacy for operating the
organization. During the ROP process noted above, ERM annually submits operating
plans inclusive of financial and FTE alignment with the organization objectives. This
is performed each December. Additionally, Based on the updates made through
previously ROP processes and responses to the MOU, ERM staffing is considered
adequate at this time and therefore no timeline is currently needed for staffing
changes.
Compliance Staffing
Central Services, a part of HNAH Compliance, conducts at least annually staffing
analyses, skills assessments, and capacity plans for the Compliance organization in
North America. These analyses, assessments and plans are intended to ensure that
the staff is maintained at appropriate levels and with the appropriate expertise to
provide oversight, timely and responsive guidance for the residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities.
The HSBC North America Audit and Risk Committees of the Board of Directors are
responsible for establishing an appropriate culture of compliance and for overseeing
the implementation of a comprehensive and effective Compliance Risk Management
Program. The Board has delegated to the HNAH, HBUS and HBIO Audit and Risk
Committees primary compliance risk management and oversight responsibilities.
These oversight responsibilities include obtaining reasonable assurance that
executive management is fully qualified and properly motivated to manage
compliance risks, as well as approving appointments and replacements for the HNAH
Regional Compliance Officer (“RCO”) and other Compliance Officers.
Additionally, the Committee is responsible for monitoring the effectiveness of the
Compliance Program, including testing and monitoring functions to ensure that HNAH
Page 39
Privileged and Confidential
Restricted
Compliance has appropriate independence, authority, access, and standing within the
organization and that sufficient resources are in place to effectuate the Compliance
Program objectives. Further details can be found in section 3.3 on pages 17 and 18 of
the HSBC – North America Compliance Risk Management Program Manual and
GROUP AUDIT NORTH AMERICA AUDIT AND RISK COMMITTEE Charter.
Human Resources supports the Compliance function of maintaining adequate officers
and staff and is formalized in the Compliance Program. North America Human
Resources (“HR”) provides Compliance functions with the ability to acquire and retain
compliance resources supporting the implementation of the Compliance Program. HR
duties and responsibilities in support of the human capital planning are described in
sections 5.10 on pages 56 to 58 HSBC – North America Compliance Risk
Management Program Manual, and include:
x Facilitating talent acquisition, management, development and succession
planning;
x Guiding and supporting the Compliance Performance Management approach;
x Coordinating with HNAH Compliance management and business lines to
identify and develop appropriate balanced scorecard compliance objectives;
x Maintaining oversight and support of the compliance resources acquisition
process;
x Maintaining oversight of a centralized tracking and reporting system to
document and monitor employee compliance training fulfillment;
x Providing business units and HNAH Compliance with periodic compliance
training reports, including any training exceptions.
The Consumer Mortgage Lending (“CML”) business line Compliance management
has assigned the Compliance staff to functional areas based on subject matter
expertise and is aligned into two areas - Servicing and Default (includes loss
mitigation and foreclosure). Currently, Compliance is staffed by twelve full-time
employees including the SVP dedicated to residential mortgage loan servicing and
default compliance. Although Compliance staff has reduced by two since October,
negotiations are underway to hire a former Compliance employee with extensive legal
training for the Default area. Compliance anticipates the former employee rejoining
the department in January 2012.
The current Compliance team is staffed with personnel that possess significant tenure
within the Industry and within Compliance. The staff have an average of 16 years with
HSBC and 10 years in Compliance. Upon the re-hiring of the former Compliance
employee, Compliance will be deemed to be fully staffed. This is based upon review
of current compliance related projects and initiatives, support required for compliancerelated regulatory examinations and the on-going business as usual workloads of fulltime compliance staff. Compliance management considers work hours, workload
and work product time line commitments for assessment of staffing level. Compliance
management is committed to maintaining adequate staffing levels in compliance with
the requirements of this Order, as outlined in the (See attached HNAH Corporate
Compliance Organizational Structure document). Compliance considers itself
Page 40
Privileged and Confidential
Restricted
adequacy staffed at this time and therefore no timeline is available for additional
changes.
Additionally, the attached HSBC – North America Compliance Risk Management
Program Manual describes the duties and responsibilities of line of business staff and
other staff regarding compliance with applicable state and federal laws and
regulations (See pages 36 and 37). For example, HBIO and HBUS staff are required
to:
x follow the HSBC – North America Compliance Risk Management Program Manual
and the related HBIO and HBUS compliance policies and procedures;
x be knowledgeable of, and compliant with, regulatory and compliance requirements
that are specifically related to their positions;
x understand and manage operational risks affecting their areas of responsibility,
including by maintaining adequate internal controls;
x ask questions or express concerns if their compliance role or responsibility is not
understood;
x successfully complete the annual required compliance training;
x report matters that may involve possible compliance breaches or violations to their
supervisors and HNAH Compliance on a timely basis; and
x refrain from participating in any activity that may be perceived as dishonest or
unethical or that violates the HNAH Statement of Business Principles and Code of
Ethics.
HSBC – North America Compliance Risk Management Program Manual section 3.3,
provides detail regarding the HNAH Compliance Governance Roles and
Responsibilities. HSBC – North America Compliance Risk Management Program
Manual section 3.5.6 (page 33) states that business line management must serve as
a first line of defense and establish effective compliance programs and build
compliance policies, procedures and controls into their business delivery and
operations functions. Individuals within the business units who own the relationships
with the Third-Party Providers are responsible for ongoing monitoring of the ThirdParty Providers’ performance against Service Level Agreements (SLA) and contract
terms, which include compliance with Legal Requirements, supervisory guidance and
HBIO’s and HBUS’ policies and procedures. The attached "Third Party Operational
Risk Management Department Instruction Book (“DIB”)" provides an overview of the
roles and responsibilities of the TPORMG and business line management and
provides the policies and procedures that govern management of Third Party
Providers. Compliance related roles and responsibilities are also communicated to
employees via the following methods:
x Employees are hired into a job that is described by a job code description. This
ensures that when employees begin working, they have a broad overview of their
duties & responsibilities. New job descriptions were completed and approved on
October 26, 2011, and the employees have been assigned to those positions.
Employees receive training (both formal Compliance courses as well as functional
on-the-Job training) that helps them understand how to execute against their
duties and responsibilities
Page 41
Privileged and Confidential
Restricted
x
x
x
x
Managers hold team meetings with their employees to review duties and
responsibilities
Employees receive direct feedback from their manager on the performance
through individual coaching sessions on their performance of their duties and
responsibilities
Employees receive direct feedback on their production for any quality control
errors
Employees also have access to all relevant policies and procedures for their work
functions on CLIO (Consumer and Mortgage Lending Information On-line) residing
on the intranet
If employees have questions about their duties and responsibilities, they are in close proximity to or can
access their manager via telephone for additional clarification
Group Audit North America Staffing
The Group Audit North America team is composed of qualified individuals with
experience and knowledge of Mortgage Servicing related activities. Currently staff
assigned to complete the review of mortgage servicing operations includes different
levels and types of officers, allowing for proper coverage of requirements included in
the Order, described further in the AUN Staff Assessment and Training Program.
Consistent with prior years, staffing requirements are driven by a risk-based audit
approach. Based upon the assessment of audits that need to be conducted in 2011,
an estimate of staffing needs was obtained taking into consideration the amount of
time required to perform other audit related activities, such as continuous risk
monitoring, systems reviews, audit issue follow-up and validation, participation in key
initiatives and committees, and mandatory continuing education for all staff members.
Personal leave time approximations, a historical factor for turnover, and other time
estimates are also factored into the staffing demand forecast.
Group Audit North America completed an analysis of the review and testing in the
areas of residential mortgage loan servicing, Loss Mitigation and foreclosure
activities. Capacity of the audit team to conduct audits is based on an analysis of the
number of hours required to complete professional audit work. This analysis
considered enhancements being made to processes and controls by management,
additional compliance risks identified and addressed, and the remediation efforts
specifically undertaken to address the Order. The original audit plan was revised due
to the addition of projects and activities needed to review all areas related to the
Order. The revised 2011 Audit Plan includes a total of 520 days divided among
several audit professionals) and allocated to mortgage servicing related reviews.
Based on this analysis, Group Audit North America determined that the current
staffing levels of qualified full-time audit employees is sufficient, as detailed in the
AUN Staff Assessment and Training Program.
Group Audit North America assesses the adequacy of staff levels at least annually.
The Audit Committee has responsibilities, adopted from directives of the Board of
Directors, to monitor the effectiveness, resources and standing of internal audit and
consider major findings of investigations and the management response. At least
annually, the HNAH Senior Executive Vice President (“SEVP”) will submit to
Page 42
Privileged and Confidential
Restricted
Residential Mortgage Servicing Management and the Audit Committee an internal
audit plan for review and approval. The internal audit plan will consist of a work
schedule as well as budget and resource requirements for the next fiscal/calendar
year. The SEVP will communicate auditor qualifications, the impact of resource
limitations and significant interim changes to Residential Mortgage Servicing
Management and the Audit Committee.
Prior to developing the audit plans, the total number of available resources needs to
be determined. A spreadsheet is prepared which lists out all the auditors for an audit
team, their position and utilization percentage. This review, which is noted page 1 of
the attached Utilization and Available Resource Procedures includes components
such as:
x Utilization percentages
x Total number of days
x Turnover percentages
x Use of interns
This information is then used to calculate the total number of days per audit and used
for scheduling.
As detailed on pages 1 – 4 of the attached AUN Staff Assessment and Training
Program, the Internal Audit team is composed of qualified individuals with several
years of experience and knowledge of Mortgage Servicing related activities. Currently,
the staff assigned to complete Mortgage Servicing operations reviews includes
different levels and types of officers, allowing proper coverage of the requirements
included in the Consent Orders. Qualifications of a sample of auditors who work on
mortgage servicing audits are presented below. It is pertinent to note that this is not a
dedicated mortgage servicing team as auditors participate in other engagements
throughout the year. Refer to Appendix A within the attached AUN Staff Assessment
and Training Program for Mortgage Business Audit Organizational Chart.
Every auditor is required to complete at least 40 hours of training per calendar year.
This can include internal and external training courses, online or computer based
training, or self-study in preparation of an approved professional certification. Sixteen
of the 40 hours must be dedicated to compliance education to keep staff up-to-date
with current regulatory requirements. In addition, several core members of the
mortgage business audit team attended a training course or conference related to the
industry this year. A training strategy and plan has been established and tracked to
completion. Additionally, specific training plans are noted by auditor and provided on
pages 1 – 6 of the attached AUN Staff Qualification Assessment and 2011 Training
Program.
It is pertinent to note that the Audit team is supported by an independent group of
auditor’s specializing in IT operations and MIS reporting. They assist the general
audit team with independent exception monitoring utilized in the process reviews.
Page 43
Privileged and Confidential
Restricted
As part of the mandatory internal training requirements, auditors are required to
complete training in areas such as fair lending, operational risk and compliance
enterprise risk wide assessment process which impact and/or include residential
mortgage servicing activities.
The Chief Audit Executive of HNAH has overall responsibility for managing all audits
in the region. However, the Chief Audit Executive of HBIO has overall responsibility
for audits of the consumer and mortgage lending business for HBIO and HSBC USA
Inc. (“HUSI”). The HBIO Chief Audit Executive has over 18 years of experience in the
financial services industry and an extensive internal audit background. These
experiences include managing internal audits for financial institutions and acting in
auditing and consulting roles with a large accounting firm.
Coverage of the mortgage business unit is also included in Group Audit North
America’s enterprise-wide themed reviews, such as HMDA, Fair Lending, Service
Delivery Control Adherence (formerly known as NAQA), and GLBA Compliance.
The existing processes, as described above, ensure that adequate qualified staffing of
the audit function is provided for residential mortgage loan servicing, Loss Mitigation,
and foreclosure activities and exhibit HNAH’s commitment to ensure reviews are
performed by individuals with appropriate experience and qualifications in accordance
with the requirements of the Order.
In addition, in response to the Order, several core members of the mortgage business
audit team are required to attend a specialized training course or conference related
to the industry this year. A training strategy and plan have been established and is
tracked to completion including quarterly updates to the FRB.
Specialized training includes attendance at:
• Enterprise Risk Management Conferences
• Mortgage Risk Conference
• Compliance and Ethics Academy
• Governance, Risk and Compliance Conference
• Regulatory Compliance Conference (covering foreclosure regulatory expectations)
• MERS Seminar
Refer to AUN Staff Qualification and 2011 Training Programs chart attached hereto.
This chart includes a summary of mortgage business team core member’s
biographies, certifications, 2011 internal and external training plans, as well as status
of training as of September 30, 2011.
Based on Group Audit North America’s analysis of the review and testing that needs
to be completed in the areas of mortgage loan servicing, Loss Mitigation and
foreclosure activities in accordance with our risk-based approach, resource
requirements have been reviewed and resource allocations adjusted where
applicable. This analysis has considered the enhancements being made to
processes and controls by Residential Mortgage Servicing management, additional
Page 44
Privileged and Confidential
Restricted
compliance risks identified and addressed, and the remediation efforts specifically
undertaken to address the Order, and it has been concluded that there are adequate
number of full-time employees with the required skills and experience at this time.
Group Audit North America assesses the adequacy of its staff levels on an ongoing
basis and changes made as needed. We will consider augmenting with consultancy
resources if deemed necessary at any point. Refer to AUN Staff Assessment and
Training Programs document attached for detailed capacity assessment. Additionally
as Group Audit considers itself adequacy staffed at this time, no timeline is available
for additional changes.
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
North American HR Learning Overview
In addition to the staffing analyses noted above, training occurs to assist ERM,
Compliance and Audit as needed as summarized below
The North America HR Learning team is a functional department organized within the
Human Resources division responsible for formal training development. Learning is a
branch of the Learning, Training, Resourcing and Organizational Development
(”LTROD”) group within HR. As a centralized function, Learning provides support for
all business lines and functions within North America with a pool of Learning
employees and contains various roles within its structure (approximately 85
employees).
HSBC conducted an evaluation of its mandatory compliance and business function
courses as of July 31, 2011 (Please reference “Learning & Development Functional
Training Gap Assessment” for a draft summary of the evaluation provided). This
evaluation outlined enhancements necessary to adhere to compliance with applicable
Legal Requirements and supervisory guidance. In accordance with this evaluation,
Learning developed an execution plan for new or enhanced training programs (Refer
to slides 6-7 of “CML Consent Order Response Recommendations from Learning”).
The evaluation concluded that HSBC needed to develop a total of 18 courses, each of
which may be composed of multiple modules.
For additional detail on the overall structure of the how training is developed as well
as the evaluation noted above, please see the Action Plan response to Article 11.
Documents to be submitted with the Action Plan
x HNAH Operational Risk Internal Control Target Operating Model
x Organizational Structure - Servicing
x Organizational Structure - ORM, TPOR, BIRO, FRG
x HNAH Corporate Compliance Organizational Structure
x HSBC – North America Compliance Risk Management Program Manual
Page 45
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
AUN Staff Assessment and Training Program
GROUP AUDIT NORTH AMERICA AUDIT AND RISK COMMITTEE
B.1.2 Governance and Organization of Operational Risk and Internal Control
B.1.6 Internal Control Monitoring and Oversight
FRB MOU Progress Letter April 28, 2011
HNAH Resource Adequacy – Control Function Analysis
MOU Response Letter – October 21, 2010
Additional documents completed for re-submission of Action Plan
x HNAH Operational Risk & Internal Control
x Operational Risk Awareness WBT
x HSBC – North America Compliance Risk Management Program Manual
x Third Party Operational Risk Management Department Instruction Book (“DIB”)
x Utilization and Available Resource Procedures
x AUN Staff Assessment and Training Program
x AUN Staff Qualification Assessment and 2011 Training Program
x Learning & Development Functional Training Gap Assessment
x CML Consent Order Response Recommendations from Learning
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Officer, HBIO
x
EVP/Chief Auditor, HBIO
x
, SVP General Compliance
x
SVP Default Services
x
,
HNAH
Page 46
Privileged and Confidential
Restricted
Articles 2(d) & 2(l)
FRB Order Reference:
Article 2(d)
Corresponding
N/A
OCC Article:
steps to improve the information and reports that will be regularly reviewed by the
board of directors or authorized committee of the board of directors of HNAH
regarding residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and operations, including, compliance risk assessments, and the status and
results of measures taken, or to be taken, to remediate deficiencies in residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities, and to comply
with this Order;
FRB Order Reference:
Article 2(l)
Corresponding
N/A
OCC Article:
steps to improve the information and reports that will be regularly reviewed by
HNAH’s and HBIO’s boards of directors to assess the performance of residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities and operations, as
well as the risk management and compliance programs and associated functions
including, compliance risk assessments, and the status and results of measures
taken, or to be taken, to remediate mortgage servicing, Loss Mitigation, and
foreclosure deficiencies, and to comply with this Order.
Action Plan
A series of design sessions were conducted with representatives from Residential
Mortgage Servicing management, Compliance and MIS to compare existing reports to
the requirements of the Order and to identify gaps in current reporting. As a result of
those design sessions, HBIO and HBUS have identified the need for and developed
over 35 key reports and continue to enhance executive reporting to include the
relevant MIS components for Residential Mortgage Servicing, Loss Mitigation, loan
modification, foreclosure, or MERS activities to meet the Order requirements.
Existing Processes / Programs:
Foreclosure Flash Report
HBIO utilizes the existing Foreclosure Flash Report and both HBIO and HBUS utilize
the Loan Modification Flash Report and the Mortgage Corporation Governance
Review Deck (See Mortgage Corporation Governance Review North America Risk
report example in its entirety to illustrate the aforementioned reports) to provide senior
management with metrics for mortgage activities. These reports are the primary
supporting documents for compilation of the monthly Board Reporting package,
further described in the Enhancements section below.
The Foreclosure Flash Report highlights performance tracking, analytics, and
financials, including but not limited to the volume of foreclosure referrals, foreclosure
inventory, foreclosure timelines, the affidavit pipeline, rescinded sales, foreclosure
outflow, short sale and deed-in-lieu volume, third-party sales, severity rates, SCRA
account volumes, and the impact of corporate advances (see CONSUMER AND
Page 47
Privileged and Confidential
Restricted
MORTGAGE LENDING AND MORTGAGE CORPORATION - FORECLOSURE
FLASH JUNE 2011).
The Loan Modification Flash Report provides a summary of modification volume,
analytics, and financials, including modification and re-aged volumes, modification
inventory, application turnaround time for HBIO's CML Foreclosure Avoidance
Program (“FAP”), CML FAP application volume and approval and activation rates,
modification recidivism, and modification payment relief rates (see CONSUMER AND
MORTGAGE LENDING MODIFICATION AND RE-AGE FLASH REPORT MAY
2011).
Mortgage Corporation Governance Reports
The Mortgage Corporation Governance Review Deck (HBUS metrics only) covers
delinquency performance, financials, productivity measures (dialer penetration and
abandon percentage) as well as a summary of loan modifications (see Mortgage
Corporation Governance Review North America Risk in its entirety). The report also
covers other metrics such as short sales, recidivism and REO.
Daily Operational Reports
In addition, HBIO and HBUS plan to maintain their existing daily operational reports
for Loss Mitigation, loan modification, foreclosure, and MERS processing activities.
These reports include but are not limited to:
x Agent Productivity Report – Tracks daily and month-to-date agent-level
performance by key metrics defined by the business.
x Inventory Report – Includes reporting on the pipeline of loans throughout
the foreclosure, Loss Mitigation, MERS and loan modification processes.
x Exception Based Reports – A control report to ensure proper adherence to
internal policy and procedures and regulatory requirements
x Mortgage Corporation Governance Review North America Risk –
summarizes key operating results highlighting performance, productivity,
loss mitigation, foreclosure, and REO on a monthly basis
x REO Dashboard and Pipeline Reports – (Foreclosure) provides state-bystate statistics for CML foreclosure inventory
x REO Inflow and Outflow Inventory – (REO) provides month-over-month
view of new REO and REO disposition by dollars and count
x Sales Analysis – (REO) details month-over-month statistics on CML and
Mortgage Corp REO disposition
x Approved Inventory Reports – (Loss Mitigation) monitors accounts in the
modification trial period for qualifying payments
x Monthly Mod CIT TAT Report – (Loss Mitigation) summarizes turnaround
time, or TAT, from modification trial completion to activation
x County Compliance Risk Outstanding Report - 10 day – (Servicing, Lien
Release) identifies paid in full loans for which lien release is pending with
the county
x Daily Escrow Team CIT Tracking Report – (Servicing) tracks outstanding
Customer Inquiry Tracking tasks assigned to the escrow team
Page 48
Privileged and Confidential
Restricted
x
Care Services Performance Summary – (Customer Service) summarizes
key performance and efficiency metrics related to customer service
Newly Developed MIS Reports
As noted above, a series of design sessions were conducted with representatives
from Residential Mortgage Servicing management, Compliance and MIS to compare
existing reports to the requirements of the Order and to identify gaps in current
reporting. As a result, the following key MIS reports were recently developed as of
September 2011 (please see attached OCC_FRB Key Reports - 09_12_11):
SPOC Reporting (8 daily reports to support the SPOC specialist team within Loss
Mitigation):
x SPOC STIP INVENTORY REPORT
ACCTS AS OF 26SEP11 - identify
accounts within the Stipulation Process, for follow-up purposes.
x MTD HMC SPOC INVENTORY BY ISSUE REPORT – provides the total
number of open/closed tasks processed during the month.
x MTD HMC SPOC INVENTORY BY DAY REPORT – provides the average
number of issues presented and managed by the SPOC Mortgage
Servicing Specialist daily.
x MTD HMC SPOC TURN AROUND TIME REPORT – details the time it
takes to work each task managed by the SPOC Mortgage Servicing
Specialist.
x MTD HMC SPOC VOLUME REPORT BY CONTACT - REASON RESOLUTION CODE REPORT – provides the number of contacts made
within the SPOC process to manage volumes and capacity.
x SPOC STIP INVENTORY REPORT MS ACCTS AS OF 25SEP11 –
identifies accounts within the Stipulation Process, for follow-up purposes.
x MS ELM SPOC WAS - IS REPORT; MS PROACTIVE SPOC WAS - IS
REPORT;
ELM SPOC WAS - IS REPORT;
PROACTIVE SPOC
WAS - IS REPORT – provide visibility to accounts that flow out of the
SPOC process.
x HMS SPOC MISSING LIQ ASSIGNMENT REPORT;
SPOC MISSING
LIQ ASSIGNMENT REPORT; CLMS SPOC MISSING LIQ ASSIGNMENT
REPORT - identify accounts that are in a Loss Mitigation and/or
Foreclosure status that were not assigned to a designated SPOC Mortgage
Servicing Specialist.
Foreclosure Reporting (12 daily reports to support the Foreclosure team):
x Affidavit Fee Exceptions - provides completed affidavits with advances that
should be classified as non-recoverable.
x
AFFIDAVIT PENDING - 26SEP11– manages document
pipeline to ensure accounts are moving through the established document
execution process.
x AFF RECEIVED OR EXECUTED - IS34718 – an exception report that
identifies non foreclosure accounts with an affidavit draft request or
Page 49
Privileged and Confidential
Restricted
x
x
x
x
x
x
executed docs to ensure proper execution of the account (i.e. proceed with
foreclosure or decline affidavit request).
EXECUTED AFFIDAVIT REPORT (EAR) – reconciles completed affidavits
in the tracking database to the system of record.
ACTIVE FCL RECON BTW INTERNAL SYS AND
MANUAL REVIEW
REQUIRED; ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN INTERNAL SYS - NOT ACTIVE FCL IN
ACTIVE FCL
RECON BTW INTERNAL SYS AND
ACTIVE FCL IN INTERNAL SYS
- NOT ACTIVE FCL IN INTERNAL SYS - reconcile active foreclosure
accounts on the system of record to
AFFIDAVIT IN PROCESS REPORT– details accounts requiring legal
guidance or review prior to drafting or executing documents such as
affidavits, certifications, declarations, etc.
PEAR RECONCILIATION REPORT- reconciles pending execution of
affidavits on the system of record to
QC ACCEPTED REVIEW REPORT– monitors accounts flowing through the
pipeline as the process was designed; details documents are reviewed
within established timelines; identifies accounts pending document drafts,
which have not been sent over for quality review; and details all documents
that have been reviewed and notated by quality review
FEES WAIVED BY FCL REP WITHOUT AFFIDAVIT RECEIVED - captures
accounts where the employee has waived a fee outside of the procedural
guidelines.
Legal Entity Validation Reporting (4 daily reports to support the Records
Management team):
x
Assignment Confirmation Tracking – details assignments that have
been sent to Records but not confirmed in
is an application
used to track and prepare mortgage releases and assignments.
x
Assignment Recording Cost Report– provides a monthly summary of
recording fees disbursed on assignments for expense purposes.
x
Assignments Pipeline – identifies assignments that have not been
sent to the County or State
x
Assignments Completion Report – identifies completed assignments
in
Third Party Management Reporting (2 daily reports to support the Vendor
Management teams):
x CLMS DISBURSEMENTS-GLOBAL-ATTORNEY EXPENSE CODES 25SEP11; CLMS DISBURSEMENTS-DRM- ATTORNEY EXPENSE
CODES - 25SEP11- reviews the reasonability, recoverability and frequency
of the attorney’s fees and costs.
x
REO INVOICES ENTERED - 25SEP11- reviews the reasonability,
recoverability and frequency of the attorney’s fees and costs.
Page 50
Privileged and Confidential
Restricted
Critical Operational Reporting (1 weekly report to support the Senior Management
team):
x Affidavit Execution Summary – monitors executed affidavit volume.
Monthly Board Reporting Package
As of September 12, 2011, HBIO and HBUS have completed a monthly Board
Reporting package for the HNAH Board of Directors, the HNAH Risk Committee, and
the Executive Compliance Steering Committee of HBIO and HBUS to highlight HBIO
and HBUS foreclosure enhancement program status, compliance risk assessment
results and key operational metrics related to residential mortgage loan servicing,
Loss Mitigation, loan modification, foreclosure, and MERS activities. The Board
Reporting package was first presented on July 25, 2011, to the committees. The
Board Reporting package will continue to evolve as metrics are developed and
enhanced.
In addition to the reports mentioned above, 10 key monthly MIS reports were also
recently developed to support the Compliance metrics included in the Board
Reporting package (please see attached
& Board Deck Reporting, Foreclosure
and Account Servicing Review):
x SCRA Accounts Report (3) – identifies active SCRA accounts with an interest
rate greater than six percent, active accounts in foreclosure or REO status and
active accounts with inaccurate credit bureau reporting.
x Rescinded Foreclosure Sales Report – identifies rescinded foreclosure sales
as a percent of total foreclosure sales, by controllable, non-controllable, and
HBIO or HBUS decision
x Lost Note Affidavits – provides the number of lost note affidavits versus the
total number of note validations completed.
x Usury – analyzes the interest paid over the life of the loan to ensure the interest
amount was not excessive in regards to the state maximum.
x ARM Change Notice –ensures proper notification to borrower upon ARM rate
adjustment.
x Adverse Action – identifies accounts that have not been decisioned within 30
days or adverse action letter not sent within 30 days of application.
x Denial Letters – verifies that HSBC sends a letter to the customer within 5 days
of denial.
x Escrow Analysis – identifies accounts where escrow analysis has not been
completed on an annual basis.
In addition to the aforementioned reports, MERS Reporting is also utilized (9 reports)
– reconciles active and inactive loans between the MERS system and HSBC’s
servicing system. HSBC platforms included are
and
covering active and
inactive accounts in June and July, 2011. These platforms are used to compare
MERS accounts on the HSBC system to the MERS system of record. The following
reports, which reconcile active and inactive loans between the MERS system and
HSBC’s servicing system, are attached:
Page 51
Privileged and Confidential
Restricted
x
x
x
x
MERS OB_HMS Compare Active
MERS OB_HMS Compare Inactive
MERS OB_CLMS Compare Active
MERS OB_CLMS Compare Inactive
Enhancement to Processes / Programs:
Expanded Board Reporting Package
HBIO and HBUS will expand the Board Reporting package as new MIS reports are
developed. The eight monthly Compliance-related reports listed below are under
development for the HNAH Board of Directors at this time and were initially expected
to be completed by 11/30/11. However, the reports are related to the restart of new
foreclosure proceedings and the delay in those restarts has resulted in the following
reports expected to be put into production by the end of 1Q’12:
x Redemption Period Reporting – used to ensure adherence to redemption
period prior to transferring property into REO.
x Evictions – will identify accounts that fall outside the state time requirements
for evictions.
x BPO Fees – will identify accounts where a 2nd BPO was ordered within 90
days.
x Demand Letters – will be used to ensure accounts in foreclosure received
breach letter within state and federal guidelines.
x State Specific Letters – will be used to ensure accounts in foreclosure
received breach letter within state guidelines.
x Lender Placed Insurance (LPI) – will be used to verify customer receives
notification prior to placing insurance.
x Late Fees – will be used to identify accounts in foreclosure to ensure fees
assessed comply with state and federal guidelines.
x Modifications with no decision in 30 days – will be used to ensure all
applications for modifications receive notification of the decision within 30
days.
Additionally, the appropriate Mortgage Operations and MIS senior management have
reviewed the planned and any future MIS enhancements to ensure that they have
been created to meet the requirements of the Order.
Additional MIS Requirements
In addition, existing internal sources including the Testing and Risk Assessment
Compliance (“TRAC”) team and
(“
) are being
used to inventory applicable Legal Requirements, supervisory guidance and the
requirements of this Order across functional areas. Based on the inventory of Legal
Requirements, supervisory guidance, and requirements of this Order, Residential
Mortgage Servicing Management will determine the MIS requirements and define the
compliance metrics for inclusion within the Compliance Risk Assessment Dashboard,
described in the attached Testing and Risk Assessment Compliance Unit (TRAC)
Procedures Manual.
Page 52
Privileged and Confidential
Restricted
Monthly Compliance Committee Report
Finally, at least monthly, the EVP HBIO, President and Chief Servicing Officer a report
to the Compliance Committee of the Board regarding the status of compliance and the
budget related to the Consent Order requirements.
Documents to be submitted with the Action Plan
x Testing and Risk Assessment Compliance Unit (TRAC) Procedures Manual
Additional documents completed for re-submission of Action Plan
x ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN
INTERNAL SYS - NOT ACTIVE FCL IN INTERNAL SYS
x ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN
INTERNAL SYS - NOT ACTIVE FCL IN
x ACTIVE FCL RECON BTW INTERNAL SYS AND
MANUAL REVIEW
REQUIRED
x AFF RECEIVED OR EXECUTED - IS34718
x CONSUMER AND MORTGAGE LENDING AND MORTGAGE CORPORATION FORECLOSURE FLASH JUNE 2011
x CONSUMER AND MORTGAGE LENDING MODIFICATION AND RE-AGE FLASH
REPORT MAY 2011
x Mortgage Corporation Governance Review North America Risk
x FORECLOSURE AND REO PERFORMANCE DASHBOARD Default MIS
x REO Inflow Outflow Inventory
x Foreclosure and Account Servicing Review (see updated version below)
x POMONA REO SALES ANALYSIS May 2011 NorthAmericaRisk – MIS Default
Reporting
x HSBC MORTGAGE SERVICES CLMS APPROVED INVENTORY REPORT
x HSBC MORTGAGE SERVICES HMS APPROVED INVENTORY REPORT
x HSBC MORTGAGE SERVICES CLMS AND MOD PROCESSING TIME LINES
MONTHLY DASHBOARD
x County Compliance Risk Outstanding Report – 10 Days or Less Remaining HSBC
CONSUMER LENDING
x HSBC CONSUMER AND MORTGAGE LENDING INSURANCE AND ESCROW
CIT PRODUCTIVITY-MTD
x Summary of CML and MC Care Services Performance in June 2011
x Board Report - Detailed Metrics List
Key HSBC Contacts for the Action Plan
x
, Regional Head of Retail Collections
x
, SVP General Compliance
x
, SVP Compliance, HSBC Bank USA, NA
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 53
Privileged and Confidential
Restricted
x
x
SVP Default Services, Mortgage Servicing
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 54
Privileged and Confidential
Restricted
Article 2(e)
FRB Order Reference:
Article 2(e)
Corresponding
N/A
OCC Article:
funding for personnel, systems, and other resources as are needed to carry out the
Mortgage Servicing Companies’ residential mortgage loan servicing, Loss Mitigation,
and foreclosure activities and operations in full compliance with the Legal
Requirements and the requirements of this Order, taking into consideration the
current and expected volume of past due loans;
Action Plan
Management has existing processes to ensure that funding for personnel, systems,
and other resources as are needed to carry out the residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities and operations of the Bank and
the Mortgage Servicing Companies in full compliance with the Legal Requirements
and the requirements of this Order, taking into consideration the current and expected
volume of past due loans to comply with the Order. Funding is separated into two
different budgets: that which is allocated to Residential Mortgage Servicing personnel
as well as specific funding to meet the requirements of the Order. HNAH has had
allocated
and
respectively for 2011 and increased each budget
to
and
respectively to address additional needs as required by
the Order. Additional funds will be approved as needed.
Existing Processes / Programs:
Board Commitment to Funding
The HNAH Board of Directors has adopted a resolution that commits to provide
funding for personnel, systems, and other resources, as needed, to operate risk
management and compliance programs that are safe and sound and that are
commensurate with the risk profile of the Bank and Mortgage Servicing Companies.
The attached Approval of Board Commitment of Financial and Managerial Resources
No_NA11-11, CF11-29, US11-39 provides further detail on the resolution.
Budgeting Process
HNAH control functions, which include Finance, Compliance, Audit, Information
Technology, Human Resources, and Risk Management, follow a process of reviewing
resources to ensure adequacy for operating the organization. During the Resource
Operating Plan (“ROP”) process, each control function annually submits operating
plans inclusive of financial and Full-Time Employee (“FTE”) in alignment with the
objectives of the organization. Once finalized, these plans are communicated
throughout the organization and, with Resourcing Recruiting support, are deployed as
appropriate. These financial plans are revised and submitted on a quarterly basis.
Page 55
Privileged and Confidential
Restricted
Operational Plans and Funding Requirements
The Residential Mortgage Servicing, Credit Risk, Capacity Planning and Finance
teams work together to create operational plans and establish funding requirements.
For instance, delinquency volume expectations produced by Credit Risk will be
leveraged by the Capacity Planning team and the business unit operators to
determine the resources needed to balance workload demands. Finance then uses
the capacity requirements to determine the appropriate operating budget.
Residential Mortgage Servicing Management, which is responsible for the functional
components of their organization, determines the personnel, systems, and other
resources needed to meet demand. Residential Mortgage Servicing Management
works with the HNAH capacity planning team to see that the needs of the business
are recognized and that the planning for any required resources can be initiated.
Management has and will continue to review and manage the workloads for
residential mortgage loan servicing, Loss Mitigation, loan modification, and
foreclosure personnel. Capacity modelling and planning is owned and performed by
an independent party within HSBC North America’s Credit Risk function. Analysis is
based on Credit Risk forecasts and includes planned attrition, hiring, staffing
movements, and strategy changes. The model compares expected monthly
headcount against the demand (as predicted by the risk forecast) to determine the
need for hiring, staffing movements, or utilization of overtime. In addition, the
Workload Review, detailed in Article 2(g) is also refreshed on a monthly basis which
identifies other staffing needs.
Management actively monitors and updates the planning methodology for capacity
and staff workloads based on market conditions, internal data and forecasts.
Throughout the year, the Credit Risk group communicates and coordinates staffing
requirements by department to Finance to ensure the departments receive
appropriate consideration in the budgeting process. Based on this process, analysis is
performed for the short- and long-term capacity needs of each business department.
Management actively manages staffing needs. The capacity plan is a rolling plan
continually re-examined to determine and identify needs. Presently, Management has
identified the need for incremental residential mortgage loan servicing staff increases
after the foreclosure moratorium and plans to adjust once volume expectations and
productivity impacts are finalized. In addition, Management proactively increased
capacity in the past as it anticipates increased volumes of Loss Mitigation and
foreclosure activities. Management will continue to adjust, review, and monitor the
capacity plan to drive operational efficiencies and to mitigate risk associated with
volume fluctuations and changes in market conditions. For further details, see the
attached Foreclosure Affidavit Capacity Discussion and CML Default Capacity Plan
Overview - May 2011 documents.
Residential Mortgage Servicing management and the Bi-Weekly Retail Operations
Governance (“BROG”) Committee review and discuss the long-term capacity plan.
Page 56
Privileged and Confidential
Restricted
Both short- and long-term capacity planning are on-going processes that occur within
the 90-day requirement.
Finally, at least monthly, the CIO & Head of Relationship Management HBIO provides
the attached HBIO Executive Compliance Steering Committee report which details on
pages 15 – 17 the HR capacity planning and budget related to the Consent Order
requirements to ensure that executive management has visibility into each. The EVP
HBIO, President and Chief Servicing Officer, at least monthly, provides an overview of
the progress occurring towards the Mortgage Servicing Consent Order to the
Compliance Committee of the Board, which includes an update on the budget and
resources requirements. Please see attached Foreclosure Account and Servicing
Review pages 1 – 7.
Enhancement to Processes / Programs:
Consent Order Budget
Residential Mortgage Servicing management compared this requirement of the Order
to the current processes as described above, as well as the current Corporate
Governance Structure and Reporting described in the Action Plan response to Article
2 (a), and have determined that these processes provide for the oversight of
personnel funding and the funding for systems and other resources as are needed to
carry out the residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and operations of the Mortgage Servicing Companies and the Bank in full
compliance with Legal Requirements and the requirements of the Order, taking into
consideration the current and expected volumes of past due loans.
Through the review of these Orders and communication with the Executive Steering
and Compliance Committees of the Board, it was determined that
was
required to support the requirements of the Order. The allocation of the
is
as follows:
x Program Support of the Orders - providing project management, technology,
training and complaint processing requirements
x Foreclosure Lookback - hiring of an independent consultant to perform the
foreclosure lookback as outlined by the Order
x Law Firm Audits - creating, managing and conducting due diligence over law
firms as outlined by the Order
x Risk Assessment - hiring an independent consultant to perform the risk
assessment requirements as outlined by the Order
Additionally, a funding increase to
2012.
has been requested and approved for
Residential Mortgage Services Personnel Funding
Through the analysis noted above, Residential Mortgage Servicing also increased its
personnel budget to meet the additional requirements of the Order. The operating
Page 57
Privileged and Confidential
Restricted
budget has been increased from
in 2011 to
for 2012. This
increase is directly related to changes in processes and staffing resulting from the
requirements of the Order.
Progress against the budget is communicated at least monthly to the Executive
Steering and Compliance Committees (see attached HBIO Executive Steering
Committee document slide 17 and Foreclosure and Account Servicing Review
document slide 7).
Documents to be submitted with the Action Plan
x Foreclosure Affidavit Capacity Discussion
x CML Default Capacity Plan Overview - May 2011
Additional documents completed for re-submission of Action Plan
x HBIO Executive Compliance Steering Committee
x Foreclosure and Account Servicing Review
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
x
SVP Default Services
x
, SVP Default Services, Mortgage Servicing
Page 58
Privileged and Confidential
Restricted
Article 2(f)
FRB Order Reference:
Article 2(f)
Corresponding
N/A
OCC Article:
funding for personnel, systems, and other resources as are needed to operate risk
management and compliance programs that are safe and sound and that are
commensurate with the risk profile of the Mortgage Servicing Companies;
Action Plan
HNAH has taken action to ensure financial resources to develop and implement the
infrastructure for personnel support, relevant systems, and other resources needed
for operating risk management and compliance programs that are safe and sound and
commensurate with the risk profile of the Bank and Mortgage Servicing Companies in
compliance with the requirements of the Order. HNAH has initially allocated
to address the requirements of the Order and additional funds will be
approved as needed.
Existing Processes / Programs:
The HNAH Board of Directors has adopted a resolution that commits to provide
funding for personnel, systems, and other resources, as needed, to operate risk
management and compliance programs that are safe and sound and that are
commensurate with the risk profile of the Bank and Mortgage Servicing Companies.
The attached Approval of Board Commitment of Financial and Managerial Resources
No_NA11-11, CF11-29, US11-39 provides further detail on the resolution.
Enhancement to Processes / Programs:
Compliance
Compliance maintains a dedicated team of Compliance professionals focused on the
mortgage servicing operations who are part of a much larger and well staffed/funded
Compliance function. The larger Compliance function provides additional resources
and support for items such as training, risk assessment, control monitoring and
testing, reporting and overall governance. Specifically, the local compliance teams
annually complete a function-level exercise that captures the amount of time (man
hours) dedicated to each of the job duties and roles performed by the team. The
assessment captures the hours of each duty (legislative monitoring, policy
development, training, reporting, advice and guidance). This assessment is used to
determine the number of staff required to perform those activities. The resources
requirements feed to the Annual Operating Plan (“AOP”). Those requirements and
costs are reviewed with Senior Compliance management. Additionally, those
resources are reported to Business management through the AOP process as well as
on the Annual Compliance Plan presented to the Business Head by the Local
Compliance Officer.
Page 59
Privileged and Confidential
Restricted
At a minimum, on an annual basis, the Compliance Committees will review and
consider approval of the Compliance Program or when material changes occur. The
Compliance Committees will review and consider approval of the Annual Compliance
Operating Plan. Upon approval of the Annual Compliance Operating Plans, the
Compliance Committees will receive quarterly management progress reports on the
implementation of the plan. The Compliance Committees will review and approve the
Annual Compliance Operating Plans and any amendments as needed."
The overall Compliance budget for 2011 was
and 2012 AOP (as of
last submission) is
The overall increase in Compliance spend (2010
was approximately half of 2011 spend) reflects the overall increase in staff, increases
in TRAC, management, reporting, and training, necessary to improve the overall
compliance program.
Risk Management
At the corporate level, Risk Management funding is handled via the AOP process
noted above. The Risk Management business line also submits its budgets on an
annual basis and regularly reviews and resubmits budget changes as needed. As
many of the changes to the budget were implemented prior to, and not in response to,
the Consent Orders (i.e., BRCM and RCA were already factored into the budget)
there was not a significant dollar increase in budget. However the budget was
increased from
in 2011 to
in 2012. This increase was fully
supported by the Board’s commitment to provide financial and managerial resources
as needed to comply with the Order.
Documents to be submitted with the Action Plan
x Approval of Board Commitment of Financial and Managerial Resources No_NA1111, CF11-29, US11-39
Additional documents completed for re-submission of Action Plan
x Foreclosure and Account Servicing Review
Key HSBC Contacts for the Action Plan
x
CIO & Head of Relationship Management HBIO
Page 60
Privileged and Confidential
Restricted
Article 2(g)
FRB Order Reference:
Article 2(g)
Corresponding
IV.1.l, IV.1.m,
OCC Article:
IV.1.n
steps to ensure that the Mortgage Servicing Companies have adequate levels and
types of officers and staff to carry out residential mortgage loan servicing, Loss
Mitigation, and foreclosure activities in compliance with Legal Requirements and the
requirements of this Order, and taking into account the size and complexity of the
Servicing Portfolio; that they have officers and staff with the requisite qualifications,
skills, and ability to comply with the requirements of this Order; and a timetable for
hiring any necessary additional officers and staff.
Action Plan
HNAH has taken steps to ensure that the Bank and Mortgage Servicing Companies
have adequate levels and types of officers and staff to carry out residential mortgage
loan servicing, Loss Mitigation, and foreclosure activities in compliance with Legal
Requirements and the requirements of this Order. Additionally, the Bank and
Mortgage Servicing Companies will ensure that they have officers and staff with the
requisite qualifications, skills, and ability to comply with the requirements of this Order,
as well as a timetable for hiring any necessary additional officers, which will take into
account the size and complexity of the Servicing Portfolio.
Attrition is a risk because HNAH is running-off the Consumer and Mortgage Lending
portfolio and market demand for talent in loan servicing is high. This risk is being
monitored and the impact of significant attrition or loss of talent will be escalated as
needed.
Existing Processes / Programs:
Workload Review
HNAH is committed to staffing and managing the workloads of residential mortgage
loan servicing, Loss Mitigation, and foreclosure personnel to promote the goal of
providing home preservation assistance to eligible borrowers and reducing the
number of foreclosures. Management conducted a workload review in August to
summarize the current staffing needs within:
x Loss Mitigation
x Single Point of Contact (“SPOC”)
x Foreclosures
x Real Estate Owned (“REO”)
x Mortgage Electronic Registration System (“MERS”)
x Business-As-Usual Customer Complaint Processing
x Operational Risk Management (“ORM”)
x Third-Party Operational Risk Management Group (“TPORMG”)
x Law Firm Review
Page 61
Privileged and Confidential
Restricted
x Foreclosure Complaint Process
This review included the current needs, the existing staff, plans to fill vacant needs, as
well as assumptions and approach to the evaluation. Please see pages 7 – 22 of the
attached Workload Review August 11, 2011 for additional detail on the specific needs
and approaches for the areas noted above. The Workload Review is refreshed on a
monthly basis and presented to the HBIO Executive Compliance Steering Committee
and results are summarized in the quarterly progress update to the Compliance
Committee. Management continuously opens job postings as needs are identified
and makes efforts to hire as quickly as possible as appropriate candidates are
identified.
Capacity Modelling and Planning
Additionally, management has, and will continue to review and manage, the
workloads for residential mortgage loan servicing, Loss Mitigation, loan modification,
and foreclosure personnel. Capacity modelling and planning is owned and performed
by the Credit Risk function. Analysis is based on risk forecasts and includes expected
attrition, hiring, staffing movements, and strategy changes. The model compares the
expected monthly headcount against the demand as driven by the risk forecast to
determine hiring needs, staffing movements, or utilization of overtime. The planning
methodology for capacity and staff workloads is continually monitored and updated
based on market conditions, internal data, and forecasts. Throughout the year, the
Credit Risk function communicates and coordinates staffing requirements by
department to Finance to ensure that appropriate consideration in the budgeting
process is received. Based on this process, analysis is performed for the short- and
long-term capacity needs for each business department.
The short-term, or tactical, rolling capacity planning process is performed one month
in advance to determine strategy and capacity needs. Monthly tactical support is
provided at the campaign level, allowing operations to make shorter-term adjustments
to manage near-term volume fluctuations. The analysis performed allows
management to shift account volume or employees to meet or maintain productivity
and quality levels and to determine overtime and agency placements. Department
managers conduct capacity planning meetings throughout the month. The final
tactical capacity planning meeting for the upcoming month is held with business unit
management and other support functions during the last week of the month.
Long-term, or strategic, rolling capacity analysis is performed and planned based on
the estimated staffing requirements for operations. The need for employees is driven
by forecasts (i.e., delinquency) and other internal risk data. This analysis is performed
continually and assists management in developing the appropriate capacity initiatives,
account migrations or strategy changes. The strategic model, described in the CML
Default Capacity Plan Overview – May 2011, provides an expectation for staffing
excesses or shortfalls by month, and recommendations are made to mitigate any
inequities (e.g., hiring, overtime, staffing movements).
Staffing needs are managed through the review and examination of capacity plans.
Page 62
Privileged and Confidential
Restricted
Residential Mortgage Servicing Management has assessed the need for incremental
staff in anticipation of initiating foreclosure re-files as well as from the additional
backlog caused by the moratorium, discussed in further detail in the attached
Foreclosure Affidavit Capacity Discussion document.
Management has plans to add incremental staff and will deploy experienced staff into
critical areas, as it deems necessary. Management has also proactively increased
capacity when necessary in accordance with increased volumes of Loss Mitigation
and foreclosure activities. Procedural changes have been a significant factor in the
need for increased staffing levels as, for example, more employees are required to
process each foreclosure, due to the increased controls and detailed procedures that
must be followed. Management will continue to adjust, review and monitor the
capacity plan to drive operational efficiencies and mitigate risk associated with volume
fluctuations and changes in market conditions.
Residential Mortgage Servicing management and the BROG Committee review and
discuss the long-term capacity plan. Both short- and long-term capacity planning are
on-going processes that occur within the 90-day requirement for review.
In addition to these processes, management has reviewed the qualifications of current
management and supervisory personnel responsible for mortgage servicing and
foreclosure process and operations, including collections, Loss Mitigation and loan
modification, the results of which are contained in the attachments titled Review of
Management and Supervisory Personnel Qualifications – 1 and Review of
Management and Supervisory Personnel Qualifications – 2. Human Resources
performed reviews for the unit manager level and above and based on the results,
management has determined that the qualifications of current management and
supervisory personnel are appropriate for the reviews completed, and will evaluate
the remaining reviews upon completion. However, in order to accommodate recent
procedural changes related to the horizontal reviews, staffing levels are currently
being increased. For further details, please see the GLOBAL ROLE PROFILE
TEMPLATE.
Identification of Training Needs
In addition to the staffing and qualification analyses noted above, training occurs as
summarized below
The North America HR Learning team is a functional department organized within the
Human Resources division responsible for formal training development. Learning is a
branch of the Learning, Training, Resourcing and Organizational Development
(”LTROD”) group within HR. As a centralized function, Learning provides support for
all business lines and functions within North America with a pool of Learning
employees and contains various roles within its structure (approximately 85
employees).
HSBC conducted an evaluation of its mandatory compliance and business function
Page 63
Privileged and Confidential
Restricted
courses as of July 31, 2011 (Please reference “Learning & Development Functional
Training Gap Assessment” for a draft summary of the evaluation provided). This
evaluation outlined enhancements necessary to adhere to compliance with applicable
Legal Requirements and supervisory guidance. In accordance with this evaluation,
Learning developed an execution plan for new or enhanced training programs (Refer
to slides 6-7 of “CML Consent Order Response Recommendations from Learning”).
The evaluation concluded that HSBC needed to develop a total of 18 courses, each of
which may be composed of multiple modules.
For additional detail on the overall structure of the how training is identified by the
business and developed as well as the evaluation noted above, please see the Action
Plan response to Article 11.
Finally, additional capacity considerations were made based on the implementation of
SPOC. HSBC’s Resource Analytics team, who report to the Regional Head of Retail
Collections, provides long and short term planning support for CML business lines
based on periodic Resource Operational Planning (“ROP”) forecasts, which are
typically adjusted semi-annually. From this plan, recommendations are made to
Default Services based on actual volume and performance information; along with the
impact of any changes in strategy (e.g. penetration rate changes, SPOC methodology
changes, etc). When improved performance, reduced volumes, or strategy changes
result in systematic excess or deficiency to the long term plan, staff may be
reallocated from other functions in place of external hiring and/or staff reductions.
As recent regulatory changes have resulted in realignments in servicing demand, the
Resource Analytics team has re-examined the overall capacity plan to identify
capacity opportunities to support SPOC requirements.
As of September 12, 2011, there were approximately 236 SPOC Mortgage Servicing
Specialists. Nineteen additional SPOC Mortgage Servicing Specialists were added as
of September 30, 2011 resulting in approximately 255 SPOC Mortgage Servicing
Specialists. HSBC sourced collectors with an average of over eight years of
experience in the areas of Loss Mitigation and foreclosure to supplement the SPOC
team, which is housed in a new unit. For additional information regarding the SPOC
reporting line, refer to the attached HSBC Single Point of Contact (SPOC) Program
Overview and Process Flow submitted with Action Plan Article 5(a) on July 20, 2011.
The HSBC Single Point of Contact (SPOC) Program Overview and the Process Flow
includes an Executive Summary overview of the SPOC program, Communication
Strategy and Process Flow description and a SPOC Capacity Executive Update.
The volume and productivity assumptions used to formulate SPOC capacity demand
are based on historical late stage account performance data. The impact associated
with SPOC changes will be monitored on an ongoing basis to validate the
assumptions in the current plan. The long term plan may be modified and staff
reallocated if actual response or performance data is not in line with current
assumptions.
Page 64
Privileged and Confidential
Restricted
Limited testing of the volume and productivity assumptions began in July, with ongoing monthly reviews taking place along with the planned SPOC-related migrations.
Assumptions will continue to be validated with program roll out,
and any necessary adjustments will be made to ensure adequate capacity. Based on
current workloads, inbound call volume, and projected time that SPOC agents will be
spending with borrowers, each SPOC will have a target of 150-200 working accounts.
Enhancement to Processes / Programs:
Based on the introduction of imminent risk of default, defined in the introduction to
Article 5, as a triggering event into the SPOC program, a workload review will be
conducted by HBIO to determine the appropriate capacity of SPOC agents. Adding
an additional trigger for assigning a SPOC agent has created the need to revaluate
the SPOC workload and perform an analysis to determine how many more accounts
will be added into the population requiring a SPOC agent. HBIO will be conducting
an initial workload review of the SPOC Program, based upon the new November FRB
guidance, which is expected to be completed by December 23, 2011, to determine the
number of FTE SPOC agents that will be needed to service borrower’s in the SPOC
Program.
Documents to be submitted with the Action Plan
x Foreclosure Affidavit Capacity Discussion
x CML Default Capacity Plan Overview - May 2011
x Review of Management and Supervisory Personnel Qualifications - 1
x Review of Management and Supervisory Personnel Qualifications - 2
x GLOBAL ROLE PROFILE TEMPLATE
Additional documents completed for re-submission of Action Plan
x Workload Review August 11, 2011
x HSBC Single Point of Contact (SPOC) Program Overview and Process Flow
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
SVP Default Services, Mortgage Servicing
x
, Regional Head of Retail Collections
Page 65
Privileged and Confidential
Restricted
Articles 2(h) & 2(j)
FRB Order Reference:
Article 2(h)
Corresponding
IV.1.m,
OCC Article:
IV.1.n
periodic reviews of the adequacy of the levels and types of officers and staff to carry
out residential mortgage loan servicing, Loss Mitigation, and foreclosure activities in
light of changes in the Servicing Portfolio or the Legal Requirements. To conduct this
review, the plan shall establish metrics to measure and ensure the adequacy of
staffing levels relative to existing and future Loss Mitigation and foreclosure activities,
such as limits for the number of loans assigned to a Loss Mitigation employee,
including the single point of contact as hereinafter defined, and deadlines to review
loan modification documentation, make loan modification decisions, and provide
responses to borrowers;
FRB Order Reference:
Article 2(j)
Corresponding
IV.1.n
OCC Article:
workload reviews of residential mortgage loan servicing, Loss Mitigation, and
foreclosure personnel who are responsible for handling individual loan issues
(including single point of contact personnel), including an initial review within 90 days
of this Order, and then annual reviews thereafter. Such reviews, at a minimum, shall
assess whether the workload levels are appropriate to ensure compliance with the
requirements of paragraphs 2(g) and 5 of this Order. Promptly following completion of
such reviews, the Mortgage Servicing Companies shall adjust workload levels to
ensure compliance with the requirements of paragraphs 2(g) and 5 of this Order;
Action Plan
HNAH has existing processes in place to complete work loan reviews and assess
adequacy of staffing in accordance with requirements of the Order, and processes will
be enhanced to include a Single Point of Contact (“SPOC”) framework in the workload
management and review process. As SPOC is implemented across HBIO and HBUS,
Residential Mortgage Servicing management will assess the need for staffing above
the initially estimated requirements to support this new process. Initial SPOC
workload estimates were submitted to the FRB on August 11, 2011.
Existing Processes / Programs:
Residential Mortgage Servicing Management has and will continue to review and
manage the workloads for residential mortgage loan servicing, Loss Mitigation, loan
modification, and foreclosure personnel. As noted in Article 2(g), a Workload Review
was completed in August 2011 which reviews the staffing needs of multiple
businesses. This review is updated monthly. Additionally, as described in the
attached CML Default Capacity Plan Overview - May 2011 document, capacity
modelling and planning is owned and performed by the Credit Risk function. Analysis
is based on Credit Risk forecasts and includes planned attrition, hiring, staffing
movements, and strategy changes. The model compares the expected monthly
headcount against the demand as driven by the risk forecast to determine the need
for hiring, staffing movements, or utilization of overtime. The planning methodology for
Page 66
Privileged and Confidential
Restricted
capacity and staff workloads is continually monitored and updated based on market
conditions, internal data, and forecasts. Throughout the year, the Credit Risk function
communicates and coordinates staffing requirements by department to Finance to
ensure they receive appropriate consideration in the budgeting process. Based on this
process, analysis is performed for the short- and long-term capacity needs of each
department.
The short-term or tactical capacity, planning process is performed one month in
advance to determine strategy and capacity needs. Monthly tactical support is
provided at the campaign level, allowing operations to make shorter-term adjustments
to manage near-term volume fluctuations. The analysis performed allows
management to shift account volume or employees to meet or maintain productivity
levels and determine overtime and agency placements. Department managers
conduct capacity planning meetings throughout the month. The final tactical capacity
planning meeting for the upcoming month is held with business unit management and
other support functions during the last week of the month.
Long-term or strategic capacity analysis is performed and planned based on the
estimated operations requirements. The need for employees is driven by forecasts
(i.e., delinquency) and other internal risk data. This analysis is performed continually
and assists management in developing the appropriate capacity initiatives, account
migrations or strategy changes. The strategic model provides an expectation for
staffing excesses or shortfalls by month, and recommendations are made to mitigate
any inequities (e.g., hiring, overtime, staffing movements).
Staffing needs are managed through the review and examination of capacity plans.
Management has assessed the need for incremental staff in anticipation of
foreclosure re-files as well as from the additional backlog caused by the moratorium.
This is discussed in further detail in the attached Foreclosure Affidavit Capacity
Discussion document.
HBIO and HBUS enhanced their existing workload review, particularly with respect to
supervisory and operational personnel that are involved in the foreclosure and Loss
Mitigation compliance efforts. Results from a review of the current process were
completed as of August 11, 2011, and are described in detail in the Workload Review
August 11, 2011 document attached. Expected required workloads were compared to
existing workloads, and the plan to remediate any gaps was identified. Management
has plans to add incremental staff and will deploy experienced staff into critical areas,
as the business deems necessary. Management has also proactively increased
capacity when necessary in accordance with increased volumes of Loss Mitigation
and foreclosure activities. Procedural changes have been a significant factor in the
need for increased staffing levels as more employees are required to process each
foreclosure. Management will continue to adjust, review and monitor the capacity plan
to drive operational efficiencies and mitigate risk associated with volume fluctuations
and changes in market conditions.
Page 67
Privileged and Confidential
Restricted
Residential Mortgage Servicing Management and the BROG Committee review and
discuss the long-term capacity plan on a bi-weekly basis. Both short- and long-term
capacity planning are on-going processes that occur within the 90-day requirement.
Management’s existing short-term, long-term, and rolling capacity planning and
reviews meet the work-load review and staffing requirements of this Order, including
the requirement to perform a review within 90 days.
Metrics
Though staffing needs are being updated as noted above, no additional metrics have
been created; the existing HR metrics are being utilized. Examples of these metrics
are included as part of the monthly presentation to the HBIO Executive Committee,
HR provides an update on HR metrics, demand and supply. Please see pages 15 –
16 of the attached HBIO Executive Compliance Steering Committee document for an
example of the report.
Enhancement to Processes / Programs:
As SPOC is implemented across the Bank and Mortgage Servicing Companies,
Residential Mortgage Servicing management continues to evaluate the additional
workload requirements. Please see Article 2(g) for additional detail related to the
SPOC capacity planning.
Documents to be submitted with the Action Plan
x Foreclosure Affidavit Capacity Discussion
x CML Default Capacity Plan Overview - May 2011
Additional documents completed for re-submission of Action Plan
x Workload Review August 11, 2011
x HBIO Executive Compliance Steering Committee
Key HSBC Contacts for the Action Plan
x
Regional Head of Retail Collections
x
SVP Default Services
x
SVP Default Services, Mortgage Servicing
Page 68
Privileged and Confidential
Restricted
Article 2(k)
FRB Order Reference:
Article 2(k)
Corresponding
IV.1.o
OCC Article:
policies to ensure that the risk management, audit, and compliance programs have
the requisite authorities and status within the organization to effectively operate the
programs, and that there is adequate coordination with respect to these programs to
ensure that any problems or deficiencies that are identified in the Mortgage Servicing
Companies’ residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and operations are comprehensively reviewed and remedied;
Action Plan
HNAH has processes in place to ensure that risk management, compliance, and audit
programs have the requisite authorities and status within the organization to
effectively operate the programs, and that there is adequate coordination with respect
to these programs to ensure that any problems or deficiencies that are identified in the
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities and
operations of the Bank and the Mortgage Servicing Companies are comprehensively
reviewed and remedied in accordance with this requirement of the Order.
The 2009 FRB MOU, Subpart I.d requires "measures to ensure that the Risk
Management, Legal and Compliance, Finance, and Audit Areas communicate and
coordinate on a timely basis to ensure that emerging and current risks are properly
identified, communicated, and managed across business lines and legal entities."
Please refer to the October 21, 2010 management response letters for actions taken
to ensure proper coordination and communication. These actions have enhanced the
coordination with respect to these programs to ensure that problems and deficiencies
identified in the operations of the Bank and the Mortgage Servicing Companies are
comprehensively reviewed and remediated. An FRB Supervisory letter dated April 28,
2011 indicates that subpart I.d has been “met”. Further remediation will be assessed
in conjunction with the October 4, 2010 Cease and Desist Order on AML. For further
details, please see the MOU Response Letter - October 21, 2010 attached. Based on
the changes made as a result of the aforementioned MOU, management deemed that
no further enhancements were necessary to ensure that risk management, audit, and
compliance have the requisite authority and status within the organization. Though no
additional changes were made, included below is a summary for each area of how its
requisite authority is derived.
Existing Processes / Programs:
In an effort to further enhance the degree of coordination and communication between
the HNAH Risk Management and Compliance organizations, in the third quarter of
2010, management established the Compliance and Risk Management Forum (CaR
Forum). Monthly meetings are held between the Chief Risk Officer, the Chief
Compliance Officer, the Head of ORIC, and the Compliance Chief Operating Officer
(“COO”) as a forum for sharing risk issues, activities and defining an integrated
Page 69
Privileged and Confidential
Restricted
approach to identifying, assessing, mitigating and reporting risks in line with the three
lines of defense model. The CaR Forum has the objective of overseeing the
effectiveness of the integration of the Compliance and Risk functions to ensure the
proper identification, assessment, monitoring, testing and reporting of risk in line with
HNAH’s risk appetite. The CaR Forum is also a means for the two functions to share
and discuss emerging risks, current initiatives, control best practices, and necessary
management action, in a focused session outside of formal risk committee meetings.
From a Board and Residential Mortgage Servicing Management governance
perspective, the HNAH Compliance Committee is responsible for overseeing HNAH's
compliance risk management program for the Board. The HNAH Risk Management
Committee (“RMC”) is the senior-most risk governance committee with oversight of
compliance risk as part of its mission to oversee risk-related functions, processes,
policies, initiatives and information systems across HNAH and its subsidiaries.
Additionally, HNAH ORIC has primary management oversight for HNAH's firm-wide
compliance risk management program.
The Global Risk Operating Model was enhanced on June 30, 2011. The Global Risk
Operating Model is a document which defines, at a high level, who is accountable for
what within the Global Risk function. It sets out clear roles and responsibilities at
Group, region, global business / customer group and country levels. It covers teams
across the extended Risk community, including Compliance, and where appropriate it
is designed to be globally consistent. Organizational enhancements include reporting
line shifts to strengthen the enterprise-wide risk management framework. Chief
Compliance Officers have been aligned directly to Chief Risk Officers to enhance the
integration of Compliance and Risk Management to create a more cohesive risk
governance structure. Please reference attached Global Risk Operating Model for
additional information.
HNAH instituted the “HNAH’s Board of Directors’ Plan to Improve its Oversight of
HNAH’s Residential Mortgage Servicing Companies.” On June 8, 2011, the Board of
Directors adopted a resolution to enhance the Board oversight of HNAH’s Compliance
Risk Management Program with regard to the Order. For further details, please see
Resolutions – No_NA11-19, No_CF11-30, No_US11-40 attached.
The Board oversight plan describes the actions that the Boards of Directors will take
to improve the residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and operations of the Bank and the Mortgage Servicing Companies, and a
timeline for actions to be taken.
Currently, processes that are designed to ensure that the risk oversight functions
have the requisite authority and status within the organization exist so that appropriate
reviews of residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities are conducted, and deficiencies are identified and promptly remediated. The
risk functions have authority from the Board of Directors, as derived from the Board
approved charters, to review activities and report findings through the Compliance or
Page 70
Privileged and Confidential
Restricted
Risk Committees of the Board. The programs addressing this item of the Order have
been adopted by Residential Mortgage Servicing, Service Delivery Control
Adherence, Compliance, and Group Audit North America. These four programs form
three lines of defense:
• Residential Mortgage Servicing serves as the first line of defense, providing the
Business Risk and Control Management (“BRCM”) capability and internal control
framework.
• Service Delivery Control Adherence (formerly known as NAQA) coordinates with
the Residential Mortgage Servicing BRCM teams to test the controls.
• Compliance is an additional second line of defense that provides regulatory
oversight to the Residential Mortgage Servicing teams to ensure that the controls
put in place satisfy regulatory requirements.
• Group Audit North America serves as the third line of defense by assessing the
effectiveness of Residential Mortgage Servicing controls and the functioning of the
second line of defense.
Through these three lines of defense, any deficiencies in residential mortgage loan
servicing, Loss Mitigation and foreclosure activities are identified and promptly
remediated. The specific action plans for these lines of defense are as follows:
Residential Mortgage Servicing
Residential Mortgage Servicing activities are covered by the Business Risk and
Control Management Team established by and under the direction of the SVP of
Strategy, Operational Risk Management and Chief Information Risk Officer, HBIO.
Specific details surrounding the First Line of Defense are covered in Article 15.
Operational Risk management consists of the identification, assessment, monitoring
and control of operational risk so as to maintain losses within acceptable levels and to
protect the Group from foreseeable future losses. Management in all businesses and
support functions operating in North America, including Global Businesses, are
responsible for designing controls to mitigate operational risk and for monitoring and
evidencing the effectiveness of those controls in operation. Acceptable levels of
internal control are to be determined by reference to the scale and nature of each
business operation, but must also remain compliant with the minimum standards set
out in Group Standards Manual and Group Functional Instruction Manuals; ensuring
appropriate levels of economic and regulatory capital in accordance with internal and
external requirements. Please see Articles 14 and 15 for great detail on the
Operational Risk framework.
Service Delivery Control Adherence (formerly known as NAQA) (“SDCA”)
SDCA provides an independent, objective and ongoing assessment of operational
adherence to policies, procedures, and Group Standards to Residential Mortgage
Servicing Management. To maintain independence, SDCA is managed separately
from Residential Mortgage Servicing management, reporting to a central Corporate
Quality Utility. SDCA reports its findings to the appropriate business unit executive
management. Consideration is given as to whether the findings reported by SDCA
Page 71
Privileged and Confidential
Restricted
should also be reported as a Top Control Issue in the quarterly ORIC report.
Group Audit North America issued a report on June 23, 2011 with findings about the
need to more adequately define in the SDCA charter the accountability and authority
of SDCA within the HNAH risk governance structure; the need to enhance the SDCA
risk assessment methodology; and the need for SDCA management to enhance
quality assurance reviews of SDCA staff work to validate the adequacy of the testing
scope, execution of the planned procedures (or documenting reasons for changes
thereto), and appropriateness of SDCA staff judgment applied during the reviews.
SDCA management provided their response to this report on August 17, 2011, which
addressed the actions to remediate the issues identified, as well as provide a timeline
to remediate the issues. Group Audit North America will validate the remediation
actions based on its methodology for tracking and validating issues.
Compliance
The HNAH Compliance organizational structure, as outlined below, detailed in the
“HSBC – North America Compliance Risk Management Program Manual”, and
illustrated in the “HNAH Corporate Compliance Organizational Structure” section (see
pages 26 and 65 of the Compliance Risk Management Program Manual) is designed
to ensure that Compliance staff have the requisite authority and status to carry out
their responsibilities:
• The Regional Compliance Officer (“RCO”) reports to the HNAH Compliance
Committee, the HNAH Chief Executive Officer (“CEO”) and the CEO of HSBC
Bank, N.A.
• The RCO also has an internal functional reporting line to the Head of Compliance
within the Group Management Office ("GMO") which provides oversight of the
HNAH Compliance Risk Management Program.
• The RCO is a member of the Group Compliance Executive Committee (“Group
Compliance EXCO”).
The Compliance governance model is designed to ensure that the functional teams
and responsibility areas reporting into the RCO work effectively and efficiently
together to manage the Compliance Risk Management Program. Specifically, the
governance model is designed to ensure that:
• Regulatory, Group, and other stakeholder requirements applicable to Compliance
are identified and addressed;
• Enterprise-wide initiatives are coordinated;
• Communications across functional areas are timely and effective;
• Issues are escalated in a timely manner;
• Information is effectively and appropriately shared; and,
• Compliance risks are effectively assessed and emerging trends are identified
which may impact more than one business, legal entity or geography.
In order to monitor compliance risk and identify and remediate deficiencies,
Compliance has developed Key Risk Indicators (“KRIs”) that will assist Residential
Mortgage Servicing in monitoring and evaluating the risks inherent in mortgage
Page 72
Privileged and Confidential
Restricted
servicing business lines on a monthly basis. These KRIs include metrics to measure
the mortgage servicing activities of HNAH and its subsidiaries, including Loss
Mitigation, loan modification, and foreclosure activities. Examples of KRIs that have
been developed are Rescinded Foreclosure Sales and SCRA reporting.
Group Audit North America
Group Audit North America is responsible for the internal audit activities for HNAH
and its subsidiaries. These responsibilities include evaluating the effectiveness of risk
management, control, and governance processes for residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities. Group Audit North America has
assessed the identified risks for these functional areas and enhanced its audit
programs to address the requirements of the Order.
To provide for independence of Internal Audit, personnel report to the Executive Vice
President (“EVP”) Internal Audit, who functionally reports to the Senior Executive Vice
President (“SEVP”) Internal Audit HNAH and administratively to the Chief Executive
Officer – HBIO. The EVP Internal Audit has unfettered access to Senior Executive
Management and meets periodically with business and corporate function heads to
see that existing and emerging issues across the organization are effectively factored
into the internal audit plan. The EVP Internal Audit also sits as a non-voting member
on key risk management and governance committees established at HNAH. The
SEVP Internal Audit (HNAH) reports to the HSBC’s Group Head of Internal Audit
based in London, as well as to the Chairman of the Audit Committee for
HNAH/HBUS/HBIO.
In addition, the Group Audit Standards Manual (“GASM”) provides a Code of Ethics
for Group Audit, which addresses the concept of independence for every member of
the function:
The duties and responsibilities of the audit function are often highly sensitive and,
accordingly, require an attitude on the part of each auditor that constitutes an independence
of mind and a level of personal integrity greater than that required of personnel at similar
levels of authority in other areas of the Company. All members of the Audit staff have, by
the nature of their role, unique professional obligations to the Company, its customers,
stockholders, directors and the general public. These obligations are met through
adherence to a code of professional ethics (see below), the application of which requires
each auditor to conduct his or her personal and professional activities in a manner that will
not leave their personal and professional integrity open to question. Group Audit work is
expected to be performed with proficiency and due professional care.
Group Audit North America’s current structure creates independence from the entities,
business lines and functions, and systems and processes it audits in accordance with
the requirements of the Order. Copies of our Internal Audit and Audit Committee
charter are attached to provide further context on independence.
In addition to the reporting lines organization structure and Group Audit North America
charter, the independence of the audit function is evident through the fact that the
performance evaluation and compensation decisions of the Chief Auditor for HBIO,
Page 73
Privileged and Confidential
Restricted
HUSI/HNAH are also presented to the Audit Committee of the Board of Directors for
its concurrence.
See the following documents, approved annually including 2011, for additional
information:
x HSBC Finance Corporation (HBIO) Charter of the Audit Committee– this
document outlines the duties and responsibilities of the Audit Committee
appointed by the Board of Directors of HSBC Finance Corporation.
x HSBC Finance Corporation (HBIO) Internal Audit Charter - this document
outlines the mission and scope, accountability, independence, responsibility,
authority, and standards of practice for the HBIO Internal Audit.
x HSBC North America Holdings Inc. (HNAH) Charter of the Audit Committee this document outlines the duties and responsibilities of the Audit Committee
appointed by the Board of Directors of HSBC North America Holdings Inc.
x HSBC North America Holdings Inc. (HNAH) Internal Audit Charter - this
document outlines the mission and scope, accountability, independence,
responsibility, authority, and standards of practice for the HBIO Internal Audit.
Group Coordination
To assist in coordination among the three lines of defense, each quarter the HNAH
Operational Risk and Control function identifies material top and emerging risks,
significant control deficiencies, and KRI breaches across the HNAH organization. The
report is shared with the HNAH ORIC Committee for review and approval. Group
Audit North America, SDCA, Credit Review and Risk Identification (“CRRI”), Investor
Exam, independent auditors (i.e., KPMG), and the SOX group conduct on-going
testing and report their findings to Residential Mortgage Servicing. On a weekly basis,
Residential Mortgage Servicing BRCM Team tracks and monitors the testing
schedules of these groups and publishes a report called the Audit and Process
Review Schedule. If any issues or risks are identified from this testing, they are
documented in an Open Audit Findings Weekly Report for tracking and monitoring
purposes. Both reports are distributed weekly to Residential Mortgage Servicing
management.
Additionally, compliance risks and emerging trends are identified and communicated
to the business unit executive management by the RCO who reports to the
Compliance Committee, HNAH CRO, and Bank CEO.
The coordination of the programs which support the three lines of defense are
designed and have the requisite authority and status within the organization such that
appropriate reviews of the residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities and operations of the Bank and the Mortgage Servicing
Companies may occur. Enhancements are being made such that deficiencies are
identified and promptly remedied to meet the requirements of this Order.
Page 74
Privileged and Confidential
Restricted
Documents to be submitted with the Action Plan
x HNAH’S BOARD OF DIRECTORS’ PLAN TO IMPROVE ITS OVERSIGHT OF
HNAH’S RESIDENTIAL MORTGAGE SERVICING COMPANIES
x HNAH'S BOARD OF DIRECTORS' PLAN TO IMPROVE ITS OVERSIGHT OF
HNAH'S RESIDENTIAL MORTGAGE SERVICING COMPANIES_TRACKED
CHANGES
x HNAH Board Approval of Board Oversight Plan Resolution No_ NA11-19
x HBIO Board Approval of Board Oversight Plan Resolution No_ CF11-30
x HBUS Board Approval of Board Oversight Plan Resolution No_ US11-40
x HSBC NORTH AMERICA HOLDINGS INC. (HNAH) INTERNAL AUDIT CHARTER
x HSBC – North America Compliance Risk Management Program Manual
x THE HSBC GROUP AUDIT STANDARDS MANUAL
x HNAH Corporate Compliance Organizational Structure
x MOU Response Letter – October 21, 2010
Additional documents completed for re-submission of Action Plan
x Global Risk Operating Model
x HSBC – North America Compliance Risk Management Program Manual
x HSBC Finance Corporation (HBIO) Charter of the Audit Committee
x HSBC Finance Corporation (HBIO) Internal Audit Charter
x HSBC North America Holdings Inc. (HNAH) Charter of the Audit Committee
x HSBC North America Holdings Inc. (HNAH) Internal Audit Charter.
Page 75
Privileged and Confidential
Restricted
Page 76
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Article 6 Third Party Management
October 10, 2011
Privileged and Confidential
Restricted
Section 5: Third Party Management
Article 6
FRB Order Reference:
Article 6
Corresponding
V.1
OCC Article:
Within 60 days of this Order, HBIO shall submit to the Reserve Bank acceptable
policies and procedures for the outsourcing of any residential mortgage loan
servicing, Loss Mitigation, or foreclosure functions, by the Mortgage Servicing
Companies to any independent contractor, consulting firm, law firm, property manager
or other third party (including any subsidiary or affiliate of HBIO) (collectively, “ThirdParty Providers”). Third-Party Providers include local counsel in foreclosure or
bankruptcy proceedings retained to represent the interests of owners of mortgages in
the Servicing Portfolio (“Foreclosure Counsel”). The policies and procedures shall, at
a minimum, address, consider, and include:
Action Plan
HBIO and HBUS have policies and procedures for outsourcing their foreclosure or
related functions, including Loss Mitigation, and property management functions for
residential real estate acquired through or in lieu of foreclosure, and bankruptcy, to
Third-Party Providers as defined by this Order, including Law Firms. As used herein,
collectively “Law Firms” or “Firms” are defined as law firms and trustees that provide
foreclosure, bankruptcy, eviction, and deed-in-lieu (“DIL”)/ short-sale (“SS”) legal
services to HBIO and HBUS Residential Mortgage Servicing personnel in accordance
with applicable laws, rules, and regulations.
HBIO and HBUS distinguish Law Firms between active and pipeline. Active Law
Firms are those to which HBIO and HBUS refer new matters and intend to continue
doing business. Pipeline Law Firms are those with which HBIO and HBUS have
ceased new referrals, but these Law Firms continue to service matters that had
previously been referred to them. By year-end 2011, pipeline Law Firms will either be
terminated and files transferred to an active Law Firm, or will be vetted through the
HNAH Vendor Risk Management process.
An analysis comparing the Article 6 requirements of the Order with existing policies,
procedures, and processes was completed by management personnel in the areas of
Residential Mortgage Servicing, Vendor Risk Management, Legal and Compliance.
The purpose of this analysis was to identify those existing policies, procedures, and
processes that address the requirements of the Order and those areas requiring
further enhancement. Further details related to these policies and procedures are
provided in the Action Plans for Article 6, Sections (a) through (j), and the results of
the analysis include, without limitation, the following:
Page 2
Privileged and Confidential
Restricted
Existing Processes
Required Enhancements
x
HNAH has an existing North America
Vendor Risk Management
infrastructure in place. As part of this
infrastructure, HNAH has established
policies and procedures which outline
the vendor due diligence and ongoing
monitoring processes associated with
Third-Party Providers engaged by
HNAH subsidiaries (collectively the
“VRM Program”) (see Article 6(a)).
x
An in-depth review of legacy third
party relationships is currently being
conducted by HBIO and HBUS
Residential Mortgage Servicing as
part of the HNAH Vendor Risk
Management Third Party Legacy
Relationship Management Program
(the “LRM Program”) (see Article 6(a)
and (e)).
x
Enhanced governance and oversight
of Third-Party Providers, including
Law Firms, is managed by a
centralized, dedicated team - the
Mortgage Servicing Third Party
Operational Risk Management Group
(“TPORMG”) (see Article 6(a)).
x
Implemented (i) Third Party
Operational Risk Management Group
Procedures, that are consistent with
x
the existing Vendor Risk
Management framework, and (ii)
Legal Department Law Firm
Management Procedures and User
Manual, to guide the management of
new and existing Third-Party
Providers, including Law Firms, used
by HBIO and HBUS Residential
Mortgage Servicing (see Article 6 (a)).
x
Distributed Best Practices for Outside
Foreclosure, Eviction and Bankruptcy
Law Firms (“Best Practices”) to, and
received acknowledgement and
x
x
By end of the fourth quarter 2011,
pipeline Law Firms will be evaluated
and a determination made to either
(i) terminate the Law Firm and
transfer files to active Law Firms, or
(ii) vet the pipeline Law Firm through
the HNAH Vendor Risk Management
process which includes a legal,
information security, financial, and
reputational review and, if
acceptable, the pipeline Law Firm
would be expected to execute the
Master Services Agreement (Legal
Services) and adopt the HSBC Best
Practices for Outside Foreclosure,
Eviction and Bankruptcy Law Firms.
For more information about the
pipeline file transfer process see the
attached Pipeline Firm Transfer
Strategy document.
By end of the fourth quarter 2011,
HSBC will terminate its relationship
with Law Firms that have been
identified as unsatisfactory and fail to
satisfy HSBC requirements, and will
transfer all files to active Law Firms.
For more information about the
termination process see the attached
Law Firm Termination Strategy
document.
Agreements with
National
Bankruptcy Services (“NBS”) and
NBS’ law firm, Brice, Vander Linden
& Wernick (“BVW”), are in the
process of being reviewed and
revised. BVW provides bankruptcy
legal services to NBS and its clients.
It is expected that amended and
restated agreements should be in
place by the end of fourth quarter
2011.
Page 3
Privileged and Confidential
Restricted
pledge to comply with the Best
Practices from, active foreclosure
Law Firms, and distributed Best
*
Practices to active bankruptcy ,
eviction and DIL Law Firms (see
Article 6(a)).
*
x
Received executed Non-Disclosure
and Confidentiality Agreements
(“NDAs”) from active foreclosure Law
Firms and sent NDAs to active
bankruptcy , eviction and DIL Law
Firms as required by Section 3.2 of
the HSBC- North America Vendor
Risk Management (VRM) Policy
(“VRM Policy”) and the HSBC North
America Vendor Risk Management
(VRM) PROCEDURES (“VRM
Procedures”) page 11 and page 7 of
the VRM Policy.
x
Active foreclosure, bankruptcy ,
eviction and DIL Law Firms are being
reviewed consistent with the HNAH
Vendor Risk Management Program,
including an assessment of risk
regarding information security,
business, financial, and reputation,
and the requirements for engagement
of a vendor under the VRM Program
have been initiated for active
foreclosure, bankruptcy , eviction and
DIL Law Firms. Additionally, legal
risk is assessed and reviewed by
HSBC Legal (see Article 6(a), (b), (f)
and (g)).
x
HSBC Legal with the assistance of
external counsel coordinated the
completion of the initial legal reviews
of active foreclosure Law Firms.
Remediation Letters were sent to the
reviewed Law Firms and their
responses have been tracked and
Except for bankruptcy Law Firms in the BVW network as BVW and its network of bankruptcy attorneys are under review.
Page 4
Privileged and Confidential
Restricted
reviewed (see Article 6(a) and (g)).
x
Distributed the standard Law Firm
Master Services Agreement to
existing active foreclosure Law Firms.
Following a satisfactory review,
including information security, legal,
business, financial and reputation, the
standard Law Firm Master Services
Agreement is also sent for execution
to new Law Firms and existing active
Law Firms that provide solely
bankruptcy, eviction, or deed-in-lieu
legal services (see Article 6(a)).
x
Other Law Firm Management tools to
be used to assess and monitor Law
Firms, in addition to the VRM,
TPORMG and Legal Law Firm
Procedures include, TPORMG
Database, TPORMG
SharePoint Database,
(“
, TPORMG
Mailboxes, HSBC Best Practices, the
Legal Department Law Firm
Management Pre-Review
Questionnaire, the Review
Questionnaire, Summary of Findings
Memo, Review Remediation Letter
and VRM Scorecard and Legal
Review Scorecard (collectively
“Scorecards”) (see Section 1.5, pages
9 to 11 of the Mortgage Servicing
Third Party Operational Risk
Management Procedures (“TPORMG
Procedures”) and Section 5.2, pages
5 to 6 and Section 9, page 11 of
Legal Law Firm Procedures HSBC
Mortgage Servicing Legal Department
Law Firm Management
PROCEDURES (“Legal Law Firm
Procedures,” the Scorecards) (see
Article 6 (a),(g) and (j)).
x
Law Firm Termination Procedure
identifies the process to be followed
upon termination of a Law Firm and
Page 5
Privileged and Confidential
Restricted
the transfer of files from the
terminated Firm to an active Law Firm
(see Article 6(f)).
x
HSBC Legal has engaged outside
counsel to monitor and notify HSBC
of any adverse litigation and media
concerning Law Firms which is also
evaluated at various meetings
described in the below Articles and
during Law Firm reviews.
x
A TPORMG
Database and a
TPORMG SharePoint Database have
been developed to monitor ThirdParty Providers and to maintain ThirdParty documents (MSAs, review
results, remediation letters,
communications), including Law
Firms, used by HBIO and HBUS for
the Residential Mortgage Servicing
operations (see Section 1.5, page 10
of TPORMG Procedure and Article 6
(a) and (j)).
x
Compliance with regulatory
requirements is monitored and
reported using existing tools such as
the
(“
database (see Article 6(a)).
Documents to be submitted with the Action Plan
x Refer to Action Plans for Article 6, sections (a) through (j)
Additional documents completed for re-submission of Action Plan
x Law Firm Termination Strategy
x Pipeline Firm Transfer Strategy
x HSBC- North America Vendor Risk Management (VRM) Policy (“VRM Policy”)
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x Mortgage Servicing Third Party Operational Risk Management Procedures
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
Page 6
Privileged and Confidential
Restricted
x
x
, EVP Chief of Staff HTSN and NA Head of Procurement
, SVP Deputy General Counsel, CML
Page 7
Privileged and Confidential
Restricted
Article 6(a)
FRB Order Reference:
Article 6(a)
Corresponding OCC V.1.a
Article:
The policies and procedures shall, at a minimum, address, consider, and include:
appropriate oversight of Third-Party Providers to ensure that they comply with the
Legal Requirements, supervisory guidance of the Board of Governors, and HBIO’s
policies and procedures;
Action Plan
As described below, existing and enhanced policies and procedures for HBIO and
HBUS provide for appropriate oversight, review and monitoring of Third-Party
Providers, including Law Firms, to ensure that they comply with applicable Legal
Requirements, supervisory guidance and HSBC policies and procedures.
Existing Processes / Programs:
HSBC North America Vendor Risk Management Department
HSBC North America Vendor Risk Management (“VRM”) has in place a risk-based
framework and program to effectively identify, assess, monitor and manage risks
associated with Third-Party Provider relationships(the “VRM Program”) as set forth in
the HSBC North America Vendor Risk Management Policy and Procedures (“VRM
Policy and Procedures”). The VRM Program provides centralized governance and
requirements for North America businesses and departments. The VRM Program also
establishes accountability and corporate oversight and defines the roles and
responsibilities of the various departments and functions including VRM, Residential
Mortgage Servicing, Operational Risk Management, Information Security Risk (“ISR”),
Compliance, and Legal so that Third-Party Providers within the scope of the existing
VRM Policy and Procedures are assessed in a consistent risk-based framework. Law
Firms as well as other Third-Party Providers are managed and monitored pursuant to
the VRM Program (see Section 2 of the VRM Policy). The VRM Program has been
designed in accordance with OCC Bulletin 2001-4, as documented in additional detail
in the attached HSBC - North America Vendor Risk Management (VRM) Policy.
The HBIO and HBUS residential mortgage loan servicing, Loss Mitigation,
bankruptcy, foreclosure, and property management functions (collectively “Residential
Mortgage Servicing” or “Mortgage Servicing”) follow the VRM Policy and Procedures
and the VRM Program to manage Third-Party Providers, including Law Firms.
Additional procedures and oversight have been implemented as described below to
ensure Third-Party Providers are managed and monitored in accordance with the
VRM Program.
Page 8
Privileged and Confidential
Restricted
Third-Party Operational Risk Management Group (“TPORMG”)
To ensure consistent adherence to the VRM Policy and Procedures and provide
additional oversight of Residential Mortgage Servicing Third-Party Providers, including
Law Firms, the existing Mortgage Servicing Operational Risk Management team
expanded its structure to include a centralized, dedicated team – the Third Party
Operational Risk Management Group (“TPORMG”). The TPORMG serves as the
primary point of contact and relationship manager for Residential Mortgage Servicing
Third-Party Providers, including Law Firms. TPORMG coordinates with other
groups/functions, including the business, VRM, Information Security Risk,
Compliance, and HSBC Legal, throughout the Third-Party Provider life cycle from,
due diligence and Third-Party selection, risk assessment, negotiations, contracting,
ongoing monitoring, issue management and escalation, quality assurance,
remediation and termination (see Sections 1.1 and 1.2 on page 4 of the attached
Mortgage Servicing Third Party Operational Risk Management Procedures).
In order to staff the TPORMG department with appropriate expertise and authority,
HBIO and HBUS leveraged existing qualified personnel within HSBC to fill the
leadership roles within TPORMG. Requirements for these roles include extensive
Mortgage Servicing experience and a background in Risk Management. The
leadership personnel consist of a Senior Vice President with responsibility for
Operational Risk Management, who serves as the Chief Information Risk Officer
(CIRO) for Mortgage Servicing having twenty-two years of experience and a
concentration in mortgage operational risk and audit. Reporting to the Senior Vice
President, are two Vice Presidents with an average tenure of twenty-five years of
experience with a concentration in operational risk and mortgage servicing. One Vice
President was previously employed by
and managed its foreclosure and
bankruptcy attorney network. The other Vice President has an extensive background
in mortgage lending, servicing, risk, and compliance.
As of September 12, 2011, TPORMG has developed and implemented the Mortgage
Servicing Third Party Operational Risk Management Procedures (the “TPORMG Third
Party Procedures”) which supplement the VRM Policy and Procedures. These
Procedures define the TPORMG scope, organizational structure, associated roles and
responsibilities, and overall methodology and approach for TPORMG reviews of
Residential Mortgage Servicing Third-Party Providers, including Law Firms.
The TPORMG will ensure that Residential Mortgage Servicing departments comply
with the VRM Policy and Procedures. Key responsibilities of TPORMG are as follows:
x
x
Initiate, renew, or terminate Third-Party Providers and coordinate the on-going
reviews, monitoring and assessments of Third-Party Providers;
Develop and monitor Third-Party Provider performance against defined service
levels, performance levels, and contract terms; and coordinate distribution of
MSAs, including the Law Firm MSAs to be executed by approved existing and
future Law Firms (see attached MASTER SERVICES AGREEMENT (LEGAL
Page 9
Privileged and Confidential
Restricted
x
x
x
x
SERVICES));
Schedule reviews of Third-Party Providers, including Law Firms;
Develop and use the TPORMG Database to monitor, manage, and age ThirdParty Provider reviews and remediation efforts and SLAs and performance against
SLAs, to include Information Security Risk, Legal, and Operations’ review findings,
and for reporting to various departments and to the TPORMG Governance
Committee;
Reporting and trending of customer complaints specific to Third-Party Providers;
and,
As part of the LRM Program, performing an in-depth review of Residential
Mortgage Servicing legacy Third-Party Provider relationships within the scope of
the VRM Policy to ensure compliance with the VRM Policy and Procedures
Residential Mortgage Servicing Third-Party Provider Governance Committee
To ensure appropriate oversight of Third Party Providers at a senior management
level, HBIO and HBUS established the Residential Mortgage Servicing Operations
Third-Party Provider Governance Committee (“Third Party Governance Committee”)
to oversee the Mortgage Servicing Third-Party Provider management process, which
includes the review of Law Firms. The Third Party Governance Committee will meet
monthly, and the responsibilities of the Committee include:
x Review and assessment of performance reporting and results of Third-Party
Provider reviews;
x Decisions regarding retention, discipline, remediation and termination of ThirdParty Providers;
x Evaluate and address emerging trends, risks and strategies;
x Evaluate significant adverse litigation;
x Determine whether or not to continue doing business with Third Parties; and,
x Escalation of material issues or concerns, as appropriate, to senior management.
The Third Party Governance Committee includes participants from the business and
various functions, including TPORMG, Compliance, Risk and HSBC Legal.
HSBC Legal Support For Third-Party Management
HSBC Legal in collaboration with TPORMG, Information Security Risk, VRM and
other departments assesses Law Firm compliance with applicable state and federal
laws, rules and regulations and judicial requirements (“Legal Requirements”) and
HSBC Best Practices described below. HSBC Legal’s role in evaluating and
monitoring Law Firms is in addition to the VRM Policy and Procedures, and is more
specifically described in the attached Legal Department Law Firm Management
Procedures (“Legal Law Firm Procedures”). These Procedures also provide
guidelines to assist HSBC Legal to identify, assess, monitor, and manage HSBC legal
risk associated with new and existing Law Firms in a consistent manner (see Section
Page 10
Privileged and Confidential
Restricted
1.2 of the Law Firm Management Procedures).
As set forth in Section 5 of the Law Firm Management Procedures, Legal along with
TPORMG, manages and coordinates a legal review of Law Firms. The legal review
evaluates a Law Firm’s compliance with Legal Requirements as well as HSBC Best
Practices for Outside Foreclosure, Eviction and Bankruptcy Law Firms (“Best
Practices”), and includes Firm file reviews.
HSBC Legal, in collaboration of TPORMG, VRM and other departments, developed
and implemented the tools listed below, which have been updated since the July 20,
2011 Action Plan submission to include bankruptcy and eviction legal services and to
maintain consistency with the standard Law Firm MSA and other Law Firm monitoring
documents and tools. These updated tools are attached to this Action Plan and will be
used go forward to conduct reviews of Law Firms (see Section 5.2 of the Legal Law
Firm Procedures and each tool for more detailed information):
x HSBC Best Practices For Outside Foreclosure, Eviction and Bankruptcy Law
Firms
o Guidelines that establish HSBC expectations to ensure compliance with
Legal Requirements, including the proper review, execution and
notarization of complaints, affidavits and other documents and
information security requirements. Best Practices also include HSBC’s
Escalation Protocol Matrix for reporting to HSBC; the Matrix identifies
events to be reported, the timing to do so and the HSBC contacts (see
Section XV and Schedule B of Best Practices)
x HSBC Mortgage Servicing Legal Department Law Firm Management PreReview Questionnaire
o A questionnaire submitted to Law Firms prior to the commencement of
the review to gain a better understanding of Firm practices and
processes
x HSBC Mortgage Servicing Legal Department Law Firm Management Review
Questionnaire
o A questionnaire used during the review as a guide of topics and types of
questions to ask to assess compliance with Legal Requirements and
Best Practices.
x Law Firm Legal Review Scorecard (the “Legal Review Scorecard”)
o A tool used to capture the results of Firm Reviews to facilitate a
consistent assessment and evaluation of Law Firm risk.
x Summary of Findings Memo
o A summary of the findings and any issues, concerns or deficiencies
identified during the Firm review (memos are completed by outside
counsel; therefore a template is not attached).
x Review Remediation letter
o A letter sent to the Law Firm to advise of issues, concerns or
deficiencies identified during the Firm review.
x Master Services Agreement (Legal Services)
Page 11
Privileged and Confidential
Restricted
x
x
o The agreement that identifies HSBC expectations and requirements
along with service level agreements and work standards.
o The MSA also includes the Escalation Protocol Matrix (see Section 1.3
and Attachment C of the MSA).
HSBC Mortgage Servicing Legal Department Law Firm Management
Procedures described above.
HSBC Mortgage Servicing Legal Department Law Firm Management User
Manual
o Manual developed to supplement the Law Firm Procedures.
HSBC Legal organizes and facilitates a periodic meeting (the “Legal Review Meeting”)
primarily to discuss the following:
o Scheduling and results of Law Firm legal reviews
o External counsel conducting Law Firm legal reviews summarize findings
and discuss general observations or concerns
o Recent adverse media coverage and recent adverse litigation concerning
HSBC Law Firms
o Status regarding Law Firm terminations and transfer of pending files.
o TPORMG provides updates on recent Law Firm terminations and the
process of transferring pending files to other HSBC approved Law Firms
o Status on Law Firm MSA distribution and execution
The Legal Review Meeting is designed to create visibility for internal HSBC
employees that either work with the Law Firms or have responsibility for monitoring
Law Firm risk. Participants include representatives from the business, TPORMG,
Compliance, Operational Risk, HSBC internal counsel and external counsel. The
Legal Review Meeting typically occurs weekly. Summary information from the Legal
Review meeting will be reported to the Third-Party Governance Committee (described
above in this Article).
Change Controls for Legal Requirements Affecting HSBC and Third Party
Providers and Investor Changes
To ensure compliance with any changes to Legal Requirements, supervisory
guidance of the Board of Governors and investor guideline or requirement changes
that impact HBIO, HBUS or Third Party Providers, HBIO and HBUS have policies and
procedures in place to identify, assess, and implement any such applicable changes.
Changes to Government Sponsored Entities (“GSEs”) and investor guidelines,
requirements and contractual obligations are collected, monitored and assessed for
impact by the Investor Accounting team and the Investor Change Working Group
(“ICWG”) Manager. Investor Accounting, the ICWG Manager, and the Director of Loss
Mitigation for Mortgage Corporation hold weekly meetings to assess the impact and
plan the implementation strategy for such investor changes. See the Implementation
Section on page 2 of the attached Investor Changes Implementation Procedure ALL
document for additional details regarding monitoring and implementation of changes
Page 12
Privileged and Confidential
Restricted
to GSE contractual obligations.
HBIO and HBUS have processes in place to identify and implement changes to Legal
Requirements and supervisory guidance that impact their business practices. The
Compliance Regulatory Monitoring and Assessment (“RMA”) group manages a
centralized regulatory monitoring and change management process to identify,
assess, and communicate changes in Legal Requirements and supervisory guidance
that impact HBIO and HBUS lines of business as well as changes that impact
services to be performed by Residential Mortgage Servicing Third Party Providers
such as Law Firms. The RMA group reports to the HNAH Compliance Chief
Operating Officer.
The RMA group uses various resources including, the Federal Register, regulatory
agency websites (OCC, FRB, FDIC, etc.), trade associations, monitoring services,
and various law firm websites to identify changes to the Legal Requirements and
supervisory guidance. The monitoring process has been enhanced to include case
law developments which may impact Residential Mortgage Servicing operations for
HBIO and HBUS.
The RMA group collaborates with Legal and Compliance to determine the applicability
of the legislation and to identify the impacted businesses. If it is determined that there
is an impact to a business, the RMA group outlines the detailed requirements in an
Impact Assessment document, which the Legal department reviews for accuracy.
The RMA group and Compliance determine the impact to the businesses. The RMA
group then publishes an executive summary, New Legislation Alert (which includes
the Impact Assessment), and distributes it to the impacted businesses. The impacted
Residential Mortgage Servicing departments work with the Law Change Working
Group (“LCWG”), Compliance, and HSBC Legal to evaluate and timely implement any
required changes to documents and updates to policies and procedures (see the New
Legislation Section on page 3 of the attached HSBC North America New Laws and
Regulations Procedure – US document).
Within 60-90 days of implementation of a law change pursuant to the processes noted
above, the Service Delivery Control Adherence (“SDCA”, formerly known as North
America Quality Assurance)unit performs a second line of defense quality review to
confirm that the law changes have been implemented as prescribed. SDCA monitors
the bi-monthly report distributed by the LCWG manager to identify law changes that
are ready for review.
After the SDCA Unit performs a post-implementation review, as outlined on page 2 in
the Post Implementation Section of the Law Implementation Procedures ALL, the
SDCA Manager does the following:
o If all items are not implemented as prescribed, SDCA presents the
necessary remediation to LCWG;
o If all items are implemented as prescribed, the implementation is
complete. The LCWG Manager posts the following in a shared site
Page 13
Privileged and Confidential
Restricted
within Lotus Notes:
x Law Memo/Impact Analysis
x Post-Implementation Review Report.
SDCA is managed separately from Residential Mortgage Servicing management, and
reports to a central quality review service delivery utility.
If a change in Legal Requirements or supervisory guidance impacts the services to be
performed on behalf of HSBC by a Third-Party Provider providing legal services, the
new requirements would be added to the TPORMG review of the Third-Party
Provider.
(“
”) Gap Analysis
HNAH Compliance completed a gap analysis of the
(“
database (see Article 7(a) for sample gaps identified by Compliance) to
ensure that risk statements were accurately documented. Once this
analysis
was complete, the TPORMG along with BRCM and business unit management,
identified gaps that impacted Third-Party Management. The objective of the gap
analysis was to identify any risk statements that did not exist in order to document a
risk inherent in a given process as well as to identify gaps in controls to address a
given risk statement. Control gaps were identified and efforts are underway, through
the Third Party Risk Management Workstream, to remediate outstanding items
applicable to Third-Party Management.
HNAH Compliance and Group Audit North America provide additional control and
oversight of the Third-Party Provider management process.
Enhancement to Processes / Programs:
In addition to the procedures in place to monitor changes to Legal Requirements that
are described above, the Law Firm MSA (described in the following paragraph)
requires Law Firms to inform HSBC of any changes in applicable laws or judicial
requirements. Moreover, and notwithstanding the professional and ethical codes of
conduct requiring attorneys to comply with Legal Requirements, the Law Firm MSAs
and Best Practices will reinforce adherence to Legal Requirements.
In order to enhance oversight and control over Law Firms, the standard Master
Services Agreement (Legal Services) (“Law Firm MSA”) was developed in
collaboration with HSBC Legal, TPORMG, Information Security Risk (“ISR”), Business
Continuity Program Management (“BCPM”), as well as the impacted business areas.
SLAs are contained within the work standards of the Law Firm MSA. The Law Firm
MSA has been distributed for execution to active foreclosure Law Firms and will be
distributed to bankruptcy, eviction and DIL Law Firms upon completion of satisfactory
reviews. If reviews are not satisfactory, the Firm will be considered for termination or
other remediation.
Page 14
Privileged and Confidential
Restricted
Reviews and monitoring of active Law Firms will be conducted on an on-going basis
consistent with TPORMG and Law Firm Management Procedures and user manuals.
A comprehensive schedule of reviews is being developed, including frequency of
reviews (See Article 6 (e) below for more detail regarding frequency of reviews).
The performance of all Third-Party Providers, including Law Firms, will be measured
against defined service levels, performance levels and contract terms (see Law Firm
MSA, SLA and Law Firm Work Standards definitions in section 1, sections 3, 4.6 and
4.2 and the Exhibit A, Statement of Work Exhibit F, Work Standards). TPORMG has
developed a database to house performance data to strengthen monitoring and
oversight. For legacy relationships and Law Firms, through December 2011, HBIO
and HBUS will be conducting a gap analysis of defined service and performance
levels against existing reporting to ensure HSBC can appropriately and effectively
measure Third-Party Provider performance and results. Where applicable new or
enhanced reporting will be developed. The defined service levels will be maintained
centrally in the TPORMG Database (see section 1.5, page 10 of TPORMG
Procedures). TPORMG will review the applicable performance reporting and update
results in the TPORMG Database
Scorecards and Dashboard reporting will be generated for review in the monthly Third
Party Governance Committee meeting. Prior to year end, it is anticipated service and
performance level data on all Law Firms and legacy relationships will be loaded to the
TPORMG Database which will allow for consistent reporting and oversight. In addition
to performance and service level standards other critical information such as the
status of due diligence, audit, risk assessments and remediation timelines will be
monitored and reported from the TPORMG Database. This collective information
including the trending of customer complaints will be reviewed and discussed by the
Third Party Governance Committee (See Third Party Governance Committee
Charter). Material and/or significant issues or exceptions are reviewed by the Third
Party Governance Committee, which makes and records decisions regarding the
reduction of new referrals, removal of existing files, or termination of a Third-Party
Provider.
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC BEST PRACTICES FOR ITS OUTSIDE FORECLOSURE FIRMS (see
updated version below)
x Investor Changes Implementation Procedure ALL
x Law Implementation Procedure ALL
x HSBC North America New Laws and Regulations Procedure - US
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES (see updated version below)
x Attorney Risk Assessment - Law Firm Management Scorecard (see updated
version below)
Page 15
Privileged and Confidential
Restricted
x
x
x
HSBC Mortgage Servicing Legal Department Law Firm Management Pre-review
Questionnaire (see updated version below)
HSBC Mortgage Servicing Legal Department Law Firm Management Review
Questionnaire (see updated version below)
DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission of Action Plan
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x Law Firm Management Legal Review Scorecard
x HSBC Mortgage Servicing Legal Department Law Firm Management Pre-Review
Questionnaire
x HSBC Mortgage Servicing Legal Department Law Firm Management Review
Questionnaire
x HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION AND
BANKRUPTCY LAW FIRMS
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x Mortgage Servicing Third Party Operational Risk Management Procedures
x HSBC Mortgage Servicing Legal Department Law Firm Management Procedures
User Manual
x Mortgage Servicing Third Party Operational Risk Management Procedures
x Mortgage Servicing Operations Third Party Provider Governance Charter
x SAMPLE REMEDIATION LETTER - Follow Up on recent HSBC Audit - NonJudicial Foreclosure
x SAMPLE REMEDIATION LETTER - FOLLOW-UP on recent HSBC Audit (Firm
with multiple state offices)
x SAMPLE REMEDIATION LETTER - FOLLOW-UP on recent HSBC Audit
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, EVP Chief of Staff HTSN and NA Head of Procurement
x
, SVP Deputy General Counsel, CML
Page 16
Privileged and Confidential
Restricted
Article 6(b)
FRB Order Reference:
Article 6(b)
Corresponding
V.1.h
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
processes to prepare contingency and business continuity plans that ensure the
continuing availability of critical third-party services and business continuity of the
Mortgage Servicing Companies, consistent with supervisory guidance of the Board
of Governors, both to address short-term and long-term service disruptions and to
ensure an orderly transition to new service providers should that become necessary;
Action Plan
As described below, the attached existing Business Continuity Management Policy
(“BCP”) for HBIO and HBUS provides strategies and tactics to continue or resume
critical business operations in a timely manner, should those operations be interrupted
or otherwise affected by an unexpected event.
Existing Processes / Programs:
To internally mitigate the risk of an outage or disruption of services provided by ThirdParty Providers, the business designs, implements, and maintains a business
continuity plan for the critical processes or services to address how the business
would recover from an outage or disruption caused by a critical Third-Party Provider.
Third-Party Providers providing critical processes or services for businesses are
required to have contingency plans in place. As required by the VRM Program, the
contract owner (“CO”) is responsible for monitoring material vendors including vendor
financial health and public reputation. The CO reports this information to VRM and
participates in determining the overall risk rating. Please see Section 1.5.6 on page
11 of the HSBC - North America Vendor Risk Management (VRM) Policy for
additional detail regarding the overall risk rating. For more detail regarding business
continuity plans and Third-Party Providers, refer to Section 2.3.8 on page 47 of the
HSBC North America Business Continuity Management Policy Operations.
At the time a
is submitted to VRM, a determination is made as to whether a
Third-Party Provider is deemed critical to the business. A Third-Party Provider is
defined as being critical to the business if the Third-Party Provider performs a
process, a service, or an activity which would not otherwise be undertaken by the
HNAH subsidiary that engaged the Provider, but is “mission critical” to the Line of
Business (“LOB”) in provision of service to customers or employees. A critical ThirdParty Provider undergoes a two-step process whereby the business completes a
questionnaire to help Business Continuity & Crisis Management understand the ThirdParty Provider services being provided. After review of the questionnaire by Business
Continuity & Crisis Management, if more information is deemed required, a more in
depth questionnaire is completed by the Third-Party Provider that includes requests
for supporting documentation, as well as testing results. Upon review of the
Page 17
Privileged and Confidential
Restricted
questionnaire and supporting documentation, Business Continuity & Crisis
Management completes a Vendor Risk Assessment Report with respect to the critical
Third-Party Provider which considers: program governance, crisis management
process, business continuity plans, disaster recovery and data backup, and Provider
facilities to determine whether the Third-Party Provider passes or fails the evaluation.
If the Third-Party Provider fails, remediation is implemented. Law Firms are not
deemed to be “mission critical” to the business as a delay in the litigation process
would not be detrimental to the customer. Additionally, if files need to be transferred
to another active Law Firm this can be accomplished in a reasonable time frame.
Notwithstanding, Law Firm BCP plans will be assessed as part of Law Firm reviews.
To ensure existing, legacy Third-Party Providers are subject to the same business
continuity rigor as newly-added critical Third Party Providers, as part of the LRM
Program management is reviewing the business continuity plans of critical legacy
Third-Party Providers to ensure compliance with the requirements of the Business
Continuity Management Policy Gaps identified will be remediated for any exceptions
noted. For new critical Third-Party Providers, the creation of a business continuity
plan is triggered during the on-boarding process when due diligence and contracting
is performed with respect to the Third-Party Provider.
Additionally, depending on the type and critical nature of the service, determined at
the time of the initial review of the Third-Party Provider, the standard MASTER
SERVICES AGREEMENT (LEGAL SERVICES) attached will also require the Third
Party Provider to have a satisfactory business continuity plan.
Enhancement to Processes / Programs:
Currently, Third-Party Providers are not monitored to ensure that critical
subcontractors have continuity plans. However, evaluations are underway to add to
the scope of vendor risk management that if a Third-Party Provider has been
determined to be critical, and that Provider uses subcontractors, the Provider must
notify HBIO or HBUS of the subcontracting relationship. As noted above, the critical
Third-Party Provider must provide their business continuity plan. If in that plan review
it is determined that the subcontractor plays a substantial role, then HBIO or HBUS
would require evidence of a continuity plan for the subcontractor as well. Because
neither HBIO nor HBUS have the relationship with the subcontractor and are therefore
not in a position to request the continuity plan from the subcontractor, HBIO or HBUS
will insist on evidence from the critical Third-Party Provider that they have reviewed
and accepted the continuity plan of their vendor (subcontractor to HBIO or HBUS).
Documents to be submitted with the Action Plan
x HSBC - North America Business Continuity Management Policy Operations
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
Page 18
Privileged and Confidential
Restricted
x
DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission of Action Plan
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, SVP Vendor Risk Management
Page 19
Privileged and Confidential
Restricted
Article 6(c)
FRB Order Reference:
Article 6(c)
Corresponding
V.1.b
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
measures to ensure that all original records transferred by the Mortgage Servicing
Companies to Third-Party Providers (including the originals of promissory notes and
mortgage documents) remain within the custody and control of the Third-Party
Provider (unless filed with the appropriate court or the loan is otherwise transferred
to another party), and are returned to the Mortgage Servicing Companies or
designated custodians at the conclusion of the performed service, along with all
other documents necessary for the Mortgage Servicing Companies’ files;
Action Plan
Existing Processes / Programs:
Original collateral documents sent to Law Firms are tracked when transferred from
and returned to HBIO and HBUS. HBIO and HBUS typically transfer only two original
collateral documents (i.e., promissory notes and allonges), when required. For
additional detail regarding custody and control of collateral documents refer to CML
FC Review Procedures Brandon External, CML FC Review Procedures Lien Release
Internal, and HBUS FC CML Assignments Procedures Records Internal.
The Summary and Overview Sections on page 1 of the Foreclosure Collateral
Retrieval Procedure CML also require that original collateral documents (i.e.,
promissory notes and allonges) remain in the custody and control of the Law Firm
unless filed with the court and will be returned to HBIO or HBUS, or designated
custodians, as appropriate, upon reinstatement, cancellation, or conclusion of the
foreclosure. Existing foreclosure document imaging procedures, detailed in the
Overview section on page 1 of the Captiva Indexing Regulatory Foreclosure
Documents Procedure CML document, include the retention of imaged copies for
documents executed by HBIO and HBUS and sent to Third-Party Providers.
In the event of reinstatement or cancelled foreclosure actions, HBIO or HBUS will
seek return from the Law Firms and the Courts of the original collateral documents
(i.e., notes and allonges). For the collateral held by the Courts, in some jurisdictions a
specific motion may be required to be filed with the Court requesting the return of the
collateral and a subsequent hearing on the motion may also be required. In such
cases, the return of the original collateral documents may be at the discretion of the
Courts.
In the event of a successful foreclosure sale, HBIO or HBUS will seek the return of
original collateral documents (i.e., notes and allonges) from the Law Firms, and will
seek the return of these documents from the Courts where it can do so without posing
an additional burden on the Court, where there is no requirement of filing a motion or
Page 20
Privileged and Confidential
Restricted
scheduling a hearing for the return of the original collateral documents, and where the
Court is willing to return such documents.
Additionally, the Law Firm MSA contains provisions regarding custody and control of
original collateral documents and provisions requiring confidentiality and security of
customer and other information. Section 4.19, page 13 of the Law Firm MSA and,
Attachment F Work Standards, Section 9.1 of General Standards on page 73 of the
Law Firm MSA provide that all Original Documents will be maintained in a secure
area, may not be provided to any third party other than the appropriate court of record
and will be returned to HSBC upon cancellation or successful completion of the
foreclosure action. These provisions also require the Law Firm to have a tracking
system for the removal and return by authorized Law Firm Personnel of Original
Documents. For confidentiality and security of customer and other confidential and
information security requirements, see Section 9 (Security), 11 (Confidentiality) and
13 (Data Protection and Security) and the related Attachment D titled Information
Security and Data protection Requirements, and Sections 7 and 9 in Attachment F
titled Law Firm Work Standards of the Law Firm MSA. Compliance with these
provisions will be monitored during ongoing Law Firm reviews.
Enhancement to Processes / Programs:
Management is developing additional procedures and processes for the transmittal
and retention of specified documents (complaint, affidavit, motion for summary
judgment, order for summary judgment and other relevant documents) filed with the
courts. Retention of specified documents will include the use of a third-party servicing
system, such as the
tracking system, which procedures will be completed, and
processes implemented, by the end of fourth quarter 2011. Section 4.1 of the Law
Firm MSA requires Law Firms to promptly upload to the designated HSBC network
copies of any and all documents, pleadings, filings, declarations, affidavits,
correspondence, notices or any other documents related to the legal services.
Reporting is being further enhanced to monitor and track outstanding documents.
HBIO and HBUS will continue to image and retain copies of affidavits and other
documents that each entity signs and sends to the Law Firms. Law firms are required
to upload all imaged documents within the given foreclosure action to
. All
enhancements will be made by the end of fourth quarter 2011.
Periodic reviews will be performed by TPORMG to monitor Law Firms adherence to
HSBC’s image and retention requirements. On-going monitoring will be conducted
and reported by TPORMG.
Documents to be submitted with the Action Plan
x Default Document Tracking and Retrieval Procedure ALL
x CML FC Review Procedures Brandon External
x CML FC Review Procedures Lien Release Internal
x HBUS FC CML Assignments Procedures Records Internal
Page 21
Privileged and Confidential
Restricted
x
x
x
Captiva Indexing Regulatory Foreclosure Documents Procedure CML
Foreclosure Collateral Retrieval Procedure CML
DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission of Action Plan
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
x
SVP Default Services
Page 22
Privileged and Confidential
Restricted
Article 6(d)
FRB Order Reference:
Article 6(d)
Corresponding
V.1.c
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
measures to ensure the accuracy of all documents filed or otherwise utilized on
behalf of the Mortgage Servicing Companies or the owners of mortgages in the
Servicing Portfolio in any judicial or non-judicial foreclosure proceeding, related
bankruptcy proceeding, or in other foreclosure-related litigation, including, but not
limited to, documentation sufficient to establish ownership of the note and right to
foreclose at the time the foreclosure action is commenced;
Action Plan
Existing policies, procedures, and processes are in place regarding the review of
documents. Certain enhancements, described below, have been made to ensure the
accuracy of documents filed on behalf of HBIO or HBUS.
Existing Processes / Programs
HBIO and HBUS enhanced their processes and updated related policies, procedures,
and training to ensure the accuracy of all documents filed or otherwise utilized on
behalf of the Mortgage Servicing Companies, HBIO, HBUS, or owners of mortgages
in judicial and non-judicial foreclosure proceedings, including procedures for
document preparation, review, execution, notarization, note ownership, and right to
foreclose at the time the foreclosure action is commenced. These enhancements
include:
x Additional guidance for requirements related to acquiring knowledge of information
contained in the documents filed in foreclosure proceedings and additional
procedures to ensure the accuracy of the documents prior to initiating foreclosure,
including:
x Documentation sufficient to establish ownership
- Verification of the possession of original note (see the Summary and
Overview Sections on page 1 of the attached Pre-Foreclosure Note
Validation Procedure CML and Original Document States - Foreclosure and
Bankruptcy Procedure ALL)
- Execution of a Lost Note Affidavit, if required, upon determination that
original note is missing (see the Summary and Overview Sections on page
1 of the attached Non-Judicial States Lost Note Affidavit-Declaration
Procedure ALL
- Procedures for judicial states regarding Lost Note Affidavits are outlined in
the Summary and Overview sections of the Judicial States- Lost Note
Affidavit Procedures document. These procedures include the following:
Lost Note Affidavit – HI, IA, KY, ME, NM, NY, NC, ND, OH, OK, SC, DC
Procedure ALL, Lost Note Affidavit – IL, IN, KS, and NE Procedure ALL,
Lost Note Affidavit – CT, LA, and WI Procedure ALL, Lost Note Affidavit –
Page 23
Privileged and Confidential
Restricted
x
x
x
x
x
Vermont Procedure ALL, and FL Lost Note Affidavit Procedure ALL
- Verification of legal entity;
x Right to foreclose at the time foreclosure action is commenced (as an example
see the Summary and Overview Sections of the California 1137 Declaration
Execution Procedure ALL):
- Validation of the plaintiff for foreclosure action
- Review of Department of Defense website
- Review of the imaged Breach Letter (see the Summary and Overview
Sections of the Foreclosure Review Group C&D Re-Review Procedure
CML attached);
Development of standardized foreclosure affidavits, (as an example see the
attached Affidavit of Amount Due - Florida User Manual and the Affidavit of
Amount Due - Florida User Manual, and development of
instructions and procedures for verifying information as well as reviewing, signing,
and notarizing documents (see the attached Notary Procedure ALL, Foreclosure
Notary Maintenance and Validation Procedure ALL, and Notary Matrix Procedure
ALL);
Review and development of appropriate forms and instructions (District of
Columbia is still under review). HBIO and HBUS have been reviewing and
modifying forms where necessary and developing instructions and procedures for
reviewing, signing and notarizing documents where applicable;
Completion of user manuals prior to resuming or restarting foreclosures in a given
state;
Development and implementation of Business Records training, as described in
the Business Records Training document, which employees are required to
complete prior to executing a foreclosure affidavit (see attached Business Records
Training); and,
Implementation of quality reviews (see in the Summary and Overview Sections of
the attached Foreclosure Affidavit and Verified Complaint Quality Review
Procedure ALL).
A foreclosure checklist, is used as a means of guiding preparation and quality control
of the AOI; the checklist and corresponding evidence is imaged and retained, with
detailed information relating to imaging documents contained in the
User Manual
CML. HBIO and HBUS created this control as a first line of defense and results are
used to manage and monitor quality performance of both our employees and any
Third-Party Provider preparing an affidavit. The results will be used to drive coaching,
additional training, and corrective action, including termination, if warranted.
HBIO and HBUS also complete a monthly random sample review of affidavits
prepared and executed. Results are provided to senior management, including
Compliance and Operational Risk Management. Through the Risk Control
Assessment (“RCA”) program, material operational risks are monitored and failure to
meet service levels or quality thresholds requires action plans. Control deficiencies
are reported to Executive Management, including the HSBC Group Operational Risk
Page 24
Privileged and Confidential
Restricted
and Internal Control (“ORIC”) through RCA control monitoring.
Additionally, HBIO and HBUS enhanced their existing procedures and practices as
appropriate to comply with Legal Requirements to verify that each is in possession of
the original note before taking legal action where legally required. In all judicial states
and non-judicial states where possession of the original note is or may be required in
order to foreclose, HBIO and HBUS confirm that each, respectively, has possession
of the original note and, where required by applicable law, the original note is sent to
the Law Firm. If an original note is missing, a Lost Note Affidavit, if required, will be
executed and sent to the Law Firm. As appropriate, the terms of the note are
validated through an imaged copy of the note, and in non-judicial states, where
confirmation of possession of the original note is not required prior to commencement
of the foreclosure action, additional quarterly reviews will be conducted by the
Records Department to validate possession of these original notes. Outside legal
counsel validated the HBIO and HBUS process regarding the possession of the
original promissory note.
Enhancement to Processes / Programs:
Sections 2, 13, and 20 of the General Work Standards in the Law Firm MSA
Attachment F titled Law Firm Work Standards, also contain provisions requiring
accurate completion of affidavits, sworn statements and other documents. Law Firm
reviews will include a review of these requirements and results will be captured in
Scorecards. The TPORMG
Database will store performance and service
level data. See Article 6(j) for additional information regarding the TPORMG
Database.
HBIO and HBUS engaged outside counsel and completed a comprehensive review of
Residential Mortgage Servicing foreclosure related documents, procedures, and
processes related to document preparation, review, execution, notarization and note
ownership regarding bankruptcy proceedings. Outside counsel also performed onsite reviews of bankruptcy practices of
and
National Banking Services (“NBS”). Enhancements to bankruptcy documents,
policies, procedures, and processes regarding findings or necessary recommended
remediations identified in the reviews, will be made by the end of fourth quarter 2011.
Documents to be submitted with the Action Plan
x Universe of Documents Matrix ALL
x Affidavit of Amount Due - Florida User Manual
x Affidavit of Amount Due - Florida User Manual
x California 1137 Declaration Execution Procedure ALL
x Non-Judicial States Lost Note Affidavit-Declaration Procedure ALL
x Original Document States - Foreclosure and Bankruptcy Procedure ALL
x Foreclosure Policy ALL
x Collateral Policy ALL
Page 25
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
x
x
x
Pre Foreclosure Note Validation Procedure CML
Business Records Training
User Manual CML
Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
Foreclosure Review Group C&D Re-Review Procedure CML
Notary Procedure ALL
Notary Matrix Procedure ALL
Foreclosure Notary Maintenance and Validation Procedure ALL
HSBC North America (HNAH) Compliance Complaint Management Procedures
Affidavit Processing Checklist
Additional documents completed for re-submission of Action Plan
x Judicial States- Lost Note Affidavit Procedures
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
x
, SVP Deputy General Counsel, CML
Page 26
Privileged and Confidential
Restricted
Article 6(e)
FRB Order Reference:
Article 6(e)
Corresponding
V.1.d
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
processes to perform appropriate due diligence on potential and current Third-Party
Provider qualifications, expertise, capacity, reputation, complaints, information
security, document custody practices, business continuity, and financial viability; and
measures to ensure the adequacy of Third-Party Provider staffing levels, training,
work quality, and workload balance;
Action Plan
Existing policies and procedures are in place for HBIO and HBUS, including
processes to perform appropriate due diligence on potential and current Third-Party
Provider qualifications, expertise, capacity, reputation, complaints, information
security, document custody practices, business continuity, and financial viability. The
due diligence process described in Section 1.4 of the Mortgage Servicing Third Party
Operational Risk Management Procedures is also designed to promote adequacy of
Third-Party Provider staffing levels, training, work quality, and workload balance as
required by the Order.
Existing Processes / Programs:
In order to perform appropriate due diligence, the VRM Program and section 1.2 on
pages 4 and 5 of the TPORMG Procedures provide guidance for examining financial
information, information security measures, business continuity, reputation, and other
applicable reviews of potential and existing Residential Mortgage Servicing ThirdParty Providers, including the Mortgage Electronic Registration System (“MERS”),
National Bankruptcy Services (“NBS”), and Law
Firms. The TPORMG Third Party Provider Procedures also identify the need for a
legal review for Third-Party Providers of legal services in section 2.4 on pages 12 and
13.
Additionally, the HSBC Mortgage Servicing Legal Department Law Firm Management
Procedures (“Law Firm Procedures”) outline the legal review process for Third-Party
Providers of legal services (see the Legal review process in Section 5 of the Law Firm
Procedures, pages 5 to 8). These reviews are managed by HSBC Legal in order to
provide requisite expertise for the review. More specifically, the risk-based
methodology for identifying the scope and frequency of Law Firm reviews is outlined
in Section 5.3 of the Law Firm Procedures, on pages 6 and 7:
HSBC Legal uses a Risk-Based Approach to determine the scope and frequency of
Firm reviews and Firm file reviews. The Risk-Based Approach includes the
assessment of the overall control rating from prior reviews as well as the Firm state
complexity, Firm reputational risk and issues, Firm file volume and Firm size. The
Page 27
Privileged and Confidential
Restricted
Legal Review Scorecard captures the results of prior Firm File Reviews and Firm
Reviews and calculates an overall control rating for the Firm (i.e. Highly Effective,
Effective, Moderately Effective, Limited, Ineffective). The overall control rating from
prior reviews is the primary factor that determines the frequency and scope of
subsequent reviews. Generally, Legal conducts reviews for Firms with a Highly
Effective, Effective or Moderately Effective control rating annually to every 18 months.
Firms with a Limited or Ineffective control rating are typically reviewed semi-annually
to annually.
Legal may adjust the frequency of a Firm File Review and Firm Review (to a
maximum frequency of 18 months), the type of review, or the number or type of files
to be reviewed on a Firm by Firm basis based on an evaluation of the following
criteria:
o Firm State Complexity - The complexity of state specific legal or jurisdictional
requirements and the presence of unique state specific practices.
o Firm Reputational Risk and Issues – The Firm’s exposure to reputational risks
and contested issues raised by opposing parties.
o Firm File volume – The number of active HNAH foreclosure, bankruptcy and
eviction Files handled by the Firm in a specific state as well as the total number
of files handled by the Firm.
o Firm size – The total number of Firm employees as well as the ratio of
attorneys to staff.
In addition to the scheduled Firm File Reviews and Firm Reviews outlined above,
Legal may perform ad-hoc targeted reviews on a case by case basis to assess any
concerns or deficiencies noted in Firm Reviews.
While HBIO and HBUS are committed to complying with the VRM Program, there are
anticipated circumstances where HBIO and HBUS may be required to use a ThirdParty Provider prior to completing the VRM on-boarding process, such as where
Fannie Mae or Freddie Mac mandates immediate use of a new Law Firm that is not
currently an approved HSBC Third-Party Provider. In such instances, HBIO and
HBUS follow the Fannie Mae or Freddie Mac mandate and also initiate the VRM due
diligence process and a Legal Review of the Law Firm in parallel.
Management personnel of Residential Mortgage Servicing, HSBC Legal, Compliance
and Vendor Risk Management have reviewed existing policies and procedures for
HBIO and HBUS to provide appropriate due diligence on potential and current ThirdParty Providers to ensure the existing processes, policies and procedures are
accurate and in accordance with Third-Party Provider review requirements of the
Order. These policies, procedures and processes are subject to on-going review to
determine whether revisions or enhancements are appropriate or necessary in light of
changes to Legal Requirements or supervisory guidance.
Page 28
Privileged and Confidential
Restricted
Enhancement to Processes / Programs:
Reviews and monitoring of existing active foreclosure, bankruptcy, and eviction Law
Firms and new Law Firms are being conducted on an on-going basis consistent with
HSBC Mortgage Servicing Legal Department Law Firm Management Procedures,
Mortgage Servicing Third Party Operational Risk Management Procedures, and user
manuals. A schedule of reviews is being developed by management. Additionally, as
reviews are completed, and as new Law Firms become active, they will be provided
the Law Firm MSA, NDA, and Best Practices, and will be included in the on-going
review schedule.
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES (see updated version below)
Additional documents completed for re-submission of Action Plan
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x Mortgage Servicing Third Party Operational Risk Management Procedures
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, EVP Chief of Staff HTSN and NA Head of Procurement
x
, SVP Deputy General Counsel, CML
Page 29
Privileged and Confidential
Restricted
Article 6(f)
FRB Order Reference:
Article 6(f)
Corresponding
V.1.e
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
processes to ensure that contracts provide for adequate oversight, including
requiring Third-Party Provider adherence to HBIO’s foreclosure processing
standards, measures to enforce Third-Party Provider contractual obligations, and
processes to ensure timely action with respect to Third-Party Provider performance
failures;
Action Plan
HBIO and HBUS have existing policies and procedures to ensure that contracts
(Master Services Agreements), with Third-Party Providers include provisions for
adequate oversight, that require Third-Party Providers to adhere to HSBC Mortgage
Servicing Processing Standards, including measures to enforce contractual
obligations, and processes to ensure timely action for performance failures for HBIO
and HBUS. The Law Firm MSAs have also been enhanced based on legacy Law
Firm reviews, existing policies and procedures, and the requirements of the Order.
Existing Processes / Programs:
All material Third-Party Providers must be vetted through the VRM Program. A ThirdParty Provider is deemed “material” if it meets any one of the following specified
criteria in the VRM Policy and Procedures: expenditure levels, receipt of restricted or
highly restricted information and access to HSBC systems, providing customer facing
services, having physical access to HSBC locations, or use of HSBC brand signifiers.
HBUS and HBIO enter into agreements with all material Third-Party Providers,
including active Law Firms.
Standard Master Services Agreements (“MSAs”) have been in place and available for
Third Party Providers (other than Law Firms) engaged by HSBC North America
businesses. The MSAs include service level agreements (“SLAs”) developed by VRM
and the business as appropriate for the services provided by the Third Party Provider.
Representatives from the businesses and the Third-Party Provider negotiate the
terms, conditions and applicable service levels to be included in these agreements.
For additional information, please see Section 6.1 of the VRM Policy and Section 5 of
the TPORMG Procedures.
In order to enhance oversight and control over Law Firms, the standard Master
Services Agreement (Legal Services) (“Law Firm MSA”) was developed in
collaboration with HSBC Legal, TPORMG, Information Security Risk (“ISR”), Business
Continuity Program Management (“BCPM”), as well as the impacted business areas.
SLAs are contained within Law Firm MSA, Attachment F, titled Law Firm Work
Standards.
HBIO and HBUS directly engage the active foreclosure Law Firms that use the
Page 30
Privileged and Confidential
Restricted
legal desktop network; HBIO and HBUS do not
subcontract these Law Firms through
The Law Firm MSA has been sent for
execution to active foreclosure Law Firms that provide legal services to HBIO and
HBUS Residential Mortgage Servicing. Approximately 60 percent of the active
foreclosure Firms have returned to us the executed Law Firm MSA.
Additionally, each active foreclosure Law Firm is reviewed and monitored directly by
HSBC and HBIO Legal, Information Security Risk, VRM, TPORMG and other
appropriate functions. HSBC does not rely on
o perform Law Firm monitoring on
its behalf. Further, the Law Firm MSA provides that on occasion, where the
foreclosure Law Firm needs to retain a local attorney for a court appearance for
example, the foreclosure Law Firm needs to obtain HSBC’s prior approval. In these
instances and pursuant to the Law Firm MSA, the foreclosure Firm is responsible for
the actions of the retained Firm and is required to confirm that the retained Firm will
act in accordance with the provisions of the Law Firm MSA (see Section 25 of the Law
Firm MSA).
The standard agreements for Third-Party Providers, including the standard Law Firm
MSA, also provide terms allowing HBIO and HBUS businesses to perform adequate
oversight of Provider performance, review Provider adherence to established service
levels, and escalate non-compliance with contract provisions to appropriate HBIO or
HBUS management (see Law Firm MSA, Sections 3 (Law Firm Work Standards),
Section 23 (Access & Audit Procedures), Section 24 (Consequences of Failure to
Meet Performance and Other Standards) and the Escalation Protocol Matrix attached
as Exhibit C). The agreements also include provisions that require the Provider to
perform the services in compliance with applicable Legal Requirements and HBIO
and HBUS policies and procedures (see Section 4.6 of the Law Firm MSA).
As described in more detail in Article 6(a) above, in addition to the VRM Policy and
Procedures, HBIO and HBUS have implemented processes pursuant to Section 6 of
the TPORMG Procedure and Section 5.4 of the Legal Law Firm Procedure regarding
Law Firms reviews. These Procedures also require the negotiation and execution of
the Law Firm MSA, (see Section 5 of the TPORMG Procedure and Section 4 of the
Legal Law Firm Procedures). The standard Law Firm MSA has been distributed to
active foreclosure Law Firms, and approximately 60 percent of those Firms have
executed and returned the Law Firm MSA. A Law Firm MSA will be sent for execution
to existing active bankruptcy, eviction and DIL Law Firms following satisfactory Firm
reviews. It is anticipated that all MSAs will be distributed by the end of fourth quarter
2011.
Service level agreements (“SLAs”) for Law Firms are contained in the Law Firm MSA
Attachment F, titled Law Firm Work Standards, to ensure compliance with applicable
laws, HSBC Best Practices and HSBC procedures. These SLAs were developed in
collaboration with Legal, Information Security Risk (“ISR”), Business Continuity
Program Management, as well as the impacted areas of the business: foreclosure,
bankruptcy, and evictions. Contract Owners (“CO”) within TPORMG are responsible
Page 31
Privileged and Confidential
Restricted
for ongoing monitoring of performance of Third-Party Providers against SLAs and
other contract terms, including the Legal Requirements, supervisory guidance and
HBIO’s policies and procedures. These COs also receive feedback regarding ThirdParty Provider performance from various sources including, but not limited to, the
business, ISR, Customer Service, and Legal with respect to Law Firm legal reviews
(described in Article 6 (a), (e) (g) and (j). In addition, TPORMG reviews Scorecard
results and Third Party Provider review findings, as appropriate, with the Third Party
Governance Committee on a monthly basis, as well as having daily interactions as
appropriate with the business areas. TPORMG is subject to review by HNAH VRM
and Group Audit North America.
Upon completion of a Law Firm legal review, a Remediation Letter identifying
concerns or deficiencies is sent to the Law Firm, with designated timeframes to
respond, and the Law Firm responses are tracked to confirm response. All of these
documents are stored in, and tracked through, the TPORMG SharePoint Database.
Continued non-compliance or performance failures may result in reduction of new
referrals, removal of existing files, exercise of indemnification rights, or termination of
the Third-Party Provider. The complete termination procedure outlining the transfer of
files process is in the attached Law Firm Termination Procedures ALL. The
supplementary documents regarding the Law Firm legal review and remediation
process include SAMPLE REMEDIATION LETTER – Follow Up on recent HSBC
Audit – Non-Judicial Foreclosure, SAMPLE REMEDIATION LETTER – FOLLOW-UP
on recent HSBC Audit (Firm with multiple state offices), and SAMPLE REMEDIATION
LETTER – FOLLOW-UP on recent HSBC Audit.
Enhancement to Processes / Programs:
An in-depth review of legacy Third-Party Provider relationships is currently being
conducted under the VRM Program as part of the LRM Program. Upon completing
this review, management will evaluate whether existing contracts with the Third-Party
Providers (including Law Firms,
and NBS) contain provisions consistent with the
requirements of VRM Policies and Procedures, or whether new agreements are
necessary. If new agreements are necessary, HBIO and HBUS will use a Risk-Based
Approach to prioritize, negotiate and execute contracts focusing first on critical ThirdParty Providers.
The agreements with
and National Bankruptcy
Services (“NBS”) are in the process of being reviewed and revised. The revised
and NBS agreements will be consistent with and will include the standard VRM
contract provisions and will accompany the current statement of work that will reflect
the current services provided by
and NBS. Quality standards and performance
metrics will also be included in the revised
and NBS agreements, which are
expected to be completed by the end of fourth quarter 2011. A revised Master
Services Agreement was sent to
for its comments. The revised Agreement is
more consistent with the standard Law Firm MSA and other HSBC standard ThirdParty agreements.
Page 32
Privileged and Confidential
Restricted
Generally, for Law Firms providing bankruptcy or eviction legal services only, we plan
to enter into the Law Firm MSA following satisfactory reviews of the Law Firms, with
the possible exception of the network of local bankruptcy attorneys engaged by the
law firm BVW. The BVW firm is associated with, and provides legal services to, NBS
and its clients. NBS provides bankruptcy administrative and processing support. We
continue to conduct due diligence on the BVW Firm along with NBS. Upon
completion of due diligence, we will determine whether to contract directly with each
bankruptcy attorney within the BVW network in addition to the MSA with BVW. The
BVW Agreement is also undergoing review and revision, and the updated agreement
is expected to be completed by the end of fourth quarter 2011.
A Law Firm MSA will be sent for execution to existing active bankruptcy, eviction and
DIL Law Firms following satisfactory Firm reviews. If the review of such Firms is not
acceptable, the Firm will be evaluated for termination or other remediation. It is
anticipated that all Law Firm MSAs will be distributed to active Law Firms by the end
of fourth quarter 2011.
As stated throughout this Action Plan as well as this Article, the monitoring of active
Law Firms is the responsibility of the TPORMG. The TPORMG will continue to
engage with Vendor Risk Management, ISR, Legal and other departments to provide
subject matter expertise for Mortgage Servicing Third Party relationships, including
Law Firms. Active Law Firms will be monitored by TPORMG through a combination
of periodic Law Firm reviews, as described in the Law Firm Management Procedures
and the TPORMG Procedures. Firm Reviews include an evaluation of Firm policies
and procedures, oversight, qualification, expertise, and training of staff, adequacy of
staffing, control of vendor relationships, remediation processes, contested litigation
management, as well as document preparation, review, and execution practices,
notary practices, and document custody controls. In addition, TPORMG will review
Law Firm quality results produced by other departments and escalated complaints
regarding Law Firms. TPORMG will capture the results in a monthly scorecard on
each Firm. Firms not performing to standard expectations will be reviewed and
discussed as part of the monthly Third-Party Governance Committee meeting (see
Section 10.1 of the Mortgage Servicing Third Party Operational Risk Management
Procedures) and during Legal Review Meetings (described in Article 6 (a).
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES (see updated version below)
x SAMPLE REMEDIATION LETTER – Follow Up on recent HSBC Audit – NonJudicial Foreclosure
x SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit (Firm
with multiple state officers)
x SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit
Page 33
Privileged and Confidential
Restricted
x
x
Law Firm Termination Procedure ALL
DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission of Action Plan
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x Mortgage Servicing Third Party Operational Risk Management Procedures
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, EVP Chief of Staff HTSN and NA Head of Procurement
x
, SVP Deputy General Counsel, CML
Page 34
Privileged and Confidential
Restricted
Article 6(g)
FRB Order Reference:
Article 6(g)
Corresponding
V.1.f
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
processes to ensure periodic reviews of Third-Party Provider work for timeliness,
competence, completeness and compliance with all applicable Legal Requirements,
and HBIO’s contractual obligations to GSEs and investors, and to ensure that
foreclosures are conducted in a safe and sound manner;
Action Plan
HBIO and HBUS have policies and procedures in place to review the work of ThirdParty Providers for timeliness, competence, completeness, and compliance with
applicable Legal Requirements and contractual obligations of HBIO and HBUS to
GSEs and investors, and to ensure that foreclosures are conducted in a safe and
sound manner in accordance with the requirements of the Order (see HSBC -North
America Vendor Risk Management (VRM) Policy and HSBC North America Vendor
Risk Management (VRM) PROCEDURES).
Existing Processes / Programs:
The existing VRM Policy and Procedures require businesses, which own the contracts
with the Third-Party Providers (which includes active Law Firms), to perform reviews
to monitor adherence to the contract terms and service level agreements (“SLAs”) in
the contracts. The Law Firm Management Procedures and the TPORMG Third Party
Management Procedures require periodic reviews of Third-Party Providers including
Law Firm reviews.
HBIO and HBUS also established the Mortgage Servicing Operations Third-Party
Provider Governance Committee (“Third Party Governance Committee”) to oversee
the Mortgage Servicing Third-Party Provider management process, which includes
the review of Law Firms. The Third Party Governance Committee will meet monthly.
The responsibilities of the Committee include:
x Reviewing and assessing performance reporting and results of the Third-Party
Provider reviews;
x Determining retention, discipline, remediation and termination of Third-Party
Providers;
x Evaluating and addressing emerging trends and risks and strategies;
x Determining whether or not to continue doing business with each Law Firm; and,
x Escalating issues identified, as appropriate, to senior management.
Additionally, processes are in place to ensure that applicable legal, regulatory and
investor changes are identified and appropriate changes made to relevant documents,
procedures and practices. Changes to Legal Requirements and supervisory guidance
are monitored by the Regulatory Monitoring and Assessment group (“RMA”) and
Page 35
Privileged and Confidential
Restricted
appropriate changes to documents, procedures and practices are implemented by the
businesses with assistance from the Law Change Working Group (“LCWG”).
Changes to GSE and investor guidelines are monitored and implemented in
coordination with the Investor Change Working Group (“ICWG”) for HBIO and HBUS
(see the attached RMA, LCWG, and ICWG procedures that provide further detail
regarding the processes to monitor and implement as appropriate legal changes,
supervisory guidance and investor requirements, and see HSBC North America New
Laws and Regulations Procedure – US and Law Implementation Procedure ALL).
As stated above and as provided in the Law Firm Procedures, the TPORMG
Procedures, and VRM Policies and Procedures, all active Law Firms receiving new
referrals are reviewed in accordance with the VRM Program, and Legal along with
TPORMG coordinates and manages a legal review of the Law Firms. The reviews
are conducted to ensure that foreclosures occur in a safe and sound manner with
timeliness, competence, completeness, compliance with applicable Legal
Requirements, and the contractual obligations of HSBC to the GSEs and investors.
The requirements for engagement of a vendor under the VRM Program have been
initiated for all active foreclosure, bankruptcy and eviction Law Firms. To date, the
following has occurred with respect to Law Firm reviews:
x Active foreclosure Law Firms are being monitored consistent with the VRM
Program;
x For all active foreclosure, bankruptcy and eviction Law Firms, a
(“
that initiates the VRM process for the
engagement of a Third-Party Provider has been completed;
x A Business Analysis Report (“BA”) and Financial Analysis Report (“FA”) has been
completed for active foreclosure Law Firms and a Contract Owner and Third Party
Risk Officer (“TPRO”) has been assigned;
x Third-Party Security Reviews (“TPSR”) by the HNAH Information Security Risk
(“ISR”) group are nearing completion for active foreclosure Law Firms. A TPSR
rating provided by ISR is included in the Overall Service Risk Assessment
(“OSRA”) rating for each Law Firm;
x An NDA has been signed by the active foreclosure Law Firms;
x Best Practices have been distributed to active foreclosure, bankruptcy and
eviction Law Firms. All foreclosure Firms (but for one with which we are still
working through remediation) have acknowledged their commitment to comply
with the Best Practices;
x HSBC Legal has coordinated with the assistance of outside counsel initial reviews
of active foreclosure Law Firms to assess adherence and compliance with
applicable Legal Requirements, and review of the Firm processes and practices
for document preparation and review, execution and notarization, staffing, training,
capacity and competency;
x Remediation letters have been sent to active foreclosure Law Firms regarding
Except for bankruptcy Law Firms in the BVW network as BVW and its network of bankruptcy attorneys are under review.
Page 36
Privileged and Confidential
Restricted
x
x
deficiencies or concerns and remediation expectations, including time lines for
completion. Responses are being tracked and monitored in the TPORMG
SharePoint Database (see SAMPLE REMEDIATION LETTER – Follow Up on
recent HSBC Audit – Non-Judicial Foreclosure, SAMPLE REMEDIATION LETTER
– FOLLOW-UP on recent HSBC Audit (Firm with multiple state offices), and
SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit);
Review of significant and material findings from the Law Firm reviews are
discussed at the Legal Review Meetings (described in Article 6(a)) and will be
discussed at the Third-Party Governance Committee meetings (see the attached
Mortgage Servicing Operations Third Party Provider Governance Charter)).
Several terminations have been recommended and agreed upon ;and,
Law Firm termination procedures have been developed (see the attached Law
Firm Termination Procedures ALL document).
The standard Law Firm MSA (see the MASTER SERVICES AGREEMENT (LEGAL
SERVICES)), includes provisions regarding timeliness, competence, and compliance
with all applicable Legal Requirements to ensure that foreclosures are conducted in a
safe and sound manner.
Enhancement to Processes / Programs:
Reviews of remaining active bankruptcy and eviction Firms will be completed, and if
the reviews are satisfactory, the Law Firm MSAs will be sent for execution to these
Firms, by year-end 2011. Firms with unsatisfactory reviews will be evaluated for
termination or other remediation. On an on-going basis, active Law Firms will be
assessed in a consistent manner with the VRM OSRA risk rating (the “VRM
Scorecard”). The OSRA risk rating is comprised of a series of risk statements used to
facilitate a risk assessment of key Vendor risks using the Operational Risk Self
Assessment (“RSA”) Methodology to arrive at a consolidated rating. Additionally,
HSBC Legal will manage the legal reviews to assess legal risks associated with Law
Firms and will capture results of those reviews in the Legal Review Scorecard (see
the attached Legal Review Scorecard). The Legal Review Scorecard assesses legal
risk. The nature and frequency of the on-going reviews will depend, in part, on the
OSRA ratings, as well as the Legal Review Scorecard results and other factors
described in Article 6(a) (see the OSRA process in Section 3.5 of the VRM Policy).
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES (see updated version below)
x Law Implementation Procedure ALL
x HSBC North America New Laws and Regulations Procedure - US
x Attorney Risk Assessment - Law Firm Management Scorecard (see updated
version below)
x HSBC Mortgage Servicing Legal Department Law Firm Management Pre-review
Page 37
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
Questionnaire
HSBC Mortgage Servicing Legal Department Law Firm Management Review
Questionnaire
Mortgage Servicing Operations Third Party Provider Governance Charter
Law Firm Termination Procedure ALL
SAMPLE REMEDIATION LETTER – Follow Up on recent HSBC Audit – NonJudicial Foreclosure
SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit (Firm
with multiple state offices)
SAMPLE REMEDIATION LETTER – FOLLOW-UP on recent HSBC Audit
DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission of Action Plan
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x Law Firm Management Legal Review Scorecard
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, SVP Vendor Risk Management
x
, SVP Deputy General Counsel, CML
Page 38
Privileged and Confidential
Restricted
Article 6(h)
FRB Order Reference:
Article 6(h)
Corresponding
V.1.g
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
processes to review customer complaints about Third-Party Provider services;
Action Plan
Existing customer complaint policies and procedures ensure that customer complaints
related to Third-Party Providers of HBIO and HBUS are reviewed and resolved in a
timely manner and in accordance with the requirements of the Order.
Existing Processes / Programs:
Escalated customer complaints are handled in a similar manner by HBIO and HBUS
personnel For HBUS, escalated complaints are reviewed by the
, and for HBIO, escalated complaints are reviewed by the
.
After researching the allegations in the complaint along with the assistance of
appropriate business personnel,
prepares a written
response to the customer (see the Research and Response Letter Procedure CML,
the Escalated Complaint Resolution Policy ALL, Escalated Complaint Resolution User
Manual HBUS, Escalated and Presidential Call Policy All, Escalated and Presidential
Call Procedure CML, and HSBC North America (HNAH) Compliance Complaint
Management Procedures documents).
The
or
monitors the timely and effective resolution of
customer complaints through the
(“
.
is an enterprise-wide system used to manage the progress and
handling of complaints, understand status and ownership of complaints within and
across businesses, and communicate information requests and comments to other
complaint representatives (see the Process Section on page 1 of the
Entering a
Complaint Procedure ALL). Complaints are categorized according to complaint
reason.
The Vendor Relationship Owner (“VRO”) Team tracks and provides trending on ThirdParty Provider complaints, which include complaints concerning Law Firms. The VRO
is the business representative responsible for macro-level oversight of a Third-Party
Provider relationship and provides oversight for Third Party relationships that may
cross businesses. The VRO also serves as the primary point of contact for that Third
Party Provider and oversees the Vendor Management activities of each Contract
Owner (“CO”). The CO resides in the business and is responsible for monitoring the
Third Party against the Service Level Agreement (“SLA”) terms, as well as other
provisions specified in the contract and reporting on the Vendor’s performance.
Page 39
Privileged and Confidential
Restricted
The Escalated Complaint Team has enhanced their written procedures to require
complaint tracking, which is currently in place. Reporting and trending of customer
complaints specific to Third-Party Providers is underway, and the TPORMG will be
notified of any such complaints going forward.
As described in the Escalated Complaint Resolution Policy ALL, the Regulatory
Liaison Office (“RLO”), which is a part of HNAH Compliance, maintains a process to
monitor complaint resolution to ensure that regulatory complaints are handled
expeditiously and compliance issues raised in complaints are reviewed, appropriately
responded to, and corrective actions are initiated. The RLO also receives complaints
regarding Third-Party Providers received from state or federal regulatory agencies
(see HSBC North America (HNAH) Compliance Complaint Management Procedures).
Further, HSBC Legal reviews and assesses customer complaints as requested by the
business.
Additionally, Law Firm reviews address customer complaints and material or
significant adverse litigation concerning Law Firms, including litigation involving law
enforcement agencies or regulatory authorities.
Management personnel of Residential Mortgage Servicing, Compliance and Vendor
Risk Management have reviewed the existing policies and procedures described
above to ensure accuracy and confirm adherence to the Third-Party Provider
customer complaint review requirements of the Order. Although at the present time
enhancements are not deemed necessary, processes and procedures are subject to
on-going review in the ordinary course of business to determine whether revisions or
enhancements are appropriate or necessary.
Documents to be submitted with the Action Plan
x Research and Response Letter Procedure CML
x Escalated Complaint Resolution Policy ALL
x Escalated and Presidential Call Policy All
x Escalated and Presidential Call Procedure CML
x HSBC North America (HNAH) Compliance Complaint Management Procedures
x
Entering a Complaint Procedure ALL
x Escalated Complaint Resolution User Manual HBUS
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, SVP General Compliance
Page 40
Privileged and Confidential
Restricted
Article 6(i)
FRB Order Reference:
Article 6(i)
Corresponding
V.1.i
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
a review of fee structures for Third-Party Providers to ensure that the method of
compensation considers the accuracy, completeness, and legal compliance of
foreclosure filings and is not based solely on increased foreclosure volume or
meeting processing timelines; and
Action Plan
Existing Processes / Programs:
As detailed earlier, HNAH has an existing North America Vendor Risk Management
infrastructure in place. As part of this infrastructure, HNAH has established policies
and procedures which outline the vendor due diligence, ongoing monitoring processes
and provisions associated with contracting with Third-Party Providers engaged by
HNAH subsidiaries (collectively the “VRM Program”) (see Article 6(a)). Regarding
contracting and setting fee structures with vendors, TPORMG works with relevant
business departments to develop service level agreements, work standards and
associated fee parameters for services to be provided to HBIO and HBUS.
In order to enhance oversight and control over Law Firms, the standard Master
Services Agreement (Legal Services) (“Law Firm MSA”) was developed in
collaboration with HSBC Legal, TPORMG, Information Security Risk (“ISR”), Business
Continuity Program Management (“BCPM”), as well as the impacted business areas.
SLAs are contained within the work standards of the Law Firm MSA. The MSA, as
more fully described below in the Enhancement to Processes/Programs section,
contains a variety of measures relating to fees and the consequences to the Firms for
failure to comply with the service level agreements and other work standards. HBIO
and HBUS leverage GSE guidelines in setting the attorneys fees for foreclosure and
bankruptcy related services. The mortgage servicing industry has typically looked to
the GSE attorney fee guidelines as being industry standard and these guidelines have
routinely been adopted for non-GSE loans in addition to GSE loans. As described
below, controls have been developed to ensure that accuracy, completeness, and
legal compliance of foreclosure and bankruptcy filings are considered when assessing
the compensation owed to a Law Firm.
Enhancement to Processes / Programs:
The existing VRM contracts and agreements require business Contract Owners to
perform reviews of non-Legal Third-Party Providers to monitor adherence to contracts
and terms as they relate to fees. For Law Firm Third-Party Providers, to ensure that
the method of compensation considers accuracy, completeness, and legal
compliance of foreclosure filings, HBIO and HBUS began by developing a robust set
Page 41
Privileged and Confidential
Restricted
of Best Practices and the Law Firm MSA. These documents detail HBIO and HBUS
requirements concerning accuracy, completeness and compliance with Legal
Requirements for services provided by the Law Firms. The Best Practices, for
instance, require the Law Firms to ensure that their policies, procedures and practices
comply with state notarization laws and that the Law Firms periodically review
affidavits and other forms for state law compliance (See HSBC BEST PRACTICES
FOR OUTSIDE FORECLOSURE, EVICTION AND BANKRUPTCY LAW FIRMS).
The MSA contains many mandatory service levels and work standards that require
the Law Firms to comply with Legal Requirements and service levels covering
accuracy and completeness of foreclosure and bankruptcy filings in addition to
adherence to required timelines. For example, Law Firms must use HSBC approved
affidavits and forms. Law Firms must also have quality control programs designed to
identify practices that do not comply with Legal Requirements and ensure that any
deficiencies are remediated promptly. Failure of a Law Firm to comply with these
requirements can result in financial penalties including reduction of new referrals,
removal of files, exercise of indemnification rights, or termination of the Law Firm.
Additionally, HBIO and HBUS will impose a ten-thousand dollar penalty against a Law
Firm for an improper foreclosure filing if the Law Firm files a foreclosure complaint in
the name of MERS in violation of the Law Firm MSA. (See sections 3.6 on page 10;
21.1 on page 36; and 24.1 and 24.2 on page 41 of the MASTER SERVICES
AGREEMENT (LEGAL SERVICES)).
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission with the Action Plans
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION AND
BANKRUPTCY LAW FIRMS
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
Page 42
Privileged and Confidential
Restricted
Article 6(j)
FRB Order Reference:
Article 6(j)
Corresponding
V.1.j
OCC Article:
The policies and procedures shall, at a minimum, address, consider, and include:
a periodic certification process for law firms (and recertification of existing law firm
providers,) that provide residential mortgage foreclosure and bankruptcy services for
the Mortgage Servicing Companies as qualified to serve as Third-Party Providers to
the Mortgage Servicing Companies, including that attorneys are licensed to practice
in the relevant jurisdiction and have the experience and competence necessary to
perform the services requested.
Action Plan
As described below, the existing HNAH VRM Policy and Procedures as well as the
TPORMG Procedures and the Law Firm Procedures describe the assessment and
review process for residential mortgage foreclosure, bankruptcy, and eviction Law
Firms. The assessment includes a review of Firm qualifications to provide
foreclosure, bankruptcy, and/or eviction legal services to HBIO and HBUS. These
policies and procedures, along with the standard MSAs, Best Practices, Scorecards,
Questionnaires and other tools described in this Action Plan are designed to ensure
compliance with this requirement of the Order.
Existing Processes / Programs:
The existing HNAH VRM Policy and Procedures (see Section 4 on page 16) as well
as the TPORMG Procedures (see Section 6 on page 18) and the Law Firm
Procedures (see Section 5 on pages 5 to 9 and section 6 on page 10) provide the
review and assessment process to evaluate new Law Firms and for the on-going
monitoring of existing active Law Firms. While the assessment and review processes
described in the VRM Policy and Procedures, TPORMG Procedures and Law Firm
Procedures, are not specifically defined as a certification process, they serve the
same purpose by providing guidelines to determine whether Law Firms are qualified
to serve and whether HBIO and HBUS should engage or continue doing business
with the Law Firm.
These Procedures identify the type of reviews to be performed by the business,
Information Security Risk, VRM, TPORMG, Legal and others to assess the financial,
reputational, information security, legal and other capabilities or risks of the Law
Firms.
As previously stated, in Article 6(a), the requirements for engagement of a Third Party
under the VRM Program have been initiated for active foreclosure, bankruptcy and
Except for bankruptcy Law Firms in the BVW network as BVW and its network of bankruptcy attorneys are under review.
Page 43
Privileged and Confidential
Restricted
eviction Law Firms that provide legal services to HBIO and HBUS Residential
Mortgage Servicing. In addition to the various financial, information security,
reputation and other reviews performed by VRM, Information Security Risk,
TPORMG, the business, and others, HSBC Legal manages with the assistance of
outside counsel, the legal review of Law Firms to assess Firm compliance with
applicable laws, rules, regulations and judicial requirements as well as Firm
qualifications to provide the legal services. These legal assessments are managed by
HSBC Legal along with experienced outside counsel to provide the requisite expertise
for the review and evaluation of the qualifications of the Law Firms to perform the
legal services.
Law Firm reviews include:
x Assessment of Law Firm qualifications, expertise, competence, reputation,
capacity, staffing, training, work quality, workload, controls, financial viability,
organizational structures and affiliated or related service provider relationships;
x Assessment of compliance with applicable legal, regulatory and judicial
requirements, Best Practices, compliance with HSBC Legal escalation mandates;
x Assessment of financial and information security risks;
x Review of Law Firm policies and procedures and document preparation, review,
execution, and notarization practices;
x Interviews with Law Firm personnel;
x Review of material or significant adverse litigation and media coverage regarding
the Law Firm; and,
x File reviews.
Legal is using a Risk-Based Approach to determine the scope and frequency of ongoing Firm reviews and Firm file reviews (see section 5.3, pages 6 to 8 of the Legal
Procedures and Article 6(a) and (e) above). As described more fully in Article 6(e),
this risk-based approach includes the assessment of the overall control rating from
prior reviews taking into consideration Firm state complexity, Firm reputational risk,
including adverse litigation and media coverage, Firm file volume and Firm size.
Based on this approach Firm Legal Reviews can be performed every 6 to 18 months
depending on the risk rating.
HSBC Legal has managed the initial legal reviews that have been completed for
active foreclosure Law Firms to assess compliance with applicable Legal
Requirements and Best Practices. Remediation letters identifying concerns or
deficiencies have been distributed to Law Firms, and responses tracked and
monitored in the TPORMG Share Point database (see Section 1.5, page 10 of
TPORMG Procedure and page 16 of Law Firm Procedure). The results of the reviews
are captured in the Summary of Findings Memos and Legal Review Scorecards for
each Firm. On an on-going basis, Law Firm communications, Law Firm review
results, Scorecard ratings and other information will be placed in the TPORMG
Database described earlier in Article 6(a) (see Section 1.5, page 10 of TPORMG
Procedure).
Page 44
Privileged and Confidential
Restricted
Based on the reviews and Scorecard results and Law Firm responses to Remediation
Letters, evaluations and recommendations are made regarding whether to continue
doing business with the Law Firm, reduce or cease new referrals, remove existing
files or terminate the Law Firm. Law Firms with significant or material exceptions are
discussed during the Legal Review Meetings described in Article 6(a). Such
exceptions will also be reviewed with the Third-Party Governance Committee (see the
Mortgage Servicing Operations Third Party Provider Governance Charter).
Additionally, HSBC Legal has engaged outside counsel to monitor and notify HBIO
and HBUS of any adverse litigation and media coverage concerning Law Firms, and
Legal and TPORMG receive frequent summaries, at least weekly, regarding litigation
and media coverage concerning Law Firms. Law Firms are also required to provide
notice to HSBC of significant or substantive adverse litigation and any bar grievances
and sanctions (including reprimand, censure and disbarment) against the Law Firm or
any Firm attorney pursuant to the Escalation Protocol Matrix described in the Best
Practices and Law Firm MSA (described in Article 6(a). Compliance with these
provisions will be evaluated during Law Firm reviews. Additionally, such litigation and
matters are discussed with the Law Firms as appropriate and their feedback is
considered. Moreover, significant or substantive adverse litigation or adverse media
coverage regarding Law Firms is evaluated during the Legal Review Meetings, and
will also be discussed with the Third Party Governance Committee and the
Compliance Committee, as appropriate. In the event HSBC personnel or any of the
above Committees determine that any significant or substantive adverse litigation or
media coverage may impact the ability of the Law Firm to perform in accordance with
Legal Requirements or HBIO and HBUS policies and procedures, or presents
reputational concerns for HBIO or HBUS, actions including reduction of new referrals,
removal of existing files, exercise of indemnification rights, and/or termination of the
Law Firm may occur.
Enhancement to Processes / Programs:
Business requirements have been developed to create a TPORMG Database that will
further strengthen the monitoring and reporting regarding Third-Party Providers (see
Third Party Operational Risk Management Database Design Requirements). Note
that these requirements may be modified as business needs are refined and
circumstances change. Population of the TPORMG database has begun. Testing
and validation of the database, along with system and user manuals will be completed
by the end of fourth quarter 2011.
Additional tools will be reviewed and considered to further enhance on-going Law
Firm monitoring.
Management personnel of Residential Mortgage Servicing, HSBC Legal, Compliance,
and Vendor Risk Management reviewed the processes and procedures described in
this Article, as well as the enhancements, to ensure they are accurate and in
accordance with this requirement of the Order.
Page 45
Privileged and Confidential
Restricted
Documents to be submitted with the Action Plan
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES (see updated version below)
x Mortgage Servicing Operations Third Party Provider Governance Charter
x DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see updated
version below)
Additional documents completed for re-submission with the Action Plan
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x Mortgage Servicing Third Party Operational Risk Management Procedures
x Law Firm Management Legal Review Scorecard
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Office, HBIO
x
, SVP Vendor Risk Management
x
, SVP Deputy General Counsel, CML
Page 46
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Article 7 Enterprise Wide Compliance
Final Pending Approval from the Compliance Committee
October 19, 2011
Privileged and Confidential
Restricted
Section 6: Compliance Program
Article 7
FRB Order Reference:
Article 7
Corresponding
N/A
OCC Article:
Within 60 days of this Order, HNAH shall submit to the Reserve Bank an acceptable
written plan to enhance its enterprise-wide compliance program (“ECP”) with respect
to its oversight of residential mortgage loan servicing, Loss Mitigation, and foreclosure
activities and operations. The plan shall be based on an evaluation of the
effectiveness of HNAH’s current ECP in the areas of residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities and operations, and
recommendations to strengthen the ECP in these areas. The plan shall, at a
minimum, be designed to:
Action Plan
HNAH has an Enterprise Compliance Program (“ECP” or “Program”) for oversight of
residential mortgage loan servicing and foreclosure activities and operations, as well
as Loss Mitigation, which has been enhanced as set forth herein in compliance with
the requirements of the Order. Further details regarding the Compliance Risk
Management Program, are outlined in the Action Plans for Article 7, sections (a)
through (c). ECP is a comprehensive compliance risk management program that has
been approved by the HNAH Board of Directors. The Program is structured to
proactively identify as well as quickly react to emerging issues and to assess, control,
measure, monitor and report compliance risks across HNAH.
The scope of the Program includes compliance with state and federal laws and
regulations, supervisory guidance, and self-regulatory standards or codes of conduct
that regulate certain business activities and functions of HNAH. More specifically,
HNAH maintains an inventory of the regulatory requirements that are included within
the scope of this Program. The inventory is maintained in the
("
which is linked to the
(“
As new legislation is enacted, regulatory requirements are added
to
and updated to
The compliance risk assessment process is an integral part of an effective compliance
program. Two critical components are the detailed assessment that is conducted
annually with business line management using
and
and the quarterly
General Compliance Enterprise-wide Risk Assessment (“ERA”). Enhancements have
been made to
which houses the risk statements applicable to the business.
The enhancements to the
risk statements are discussed in detail in Action Plan
Article 7(a).
The ERA is completed quarterly for all business units and gives a summary of
compliance for each business unit [e.g. CML (Consumer and Mortgage Lending)]. It
Page 2
Privileged and Confidential
Restricted
measures critical components such as: the number of MRA’s that repeat, are reopened or extended; past-due issues; and ensures policies and procedures are up to
date.
Below is a summary of existing processes, as well as planned enhancements, to
address requirements of the Order. These existing processes and enhancements are
further described below in sections 7(a) through (c).
Existing Processes
Required Enhancements
• Enterprise-wide Risk Management
(“ERM”) program that provides
oversight of HNAH’s Compliance Risk
Management Program (noted in
Article 7(a))
• The Good Governance Initiative
(currently underway) is designed to
ensure appropriate policies and
procedures are in place for all
functional areas and that all
employees understand and
consistently follow them through a
formal certification process (noted in
Article 7(c))
• Dedicated functional groups, such as
RMA, LCWG, and OQPA, have
formalized and documented
processes to ensure compliance with
existing Legal Requirements and
supervisory guidance of the Board of
Governors as well as to incorporate
changes to or new Legal
Requirements or supervisory
guidance (noted in Articles 7(b) and
7(c))
• Service Delivery Control Adherence
(formerly North America Quality
Assurance) tests controls and
ensures regulatory compliance (noted
in Article 7(b))
• Group North America Audit assesses
the effectiveness of Operational
Compliance and Service Delivery
Control Adherence (noted in Article
7(b))
Documents to be submitted with the Action Plan
x Refer to Action Plans for Article 7, sections (a) through (c)
Page 3
Privileged and Confidential
Restricted
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
x
SVP Default Services
Page 4
Privileged and Confidential
Restricted
Article 7(a)
FRB Order Reference:
Article 7(a)
Corresponding
N/A
OCC Article:
Ensure that the fundamental elements of the ECP and any enhancements or revisions
thereto, including a comprehensive annual risk assessment, encompass residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities;
Action Plan
HNAH has an existing Enterprise Compliance Program (“ECP” or “Program”) in place
which has been adopted by HNAH's Board of Directors (the “Board") to demonstrate
the organization's commitment to comply with laws, regulations, and regulatory
requirements applicable to HNAH and its businesses and to ensure that HNAH
establishes an effective firm-wide compliance risk management process to prevent,
detect and address compliance issues. This Program has the full support of
executive management and the Board, who has the ultimate responsibility for HNAH's
compliance and have established such as a top priority throughout HNAH. This
Program has the fundamental elements which include a comprehensive annual risk
assessment of all HNAH lines of business, including activities such as residential
mortgage loan servicing, Loss Mitigation, and foreclosure.
The Program is designed in accordance with the Group Legal and Compliance
Functional Instructional Manual ("FIM”), Group minimum compliance standards as
outlined in the Group Standards Manual ("GSM") and the principles established by the
Federal Reserve in Supervision and Regulation Letter 08-8 ("SR08-8") dated October
16, 2008, and the Basel Committee on Banking Supervision's Compliance and the
compliance function in banks ("Basel Compliance Paper") dated April 2005.
To reinforce the importance of compliance within our organization, HNAH's Board of
Directors has overseen the development of this Program and compliance standards
and processes contained in the HSBC - North America Compliance Risk Management
Program Manual. HNAH Management reviewed the HNAH Compliance Risk
Management Program Manual and has confirmed that, in line with the design of the
ECP to include all HNAH lines of business, the scope includes residential mortgage
loan servicing, foreclosure, and Loss Mitigation. More specifically, Section 1.2 of the
manual states that the ECP applies to “HSBC North America Holdings, Inc. (“HNAH”)
and its subsidiaries, including all legal entities, business units, and support functions.”
Residential mortgage servicing, Loss Mitigation, and foreclosure activities are fully
covered through the scope of the existing ECP program.
Additionally, to more fully denote the responsibilities of the HSBC North America
Compliance Committee of the Board of Directors, the ECP was updated to include
requirements of the Consent Orders as outlined in the Action Plan for Article 2, 2(d),
and 2(l) of Board Oversight. Specifically, refer to the HSBC – North America
Compliance Risk Management Program Manual, pages 18-20, for a listing of the
Page 5
Privileged and Confidential
Restricted
responsibilities.
As to the effectiveness of the ECP, it should be noted that the ECP framework and
associated governance and controls were officially rolled out on January 31, 2011.
Group Audit recently performed a general Compliance audit and found that while the
Program was still maturing, the creation of the Compliance Committee oversight with
bi-weekly scheduled meetings and subsequent reporting to the Board, was indicative
of a high level of involvement and commitment to changing the culture and tone to
one of compliance is paramount. The Executive Management oversight and
governance structure were also assessed by Audit. The level of management
participation and membership in the Compliance Committee as well as the
governance and roles established through the Program again demonstrates
management's commitment to achieving the highest levels of compliance. The
actions taken by management to address governance and compliance risk within the
ECP demonstrate that this Program has been effective in facilitating change within the
HBIO and HBUS organizations.
Existing Processes / Programs:
ERM
HNAH’s enterprise-wide risk management (“ERM”) program provides risk
management with respect to the Bank’s and the Mortgage Servicing Companies’
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities,
particularly with respect to compliance with the Legal Requirements and supervisory
standards and guidance of the Board of Governors as they develop. The HNAH Risk
Management Framework was most recently reviewed and approved by the HNAH
Board Audit Committee in December 2010. The HNAH Risk Management Program
was enhanced throughout 2010 to meet the requirements of the Federal Reserve
Board Memorandum of Understanding (“MOU”) issued in 2009. A comprehensive risk
management plan was developed per the MOU requirements, and all elements of the
risk management plan have been implemented as of February 2011.
The Risk Management framework is an integral component of HNAH’s operating
environment. The HNAH Risk Management Framework provides for oversight of risk
by the HNAH Board through the HNAH Risk Management Committee. The HNAH
Risk Management Committee is a regional level risk committee that provides a forum
for risk managers, functional heads, and business unit heads to establish risk
appetite, assess risk, establish risk management policies and standards, discuss
emerging risk issues and agree upon appropriate actions, as necessary. The
Mortgage Servicing Companies and the Bank are covered by the HNAH Risk
Management Framework, which incorporates all risk categories, including operational,
compliance and legal risks. Operating principles of the HNAH Risk Management
Framework, include but are not limited to:
• Ensure all risks are appropriately identified, measured, managed, controlled and
reported;
• Develop, communicate & implement appropriate risk-related policies, procedures,
Page 6
Privileged and Confidential
Restricted
•
•
•
& processes in collaboration with business units, functional areas and Group;
Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate outsized risks;
Establish and promote a risk management culture that appropriately balances
risks and rewards;
Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly
The Risk Management framework brings together risk functions across North America
to ensure a consistent policy, process, and practice is applied across legal entities. An
overarching HNAH Risk Limits Framework, which is maintained by the North America
Risk organization in conjunction with internal business partners from Finance, Legal
and Compliance, and the business lines, provides for the identification,
communication, limitation, and management of all risks across HNAH, both for
discontinued and ongoing business lines.
As part of the ECP, the RMC provides strategic direction and oversight of various riskrelated functions, process, policies, initiatives and information systems across
HNAH and its subsidiaries. As part of their strategic direction, the RMC have
introduced enhancements to the risk assessment framework. HBIO and HBUS
adopted a Risk Control Assessment (“RCA”) methodology as of June 30, 2011. The
RCA is designed to:
x identify and assess material, operational, legal and reputational risks;
x identify and assess the effectiveness and monitoring of key controls that mitigate
these risks; and
x focus management attention on controls that need improvement.
The RCA process is designed to provide businesses with a forward looking view of
operational risk and to help them proactively determine whether their key operational
risks are controlled within acceptable levels. The RCA process enables the
assessment of both the typical and extreme exposure to operational risks and
considers the direct financial costs and the indirect impacts to the business including
customer service, reputational and regulatory impacts. The typical exposure to
operational risk events is the total loss that is expected to occur in the next 12 months
given the effectiveness of the control environment. The extreme events take into
account the inherent nature of risks within the business and the control environment,
but assume that one or more controls fail to operate as expected. Specific aims of the
process are to identify and assess material operational risks, identify and assess the
effectiveness of key controls that mitigate these risks, focus management attention
where controls are assessed as either “Needs Improvement” or “Ineffective”, and
identify what monitoring of key controls is being undertaken and thereby identify
necessary management actions. Where an appropriate level of control monitoring is
not currently in place an action plan must be raised to ensure that appropriate
monitoring is implemented on a timely basis. Action plans include interim solutions to
Page 7
Privileged and Confidential
Restricted
mitigate the risks and long term solutions to ensure sustainability. Action plans
developed specific to the
analysis follow the same methodology. Management
may rely on more than one control to mitigate risk and prioritizes action plans based
on the level of risk and other controls (interim and long term). The enhanced RCA
program also includes a revised methodology, operational risk management system,
and standard Key Risk Indicators (“KRIs”).
RCA workshops were conducted by the Business Control and Risk Management
team (“BRCM”- formerly known as ORM – Operations Risk Management) for the
foreclosure, loan servicing, and Loss Mitigation activities during the first quarter of
2011. RCA workshops continued for the remaining servicing and Loss Mitigation
areas and were completed by the end of the second quarter of 2011. The RCA
workshops included Senior Leadership, Business Managers, Compliance Managers,
and Operation Risk Managers. The RCA workshops identified and documented
material risks for the business, exposure to those material risks, as well as the
process for on-going Risk Management and Controls to mitigate identified risks. RCA
workshops are part of the overall risk framework within ECP to ensure that the
appropriate business risks are identified and documented and the appropriate controls
to mitigate operational risk are in place and re-evaluated on an on-going basis. See
Operational Risk and Internal Control CML HMC Servicing RCA Implementation 2011,
which provides an overview and findings of the RCA workshops. The workshops
were designed to identify material risks and mitigating controls for these risks.
Compliance
In addition, the HNAH Compliance organizational structure, as outlined below,
detailed in the “HSBC – North America Compliance Risk Management Program
Manual”, and illustrated in the “HNAH Corporate Compliance Organizational
Structure” section, see pages 26 and 65 of the Compliance Risk Management
Program Manual, is designed to ensure that Compliance staff have the requisite
authority and status to carry out their responsibilities:
• The Regional Compliance Officer (“RCO”) reports to the HNAH Compliance
Committee, the HSBC – North America Chief Risk Officer, the HNAH Chief
Executive Officer (“CEO”) and the Group General Manager and CEO of HSBC
Bank, N.A.
• The RCO also has an internal functional reporting line to the Head of Compliance
within the Group Management Office ("GMO") which provides oversight of the
HNAH Compliance Risk Management Program.
• The RCO is a member of the Group Compliance Executive Committee (“Group
Compliance EXCO”).
The RCO has direct access to the Chairmen of the Audit and Risk Committee and the
HNAH Compliance Committee. The HNAN Compliance Committee has been
delegated compliance related oversight responsibilities by the Board of Directors. On
a quarterly basis, the RCO will report on the status of compliance risk and the
compliance risk management framework to the HNAH Compliance Committee.
Page 8
Privileged and Confidential
Restricted
The RCO is a member of the HNAH Executive Compliance Committee (“EXCO”), the
HNAH Risk Management Committee (“RMC”) and the HNAH Operational Risk and
Control (“ORIC”) Group and participates in those scheduled committee meetings.
Meetings occur on a monthly basis. In addition, HNAH has formed a Compliance and
Risk Forum (“CaR Forum”) which is a chartered committee to facilitate the integration
of Compliance and Risk Management programs, and to help ensure the proper
identification, assessment, monitoring and reporting of risk in line with HNAH's risk
appetite. The formation of the CaR Forum was approved by the RCO and Regional
Chief Risk Officer. The first meeting was held on September 17, 2010. The forum
meets on a monthly basis.
The Compliance governance model is designed to ensure that the functional teams
and responsibility areas reporting into the RCO work effectively and efficiently
together to manage the Compliance Risk Management Program. Specifically, the
governance model is designed to ensure that:
• Regulatory, Group, and other stakeholder requirements applicable to Compliance
are identified and addressed;
• Enterprise-wide initiatives are coordinated;
• Communications across functional areas are timely and effective;
• Issues are escalated in a timely manner;
• Information is effectively and appropriately shared; and,
• Compliance risks are effectively assessed and emerging trends are identified
which may impact more than one business, legal entity or geography.
Central Services, a part of HNAH Compliance, maintains the HSBC – North America
Compliance Risk Management Program Manual (“Program”) and, as part of the policy
certification process, certifies annually that the Program Manual is complete and up to
date. The Program includes the framework, structure and processes for compliance
risk management across HNAH. It documents the compliance roles and
responsibilities of committees, individuals and functions throughout the organization,
including executive management and the Board of Directors. It also establishes the
standards and processes for managing compliance on a HNAH enterprise wide basis.
(See HSBC - North America Compliance Risk Management Program Manual in its
entirety. Refer to pages 9 and 10 for additional detail on the scope and objectives of
the HNAH Compliance Program.)
The HNAH Risk Management Committee (“RMC”) and the HNAH Compliance
Committee review and approve the Compliance Risk Management Program as
significant organizational or compliance program changes occur, but not less
frequently than annually.
Additionally, as indicated within the Compliance Risk Management Program Manual
(See section 5.3.2 on page 43), the Program contains requirements for an Enterprisewide Risk Assessment (“ERA”), a detailed Self-Assessment that covers the
regulations and risk statements applicable to the business along with Compliance
Page 9
Privileged and Confidential
Restricted
monitoring and testing performed by the TRAC team. What is reviewed and how
often the review occurs is determined based on a risk-based methodology that
incorporates inherent regulatory and business risk, as well as the results of prior
reviews and audits. The risk-based methodology is part of the overall RCA framework
outlined below. Business units, in consultation with Compliance Officers, are
responsible for conducting the Self Assessments using the Operational Risk
methodology. Through this process it was determined that due to the inherently
higher risk of the foreclosure process, the TRAC team would perform an in depth
Foreclosure review by year-end. Historically, the TRAC team’s Bankruptcy and
Collections review included all aspects, for example, affidavit preparation/execution,
of the foreclosure process. The scope of the last Bankruptcy and Collections review
excluded foreclosure testing due to the regulatory examination in progress at that
time. The on-going testing schedule for foreclosure activities will be on a more
frequent basis - annually.
For Servicing and Loss Mitigation activities which are deemed high risk such as State
Usury Refunding, Collections/Bankruptcy/Loss Mitigation and SCRA, TRAC reviews
will be completed annually. TRAC follows the Compliance Risk Mitigation Program
(See HSBC – North America Compliance Risk Mitigation Program pages 36 through
53) to determine both the frequency and scope of compliance reviews based on risk
grades assigned to laws and regulations by Compliance under the Compliance Risk
Management Program. (See HSBC - North America HNAH Compliance Enterprise
Wide Risk Assessment and Response to FRB Supervisory Letter - 1.31.11 pages 10
and 11). TRAC review activities generally take into consideration the planned
activities of other oversight groups (e.g. Group Audit) to avoid duplication. Although a
review of audit results from other oversight groups occur, because each function is
operating under a distinct charter and purpose, testing results are not utilized in a
cross-reliant manner, e.g. TRAC tests for compliance risk and Group Audit North
America tests for operational risk.
At a business level HNAH also utilizes a risk management tool,
to document
and ensure on-going compliance.
is a database that was implemented in 2005
to better organize legal requirements applicable to the business and the existing risk
statements with associated controls to ensure compliance.
is used to
maintain, record, and store all Compliance detail level risks and regulations identified
by business management in conjunction with the Compliance Officers.
houses
an inventory of regulatory requirements detailed as standardized risk statements that
are scored by the business in conjunction with Compliance Officers. The Operational
Risk methodology is used to score risks, assessing the Impact, Likelihood and
Exposure. Key risks (A, B and high inherent C) are also recorded in the
(“
”).
is a
management program that streamlines the processes for adding, modifying and
cancelling risks, and the associated task items, along with aligning the approval
levels, management reporting, and role expectations.
allows the user to toggle
between
and
to view the complete risk profile for any business.
Page 10
Privileged and Confidential
Restricted
allows for Controls to be entered against specific risks, thus documenting the
control environment. Controls are documented for all risks. Areas of risk in need of
attention, or additional controls, are identified and tracked through formal remediation
plans. Plans are required for all A, B, and high inherent C level risks (See HSBC –
North America HNAH Compliance Enterprise-Wide Risk Assessment Procedures,
pages 5 through 16, and HSBC – North America Compliance Risk Management
Program Manual pages 41 through 44 for an outline of the risk levels). All compliance
risks in
can be searched by business unit, by requirement/regulation/category,
or by risk statement number/title.
As of June 30, 2011, a
gap analysis was completed to ensure that risk
statements for all Legal Requirements that impacted foreclosure, Loss Mitigation, and
mortgage servicing are documented within
The objective of the gap analysis
was two-fold: (1) to identify missing risk statements and (2) to identify control gaps for
all applicable risk statements. Meetings were held with the business to walk through
all identified foreclosure, Loss Mitigation, and Mortgage Servicing processes to
confirm existing risk statements and controls, identify gaps, and address additional
risk statements and controls needed for a given process.
The gap analysis results were compiled into a final report as of July 22, 2011 (see
attached Regulations and Risk Statement Gap Analysis Results in its entirety). A
summary of the
gap analysis is also attached and was submitted to the FRB
on August 12, 2011 (see MEMORANDUM Detailed On Line Risk Assessment
(
The foregoing documents outline the Compliance Risk and Control
Assessment completed within
and contain the gap analysis results from that
assessment.
In addition to risk statements that were added to
by Compliance during the gap
analysis, the business has updated
with action plans to remediate any control
gaps and a timeline for implementing revised controls.
The Foreclosure, Loss Mitigation, and Mortgage Servicing business teams have
reviewed the control gaps identified in the
gap analysis report noted above and
have established remediation plans with associated completion dates for each control
gap as of August 12, 2011 (see the following documents in their entirety for additional
detail regarding the
gap analysis remediation plans: MEMORANDUM
(
Detail Compliance Risks With Controls & Actions
Page 11
Privileged and Confidential
Restricted
– Mtgbusadminandse, Detail Compliance Risks With Controls & Actions – CML, Detail
Compliance Risks with Actions – HMC, and Detail Compliance Risks with Actions CML).
The Detail Compliance Risks With Controls & Actions – Mtgbusadminandse and the
Detail Compliance Risks With Controls & Actions – CML documents detail the
established remediation plans with associated completion dates for each control gap
from the
gap analysis. The Detail Compliance Risks with Actions – HMC and
the Detail Compliance Risks with Actions – CML documents list the compliance risks
as well as the actions to be taken and target dates.
Compliance completed a Risk Assessment of the foreclosure process from the initial
breach letter through the foreclosure sale. This Risk Assessment included reviews of
primary source materials; reviews of business policies, procedures, and functional
manuals; and interviews of business staff involved in the foreclosure process. Risk
Assessment results were compiled and the report was completed as of August 11,
2011 (see attached Compliance Foreclosure - Risk Assessment 8.26.11 Management
Responses – “Compliance Risk Assessment”. See page 4 for the Management
Summary and pages 5 through 22 for risk assessment results). The Risk Assessment
results noted policy, procedure, reporting and other related gaps applicable to areas
of CML and HBUS Demand and State Specific Letters, SCRA, State Notary,
Affidavits, Bankruptcy, Loss Mitigation, and other related areas of foreclosure
processing. Remediation of many of the noted gaps within the Risk Assessment have
already been completed (e.g., notary and affidavit) as outlined in the Compliance Risk
Assessment. Additionally, as of August 26, 2011, Foreclosure management
completed an action plan to remediate all other gaps (e.g., bankruptcy) (see
Compliance Foreclosure Risk Assessment 8.26.11 management responses, pages 5
through 22). Additionally, as part of the quarterly Enterprise-wide Compliance Risk
Assessment, all businesses are required to certify as to the completeness and
accuracy of the Compliance Risk Assessment.
A similar Risk Assessment was completed for Mortgage Servicing as of September
12, 2011. Risk Assessment results were compiled and a final report was completed
as of September 26, 2011. Mortgage Servicing presented a response plan to
remediate noted gaps on October 10, 2011 (see Compliance Loan Servicing Risk
Assessment 10.10.11 Management Responses).
TRAC
The TRAC team will access the
database, as well as the Compliance
Detail Database (
database housing state-specific requirements), as part
of its annual Compliance monitoring and testing process for the foreclosure review
they will conduct. This foreclosure review began October 1, 2011, and will be
completed before year-end. As indicated in the responses to FRB questions
submitted on August 19, 2011, the TRAC program (as detailed in the HSBC - North
America Compliance Risk Mitigation Program Section 2.3.7 and Testing and Risk
Assessment Compliance Unit (TRAC) Procedures Manual Section H) requires annual
Page 12
Privileged and Confidential
Restricted
reviews of risks assessed as High. For risks assessed as Medium, testing is on a 24month cycle. Additionally, in conjunction with the implementation of the ERA, TRAC
reviews will be performed on emerging risks as identified through a quarterly
compliance risk certification process, or more frequently, where required. TRAC
began a review on October 1, 2011 which covers all applicable risks and controls.
Finally, TRAC Compliance has initiated a project to ensure that all controls identified
and documented through the risk assessment exercise are robust and include both
detective and preventative controls. Compliance is developing supplemental
guidance to the business about the nature of compliance risks and control
identification. The targeted completion date for the project is October 31, 2011. Once
completed, all controls will be catalogued and refreshed at least quarterly. As
new/emerging risks and controls are identified, they will be reviewed by TRAC on an
ongoing basis. The 2012 TRAC review plan will include all risks rated as High, as
well as inherently high Medium risks. Please reference the attached TRAC Mortgage
Testing Plan 2011 for additional information.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x HSBC - North America HNAH Compliance Enterprise Wide Risk Assessment
Procedures
x Response to FRB Supervisory Letter - 1.31.11
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below)
x HSBC – North America Compliance Risk Mitigation Program
Additional documents completed for re-submission of Action Plan
x Regulations and Risk Statement Gap Analysis Results
x MEMORANDUM
(
x Detail Compliance Risks With Controls & Actions – Mtgbusadminandse
x Detail Compliance Risks With Controls & Actions – CML
x Detail Compliance Risks with Actions – HMC
x Detail Compliance Risks with Actions – CML
x Compliance Risk Assessment Report Inventory and Attachments
x Compliance Foreclosure Risk Assessment 8.26.11 Management Responses
x Compliance Loan Servicing Risk Assessment 10.10.11 Management Responses
x TRAC Mortgage Testing Plan 2011
Page 13
Privileged and Confidential
Restricted
x Operational Risk and Internal Control CML HMC Servicing RCA Implementation
2011
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
x
SVP Default Services
Page 14
Privileged and Confidential
Restricted
Article 7(b)
FRB Order Reference:
Article 7(b)
Corresponding
N/A
OCC Article:
ensure compliance with the Legal Requirements and supervisory guidance of the
Board of Governors; and
Action Plan
HNAH has existing processes and programs noted below that ensure compliance with
Legal Requirements and supervisory guidance of the Board of Governors.
Existing Processes / Programs:
The Central Services Regulatory Monitoring and Assessment (“RMA”) team, an
existing HNAH Compliance function, manages the regulatory monitoring and change
management processes to facilitate compliance with Legal Requirements and Board
of Governors supervisory guidance applicable to residential mortgage servicing, Loss
Mitigation and foreclosure activities, as well as the activities of other business lines.
RMA holds weekly meetings with the business, Compliance Officers, Legal and
Government Relations to review pending and enacted legislation as it becomes
known. Year to date through September 23, 2011,
legislative alerts were
issued by this team. (See attached New Legislation Alert ID HB 331 as an example
and HSBC North America New Laws and Regulations Procedure – US). The HSBC
North America New Laws and Regulations Procedure – US provides guidelines for
monitoring and tracking regulatory changes and updating processes appropriately.
The attached New Legislation Alert ID HB 331 is an example of a legislative alert
intended to communicate a high-level summary of a law or regulatory change that may
affect one or more HNAH businesses.
As RMA is a compliance function, it is audited by Group Audit along with other
compliance functions. The RMA function was within the scope of the most recent
audit of Compliance in March 2011 (report date). The scope of the audit included
RMA efforts with respect to practices of all business lines that the RMA function
supports, including residential mortgage loan servicing, Loss Mitigation, and
foreclosure practices. Included in the audit scope was verification of the following:
x Legal and Compliance are responsible for identifying and monitoring new
legislation and or changes in current legislation/regulatory requirements
affecting HNAH businesses.
x Compliance reviews pending and enacted legislation to determine impact and
applicability to HNAH businesses, collaborating with Legal and business
partners as needed.
x Compliance communicates/escalates requirements of new and/or modified
regulation to appropriate business stakeholders and ensures implementation is
completed.
x Impact Analysis is prepared by the RMA group for all new/updated laws and
Page 15
Privileged and Confidential
Restricted
regulations. The impact analysis is collaboration between RMA, the Local
Compliance Officer, and the business unit. The impact analysis is reviewed
and approved by key business stakeholders.
The findings of the report indicated that the above processes were satisfactory. In
addition, Audit selected a sample of 2010 Federal and State new/pending/proposed
legislation and regulations. The sample scope included five that were applicable to
HBIO only. The sample was evaluated to ensure the established timeline for
implementation was followed, including completion of impact analysis, communication
to business units and confirmation that processes/systems have been updated to
ensure compliance (See GENERAL COMPLIANCE AUDIT AND 2010 ANNUAL
COMPLIANCE RISK AND CONTROL ASSESSMENT for the detailed audit report).
As with other business lines RMA supports, specific roles and responsibilities of RMA
with respect to the Residential Mortgage Servicing departments include but are not
limited to:
x monitoring and tracking new and changed laws, regulations, and regulatory
guidance, and tracking legislative, judicial, and regulatory developments, to
identify potential emerging compliance risks; (See New Legislation Alert – Idaho
HB 331 as an example)
x completing impact analyses for new or changed regulatory requirements; and (See
Impact Analysis_ID HB 331 as an example)
x creating and distributing legislative alerts to appropriate Residential Mortgage
Servicing departments for action
The impacted Residential Mortgage Servicing departments will then work with the
Law Change Working Group (“LCWG”) and Compliance Officers, and Legal (as
appropriate), to update the policies, procedures and processes, and ensure
implementation prior to the effective date of the new or changed requirement. The
RMA and LCWG procedures are attached for reference (See Law Change Process
and Implementation and Law Implementation Procedure ALL in their entirety).
The Operational Quality and Process Assurance (“OQPA”)group ensures the
documented policies, procedures and processes are accurate and aligned with the
Legal Requirements and Board of Governors supervisory guidance as well as
business practices (See HSBC – North America Compliance Risk Management
Program Manual Section 3: Compliance Program Governance and Organization,
pages 22 through 26).
The
Database is a Compliance
repository of risk statements
along with state-specific requirements that fall within the risk statements, as identified
by business line compliance, based on regulatory requirements. As law changes
occur, new risk statements are added to the state-specific information housed within
the
Database. An internal procedure was completed and published on
August 24, 2011, which outlines how the database will be updated and the approval
process that must be adhered to. (see attached
Database –
Maintenance and Approval Procedure ALL).
Page 16
Privileged and Confidential
Restricted
In addition to the processes noted above, HNAH has in place the Service Delivery
Control Adherence (formerly known as NAQA) (“SDCA”) program which is managed
separately from the business lines, reporting to a central Corporate Quality Utility.
SDCA provides an independent, objective and on-going assessment to senior
management of operational adherence to policies, procedures, and Group standards,
as well as of the effectiveness of the first line of defense internal control framework for
HNAH business operations.
Once new laws are identified and implemented pursuant to the processes noted
above, the SDCA unit monitors the bi-monthly report distributed by the LCWG
manager to gather information regarding which law changes are ready for review.
Within 60-90 days post implementation, the SDCA unit schedules the law change for
review.
After the SDCA unit performs a post-implementation review (See Law Implementation
Procedures ALL):
x The SDCA Manager presents the post-implementation review results to
LCWG:
x If all items are not implemented as prescribed, SDCA presents the
necessary remediation to LCWG.
x If all items are implemented as prescribed, the implementation is
complete. The LCWG Manager posts the following in a shared site
within Lotus Notes
x Law Memo/Impact Analysis (SDCA uses this document as means to
complete a 90-day post-implementation review)
x Post-Implementation Review Report (if issues are found within the
analysis, SDCA will issue this report)
Additionally, Group Audit North America serves as a third line of defense for business
operations, assessing whether the primary controls are adequate to address relevant
risks and whether the secondary controls are operating effectively. The above two
functions (SDCA and Audit) also provide review of business processes to ensure
compliance with Legal Requirements and supervisory guidance.
TRAC also conducts on-going testing for compliance with the Legal Requirements
and supervisory guidance that is independent from business line compliance.
The processes and documentation associated with the RMA, LCWG, and OQPA
groups noted above ensure compliance with the Legal Requirements and supervisory
guidance of the Board of Governors as directed by the Order. Additionally, the
appropriate Compliance SVPs have reviewed the existing procedures to ensure they
meet the requirements of the Order.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
Page 17
Privileged and Confidential
Restricted
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below)
x HSBC North America New Laws and Regulations Procedure - US
x Law Change Process and Implementation
x New Legislation Alert – Idaho HB 331
x IMPACT ANALYSIS for Idaho HB 331
x GENERAL COMPLIANCE AUDIT AND 2010 ANNUAL COMPLIANCE RISK AND
CONTROL ASSESSMENT
x Law Implementation Procedure ALL
Additional documents completed for re-submission of Action Plan
x
Database – Maintenance and Approval Procedure ALL
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Regulatory Monitoring and Assessment
x
, SVP General Compliance
x
, SVP Deputy General Counsel, CML
x
SVP Default Services
Page 18
Privileged and Confidential
Restricted
Articles 7(c) & 8(l)
FRB Order Reference:
Article 7(c)
Corresponding
IV.1.k
OCC Article:
ensure that policies, procedures, and processes are updated on an ongoing basis as
necessary to incorporate new or changes to the Legal Requirements and supervisory
guidance of the Board of Governors.
FRB Order Reference:
Article 8(l)
Corresponding
IV.1.k
OCC Article:
Measures to ensure that policies, procedures, and processes are updated on an
ongoing basis as necessary to incorporate new or changes to Legal Requirements
and supervisory guidance of the Board of Governors.
Action Plan
HNAH has processes in place to ensure policies, procedures, and processes are
updated on an on-going basis to incorporate new or changes to Legal Requirements
and supervisory guidance of the Board of Governors. In addition, HNAH has
implemented a Good Governance Initiative (discussed further below) to provide an
additional level of review.
Existing Processes / Programs:
Management has a process in place to identify, communicate and implement changes
to Legal Requirements and supervisory guidance into its business practices. The
RMA group manages the regulatory monitoring and change management process in
order to facilitate compliance with the applicable Legal Requirements and Board of
Governors supervisory guidance (See HSBC North America New Laws and
Regulations Procedure – US). This procedure provides guidelines for monitoring and
tracking regulatory changes and updating processes appropriately.
In its efforts to identify and communicate changes in applicable laws, rules, and
regulations, the RMA group performs the following activities (among others):
x Monitors and tracks new and changed laws, regulations, and regulatory guidance;
x Tracks legislative, judicial, and regulatory developments, to identify potential
emerging compliance risks;
o Various sources for monitoring are utilized including, but not limited to:
the Federal Register; regulatory agency websites (e.g., OCC, FRB,
FDIC); trade associations; monitoring services; and various law firm
websites
x Completes business impact analysis for new or changed regulatory requirements;
and;
x Communicates new legislative alerts to appropriate Residential Mortgage
Servicing departments for action
The RMA group collaborates with Legal and Compliance to determine the applicability
Page 19
Privileged and Confidential
Restricted
of the legislation, rule or regulation and the business areas impacted. If it is
determined that there is an impact to a business area, the RMA group outlines the
detailed requirements in an Impact Assessment document, which it then forwards to
Legal for review. The RMA group and Compliance, together with the impacted
business area, determine the impact to the business. The RMA then publishes an
executive summary, which is called the New Legislation Alert (which includes the
Impact Assessment), and distributes it to the impacted business areas. The impacted
business areas work with the LCWG, Compliance Officers, and Legal (as
appropriate), to update the policies, procedures and processes, and ensure
implementation by the effective date of the law change. The detailed RMA and
LCWG procedures are attached for reference (See Law Change Process and
Implementation and Law Implementation Procedure ALL in their entirety).
The Operational Quality and Process Assurance (“OQPA”) Team, a part of the BRCM
Team, reviews updated policies, procedures, processes, and training materials for
accuracy and alignment with the Legal Requirements and supervisory guidance as
well as business practices. Within 90 days of implementation, the SDCA group
conducts an independent review of the impacted business units’ processes for
adherence.
Residential Mortgage Servicing and business owners are required to annually certify
the accuracy and completeness of the policies, procedures, and processes, including
updates or revisions based on changes to Legal Requirements or supervisory
guidance. Revisions or updates to policies and procedures may occur on a more
frequent basis as dictated by changes in Legal Requirements or supervisory
guidance. To document that the certification process has occurred, each policy or
procedure is submitted through a change control process. A Change Control Request
Form (“CCR”) is submitted to the appropriate business owners, with the document(s)
attached that requires certification. The CCR form systemically tracks to ensure all
required approvals have been obtained. Annually, each business process owner will
certify that the policies and procedures applicable to their area of responsibility are
accurate. This annual certification will be maintained by the OQPA group. In addition,
all policies and procedures are expected to be certified as part of the Good
Governance Initiative by the end of the fourth quarter of 2011.
Residential Mortgage Servicing is subject to many Legal Requirements that vary by
state and at times at a local level, and therefore has adopted more than 100 policies
and over 3,000 procedures that address these variations. Management is committed
to revising and updating procedures as appropriate. To that end, Residential
Mortgage Servicing began reviewing its foreclosure procedures prior to the
commencement of the supervisory foreclosure practices review, and it continues to
make updates as new or changed Legal Requirements and supervisory guidance are
released. Initial procedures reviewed were notary and affidavit procedures which
identified necessary enhancements including the procedural requirement that all
signers execute the affidavit in the presence of the notary following administration of
an oath. The affidavit procedure enhancements identified included the expansion of
Page 20
Privileged and Confidential
Restricted
general affidavit procedures for all applicable states, as existing procedures were in
place only for certain states. Additional policies and procedures specific to Loss
Mitigation related activities and key processes within Residential Mortgage Servicing
such as Adverse Action Suspended Letter Procedure CML and Optional Insurance
Procedure MC are expected to be updated in accordance with the timeline outlined in
the Good Governance Initiative (See “Enhancement to Processes/Programs” section
below for additional information regarding the Good Governance program and the
attached Good Governance – Project Overview for details regarding the Good
Governance Process and Scope).
The processes performed by the RMA, LCWG, and OQPA groups described above
ensure that policies, procedures, and processes incorporate new or changes to Legal
Requirements and supervisory guidance of the Board of Governors as directed by the
Order. Additionally, Compliance SVPs have reviewed existing policies, procedures,
and processes to ensure they meet the requirements of the Order.
Enhancement to Processes / Programs:
To ensure that HNAH has fully documented policies and procedures and that all
employees understand and consistently follow them, HNAH has established the Good
Governance Initiative. Its objective is to ensure that there are proper procedures in
place within HNAH for all applicable business and operational processes, and that
these procedures are clear, concise, thorough, and accurate. Currently, HNAH is
completing the following:
x Reviewing procedures for accuracy
x Conducting a root cause / trend analysis of past procedural breaches
x Implementing improvements pertaining to areas of concern beyond the actual
procedures such as accessibility of procedures, appropriate controls and
oversight, training, etc.
HNAH is following a five step process for review of procedures, and identifying and
addressing any gaps. There is a standard template that guides the five steps of
project implementation.
x Develop Procedures and Process Inventory
x Develop Breaches Inventory
x Conduct Gap Analysis
x Define Recommendations
x Implement Recommendations
The attached “Good Governance Project US HNAH” document, which provides
additional details regarding project background, objectives, approach, governance,
and specifications, was provided as part of the answers to the FRB question
submitted on August 19, 2011. All policies and procedures are expected to be
certified as part of the Good Governance Initiative by the end of the fourth quarter of
2011.
Page 21
Privileged and Confidential
Restricted
Additionally, an annual review of policies and procedures is required and there is a
change control process in place that requires updates to policies and procedures be
reviewed in advance of operational changes by delegated senior leaders and
Compliance. In 2011, HNAH launched an initiative to reorganize procedures on
(“
and is in the process
of improving reporting. The enhancements to
were completed in July 2011.
HNAH has also committed to develop 18 functional courses which include the review
of policies and procedures and an assessment to ensure staff members are
appropriately trained and educated on key operational practices.
Please reference the attached files for examples of procedures that are housed in
x
x
x
Foreclosure Initiation Procedure CML – outlines the process on how the
Foreclosure Department initiates approved foreclosures (new referrals) on
accounts.
Short Sale and DIL Referral Procedure CML – outlines the steps for referring
an account to the Short Sale, Deed-in-Lieu of Foreclosure or Proactive
Departments.
Incoming Mail and Imaging Procedure CML – outlines how the Modification
Support Department processes incoming mail and how documentation is
prepared for the Document Image Capture Center.
The attached documents provide a list of procedures that were updated for each
respective topic:
x Consent Order_Certification_SCRA.9.7.11
x Consent Order_Certification_Notary.9.7.11
x Consent Order_Certification_Loss Mitigation.9.7.11
x Consent Order_Certification_Foreclosure.9.7.11
x Consent Order_Certification_SPOC.9.7.11
x Consent Order_Certification_Collateral Management.9.7.11
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below)
x Law Change Process and Implementation
x HSBC North America New Laws and Regulations Procedure – US
x Policy Creation and Revision Procedure ALL
x Good Governance – Project Overview
Additional documents completed for re-submission of Action Plan
x
Foreclosure Initiation Procedure CML
x Short Sale and DIL Referral Procedure CML
x Incoming Mail and Imaging Procedure CML
x Consent Order_Certification_SCRA.9.7.11
Page 22
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
Consent Order_Certification_Notary.9.7.11
Consent Order_Certification_Loss Mitigation.9.7.11
Consent Order_Certification_Foreclosure.9.7.11
Consent Order_Certification_SPOC.9.7.11
Consent Order_Certification_Collateral Management.9.7.11
Good Governance Project US HNAH
HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Regulatory Monitoring and Assessment
x
, SVP General Compliance
x
, SVP Deputy General Counsel, CML
x
SVP Default Services
Page 23
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Article 8 Mortgage Servicing Compliance
Final Pending Approval from the Compliance Committee
October 20, 2011
Privileged and Confidential
Restricted
Article 8
FRB Order Reference:
Article 8
Corresponding
IV.1
OCC Article:
Within 60 days of this Order, HBIO shall submit to the Reserve Bank an acceptable
compliance program and timeline for implementation to ensure that the operations of
the Mortgage Servicing Companies, including, but not limited to, residential mortgage
loan servicing, Loss Mitigation, and foreclosure, comply with the Legal Requirements,
as well as the Mortgage Servicing Companies’ internal policies, procedures, and
processes and are conducted in a safe and sound manner. The program shall, at a
minimum, address, consider, and include:
Action Plan
HBIO’s and HBUS’ Compliance Program centers around the requirement that
residential mortgage loan servicing and foreclosure operations, including Loss
Mitigation practices, comply with all applicable Legal Requirements, supervisory
guidance of the Board of Governors, and the requirements of this Order. Also, all
such operations must be conducted in a safe and sound manner and in accordance
with internal policies, procedures and processes. As further detailed below, HBIO and
HBUS have existing policies and procedures which meet many requirements
contained in Article 8, sections (a) through (m). HBIO and HBUS are taking steps to
enhance their policies, procedures, and processes to address any gaps where the
requirements outlined in Article 8, sections (a) through (m) are not fully addressed.
HBIO and HBUS have been revising policies and procedures since the last quarter of
2010 prior to the start of the horizontal review. Below are examples of procedures
that have been updated:
x Foreclosure Collateral Retrieval Procedure HBUS – last revised August 24, 2011
(prior version June 10, 2011)
x Pre-foreclosure Note Validation User Manual HBUS – last revised August 31,
2011 (prior version June 10, 2011)
x Payment Reversal Policy ALL – last revised September 7, 2011 (prior version
April 8, 2010)
x Late Charge (fee) Matrix Procedure CML – October 10, 2011 (prior version
October 11, 2010)
x Chapter 11, 12, and 13 Bankruptcy Policy ALL – last revised August 23, 2010
(prior version February 4, 2010)
In addition, pursuant to the Good Governance Initiative, there will be more updates to
policies and procedures. The objective of the Good Governance Initiative is to ensure
that there are proper procedures in place within HNAH for all applicable business and
operational processes, and that these procedures are clear, concise, thorough, and
accurate. The Good Governance Initiative will be completed in the fourth quarter of
2011.
Page 2
Privileged and Confidential
Restricted
HBIO’s and HBUS’ existing Compliance Program, along with enhancements thereto,
demonstrates HBIO’s and HBUS’ commitment to ensure mortgage loan servicing,
Loss Mitigation, and foreclosure activities are performed in compliance with Legal
Requirements, supervisory guidance and internal policies and procedures, and are
conducted in a safe and sound manner.
Below is a summary of existing processes that address requirements of the Order and
areas requiring enhancement. These process and enhancements are further detailed
below in our Action Plan responses to Articles 8(a) through (m):
Existing Processes
Required Enhancements
• The HSBC – North America
Compliance Risk Management
Program Manual and Legal Entity,
and Business Unit Compliance
policies state and serve as a means
for communicating the roles, duties,
responsibilities of HBIO and HBUS,
as well as Third Parties related to
Compliance (noted in Articles 8(a)
and 8(b))
• HBIO and HBUS are enhancing
bankruptcy processes based on a
review performed by outside counsel.
Bankruptcy procedures, processes,
and training materials for document
review, execution and notarization
and note ownership in connection
with bankruptcy proceedings were in
scope for the review (noted in Articles
8(e).iii and 8(e).iv)
• HBIO and HBUS have
processes/programs in place which
ensure the ability to locate and
secure all documents, including
original promissory notes (noted in
Article 8(c))
• HBIO and HBUS are reviewing their
existing processes and will
strengthen preventive and detection
controls as applicable to ensure all
assessment of fees, expenses, and
other charges are in accordance with
the applicable Legal Requirements
(noted in Article 8(h))
• HBIO and HBUS have taken steps to
improve the quality review process to
ensure the accuracy and
completeness of all factual assertions
made in pleadings, declarations, and
affidavits (noted in Article 8(e).i)
• HBIO and HBUS have policies and
procedures in place that address
crediting payments in a prompt and
timely manner and correct the
misapplication of borrower funds
(noted in Article 8(f))
• HBIO and HBUS engaged outside
counsel to review existing and
Page 3
Privileged and Confidential
Restricted
develop new standard affidavit and
declaration forms for use in each
state and, where required, by local
practice of individual counties (noted
in Article 8(e).i), except the District of
Columbia
Documents to be submitted with the Action Plan
x Refer to Actions Plans for Article 8, sections (a) through (m)
x Foreclosure Collateral Retrieval Procedure HBUS – last revised August 24, 2011
(prior version June 10, 2011)
x Pre-foreclosure Note Validation User Manual HBUS – last revised August 31, 2011
(prior version June 10, 2011)
x Payment Reversal Policy ALL – last revised September 7, 2011 (prior version
April 8, 2010)
x Late Charge (fee) Matrix Procedure CML – October 10, 2011 (prior version
October 11, 2010)
x Chapter 11, 12, and 13 Bankruptcy Policy ALL – last revised August 23, 2010
(prior version February 4, 2010)
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
EVP/Chief Auditor, HBIO
x
, SVP Service Delivery Control Adherence
Page 4
Privileged and Confidential
Restricted
Article 8(a)
FRB Order Reference:
Article 8(a)
Corresponding
N/A
OCC Article:
The duties and responsibilities of line of business staff, other staff, and Third-Party
Providers regarding compliance;
Action Plan
HBIO and HBUS have existing programs, as described below, which address the
duties and responsibilities of line of business staff, other staff, and Third-Party
Providers regarding compliance.
Existing Processes / Programs:
The attached HSBC – North America Compliance Risk Management Program Manual
describes the duties and responsibilities of line of business staff and other staff
regarding compliance with applicable state and federal laws and regulations (See
pages 36 and 37). For example, HBIO and HBUS staff are required to:
x follow the HSBC – North America Compliance Risk Management Program Manual
and the related HBIO and HBUS compliance policies and procedures;
x be knowledgeable of, and compliant with, regulatory and compliance requirements
that are specifically related to their positions;
x understand and manage operational risks affecting their areas of responsibility,
including by maintaining adequate internal controls;
x ask questions or express concerns if their compliance role or responsibility is not
understood;
x successfully complete the annual required compliance training;
x report matters that may involve possible compliance breaches or violations to their
supervisors and HNAH Compliance on a timely basis; and
x refrain from participating in any activity that may be perceived as dishonest or
unethical or that violates the HNAH Statement of Business Principles and Code of
Ethics.
In addition, HSBC Group has a Compliance Disclosure Telephone Line which is
designed to allow employees to make disclosures of compliance matters when the
normal channels for airing grievances or concerns are unavailable or inappropriate.
As an example, breaches of legal and regulatory requirements by any Group
company, including the committal of a criminal offence, a miscarriage of justice or a
failure to comply with a legal obligation can be reported through the Compliance
Disclosure Telephone Line (Refer to Integrity Compliance Hotline Screen Shots for
additional detail).
As detailed in the Action Plan Response to Article 6(a), HNAH has specific policies in
place to address the responsibilities of Third Parties such as the Group Operations
Functional Instruction Manual (“FIM”) for Vendor Risk Management (See B.2.15
Page 5
Privileged and Confidential
Restricted
Vendor Risk Management), the HSBC - North America Vendor Risk Management
Policy (Version 1.1, March 2011), and HSBC – North America Vendor Risk
Management Procedures (Version 2.2 April 2011).
Additionally, HBIO and HBUS have established the HSBC Best Practices document
(See HSBC Best Practices for Outside Foreclosure, Eviction and Bankruptcy Law
Firms ) which contains guidelines that establish HBIO and HBUS expectations to
ensure compliance with Legal Requirements, including the proper review, execution
and notarization of complaints, affidavits and other documents, as well as information
security requirements. The HSBC Best Practices document is distributed to each of
its external Law Firms for review and reference (as used herein, collectively “Law
Firms” or “Firms” are defined as law firms and trustees directly engaged by mortgage
servicing personnel that provide foreclosure and bankruptcy related legal services to
HBIO and HBUS Mortgage Servicing personnel in accordance with applicable
foreclosure, eviction, or bankruptcy laws, rules, and regulations). The Best Practices
will be sent to Law Firms periodically, typically on an annual basis.
The HSBC – North America Compliance Risk Management Program Manual, the
North America Vendor Risk Management Policy, the North America Vendor Risk
Management Procedures, and the HSBC Best Practices document described above
are designed to ensure the duties and responsibilities of line of business staff, other
staff, and Third-Party Providers regarding compliance are well defined. Additionally,
Residential Mortgage Servicing, Vendor Management, Compliance and Legal
Management have reviewed these documents and believe the procedures and
processes contained therein meet this requirement of the Order.
As more fully described in Article 6(a), the Third Party Operational Risk Management
Group (“TPORMG”) developed the Third Party Operational Risk Management
Procedures (the “TPORMG Procedure”) to ensure consistent adherence to the VRM
Policy and Procedures and provide additional oversight for Mortgage Servicing Third
Party Providers (See Section 1 of the Mortgage Servicing Third Party Operational
Risk Management Procedures). HSBC Legal developed the HSBC Mortgage
Servicing Legal Department Law Firm Management Procedures and HSBC Mortgage
Servicing Law Firm Management User Manual, (together the “Law Firm Management
Procedures”) pursuant to which Legal manages the evaluation and monitoring of Law
Firms in collaboration with TPORMG, Information Security, Compliance, Operations
and VRM. The Law Firm Management Procedures describe the scope of Law Firm
legal reviews for new and existing Firms and the frequency for ongoing Law Firm legal
reviews.
In addition to the procedures noted above, HBIO and HBUS developed a standard
Master Services Agreement (“Law Firm MSA”) specifically for use with external Law
Firms. The Law Firm MSA was developed by HSBC Legal in collaboration with
various business and functional departments including TPORMG, Vendor Risk
Management, Foreclosure, Bankruptcy and REO. The Law Firm MSA requires that
each external Law Firm perform in compliance with applicable laws and judicial
requirements, as well as HBIO and HBUS policies and procedures, as applicable, well
Page 6
Privileged and Confidential
Restricted
as, and that such policies and procedures are fully understood by all Law Firm
personnel involved with HBIO and HBUS matters (See Master Services Agreement
(Legal Services) and in particular, the Law Firm’s Covenants and Obligations section,
pages 11 through 15, for an example of what is included in the Law Firm MSA). The
Law Firm MSA was distributed for execution to active foreclosure Law Firms in
September 2011.
TPORMG has responsibility for monitoring a Firms compliance with the requirements
contained in the Law Firm MSA. TPORMG monitors Firm compliance through a
variety of means. For example, TPORMG leverages HSBC Legal to conduct Firm
reviews designed to among other things assess Firm compliance with Legal
Requirements. The scope and frequency of these Firm reviews is described in the
HSBC Mortgage Servicing Legal Department Law Firm Management Procedures (see
section 5.3). TPORMG will also oversee and ensure that Firms are monitored for
compliance with quality, reputational, operational, and other risks consistent with
HBIO’s and HBUS’ policies, procedures, and practices, and the Vendor Risk
Management Program, as well as the terms and conditions of the Law Firm MSA.
TPORMG has developed scorecards designed to track and assess Firm performance
against service level and performance requirements contained in the Law Firm MSA.
The scorecard results, as well as the Firm’s adherence to Law Firm MSA performance
and service level requirements will be presented to the Mortgage Servicing
Operations Third Party Provider Governance Committee (Third Party Governance
Committee) described in Article 6(a).
The performance of all Third Party Providers including Law Firms will be measured
against defined service levels, performance levels, and contract terms. TPORMG has
developed the TPORMG
Database (the “TPORMG Database”) to facilitate
and strengthen the monitoring and oversight of Third Party Providers; including the
storage of performance data of Third Party Providers (see section 1.5 of the Mortgage
Servicing Third Party Operational Risk Management Procedures). For legacy
relationships and Laws Firms, through December 2011, HBIO and HBUS will be
conducting a gap analysis of defined service and performance levels against existing
reporting to ensure HBIO and HBUS can appropriately and effectively measure Third
Party performance and results and where applicable will develop new or enhanced
reporting. The defined service levels will be maintained centrally in the TPORMG
Database. TPORMG will review the applicable performance reporting and update
results in the Database. Scorecards and Dashboard reporting will be generated for
review in the monthly Third Party Governance Committee. Prior to year end, it is
anticipated service and performance level data on all Law Firms and legacy Third
Party relationships will be loaded to the Database which will allow for consistent
reporting and oversight of Mortgage Servicing Third Party Providers. In addition to
performance and service level standards other critical information such as the status
of due diligence, audit, risk assessments and remediation timelines will be stored in,
and reported from the TPORMG Database. This collective information including the
trending of customer complaints regarding Third Party Providers will be reviewed and
discussed in the Third Party Governance Committee (See Mortgage Servicing
Page 7
Privileged and Confidential
Restricted
Operations Third Party Provider Governance Charter in its entirety). Material and/or
significant issues or exceptions regarding Third Party Providers, including Law Firms,
are reviewed in this oversight committee. Based on information reported from the
TPORMG Database decisions regarding Law Firms, including whether to continue to
do business with the Law Firm, or the reduction of new referrals, removal of existing
files, and or termination will be made by this oversight committee.
The TPORMG Procedures, Law Firm Management Procedures, Best Practices, Law
Firm MSA, and TPORMG Database are some of the tools developed by HBIO and
HBUS to monitor and manage Third Party Providers with particular emphasis on the
monitoring of Law Firms, to ensure that Third Party Providers comply with applicable
law and judicial requirements and HBIO and HBUS policies and procedures.
The TPORMG is a control function embedded in Residential Mortgage Servicing
Operations as a first line of defense to monitor Third Party Provider operational risk.
The monitoring results will be reviewed and discussed during a monthly meeting with
the Third Party Governance Committee. In addition to the Governance Committee,
TPORMG is subject to review by HNAH Vendor Risk Management and Group Audit
North America.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below, last revised September 2011)
x HSBC – North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x B.2.15 Vendor Risk Management
x DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see revised
MASTER SERVICES AGREEMENT (LEGAL SERVICES) below)
x HSBC BEST PRACTICES FOR ITS OUTSIDE FORECLOSURE FIRMS (see
revised HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION
AND BANKRUPTCY LAW FIRMS below)
Page 8
Privileged and Confidential
Restricted
Additional documents completed for re-submission of Action Plan
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION AND
BANKRUPTCY LAW FIRMS
x Mortgage Servicing Operations Third Party Provider Governance Charter
x Mortgage Servicing Third Party Operational Risk Management Procedures
x HSBC Mortgage Servicing Legal Department Law Firm Management
PROCEDURES
x HSBC Mortgage Servicing Law Firm Management User Manual
x HSBC – North America Compliance Risk Management Program Manual
x Integrity Compliance Hotline Screen Shots
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
x
, EVP Chief of Staff HTSN and NA Head of Procurement
Page 9
Privileged and Confidential
Restricted
Article 8(b)
FRB Order Reference:
Article 8(b)
Corresponding
N/A
OCC Article:
policies for developing and communicating compliance-related roles and
responsibilities across the Mortgage Servicing Companies’ organization and to ThirdParty Providers;
Action Plan
HBIO and HBUS have existing programs in place for developing and communicating
compliance-related roles and responsibilities across HBIO and HBUS and to ThirdParty Providers. Management believes the existing programs, described below, meet
the requirements of the Order.
Existing Processes / Programs:
The Compliance Risk Management Program includes a process for the
communication of compliance roles and responsibilities across the organization by
publishing policies on the HNAH and HSBC Group intranet.
HSBC – North America Compliance Risk Management Program Manual section 3.3,
provides detail regarding the HNAH Compliance Governance Roles and
Responsibilities. HSBC – North America Compliance Risk Management Program
Manual section 3.5.6 (page 33) states that business line management must serve as
a first line of defense and establish effective compliance programs and build
compliance policies, procedures and controls into their business delivery and
operations functions. Individuals within the business units who own the relationships
with the Third-Party Providers are responsible for ongoing monitoring of the ThirdParty Providers’ performance against Service Level Agreements (SLA) and contract
terms, which include compliance with Legal Requirements, supervisory guidance and
HBIO’s and HBUS’ policies and procedures. The attached "Third Party Operational
Risk Management Department Instruction Book (“DIB”)" provides an overview of the
roles and responsibilities of the TPORMG and business line management and
provides the policies and procedures that govern management of Third Party
Providers. Compliance related roles and responsibilities are also communicated to
employees via the following methods:
x Employees are hired into a job that is described by a job code description. This
ensures that when employees begin working, they have a broad overview of their
duties & responsibilities. TPORMG is in the process of creating new job
descriptions that will specifically detail employee roles and responsibilities. These
job descriptions are targeted for completion by October 31, 2011
x Employees receive training (both formal Compliance courses as well as functional
on-the-Job training) that helps them understand how to execute against their
duties and responsibilities
x Managers hold team meetings with their employees to review duties and
Page 10
Privileged and Confidential
Restricted
x
x
x
x
responsibilities
Employees receive direct feedback from their manager on the performance
through individual coaching sessions on their performance of their duties and
responsibilities
Employees receive direct feedback on their production for any quality control
errors
Employees also have access to all relevant policies and procedures for their work
functions on
(
residing
on the intranet
If employees have questions about their duties and responsibilities, they are in
close proximity to or can access their manager via telephone for additional
clarification
As more fully described in Article 6(a), the Third Party Operational Risk Management
Group (“TPORMG”) developed the Third Party Operational Risk Management
Procedures (the “TPORMG Procedure”) to ensure consistent adherence to the VRM
Policy and Procedures and provide additional oversight for Mortgage Servicing Third
Party Providers (See Section 1 of the Mortgage Servicing Third Party Operational
Risk Management Procedures). HSBC Legal developed the HSBC Mortgage
Servicing Legal Department Law Firm Management Procedures and HSBC Mortgage
Servicing Law Firm Management User Manual (together, the “Law Firm Management
Procedures”) pursuant to which Legal manages the evaluation and monitoring of Law
Firms in collaboration with TPORMG, Information Security, Compliance, Operations
and VRM. The Law Firm Management Procedures describe the scope of Law Firm
legal reviews for new and existing Firms and the frequency for ongoing Law Firm legal
reviews.
Compliance related roles and responsibilities are communicated across the
Residential Mortgage Servicing operations staff via the mechanisms listed above.
The general job descriptions and corporate level training (both web-based and inperson) provide communication of major compliance related requirements. For
example, the entire organization receives annual training on Anti-Money Laundering
requirements. In addition, managers communicate more granular requirements (and
changes to these requirements) during their team or individual meetings. If a
compliance related error occurs (either during customer discussions or account
processing), and the error is captured by the QC review functions (e.g., SDCA), that
direct feedback is given to the employee. Compliance related roles and
responsibilities are communicated via the intranet, job descriptions, web-based
training, in-person training, team meetings, individual meetings, and performance
reviews.
Residential Mortgage Servicing and business owners are required to annually certify
the accuracy and completeness of the policies, procedures, and processes, including
updates or revisions based on changes to Legal Requirements or supervisory
guidance. Management has a comprehensive process in place to identify,
communicate and implement changes to Legal Requirements and supervisory
Page 11
Privileged and Confidential
Restricted
guidance into its business practices. The Regulatory Monitoring & Assessment
(RMA) group manages the regulatory monitoring and change management process in
order to facilitate compliance with the applicable Legal Requirements and Board of
Governors supervisory guidance (See HSBC North America New Laws and
Regulations Procedure – US). Revisions or updates to policies and procedures may
occur on a more frequent basis as dictated by changes in Legal Requirements or
supervisory guidance. To document that the certification process has occurred, each
policy or procedure is submitted through a change control process. A Change Control
Request Form (“CCR”) is submitted to the appropriate business owners, with the
document(s) attached that requires certification. The CCR form systemically tracks to
ensure all required approvals have been obtained. Annually, each business process
owner will certify that the policies and procedures applicable to their area of
responsibility are accurate. This annual certification will be maintained by the
Operational Quality and Process Assurance (“OQPA”) group.
All policies and procedures are expected to be certified as part of the Good
Governance Initiative by the end of the fourth quarter of 2011.
Compliance policies at the Group, HNAH, and business unit levels are designed to
ensure HNAH employees comply with applicable regulatory requirements. There are
various types of compliance policies in place across HNAH:
x HNAH Compliance Policies - HNAH compliance policies are regional documents
containing guiding principles that provide general direction and communicate a
clear commitment or set of expectations by the organization. HNAH compliance
policies apply across the region, including all U.S. subsidiaries. HNAH compliance
policies are also governed by the HNAH Policy Setting Standard (“Policy
Standard”), which is owned by North America Risk Governance. These
compliance policies are approved by management in accordance with the Policy
Standard. Further, certain key firm-wide policies are reviewed by the ORIC
(please see Section 2: Board Oversight for more information regarding ORIC
responsibilities) and reviewed and approved by the HNAH Compliance Committee.
These policies are centrally housed on the intranet and reviewed and approved at
least annually in accordance with the Policy Standard.
x Legal Entity Compliance Policies - Legal entity compliance policies are developed
when a regulation or subject matter is targeted at a particular legal entity within the
organization. For example, Anti-Money Laundering compliance policies are issued
at the legal entity level in order to customize requirements for employees based
upon the products, services, and primary regulators overseeing each entity. Legal
entity compliance policies are centrally housed on the intranet and are reviewed
and approved by management annually.
x Business Unit Compliance Policies - Business unit compliance policies exist when
even greater granularity of direction and expectation is required. For example,
CML, a business unit that provides residential mortgage loan services for HBIO
and HBUS, has its own compliance policies, many of which are HNAH level
policies that are adopted at the HBIO and HBUS legal entity level. These policies
are maintained by Residential Mortgage Servicing and are approved by the
Compliance Officers assigned to the business annually.
Page 12
Privileged and Confidential
Restricted
HBIO and HBUS have specific policies in place to address the responsibilities of Third
Party Providers. The three documents listed below outline the duties and
responsibilities of external Law Firms and other Third Parties to comply with
applicable laws, regulations, and HBIO and HBUS policies. Please reference the
attached documents for additional information:
x B.2.15 Vendor Risk Management – serves to identify, control and mitigate the
risks associated with the supply of goods and services by Third Party suppliers
where HSBC’s own services and operations are dependent upon such supplies
and/or in order to comply with applicable regulatory requirements.
x HSBC – North America Vendor Risk Management (VRM) Policy – establishes
consistent requirements to help protect HSBC from the risks associated with
Material Vendor relationships. See pages 6 and 7 of the HSBC – North America
Vendor Risk Management (VRM) Policy for the definition of a Material Vendor.
x HSBC – North America Vendor Risk Management (VRM) Procedures – provides
detailed information on how the Vendor Risk Management Program will identify
the roles and responsibilities of the applicable areas that support the Vendor Risk
Management process
x HSBC Mortgage Servicing Legal Department Law Firm Management Procedures
– outline the review and audit process for Law Firms
x HSBC Mortgage Servicing Law Firm Management User Manual – outlines the Law
Firm review and audit process described in the HSBC Mortgage Servicing Legal
Department Law Firm Management Procedures
x Mortgage Servicing Third Party Operational Risk Management Procedures –
outlines the practice of the Third Party Operational Risk Management Group
Additionally, HBIO and HBUS have established the HSBC Best Practices document
(See attached HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE,
EVICTION AND BANKRUPTCY LAW FIRMS) that contains a summary of Law Firm
best practices to ensure compliance with the letter and spirit of all substantive and
procedural laws and regulations, as well as HSBC policies and procedures by
foreclosure, bankruptcy, and eviction Law Firms. The HSBC Best Practices
document is distributed to each of its active Law Firms for use.
Please see the Action Plan response to Article 6(a) for a description of existing
policies and procedures that further describe practices, procedures and tools for
appropriate oversight of Third-Party Providers to ensure compliance with applicable
Legal Requirements, supervisory guidance, and HBIO’s and HBUS’ policies and
procedures.
Additionally, each Third-Party Provider is assigned a HNAH Relationship Manager.
The Relationship Manager’s responsibilities include overseeing the relationship
between the Third-Party Provider and HNAH’s lines of business ensuring compliance
with applicable policy, enforcing management controls, and identifying and mitigating
existing and potential risks.
Page 13
Privileged and Confidential
Restricted
The existing Compliance Risk Management Program described above, which includes
HNAH Compliance Policies, Legal Entity Compliance Policies, Business Unit
Compliance Policies, and Vendor Risk Management Policy, is designed to ensure the
compliance-related roles and responsibilities are developed and communicated
across the Bank’s and Mortgage Servicing Companies’ organization and to ThirdParty Providers.
In addition to the existing policies and procedures noted above, as described in earlier
Articles, HBIO and HBUS developed a Law Firm MSA to be executed by active Law
Firms that provide legal services to Mortgage Servicing. . The Law Firm MSA, more
specifically, requires that the Law Firm is in compliance with all laws and judicial
requirements, as well as HBIO and HBUS policies, as applicable, and that such
policies, procedures, and laws are fully understood by the Law Firm personnel
providing services to HBIO and HBUS (See MASTER SERVICES AGREEMENT
(LEGAL SERVICES)). The Law Firm MSA was distributed to active foreclosure Law
Firms as in September 2011.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below, last revised September 2011)
x HSBC – North America Compliance Risk Mitigation Program
x HSBC – North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
x B.2.15 Vendor Risk Management
x DRAFT MASTER SERVICES AGREEMENT (LEGAL SERVICES) (see revised
MASTER SERVICES AGREEMENT (LEGAL SERVICES) below)
x HSBC BEST PRACTICES FOR ITS OUTSIDE FORECLOSURE FIRMS (see
revised HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION
AND BANKRUPTCY LAW FIRMS below)
x HSBC North America New Laws and Regulations Procedure – US
Additional documents completed for re-submission of Action Plan
x MASTER SERVICES AGREEMENT (LEGAL SERVICES)
x HSBC BEST PRACTICES FOR OUTSIDE FORECLOSURE, EVICTION AND
BANKRUPTCY LAW FIRMS
x Third Party Operational Risk Management Department Instruction Book (DIB)
x HSBC – North America Compliance Risk Management Program Manual
Page 14
Privileged and Confidential
Restricted
x HSBC Mortgage Servicing Legal Department Law Firm Management Procedures
x Mortgage Servicing Third Party Operational Risk Management Procedures
x HSBC Mortgage Servicing Law Firm Management User Manual
Key HSBC Contacts for the Action Plan
x
, EVP Chief of Staff HTSN and NA Head of Procurement
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
x
, SVP Deputy General Counsel, CML
x
SVP Compliance, HSBC Bank USA, NA
Page 15
Privileged and Confidential
Restricted
Article 8(c)
FRB Order Reference:
Article 8(c)
Corresponding
IV.1.i
OCC Article:
policies, procedures, and processes to ensure that the Mortgage Servicing
Companies have the ability to locate and secure all documents, including original
promissory notes, necessary to perform mortgage servicing, Loss Mitigation, and
foreclosure functions and to comply with contractual obligations;
Action Plan
HBIO and HBUS have existing policies and procedures, described below, to ensure
HBIO and HBUS have the ability to locate and secure all documents, including
original promissory notes. As described below, some of HBIO’s and HBUS’ existing
policies, procedures, and processes have been strengthened to ensure full
compliance with this requirement of the Order.
Existing Processes / Programs:
HBIO and HBUS have processes for locating and securing all documents necessary
to perform residential mortgage loan servicing, Loss Mitigation, and foreclosure
functions and to comply with contractual obligations. To support these processes,
HBIO and HBUS have policies and procedures in place to ensure physical loan
records are maintained in a secure environment consistent with corporate policies and
directives and that residential mortgage loan servicing, Loss Mitigation and
foreclosure personnel can access those records as needed.
As part of the process, HBIO and HBUS image customer correspondence and
documents required to perform residential mortgage loan servicing, Loss Mitigation,
loan modification, and foreclosure functions. Documents are imaged to specific
document and folder types within the
This enables multiple internal
business users across functional areas to locate and view documents simultaneously,
to perform residential loan servicing on loans. Collateral documents are further
segmented to reflect that an original was received and retained in a secure location.
Imaged documentation is maintained on an imaging repository (“
for the life of
the loan. The
application is a web based system for managing customer
correspondence. Items are scanned into the application, indexed by loan number and
document type, and then systemically routed to the appropriate workbaskets
(queues). The attached
User Manual CML provides additional detail regarding
the imaging and routing process. This imaging process further enhances the ability
to locate and secure all customer documents, including original promissory notes.
HBIO and HBUS have a process to validate physical possession of collateral when
personal knowledge is required by law. When personal knowledge is not required by
law, HBIO and HBUS use imaged copies, as described above, to validate
documentation and perform audits that are designed to ensure possession of proper
collateral.
Page 16
Privileged and Confidential
Restricted
Additionally, documents transferred within a secure location of HBIO and HBUS are
hand-delivered, while overnight mail is used to send documents leaving a secure
location. HBIO and HBUS verify sent documents are received and receipt is certified
by the intended recipients. This process allows HBIO and HBUS to track and locate
the documents while in transit (See Default Document Tracking and Retrieval
Procedure ALL page 1 for an overview of this process).
HBIO and HBUS have strengthened their processes designed to verify possession of
notes held by third parties by establishing the four new procedures noted below. An
example of a strengthened process within these procedures is that a tracking process
is now in place for sending original notes to foreclosure counsel and possession of
original promissory notes must be verified electronically or certified by a custodian. In
all judicial states and non-judicial states where possession of the original note is
required in order to foreclose, HBIO or HBUS, as appropriate, confirm that it has
possession of the original note and, where required by applicable law, the original
note is sent to the Law Firm handling the foreclosure. The following procedures
support the strengthened processes noted above:
x Pre Foreclosure Note Validation Procedure CML – outlines how HBIO validates
possession of the original note prior to commencing a foreclosure action
x Foreclosure Collateral Retrieval Procedure HBUS – outlines how to retrieve
original documents that are sent to attorneys.
x Pre-Foreclosure Note Validation User Manual HBUS – outlines how HBUS
validates possession of the original note prior to commencing a foreclosure action
x Foreclosure Collateral Retrieval Procedure CML – outlines how to retrieve original
documents that are sent to attorneys
The HBIO and HBUS processes and procedures noted above are designed to ensure
the availability of all documents, including original promissory notes, however, in the
event an original note is missing, a Lost Note Affidavit, if required, will be executed
and sent to the Law Firm. As appropriate, the terms of the note are validated through
an imaged copy of the note, and in non-judicial states, where confirmation of
possession of the original note is not required prior to commencement of the
foreclosure action (except where required by law), additional periodic audits to
validate possession of these original notes will be conducted by the Records
Department on a quarterly basis starting with the first quarter of 2012. See attached:
x Non-Judicial States Lost Note Affidavit-Declaration Procedure ALL and Judicial
States- Lost Note Affidavit Procedures outline the steps for the Records
Administration Department when processing a Lost Note Affidavit or
Declaration of Lost Note
x Judicial States- (1) Lost Note Affidavit Procedures includes the following: Lost
Note Affidavit – HI, IA, KY, ME, NM, NY, NC, ND, OH, OK, SC, DC Procedure
ALL, (2) Lost Note Affidavit – IL, IN, KS, and NE Procedure ALL, (3) Lost Note
Affidavit – CT, LA, and WI Procedure ALL, (4) Lost Note Affidavit – Vermont
Procedure ALL, and (5) FL Lost Note Affidavit Procedure ALL
Page 17
Privileged and Confidential
Restricted
Separately, HBUS has also strengthened its processes designed to verify possession
of notes held by Third-Party Providers (e.g., a custodian). Possession of promissory
notes can be verified electronically or certified by a custodian, and execution of an
affidavit is not performed if a note cannot be located and proper ownership verified.
HBUS maintains codes on the
servicing system which identifies the custodian or
contact that is holding documents on behalf of the Investor. HBUS is authorized via
the Servicing Agreements to request documents to address specific servicing
functions (foreclosure, consolidation, payoffs). Please note this process does not
apply to HBIO as it does not have custodian accounts.
Outside counsel was engaged to review HBUS’ process of verifying possession of
original promissory notes to ensure that Legal Requirements for standing in
foreclosure actions are met. The review focused on HBUS’ relationships with its
records custodians that maintain possession of original promissory notes. Outside
counsel reviewed tri-party custodial agreements between HBUS, the custodian and
the investor. The review confirmed that HBUS has the right to obtain possession of
the original promissory notes and details the custodians’ obligations of safely and
securely maintaining the original promissory notes. The agreements also describe
the process of retrieving original notes when needed. In many instances, HBUS
retrieves the original note where required under state foreclosure law. The
custodians’ websites were also reviewed and confirmed that the custodians maintain
the original notes. As the custodial agreements provide HBUS with the right to obtain
possession of the original note and since it was confirmed that the custodians have
actual possession of the original notes, outside counsel concluded that HBUS has
constructive possession of the original notes and therefore has met the standing
requirement to initiate foreclosure proceedings. Outside counsel also reviewed and
provided guidance on HBUS’ pre-foreclosure original note validation process to
ensure that HBUS verifies that the custodian has actual possession of the original
note on a loan-by-loan basis prior to referring a loan to foreclosure counsel. Based on
this guidance, the business enhanced its pre-foreclosure original note validation
procedures which were then reviewed and approved by outside counsel.
Additionally, HBIO and HBUS enhanced their existing procedures and practices as
appropriate to comply with Legal Requirements to verify that each is in possession of
the original note where legally required before taking legal action. In all judicial states
and non-judicial states where possession of the original note is or may be required in
order to foreclose, HBIO and HBUS confirm that each, respectively, has possession
of the original note and, where required by applicable law, the original note is sent to
the Law Firm. If an original note is missing, a Lost Note Affidavit, if required, will be
executed and sent to the Law Firm. As appropriate, the terms of the note are
validated through an imaged copy of the note, and in non-judicial states, where
confirmation of possession of the original note is not required prior to commencement
of the foreclosure action, additional quarterly reviews, beginning with the first quarter
of 2012, will be conducted by the Records Department to validate possession of these
original notes. Outside legal counsel validated the HBIO and HBUS process regarding
the possession of the original promissory note.
Page 18
Privileged and Confidential
Restricted
In summary, HBIO and HBUS have existing document imaging and tracking policies,
procedures, and processes to adhere to this requirement of the Order. HBIO and
HBUS have enhanced existing policies, procedures, and processes related to the
possession of a promissory note by a Third Party. These enhancements ensure
adherence to applicable laws requiring verification of the possession of the original
note to further comply with the requirements of the Order.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures, enhanced as described
above, satisfy these requirements of the Order and, at the present time, further
enhancements are not deemed necessary, processes and procedures are subject to
on-going review in the ordinary course of business to determine whether revisions or
enhancements thereto are appropriate or necessary.
Documents to be submitted with the Action Plan
x Non-Judicial States Lost Note Affidavit-Declaration Procedure ALL
x Default Document Tracking and Retrieval Procedure ALL
x
User Manual CML
x Pre Foreclosure Note Validation Procedure CML (see revised Pre Foreclosure
Note Validation Procedure CML below)
x Foreclosure Collateral Retrieval Procedure HMC (see revised Foreclosure
Collateral Retrieval Procedure HBUS below)
x Pre-Foreclosure Note Validation User Manual HMC (see revised Pre-Foreclosure
Note Validation Procedure HBUS below)
x Foreclosure Collateral Retrieval Procedure CML (see revised Foreclosure
Collateral Retrieval Procedure CML below)
Additional documents completed for re-submission of Action Plan
x Judicial States- Lost Note Affidavit Procedures
x Foreclosure Collateral Retrieval Procedure HBUS
x Pre-Foreclosure Note Validation Procedure HBUS
x Pre Foreclosure Note Validation Procedure CML
x Foreclosure Collateral Retrieval Procedure CML
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP Default Services, Mortgage Servicing
Page 19
Privileged and Confidential
Restricted
Article 8(d)
FRB Order Reference:
Article 8(d)
Corresponding
N/A
OCC Article:
compliance with supervisory guidance of the Board of Governors, including, but not
limited to, the guidance entitled, “Compliance Risk Management Programs and
Oversight at Large Banking Organizations with Complex Compliance Profiles,” dated
October 16, 2008 (SR 08-08/CA 08-11);
Action Plan
HNAH has an existing Compliance Risk Management Program in place which
ensures compliance with the supervisory guidance of the Board of Governors.
However, HNAH will continue to review and enhance this Program as necessary.
Existing Processes / Programs:
In order to ensure independence of the compliance staff, compliance staff does not
report to business management, but rather report through the HNAH Compliance
management structure. Although Compliance staff partner with their business
counterparts, the activities and priorities assigned to Compliance staff are solely
assigned by Compliance management. Additionally, although business counterparts
may be consulted, Compliance staff performance ratings and compensation are solely
determined by Compliance management. The HNAH Compliance function is
managed by the Regional Compliance Officer (“RCO”) who has a dual reporting
structure to the HNAH CEO and Head of the HSBC Global Compliance function.
HNAH has an established TRAC function, a part of HNAH Compliance, which is
consistent with the requirements of SR 08-08 and this requirement of the Order.
TRAC is responsible for conducting on-going compliance testing and risk
assessments independent of the business unit compliance.
TRAC develops and maintains a Compliance Risk Mitigation Program, which
establishes HNAH-wide consistent standards and processes to enable management
to proactively identify, measure, monitor, test, and report compliance risks and
controls. This information is used to obtain reasonable assurance that HNAH and its
subsidiaries are complying with material regulatory requirements and Group
Compliance policies and standards (See HSBC - North America Compliance Risk
Mitigation Program, pages 36 through 53, which relate specifically to the TRAC
Compliance Review Program).
Additionally, below is a listing of TRAC's specific roles and responsibilities, which are
provided in greater detail within the HSBC - North America Compliance Risk
Management Program Manual, pages 31 and 32, and include:
x developing and maintaining firm-wide compliance risk assessment processes,
methodologies and tools;
Page 20
Privileged and Confidential
Restricted
x
x
x
x
x
x
leading the execution and oversight of the General Enterprise-wide Risk
Assessment and facilitating and performing quality assurance of the results of the
Detail Self Assessment, in conjunction with business line management and
business line Compliance Officers;
developing and maintaining firm-wide compliance monitoring and review
programs, policies, procedures, processes and standards;
annually reviewing business line/Compliance Officer compliance programs and
processes, including Compliance Officer issue remediation activities;
annually reviewing the effectiveness of the HNAH Compliance Risk Management
Program;
administering the Matters Requiring Attention (“MRAs”) tracking and validation
program to include tracking of MRAs, validating remediation and reporting MRA
status to Group Compliance EXCO, senior management, Risk Governance
Committees, and Compliance Committee; and
maintaining processes to track, escalate, and report material compliance issues
and any corrective actions identified through examinations, inspections,
compliance monitoring and reviews, or other means.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x HSBC - North America Compliance Risk Mitigation Program
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below, last revised September 2011)
Additional documents completed for re-submission of Action Plan
x HSBC - North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
hnston, SVP General Compliance
x
SVP Compliance, HSBC Bank USA, NA
Page 21
Privileged and Confidential
Restricted
Article 8(e).i
FRB Order Reference:
Article 8(e).i
Corresponding
IV.1.b
OCC Article:
processes to ensure that all factual assertions made in pleadings, declarations,
affidavits, or other sworn statements filed by or on behalf of the Mortgage Servicing
Companies are accurate, complete, and reliable; and that affidavits and declarations
are based on personal knowledge or a review of the Mortgage Servicing Companies’
books and records when the affidavit or declaration so states;
Action Plan
HBIO and HBUS have processes in place, as described below, that require personnel
to review pleadings, declarations, affidavits, or other sworn documents and ascertain
whether they are accurate, complete, and reliable. In addition, and as described
below, certain process were identified for enhancement to fully comply with this
requirement of the Order.
Existing Processes / Programs:
HBIO and HBUS processes are designed to ensure affidavits, declarations and
relevant pleadings are carefully reviewed, inspected and validated by experienced
staff members within Late Stage Default to ensure all factual assertions are accurate,
complete and reliable. Authorized signers are required to conduct a thorough review
of the servicing system of record and inspect loan documents in order to gain
sufficient personal knowledge (when required by law) to execute affidavits, relevant
pleadings and declarations, and other relevant documents. See the following
documents for details related to the processes noted above:
x Default Affidavits – Approval and Maintenance Procedure ALL - procedure
provides the approval process and maintenance of the state by state affidavits for
use in the foreclosure process
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL procedure describes the steps followed to perform a quality review on foreclosure
affidavits and/or Verified Complaints prior to management execution
(signed/notarized)
x Foreclosure Affidavit and Verified Complaint Overview Procedure ALL - procedure
outlines the process to accurately execute (verified/signed/notarized) foreclosure
affidavits and verified complaints
x Foreclosure Notary Maintenance and Validation Procedure ALL - procedure
provides instructions for Late Stage Default and the Late Stage Default Quality
Review Departments on how to maintain the Foreclosure Notary Tracker and
conduct regular reviews of current certified HBIO and HBUS Notaries
x Notary Matrix Procedure ALL - procedure lists HBIO and HBUS employees
authorized to notarize legal documents and the process to verify the employee's
notary status
x Notary Procedure ALL - procedure outlines the process for notarizing documents
Page 22
Privileged and Confidential
Restricted
x
x
x
Foreclosure Signing Authority List Maintenance and Validation Procedure ALL procedure provides instructions for Late Stage Default and the Late Stage Default
Quality Review Departments on how to maintain the Foreclosure signer approval
tracker and conduct regular reviews of HBIO and HBUS employees signing
Foreclosure Documents
California 1137 Declaration Execution Procedure ALL - procedure describes the
process of completing the California 1137 Declaration on accounts in California
Universe of Documents Matrix ALL - is a Microsoft Excel spreadsheet that
outlines, for every state, the documents generally used in foreclosure proceedings
HBIO’s and HBUS’ procedures address state and local variations in foreclosure
requirements, as well as the steps necessary to review and complete affidavits,
relevant pleadings and declaration forms.
HBIO and HBUS have been working to enhance policies and procedures for
foreclosure processes, and HBIO and HBUS will continue to devote considerable
efforts and resources to the governance and controls for its foreclosure function. In
October 2010, HBIO and HBUS created a late stage quality review (first line of
defence) in order to strengthen quality control measures for the accuracy and
completeness of affidavits (See Foreclosure Affidavit and Verified Complaint Quality
Review Procedure ALL). Affidavits are prepared by Foreclosure Specialists and in
some cases local foreclosure counsel, reviewed for accuracy and completeness by
the Foreclosure Quality Control team, and then reviewed again for accuracy and
completeness by the individual who will execute the affidavit. All the affidavits are
reviewed at least twice before the affidavit is forwarded to the Law Firm for use. This
late stage quality review focuses on verifying the accuracy of affidavits and verified
complaints prior to execution of the documents. The variable data within the
documents is compared to the source documents and the applicable systems to
confirm accuracy. Evidentiary information must be provided that matches the variable
data within the affidavit. If the evidentiary information does not match the variable
data, the affidavit must be corrected and re-reviewed. This quality review ensures
accuracy of the affidavits.
HBIO and HBUS have further strengthened the quality control process by expanding
the scope of their quality review to include relevant pleadings and declarations.
These reviews are designed to ensure that factual assertions are accurate and based
on personal knowledge of loan documents, financial information and key records from
the appropriate source. HBIO and HBUS correct issues noted in these reviews before
filing documents, however the issues are tracked prior to correction to facilitate
trending and determining employees’ incentive eligibility. Affidavit procedures have
been strengthened to include a daily meeting wherein the notary administers the
applicable notary oath to the affiant and the signers sign the applicable affidavits in
the presence of the notary. Affidavits are not signed until they have been reviewed at
least twice for accuracy and completeness. As laws, rules, regulations, and practices
evolve or change, documents and procedures will be modified accordingly. (See
Foreclosure Signing Authority List Maintenance and Validation Procedure ALL).
Page 23
Privileged and Confidential
Restricted
Additionally, the authorized list of notaries is validated monthly by Compliance. (See
Notary Matrix Procedure ALL).
HBIO and HBUS have taken many steps, described above, to verify that all factual
assertions made in pleadings, declarations, affidavits, or other sworn statements filed
by or on behalf of the Mortgage Servicing Companies or the Bank are accurate,
complete, and reliable; and that affidavits and declarations are based on personal
knowledge or a review of the Mortgage Servicing Companies’ or the Bank’s books
and records to comply with the Order. As outlined above HBIO and HBUS have a
detailed program in place to meet required standards which they will, as a matter of
course, continue to monitor, update and report on, as needed.
To create a more robust, consistent process regarding factual assertions made in
pleadings, declarations, affidavits, or other sworn statements, HBIO and HBUS
engaged outside counsel to review and develop standard affidavit and declaration
forms for use in each state and, where required, by local practice of individual
counties. Outside counsel has completed its review of judicial states and non-judicial
states (except for the District of Columbia, although rules have been published by the
Federal register and the comment period has passed, the D.C. City Council is still in
the rule making process). HBIO and HBUS will monitor this legislation closely and will
create the standard documentation for the District of Columbia once the rules are
finalized.
Affidavit procedure manuals were updated on a state-by-state basis, the last of which
were drafted as of August 11, 2011, and after internal review and approval by Legal,
Compliance and the appropriate business owners, were finalized as of September 12,
2011 (except Maine, which will be finalized and published by October 31, 2011).
Each state-specific foreclosure user manual has been developed to provide
instructions on various foreclosure procedures including the preparation and
execution of affidavits of amount due and indebtedness. The user manual for any
given state must be completed prior to the re-start of foreclosures for that state. (See
Affidavit of Amount Due - Florida User Manual and Affidavit of Amount Due Florida User Manual in their entirety as examples of affidavit
procedure manuals).
In addition two training modules, Affidavit Processing and Notary Training, have been
developed and were first used for training in June 2011. These two modules focus on
business records training and are designed to educate employees executing affidavits
on topics such as meeting legal requirements for personal knowledge and notary
requirements. Employees who are involved in these two processes completed the
training by the end of the third quarter 2011.
Enhancement to Processes / Programs:
HBIO and HBUS engaged outside counsel to review and develop standard affidavit
and declaration forms for use in each state and, where required, by local practice of
Page 24
Privileged and Confidential
Restricted
individual counties. This has not yet been completed for the District of Columbia as
the DC City Council is still in the rule making process.
While we believe these existing processes and procedures satisfy the requirements of
the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary to address changes in applicable Legal Requirements
Documents to be submitted with the Action Plan
x Default Affidavits – Approval and Maintenance Procedure ALL (see revised
Default Affidavits – Approval and Maintenance Procedure ALL below)
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL (see
revised Foreclosure Affidavit and Verified Complaint Quality Review Procedure
ALL below)
x Foreclosure Affidavit and Verified Complaint Overview Procedure ALL (see
revised Foreclosure Affidavit and Verified Complaint Overview Procedure ALL
below)
x Foreclosure Notary Maintenance and Validation Procedure ALL (see revised
Foreclosure Notary Maintenance and Validation Procedure ALL below)
x Notary Matrix Procedure ALL (see revised Notary Matrix Procedure ALL below)
x Notary Procedure ALL
x Foreclosure Signing Authority List Maintenance and Validation Procedure ALL
(see revised Foreclosure Signing Authority List Maintenance and Validation
Procedure ALL below)
x California 1137 Declaration Execution Procedure ALL
x Universe of Documents Matrix ALL (see revised Universe of Documents Matrix
ALL)
x Affidavit of Amount Due - Florida User Manual (see revised Affidavit of
Amount Due - Florida User Manual below)
x Affidavit of Amount Due - Florida User Manual (see revised
Affidavit of Amount Due - Florida User Manual below)
Additional documents completed for re-submission of Action Plan
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
x Foreclosure Notary Maintenance and Validation Procedure ALL
x Default Affidavits – Approval and Maintenance Procedure ALL
x Foreclosure Affidavit and Verified Complaint Overview Procedure ALL
x Notary Matrix Procedure ALL
x Foreclosure Signing Authority List Maintenance and Validation Procedure ALL
x Universe of Documents Matrix ALL
x Affidavit of Amount Due - Florida User Manual CML
x Affidavit of Amount Due - Florida User Manual CML
Key HSBC Contacts for the Action Plan
Page 25
Privileged and Confidential
Restricted
x
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
SVP Default Services
Page 26
Privileged and Confidential
Restricted
Article 8(e).ii
FRB Order Reference:
Article 8(e).ii
Corresponding
IV.1.c
OCC Article:
processes to ensure that affidavits filed in foreclosure proceedings and other
foreclosure-related documents are executed and notarized in accordance with
applicable state legal requirements, including jurat requirements;
Action Plan
Although HBIO and HBUS have processes and procedures in place to guide the
execution and notarization, procedures for affidavits and other foreclosure-related
documents have been strengthened to better ensure execution and notarization is in
accordance with applicable state legal and jurat requirements, in accordance with the
requirements of the Order.
Existing Processes / Programs:
In mid-October 2010, HBIO and HBUS implemented revised policies and procedures
to more clearly document affidavit delivery, preparation, verification, management
review and signing, and notarization practices. For example, Late Stage Default now
holds daily meetings for signers and notaries during which notaries administer the
notary oath to the affiants as appropriate, the signers sign the applicable affidavits in
the presence of the notary, and the notaries notarize in the presence of the affiant.
Please see the following documents which evidence the procedures noted above:
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL procedure describes the steps followed to perform a quality review on foreclosure
affidavits and/or Verified Complaints prior to management execution
(signed/notarized)
x Foreclosure Affidavit and Verified Complaint Overview Procedure ALL - procedure
outlines the process to accurately execute (verified/signed/notarized) foreclosure
affidavits and verified complaints
x Foreclosure Notary Maintenance and Validation Procedure ALL - procedure
provides instructions for Late Stage Default and the Late Stage Default Quality
Review Department Departments on how to maintain the Foreclosure Notary
Tracker and conduct regular reviews of current certified HBIO and HBUS Notaries
x Foreclosure Policy ALL - provides guidelines regarding Real Estate Foreclosure
x Notary Matrix Procedure ALL - procedure lists HBIO and HBUS employees
authorized to notarize legal documents and the process to verify the employee's
notary status
x Notary Procedure ALL - procedure outlines the process for notarizing documents
HBIO and HBUS notaries and corporate signers who service foreclosure functions
have certified that they have read these procedures, they understand HBIO’s and
HBUS’ guidelines regarding these procedures, as well as their responsibilities as a
notary and/or a signer, and that they will adhere to these procedures as required.
Page 27
Privileged and Confidential
Restricted
Recertification is required on an annual basis.
HBIO and HBUS maintain a list of approved signers and notaries that is validated
monthly by Compliance. The business administers a notary verification process
designed to ensure notaries are in good standing with the state and signers are in
good standing with HBIO and HBUS. (See Foreclosure Notary Maintenance and
Validation Procedure ALL)
Among other things, HBIO’s and HBUS’ enhanced processes require proper
witnessing of execution by the notaries through daily meetings between notaries and
signers; a personal understanding of relevant notary guidelines through certification of
procedure review by notaries, including legal and jurat requirements; and that (i) only
those who have certified their knowledge and understanding of appropriate notary
practices are performing notarizations and (ii) only authorized signers are signing
affidavits, through maintenance of a list of notaries and corporate signers (See
Foreclosure Signing Authority List Maintenance and Validation Procedure ALL, pages
1 through 3, for step by step process).
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy the requirements of
the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary to address changes in applicable state legal requirements, including jurat
requirements.
Documents to be submitted with the Action Plan
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL (see
revised Foreclosure Affidavit and Verified Complaint Quality Review Procedure
ALL below)
x Foreclosure Affidavit and Verified Complaint Overview Procedure ALL (see
revised Foreclosure Affidavit and Verified Complaint Overview Procedure ALL
below)
x Foreclosure Notary Maintenance and Validation Procedure ALL (see revised
Foreclosure Notary Maintenance and Validation Procedure ALL below)
x Foreclosure Policy ALL
x Notary Matrix Procedure ALL (see revised Notary Matrix Procedure ALL below)
x Notary Procedure ALL
x Foreclosure Signing Authority List Maintenance and Validation Procedure ALL
(see revised Foreclosure Signing Authority List Maintenance and Validation
Procedure ALL below)
Additional documents completed for re-submission of Action Plan
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
Page 28
Privileged and Confidential
Restricted
x
x
x
x
Foreclosure Notary Maintenance and Validation Procedure ALL
Foreclosure Signing Authority List Maintenance and Validation Procedure ALL
Foreclosure Affidavit and Verified Complaint Overview Procedure ALL
Notary Matrix Procedure ALL
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Deputy General Counsel, CML
x
SVP Default Services
Page 29
Privileged and Confidential
Restricted
Article 8(e).iii
FRB Order Reference:
Article 8(e).iii
Corresponding
IV.1.e
OCC Article:
processes to ensure that the Mortgage Servicing Companies have properly
documented ownership of the promissory note and mortgage (or deed of trust) under
applicable state law, or are otherwise a proper party to the action (as a result of
agency or other similar status) at all stages of foreclosure and bankruptcy litigation;
and
Action Plan
HBIO and HBUS have existing processes, as described below, to ensure the
business has properly documented ownership of the promissory note and mortgage
(or deed of trust) under applicable state law or are otherwise a proper party to the
action at all stages of foreclosure and bankruptcy litigation.
Existing Processes / Programs:
HBIO and HBUS have existing processes designed to ensure proper documentation
of promissory note and mortgage ownership. HBIO and HBUS maintain a file
containing the original collateral, as well as imaged copies of these documents in an
imaging repository for loans held in its possession. Loans held by a custodian are
tracked by HBUS, and processes are designed to verify possession of a note before
legal action is taken.
HBIO and HBUS image loan documentation upon origination or acquisition of a loan.
When HBUS originates a loan, the original documentation is imaged and stored in a
secure location. HBIO and HBUS strictly monitor the documents held in these secure
locations, and limit the reasons for removing these documents from their possession.
This process allows HBIO and HBUS, respectively, to be confident it is in possession
of the notes it holds. The same process was in place for loans that were acquired by
HBIO and HBUS, however, no further loans are currently being acquired by HBIO and
HBUS. Despite no planned future loan acquisitions, no plan currently exists to delete
imaged loan documentation of previously acquired HBIO and HBUS loans. Multiple
groups can view the imaged documentation, which is maintained on an imaging
repository for the life of the loan, throughout the foreclosure or bankruptcy process.
Please see the following documents which evidence the procedures noted above:
x Foreclosure Policy ALL – policy provides guidelines regarding Real Estate
Foreclosure; policy must be followed to ensure documented history is maintained
on accounts, quality customer service, and compliance with applicable laws
x Collateral Policy ALL - policy provides guidelines regarding collateral
documentation and verification requirements
x
User Manual CML - manual provides the process for imaging documentation
x Non-Judicial States Lost Note Affidavit-Declaration Procedure ALL - procedure
outlines the steps for the Records Administration Department when processing a
Page 30
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
x
Lost Note Affidavit or Declaration of Lost Note for non judicial states
Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL procedure describes the steps followed to perform a quality review on foreclosure
affidavits and/or verified complaints prior to management execution
(signed/notarized)
Foreclosure Review Group Re-Review Procedure CML - procedure provides
instructions to the Foreclosure Review Group to review accounts for eligibility of
removal from the moratorium on foreclosure activity specific to
(servicing systems) accounts in the C and D populations
Foreclosure Review Group C&D Re-Review Procedure HBUS - procedure
provides instructions to the Foreclosure Review Group to review accounts for
eligibility of removal from the moratorium on foreclosure activity specific to
(servicing system) accounts in the C and D populations.
CML FC Review Procedures Brandon External - procedure outlines the external
lien release process
CML FC Review Procedures Lien Release Internal - procedure outlines the
internal lien release procedures
HBUS FC CML Assignments Procedures Records Internal - procedure outlines the
internal notes procedures
Indexing Regulatory Foreclosure Documents Procedure CML - procedure
outlines the steps for the
Indexing of Regulatory Foreclosure documents
Pre-Foreclosure Note Validation Procedure CML - procedure outlines how HSBC
validates possession of the original note prior to commencing a foreclosure action
If an original note is missing, a Lost Note Affidavit, if required by applicable law, will be
executed and sent to the Law Firm. As appropriate, the terms of the note are
validated through an imaged copy of the note. In non-judicial states, where
confirmation of possession of the original note is not required prior to commencement
of the foreclosure action, additional quarterly audits, beginning with the first quarter of
2012, will be conducted by the Records Department to validate possession of these
original notes. Outside legal counsel reviewed and approved HBIO’s and HBUS’
procedures for determining each has possession of the original promissory note. (See
Non-judicial States Lost Note Affidavit-Declaration Procedure ALL and Judicial StatesLost Note Affidavit Procedures)
Management also enhanced its existing procedures and practices to comply with
applicable laws to verify that it is in possession of the original note before taking legal
action. In all judicial states and non-judicial states where possession of the original
note is or may be required by law in order to foreclose, HBIO and HBUS confirms that
it has possession of the original note through verification at the vault and, where
required by applicable law, the original note is sent to the Law Firm. Prior to the
enhancements to its existing procedures the Foreclosure Team would request that the
Records Team deliver to the foreclosure Law Firm the original note as required in
those judicial and non-judicial original document states. Under the enhanced
procedures the following processes are in place:
x Validation of possession of each note (as required in applicable judicial states and
Page 31
Privileged and Confidential
Restricted
x
x
x
x
x
non-judicial original document states) and forwarding to the appropriate
foreclosure Law Firm is required.
Validation of the original note via an image of the original note is required in the
noted applicable states (only non-judicial states where the original note is not
required to start foreclosure).
A sampling to confirm possession of the original note will be conducted on a
quarterly basis beginning the first quarter of 2012 for those loans validated via an
image copy of the original.
Verify possession of notes held by Third Parties
Centralized execution and tracking of any Lost Note Affidavit by the Records
Department.
Centralized tracking by the Records Department to ensure the return of the
original Note delivered to a foreclosure Law Firm where the foreclosure action has
been completed or terminated.
HBUS has also strengthened its processes designed to verify possession of notes
held by Third-Party Providers (i.e., a custodian). Possession of promissory notes can
be verified electronically or certified by a custodian. HBUS maintains codes on the
servicing system which identifies the custodian or other Third Party Provider that
is holding documents on behalf of the Investor. HBUS is authorized via the Servicing
Agreements to request documents to address specific servicing functions
(foreclosure, consolidation, payoffs). Outside legal counsel has reviewed and
approved the HBUS procedures for determining it has possession of the original
promissory note to ensure compliance with the appropriate Legal Requirements
associated with the verification of documents held by custodians or other Third Party
Providers. Please note this process does not apply to HBIO as it does not have
custodian accounts.
Also see Third-Party Management Action Plan Article 6(d) for existing processes and
procedures to ensure the accuracy of all documents filed on behalf of HBIO and
HBUS in any judicial or non-judicial foreclosure proceeding, related bankruptcy
proceeding, or in other foreclosure-related litigation.
HBIO and HBUS engaged outside counsel to conduct a review of bankruptcy
procedures, processes, and training materials for document review, execution and
notarization and note ownership in connection with bankruptcy proceedings. This
review was completed as of August 11, 2011, with the report delivered on August 18,
2011 (see MEMORANDUM Bankruptcy Report. See pages 4 through 9 of the
MEMORANDUM Bankruptcy Report for Observations and Suggestions). In summary,
the report recommends that HBIO and HBUS take steps, if not already taken, to
improve its overall efficiency, and safeguards, with respect to its bankruptcy process,
including:
x hiring of additional staff to comply with increased workflow to service
bankruptcy loans
x continuing with its ongoing process of increasing oversight and monitoring of
Page 32
Privileged and Confidential
Restricted
x
x
x
Third Party Providers (initiative already under way as described below)
enhancing its electronic database search practices for bankruptcy filings
(initiative already under way)
implementing additional quality control and risk reduction procedures (initiative
already under way as described below)
creating additional controls around pleadings and executed documents
Enhancement to Processes / Programs:
Based on the review related to bankruptcy procedures, processes, and training
materials completed by outside counsel noted above, HBIO and HBUS have
established a dedicated workstream to make enhancements to bankruptcy policies,
procedures, processes, and training materials. These enhancements are expected to
be completed within the fourth quarter of 2011 (see attachment Bankruptcy
Workstream September 7th, 2011 in its entirety). Business requirements for specific
technology enhancements for the Bankruptcy Workstream are expected to be
completed by November 30, 2011, with the resulting technology implementation target
dates to be received in Q1 2012. In addition to the dedicated Bankruptcy
Workstream, other workstreams and functional groups, including MIS, Third Party
Management, and Training, will participate in the enhancement of bankruptcy-related
processes and documents.
Also in response to the review performed by outside counsel, HBIO and HBUS are
evaluating Bankruptcy staff needs as part of the Bankruptcy Workstream, and are
now in the process of hiring 30 additional employees by the end of the year. These
employees will be supplementing the existing Quality Control team as well as
deployed to existing Bankruptcy processes to handle increased volumes and process
changes.
Documents to be submitted with the Action Plan
x Foreclosure Policy ALL
x Collateral Policy ALL
x
User Manual CML
x Non-Judicial States Lost Note Affidavit-Declaration Procedure ALL
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL (see
Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
below)
x Foreclosure Review Group C&D Re-Review Procedure CML (see revised
Foreclosure Review Group Re-Review Procedure CML below)
x CML FC Review Procedures Brandon External
x CML FC Review Procedures Lien Release Internal
x HBUS FC CML Assignments Procedures Records Internal
x
Indexing Regulatory Foreclosure Documents Procedure CML
x Pre Foreclosure Note Validation Procedure CML (see revised Pre Foreclosure
Note Validation Procedure CML below)
Page 33
Privileged and Confidential
Restricted
Additional documents completed for re-submission of Action Plan
x MEMORANDUM Bankruptcy Report
x Bankruptcy Workstream September 7th, 2011
x Foreclosure Review Group C&D Re-Review Procedure HBUS
x Judicial States- Lost Note Affidavit Procedures
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
x Pre Foreclosure Note Validation Procedure CML
x Foreclosure Review Group Re-Review Procedure CML
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 34
Privileged and Confidential
Restricted
Article 8(e).iv
FRB Order Reference:
Article 8(e).iv
Corresponding
IV.1.f
OCC Article:
processes to ensure that a clear and auditable trail exists for all factual information
contained in each affidavit or declaration, in support of each of the charges that are
listed, including whether the amount is chargeable to the borrower or claimable by the
investor;
Action Plan
HBIO and HBUS have existing processes (described below) which are designed to
ensure that a clear and auditable trail exists for all factual information contained in
each affidavit or declaration. Additionally, HBIO and HBUS are enhancing processes
and controls for validation of the charges that will be listed in the affidavits or
declarations to meet this requirement of the Order.
Existing Processes / Programs:
When preparing affidavits and/or declarations, rather than relying solely on
information from the servicing system of record, HBIO and HBUS require employees
to have personal knowledge of certain loan documentation based on applicable law.
To ensure a clear and auditable trail exists, all documentation required to complete
and execute an affidavit or declaration is imaged and retained on the imaging system
to support the factual assertions in the documents, including the amounts chargeable
to the borrower or claimable by the investor.
As a general rule, if data relevant to a legal filing is static (i.e., property address), that
information is retained in the system of record. If data relevant to a legal filing is
dynamic (i.e., SCRA status, amount due on a specific date, etc..), screen images of
that information are printed and retained in the
system where
they can be accessed at any point in the future. See the following documents to
support the processes noted above:
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL procedure describes the steps followed to perform a quality review on foreclosure
affidavits and/or Verified Complaints prior to management execution
(signed/notarized)
x California 1137 Declaration Execution Procedure ALL - procedure describes the
process of completing the California 1137 Declaration on accounts in California
x Affidavit of Amount Due - Florida User Manual - user manual provides
instructions on how to confirm and obtain information to complete replacement
Affidavits of Amount Due for Florida
accounts that have had an Affidavit of
Amount Due executed and are pre-judgment or without sale date
x Affidavit of Amount Due - Florida User Manual - user manual
provides instructions on how to confirm and obtain information to complete
Page 35
Privileged and Confidential
Restricted
replacement Affidavits of Amount Due for Florida
(HMS –
CLMS –
) accounts that have had an Affidavit of Amount Due executed
and are pre-judgment or without sale date
The Quality Reviews referenced above are performed by the Operations Quality
Team, which is part of the first line of defence.
See Affidavit of Amount Due – Florida –
following referenced procedural example:
User Manual page 8 for the
In regards to evidence requirements, print and print to image (to the Regulatory
Foreclosure folder in
the following (also indicated in the steps below):
The phrase “print to image” indicates that a copy is retained in the Image platform as
opposed to printing a physical hard copy. Documents must be saved to the imaging
system as evidence for the audit trail. The Affidavit of Amount Due – Florida –
User Manual, pages 8 – 17, covers each area of the affidavit, specifies
how to complete each section of the AOI For example – item #6 on page 10 of the
user manual specifies the steps required to complete the originating entity of the AOI.
This information is taken from the imaged copy of the note. Additionally, beginning
on page 18, the user manual outlines how and what fees must be waived.
HBIO and HBUS management continue to enhance their foreclosure affidavit and
declaration processes and have taken aggressive steps to resolve any identified
inconsistencies. HBIO and HBUS will continue to place considerable effort and
resources to ensure strong governance and controls are working effectively in the
Residential Mortgage Servicing foreclosure function. HBIO has elected at this time to
waive fees on borrower’s accounts until such time when technology enhancements
are available to ensure the accuracy of non-system controlled fees assessed, such as
a Broker Price Opinion (“BPO”). HBUS is still collecting fees as the HBUS system
allows for better control required to maintain affidavit evidence.
Accordingly, HBIO and HBUS have taken steps to preserve the audit trail for all
Page 36
Privileged and Confidential
Restricted
factual information contained in affidavits and declarations. HBIO and HBUS
enhanced their processes and updated related policies, procedures, and training to
ensure the accuracy of all documents filed or otherwise utilized on behalf of the
Mortgage Servicing Companies, the Bank, or owners of mortgages in judicial and
non-judicial foreclosure proceedings, including procedures for document preparation,
review, execution and notarization, note ownership and right to foreclose at the time
the foreclosure action is commenced. These enhancements and updates [(some of
which are addressed in more detail in the Action Plans for Articles 8(c) and 8(e)(i)-(iii)]
include:
x Additional guidance for requirements related to acquiring knowledge of information
contained in the documents filed in foreclosure proceedings and additional
procedures to ensure accuracy of the documents prior to initiating foreclosure,
including but not limited to:
x Documentation sufficient to establish ownership (See Default Document
Tracking, Retrieval Procedure ALL, and Collateral Policy ALL in their entirety)
- Verification of the possession of original note
- Execution of a Lost Note Affidavit, if required, upon determination that
original note is missing
- Verification of the legal entity
x Right to foreclose at the time foreclosure action is commenced
- Validation of the plaintiff for foreclosure action
- Review of Department of Defense website
- Review of the imaged Breach Letter
x For judicial foreclosure states, developed standardized foreclosure affidavits of
indebtedness (AOI) and developed instructions and procedures for verifying
information as well as signing and notarizing documents;
x For non-judicial foreclosure states, HNAH Legal has reviewed and developed
appropriate forms and instructions (except District of Columbia is under review).
HBIO and HBUS have been reviewing and modifying forms where necessary and
developing instructions and procedures for the review, signing and notarization of
documents where applicable;
x A foreclosure checklist is used to guide preparation and quality control of the AOI;
the checklist and corresponding evidence is imaged and retained;
x Completion of user manuals prior to re-starting or resuming foreclosures in a given
state;
x Development and implementation of Business Records training which the
employees are required to complete prior to executing any foreclosure affidavit;
and
x Implementation of quality reviews.
HBIO’s and HBUS’ existing audit trail and imaging procedures, along with procedural
enhancements listed above, ensure that a clear and auditable trail exists.
Also see Third-Party Management Action Plan Article 6(d) for existing processes and
procedures to ensure the accuracy of all documents filed on behalf of HBIO and
HBUS in any judicial or non-judicial foreclosure proceeding, related bankruptcy
proceeding, or in other foreclosure-related litigation. See the following documents to
Page 37
Privileged and Confidential
Restricted
support the audit trail and imaging processes noted above:
x
User Manual CML - manual provides the process for imaging
documentation
x CML FC Review Procedures Brandon External – procedure outlines the
external lien release process
x CML FC Review Procedures Lien Release Internal – procedure outlines the
internal lien release process
x HBUS FC CML Assignments Procedures Records Internal - procedure outlines
the internal notes procedures
x
Indexing Regulatory Foreclosure Documents Procedure CML procedure outlines the steps for the
Indexing of Regulatory
Foreclosure documents
Foreclosure affidavit procedure manuals were updated on a state-by-state basis, the
last of which were drafted as of August 11, 2011, and after internal review and
approval by Legal, Compliance and the appropriate business owners, were finalized
as of September 12, 2011 (except Maine, which will be finalized and published by
October 31, 2011 and for the District of Columbia where rules have been published in
the Federal register and the comment period has passed, the D.C. City Council is still
in the rule making process. HBIO and HBUS will monitor this pending legislation
closely and will create the standard documentation for the District of Columbia once
the rules are finalized).
Each state-specific foreclosure user manual has been developed to provide
instructions on various foreclosure procedures including affidavits of amount due and
indebtedness. The user manual for any given state must be completed prior to the restart of foreclosures for that state. (See Affidavit of Amount Due - Florida User
Manual and Affidavit of Amount Due - Florida User Manual for
samples)
Training was developed by the business for affidavit signers regarding the creation
and maintenance of business records and HNAH Legal developed deposition training
for potential witnesses in foreclosure actions. Said training has been conducted for
appropriate personnel and will occur in the future at least annually.
HBIO and HBUS engaged outside counsel to conduct a review of bankruptcy
procedures, processes, and training materials for document review, execution and
notarization and note ownership in connection with bankruptcy proceedings. This
review was completed as of August 11, 2011, with the report delivered on August 18,
2011 (see MEMORANDUM Bankruptcy Report. See pages 4 through 9 of the
MEMORANDUM Bankruptcy Report for Observations and Suggestions). In summary,
the report recommends that HBIO and HBUS make certain enhancements or
changes, to the extent, not already taken, to certain bankruptcy processes, including:
x hiring of additional staff to comply with increased workflow to service
bankruptcy loans
x continuing with its ongoing process of increasing oversight and monitoring of
third-party vendors (initiative already well under way as described below)
Page 38
Privileged and Confidential
Restricted
x
x
x
enhancing its electronic database search practices for bankruptcy filings
(initiative already under way as describe below)
implementing additional quality control and risk reduction procedures (initiative
already under way as described below)
creating additional controls around pleadings and executed documents
Enhancement to Processes / Programs:
Based on the review related to bankruptcy procedures, processes, and training
materials completed by outside counsel noted above, HBIO and HBUS have
established a dedicated workstream to make enhancements to bankruptcy policies,
procedures, processes, and training materials. These enhancements are expected to
be completed within the fourth quarter of 2011 (see attachment Bankruptcy
Workstream September 7th, 2011 in its entirety). Business requirements for specific
technology enhancements for the Bankruptcy Workstream are expected to be
completed by November 30, 2011, with the resulting technology implementation target
dates to be received in Q1 2012. In addition to the dedicated Bankruptcy
Workstream, other workstreams and functional groups, including MIS, Third Party
Management, and Training, will participate in the enhancement of bankruptcy-related
processes and documents.
HBIO and HBUS engaged outside counsel to review and develop standard affidavit
and declaration forms for use in each state and, where required, by local practice of
individual counties. This has not yet been completed, except as mentioned above for
Maine and the District of Columbia.
Documents to be submitted with the Action Plan
x Foreclosure Policy ALL
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL (see
revised Foreclosure Affidavit and Verified Complaint Quality Review Procedure
ALL below)
x
User Manual CML
x California 1137 Declaration Execution Procedure ALL
x CML FC Review Procedures Brandon External
x CML FC Review Procedures Lien Release Internal
x HBUS FC CML Assignments Procedures Records Internal
x
Indexing Regulatory Foreclosure Documents Procedure CML
x Universe of Documents Matrix ALL (see revised Universe of Documents Matrix
ALL below)
x Affidavit of Amount Due - Florida User Manual (see revised Affidavit of
Amount Due - Florida User Manual below)
x Affidavit of Amount Due - Florida User Manual (see revised
Affidavit of Amount Due - Florida User Manual below)
x Default Document Tracking and Retrieval Procedure ALL
x Collateral Policy ALL
Page 39
Privileged and Confidential
Restricted
Additional documents completed for re-submission of Action Plan
x MEMORANDUM Bankruptcy Report
x Foreclosure Affidavit and Verified Complaint Quality Review Procedure ALL
x Universe of Documents Matrix ALL
x Affidavit of Amount Due - Florida User Manual CML
x Affidavit of Amount Due - Florida User Manual CML
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP Deputy General Counsel, CML
Page 40
Privileged and Confidential
Restricted
Article 8(f)
FRB Order Reference:
Article 8(f)
Corresponding
IX.1.k
OCC Article:
policies and procedures to ensure that payments are credited in a prompt and timely
manner; that payments, including partial payments to the extent permissible under the
terms of applicable legal instruments, are applied to scheduled principal, interest, and
escrow before fees, and that any misapplication of borrower funds is corrected in a
prompt and timely manner;
Action Plan
As described below, HBIO and HBUS have policies and procedures in place that
address crediting payments in a prompt and timely manner and correct the
misapplication of borrower funds. For all loans except for partial reinstatements (only
applicable for HBIO), HBIO and HBUS have policies and procedures that apply
payments generally to scheduled principal, interest, and escrow before fees. For
loans serviced on the
(
– HBIO - HFC and Beneficial Portfolio) system
payments are applied to the current interest due first before application to principal (as
per the Note). Any interest shortage is deferred. HBIO and HBUS also follow a
widely accepted industry practice of holding partial payments in suspense accounts
until enough funds are received from a borrower to constitute a full payment, at which
point the payment is applied to the principal, interest and escrow, before fees.
Existing Processes / Programs:
Both HBIO and HBUS practices are governed by two comprehensive policies which
include the Payment Processing (Cashiering) Policy ALL and the Payment Reversal
Policy ALL. These policies guide employees on payment application exceptions,
correction of misapplied payments, and ensure that payments are applied in
accordance with the applicable contract.
HBIO and HBUS have policies and procedures in place that address crediting
payments in a prompt and timely manner and correcting the misapplication of
borrower funds. For all loans except for partial reinstatements (for partial
reinstatement, which only apply to HBIO, taxes and insurance are satisfied first),
HBIO and HBUS have policies and procedures that apply payments to scheduled
principal, interest, and escrow before fees.
HBIO and HBUS have systemic controls to ensure appropriate and timely application
of funds. HBIO and HBUS have an established payment hierarchy for application of
funds and systems are periodically tested to ensure automated controls are working
as designed. In addition, Quality Control processes are in place to ensure manual
payments are applied utilizing the correct effective date and are applied in accordance
with the payment hierarchy, which includes both full and partial reinstatements. On a
monthly basis, Payment Services completes a review of approximately 800-900
Page 41
Privileged and Confidential
Restricted
manual payment transactions to ensure compliance with HBIO and HBUS policies.
Results are tracked through a database and reporting is provided to management for
review and action as needed on a monthly basis.
HBIO and HBUS also follow a widely accepted industry practice of holding partial
payments in suspense accounts until enough funds are received from a borrower to
constitute a full payment, at which point the payment is applied to the principal,
interest and escrow, before fees. The holding of partial payments is a common
mortgage practice utilized throughout the industry. More specifically, this practice is
facilitated through the
servicing system utilized by many mortgage
service providers. This process is also documented within the Note provided to
customers.
The following content was copied from a Fannie Mae Mortgage / Deed of Trust as
evidence of and clarification of the industry practice noted above: “Section 15. Lender
may return any payment or partial payment if the payment or partial payments are
insufficient to bring the Loan current. Lender may accept any payment or partial
payment insufficient to bring the Loan current, without waiver of any rights hereunder
or prejudice to its rights to refuse such payment or partial payments in the future, but
Lender is not obligated to apply such payments at the time such payments are
accepted. If each Periodic Payment is applied as of its scheduled due date, then
Lender need not pay interest on unapplied funds. Lender may hold such unapplied
funds until Borrower makes payment to bring the Loan current. If Borrower does not
do so within a reasonable period of time, Lender shall either apply such funds or
return them to Borrower. If not applied earlier, such funds will be applied to the
outstanding principal balance under the Note immediately prior to foreclosure. No
offset or claim which Borrower might have now or in the future against Lender shall
relieve Borrower from making payments due under the Note and this Security
Instrument or performing the covenants and agreements secured by this Security
Instrument.”
The guidance from the Fannie Mae Mortgage/Deed of Trust does not apply to loans
serviced on the
portfolio. Payments received on
are applied directly to the
customer’s accounts as there is no suspense or unapplied functionality. Payment
application for
complies with the terms of the loan agreement.
HBIO has an established policy to assist borrowers by offering partial reinstatements
of loans (CML only). Payments for partially reinstated loans are applied to past-due
taxes and insurance before principal and interest. Additionally, when the customer is
sent the reinstatement letter, it is disclosed within the letter that past due taxes and
insurance are paid first. This payment hierarchy and application of funds has been
reviewed and approved by HBIO Management.
The CML Reinstatement process was approved through the Bi-Weekly Retail
Operations Governance Committee (“BROG”). The BROG is comprised of senior
leadership that is responsible for ensuring that business models and strategies are
Page 42
Privileged and Confidential
Restricted
established, approved, documented, and all governing policies and procedures are in
place to support business operations. The BROG is intended to ensure that certain
functions within business unit operations are managed in accordance with all
applicable laws and regulations, Group standards, applicable Functional Instructional
Manuals, and safe and sound business practices. External counsel and HSBC
internal legal counsel reviewed the CML reinstatement and provided legal guidance.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
x Payment Processing (Cashiering) Policy ALL (see revised Payment Processing
(Cashiering) Policy ALL below)
x Payment Reversal Policy ALL
Additional documents completed for re-submission of Action Plan
x Disbursements Project Plan 10142011
x Payment Processing (Cashiering) Policy ALL
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 43
Privileged and Confidential
Restricted
Article 8(g)
FRB Order Reference:
Article 8(g)
Corresponding
N/A
OCC Article:
compliance with contractual obligations to the owners of the mortgages in the
Servicing Portfolio;
Action Plan
Existing Processes / Programs:
With respect to HBIO, the vast majority of loans serviced are owned by HBIO and
therefore there are no contractual obligations to owners of the related mortgages.
With respect to the one investor for which HBIO does service loans, the investor has
agreed to have the loans serviced in accordance with HBIO servicing policies,
procedures, and guidelines referred to in this Article and the control processes
described in the Action Plans are adhered to with respect to both the HBIO owned
and investor segments of the portfolio.
With respect to HBUS, certain loans are serviced for Fannie Mae and Freddie Mac
and other investors. For these loans, HBUS follows the standard GSE guidelines or
other investor guidelines for servicing loans as well as contractual obligations. As part
of the Investor Change Working Group (“ICWG”), changes to the GSE servicing
guidelines are reviewed, business process changes are implemented and the
resulting changes are tested.
Changes to GSE and investor guidelines, requirements and contractual obligations
are collected, monitored and assessed for impact by the ICWG Manager. Investor
Accounting, the ICWG Manager, and the Director of Loss Mitigation for Mortgage
Corporation hold weekly meetings to assess the impact and plan the implementation
strategy for such GSE and other investor changes. See the Implementation Section
on page 2 of the attached Investor Changes Implementation Procedure ALL
document for additional details regarding monitoring and implementation of changes
to GSE and other investor contractual obligations.
Enhancement to Processes / Programs:
While we believe these existing processes and procedures satisfy these requirements
of the Order and, at the present time, enhancements are not deemed necessary,
processes and procedures are subject to on-going review in the ordinary course of
business to determine whether revisions or enhancements thereto are appropriate or
necessary.
Documents to be submitted with the Action Plan
Not Applicable
Page 44
Privileged and Confidential
Restricted
Additional documents completed for re-submission of Action Plan
x Investor Changes Implementation Procedure ALL
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
Page 45
Privileged and Confidential
Restricted
Article 8(h)
FRB Order Reference:
Article 8(h)
Corresponding
IV.1.h
OCC Article:
compliance with the contractual limitations in the underlying mortgage note, mortgage,
or other customer authorization with respect to the imposition of fees, charges and
expenses, and compliance with Legal Requirements concerning the imposition of
fees, charges, and expenses;
Action Plan
Policies and procedures exist that govern the fees, expenses, and other charges
imposed on the borrower and ensure that they are in accordance with the terms of the
underlying mortgage note, mortgage, or other customer authorization and in
compliance with all applicable Legal Requirements and supervisory guidance.
However, HBIO and HBUS are enhancing processes to strengthen controls relative to
the imposition of charges to the borrower and will modify policies and procedures, as
necessary, to reflect the enhancements to the processes.
Existing Processes / Programs:
HBIO and HBUS have existing processes that are designed to ensure that fees,
expenses, and other charges imposed on the borrower are assessed in accordance
with the Legal Requirements, supervisory guidance and contractual limitations or
other customer authorization and supervisory guidance. However, as noted below,
HBIO and HBUS reviewed these processes in order to enhance quality controls.
Late charges and NSF fees are controlled and assessed through the
and
systems at the account level. For example, when the payment is
applied to these systems, the system will automatically apply a late fee based on the
Legal Requirements regarding late fees. (See Late Fee Enforcement Thresholds
Policy ALL and Late Charge (Fee) Matrix Procedure MS). The Late Charge (Fee)
Matrix Procedure
details state statutes governing the assessment and collection
of late charges on loans originated by state chartered lenders. HBIO has elected at
this time to waive all fees on borrower’s accounts until such time as technology
enhancements are available to ensure the accuracy of non-system controlled fees
assessed such as a BPO. HBUS is still collecting fees as the HBUS system allows
for better control required to maintain affidavit evidence.
HBIO and HBUS generally follow the Fannie Mae Fee Guidelines. HBUS utilizes an
automated system for processing fees and costs (New Invoice) which assesses the
adherence to the Fannie Mae guidelines. Exceptions to FNMA guidelines are
reviewed and approved by authorized personnel. Any amounts exceeding the FNMA
guidelines are reviewed and approved by Foreclosure Unit Manager and Department
Managers. This process is facilitated through New Invoice.
Representatives authorized to review and process fees and costs are monitored for
Page 46
Privileged and Confidential
Restricted
adherence to policies and procedures. Unit Managers are required to conduct a
review of 20 accounts per representative per month.
HBIO and HBUS reviewed existing processes to identify any necessary
enhancements to preventive and detective controls (as well as enhancements to
quality controls) as applicable to ensure all assessment of fees, expenses, and other
charges are in accordance with the applicable Legal Requirements, supervisory
guidance, contractual limitations or other customer authorization. As of September
12, 2011, an RCA review was completed and identified controls that needed
improvement. To address the controls in the RCA review a project plan was created
(see Disbursements Project Plan 10142011 and RCA Report for Fees and
Disbursements in their entirety) to enhance processes including the frequency of fee
assessments, documentation supporting relevant services performed, and systemic
controls designed to ensure duplicate charges are not assessed.
The planned enhancements, noted above and further described below, will provide
assurance in addition to existing procedures that HBIO and HBUS are in compliance
with contractual and legal limitations, customer authorization, as well as supervisory
guidance, relative to the imposition of fees, charges, and expenses to the borrower.
Enhancement to Processes / Programs:
Since completion of the review noted above, HBIO and HBUS are in the process of
assessing how controls requiring enhancements may impact changes to the current
technology environment. As such, a plan for implementation will be developed based
on the quantity of controls requiring enhancement. Depending on the quantity of
controls requiring enhancements, implementation efforts will commence in the fourth
quarter of 2011 and may continue into 2012.
HBIO and HBUS are enhancing its process and controls for assessing fees and costs.
The following key deliverables and timelines have been established for implementing
enhancements:
x Publish Secured Default Fees and Cost Policy which outlines use of FNMA
guidelines and provides guidance on recoverable and non recoverable fees and
costs – completed September 28, 2011
x Update controls and business rules within Invoice Management, which is the tool
used to ensure invoices meet HBIO and HBUS fee guidelines - October 14, 2011
x Perform User Acceptance Testing on fee guidelines within New Invoice November 30, 2011
x Update procedural documentation based on changes to business rules and
business policy - October 31, 2011
x Enhance quality control regiment by creating exception reporting for New Invoice
(
attorney firms, and invoices paid by HBIO and HBUS personnel - October
31, 2011
x Complete MIS reporting requirements for monitoring exceptions - November 30,
2011
Page 47
Privileged and Confidential
Restricted
In an effort to enhance automation and reduce manual controls, a technology project
has been implemented. Business requirements were completed on September 16,
2011. Implementation timeline for the technology enhancements is scheduled for
March 2012. Business requirements for the
platform are targeted for completion
by December 31, 2011
Documents to be submitted with the Action Plan
x MEMORANDUM - Business Risk and Control Assessment
x Late Charge (Fee) Matrix Procedure MS
Additional documents completed for re-submission of Action Plan
x Disbursements Project Plan 10142011
x Late Fee Enforcement Thresholds Policy ALL
x Secured Default Fees and Costs Policy ALL
x RCA Report for Fees and Disbursements
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
Page 48
Privileged and Confidential
Restricted
Article 8(i)
FRB Order Reference:
Article 8(i)
Corresponding
IV.1.g
OCC Article:
processes to ensure that foreclosure sales (including the calculation of the default
period, the amounts due, and compliance with notice requirements) and post-sale
confirmation are in accordance with the terms of the mortgage loan and applicable
state and federal law requirements;
Action Plan
HBIO and HBUS have existing processes, as described below, to ensure that
foreclosure sales (including the calculation of the default period, the amounts due,
and compliance with notice requirements) and post-sale confirmation are in
accordance with the terms of the mortgage loan and applicable state and federal law
requirements.
Existing Processes / Programs:
HBIO and HBUS have designed a foreclosure review process to ensure legal actions
are taken only when accounts have met the pre-foreclosure requirements, as
described in the attached Foreclosure Review Group C&D Re-Review Procedure
CML document which includes, among other items, steps to ensure that foreclosure
sales (including the calculation of the default period, the amounts due, and
compliance with notice requirements) and post-sale confirmation are in accordance
with the terms of the mortgage loan and applicable state and federal law
requirements.
HBIO and HBUS have recently enhanced these processes to require the viewing of
imaged collateral documents and other applicable documents (including demand /
breach letters) to initiate foreclosures. This enhancement, made April 17, 2011,
updates the previous checklist which did not require viewing imaged documents.
HBIO and HBUS have a systematic process to calculate amounts due which are
incorporated in the breach letter. The systems (
) also have pre-defined criteria to create breach letters in accordance with
applicable state and federal law requirements. In the event of a change in law or a
new law that impacts the breach letters, breach letter templates will be updated to be
in compliance with the new or changed law, uploaded into the system, and tested to
ensure the change is reflected in the new systematically generated letter. Any
changes in law or new laws are identified through the law change monitoring process
outlined in the Action Plan in response to Article 7(b). Management reviewed the
process noted above in conjunction with the Order requirements to ensure that the
process complies with the Order.
Individual state foreclosure tracking templates are established on the servicing system
and used to monitor post-redemption/confirmation periods. HBIO and HBUS monitor
Page 49
Privileged and Confidential
Restricted
these templates and have reporting in place to ensure post-sale requirements are
appropriately met. Checklists are generated at the account level and completed by a
Foreclosure employee to ensure compliance with applicable state and federal law
requirements specific to a loan’s jurisdiction. Sales results and confirmations are
tracked and sent to Late Stage Default management for review.
Both the breach letter templates and the foreclosure tracking templates are updated
by Enterprise Business Solutions team (“EBS”). The Law Change Working Group
(“LCWG” - Refer to Article 7(b) for additional information regarding the Law Change
Working Group or Late Stage Default management identifies any required template
changes and works with EBS to design, test, and implement these changes.
Foreclosure sale and post-sale confirmation are managed through tasks that reside
on the servicing system. These tasks are defined by the courts & foreclosure
attorneys or applicable state law. The Foreclosure Team and the Real Estate Owned
(“REO”) team manage the execution of foreclosure sales and post-sale confirmations
by these tasks on the servicing system. For example, a task date is set for expiration
of the redemption period after a foreclosure sale has been executed. The timing of
this task is set by state law, the court that provides judgment and/or the foreclosure
attorney. Once this task date arrives, it queues the REO agent to contact the
foreclosure attorney and confirm that all redemption and confirmation requirements
(both due to loan terms and court order/state & federal law) are met. The agent then
is allowed to set up additional tasks to process the account as an REO. Post-sale
task reporting is the responsibility of Foreclosure and REO management.
Compliance completed a review of redemption periods as part of the Foreclosure Risk
Assessment (detailed in Article 7(a)). As a result, state specific requirements were
added to the procedure "REO During Redemption Period ALL". Additionally, MIS
enhancements are underway to create an exception report to ensure the redemption
period has expired prior to taking possession of the property. For further details on
redemption see the attached HSBC Consumer Mortgage Lending REO in
Redemption Process in its entirety.
HBIO and HBUS completed a review of their existing controls for the processes noted
above to ensure compliance with applicable state and federal laws. Specifically,
Compliance reviewed the Nationwide Foreclosure Summary procedure which outlines
HBIO and HBUS pre-foreclosure business practices and regulatory requirements by
state (see Nationwide Foreclosure Summary and Nationwide Foreclosure Summary
ALL). HBIO and HBUS have enhanced their processes to review source documents
in the foreclosure review process versus relying only on the system of record.
Additionally, a checklist is required on all portfolios and all systems to reinforce
foreclosure review requirements (see Foreclosure Review Group Re-Review
Procedure CML, Foreclosure Review Group C&D Re-Review Procedure HBUS).
Documents to be submitted with the Action Plan
x Foreclosure Review Group C&D Re-Review Procedure CML (see revised
Page 50
Privileged and Confidential
Restricted
x
x
x
x
Foreclosure Review Group Re-Review Procedure CML below)
Foreclosure Policy ALL
Foreclosure Sales Results Procedure ALL
Real Estate Owned (REO) Policy ALL
REO During Redemption Procedure ALL
Additional documents completed for re-submission of Action Plan
x HSBC Consumer & Mortgage Lending REO in Redemption Process
x Nationwide Foreclosure Summary
x Nationwide Foreclosure Summary ALL
x Foreclosure Review Group C&D Re-Review Procedure HBUS
x Foreclosure Review Group Re-Review Procedure CML
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 51
Privileged and Confidential
Restricted
Article 8(j)
FRB Order Reference:
Article 8(j)
Corresponding
IV.1.q
OCC Article:
procedures to ensure compliance with bankruptcy law requirements, including a
prohibition on collection of fees in violation of bankruptcy’s automatic stay (11 U.S.C.
§ 362), the discharge injunction (11 U.S.C. § 524), or any applicable court order;
Action Plan
HBIO and HBUS have an existing process which prohibits the collection of fees in
violation of bankruptcy’s automatic stay, however associated policies, procedures,
and training are being enhanced to ensure full compliance with the Order.
Existing Processes / Programs:
It is HBIO’s and HBUS’ policy that collection activity will cease, in compliance with the
automatic stay, when HBIO and HBUS are notified that a bankruptcy case has been
filed. (See Chapter 11_12 and 13 Bankruptcy Policy ALL, pages 1 through 4, and
Chapter 7 Bankruptcy Policy, pages 1 through 4).
To fully ensure compliance with bankruptcy law requirements, including a prohibition
on collection of fees in violation of bankruptcy’s automatic stay (11 U.S.C. § 362), the
discharge injunction (11 U.S.C. § 524), or any applicable court order, HBIO and
HBUS engaged outside counsel to assist with and conduct a review of bankruptcy
procedures, processes, and training materials for document review, execution, and
notarization and note ownership in connection with bankruptcy proceedings. This
review was completed as of August 11, 2011, and is the same review referenced in
Action Plan Article 8(e).iii (see MEMORANDUM Bankruptcy Report).
HBIO has existing Quality Control functions as part of the first line of defense to
monitor for compliance with applicable bankruptcy laws. Within the Bankruptcy
Department, there are dedicated resources responsible for conducting quality reviews
to ensure adherence to policies, procedures and business practices. This team
provides quality review results to the Senior Vice President Default Management.
Additionally, Service Delivery Control Adherence (“SDCA”) reviews bankruptcy
processes in the course of their work, and provides a second line of defense for
bankruptcy functions. SDCA is managed separately from Residential Mortgage
Servicing management and reports to a central quality review Service Delivery
function. Bankruptcy processes are also reviewed by Compliance, TRAC, and Group
Audit North America. A review of the Bankruptcy processes by TRAC and Group
Audit North America is scheduled in the fourth quarter of 2011. The existing functions
are being reviewed as part of the bankruptcy review described above.
Enhancement to Processes / Programs:
Based on the review related to bankruptcy procedures, processes, and training
Page 52
Privileged and Confidential
Restricted
materials completed by outside counsel noted above, HBIO and HBUS will make
enhancements to documents, policies, procedures, processes, and training materials
which are expected to be completed within the fourth quarter of 2011 (see attachment
Bankruptcy Workstream September 7th, 2011 in its entirety). Business requirements
for specific technology enhancements for the Bankruptcy Workstream are expected to
be completed by November 30, 2011, with the resulting technology implementation
target dates to be received in Q1 2012.
Documents to be submitted with the Action Plan
x Chapter 11, 12, and 13 Bankruptcy Policy ALL
x Chapter 7 Bankruptcy Policy
Additional documents completed for re-submission of Action Plan
x MEMORANDUM Bankruptcy Report
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Deputy General Counsel, CML
Page 53
Privileged and Confidential
Restricted
Article 8(k)
FRB Order Reference:
Article 8(k)
Corresponding
IV.1.j
OCC Article:
the scope and frequency of independent testing for compliance with the Legal
Requirements, supervisory guidance of the Board of Governors, and the requirements
of the Mortgage Servicing Companies’ internal policies, procedures, and processes by
qualified parties with requisite knowledge and ability (which may include internal audit)
who are independent of the Mortgage Servicing Companies’ business lines and
compliance function;
Action Plan
HBIO and HBUS have existing processes, as described below, to ensure the scope
and frequency of independent testing for compliance with the Legal Requirements,
supervisory guidance of the Board of Governors, and the requirements of the
Mortgage Servicing Companies’ and Bank’s internal policies, procedures, and
processes and that such independent testing is performed by qualified parties with
requisite knowledge and ability who are independent of HBIO’s and HBUS’ business
lines and compliance function.
Existing Processes / Programs:
HBIO and HBUS have existing processes whereby testing is completed independent
of the lines of business through second and third line of defense functions by qualified
persons with requisite knowledge and ability in order to maintain HBIO’s and HBUS’
ongoing compliance with Legal Requirements, supervisory guidance, as well as
adherence to internal policies, procedures, and processes. Management in each of
the second and third line of defense functions reviewed the policies and procedures
for the respective areas and confirmed (subject to the planned second line of defense
remediation described below) that the existing functions and processes noted below
exist and are believed to meet this requirement of the Order. The existing
independent testing processes are as follows:
x TRAC, a part of HNAH Compliance, conducts ongoing testing for compliance with
the Legal Requirements and supervisory guidance that is independent from
business line compliance.
x SDCA serves as a second line of defense which is managed separately from the
business lines, reporting to a central Corporate Quality Utility. SDCA provides an
independent, objective and ongoing assessment to senior management of
operational adherence to policies, procedures, and Group standards, as well as of
the effectiveness of the first line of defense internal control framework for HNAH
business operations.
x Group Audit North America serves as a third line of defense for business
operations, assessing whether the primary controls are adequate to address
relevant risks and whether the secondary controls are operating effectively.
Page 54
Privileged and Confidential
Restricted
In addition to these processes, HNAH requires that every employee, including those
in Group Audit North America, complete Ethics Awareness and Certification training.
Furthermore, the Audit and Risk Committee is comprised completely of independent
members or non-employees.
Compliance
TRAC is a separate and independent function that is responsible for monitoring the
business units and is comprised of compliance personnel with specialized knowledge
of each business functional area. Formalizing a centralized testing team within HNAH
Compliance reinforces the independence of risk measurement, risk assessment, risk
monitoring and testing, and enhances the effectiveness and objectivity of these
processes.
On an annual basis, TRAC validates the line of business risk assessment results and,
in accordance with the HSBC Group Standards, performs assessments of the
effectiveness of the line of business compliance program activities.
TRAC's specific roles and responsibilities, which are provided in greater detail within
the HSBC - North America Compliance Risk Management Program Manual, include:
x developing and maintaining firm-wide compliance risk assessment processes,
methodologies and tools;
x leading the execution and oversight of the General Enterprise-wide Risk
Assessment and facilitating and performing quality assurance of the results of the
Detail Self Assessment, in conjunction with business line management and
business line compliance officers;
x developing and maintaining firm-wide compliance monitoring and review
programs, policies, procedures, processes and standards;
x annually reviewing business line/Compliance Officer compliance programs and
processes, including Compliance Officer issue remediation activities;
x annually reviewing the effectiveness of the HNAH Compliance Risk Management
Program;
x administering the Matters Requiring Attention (“MRAs”) tracking and validation
program to include tracking of MRAs, validating remediation and reporting MRA
status to Group Compliance EXCO, senior management, Risk Governance
Committees, and Compliance Committee; and
x Maintaining processes to track, escalate and report material compliance issues
and any corrective actions identified through examinations, inspections,
compliance monitoring and reviews, or other means.
Service Delivery Control Adherence
SDCA provides an independent, objective and ongoing assessment of operational
adherence to policies, procedures, and Group Standards to Residential Mortgage
Servicing Management. To maintain independence, SDCA is managed separately
from Residential Mortgage Servicing management, reporting to a central Corporate
Quality Utility. SDCA reports its findings to the appropriate business unit executive
management. Consideration is given as to whether the findings reported by SDCA
should also be reported as a Top Control Issue in the quarterly ORIC report.
Page 55
Privileged and Confidential
Restricted
SDCA conducted a gap analysis, completed April 15, 2011, to identify: 1) areas that
were not previously covered in the SDCA scope, 2) new controls to be implemented
by business operations, and 3) areas that require more detailed testing by SDCA.
SDCA created new process reviews for
and MERS (as these were not previously
in scope) and identified testing gaps relating to key controls in existing reviews for
Loss Mitigation, loan modifications and foreclosures.
As a
result of the gap analysis, SDCA is in the process of enhancing and/or creating
additional quality assurance test plans to perform additional testing of foreclosure
activities. SDCA completed a draft of the revised and new test plans as of August 11,
2011, and after internal review and approval, the new test plans were implemented as
of September 12, 2011. The attached SDCA QA Proposed Test Plan for Mortgage
Electronic Registration System (MERS), SDCA QA Proposed Test Plan for
(
and SDCA QA Proposed Test Plan for Foreclosure
provide the Criteria, Test Steps, and Desired Results for each of these reviews.
Group Audit North America recently conducted a review of SDCA and identified
issues which were set forth in a final report completed on June 24, 2011, and is
provided as support with this Action Plan (See Group Audit North America – Themed
Review of HNAH Quality Assurance in its entirety for details regarding the SDCA
activities that were reviewed, issues that were identified, and conclusions of this
review - please note that more than just CML is included in this report). Issues
identified in the report include the need to more adequately define in the SDCA
charter the accountability and authority of SDCA within the HNAH risk governance
structure; the need to enhance the SDCA risk assessment methodology; and the
need for SDCA management to enhance quality assurance reviews of SDCA staff
work to validate the adequacy of the testing scope, execution of the planned
procedures (or documenting reasons for changes thereto), and appropriateness
of SDCA staff judgment applied during the reviews.
As of August 17, 2011, SDCA responded to Audit with a plan to take immediate
actions to remediate the issues identified. SDCA has developed an enhanced Risk
Assessment, improved the manager review process, and updated procedures to
require that flow charts or process flow descriptions are included as standard work
papers on every process review completed by SDCA staff. For additional detail
regarding the SDCA response, see Themed Review of:
x HNAH Quality Assurance - AUN RTA 11002 (SDCA responses throughout the
document in blue text)
x Themed Review of HNAH Quality Assurance – Medium Risk Findings and
Efficiencies and Best Practices Summary (SDCA responses throughout the
document in blue text)
x Service Delivery Control Adherence Remediation Summary CMLCRS Related
Matters (status of remediation steps throughout the presentation), and SDCA
Page 56
Privileged and Confidential
Restricted
Remediation_090811 (spreadsheet that provides the Findings Summary,
Remediation Actions, and Status for SDCA remediation efforts)
Group Audit North America will validate the remediation actions based on its
methodology for tracking and validating issues. Remediation is targeted for
completion October 31, 2011.
Group Audit North America
Group Audit North America has assessed identified risks and enhanced its audit
programs to address requirements of the Order. Please refer to the Internal Audit
Program and the Action Plans for Article 16 and Article 17 of the Order for further
information. Additionally, please see the detailed audit plans noted below in their
entirety:
x AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - BACK-END
x AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - FRONT-END
x AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - STANDARD
x AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES
x AUN GAP ANALYSIS – FRB CONSENT ORDER vs AUDIT PROGRAMS
To establish independence of Group Audit, personnel report to the Executive Vice
President (“EVP”) Internal Audit, who functionally reports to the Senior Executive Vice
President (“SEVP”) Internal Audit HNAH and administratively to the Chief Executive
Officer – HBIO. The EVP Internal Audit has unfettered access to Senior Executive
Management and meets periodically with business and corporate function heads to
see that existing and emerging issues across the organization are effectively factored
into the internal audit plan. The EVP Internal Audit also sits as a non-voting member
on key risk management and governance committees established at HNAH. Please
refer to the attached THE HSBC GROUP AUDIT STANDARDS MANUAL which
provides a Code of Ethics for Group Audit, which addresses the concept of
independence for every member of the function:
“The duties and responsibilities of the audit function are often highly sensitive
and, accordingly, require an attitude on the part of each auditor that constitutes
an independence of mind and a level of personal integrity greater than that
required of personnel at similar levels of authority in other areas of the
Company. All members of the Audit staff have, by the nature of their role,
unique professional obligations to the Company, its customers, stockholders,
directors and the general public. These obligations are met through adherence
to a code of professional ethics (see below), the application of which requires
each auditor to conduct his or her personal and professional activities in a
manner that will not leave their personal and professional integrity open to
Page 57
Privileged and Confidential
Restricted
question. Group Audit work is expected to be performed with proficiency and
due professional care.”
HBIO and HBUS rely upon Compliance, SDCA, and Group Audit North America to
provide several levels of on-going testing for compliance with the Legal
Requirements, supervisory guidance of the Board of Governors, and the requirements
of the Mortgage Servicing Companies’ and Bank’s internal policies, procedures, and
processes to meet this requirement of the Order. Compliance, SDCA (subject to the
planned remediation described above), and Group Audit North America management
believe the policies and procedures for their respective areas, as described above,
satisfy the requirements of the Order. Notwithstanding, processes and procedures
are subject to on-going review in the ordinary course of business to determine
whether revisions or enhancements thereto are appropriate or necessary,
Enhancement to Processes / Programs:
The TRAC team will be conducting its annual Compliance monitoring and testing
process for foreclosure review. The review has commenced as of October 3, 2011,
and is expected to be completed before year-end. Please refer to Article 7(a) for
additional information.
Group Audit North America began an audit of the foreclosure, Loss Mitigation, and
mortgage servicing areas on October 3, 2011. The audit consists of three phases:
Planning, Field Work, and Report Creation. The “Planning Phase” of the audit is
expected to last from October 3, 2011, through October 14, 2011, and will focus on
updating audit test plans to ensure testing coverage based on changes to processes,
procedures, and other related changes that have occurred as a result of the Consent
Orders (e.g., affidavit and notary processing, changes to bankruptcy processes, etc.).
Field Work is expected to begin on October 17, 2011, which will include the testing of
controls through transactional walk-throughs, review of policies and procedures,
detailed sample testing, etc. For this specific audit, fieldwork will be completed by
Audit staff with the assistance of two SDCA FTEs who will work under Audit's
supervision. Group North America Audit is targeting finalizing the Audit Report by
December 19, 2011.
Additionally, TRAC and Group Audit North America are coordinating their reviews to
ensure full coverage from both the compliance and operational perspective. It has not
yet been determined if two separate reports will be issued.
Documents to be submitted with the Action Plan
x AUN BACK-END RESECURED DEFAULT SERVICES AUDIT (This document
has been combined with other previously submitted documents. See revised
“AUN GAP ANALYSIS - FRB CONSENT ORDER vs AUDIT PROGRAMS” below)
x AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - BACK-END
Page 58
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
x
x
x
x
FRONT-END COLLECTIONS NRE SECURED DEFAULT SERVICES (This
document has been combined with other previously submitted documents. See
revised “AUN GAP ANALYSIS - FRB CONSENT ORDER vs AUDIT PROGRAMS”
below)
AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - FRONT-END
AUN STANDARD RISKS, CONTROLS & AUDIT PROGRAMS (This document
has been combined with other previously submitted documents. See revised
"AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES" below)
AUDIT INFORMATION SYSTEM WORKING PAPER MODULE ICQ-PROGRAM
FORM - STANDARD
AUN GAP ANALYSIS - CONSENT ORDERS (This document has been combined
with other previously submitted documents. See revised “AUN GAP ANALYSIS FRB CONSENT ORDER vs AUDIT PROGRAMS” below)
HSBC - North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below, last revised September 2011)
AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES
Testing and Risk Assessment Compliance Unit (TRAC) Procedures Manual
HSBC – North America Compliance Risk Mitigation Program
Group Audit North America – Themed Review of HNAH Quality Assurance
AUN GAP ANALYSIS – FRB CONSENT ORDER vs AUDIT PROGRAMS
Additional documents completed for re-submission of Action Plan
x SDCA QA Proposed Test Plan for Mortgage Electronic Registration System
(MERS)
x SDCA QA Proposed Test Plan for
(
x SDCA QA Proposed Test Plan for Foreclosure
x Themed Review of HNAH Quality Assurance - AUN RTA 11002
x THEMED REVIEW OF HNAH QUALITY ASSURANCE - MEDIUM RISK
FINDINGS AND EFFICIENCIES AND BEST PRACTICES SUMMARY
x Service Delivery Control Adherence Remediation Summary CMLCRS Related
Matters
x SDCA Remediation_090811
x Disbursements Project Plan 10142011
x THE HSBC GROUP AUDIT STANDARDS MANUAL
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
x
, SVP General Compliance
x
SVP Service Delivery Control Adherence
x
SVP General Compliance
Page 59
Privileged and Confidential
Restricted
Page 60
Privileged and Confidential
Restricted
Article 8(l)
FRB Order Reference:
Article 8(l)
Corresponding
IV.1.k
OCC Article:
measures to ensure that policies, procedures, and processes are updated on an
ongoing basis as necessary to incorporate new or changes to Legal Requirements
and supervisory guidance of the Board of Governors;
Action Plan
HNAH has processes in place to ensure policies, procedures, and processes are
updated on an on-going basis to incorporate new or changes to Legal Requirements
and supervisory guidance of the Board of Governors. In addition, HNAH has
implemented a Good Governance Initiative (discussed further below) to provide an
additional level of review.
Existing Processes / Programs:
Management has a comprehensive process in place to identify, communicate and
implement changes to Legal Requirements and supervisory guidance into its business
practices. The RMA group manages the regulatory monitoring and change
management process in order to facilitate compliance with the applicable Legal
Requirements and Board of Governors supervisory guidance (See HSBC North
America New Laws and Regulations Procedure – US). This procedure provides
guidelines for monitoring and tracking regulatory changes and updating processes
appropriately.
In its efforts to identify and communicate changes in applicable laws, rules, and
regulations, the RMA group performs the following activities (among others):
x Monitor and track new and changed laws, regulations, and regulatory guidance;
x Track legislative, judicial, and regulatory developments, to identify potential
emerging compliance risks;
o Various sources for monitoring are utilized including, but not limited to:
the Federal Register; regulatory agency websites (e.g., OCC, FRB,
FDIC); trade associations; monitoring services; and various law firm
websites
x Complete business impact analysis for new or changed regulatory requirements;
and;
x Communicate new legislative alerts to appropriate Residential Mortgage Servicing
departments for action
The RMA group collaborates with Legal and Compliance to determine the applicability
of the legislation, rule or regulation and the business areas impacted. If it is
determined that there is an impact to a business area, the RMA group outlines the
detailed requirements in an Impact Assessment document, which it then forwards to
Legal for review. The RMA group and Compliance, together with the impacted
Page 61
Privileged and Confidential
Restricted
business area, determine the impact to the business. The RMA then publishes an
executive summary, which is called the New Legislation Alert (which includes the
Impact Assessment), and distributes it to the impacted business areas. The impacted
business areas work with the LCWG, Compliance Officers, and Legal (as
appropriate), to update the policies, procedures and processes, and ensure
implementation by the effective date of the law change. The detailed RMA and
LCWG procedures are attached for reference (See Law Change Process and
Implementation and Law Implementation Procedure ALL in their entirety).
The Operational Quality and Process Assurance (“OQPA”) group reviews updated
policies, procedures, processes, and training materials for accuracy and alignment
with the Legal Requirements and supervisory guidance as well as business practices.
Within 90 days of implementation, the SDCA group conducts an independent review
of the impacted business units’ processes for adherence.
Residential Mortgage Servicing and business owners are required to annually certify
the accuracy and completeness of the policies, procedures, and processes, including
updates or revisions based on changes to Legal Requirements or supervisory
guidance. Revisions or updates to policies and procedures may occur on a more
frequent basis as dictated by changes in Legal Requirements or supervisory
guidance. To document that the certification process has occurred, each policy or
procedure is submitted through a change control process. A Change Control Request
Form (“CCR”) is submitted to the appropriate business owners, with the document(s)
attached that requires certification. The CCR form systemically tracks to ensure all
required approvals have been obtained. Annually, each business process owner will
certify that the policies and procedures applicable to their area of responsibility are
accurate. This annual certification will be maintained by the OQPA group. All policies
and procedures are expected to be certified as part of the Good Governance Initiative
by the end of the fourth quarter of 2011.
Residential Mortgage Servicing is subject to many Legal Requirements that vary by
state and at times at a local level, and therefore has adopted more than 100 policies
and over 3,000 procedures that address these variations. Management is committed
to revising and updating procedures as appropriate. To that end, Residential
Mortgage Servicing began reviewing its foreclosure procedures prior to the
commencement of the supervisory foreclosure practices review, and it continues to
make updates as new or changed Legal Requirements and supervisory guidance are
released. Initial procedures reviewed were notary and affidavit procedures which
identified necessary enhancements including the procedural requirement that all
signers sign in the presence of the notary following administration of an oath. The
affidavit procedure enhancements identified included the expansion of general
affidavit procedures for all applicable states, as existing procedures were in place only
for certain states. Additional policies and procedures specific to Loss Mitigation
related activities and key processes within Residential Mortgage Servicing such as
Adverse Action Suspended Letter Procedure CML and Optional Insurance Procedure
MC are expected to be updated in accordance with the timeline outlined in the Good
Page 62
Privileged and Confidential
Restricted
Governance Initiative (See “Enhancement to Processes/Programs” section below for
additional information regarding the Good Governance program and the attached
Good Governance – Project Overview for details regarding the Good Governance
Process and Scope).
The processes performed by the RMA, LCWG, and OQPA groups described above
ensure that policies, procedures, and processes incorporate new or changes to Legal
Requirements and supervisory guidance of the Board of Governors as directed by the
Order. Additionally, Compliance SVPs have reviewed existing policies, procedures,
and processes to ensure they meet the requirements of the Order.
Enhancement to Processes / Programs:
To ensure that HNAH has fully documented policies and procedures and that all
employees understand and consistently follow them, HNAH has established the Good
Governance Initiative. Its objective is to ensure that there are proper procedures in
place within HNAH for all applicable business and operational processes, and that
these procedures are clear, concise, thorough, and accurate. Currently, HNAH is
completing the following:
x Reviewing procedures for accuracy
x Conducting a root cause / trend analysis of past procedural breaches
x Implementing improvements pertaining to areas of concern beyond the actual
procedures such as accessibility of procedures, appropriate controls and
oversight, training, etc.
HNAH is following a five step process for review of procedures, and identifying and
addressing any gaps. There is a standard template that guides the five steps of
project implementation.
x Develop Procedures and Process Inventory
x Develop Breaches Inventory
x Conduct Gap Analysis
x Define Recommendations
x Implement Recommendations
The attached “Good Governance Project US HNAH” document, which provides
additional details regarding project background, objectives, approach, governance,
and specifications, was provided as part of the answers to the FRB question
submitted on August 19, 2011. All policies and procedures are expected to be
certified as part of the Good Governance Initiative by the end of the fourth quarter of
2011.
Additionally, an annual review of policies and procedures is required and there is a
change control process in place that requires updates to policies and procedures be
reviewed in advance of operational changes by delegated senior leaders and
Compliance. In 2011, HNAH launched an initiative to reorganize procedures on
(“
and is in the process
Page 63
Privileged and Confidential
Restricted
of improving reporting. The enhancements to
were completed in July 2011.
HNAH has also committed to develop 18 functional courses which include the review
of policies and procedures and an assessment to ensure staff members are
appropriately trained and educated on key operational practices.
Please reference the attached files for examples of procedures that are housed in
x
x
x
Foreclosure Initiation Procedure CML – outlines the process on how the
Foreclosure Department initiates approved foreclosures (new referrals) on
accounts.
Short Sale and DIL Referral Procedure CML – outlines the steps for referring
an account to the Short Sale, Deed-in-Lieu of Foreclosure or Proactive
Departments.
Incoming Mail and Imaging Procedure CML – outlines how the Modification
Support Department processes incoming mail and how documentation is
prepared for the Document Image Capture Center.
The attached documents provide a list of procedures that were updated for each
respective topic:
x Consent Order_Certification_SCRA.9.7.11
x Consent Order_Certification_Notary.9.7.11
x Consent Order_Certification_Loss Mitigation.9.7.11
x Consent Order_Certification_Foreclosure.9.7.11
x Consent Order_Certification_SPOC.9.7.11
x Consent Order_Certification_Collateral Management.9.7.11
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual (see
revised HSBC – North America Compliance Risk Management Program Manual
below, last revised September 2011)
x Law Change Process and Implementation
x HSBC North America New Laws and Regulations Procedure – US
x Policy Creation and Revision Procedure ALL
x Good Governance – Project Overview
Additional documents completed for re-submission of Action Plan
x
Foreclosure Initiation Procedure CML
x Short Sale and DIL Referral Procedure CML
x Incoming Mail and Imaging Procedure CML
x Consent Order_Certification_SCRA.9.7.11
x Consent Order_Certification_Notary.9.7.11
x Consent Order_Certification_Loss Mitigation.9.7.11
x Consent Order_Certification_Foreclosure.9.7.11
Page 64
Privileged and Confidential
Restricted
x
x
x
x
Consent Order_Certification_SPOC.9.7.11
Consent Order_Certification_Collateral Management.9.7.11
Good Governance Project US HNAH
HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Regulatory Monitoring and Assessment
x
, SVP General Compliance
x
, SVP Deputy General Counsel, CML
x
SVP Default Services
Page 65
Privileged and Confidential
Restricted
Article 8(m)
FRB Order Reference:
Article 8(m)
Corresponding
N/A
OCC Article:
the findings, and conclusions, of the independent consultant(s) engaged by HNAH
and HBIO under paragraph 3 to review the Mortgage Servicing Companies’
foreclosure processes.
Action Plan
Pursuant to the Foreclosure Report, which shall include the findings and conclusions
of the independent consultant’s review of HNAH’s and HBIO’s foreclosure processes,
HNAH and HBIO shall, within 45 days, provide a compliance program that addresses
these findings.
The program may include, but not be limited to:
x remediation of errors in any foreclosure filing;
x remediation to borrower for any impermissible penalties or fees; and
x remediation when any unauthorized foreclosure sale occurred.
Documents to be submitted with the Action Plan
None at this time.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP General Compliance
Page 66
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
MERS
October 4, 2011
Privileged and Confidential
Restricted
Section 7: Mortgage Electronic Registration System
Article 9
VI.1
Corresponding
OCC Article:
Within 60 days of this Order, HBIO shall submit an acceptable plan to ensure
appropriate controls and oversight of the Mortgage Servicing Companies’ activities
with respect to MERS and compliance with MERS’ membership rules, terms, and
conditions (“MERS Requirements”) (“MERS Plan”). The MERS Plan shall include, at a
minimum:
FRB Order Reference:
Article 9
Action Plan
HBIO and HBUS have designed a plan for appropriate controls and oversight of the
Mortgage Servicing Companies’ and Bank’s activities with respect to compliance with
Mortgage Electronic Systems (“MERS”) Requirements. Further details regarding the
MERS Plan are outlined in the Action Plans for Article 9, sections (a) through (g).
A review was completed by HBIO and HBUS in February 2011 to evaluate
compliance with MERS Requirements and to identify processes requiring further
enhancement. The review resulted in updating the MERS HSBC Consumer Mortgage
Lending Quality Assurance Plan (“QA Plan”), and will be ongoing as MERS
requirements change. Since conducting this review, MERS announced a
reassessment of many policies. MERS issued an Announcement 2011-06 on June
17, 2011 which describes the procedural changes taking place between now and
February 27, 2012, in the Transitional Procedures Manual and the Transitional Quality
Assurance Procedures Manual. Additionally, MERS issued a Training Bulletin 201103, on July 1, 2011, which outlines the amendments MERSCORP is making to these
procedures based on Member feedback received at the MERS 2011 User
Conference, which was attended by HSBC representatives. In accordance with
MERS Announcement 2011-06 and MERS Training Bulletin Number 2011-03, HBIO
and HBUS intend to update policies and procedures to comply with newly established
MERS Requirements and timelines.
In accordance with MERS Announcement 2011-06, HBIO and HBUS are developing
enhanced reconciliation reporting to support the Transitional Quality Assurance (“QA”)
Procedures Manual and new reconciliation components. The QA Plan conducted by
the business is discussed in further detail in sections (a) through (g). In addition,
enhancements are being made to the reconciliation reports to align with updated
MERS Requirements.
HBIO and HBUS, led by the Senior Vice President of Servicing Administration, have
identified existing processes that address requirements of the Order and areas
requiring further enhancement. The results of this analysis include, without limitation,
Page 2
Privileged and Confidential
Restricted
the following:
Existing Processes
Required Enhancements
• Processes which provide control and
oversight regarding membership
registration and approval of HBIO
and HBUS employees and third-party
vendors through the MERS Corporate
Resolution process (see Articles 9(a),
9(c), 9(d))
• Updating MERS QA Plan to ensure
compliance with newly established
MERS Requirements (see Articles
9(a)-(g))
• Enhanced the MERS Quality
Assurance (“QA”) Plan as of May 13,
2011, to include a quarterly validation
of all MERS Corporate Resolution
Management System (“CRMS”)
authorized Certifying Officers.
• Enhance reconciliation reporting to
comply with updated MERS
Requirements
• Enhance Data reviews in accordance
with MERS Training Bulletin Number
2011-03, to identify and correct
exceptions found in reviews of
MERS,
and
• Validating and updating existing
MERS operating procedures to
ensure compliance with MERS
Requirements, (see Articles 9(a),
9(c), 9(d), 9(e))
Documents to be submitted with the Action Plan
x Refer to Action Plans for Article 9, sections (a) through (g)
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 3
Privileged and Confidential
Restricted
Articles 9(a), 9(c), 9(d)
VI.1.a
Corresponding
OCC Article:
Processes to ensure that all mortgage assignments and endorsements with respect to
mortgage loans serviced or owned by the Mortgage Servicing Companies out of
MERS’ name are executed only by a certifying officer authorized by MERS and
approved by the Mortgage Servicing Companies;
Article 9(c)
VI.1.c
FRB Order Reference:
Corresponding
OCC Article:
processes to ensure that the Mortgage Servicing Companies maintain up-to-date
corporate resolutions from MERS for all Mortgage Servicing Companies employees
and third-parties who are certifying officers authorized by MERS, and up-to-date lists
of MERS certifying officers;
Article 9(d)
VI.1.d
FRB Order Reference:
Corresponding
OCC Article:
processes to ensure compliance with all MERS Requirements and with the
requirements of the MERS Corporate Resolution Management System;
FRB Order Reference:
Article 9(a)
Action Plan
The Mortgage Servicing Companies and HBUS have existing processes in place to
ensure that all mortgage assignments (out of MERS name) and endorsements with
respect to mortgage loans serviced or owned by the Mortgage Servicing Companies
or the Bank are executed only by a certifying officer authorized by MERS and
approved by HBIO or HBUS, as appropriate. Additionally, HBIO and HBUS have
existing processes to ensure that they maintain (1) up-to-date corporate resolutions
from MERS for all HBIO and HBUS employees and third-parties who are certifying
officers authorized by MERS, (2) up-to-date lists of MERS certifying officers, and (3)
compliance with the requirements of the MERS Corporate Resolution Management
System. Also, HBIO and HBUS have enhanced the QA Plan, as discussed below and
identified throughout the Action Plan in response to Article 9, in order to comply with
the requirements of the Order and MERS quality standards.
The QA Plan is a first line of defense pursuant to which quarterly audits are conducted
to ensure MERS quality standards are maintained. Processes and validations within
the QA Plan are conducted by HSBC MERS personnel (MERS analyst), reporting to
the VP of Records Administration. The MERS analyst utilizes a quality review
checklist for the multiple section audits. The reviews cover the following areas:
x MOM Registration (“MERS as Original Mortgagee”) – validates accurate
registration of MOM loans
x Non-MOM Registration (“Non MERS as Original Mortgagee”) – validates
accurate registration of Non-MOM loans and possession of an assignment
to MERS
Page 4
Privileged and Confidential
Restricted
x
Registration Reversals - validates removal of loans improperly registered
with MERS or required to address Agency Investor updates (Fannie Mae)
x Lien Release - validates issuance of a lien release out of MERS and Paid in
Full status on MERS
x Modifications and Assumptions - validates CEMA and MERS information on
recorded modification agreements
x Foreclosure - validates legacy process on Foreclosure Option 1 and Option
2 loans on MERS
x Business Initiated Deactivation - validates assignment out of MERS and
deactivation on the Servicing System and MERS system for loans in Default
x Transfer of Beneficial Rights - validates transfer of data to a new Investor
x Transfer of Servicing Rights - validates transfer of data to a new Servicer
x Transfer to Non-MERS member - validates assignment out of MERS and
deactivation on the Servicing System and MERS system for loans in Default
x Deactivation Pay-off - validates issuance of a lien release on a short sale,
charge off. Legacy practice was to deactivate a Deed in Lieu via a lien
release
x Administration – validate the addition and removal of MERS Certifying
Officers, in addition to reviewing MERS view and update system access
x Monthly Reconciliation - note that this component of the Quality Assurance
Plan will not be implemented until the new reconciliation reports become
available in October 2011 and are implemented into the overall program in
the 4Q2011. This reconciliation will be a comparison of data from the
HSBC servicing system to the MERS system, as well as a loan count
validation
The audit and validation results are documented and reviewed by MERS senior
management. Please see MERS HSBC Consumer Mortgage Lending Quality
Assurance Plan in its entirety for all of the steps performed during the MERS QA Plan.
As a result of MERS’ policy reassessment, some of the MERS Requirements will
change from now through February 2012. The MERS QA Plan and procedures will
be updated accordingly, as MERS continues to enhance and update business
operations and requirements.
Existing Processes / Programs:
HBIO and HBUS have procedures in place designed such that mortgage assignments
(out of MERS’ name) with respect to mortgage loans serviced or owned by the
Mortgage Servicing Companies or the Bank are executed only by a certifying officer
authorized by MERS and approved by HBIO or HBUS, as appropriate. HBIO and
HBUS enhanced and centralized this function, so that the appropriate MERS
certifying officers are solely responsible for executing these documents.
As part of the enhanced MERS QA Plan, noted above, completed as of May 13, 2011,
HBIO and HBUS completed a quarterly validation of all MERS Corporate Resolution
Management System (“CRMS”) authorized Certifying Officers. As this was a new
Page 5
Privileged and Confidential
Restricted
process, the initial audits and validations conducted by HSBC were completed
monthly for April, May, and June. However for future audits, HSBC will sample the
loan population on a quarterly basis as indicated within the QA Plan (page 5) by
aggregating a random sample of loans for the months of July through September.
HBIO and HBUS created a Legal Entity Review and Assignment/Lien Validation
process in March 2011 to review all loans in preparation for submission to the
foreclosure referral team. The Legal Entity Review (“LER”) Team reviews the chain of
title for the mortgages or deeds of trusts to transfer applicable security instruments out
of the name of the lien holders of record (e.g., MERS) into the appropriate legal entity.
The assignment validation process is completed to ensure that the documents have
been executed by approved MERS Certifying Officers. An additional control to ensure
the execution of the assignment by a MERS Certifying Officer is the entry of these
authorized individuals into the
which generates the assignments and
lien releases. Please see Legal Entity Review and Assignment Validation (C & D)
Population Procedure CML, pages 1 through 24, for the detailed process about the
centralized execution of assignments.
HBIO and HBUS implemented a daily reconciliation review of key reports to ensure
compliance with MERS requirements and to resolve any exceptions cited. Please see
MERS Daily Reports Handling Procedure All for all of the steps required during the
MERS team’s review and working of all activity related to MERS transactions. The
QA team monitors transactions as defined in the QA Plan. The results of these
reviews are summarized, with exception rates and remediation steps defined, and
presented to the SVP – Servicing Administration. Please see page 3 of 8 of the MERS
Administration Procedure All, attached hereto, for more detailed procedures related to
ensuring that only authorized certifying officers execute mortgage assignments.
HBIO and HBUS also have processes in place to maintain up-to-date corporate
resolutions and lists of MERS certifying officers. As a part of the QA process, HBIO
and HBUS maintain a comprehensive list of the MERS certifying officers and
applicable corporate resolutions, both internally and within the MERS Corporate
Resolution Management System (“CRMS”). The CRMS Validation includes validation
of HBIO and HBUS Certifying Officers as well as ensuring that Third-Party vendors
are registered on CRMS have successfully passed the MERS test, and the third-party
vendors have executed new Tri-Party Agreements with MERS and HBIO and HBUS.
Also, CRMS Validation includes ensuring that MERS has provided a Corporate
Resolution confirming that the individuals who passed the MERS test on CRMS are
authorized to sign on behalf of MERS as a Certifying Officer. The MERS Certifying
Officer List is validated quarterly by the QA Analyst, who reports to the Vice President
of MERS Operations. Additions and deletions are submitted to MERS via CRMS to
ensure it is up-to-date (see MERS Administrative Procedure ALL– subsection Monthly
Validation of MERS Certified Officers, page 3 of 8, attached hereto). HBIO and
HBUS, via the MERS centralized administration function, also receive updated
corporate resolutions via CRMS. Once received, HBIO and HBUS maintain the
corporate resolutions in electronic and paper form for reference.
Page 6
Privileged and Confidential
Restricted
As of June 13, 2011, HBUS notified their MERS CRMS approved third-party vendors
that they were no longer authorized to execute documents on behalf of HSBC. On
June 20, 2011, HSBC cancelled the tri-party agreements with the third-party vendors.
HBUS received confirmation from MERS on July 13, 2011 that MERS had updated
their CRMS systems to remove the signing authority of these third-party vendors.
Currently, HBIO and HBUS employees are in compliance with the MERS certifying
officer approval procedures. Employees must first be appointed to be a certifying
officer, register on CRMS, pass the appropriate tests, and then have a corporate
resolution issued by MERS. Additionally, employees leaving HBIO or HBUS have
their signing authority removed through CRMS. Refer to MERS Administration
Procedure ALL pages 2 and 3 for the steps performed for removing signing authority
of employees leaving HBIO or HBUS through CRMS.
HBIO and HBUS have taken steps designed to comply with all MERS requirements
by revalidating and updating existing MERS operating procedures with the latest
CRMS requirements related to third-party management (see MERS Administrative
Procedure ALL – subsection Adding and Deleting USERS in the CRMS System,
pages 2 and 3 for the steps performed for adding and deleting employees signing
authority through CRMS). HBIO and HBUS are in compliance with the CRMS
requirements based on senior management’s review of the procedures and the
CRMS requirements.
To achieve and maintain compliance, in February 2011 HBIO and HBUS completed a
review of MERS’ policies and procedures that focused on the QA Plan and
operational procedures. As a result of the review, HBIO and HBUS have updated the
MERS operational procedures and QA Plan (see MERS HSBC Consumer Mortgage
Lending Quality Assurance Plan pages 6 through 18 and Article 9(a) which outlines
the QA Plan as a first line of defense) for the following areas:
x MERS daily and monthly reconciliations
o Although reconciliation procedures previously existed, management
determined that enhancements were required to fully comply with MERS
Requirements. See reconciliation procedures in MERS Monthly
Reconciliation Procedure ALL, and pages 29 through 32 of the MERS
HSBC Consumer Mortgage Lending Quality Assurance Plan
o The daily and monthly procedures were enhanced and additional reporting
requirements were identified. These additional reconciliation reports are
expected to be available for review by October 14, 2011. See
Enhancement to Processes / Programs below for additional detail on the
enhanced additional reporting. In addition, dedicated resources (MERS
Analysts) have been assigned to key MERS functions (i.e., operations and
QA Support). MERS Analysts are not certifying officers, nor must they
undergo a special certification process.
o Errors and open items are more formally tracked and monitored for
resolution. See page 32 of the MERS HSBC Consumer Mortgage Lending
Page 7
Privileged and Confidential
Restricted
Quality Assurance Plan for the reconciliation reports.
x Group Audit North America (“Group Audit”)
o Group Audit will complete its first annual independent testing of the control
structure of the system-to-system reconciliation process, the reject/warning
error correction process, and adherence to the company’s MERS Quality
Assurance Plan by December 31, 2011. (Please see Action Plans for
Articles 16(a), 17(d), and 17(e) for additional detail).
Procedures and validations within the QA Plan are conducted by HSBC MERS
personnel as a first line of defense for business operations. MERS personnel
responsible for fulfilling the QA Plan report to the SVP Servicing Administration.
Furthermore, HBIO and HBUS have enhanced the MERS QA Plan to incorporate the
validation of a sample of assignments to verify that they have been properly executed
by authorized HBIO and HBUS MERS certifying officers. This validation will be
completed quarterly. Requirements to produce the validation report have been
defined, and the report was delivered to the MERS QA team in June 2011.
Please see attached MERS Daily Reports Handling Procedure ALL and MERS
Monthly Reconciliation Procedure ALL for additional detail on the steps taken to
handle daily reports and perform monthly reconciliations. The MERS Daily Reports
Handling Procedure ALL details the processes to retrieve, archive, work, and save the
report information in order to confirm that the
system is maintained
daily according to standard. The MERS Monthly Reconciliation Procedure ALL
defines the requirements established by MERS as it relates to the monthly
reconciliation of the MERS accounts by MERS Org ID to HSBC’s servicing platform.
Enhancement to Processes / Programs:
As of September 12, 2011, to comply with new MERS Requirements submitted to
HBIO and HBUS in April 2011, HBIO and HBUS are enhancing three (3) reconciliation
reports. HBIO and HBUS are working with MERS to ensure compliance with HSBC
information security requirements, and as a result the enhanced reconciliation reports
are now targeted for implementation on October 14, 2011. The reports include the
following:
x MERS Monthly Reconciliation Report - Comparison of MERS accounts and
required MERS data elements on the HBIO and HBUS Servicing Platforms
(
to the MERS system of record.
x MERS One Time Audit/Reconciliation PCR23 - One Time update on the
MERS system to appropriately reflect the correct foreclosure option –
foreclose in the name of the legal entity (FC Opt 1) or foreclosure in the name
of MERS (FC Opt 2)
x MERS Monthly Deactivated Report PCR23 - Monthly reports of all
deactivated loans (Paid in Full, Charge-off, Deed in Lieu, short sales) which
will be utilized to support the Quality Assurance plan
Page 8
Privileged and Confidential
Restricted
A review was completed by HBIO and HBUS in February 2011 to evaluate
compliance with MERS Requirements and to identify processes requiring further
enhancement. Since conducting this review, MERS announced a reassessment of
many policies based on Member feedback received at the MERS 2011 User
Conference, which was attended by HBIO and HBUS representatives. More
specifically, based on MERS Announcement 2011-06 and Training Bulletin Number
2011-03, HBIO and HBUS are in the process of updating policies and procedures to
comply with the new MERS Requirements which will be ongoing through February
2012. To comply with any new MERS Requirements, HBIO and HBUS are
performing a gap analysis, to be completed by December 31, 2011, between existing
requirements and the new requirements, to identify necessary technology
enhancements, and update policies and procedures in accordance with MERS
timelines (February 2012).
Documents to be submitted with the Action Plan
x MERS Administration Procedure All
x MERS HSBC Consumer Mortgage Lending Quality Assurance Plan
x MERS Daily Reports Handling Procedure ALL
x MERS Monthly Reconciliation Procedure ALL
x Legal Entity Review and Assignment Validation (C & D) Population Procedure
CML
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 9
Privileged and Confidential
Restricted
Article 9(b)
VI.1.b
Corresponding
OCC Article:
processes to ensure that all other actions that may be taken by MERS certifying
officers (with respect to mortgage loans serviced or owned by the Mortgage Servicing
Companies) are executed by a certifying officer authorized by MERS and approved by
the Mortgage Servicing Companies;
Action Plan
FRB Order Reference:
Article 9(b)
HBIO and HBUS enhanced existing processes in a manner designed to ensure that
actions taken by MERS certifying officers are executed only by a certifying officer that
is authorized by MERS and approved by HBIO or HBUS, as appropriate.
Existing Processes / Programs:
HBIO and HBUS have enhanced the MERS QA Plan to ensure compliance with
enhanced MERS procedures as of the second quarter of 2011. The enhanced QA
plan incorporates the validation of a sample population of loans to verify the accounts
have been properly executed as defined in the procedures. Newly implemented
procedures support the following processes (See MERS HSBC Consumer Mortgage
Lending Quality Assurance Plan pages 6 through 18 and Article 9(a) which outlines
the QA Plan as a first line of defense):
x releasing the lien of any mortgage loan registered on MERS that is shown to
be registered to HBIO or HBUS;
x assigning the lien of any mortgage loan on MERS to the appropriate legal
entity prior to the initiation of a foreclosure action or the filing of a bankruptcy
proof of claim;
x assigning any mortgage loan to a non-MERS member; and
x executing those documents required to subordinate or modify any mortgage
loan registered on MERS that is shown to be registered to HBIO or HBUS.
The updated QA Plan was approved by MERS on May 13, 2011, and as detailed in
the MERS HSBC Consumer Mortgage Lending Quality Assurance Plan, each section
of the QA Plan contains validation steps for the MERS analyst to conduct in order to
comply with the MERS program requirements. For an example of an audit and
validation process that occurs during the quarterly QA Plan, see Modification
Agreements and Assumptions section, pages 13 and 14. The testing will occur on a
quarterly basis using standard checklists. Testing results will be documented and
reviewed by the SVP – Servicing Administration, and HBIO and HBUS will develop
corrective action plans as necessary
MERS QA testing for loan samples during the months of April, May, and June have
been completed and is currently under review by HBIO and HBUS management. The
findings and recommendations of the 2Q2011 MERS Quality Assurance Reviews will
be summarized for distribution to the regulators by October 31, 2011. Based on
Page 10
Privileged and Confidential
Restricted
testing results and findings, the MERS QA plan will be revised as appropriate.
Enhancement to Processes / Programs:
As a result of MERS’ policy reassessment, some of the MERS Requirements will
change from now through February 2012. To comply with any newly established
MERS Requirements, HBIO and HBUS intend to perform a gap analysis, to be
completed by December 31, 2011, between existing requirements and the new
requirements, to identify necessary technology enhancements, and update policies
and procedures in accordance with MERS timelines.
Documents to be submitted with the Action Plan
x MERS Administration Procedure All
x MERS HSBC Consumer Mortgage Lending Quality Assurance Plan
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 11
Privileged and Confidential
Restricted
Article 9(e)
VI.1.e
Corresponding
OCC Article:
processes to ensure the accuracy and reliability of data reported to MERS, including
monthly system-to-system reconciliations for all MERS mandatory reporting fields,
and daily capture of all rejects/warnings reports associated with registrations,
transfers, and status updates on open-item aging reports. Unresolved items must be
maintained on open-item aging reports and tracked until resolution. The Mortgage
Servicing Companies shall determine and report whether the foreclosures for loans
serviced by the Mortgage Servicing Companies that are currently pending in MERS’
name are accurate and how many are listed in error, and describe how and by when
the data on the MERS system will be corrected;
Action Plan
FRB Order Reference:
Article 9(e)
HBIO and HBUS reviewed and identified enhancements to processes in order to
ensure accurate and reliable data reports to MERSCORP, including monthly systemto-system reconciliations and daily capture of all rejects/warnings reports associated
with registrations, transfers, and status updates on open-item aging reports. They
have also reviewed and identified enhancements to processes to determine and
accurately report the appropriate foreclosure status for current and inactive loans on
the MERS system.
Also, HBIO
and HBUS are enhancing, as necessary, procedures related to the transmission of
accurate and reliable data to MERSCORP, as required by the Order.
Existing Processes / Programs:
In an effort to better identify errors, HBIO and HBUS have enhanced operating
procedures defining MERS’ reconciliation requirements and the related exception
reporting. These enhancements are being implemented in phases, as personnel are
being trained and reporting requirements are defined and developed. Please see
attached MERS Daily Reports Handling Procedure ALL, MERS Monthly
Reconciliation Procedure ALL, and MERS HSBC Consumer Mortgage Lending
Quality Assurance Plan for a complete description of the procedures personnel utilize
for MERS reconciliation. The MERS Daily Reports Handling Procedure ALL details
the processes to retrieve, archive, work, and save the report information in order to
confirm that the
system is maintained according to standard. See
pages 1 through 6 of the MERS Daily Reports Handling Procedure ALL. The MERS
Monthly Reconciliation Procedure ALL defines the requirements established by MERS
as it relates to the monthly reconciliation of the MERS accounts by MERS Org ID to
HSBC’s servicing platform. See Article 9(a) and The MERS HSBC Consumer
Mortgage Lending Quality Assurance Plan in its entirety for all of the steps performed
in the QA Plan. For an example of an audit and validation process that occurs during
the quarterly QA Plan, see Lien Release section, pages 11 and 12.
Page 12
Privileged and Confidential
Restricted
In accordance with MERS Training Bulletin Number 2011-03, issued on July 1, 2011,
data reviews will only be applicable to active MERS loans. When the Draft Action
Plan was submitted, MERS had not yet defined the final requirements for the Inactive
(Deactivated) Loans, so HSBC used the preliminary feedback from MERS which was
a two year period (January 2009 – January 2011). In accordance with MERS
Training Bulletin Number 2011-03, data reviews will only be applicable to Active
MERS loans. Document reviews will now only include loans no more than one year
post-deactivation which encompass the Inactive (Deactivated) Loans. As a result of
this notification, HSBC will comply with MERS’s requirements as to which Active and
Inactive (Deactivated) Loans require validation. HBIO and HBUS plan completion of
the steps necessary to correct the identified exceptions on both MERS and the
Page 13
Privileged and Confidential
Restricted
applicable Servicing System no later than the first quarter of 2012. To meet this
deadline, HBIO and HBUS are dependent on the ability to obtain legacy data related
to the foreclosure assignments. Legacy data is dependent upon a process that
requires a review of state foreclosure documents, validation of an assignment out of
MERS, and a determination of whether an assignment out of MERS needs to be
created. In addition, management has identified charge offs, short sales, deed-in-lieu,
and servicing transfer transactions where a lien release, assignment, or MERS update
will need to be created and/or recorded. HBIO and HBUS have engaged outside
vendor Core Logic as of August 16, 2011, to assist in researching segments of the
overall exception population related to second lien loans. HBIO and HBUS have
delivered a test file of approximately
loans as of August 17, 2011. HBIO and
HBUS conducted a quality review of the Core Logic results. The results validated that
loans targeted for deactivation due to the foreclosure of the first lien were appropriate.
Loans remaining on the Core Logic report are in the process of being assigned out of
MERS and deactivated on the MERS system. A second file of
second lien loans
was delivered to Core Logic on September 9, 2011. A third file of approximately
loans was delivered to Core Logic on September 20, 2011. A fourth file of
approximately
loans was delivered to Core Logic on September 27, 2011.
The details regarding the status of these files are conveyed in the bi-weekly MERS
Reconciliation Update dated September 30, 2011.
HBIO and HBUS have and will continue to provide bi-weekly progress updates to the
FRB related to the Article 9(e) MERS reconciliation. Management reviewed its
reconciliation process in the context of the Order requirements to obtain comfort that
the current processes meet the requirements or implemented enhancements
accordingly.
Enhancement to Processes / Programs:
As of September 12, 2011, operational procedures to address the handling of charge
offs, short sales, deed-in-lieu and servicing transfer transactions where a lien release,
assignment or MERS system update is required are in the process of being reviewed
and updated to ensure compliance with MERS requirements. Legacy matters are
under review and will be addressed by the first quarter of 2012
As a result of MERS’ policy reassessment, some of the MERS Requirements will
change from now through February 2012. To comply with any newly established
MERS Requirements, HBIO and HBUS intend to perform a gap analysis, to be
completed by December 31, 2011, between existing requirements and the new
requirements, to identify necessary technology enhancements, and update policies
and procedures in accordance with MERS timelines.
Documents to be submitted with the Action Plan
x MERS Daily Reports Handling Procedure ALL
x MERS Monthly Reconciliation Procedure ALL
x MERS HSBC Mortgage Corporation Quality Assurance Plan
Page 14
Privileged and Confidential
Restricted
x
MERS HSBC Consumer Mortgage Lending Quality Assurance Plan
Additional documents completed for re-submission of Action Plan
x MERS Reconciliation Update – June 27, 2011
x MERS Reconciliation Update – July 11, 2011
x MERS Reconciliation Update – July 22, 2011
x MERS Reconciliation Update – August 5, 2011
x MERS Reconciliation Update – August 22, 2011
x MERS Reconciliation Update – September 6, 2011
x MERS Reconciliation Update – September 16, 2011
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 15
Privileged and Confidential
Restricted
Article 9(f)
VI.1.f
Corresponding
OCC Article:
an appropriate MERS quality assurance workplan, which clearly describes all tests,
test frequency, sampling methods, responsible parties, and the expected process for
open-item follow-up, and includes an annual independent test of the control structure
of the system-to-system reconciliation process, the reject/warning error correction
process, and adherence to the MERS Plan; and
Action Plan
FRB Order Reference:
Article 9(f)
HBIO and HBUS have enhanced the QA Plan as noted in Article 9(a) (See MERS
HSBC Consumer Mortgage Lending Quality Assurance Plan), which describes all
tests, test frequency, sampling methods, responsible parties, and the expected
process for open-item follow-up. Also, the QA Plan includes an annual independent
test of the control structure of the system-to-system reconciliation process and the
reject/warning error correction process, as required by the Order.
Existing Processes / Programs:
HBIO and HBUS have enhanced the MERS QA Plan to address the corrective actions
described in the Order. The updated QA Plan was approved by MERS on May 13,
2011. As detailed in Article 9(a) and the attached MERS HSBC Consumer Mortgage
Lending Quality Assurance Plan, each section of the QA Plan contains validation
steps for the MERS analyst to conduct in order to comply with the MERS program
requirements. The testing, which will occur on a quarterly basis using standard
checklists, will include the examination of a statistical sample of loans. Testing results
will be documented and reviewed by the SVP – Servicing Administration, and HBIO
and HBUS will develop corrective action plans as necessary.
Group Audit North America was consulted to ensure that the approach and framework
of the enhanced MERS QA Plan is reasonable. Group Audit will complete its first
annual independent testing of the control structure of the system-to-system
reconciliation process, the reject/warning error correction process, and adherence to
the company’s MERS QA Plan by December 31, 2011. As noted above in Article
9(b), HSBC MERS Management will provide an update of overall findings and actions
through 2Q2011 by October 31, 2011 to the regulators. The QA Plan was submitted
to MERS on April 18, 2011 for ORG ID
and on April 27, 2011, for ORG ID
and
MERS provided feedback on May 12, 2011,
Updates were provided to MERS
on May 13, 2011. MERS approved the QA Plan on May 13, 2011.
Management reviewed the QA Plan to ensure the aforementioned processes were
accurate and also compared the plan to the requirements of the Order to ensure that
the existing and enhanced processes fulfilled the requirements of the Order.
Page 16
Privileged and Confidential
Restricted
Enhancement to Processes / Programs:
As a result of MERS’ policy reassessment, some of the MERS Requirements will
change from now through February 2012. To comply with any newly established
MERS Requirements, HBIO and HBUS intend to perform a gap analysis, identify
necessary technology enhancements, and update policies and procedures in
accordance with MERS timelines.
Documents to be submitted with the Action Plan
x MERS HSBC Consumer Mortgage Lending Quality Assurance Plan
Key HSBC Contacts for the Action Plan
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
Page 17
Privileged and Confidential
Restricted
Article 9(g)
VI.2
Corresponding
OCC Article:
inclusion of MERS in the Mortgage Servicing Companies’ third-party vendor
management process, which shall include a detailed analysis of potential
vulnerabilities, including information security, business continuity, and vendor viability
assessments.
Action Plan
FRB Order Reference:
Article 9(g)
MERS and MERSCORP are included in the HNAH third-party vendor management
process, which includes a detailed analysis of potential vulnerabilities, including
information security, business continuity, and vendor viability assessments, as
required by the Order.
Existing Processes / Programs:
In May 2011, a
(“
was initiated as
part of the Legacy Relationship Management Project (“LRM”). The
consists of
a list of questions to determine if a vendor such as MERS has the potential to access
restricted or highly restricted data, HBIO and HBUS systems, contracts for the
disposal of restricted/highly restricted information (secure waste), and/or has access
to the brand or logo by means of hosting a website. Depending on the answers to
these questions, Information Security Risk (“ISR”) will assess whether a Third Party
Security Review (“TPSR”) is required with respect to the vendor.
Additionally, the
following assessments were completed on MERS as of September 12, 2011, in
accordance with the Consent Order Action Plans:
x Financial Analysis (FA) and Business Analysis (BA) – Reviews completed to
ensure HBIO and HBUS understand the business reputation and financial
health of MERS post-contract which are updated over the life of the
relationship (see DB Comprehensive Report MORTGAGE ELECTRONIC
REGISTRATION and World Check MORTGAGE ELECTRONIC
REGISTRATION SYSTEMS INC).
x Business Continuity Planning (BCP) – HBIO and HBUS will assign all
mortgages out of MERS should MERS be permanently unable to provide the
services agreed upon in the contract (see Vendor Third Party Service
Provider Business Risk Assessment Survey and Vendor Risk Management Business Continuity Disaster Recovery). Preparation of assignments can be
obtained from alternate vendors.
x Agreement Review – The MERS membership agreements and MERS rules
and procedures were reviewed by internal counsel. The agreements and the
Page 18
Privileged and Confidential
Restricted
rules and procedures are standard and generally the same for all MERS
members. Internal counsel also participates in calls where proposed
amendments to MERS rules, if any, are discussed. Additionally, internal
counsel participates in a weekly call where developments and issues arising
out of litigation affecting MERS and its members are discussed. Business
and internal counsel also participate in regularly scheduled calls with MERS
management where a variety of topics, including operations, are discussed.
HNAH Compliance and Group Audit North America provide additional control and
oversight over the third-party management processes.
For additional details related to the third-party vendor management process, refer to
the Action Plans for Article 6.
Enhancement to Processes / Programs:
HSBC business and internal counsel will continue to participate in the regularly
scheduled calls with MERS management. As noted above, discussions will include
but are not limited to arising litigation affecting MERS and its members, as well as
business operations between MERS and HSBC.
Existing processes and programs are currently in place to comply with this
requirement of the Order and, at this time, further enhancements are not deemed
necessary.
Documents to be submitted with the Action Plan
x HSBC - North America Business Continuity Management Policy Operations
x HSBC - North America Information Security Risk Policy Risk Management
x HSBC - North America Vendor Risk Management (VRM) Policy
x HSBC North America Vendor Risk Management (VRM) PROCEDURES
Additional documents completed for re-submission of Action Plan
x DB Comprehensive Report MORTGAGE ELECTRONIC REGISTRATION
x World Check MORTGAGE ELECTRONIC REGISTRATION SYSTEMS INC
x Vendor Third Party Service Provider Business Risk Assessment Survey
x Vendor Risk Management - Business Continuity Disaster Recovery
x
PT-001805 (MERS)
x Assessment Summary (TPSR)
Key HSBC Contacts for the Action Plan
x
, SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
, SVP Vendor Risk Management
Page 19
Privileged and Confidential
Restricted
Page 20
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
MIS
Final Pending Approval from the Compliance Committee
September 30, 2011
Privileged and Confidential
Restricted
Section 8: Management Information System
Article 10
FRB Order Reference:
Article 10
Corresponding
VIII.1
OCC Article:
Within 60 days of this Order, HBIO shall submit to the Reserve Bank an acceptable
plan and timeline for the review and remediation, as necessary, of the Mortgage
Servicing Companies’ management information systems (“MIS”) for their residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities to ensure the
timely delivery of complete and accurate information to permit effective decisionmaking. The plan shall, at a minimum, provide for:
Action Plan
HBIO and HBUS have created more than 35 key reports and continue to enhance
executive reporting to include MIS for Loss Mitigation, foreclosure, MERS, Residential
Mortgage Servicing, and bankruptcy to improve visibility into processing, monitor
compliance with applicable Legal Requirements and supervisory guidance (including
requirements of the Order), and to ensure ongoing accuracy of records for all serviced
mortgages. HBIO and HBUS are also enhancing testing to ensure the integrity and
accuracy of MIS reporting to fully comply with the Order. HBIO and HBUS have
designed a plan for enhancing MIS for Residential Mortgage Servicing, Loss
Mitigation, loan modification, foreclosure, and MERS activities. The plan is intended to
ensure timely delivery of complete and accurate information to permit effective
decision-making. Further details regarding the MIS plan are outlined in the Action
Plans for Article 10, sections (a) through (e).
As of September 12, 2011, HBIO and HBUS have completed key deliverables
outlined in the Action Plans for Article 10, sections (a) through (e). Supplemental
reporting is targeted for completion by November 30, 2011, to be updated as design
sessions are completed.
A comparison of existing reporting to the requirements of the Order was performed to
identify where existing MIS processes satisfy the requirements of the Order and
identify areas where enhancement is necessary. While the analysis is described
further in Articles 10(a)-(e), the results of this analysis include, without limitation, the
following (please see the next page):
Page 2
Privileged and Confidential
Restricted
Existing Processes
Required Enhancements
• High-level reporting on performance
tracking, volume, analytics and
financials
• Enhancing business reporting to
provide greater visibility into
Foreclosure, MERS activities, Fees,
Bankruptcy and Quality Control
Reviews
• Daily agent productivity, inventory
and exception-based reporting
• Monthly Board of Directors reporting
package which includes eight new
key Compliance reports detailed in
Article 10(a) and key mortgage loan
servicing operational metrics
• Developed over 35 key MIS reports
providing greater visibility into
Foreclosure Affidavit Processing,
MERS, Single Point of Contact
(SPOC), Legal Entity Validation and
Third Party Management
Documents to be submitted with the Action Plan
x Also refer to Action Plans for Article 10, sections (a) through (e)
x
Regional Head of Retail Collections
Page 3
Privileged and Confidential
Restricted
Article 10(a)
FRB Order Reference:
Article 10(a)
Corresponding
VIII.1.a
OCC Article:
A description of the various MIS used or to be used by the Mortgage Servicing
Companies;
Action Plan
A series of design sessions were conducted with representatives from Residential
Mortgage Servicing management, Compliance and MIS to compare existing reports to
the requirements of the Order and to identify gaps in current reporting. As a result of
those design sessions, HBIO and HBUS have identified the need for and developed
over 35 key reports and continue to enhance executive reporting to include the
relevant MIS components for Residential Mortgage Servicing, Loss Mitigation, loan
modification, foreclosure, or MERS activities to meet the Order requirements.
Existing Processes / Programs:
HBIO utilizes the existing Foreclosure Flash Report and both HBIO and HBUS utilize
the Loan Modification Flash Report and the Mortgage Corporation Governance
Review Deck (See Mortgage Corporation Governance Review North America Risk
report example in its entirety to illustrate the aforementioned reports) to provide senior
management with metrics for mortgage activities. These reports are the primary
supporting documents for compilation of the monthly Board Reporting package,
further described in the Enhancements section below.
The Foreclosure Flash Report highlights performance tracking, analytics, and
financials, including but not limited to the volume of foreclosure referrals, foreclosure
inventory, foreclosure timelines, the affidavit pipeline, rescinded sales, foreclosure
outflow, short sale and deed-in-lieu volume, third-party sales, severity rates, SCRA
account volumes, and the impact of corporate advances (see CONSUMER AND
MORTGAGE LENDING AND MORTGAGE CORPORATION - FORECLOSURE
FLASH JUNE 2011).
The Loan Modification Flash Report provides a summary of modification volume,
analytics, and financials, including modification and re-aged volumes, modification
inventory, application turnaround time for HBIO's CML Foreclosure Avoidance
Program (“FAP”), CML FAP application volume and approval and activation rates,
modification recidivism, and modification payment relief rates (see CONSUMER AND
MORTGAGE LENDING MODIFICATION AND RE-AGE FLASH REPORT MAY
2011).
The Mortgage Corporation Governance Review Deck (HBUS metrics only) covers
delinquency performance, financials, productivity measures (dialer penetration and
abandon percentage) as well as a summary of loan modifications (see Mortgage
Corporation Governance Review North America Risk in its entirety). The report also
Page 4
Privileged and Confidential
Restricted
covers other metrics such as short sales, recidivism and REO.
In addition, HBIO and HBUS plan to maintain their existing daily operational reports
for Loss Mitigation, loan modification, foreclosure, and MERS processing activities.
These reports include but are not limited to:
x Agent Productivity Report – Tracks daily and month-to-date agent-level
performance by key metrics defined by the business.
x Inventory Report – Includes reporting on the pipeline of loans throughout
the foreclosure, Loss Mitigation, MERS and loan modification processes.
x Exception Based Reports – A control report to ensure proper adherence to
internal policy and procedures and regulatory requirements
x Mortgage Corporation Governance Review North America Risk –
summarizes key operating results highlighting performance, productivity,
loss mitigation, foreclosure, and REO on a monthly basis
x REO Dashboard and Pipeline Reports – (Foreclosure) provides state-bystate statistics for CML foreclosure inventory
x REO Inflow and Outflow Inventory – (REO) provides month-over-month
view of new REO and REO disposition by dollars and count
x Sales Analysis – (REO) details month-over-month statistics on CML and
Mortgage Corp REO disposition
x Approved Inventory Reports – (Loss Mitigation) monitors accounts in the
modification trial period for qualifying payments
x Monthly Mod CIT TAT Report – (Loss Mitigation) summarizes turnaround
time, or TAT, from modification trial completion to activation
x County Compliance Risk Outstanding Report - 10 day – (Servicing, Lien
Release) identifies paid in full loans for which lien release is pending with
the county
x Daily Escrow Team CIT Tracking Report – (Servicing) tracks outstanding
Customer Inquiry Tracking tasks assigned to the escrow team
x Care Services Performance Summary – (Customer Service) summarizes
key performance and efficiency metrics related to customer service
As noted above, a series of design sessions were conducted with representatives
from Residential Mortgage Servicing management, Compliance and MIS to compare
existing reports to the requirements of the Order and to identify gaps in current
reporting. As a result, the following key MIS reports were recently developed as of
September 2011 (please see attached OCC_FRB Key Reports - 09_12_11):
SPOC Reporting (8 daily reports to support the SPOC specialist team within Loss
Mitigation):
x SPOC STIP INVENTORY REPORT
ACCTS AS OF 26SEP11 - identify
accounts within the Stipulation Process, for follow-up purposes.
x MTD HMC SPOC INVENTORY BY ISSUE REPORT – provides the total
number of open/closed tasks processed during the month.
x MTD HMC SPOC INVENTORY BY DAY REPORT – provides the average
Page 5
Privileged and Confidential
Restricted
x
x
x
x
x
number of issues presented and managed by the SPOC Mortgage
Servicing Specialist daily.
MTD HMC SPOC TURN AROUND TIME REPORT – details the time it
takes to work each task managed by the SPOC Mortgage Servicing
Specialist.
MTD HMC SPOC VOLUME REPORT BY CONTACT - REASON RESOLUTION CODE REPORT – provides the number of contacts made
within the SPOC process to manage volumes and capacity.
SPOC STIP INVENTORY REPORT
ACCTS AS OF 25SEP11 –
identifies accounts within the Stipulation Process, for follow-up purposes.
ELM SPOC WAS - IS REPORT;
PROACTIVE SPOC WAS - IS
REPORT;
ELM SPOC WAS - IS REPORT;
PROACTIVE SPOC
WAS - IS REPORT – provide visibility to accounts that flow out of the
SPOC process.
HMS SPOC MISSING LIQ ASSIGNMENT REPORT;
SPOC MISSING
LIQ ASSIGNMENT REPORT; CLMS SPOC MISSING LIQ ASSIGNMENT
REPORT - identify accounts that are in a Loss Mitigation and/or
Foreclosure status that were not assigned to a designated SPOC Mortgage
Servicing Specialist.
Foreclosure Reporting (12 daily reports to support the Foreclosure team):
x Affidavit Fee Exceptions - provides completed affidavits with advances that
should be classified as non-recoverable.
x
AFFIDAVIT PENDING - 26SEP11– manages document
pipeline to ensure accounts are moving through the established document
execution process.
x AFF RECEIVED OR EXECUTED - IS34718 – an exception report that
identifies non foreclosure accounts with an affidavit draft request or
executed docs to ensure proper execution of the account (i.e. proceed with
foreclosure or decline affidavit request).
x EXECUTED AFFIDAVIT REPORT (EAR) – reconciles completed affidavits
in the tracking database to the system of record.
x ACTIVE FCL RECON BTW INTERNAL SYS AND
MANUAL REVIEW
REQUIRED; ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN INTERNAL SYS - NOT ACTIVE FCL IN
ACTIVE FCL
RECON BTW INTERNAL SYS AND
ACTIVE FCL IN INTERNAL SYS
- NOT ACTIVE FCL IN INTERNAL SYS - reconcile active foreclosure
accounts on the system of record to
x AFFIDAVIT IN PROCESS REPORT– details accounts requiring legal
guidance or review prior to drafting or executing documents such as
affidavits, certifications, declarations, etc.
x PEAR RECONCILIATION REPORT- reconciles pending execution of
affidavits on the system of record to
x QC ACCEPTED REVIEW REPORT– monitors accounts flowing through the
pipeline as the process was designed; details documents are reviewed
Page 6
Privileged and Confidential
Restricted
x
within established timelines; identifies accounts pending document drafts,
which have not been sent over for quality review; and details all documents
that have been reviewed and notated by quality review
FEES WAIVED BY FCL REP WITHOUT AFFIDAVIT RECEIVED - captures
accounts where the employee has waived a fee outside of the procedural
guidelines.
Legal Entity Validation Reporting (4 daily reports to support the Records
Management team):
x
Assignment Confirmation Tracking – details assignments that have
been sent to Records but not confirmed in
is an application
used to track and prepare mortgage releases and assignments.
x
Assignment Recording Cost Report– provides a monthly summary of
recording fees disbursed on assignments for expense purposes.
x
Assignments Pipeline – identifies assignments that have not been
sent to the County or State
x
Assignments Completion Report – identifies completed assignments
in
Third Party Management Reporting (2 daily reports to support the Vendor
Management teams):
x CLMS DISBURSEMENTS-GLOBAL-ATTORNEY EXPENSE CODES 25SEP11; CLMS DISBURSEMENTS-DRM- ATTORNEY EXPENSE
CODES - 25SEP11- reviews the reasonability, recoverability and frequency
of the attorney’s fees and costs.
x
REO INVOICES ENTERED - 25SEP11- reviews the reasonability,
recoverability and frequency of the attorney’s fees and costs.
Critical Operational Reporting (1 weekly report to support the Senior Management
team):
x Affidavit Execution Summary – monitors executed affidavit volume.
As of September 12, 2011, HBIO and HBUS have completed a monthly Board
Reporting package for the HNAH Board of Directors, the HNAH Risk Committee, and
the Executive Compliance Steering Committee of HBIO and HBUS to highlight HBIO
and HBUS foreclosure enhancement program status, compliance risk assessment
results and key operational metrics related to residential mortgage loan servicing,
Loss Mitigation, loan modification, foreclosure, and MERS activities. The Board
Reporting package was first presented on July 25, 2011, to the committees. The
Board Reporting package will continue to evolve as metrics are developed and
enhanced.
In addition to the reports mentioned above, 10 key monthly MIS reports were also
recently developed to support the Compliance metrics included in the Board
Reporting package (please see attached
& Board Deck Reporting, Foreclosure
Page 7
Privileged and Confidential
Restricted
and Account Servicing Review):
x SCRA Accounts Report (3) – identifies active SCRA accounts with an interest
rate greater than six percent, active accounts in foreclosure or REO status and
active accounts with inaccurate credit bureau reporting.
x Rescinded Foreclosure Sales Report – identifies rescinded foreclosure sales
as a percent of total foreclosure sales, by controllable, non-controllable, and
HBIO or HBUS decision
x Lost Note Affidavits – provides the number of lost note affidavits versus the
total number of note validations completed.
x Usury – analyzes the interest paid over the life of the loan to ensure the interest
amount was not excessive in regards to the state maximum.
x ARM Change Notice –ensures proper notification to borrower upon ARM rate
adjustment.
x Adverse Action – identifies accounts that have not been decisioned within 30
days or adverse action letter not sent within 30 days of application.
x Denial Letters – verifies that HSBC sends a letter to the customer within 5 days
of denial.
x Escrow Analysis – identifies accounts where escrow analysis has not been
completed on an annual basis.
In addition to the aforementioned reports, MERS Reporting is also utilized (9 reports)
– reconciles active and inactive loans between the MERS system and HSBC’s
servicing system. HSBC platforms included are
and
covering active and
inactive accounts in June and July, 2011. These platforms are used to compare
MERS accounts on the HSBC system to the MERS system of record. The following
reports, which reconcile active and inactive loans between the MERS system and
HSBC’s servicing system, are attached:
x MERS OB_HMS Compare Active
x MERS OB_HMS Compare Inactive
x MERS OB_CLMS Compare Active
x MERS OB_CLMS Compare Inactive
Enhancement to Processes / Programs:
HBIO and HBUS will expand the Board Reporting package as new MIS reports are
developed. Additional supplemental reporting will be in place by November 30,
2011.The following eight monthly Compliance-related reports are under
development for the HNAH Board of Directors at this time:
x Redemption Period Reporting – used to ensure adherence to redemption
period prior to transferring property into REO.
x Evictions – will identify accounts that fall outside the state time requirements
for evictions.
x BPO Fees – will identify accounts where a 2nd BPO was ordered within 90
days.
x Demand Letters – will be used to ensure accounts in foreclosure received
Page 8
Privileged and Confidential
Restricted
x
x
x
x
breach letter within state and federal guidelines.
State Specific Letters – will be used to ensure accounts in foreclosure
received breach letter within state guidelines.
Lender Placed Insurance (LPI) – will be used to verify customer receives
notification prior to placing insurance.
Late Fees – will be used to identify accounts in foreclosure to ensure fees
assessed comply with state and federal guidelines.
Modifications with no decision in 30 days – will be used to ensure all
applications for modifications receive notification of the decision within 30
days.
Additionally, the appropriate Mortgage Operations and MIS senior management have
reviewed the planned and any future MIS enhancements to ensure that they have
been created to meet the requirements of the Order.
Documents to be submitted with the Action Plan
x CONSUMER AND MORTGAGE LENDING AND MORTGAGE CORPORATION FORECLOSURE FLASH JUNE 2011
x CONSUMER AND MORTGAGE LENDING MODIFICATION AND RE-AGE FLASH
REPORT MAY 2011
x Mortgage Corporation Governance Review North America Risk
x FORECLOSURE AND REO PERFORMANCE DASHBOARD Default MIS
x REO Inflow Outflow Inventory
x Foreclosure and Account Servicing Review (see updated version below)
x POMONA REO SALES ANALYSIS May 2011 NorthAmericaRisk – MIS Default
Reporting
x HSBC MORTGAGE SERVICES CLMS APPROVED INVENTORY REPORT
x HSBC MORTGAGE SERVICES HMS APPROVED INVENTORY REPORT
x HSBC MORTGAGE SERVICES CLMS AND MOD PROCESSING TIME LINES
MONTHLY DASHBOARD
x County Compliance Risk Outstanding Report – 10 Days or Less Remaining HSBC
CONSUMER LENDING
x HSBC CONSUMER AND MORTGAGE LENDING INSURANCE AND ESCROW
CIT PRODUCTIVITY-MTD
x Summary of CML and MC Care Services Performance in June 2011
x Board Report - Detailed Metrics List
Additional documents completed for re-submission of Action Plan
x ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN
INTERNAL SYS - NOT ACTIVE FCL IN INTERNAL SYS
x ACTIVE FCL RECON BTW INTERNAL SYS AND
ACTIVE FCL IN
INTERNAL SYS - NOT ACTIVE FCL IN
x ACTIVE FCL RECON BTW INTERNAL SYS AND
MANUAL REVIEW
REQUIRED
x AFF RECEIVED OR EXECUTED - IS34718
Page 9
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
Affidavit Execution Summary
Affidavit Fee Exceptions
AFFIDAVIT IN PROCESS REPORT
ELM SPOC WAS - IS REPORT
PROACTIVE SPOC WAS - IS REPORT
REO INVOICES ENTERED - 25SEP11
SPOC MISSING LIQ ASSIGNMENT REPORT
CLMS DISBURSEMENTS-DRM- ATTORNEY EXPENSE CODES - 25SEP11
CLMS DISBURSEMENTS-GLOBAL-ATTORNEY EXPENSE CODES - 25SEP11
CLMS SPOC MISSING LIQ ASSIGNMENT REPORT
& Board Deck Reporting
EXECUTED AFFIDAVIT REPORT (EAR)
FEES WAIVED BY FCL REP WITHOUT AFFIDAVIT RECEIVED
Foreclosure and Account Servicing Review
HMS SPOC MISSING LIQ ASSIGNMENT REPORT
HSBC Consumer and Mortgage Lending Regulations and Risk Statement Gap
Analysis Results
MERS OB_CLMS Compare Active
MERS OB_CLMS Compare Inactive
MERS OB_HMS Compare Active
MERS OB_HMS Compare Inactive
AFFIDAVIT PENDING - 26SEP11
ELM SPOC WAS - IS REPORT
PROACTIVE SPOC WAS - IS REPORT
MTD HMC SPOC INVENTORY BY DAY
MTD HMC SPOC INVENTORY BY ISSUE REPORT
MTD HMC SPOC TURN AROUND TIME REPORT
MTD HMC SPOC VOLUME REPORT BY CONTACT - REASON - RESOLUTION
CODE REPORT
OCC_FRB Key Reports - 09_12_11
PEAR RECONCILIATION REPORT
QC ACCEPTED REVIEW REPORT
Assignment Confirmation Tracking
Assignment Recording Cost Report
Assignments Completion Report
Assignments Pipeline
SPOC STIP INVENTORY REPORT
ACCTS AS OF 26SEP11
SPOC STIP INVENTORY REPORT
ACCTS AS OF 25SEP11
Key HSBC Contacts for the Action Plan
x
Regional Head of Retail Collections
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 10
Privileged and Confidential
Restricted
x
x
SVP Default Services, Mortgage Servicing
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
x
, SVP General Compliance
Page 11
Privileged and Confidential
Restricted
Articles 10(b), 10(c), 10(d), 10(d).i
FRB Order Reference:
Article 10(b)
Corresponding
OCC Article:
N/A
a timetable for completion of the review;
FRB Order Reference:
Article 10(c)
Corresponding
OCC Article:
a timetable for the remediation of any identified deficiencies;
VIII.1.b.i
FRB Order Reference:
Article 10(d)
VIII.1.b.i
Corresponding
OCC Article:
new systems or enhancements to the MIS to:
FRB Order Reference:
Article 10(d).i
Corresponding
VIII.1.b.i
OCC Article:
monitor compliance with the Legal Requirements, supervisory guidance of the Board
of Governors, and the requirements of this Order;
Action Plan
HBIO and HBUS have processes in place to evaluate the MIS changes, upgrades,
and associated timetables necessary to monitor compliance with all applicable Legal
Requirements, supervisory guidance of the Board of Governors, and the requirements
of this Order.
Existing Processes / Programs:
The
(“
tool is currently utilized to store and
track applicable Legal Requirements and supervisory guidance.
is a database
implemented in 2005 to better organize Legal Requirements and the existing risk
statements and controls to ensure compliance with the noted requirements.
is
used to maintain record and store all Compliance detail level risks and regulations
identified by business management in conjunction with the Compliance Officers.
As of June 30, 2011, a
gap analysis was completed to ensure that risk
statements for all Legal Requirements that impact foreclosure, Loss Mitigation, and
mortgage servicing are documented within
The objective of the gap analysis
was two-fold: (1) to identify missing risk statements and (2) to identify control gaps for
all applicable risk statements. The final gap analysis report was published on August,
26, 2011. All gaps related to Default have been identified and updated into the
system. MIS report requirements were defined leveraging the
gap analysis
and conducting discussions with business owners. As of September 12, 2011, HBIO
and HBUS have developed four reports to support the additional risk statements
documented in
x
Reports (4 daily reports to support the Servicing and Foreclosure teams):
PIF Report (Escrow) - identifies loans that have paid in full and require a short
Page 12
Privileged and Confidential
Restricted
x
x
x
year escrow statement.
Interest on Escrow (IOE) Report - monitors our compliance with state
requirements for interest on escrow and confirms that interest is credited to the
escrow balance.
Enhanced Usury Report – analyzes the interest paid over the life of the loan to
ensure the interest amount was not excessive in regards to the state maximum
Short Sale/Deed in Lieu new BK filings Report (CML) – identifies loans with a
new bankruptcy filing within active Short Sale and Deed in Lieu populations.
Furthermore, business owners across the four major functional areas – Residential
Mortgage Servicing, Loss Mitigation, foreclosure and bankruptcy – initiated a review
to determine whether sufficient MIS reports exist (reports identified are listed within
article 10(a)) to monitor compliance with the Legal Requirements and supervisory
guidance (including the requirements of this Order). Residential Mortgage Servicing
business owners completed the review for Loss Mitigation and foreclosure in June
2011. The review for bankruptcy was completed by September 12, 2011. As an
output of the review completed for Loss Mitigation, foreclosure and bankruptcy, the
following MIS milestones have been completed:
x Identify applicable Legal Requirements in
– Complete
o Review, reconciliation, and approval of reporting enhancements were
completed as of September 12, 2011.
x Perform reporting gap analysis – Complete
o Based upon business review, twenty (20) of the initial twenty-five (25)
reporting needs are required to monitor compliance with the Legal
Requirements and supervisory guidance (please see attached HSBC
Consumer and Mortgage Lending Regulations and Risk Statement Gap
Analysis Results).
x 98% of reporting requirements have been identified as of September 12, 2011.
Two of the three
reports are pending requirements as part of the
Disbursements workstream.
x Over 35 key reports were developed as of September 12, 2011. Article 10(a)
above, outlines the enhanced reports.
Enhancement to Processes / Programs:
HBIO and HBUS continue to enhance MIS reporting to monitor compliance with the
applicable Legal Requirements, supervisory guidance and the requirements of the
Order. As described above, HBIO and HBUS use an existing internal source –
– to identify the applicable Legal Requirements and supervisory guidance (including
the requirements of the Order) across functional areas. As a result of the
gap
analysis that was conducted, three (3)
and eight (8) Compliance related
reports are under development and are expected to be completed by November 30,
2011.
Reports (3 daily reports to support the Foreclosure, Bankruptcy, and
Page 13
Privileged and Confidential
Restricted
Operational Risk teams):
x Short Sale/Deed in Lieu new BK filings Report (HBUS) – identifies loans with a
new bankruptcy filing within active Short Sale and Deed in Lieu populations.
x BK Fees post filing - identifies all loans with fees charged post proof of claim
(POC) filing, and whether the fees are listed as Recoverable vs. Nonrecoverable
x Total Fees – ensures fees are assessed to the borrower within state and
federal guidelines.
Compliance Reports (8 monthly reports to support the Board reporting package as
well as the Foreclosure, Loss Mitigation and Operational Risk teams):
x Redemption Period Reporting - used to ensure adherence to redemption
period prior to transferring property into REO
x Evictions - will identify accounts that fall outside the state time requirements
for evictions
x BPO Fees - identifies accounts that have ordered a 2nd BPO within 90 days.
x Demand Letters - will be used to ensure accounts in foreclosure received
breach letter within state and federal guidelines
x State Specific Letters - will be used to ensure accounts in foreclosure received
breach letter within state guidelines
x Lender Placed Insurance (LPI) - will be used to verify customer receives
notification prior to placing insurance.
x Late Fees - will be used to identify accounts in foreclosure to ensure fees
assessed comply with state and federal guidelines.
x Modifications with no decision in 30 days - will be used to ensure all
applications for modifications receive notification of the decision within 30
days.
Using results from the bankruptcy review, five reports required enhancement or
creation. These reports will be developed by no later than December 31, 2011.
Bankruptcy Reports (Reports 1-4 are daily and report 5 will be monthly to support the
Bankruptcy Operations team):
x Filing Identification (HSBC
platform) – identifies new bankruptcy filings
segmented by systemic versus manual.
x MFR (Motion For Relief) Reporting (HSBC
platform) – identification of
motion for relief
x Agreed Order (HSBC
platform) – identification of agreed order
x Discharge/Dismissal (HSBC
platform) – identification of
discharge/dismissals
x Automated Key Metrics (CML and HBUS) - Performance & Risk Indicators
(Bankruptcy Status Report) – executive summary report highlighting key
bankruptcy metrics (i.e. inventory, productivity, and exception)
The following MIS milestones and timelines have been defined for implementing
Page 14
Privileged and Confidential
Restricted
reporting enhancements and development:
x Supplemental report development – September 13, 2011 through October 28,
2011
x Supplemental report testing and implementation – September 13, 2011 through
November 30, 2011
Documents to be submitted with the Action Plan
x Testing and Risk Assessment Compliance Unit (TRAC) Procedures Manual
x HSBC – North America Compliance Risk Mitigation Program
Key HSBC Contacts for the Action Plan
x
Regional Head of Retail Collections
x
, SVP General Compliance
x
SVP Default Services
x
SVP Default Services, Mortgage Servicing
x
SVP Servicing Administration, HSBC Consumer and Mortgage
Lending
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
Page 15
Privileged and Confidential
Restricted
Article 10(d).ii
FRB Order Reference:
Article 10(b)
Corresponding
OCC Article:
N/A
a timetable for completion of the review;
FRB Order Reference:
Article 10(c)
Corresponding
OCC Article:
a timetable for the remediation of any identified deficiencies;
VIII.1.b.i
FRB Order Reference:
Article 10(d)
VIII.1.b.i
Corresponding
OCC Article:
new systems or enhancements to the MIS to:
FRB Order Reference:
Article 10(d).ii
Corresponding
VIII.1.b.ii
OCC Article:
ensure the ongoing accuracy of records for all serviced mortgages, including, but not
limited to, records necessary to establish ownership and the right to foreclose by the
appropriate party for all serviced mortgages, outstanding balances, and fees
assessed to the borrower;
Action Plan
As described below, HBIO and HBUS have enhanced their reporting, within an
established timetable (set forth below), to ensure the ongoing accuracy of records for
all serviced mortgages, including, but not limited to, records necessary to establish
ownership and the right to foreclose by the appropriate party for all serviced
mortgages, outstanding balances and fees assessed to the borrower to meet the
requirements of the Order.
Existing Processes / Programs:
HBIO and HBUS have existing MIS reports (see Action Plan for Article 10(a), above)
related to Residential Mortgage Servicing activities.
Business owners across the key functional areas – Residential Mortgage Servicing,
Loss Mitigation, foreclosure, and bankruptcy – have worked with the MIS team to
perform a review of the Order to identify additional reports that would be useful in
ensuring the ongoing accuracy of records (reports identified are listed within article
10(a)) to monitor compliance with the Legal Requirements and supervisory guidance
(including the requirements of this Order). As of September 12, 2011, Residential
Mortgage Servicing business owners completed the review for Loss Mitigation,
foreclosure and bankruptcy. As an output of the review completed for Loss
Mitigation, foreclosure and bankruptcy, the following MIS milestones have been
completed:
x Identify applicable Legal Requirements in
– Complete
o Review, reconciliation, and approval of reporting enhancements were
Page 16
Privileged and Confidential
Restricted
x
x
x
completed as of September 12, 2011.
Perform reporting gap analysis – Complete
o Based upon business review, twenty (20) of the initial twenty-five (25)
reporting needs are required to monitor compliance with the Legal
Requirements and supervisory guidance.
98% of reporting requirements have been identified as of September 12, 2011.
Two of the three
reports are pending requirements as part of the
Disbursements workstream.
As noted above, over 35 key reports were developed as of September 12,
2011
Enhancement to Processes / Programs:
HBIO and HBUS continue to enhance MIS reporting to monitor compliance with the
applicable Legal Requirements, supervisory guidance and the requirements of the
Order. Three (3)
and eight (8) Compliance related reports are expected to be
completed by November 30, 2011.
Reports (3 daily reports to support the Foreclosure, Bankruptcy, and
Operational Risk teams):
x Short Sale/Deed in Lieu new BK filings Report (HBUS) – identifies loans with a
new bankruptcy filing within active Short Sale and Deed in Lieu populations.
x BK Fees post filing - identifies all loans with fees charged post proof of claim
(POC) filing, and whether the fees are listed as Recoverable vs. Nonrecoverable
x Total Fees – ensures fees are assessed to the borrower within state and
federal guidelines.
Compliance Reports (8 monthly reports to support the Board reporting package as
well as the Foreclosure, Loss Mitigation and Operational Risk teams):
x Redemption Period Reporting - used to ensure adherence to redemption
period prior to transferring property into REO
x Evictions - will identify accounts that fall outside the state time requirements for
evictions
x BPO Fees - identifies accounts that have ordered a 2nd BPO within 90 days.
x Demand Letters - will be used to ensure accounts in foreclosure received
breach letter within state and federal guidelines
x State Specific Letters - will be used to ensure accounts in foreclosure received
breach letter within state guidelines
x Lender Placed Insurance (LPI) - will be used to verify customer receives
notification prior to placing insurance.
x Late Fees - will be used to identify accounts in foreclosure to ensure fees
assessed comply with state and federal guidelines.
x Modifications with no decision in 30 days - will be used to ensure all
applications for modifications receive notification of the decision within 30 days.
Page 17
Privileged and Confidential
Restricted
The following MIS milestones and timelines have been defined for implementing
reporting enhancements and development:
x Supplemental report development – September 13, 2011 through October 28,
2011
x Supplemental report testing and implementation – September 13, 2011 through
November 30, 2011
As described above, as a result of the MIS gap analysis, HBIO and HBUS continue to
develop additional MIS reports (as needed) to provide metrics regarding the ongoing
accuracy of records for all serviced mortgages, including records necessary to
establish ownership and the right to foreclose, outstanding balances, and fees
assessed to the borrower, in accordance with the MIS requirements of the Order.
Documents to be submitted with the Action Plan
Not Applicable
Key HSBC Contacts for the Action Plan
x
Regional Head of Retail Collections
Page 18
Privileged and Confidential
Restricted
Article 10(d).iii
FRB Order Reference:
Article 10(d).iii
Corresponding
VIII.1.b.iii
OCC Article:
ensure that the Loss Mitigation and foreclosure staffs have sufficient and timely
access to information provided by the borrower regarding Loss Mitigation and
foreclosure activities; and
Action Plan
HBIO and HBUS have and will continue to have a process in place that allows
multiple functional areas timely access to documentation and information for Loss
Mitigation and foreclosure activities. HBIO and HBUS systems and processes allow
multiple functional areas to access documentation and information for Loss Mitigation
and foreclosure activities, thereby enabling departments to communicate borrowerrelated actions and identify the need for additional borrower information, as well as
make and communicate decisions on loan modifications, postponement or hold of
foreclosure activities.
A key component of this information management process is the use of imaging
software. Multiple groups can view imaged documentation, which is maintained on an
imaging repository for the life of the loan.
As further detailed in the Action Plan to Article 5, all customer contact is documented
on the system of record which is designed to allow Loss Mitigation and foreclosure
staff sufficient and timely access to the current status and comments regarding a
borrower’s account (See page 3 of Account Level Documentation Policy ALL, which
states, “Any customer contact or account activity, depending on the materiality of the
conversation, must be documented at the account level on the appropriate servicing
system”). The requirement to document customer account activity on the system of
record provides Loss Mitigation and foreclosure staff with sufficient and timely access
to current status and comments regarding a borrower’s account.
Documents to be submitted with the Action Plan
x Account Level Documentation Policy ALL
Key HSBC Contacts for the Action Plan
x Action Plan for Article 5, Section (e)
Page 19
Privileged and Confidential
Restricted
Article 10(d).iv
FRB Order Reference:
Article 10(d).iv
Corresponding
N/A
OCC Article:
ensure that the single point of contact has sufficient and timely access to information
provided by the borrower regarding Loss Mitigation and foreclosure activities; and
Action Plan
HBIO and HBUS have and will continue to have a process in place that allows
multiple functional areas timely access to documentation and information for Loss
Mitigation and foreclosure activities. HBIO and HBUS systems and processes allow
multiple functional areas, including the single point of contact, to access
documentation and information for Loss Mitigation and foreclosure activities, thereby
enabling departments to communicate borrower-related actions and identify the need
for additional borrower information, as well as make and communicate decisions on
loan modifications, postponement or hold of foreclosure activities. Pursuant to the
Account Level Documentation Policy, attached, all customer contact must be
documented on the system of record which will ensure that any authorized employee,
including SPOC agents, is able to view the current status and comments regarding a
customer’s account (See page 3 within the Account Level Documentation Policy ALL,
which states, “Any customer contact or account activity, depending on the materiality
of the conversation, must be documented at the account level on the appropriate
servicing system”).
As further detailed in the Action Plan to Article 5, SPOC agents will have access to
relevant borrower information via existing systems and processes, including
information for Loss Mitigation and foreclosure activities.
Documents to be submitted with the Action Plan
x Account Level Documentation Policy ALL
Key HSBC Contacts for the Action Plan
x Action Plan for Article 5, Section (e)
Page 20
Privileged and Confidential
Restricted
Article 10(e)
FRB Order Reference:
Article 10(b)
Corresponding
OCC Article:
N/A
a timetable for completion of the review;
FRB Order Reference:
Article 10(c)
Corresponding
OCC Article:
a timetable for the remediation of any identified deficiencies;
VIII.1.b.i
FRB Order Reference:
Article 10(d)
VIII.1.b.i
Corresponding
OCC Article:
new systems or enhancements to the MIS to:
FRB Order Reference:
Article 10(e)
Corresponding
VIII.1.c
OCC Article:
testing the integrity and accuracy of the new or enhanced MIS to ensure that reports
generated by the system provide necessary information for adequate monitoring and
quality controls.
Action Plan
As described below, HBIO and HBUS have existing processes and procedures to test
the integrity and accuracy of new or enhanced MIS, but will enhance control
procedures to fully meet the requirements of the Order.
Existing Processes / Programs:
HBIO and HBUS have internal control procedures for on-going testing of the integrity
and accuracy of the enhanced MIS to verify that reports generated by the system
provide necessary information for adequate monitoring and quality controls. The
current control environment for reporting includes an initial validation intended to
ensure that reporting requests from the business are defined accurately. Other
controls include tests for validation against similar existing reports and loan-level
audits. Once MIS completes a quality control review of the reports, the reports are
provided to the business for user acceptance testing and management sign-off.
Reports will not go into production if business owner approval is not received through
a sign-off. Any remediation efforts to resolve issues will go through normal MIS
processes. The MIS quality control review is a first line of defense. The quality
review is conducted by MIS personnel and results are reviewed by internal MIS
management. For additional detail, see the aforementioned procedures and
processes documented on page 11, Section 5.0 of the North America Risk – Servicing
MIS Procedures Manual.
HBIO and HBUS utilize the TRAC function to complete independent testing and
compliance reviews. As a normal part of their review, TRAC reviews MIS reporting to
ensure it adequately covers the risks (See Testing and Risk Assessment Compliance
Page 21
Privileged and Confidential
Restricted
Unit (TRAC) Procedures Manual which details the TRAC unit, responsibilities and
provides an explanation of compliance review procedures. Additionally, see page 31
of the HSBC – North America Compliance Risk Management Program Manual,
specifically section “3.5.4 HSBC - North America Testing and Risk Assessment
("TRAC") Unit” where TRAC-specific roles and responsibilities are depicted).
In addition, the MIS team has instituted a process in November, 2010 whereby a
report is generated that identifies reports that are approaching their 12-month
recertification deadline. The MIS management team receives and reviews an
automated monthly report that identifies any current reports that require recertification.
Recertification is defined as report criteria that has not been reviewed or updated in
the last twelve months. Upon review of the recertification report, MIS submits a
request to the business owner. The business owner is required to review the existing
criteria and certify the report output is accurate. The certification is stored within a
workflow tool with User Acceptance Testing approval.
Enhancement to Processes / Programs:
Group Audit North America will incorporate MIS and Management Reporting into the
scope of the 2011 Default Services Audit to perform detailed testing and validation of
reports. Although MIS is already included in existing audits, it will be expanded to
include reports monitoring short sales and deed in lieu settlement activity, compliance
with regulatory requirements and accuracy of records, among others. (See Internal
Audit action plans, Articles 16 and 17 for further details on HSBC audit program).
As outlined above and detailed on page 11 of the North America Risk - Servicing MIS
Procedures Manual Section 5.0 Reporting Audit Procedures, the MIS group within
HBIO and HBUS currently completes a quality review on new or enhanced MIS
reports to test the integrity and accuracy of the reports to ensure they provide
necessary information for adequate monitoring and quality controls. Additionally, the
business must also perform user acceptance testing to provide management sign-off
on the integrity and accuracy of the developed report. To further ensure integrity and
accuracy of new or enhanced reports in accordance with the requirements of the
Order, Group Audit North America will also incorporate detail testing and validation of
the reports into its 2011 Default Services Audit. (See Internal Audit action plans,
Articles 16 and 17 for further details on HSBC audit program)
Documents to be submitted with the Action Plan
x North America Risk - Servicing MIS Procedures Manual
x HSBC – North America Compliance Risk Management Program Manual
x Testing and Risk Assessment Compliance Unit (TRAC) Procedures Manual
Key HSBC Contacts for the Action Plan
x
, Regional Head of Retail Collections
Page 22
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Training
November 16, 2011
Page 2
Privileged and Confidential
Restricted
Section 9: Training
Article 11, 11(a), 11(b)
FRB Order Reference:
Article 11
Corresponding
IV.1.p
OCC Article:
Within 60 days of this Order, HBIO shall submit to the Reserve Bank an acceptable
written plan, and timeline for implementation, to improve the training of all appropriate
officers and staff of the Mortgage Servicing Companies regarding the Legal
Requirements, supervisory guidance of the Board of Governors, and the Mortgage
Servicing Companies’ internal policies and procedures regarding residential mortgage
loan servicing, Loss Mitigation, and foreclosure, and the policies and procedures
adopted regarding a single point of contact described in paragraph 5 of this Order.
The plan shall also include:
FRB Order Reference:
Article 11(a)
Corresponding
N/A
OCC Article:
A requirement that training be conducted and documented no less frequently than
annually; and
FRB Order Reference:
Article 11(b)
Corresponding
N/A
OCC Article:
procedures to timely inform appropriate officers and staff of any new or changes to
the Legal Requirements and supervisory guidance of the Board of Governors related
to residential mortgage loan servicing, Loss Mitigation, or foreclosure.
Action Plan
HBIO and HBUS have training in place for personnel involved in Residential Mortgage
Loan Servicing and foreclosure processes and operations, including collections, Loss
Mitigation, and loan modification, to ensure compliance with applicable Legal
Requirements and supervisory guidance. In addition, as referenced below, in April
2011, HBIO and HBUS engaged North America HR Learning (“Learning”) to enhance
foreclosure training, as required by the Order. HBIO and HBUS will continue to
develop new training courses to remain in compliance with the Order.
On-the-job Coaching vs. Training
HSBC defines two categories of “training” methods. The first training method is
informal, on-the-job coaching, which occurs on an ad-hoc basis, and is identified,
developed, and implemented by the business without leveraging the Learning
process. For example, training materials are developed and training is conducted
outside of the Learning process (which is discussed below) by the Skill Qualification
Training (“SQT”) team. The SQT team is a support function within the business that
reports up through the President and CEO of the Servicing Company, and is
dedicated to enhancing employee skill sets by creating and delivering on-the-job
coaching. On-the-job coaching does not have the formal structure and does not
typically have the formal evaluations/assessments/tracking as the training facilitated
Page 3
Privileged and Confidential
Restricted
by the Learning team.
The second method of training is the training facilitated by the Learning team, which is
monitored and tracked in the
(“
All Design,
Delivery and Maintenance requests made to the Learning Team from the business
line or function for support to create learning are managed via a demand
management intake process with compliance initiatives receiving the highest priority.
For training to be facilitated by the Learning team, the learning material must contain
the following elements (Reference slide 6 of the attached “North America HR Learning
Organization”):
x Overview of learning material with associated laws and regulations
x Relevant internal policy and procedures
x Applicable system and tool information
x Potential risks associated with failure to comply with relevant policies and
procedures
x Practical application to the employee’s role
x Knowledge assessment of the learning material presented
Structure of North America HR Learning Organization
The North America HR Learning team is a functional department organized within the
Human Resources division. Learning is a branch of the Learning, Training,
Resourcing and Organizational Development (”LTROD”) group within HR. As a
centralized function, Learning provides support for all business lines and functions
within North America with a pool of Learning employees and contains various roles
within its structure (approximately 85 employees).
The Regional SVP Head of Learning reports to the Regional EVP Head of LTROD.
The Regional EVP Head of LTROD reports to the SEVP North America Head of HR.
There are also dotted line reporting relationships into HSBC Global HR and Learning
Structure, based in the UK.
The Learning team is comprised of employees within the following key roles:
x Design Project Managers (“DPM”) - Responsible for the management of
individual learning projects, day-to-day project activities, service delivery and
editorial standards. DPM’s partner with learning specialists and business
stakeholders on assigned projects and build project and resourcing plans.
x Instructional Designers (“ID”) – Responsible for conducting learning needs
analysis, and further outline and structure the learning content for Instructor
Led Training (“ILT”) (face-to-face and virtual), Web Based Training (“WBT”),
job aids, reference guides and blended solutions. These individuals consult on
the learning solution design and development, and build learning assessments.
x Developers – Translate and structure learning content for web-based training
and other training not conducted in person. Developers troubleshoot content
related issues in the
commonly referred to as “
Page 4
Privileged and Confidential
Restricted
(“
x
and the
(“
Learning Facilitation – Provide subject matter expertise to the design team
during training design and development efforts and further conduct instructor
led and virtually led classroom function training and Leadership and
Professional skills development training.
Training Development Process Overview
The Learning Design team, a function within the Learning team, as well as contracted
vendors, are tasked with designing and developing functional training modules. At
each stage in the design process, feedback and approval are requested from
designated Subject Matter Experts (“SMEs”) and stakeholders (process owners,
Compliance, Legal, etc.) to ensure that the course is developing in alignment with
expectations. Throughout this process, Compliance and the requesting business(es)
provide subject matter expertise and input into the design. HR Learning is responsible
for the facilitation and oversight of training within the business. (Refer to slides 3-10 of
“North America HR Learning Organization” for additional details regarding the
organization, design and delivery of the North America HR Learning Organization).
Review and final sign-off of learning material is obtained from the functional Senior
Vice President(s) within the business as well as Legal and Compliance teams.
Content development includes Assistant Vice President and Vice President level
business personnel that assist with defining business processes, and Compliance to
ensure materials cover applicable regulatory requirements as outlined in the
(“
Training review cycles are integrated throughout
the Learning process to ensure the business, Legal, and Compliance have the
opportunity to review and provide feedback for training materials. As a part of the
Learning process, Legal and Compliance approval is obtained prior to launch. Legal
and Compliance feedback supersedes business feedback. Learning is responsible for
resolution of any conflicting feedback amongst the parties involved by coordinating
meetings amongst the business unit(s), Legal and Compliance and discussing until a
resolution is reached.
Detailed Training Design Steps
As summarized in the previous section, Learning follows a standard process for
training creation and approval. The specific steps are noted below and also
documented in detail in slides 9 – 11 of “North America HR Learning Organization”:
x Analysis Phase
o Confirm learning solution and approve Terms of Reference
o Identify project team and time commitments for team
o Project plan timeline defined
o Content SMEs engaged: Business participants, Compliance, and Legal
o Business representative will review and provide feedback
Page 5
Privileged and Confidential
Restricted
x
x
x
Design Phase
o Validate the Content Outline by compiling the learning points from the
source documents/business
o Define Learning Objectives and Sequences, content and timing
o Course Owner validates/approves learning objectives, sequence,
content and timing
o Defines success measurement
o Design Document shows instruction methods
o Final sign-off received from the business representative
o Delivery Guide, Leader Guide and supplemental materials drafted
o Dry-Run and/or Pilot performed. (Due to time constraints and/or
learning complexity, Dry-Run and Pilot activities may be combined)
Dry-Run: Given to stakeholders and SMEs identified from the
project and the business. Generally does not include business
participants and is used to assess content, lessons,
exercise/activities and additions and changes that will need to be
made to the Learning Guide
Pilot: Generally facilitated by the Delivery team. Pilot target
learners to be determined by the project team and business
stakeholders. Target learners engaged in the pilot program will
provide feedback/review and suggestions for adjustments to the
learning activity. Business participants are typically included in
this session.
o Edits will be made to learning content based upon Dry-Run and Pilot
feedback
o Stakeholders and Compliance/Legal review and sign off on the learning
activity. Business representative validates/approves.
Development Phase
o Post Pilot activities
o Designer applies pilot feedback to final documents.
o Business and Compliance/Legal reviews again for final sign off and
approval
o Delivery prepares and rehearses their instruction
o Train the Trainer: Certification for modules
Implementation (Note: These steps may be performed by Learning or the
business as appropriate)
o Communication
o Scheduling
o Launch the training
o Request reports
Identification of Legal and Regulatory Changes
Management has a process in place to identify, communicate and implement changes
to Legal Requirements and supervisory guidance into its business practices. The
Regulatory Monitoring & Assessment (“RMA”) manages the regulatory monitoring and
Page 6
Privileged and Confidential
Restricted
change management process in order to facilitate compliance with the applicable
Legal Requirements and Board of Governors supervisory guidance (See HSBC North
America New Laws and Regulations Procedure – US). This procedure provides
guidelines for monitoring and tracking regulatory changes and updating processes
appropriately.
In its efforts to identify and communicate changes in applicable laws, rules, and
regulations, the RMA group performs the following activities (among others):
x Monitor and track new and changed laws, regulations, and regulatory guidance;
x Track legislative, judicial, and regulatory developments, to identify potential
emerging compliance risks;
o Various sources for monitoring are utilized including, but not limited to:
the Federal Register; regulatory agency websites (e.g., OCC, FRB,
FDIC); trade associations; monitoring services; and various law firm
websites
x Complete business impact analysis for new or changed regulatory requirements;
and;
x Communicate new legislative alerts to appropriate Residential Mortgage Servicing
departments for action
The RMA group collaborates with Legal and Compliance to determine the applicability
of the legislation, rule or regulation and the business areas impacted. If it is
determined that there is an impact to a business area, the RMA group outlines the
detailed requirements in an Impact Assessment document, which it then forwards to
Legal for review. The RMA group and Compliance, together with the impacted
business area, determine the impact to the business. The RMA then publishes an
executive summary, which is called the New Legislation Alert (which includes the
Impact Assessment), and distributes it to the impacted business areas. The impacted
business areas work with the Law Change Working Group (“LCWG”), Compliance
Officers, and Legal (as appropriate), to update the policies, procedures and
processes. The LCWG is comprised of multiple representatives from various
functional areas responsible for identifying updates in legal requirements and alerting
the business of necessary changes as well as monitoring the progress of these
changes until implementation.
Communication/Training Related to Legal and Regulatory Changes
When policy and/or procedure updates are made, communication of any operational
changes to employees is performed within the business by the business
management, as well as via a Breaking News channel where procedural updates are
electronically communicated via
(“
In addition to the communication of procedural changes, the impacted business area
works with the LCWG, Compliance Officers and Legal (as appropriate) to ensure
Page 7
Privileged and Confidential
Restricted
implementation of any legal changes by the effective date of the change. The
significance of the legal change to day-to-day business operations and the scope of
the business impact will determine the method of communication and/or training
needed for employees. (Note: this is not a formal process and is based on business
management’s review of the significance of the change). Communication and/or
training to the business may be conveyed in one of the following ways:
x Informally, by on-the-job coaching or “whiteboard sessions” – Incorporated into
team meetings as necessary and created/distributed by the line of business
without Learning’s involvement
x Formally documented and communicated via information deck created and
distributed by the business as on-the-job training/coaching without Learning’s
involvement
x Through training developed in conjunction with the Learning process outlined
above. When Learning is engaged to conduct formal training, Compliance
representation and feedback are required to assist in the creation of functional
training courses and materials to ensure adherence to current Legal
Requirements. All training material requires Business, Compliance and Legal
approval. In addition, the Learning team will collaborate with the business and the
LCWG to define stricter governance around the ownership and maintenance of the
execution of change to existing training modules when appropriate.
Mandatory and non-Mandatory Training
HBIO and HBUS have both mandatory and non-mandatory training courses.
A Mandatory Training Calendar is provided (see tab “CML (Including AutoTFS)” of the
attached “2011 Mandatory Training Calendar”) for compliance topics such as Anti
Money Laundering, Fair Lending, FDCPA, for all Residential Mortgage Servicing
employees. All training is housed and tracked in
Courses are classified
based upon the role of the employee as either mandatory or non mandatory based on
direction from the requesting party (e.g. primarily Compliance, business owner and/or
legal as appropriate), and in either case, tracking is available via the
Reporting
is available on a bi-weekly basis, and
provides managers with access to
view and monitor mandatory training completions for their direct reports..
Mandatory Operational Training Remediation Process
While managers are ultimately accountable for the completion of training within their
departments or functions, the following Training Remediation Process has been
proposed to address failure of employees to comply with mandatory training
requirements. Finalization and publication of this process is scheduled for October 31,
2011, with a scheduled implementation date of December 31, 2011. Employees are
required to successfully complete training specific to the department in which they
work on an annual basis. Courses are delivered in either a WBT or ILT format. WBT
courses are accessed through
and consist of online content with an
assessment at the conclusion of the course. ILT course consists of classroom style
attendance and passing an online assessment. For both WBT and ILT courses
Page 8
Privileged and Confidential
Restricted
individual certification requires the successful completion the course and passing the
online assessment with at least an 80% grade. Employees failing to successfully
complete the annual training requirements with the timelines below will be subject to
disciplinary action up to and including termination.
x Failure of certification testing on the first attempt requires coaching assistance
by the manager which may include support from other areas such as SQT.
Employee must retest within 10 calendar days.
x Failure of certification testing on the second attempt requires the employee be
placed on final written corrective action, the manager coaching, and the
employee must retest within 10 calendar days.
x Failure of certification testing on the third attempt results in employee
termination for failure to perform the roles and responsibilities of the job.
NOTE: The employee’s immediate manager is responsible for ensuring follow up
testing occurs within the required 10 calendar days
NOTE: If the 10th calendar day falls on a weekend, holiday, or previously scheduled
TOP day, testing must occur the following business day.
Examples of current mandatory trainings include compliance courses such as:
x Fair Debt Collections Practices Act
x Fair Lending
x Anti-Money Laundering
x Ethics Awareness and Certification
x Security Awareness and Privacy Data
Examples of non-mandatory courses include;
x The Power of Coaching
x Developing High Performing Teams
x Leading through Change
x Foundations of Communicating for Success
New hire functional training exists in Collections and Customer Care phone teams,
which was developed and is delivered by the Learning team.In the future, functional
training developed and administrated by Learning will be available to new and existing
employees and the content will not differ. HBIO and HBUS have expanded functional
training to include areas such as Foreclosure, Loss Mitigation, and Mortgage
Servicing. The proposed functional training will be both mandatory and nonmandatory and will be driven by job responsibilities. For example, Foreclosure training
will be mandatory for Foreclosure personnel on an annual basis. Foreclosure Training
is not mandatory for employees performing Escrow duties, but is optional and
participation will be encouraged to further educate our workforce. The Learning team
is working to centralize training courses for Loss Mitigation, as this is currently
handled informally by the Skill Qualification Training (“SQT”) team.
Page 9
Privileged and Confidential
Restricted
Reporting
Currently, reporting for mandatory compliance training activities (Refer to “2011
Mandatory Training Calendar”) is housed in
HSBC’s North America
Reporting tool. Data is refreshed in
weekly, and is available at any time for
business review. Managers are responsible for ensuring all staff is trained in
accordance with established training plans, and Managers can review staff statuses
via
Additionally, standard messages are sent as follows:
x System generated messages advising of mandatory courses to complete and
timeline to complete are sent to the employee weekly starting 28 days before
completion date
x Manual notifications from Central Services (function that helps facilitate
reporting for various pieces of the company and ultimately reports through the
Compliance function) advising of the course to complete and timeline to
complete support the completion of compliance training at various points in
time:
o To direct manager – one week before completion date and on due date
o To direct manager / Copy Local Compliance Officer (“LCO”) (Global
Career Band 3 (“GCB3” or “SVPs”)) – 2 weeks prior to completion date
o To business leads/LCOs/Regional Compliance Officers (“RCO”) – 2
weeks after due date
HBIO and HBUS will leverage the existing framework for the proposed functional
training and will have dedicated resources within HR for tracking and monitoring
reports outlining attendance and results. Results will be reported and provided to the
functional Senior Vice President in the business.
General Mortgage Training
HSBC servicing employees will be required to take two general mortgage courses,
“Life of the loan training” and “Terminology and regulations training.” Key topics
covered in the “Life of the loan training” include but are not limited to: key loan
documents, mortgage types, title, escrow, collections, default and mortgage serving,
modifications, where each department fits in, and customer impact. Key topics
covered in the “Terminology and regulations training”, include but are not limited to:
federal regulations such as RESPA, SCRA, as well as industry terminology such as
SPOC and Short Sale. (For a summary of these two courses, refer to slide 4 of “CML
Consent Order Response Recommendations from Learning”).
Loss Mitigation Training Modules
HBIO and HBUS have several business-developed Loss Mitigation training modules
in place for Residential Mortgage Servicing personnel. These modules are primarily
voluntary, instructor-led sessions offered to both new hires and as on-going training.
Additionally, web-based training sessions are offered to qualify for certifications. To
date, the primary Loss Mitigation training modules are Collections Call Model training
Page 10
Privileged and Confidential
Restricted
and instruction for the HBIO loan modification tool. The Collections Call Model
training prepares employees to interface with customers involved in the Loss
Mitigation process. Loan modification tool training helps employees navigate the
Foreclosure Avoidance Program (“FAP”), the primary technology used for
modifications.
Foreclosure Training
In April 2011, HBIO and HBUS engaged Learning to enhance foreclosure training, to
comply with the requirements of the Order. Affidavit Processing Training and Notary
Training were developed and are included in this Action Plan submission. The
Affidavit Processing documents are titled “Foreclosure Learning Activity – Specialized
Affidavit and Document Processing” and “Foreclosure Learning Activity – Specialized
Affidavit and Document Processing (for instructors)”. The Affidavit Processing
Training documents outline the process to accurately execute a foreclosure affidavit,
which is one part of the overall foreclosure process. There are twelve (12) Notary
Training materials included in this Action Plan submission. The Notary training
materials describe state law requirements when acting as a Notary Public and outline
the responsibilities and high-level process of acting as a Notary on behalf of HSBC.
Trainings for Affidavit Processing and Notary were executed as of the end of the third
quarter of 2011.
New Training Created within the Learning Process
HSBC finalized the content for two additional new training modules, Foreclosure
Introduction and Foreclosure Processing. The content for the additional two training
modules include the basics of foreclosures and foreclosure processing. The table
below indicates the dates each of these training sessions were completed, as well as
make-up session completion dates.
Training Sessions
Date
Class
Location
Type
July 11
Foreclosure Overview
Florida
ILT
July 11
Foreclosure Processing
Florida
ILT
July 12
Foreclosure Overview
Florida
ILT
July 12
Foreclosure Processing
Florida
ILT
July 14
Foreclosure Overview
Illinois
ILT
July 14
Foreclosure Processing
Illinois
ILT
Make-up Sessions
Date
September 13
Class
Foreclosure Overview
Location
Illinois
Type
WebEx
Page 11
Privileged and Confidential
Restricted
September 14
Foreclosure Processing
Illinois
WebEx
See below materials for additional detail for the Foreclosure Introduction and
Foreclosure Processing modules:
x Foreclosure Overview July 2011
x Foreclosure Overview Delivery Guide
x Foreclosure Overview Learner Guide
x Foreclosure Training Foreclosure Processing
x Foreclosure Processing Delivery Guide
x Foreclosure Processing Learner Guide
x Foreclosure Processing Assessment Questions
x CML Consent Order Response Recommendations from Learning
x Foreclosure Training Test Results 7-28-11
Each module has a learning assessment to ensure comprehension of materials.
Learning supplies a manual report for each class taken and the corresponding
assessment score. It is the responsibility of the business to monitor for compliance,
and the previously mentioned Training Remediation Process may be implemented
when appropriate.
In addition, HSBC conducted an evaluation of its mandatory compliance and business
function courses as of July 31, 2011 (Please reference “Learning & Development
Functional Training Gap Assessment” for a draft summary of the evaluation provided).
This evaluation outlined enhancements necessary to adhere to compliance with
applicable Legal Requirements and supervisory guidance. In accordance with this
evaluation, Learning developed an execution plan for new or enhanced training
programs (Refer to slides 6-7 of “CML Consent Order Response Recommendations
from Learning”). The evaluation concluded that HSBC needed to develop a total of 18
courses, each of which may be composed of multiple modules.
Per the evaluation of HSBC’s mandatory compliance and business function courses,
HBIO and HBUS have developed or are developing 18 training courses for other
areas of mortgage services and default, with various dates for design and deployment
as noted in on slides 6-7 of “CML Consent Order Response Recommendations from
Learning” and as outlined below:
Course
Estimated Start / Complete
Estimated Start/Complete
Design
Deployment
Foreclosure
COMPLETE August 2011
COMPLETE August 2011
SPOC
September – December 2011
January 2012
Page 12
Privileged and Confidential
Restricted
Loss Mitigation – Modification,
Retention and Exit Strategy
September – December 2011
January 2012
Foreclosure Review
September – December 2011
January 2012
Bankruptcy
September – December 2011
January 2012
Mortgage Servicing – SCRA
October – December 2011
December 2011
Business Record Training
October – December 2011
January 2012
Records Management – Note
October – December 2011
December 2011
MERS
October – December 2011
December 2011
Imaging
November – January 2012
February 2012
Invoice Processing – Fees,
Expenses and Costs
November – January 2012
February 2012
Collections
December – March 2012
March 2012
REO
January – March 2012
April 2012
Charge Off & Lien Release
January – March 2012
April 2012
Payment Processing
January – March 2012
June 2012
Escrow
February – June 2012
June 2012
Customer Service
March – June 2012
June 2012
Mortgage Servicing – Special
March – May 2012
June 2012
Validation
Loans, Payoffs, Research
New Trainings Created Outside of the Learning Process
In addition to the trainings noted above, two trainings were developed in response to
the Order which did not go through the Learning process due to the need for an
accelerated delivery to comply with the Order and business needs. The trainings did,
however, go through appropriate levels of internal review as noted below.
The current SPOC training program was developed separately from the Learning
Page 13
Privileged and Confidential
Restricted
team, within the business by an Assistant Vice President and Vice President.
Approval of the materials was completed by the Senior Vice President, Default
Management and Compliance personnel, and was also reviewed by Learning to
ensure adherence to current Legal Requirements.
The SPOC training program was designed for employees who are part of the SPOC
operating model. This classroom curriculum includes a SPOC Overview, specific
SPOC processes and procedures, and SPOC system tools that are used by the
SPOC Agent. SPOC agents completed training from July 1, 2011, through
September 12, 2011, with make-up sessions completed as of September, 30, 2011
(See SPOC Database Training, Single Point of Contact SPOC General, Single Point
of Contact SPOC Queue Owner, SPOC Database Training General, SPOC
Certification Training for additional details on the SPOC training program). By
December 2011, SPOC training will be transitioned to the Learning team, which will
provide enhanced materials, technology for attendance tracking and other features.
Until the December transition, SPOC training will continue to be managed by the
business. SPOC training has been established based on the current processes,
procedures, and other key elements of the SPOC program and will be revised and/or
supplemented in the event changes to the SPOC program are made. Additionally,
SPOC agents will be required to complete SPOC training again should changes be
made to the SPOC training modules (as necessary).
Additionally, Business Records Training was developed separately from the Learning
team with input from the business, outside counsel, legal and compliance. By January
2012, Business Records Training will be transitioned to the Learning team, and will be
administered by either web based or instructor led training courses (Please see the
attached Business Records Training and Business Records Training Summary for
additional details on this training program). Until this transition to the Learning team
has occurred, the business will continue to take responsibility for the training.
Included below is a summary of the aforementioned existing processes and required
enhancements are a result of the Order:
Existing Processes
Required Enhancements
• Web-based, instructor-led, and
function-specific training programs
covering Loss Mitigation, foreclosure
and parts of Residential Mortgage
Loan Servicing processes for both
new-hire and on-going training for
existing employees
• Developed training modules for
affidavit and notary processes that
are tracked, monitored and certified
on an annual basis
• Continue to develop and implement
foreclosure training and Loss
Mitigation modules that will be
tracked, monitored and certified on an
annual basis
• Create and implement additional
default and mortgage servicing
training that will be tracked,
monitored and certified on an annual
basis
Page 14
Privileged and Confidential
Restricted
• Transition SPOC and Business
Records trainings to Learning
Documents to be submitted with the Action Plan
x Collections Call Model Training
x Business Records Training
x Business Records Training Summary
x Notary Requirements and Responsibilities (Florida) Assessment Questions
x Notary Requirements and Responsibilities (Florida) Delivery Guide
x Notary Requirements and Responsibilities (Florida) Foreclosure Training
x Notary Requirements and Responsibilities (Florida) Learner Guide
x Notary Requirements and Responsibilities (Illinois) Assessment Questions
x Notary Requirements and Responsibilities (Illinois) Delivery Guide
x Notary Requirements and Responsibilities (Illinois) Foreclosure Training
x Notary Requirements and Responsibilities (Illinois) Learner Guide
x Notary Requirements and Responsibilities (New York) Assessment Questions
x Notary Requirements and Responsibilities (New York) Delivery Guide
x Notary Requirements and Responsibilities (New York) Foreclosure Training
x Notary Requirements and Responsibilities (New York) Learner Guide
x Foreclosure Learning Activity - Specialized Affidavit and Document Processing
x Foreclosure Learning Activity - Specialized Affidavit and Document Processing
(for instructors)
x Learning and Development Functional Training Gap Assessment
Additional documents completed for re-submission of Action Plan
x North America HR Learning Organization
x 2011 Mandatory Training Calendar
x HSBC North America New Laws and Regulations Procedure – US
x Foreclosure Overview July 2011
x Foreclosure Overview Delivery Guide
x Foreclosure Overview Learner Guide
x Foreclosure Training Foreclosure Processing
x Foreclosure Processing Delivery Guide
x Foreclosure Processing Learner Guide
x Foreclosure Processing Assessment Questions
x CML Consent Order Response Recommendations from Learning
x Foreclosure Training Test Results 7-28-11
x SPOC Database Training
x Single Point of Contact SPOC General
x Single Point of Contact SPOC Queue Owner
x SPOC Database Training General
x SPOC Certification Training
Key HSBC Contacts for the Action Plan
Page 15
Privileged and Confidential
Restricted
x
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
SVP Default Services
Page 16
Privileged and Confidential
Restricted
Page 17
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Risk Management
Final Pending Approval from the Compliance Committee
November 16, 2011
Page 2
Privileged and Confidential
Restricted
Section 11: Risk Management
Article 14
FRB Order Reference:
Article 14
Corresponding
N/A
OCC Article:
Within 60 days of submission of the comprehensive risk assessment conducted
pursuant to paragraph 12 of this Order, HNAH shall submit to the Reserve Bank an
acceptable written plan to enhance its ERM program with respect to its oversight of
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities and
operations. The plan shall be based on an evaluation of the effectiveness of HNAH’s
current ERM program in the areas of residential mortgage loan servicing, Loss
Mitigation, and foreclosure activities and operations, and recommendations to
strengthen the risk management program in these areas. The plan shall, at a
minimum, be designed to:
Action Plan
As a result of the risk assessment, Ernst & Young (“EY”) provided findings related to
the design and operating effectiveness of controls. With respect to the design of
controls, EY identified enterprise-level observations and
in the design of specific
controls.
Page 3
Privileged and Confidential
Restricted
Management has considered and incorporated these themes as appropriate
throughout its responses to the enterprise observations as well as the specific test
findings.
HNAH considers EY’s observations and detailed testing results to warrant specific
process and control changes (documented further in Article 15(l)) at the business
level as opposed to changes to the enterprise-wide risk management structure.
Enhancements and modifications to the Enterprise Risk Function were already
underway based on guidance provided within the Matters Requiring Attention
(“MRAs”) and Matters Requiring Immediate Attention (“MRIAs”), and did not change
as a result of the risk assessment.
HNAH’s risk management framework begins with governance at the enterprise-wide
level and is supported by three lines of defense to provide specific processes,
policies, and procedures to monitor Residential Mortgage Servicing operations. The
Enterprise Risk Management (“ERM’) structure and the three lines of defense are
introduced and discussed at a summary level in this section and the ERM is
discussed in more detail later within Articles 14 and 15.
The Enterprise Risk Management framework itself does not provide specific policies
and procedures for Residential Mortgage Servicing, Loss Mitigation and foreclosure
activities; instead it provides overall governance and works in conjunction with the
specific programs that provide Residential Mortgage Servicing risk management. The
programs providing the support are Residential Mortgage Servicing, Service Delivery
Control Adherence, Compliance, and Group Audit North America. These four
programs form three lines of defense:
• Residential Mortgage Servicing serves as the first line of defense, providing the
Business Risk and Control Management (“BRCM”) capability and internal control
framework.
• Service Delivery Control Adherence (formerly known as NAQA) coordinates with
the Residential Mortgage Servicing BRCM teams to test the controls.
• Compliance is an additional second line of defense that provides regulatory
oversight to the Residential Mortgage Servicing teams to ensure that the controls
put in place satisfy regulatory requirements.
• Group Audit North America serves as the third line of defense by assessing the
effectiveness of Residential Mortgage Servicing controls and the functioning of the
second line of defense.
Through these three lines of defense, deficiencies in mortgage servicing, Loss
Mitigation and foreclosure activities are identified and promptly remediated. More
specifics related to these programs are provided in the subsequent articles and the
table below.
Page 4
Privileged and Confidential
Restricted
Existing Processes
Required Enhancements
• ERM providing risk management
governance for HNAH supported by
“three lines of defense”
• Ongoing implementation and
monitoring of remediation resulting
from independent risk assessment’s
enterprise and control testing results
and management’s responses.
• Residential Mortgage Servicing
serves as the first line of defense,
providing the Business Risk Control
Management (“BRCM”) capability and
internal control framework.
• Service Delivery Control Adherence
(formerly known as NAQA) serves as
a second line of defense and
coordinates with the Residential
Mortgage Servicing BRCM teams to
test the controls.
• Compliance is an additional second
line of defense that provides
regulatory oversight to the Residential
Mortgage Servicing teams to ensure
that the controls put in place satisfy
regulatory requirements.
• Group Audit North America serves as
the third line of defense by assessing
the effectiveness of Residential
Mortgage Servicing controls and the
functioning of the second line of
defense.
• Management responses developed in
response to the independent risk
assessment’s enterprise and control
testing results
Page 5
Privileged and Confidential
Restricted
Documents to be submitted with the Action Plan
Not applicable.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
,
Risk
Governance and Administration, HNAH
Page 6
Privileged and Confidential
Restricted
Article 14(a)
FRB Order Reference:
Article 14(a)
Corresponding
N/A
OCC Article:
Ensure that the fundamental elements of the risk management program and any
enhancements or revisions thereto, including a comprehensive annual risk
assessment, encompass residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities;
Action Plan
HNAH’s risk management framework begins with governance at the enterprise-wide
level and is supported by three lines of defense to provide specific processes,
policies, and procedures to monitor Residential Mortgage Servicing, Loss Mitigation
and foreclosure activities and includes a comprehensive annual risk assessment
which encompasses Residential Mortgage Servicing, Loss Mitigation, and foreclosure
activities.
The Enterprise Risk Management framework itself does not provide specific policies
and procedures for Residential Mortgage Servicing, Loss Mitigation and foreclosure
activities; instead it provides overall governance and works in conjunction with the
specific programs that provide Residential Mortgage Servicing risk management. The
programs providing the support are Residential Mortgage Servicing, Service Delivery
Control Adherence, Compliance, and Group Audit North America. These four
programs form three lines of defense:
• Residential Mortgage Servicing serves as the first line of defense, providing the
Business Risk and Control Management (“BRCM”) capability and internal control
framework.
• Service Delivery Control Adherence (formerly known as NAQA) coordinates with
the Residential Mortgage Servicing BRCM teams to test the controls.
• Compliance is an additional second line of defense that provides regulatory
oversight to the Residential Mortgage Servicing teams to ensure that the controls
put in place satisfy regulatory requirements.
• Group Audit North America serves as the third line of defense by assessing the
effectiveness of Residential Mortgage Servicing controls and the functioning of the
second line of defense.
Through these three lines of defense, deficiencies in mortgage servicing, Loss
Mitigation and foreclosure activities are identified and promptly remediated.
Three Lines of Defense
Residential Mortgage Servicing (First Line of Defense)
Residential Mortgage Servicing activities are covered by the Business Risk and
Control Management Team established by and under the direction of the SVP of
Strategy, Operational Risk Management and Chief Information Risk Officer, HBIO.
Page 7
Privileged and Confidential
Restricted
Specific details surrounding the First Line of Defense are covered in Article 15.
Service Delivery Control Adherence (formerly known as NAQA) (“SDCA”) (Second
Line of Defense)
SDCA provides an independent, objective and ongoing assessment of operational
adherence to policies, procedures, and Group Standards to Residential Mortgage
Servicing Management. To maintain independence, SDCA is managed separately
from Residential Mortgage Servicing management, reporting to a central Corporate
Quality Utility. SDCA reports its findings to the appropriate business unit executive
management. Consideration is given as to whether the findings reported by SDCA
should also be reported as a Top Control Issue in the quarterly ORIC report.
Compliance (Second Line of Defense)
The HNAH Compliance organizational structure, as outlined below, detailed in the
“HSBC – North America Compliance Risk Management Program Manual”, and
illustrated in the “HNAH Corporate Compliance Organizational Structure” section (see
pages 26 and 65 of the Compliance Risk Management Program Manual) is designed
to ensure that Compliance staff have the requisite authority and status to carry out
their responsibilities:
• The Regional Compliance Officer (“RCO”) reports to the HNAH Compliance
Committee, the HNAH Chief Executive Officer (“CEO”) and the CEO of HSBC
Bank, N.A.
• The RCO also has an internal functional reporting line to the Head of Compliance
within the Group Management Office ("GMO") which provides oversight of the
HNAH Compliance Risk Management Program.
• The RCO is a member of the Group Compliance Executive Committee (“Group
Compliance EXCO”).
The Compliance governance model is designed to ensure that the functional teams
and responsibility areas reporting into the RCO work effectively and efficiently
together to manage the Compliance Risk Management Program. Specifically, the
governance model is designed to ensure that:
• Regulatory, Group, and other stakeholder requirements applicable to Compliance
are identified and addressed;
• Enterprise-wide initiatives are coordinated;
• Communications across functional areas are timely and effective;
• Issues are escalated in a timely manner;
• Information is effectively and appropriately shared; and,
• Compliance risks are effectively assessed and emerging trends are identified
which may impact more than one business, legal entity or geography.
In order to monitor compliance risk and identify and remediate deficiencies,
Compliance has developed Key Risk Indicators (“KRIs”) that will assist Residential
Mortgage Servicing in monitoring and evaluating the risks inherent in mortgage
Page 8
Privileged and Confidential
Restricted
servicing business lines on a monthly basis. These KRIs include metrics to measure
the mortgage servicing activities of HNAH and its subsidiaries, including Loss
Mitigation, loan modification, and foreclosure activities. Examples of KRIs that have
been developed are Rescinded Foreclosure Sales and SCRA reporting.
Group Audit North America (Third Line of Defense)
Group Audit North America is responsible for the internal audit activities for HNAH
and its subsidiaries. These responsibilities include evaluating the effectiveness of risk
management, control, and governance processes for residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities. Group Audit North America has
assessed the identified risks for these functional areas and enhanced its audit
programs to address the requirements of the Order.
HNAH Risk Management Framework
HNAH’s enterprise-wide risk management (“ERM”) program provides proper risk
management with respect to the Bank’s and the Mortgage Servicing Companies’
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities,
particularly with respect to compliance with the Legal Requirements and supervisory
standards and guidance of the Board of Governors as they develop. The HNAH Risk
Management Framework was most recently reviewed and approved by the HNAH
Board Audit Committee in December 2010. The HNAH Risk Management Program
was enhanced throughout 2010 to meet the requirements of the Federal Reserve
Board Memorandum of Understanding (“MOU”) issued in 2009. A comprehensive risk
management plan was developed per the MOU requirements, and all elements of the
risk management plan have been implemented as of February 2011.
HSBC also enhanced its operational risk assessment framework globally through the
rollout of the RCA process, which was designed to provide the business with a
forward looking view of material operational risks and to help them proactively identify
and assess the key controls to mitigate risks within acceptable levels, which has been
rolled out across HNAH in order to comply with the Order. These enhancements
include a new Risk and Control Assessment methodology and Internal Control Target
Operating Model. HNAH takes a continuous improvement approach to risk
management and, accordingly, establishes annual objectives centered on
strengthening its risk management framework. (See attachment HSBC North America
(HNAH) Risk Management Framework in its entirety which details HSBC’s risk
management approach).
The Risk Management Framework is an integral component of HNAH’s operating
environment. The HNAH Risk Management Framework provides for oversight of risk
by the HNAH Board through the HNAH Risk Management Committee. The HNAH
Risk Management Committee is a regional level risk committee that provides a forum
for risk managers, functional heads, and business unit heads to establish risk
appetite, assess risk, establish risk management policies and standards, discuss
Page 9
Privileged and Confidential
Restricted
emerging risk issues and agree upon appropriate actions, as necessary. The
Mortgage Servicing Companies and the Bank are covered by the HNAH Risk
Management Framework, which incorporates all risk categories, including operational,
compliance and legal risks as well ensuring that the fundamental elements of the risk
management program and any enhancements or revisions thereto, including a
comprehensive annual risk assessment which encompasses residential mortgage
loan servicing, Loss Mitigation, and foreclosure activities. This is facilitated by the
businesses line’s self assessement, Enterprise Compliance’s annual risk assessment,
SDCA’s annual testing of controls and internal audit’s ongoing testing of controls and
performance.
The results of the risk assessment did not identify the need for further enhancement
to or modification of the HNAH Risk Management Framework beyond those
enhancements already completed or underway in order to comply with the
requirements of this Article..
Documents to be submitted with the Action Plan
x HSBC North America (HNAH) Risk Management Framework
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
EVP/Chief Auditor, HBIO
x
,
Risk
Governance and Administration, HNAH
Page 10
Privileged and Confidential
Restricted
Article 14(b)
FRB Order Reference:
Article 14(b)
Corresponding
N/A
OCC Article:
ensure that the risk management program complies with supervisory guidance of the
Board of Governors, including, but not limited to, the guidance entitled, “Compliance
Risk Management Programs and Oversight at Large Banking Organizations with
Complex Compliance Profiles,” dated October 16, 2008 (SR 08-08/CA 08-11); and
Action Plan
HNAH has an Enterprise Compliance Program (“ECP” or “Program”) which includes
oversight of residential mortgage loan servicing and foreclosure activities and
operations, as well as Loss Mitigation, which has been enhanced as set forth herein in
compliance with the requirements of the Order. ECP is a comprehensive compliance
risk management program that has been approved by the HNAH Board of Directors.
The Program is structured to proactively identify as well as quickly react to emerging
issues and to assess, control, measure, monitor and report compliance risks across
HNAH and complies with supervisory guidance of the Board of Governors, including,
but not limited to, the guidance entitled, “Compliance Risk Management Programs
and Oversight at Large Banking Organizations with Complex Compliance Profiles,”
dated October 16, 2008 (SR 08-08/CA 08-11).
The scope of the Program includes compliance with state and federal laws and
regulations, supervisory guidance, and self-regulatory standards or codes of conduct
that regulate certain business activities and functions of HNAH. More specifically,
HNAH maintains an inventory of the regulatory requirements that are included within
the scope of this Program. The inventory is maintained in the
("
which is linked to the
(“
As new legislation is enacted, regulatory requirements are added
to
and updated to
The compliance risk assessment process is an integral part of an effective compliance
program. Two critical components are the detailed assessment that is conducted
annually with business line management using
and
systems and the
quarterly General Compliance Enterprise-wide Risk Assessment (“ERA”).
Enhancements have been made to
which houses the risk statements
applicable to the business. The enhancements to the
risk statements are
discussed below in further detail.
The ERA is completed quarterly for all business units and gives a summary of
compliance for each business unit [e.g. CML (Consumer and Mortgage Lending)]. It
measures critical components such as: the number of MRA’s that repeat, are reopened or extended; past-due issues; and ensures policies and procedures are up to
Page 11
Privileged and Confidential
Restricted
date.
HNAH’s ECP is designed in accordance with the Group Legal and Compliance
Functional Instructional Manual ("FIM”), Group minimum compliance standards as
outlined in the Group Standards Manual ("GSM") and the principles established by the
Federal Reserve in Supervision and Regulation Letter 08-8 ("SR08-8") dated October
16, 2008, and the Basel Committee on Banking Supervision's Compliance and the
compliance function in banks ("Basel Compliance Paper") dated April 2005 as
required by the Order.
HNAH's Board of Directors has overseen the development of this Program and
compliance standards and processes contained in the HSBC - North America
Compliance Risk Management Program Manual. HNAH Management reviewed the
HNAH Compliance Risk Management Program Manual and has confirmed that, in line
with the design of the ECP to include all HNAH lines of business, the scope includes
residential mortgage loan servicing, foreclosure, and Loss Mitigation. More
specifically, Section 1.2 of the manual states that the ECP applies to “HSBC North
America Holdings, Inc. (“HNAH”) and its subsidiaries, including all legal entities,
business units, and support functions.” Residential mortgage servicing, Loss
Mitigation, and foreclosure activities are fully covered through the scope of the
existing ECP program.
Additionally, to more fully denote the responsibilities of the HSBC North America
Compliance Committee of the Board of Directors, the ECP was updated to include
requirements of the Consent Orders as outlined in the Action Plan for Article 2, 2(d),
and 2(l) of Board Oversight. Specifically, refer to the HSBC – North America
Compliance Risk Management Program Manual, pages 18-20, for a listing of the
responsibilities.
In addition to the ECP, the HNAH Compliance function also encompasses the Central
Services Regulatory Monitoring and Assessment (“RMA”) team, which manages the
regulatory monitoring and change management processes to facilitate compliance
with Legal Requirements and Board of Governors supervisory guidance applicable to
residential mortgage servicing, Loss Mitigation and foreclosure activities, as well as
the activities of other business lines. RMA holds weekly meetings with the business,
Compliance Officers, Legal and Government Relations to review pending and enacted
legislation as it becomes known. Year to date through September 23, 2011, 95
legislative alerts were issued by this team. (See attached New Legislation Alert ID HB
331 as an example and HSBC North America New Laws and Regulations Procedure
– US.) HSBC North America New Laws and Regulations Procedure – US, pages 1
through 6 provides guidelines for monitoring and tracking regulatory changes that may
impact business processes and procedures. The attached New Legislation Alert ID
HB 331 is an example of a legislative alert intended to communicate a high-level
summary of a law or regulatory change that may affect one or more HNAH businesses.
Page 12
Privileged and Confidential
Restricted
As law changes occur, new risk statements will be added to the Detailed Risk
Assessment or will be added to the state specific information housed within the
Database. Compliance is in the process of finalizing an internal procedure to
document this process. An internal procedure was completed and published on
August 24, 2011, which outlines how the database will be updated (see
Database – Maintenance and Approval Procedure ALL, pages 1 through
4).
Once new laws are identified and implemented pursuant to the processes noted
above, the SDCA unit monitors the bi-monthly report distributed by the Law Change
Working Group (“LCWG”) manager to gather information regarding which law
changes are ready for review. Within 60-90 days post implementation, the SDCA unit
schedules the law change for review.
In addition to the processes noted above, HNAH has in place the Service Delivery
Control Adherence (formerly known as NAQA) (“SDCA”) program which is managed
separately from the business lines, reporting to a central Corporate Quality Utility.
SDCA provides an independent, objective, and on-going assessment to senior
management of operational adherence to policies, procedures, and Group standards,
as well as of the effectiveness of the first line of defense internal control framework for
HNAH business operations.
As of June 30, 2011, a
gap analysis was completed to ensure that risk
statements for all Legal Requirements that impacted foreclosure, Loss Mitigation, and
mortgage servicing were documented within
The objective of the gap analysis
was two-fold: (1) to identify missing risk statements and (2) to identify control gaps for
all applicable risk statements. Meetings were held with the business to walk through
all identified foreclosure, Loss Mitigation, and Mortgage Servicing processes to
confirm existing risk statements and controls, identify gaps, and address additional
risk statements and controls needed for a given process.
The gap analysis results were compiled into a final report as of July 22, 2011 (see
attached Regulations and Risk Statement Gap Analysis Results in its entirety). A
summary of the
gap analysis is also attached and was submitted to the FRB
on August 12, 2011 (see MEMORANDUM
). The foregoing documents outline the Compliance Risk and Control
Assessment completed within
and contain the gap analysis results from that
assessment.
Page 13
Privileged and Confidential
Restricted
In addition to risk statements that were added to
by Compliance during the gap
analysis, the business has updated
with action plans to remediate any control
gaps and a timeline for implementing revised controls.
The Foreclosure, Loss Mitigation, and Mortgage Servicing business teams have
reviewed the control gaps identified in the
gap analysis report noted above and
have established remediation plans with associated completion dates for each control
gap as of August 12, 2011 (see the following documents in their entirety for additional
detail regarding the
gap analysis remediation plans: MEMORANDUM
Detail Compliance Risks With Controls & Actions
– Mtgbusadminandse, Detail Compliance Risks With Controls & Actions – CML, Detail
Compliance Risks with Actions – HMC, and Detail Compliance Risks with Actions CML).
Compliance completed a Risk Assessment of the foreclosure process from the initial
breach letter through the foreclosure sale. This Risk Assessment included reviews of
primary source materials; reviews of business policies, procedures, and functional
manuals; and interviews of business staff involved in the foreclosure process. Risk
Assessment results were compiled and the report was completed as of August 11,
2011 (see attached Compliance Foreclosure - Risk Assessment 8.26.11 Management
Responses – “Compliance Risk Assessment”. See page 4 for the Management
Summary and pages 5 through 22 for risk assessment results). The Risk Assessment
results noted policy, procedure, reporting and other related gap
Remediation of many of the noted gaps within the Risk Assessment have
already been completed (e.g.,
as outlined in the Compliance Risk
Assessment. Additionally, as of August 26, 2011, Foreclosure management
completed an action plan to remediate all other gaps (e.g.,
(see
Compliance Foreclosure Risk Assessment 8.26.11 management responses, pages 5
through 22). Additionally, as part of the quarterly Enterprise-wide Compliance Risk
Assessment, all businesses are required to certify as to the completeness and
accuracy of the Compliance Risk Assessment.
A similar Risk Assessment was completed for Mortgage Servicing as of September
12, 2011. Risk Assessment results were compiled and a final report was completed
as of September 26, 2011. Mortgage Servicing presented a response plan to
remediate noted gaps on October 10, 2011 (see Compliance Loan Servicing Risk
Assessment 10.10.11 Management Responses).
Page 14
Privileged and Confidential
Restricted
Also, to ensure that HNAH has fully documented policies and procedures and that all
employees understand and consistently follow them, HNAH has established the Good
Governance Initiative. Its objective is to ensure that there are proper procedures in
place within HNAH for all applicable business and operational processes, and that
these procedures are clear, concise, thorough, accurate, and reflect compliance with
Legal Requirements. Currently, HNAH is completing the following:
• Reviewing procedures for accuracy
• Conducting a root cause / trend analysis of past procedural breaches
TRAC
HNAH has an established Testing and Risk Assessment Compliance Group (“TRAC”)
function as a second line of defense, a part of HNAH Compliance, which is consistent
with the requirements of “Compliance Risk Management Programs and Oversight at
Large Banking Organizations with Complex Compliance Profiles,” dated October 16,
2008 (SR 08-08/CA 08-11) as required by the Order. TRAC is responsible for
conducting on-going compliance testing and risk assessments independent of the
business unit compliance.
TRAC develops and maintains a Compliance Risk Mitigation Program, which
establishes HNAH-wide consistent standards and processes to enable management
to proactively identify, measure, monitor, test, and report compliance risks and
controls as noted on page 6 of the HSBC - North America Compliance Risk Mitigation
Program. This information is used to obtain reasonable assurance that HNAH and its
subsidiaries are complying with material regulatory requirements and Group
Compliance policies and standards.
Additionally, below is a listing of TRAC's specific roles and responsibilities, which are
provided in greater detail within the HSBC - North America Compliance Risk
Management Program Manual on page 31 and include:
• developing and maintaining firm-wide compliance risk assessment processes,
methodologies and tools;
• leading the execution and oversight of the General Enterprise-wide Risk
Assessment and facilitating and performing quality assurance of the results of the
Detail Self Assessment, in conjunction with business line management and
business line Compliance Officers;
• developing and maintaining firm-wide compliance monitoring and review
programs, policies, procedures, processes and standards;
• annually reviewing business line/Compliance Officer compliance programs and
processes, including Compliance Officer issue remediation activities;
• annually reviewing the effectiveness of the HNAH Compliance Risk Management
Page 15
Privileged and Confidential
Restricted
•
•
Program;
administering the Matters Requiring Attention (“MRAs”) tracking and validation
program to include tracking of MRAs, validating remediation and reporting MRA
status to Group Compliance EXCO, senior management, Risk Governance
Committees, and Compliance Committee; and
maintaining processes to track, escalate, and report material compliance issues
and any corrective actions identified through examinations, inspections,
compliance monitoring and reviews, or other means.
Based on the enhancements put in place from the
Gap Analysis and the
Compliance Foreclosure and Mortgage Servicing Risk Assessments, the ECP
Program did not require further modification as a result of the EY Risk Assessment.
Documents to be submitted with the Action Plan
x HSBC - North America Compliance Risk Management Program Manual
x New Legislation Alert - Idaho HB 331
x HSBC North America New Laws and Regulations Procedure – US
x
Database – Maintenance and Approval Procedure ALL
x Regulations and Risk Statement Gap Analysis Results
x MEMORANDUM
x Detail Compliance Risks With Controls & Actions – Mtgbusadminandse
x Detail Compliance Risks With Controls & Actions – CML
x Detail Compliance Risks with Actions – HMC
x Detail Compliance Risks with Actions - CML
x Compliance Foreclosure - Risk Assessment 8.26.11 Management Responses
x Compliance Loan Servicing Risk Assessment 10.10.11 Management Responses
x HSBC - North America Compliance Risk Mitigation Program
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
Page 16
Privileged and Confidential
Restricted
Article 14(c)
FRB Order Reference:
Article 14(c)
Corresponding
N/A
OCC Article:
establish limits for compliance, legal, and reputational risks and provide for regular
review of risk limits by appropriate senior management and the board of directors or
an authorized committee of the board of directors.
Action Plan
The operating principles of the HNAH Risk Framework requires processes to
adequately identify risk levels, requires a method to ensure effective communication
of established risk management policies, procedures, and standards to all appropriate
business line and other staff, establish limits for compliance, legal, and reputational
risks and provide for regular review of risk limits by appropriate senior management
and the board of directors or an authorized committee of the board of directors. The
operating principles are as follows (and also noted fully in section 3.3.4, pages 22 –
23, of the attached HSBC – North America Compliance Risk Management Program
Manual):
• Ensure all risks are appropriately identified, measured, managed, controlled and
reported;
• Develop, communicate & implement appropriate risk-related policies, procedures,
& processes in collaboration with business units, functional areas and Group;
• Provide an independent review and assessment of risks by regularly reviewing risk
levels and risk management practices and raising concerns to senior executive
management and the Board as necessary.;
• Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate outsized risks;
• Ensure compliance with all relevant laws, regulations, and regulatory
requirements, including Basel II;
• Assess overall capital needs and enhance capital allocation
• Set risk appetite in line with capital availability and overall business strategy;
• Establish and promote a risk management culture that appropriately balances
risks and rewards;
• Assist the Board and senior executive management in establishing risk tolerances,
limits, and performance measurements across HNAH;
• Share and leverage best practices across Group;
• Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly; and,
• Formulate an internal view of capital requirements relative to risk.
The Risk Management Framework brings together risk functions across North
America to ensure a consistent policy, process, and practice is applied across legal
entities. An overarching HNAH Risk Limits Framework, which is maintained by the
North America Risk organization in conjunction with internal business partners from
Page 17
Privileged and Confidential
Restricted
Finance, Legal and Compliance, and the business lines, provides for the identification,
communication, limitation, and management of all risks across HNAH, both for
discontinued and ongoing business lines.
The results of the risk assessment did not identify the need for further enhancement
to or modification of the HNAH Risk Management Framework beyond those
enhancements already completed or underway in order to comply with the
requirements of this Article.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
,
Risk
Governance and Administration, HNAH
x
, SVP General Compliance
Page 18
Privileged and Confidential
Restricted
Article 15
FRB Order Reference:
Article 15
Corresponding
N/A
OCC Article:
Within 60 days of submission of the comprehensive risk assessment conducted
pursuant to paragraph 12 of this Order, HNAH and HBIO shall jointly submit to the
Reserve Bank an acceptable, comprehensive risk management program for the
Mortgage Servicing Companies. The program shall provide for the oversight by
HNAH’s senior risk managers and HBIO’s board of directors and senior management
of the development and implementation of formalized policies and mitigation
processes for all identified risks to the Mortgage Servicing Companies. The program
shall, at a minimum, address, consider, and include:
Action Plan
Please see responses included below in Articles 15(a) – 15 (l)
Documents to be submitted with the Action Plan
Not applicable.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 19
Privileged and Confidential
Restricted
Article 15(a)
FRB Order Reference:
Article 15(a)
Corresponding OCC
N/A
Article:
The structure and composition of HBIO’s board risk management committees and a
determination of the optimum structure and composition needed to provide adequate
oversight of Mortgage Servicing Companies’ firm-wide risk management;
Action Plan
The Risk Management Framework is an integral component of HNAH’s operating
environment. The HNAH Risk Management Framework provides for oversight of risk
by the HNAH Board through the HNAH Risk Management Committee. The HNAH
Risk Management Committee is a regional level risk committee that provides a forum
for risk managers, functional heads, and business unit heads to establish risk appetite,
assess risk, establish risk management policies and standards, discuss emerging risk
issues and agree upon appropriate actions, as necessary. The Mortgage Servicing
Companies and the Bank are covered by the HNAH Risk Management Framework,
which incorporates all risk categories, including operational, compliance and legal
risks.
The HNAH Risk Management Committee Framework is structured in the following
manner:
Page 20
Privileged and Confidential
Restricted
The operating principles of the HNAH Risk Framework requires processes to
adequately identify risk levels and trends requires a method to ensure effective
communication of established risk management policies, procedures, and standards to
all appropriate business line and other staff. The operating principles are as follows:
• Ensure all risks are appropriately identified, measured, managed, controlled and
reported;
• Develop, communicate & implement appropriate risk-related policies, procedures, &
processes in collaboration with business units, functional areas and Group;
• Provide an independent review and assessment of risks by regularly reviewing risk
levels and risk management practices and raising concerns to senior executive
management and the Board as necessary.;
Page 21
Privileged and Confidential
Restricted
•
•
•
•
•
•
•
•
•
Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate outsized risks;
Ensure compliance with all relevant laws, regulations, and regulatory requirements,
including Basel II;
Assess overall capital needs and enhance capital allocation
Set risk appetite in line with capital availability and overall business strategy;
Establish and promote a risk management culture that appropriately balances risks
and rewards;
Assist the Board and senior executive management in establishing risk tolerances,
limits, and performance measurements across HNAH;
Share and leverage best practices across Group;
Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly; and,
Formulate an internal view of capital requirements relative to risk.
The Risk Management Framework brings together risk functions across North America
to ensure a consistent policy, process, and practice is applied across legal entities. An
overarching HNAH Risk Limits Framework, which is maintained by the North America
Risk organization in conjunction with internal business partners from Finance, Legal
and Compliance, and the business lines, provides for the identification, communication,
limitation, and management of all risks across HNAH, both for discontinued and
ongoing business lines.
As depicted in the “HSBC North America (HNAH) Risk Management Framework”
diagram above, the risk management framework is designed such that the business
and functional risk committees (e.g., Mortgage Lending) report up through the
enterprise-wide risk functions to provide consistent methodologies for the assessment
of risk throughout the organization.
The results of the risk assessment did not identify the need for further enhancement to
or modification of the HNAH Risk Management Framework beyond those
enhancements already completed or underway in order to comply with the
requirements of this Article.
Documents to be submitted with the Action Plan
Not applicable.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
,
Risk
Governance and Administration, HNAH
Page 22
Privileged and Confidential
Restricted
Article 15(b)
FRB Order Reference:
Article 15(b)
Corresponding OCC
N/A
Article:
a detailed description of the responsibilities of the line-of-business staff, legal
department, and internal audit department regarding risk assessment and
management, including, but not limited to, compliance and legal risks;
Action Plan
HNAH’s line of business staff, legal department and internal audit have responsibilities
regarding risk assessment and management as follows:
Business Management Operational Risk (Business-line)
Operational Risk Management activities include but are not limited to:
• Serves as single point of contact coordinating with the second and third lines of
defense – Tracks and monitors control weaknesses and audit findings
• Works directly with business to strengthen control gaps and assesses the
adequacy and sustainability of remediation efforts
• Conducts self assessments on key controls to determine effectiveness and
monitors KRI’s
• Facilitates quarterly and annual workshops for RCA and
• Facilitates annual certifications and reviews Group Policies to determine
compliance with GSM and FIM
• Reports and maintains tracking and trending of operational losses
Business Management has responsibilities directly related to Residential Mortgage
Servicing, while adhering to the enterprise-wide oversight. Business management has
the following accountabilities:
•
•
•
•
•
Identifying and assessing operational risks and controls
Identifying and reporting incidents
Implementing and operating internal controls and cannot rely on ORIC or other
“second line of defense” control functions
Monitoring the ongoing effectiveness of key controls to gain assurance that they are
operating in line with risk appetite and any regulatory and FIM requirements.
Establishment of Business Risk Control Management (“BRCM”) capability to help
undertake the appropriate level of key control monitoring.
BRCM and Coordinators
Operational Risk Oversight Functions have the following accountabilities within their
functional area of expertise:
• Defining key operational risks and establishing minimum control standards and
appropriate indicators / metrics
Page 23
Privileged and Confidential
Restricted
•
•
•
Undertaking oversight to verify the appropriateness of business (and functional|)
management control monitoring activity. Where oversight is conducted by these
teams, ORIC may leverage this work in carrying out its oversight responsibilities to
avoid duplication so long as it is satisfied that appropriately rigorous and sound
standards have been followed.
Reviewing and reporting their indicators / metrics and taking action as necessary
where any business appears to be operating, or to be at risk of operating, outside
the established risk appetite.
Gaining assurance that the minimum standards in their respective FIMs are being
met through oversight activity as outlined in GSM.
Additional information related to roles and responsibilities between business
management and the BRCM is provided below:
Where BRCM undertakes control monitoring, a detailed monitoring plan that describes
the key control monitoring activities that will be completed over the next year is
established on at least annually. The monitoring plan is based on consideration of the
RCA results as the basis of the annual monitoring plan, and also the following should
be considered:
• New control standards issued
• Relevant local regulatory requirements
• Control issues identified in quarterly Operational Risk reporting
• Monitoring standards outlined in the FIMs
• Internal and external incident data
• Outputs of recent internal control monitoring
• Output of Group internal audit report, external auditors report and other functional
reports
• Significant changes in business structure, personnel, external environment,
products and systems
• Emerging risk issues / themes
• Controls where independent testing is mandated for SOX purposes
• The work plans of other areas (e.g. functions) carrying out control monitoring, to
Page 24
Privileged and Confidential
Restricted
maximize efficiency and avoid overlap.
The monitoring plan must be approved following an appropriate governance process
(e.g. Business Head or appropriate business committee) on an annual basis.
Significant amendments to the scope of the work plan must be agreed using the same
governance process. The “appropriate governance process” will be further defined
during the implementation of internal control monitoring. Review of plans and their
approval and implementation may be subject to review by ORIC and Group Audit as
well as Business Management.
The work plan will be submitted to the HNAH ORIC Committee for approval on an
annual basis. Significant amendments to the scope of the work plan must be agreed by
the ORIC Committee as required. ORIC must monitor progress against work plans on
at least a quarterly basis, and consider work plan relevance, ad-hoc oversight based
on emerging areas of risk, resource assessment (availability and capability), and any
necessary escalation of delays. Progress will also be shared with the HNAH ORIC
Committee and any delays in the execution of an activity should be adequately
justified.
Where monitoring / oversight results indicate that controls are no longer effective and
the risk is now outside of appetite, new issues and actions must be created to ensure
appropriate rectification. A process must be in place for tracking issues and actions
and ensuring their appropriate and timely resolution.
Significant issues identified through monitoring / oversight must be reported to
business management and the relevant ORIC Committee.
Legal
The North America Legal Function undertakes to manage the Legal risk of HNAH and
supports the risk control functions in their management of risks The North America
Legal function's duties and responsibilities relative to the support of the Compliance
Function in managing compliance risk include (see pages 35 and 36 of the attached
HSBC – North America Compliance Risk Management Program Manual for additional
detail):
• Provide legal advice to the HNAH Compliance function and business units on
regulatory compliance matters;
• Prepare and/or review standard forms and contracts which may impact regulatory
compliance, including agreements that delegate or assume compliance
responsibilities;
• Work with HNAH Compliance to monitor and track both new and changed laws,
regulations and regulatory guidance;
• Assess legislative, judicial, and regulatory activities and developments that may
impact the Financial Services industry as a whole to identify potential emerging
compliance risks and developments;
• Participate in business unit-aligned working group meetings with HNAH
Page 25
Privileged and Confidential
Restricted
•
•
•
•
•
Compliance Central Services, Government Relations and other HNAH Compliance
functions to discuss legislative and regulatory activities and developments;
Provide legal advice on new or changed laws or other requirements;
Review and approve impact analyses prepared by HNAH Compliance Central
Services;
Along with HNAH Compliance, advise executive management on new or changed
compliance requirements and potential impacts;
Along with HNAH Compliance, advise executive management on compliance and
legal risks associated with certain business decisions; and
Provide information to HNAH Compliance regarding litigation matters that may
involve HSBC and may have a regulatory compliance impact.
Internal Audit
Group Audit North America (“AUN”) is an integral part of the Group and HNAH control
environment. It provides management and the Board with an independent and
objective review of business activities, risk management and support functions.
AUN’s compliance-related duties and responsibilities include (see pages 34 and 35 of
the attached HSBC – North America Compliance Risk Management Program Manual
for additional detail):
• Maintain a dynamic auditable universe of compliance risk entities which are
evaluated and updated as business or regulatory conditions change;
• Utilize compliance risk assessments as the baseline for the annual audit plan and
the development of compliance audit programs;
• Validate compliance risk assessments performed by business units and HNAH
Compliance;
• Maintain and execute compliance audit programs and procedures;
• Ensure that the auditors performing compliance audits possess and maintain
required skill sets and knowledge of current regulatory requirements;
• Integrate compliance risk reviews and testing into business unit operational audits.
This includes testing the effectiveness of business unit compliance processes and
adherence with compliance requirements;
• Evaluate the design and operating effectiveness of business unit and HNAH
compliance programs;
• Assess the HNAH Compliance function and RCO’s effectiveness in managing
compliance risk and overseeing and supporting the implementation of the Program;
• Render an annual assessment of the overall effectiveness of the HNAH compliance
program to senior management and the HNAH Compliance Committee;
• Provide the HNAH Compliance Committee with status updates and results on
compliance relate audits;
• Provide timely reports to line management, executive management and compliance
management on the results of risk evaluations and testing activities; and
• Monitor resolution of issues raised in previous audits and report to executive
management monthly and RMC and ORIC quarterly.
Page 26
Privileged and Confidential
Restricted
Role in Organization / Description
Group Audit North America is responsible for all of the internal audit activities of the
U.S. mortgage business, including HBIO and HBUS. This includes audits of the
effectiveness of risk management, control, and governance processes for Residential
Mortgage Loan Servicing, Loss Mitigation, and foreclosure activities. Group Audit
North America has performed a review, based on the Order, of its approach for these
audits. Complete audit programs for Default Services have been implemented with
enhancements and additions based on the Order, and Payment Services and
Customer Services are in process. Additional changes will be made to audit programs
as management finalizes implementation of revised procedures and controls over
applicable servicing activities, Audit completes transaction walk-throughs of the revised
processes and based on the independent consultant’s risk assessment. The AUN
RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE DEFAULT
SERVICES document details the back-end real estate and front-end non-real estate
secured default services audit, payment services, and customer services audit. In
addition, the AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT document includes a combination of following five audit programs:
• AUN RESIDENTIAL MORTGAGE DEFAULT SERVICES BACK- END REAL
ESTATE SECURED ACCOUNTS
• AUN RESIDENTIAL MORTGAGE FRONT END COLLECTIONS AND NON REAL
ESTATE SECURED DEFAULT SERVICES
• AUN STANDARD RISKS, CONTROLS & AUDIT PROGRAMS
• AUN RESIDENTIAL MORTGAGE PAYMENT SERVICES SPECIALIZED AUDIT
PROGRAMS
• AUN RESIDENTIAL MORTGAGE CUSTOMER SERVICES SPECIALIZED AUDIT
PROGRAMS
In addition, effectiveness of the control functions is evaluated through audits of ECP
and ERM functions. Group Audit North America provides an annual assessment of the
adequacy and effectiveness of the ECP to the HNAH Board of Directors, through the
Audit and Risk Committee and Compliance Committee as well as senior management.
Results of the ECP assessment are summarized in the GROUP AUDIT NORTH
AMERICA – HNAH REGULATORY COMPLIANCE PROGRAM, pages 20 through 38).
This assessment summarizes how Audit assesses compliance risk and provides
details on compliance coverage as part of the audits completed during the year. A
regulatory matrix is in place to assist auditors in identifying key regulations and
including them in the scope of each audit as necessary. In addition, Group Audit North
America completes a regulatory compliance review as part of every operational audit
using a standard regulatory compliance audit program.
To address ERM, Group Audit North America completes risk assessments for every
audit. Those assessments are designed to include all aspects of ERM, including, but
not limited to, credit risk, compliance risk, operational risk, legal risk, and financial risk
(See AUN BACK-END RE SECURED DEFAULT SERVICES AUDIT as an example of
Page 27
Privileged and Confidential
Restricted
an audit risk assessment conducted). In addition, Group Audit verifies the
effectiveness of operational risk management activities by assessing whether
management has completed an operational risk assessment and recorded risks in the
(“
with appropriate
action plans. Any missing or incomplete risks or divergence in risk assessments are
reported to management.
Group Audit North America conducts periodic reviews of major Residential Mortgage
Servicing business processes including Default Services, Customer Services, and
Payment Services. The reviews assess the effectiveness of the compliance and risk
management processes for loan servicing, Loss Mitigation, and foreclosure activities.
These reviews include enhanced coverage of compliance with the Legal Requirements
and supervisory guidance.
The 2011 Group Audit Plan has been designed to provide holistic risk assurance to
Executive Management, Audit and Risk Committees and regulators that material risks
are being managed effectively within the North American region and in line with
Group’s stated risk appetite. Group Audit has evaluated risk assessment results for
the audit universe and its prioritization of areas to be audited on a global basis to
account for changes that have occurred in the US businesses during 2010. With these
changes in mind, the Group audit plan has been designed to provide comprehensive
audit coverage of internal controls in order to mitigate business risks, such as
compliance and operational risk. Consistent with prior years, the audit plan has been
compiled using a risk-based audit approach and have been continuously reviewed and
revised during the course of the year for emerging risks (See 2011 AUDIT PLAN
PRESENTATION. See pages 2 and 3 of the attached document that discuss the Audit
Approach and 2011 Internal Audit Plan and Key Themes).
The audits scheduled for 2011 broadly fall into three categories: Group-Wide RiskBased Audits designed to provide clear line-of-sight to the effectiveness of risk
management around key risks; Governance Audits designed to assess the
effectiveness of the oversight process at the Group-level and validate the second line
of defense's work; and Project Audits designed to provide assurance around on-going
flagship change programs across the Group. On an annual basis, the Audit Plan
continues to be reviewed with the Federal Reserve, OCC, and KPMG prior to being
submitted to the HNAH Group Audit Committee for approval (See Board Resolution for
Audit Plan Approval).
The scope and frequency of audits is based on the internal audit’s assessment of risks.
The scheduling of audits is an on-going dynamic process reflecting changes in internal
audit’s assessment of the inherent risk of the auditable entities within the audit
population. A risk calculator model is used in the Annual Operating Plan (“AOP”)
process and on-going scheduling of audits. The risk calculator seeks to identify and
measure entity level risks across the audit population to determine the prioritization of
audits. Resourcing and staffing needs are accordingly adjusted to enable audit
Page 28
Privileged and Confidential
Restricted
resources be directed to the most appropriate areas. However, the risk calculator is a
guide for senior audit management and does not preclude audits being scheduled
differently. It is pertinent to mention that there are established controls that require
entities with a high risk score to be audited within 12 months. As such, some of the
mortgage business areas are audited on an annual basis (as described below).
Medium-risk entities are audited every 18 to 24 months and low-risk entities are
audited every 24 to 36 months. The Group Audit Standard Manual is the primary
instruction manual for Group Audit and details all key policies and procedures (See
THE HSBC GROUP AUDIT STANDARDS MANUAL). The HSBC GROUP AUDIT
STANDARDS MANUAL is a detailed manual that outlines the standards and practices
adopted by the Audit function, which comply with the International Standards for the
Professional Practice of Internal Auditing and Code of Ethics.
The Consumer Mortgage Lending Default Services audit entity is reviewed on an
annual cycle. Audits covering activities pertaining to front-end, mid-range, and backend collections are rotated every other year. However, certain activities, such as loan
modifications and foreclosures, are reviewed every year based on loan volume and
regulatory considerations. In addition, Group Audit North America conducts annual
audits of second line of defense functions (i.e., Service Delivery Control Adherence
(formerly known as NAQA), TRAC) to validate that they are operating effectively.
Group Audit North America also performs ad hoc audits and reviews outside the
normal audit activities on behalf of senior management. These include special reviews
of changes in policy, compliance with new Group or regulatory requirements,
consultancy, and investigations at the request of the Audit and Risk Committee and the
Chief Executive Officers See pages 2 and 3 of the attached 2011 AUDIT PLAN
PRESENTATION document which notes the Audit Approach, 2011 Internal Audit Plan,
and key themes. Additionally, see the 2011 AUN AUDIT PLAN – STATUS document
which outlines residential mortgage servicing and non-real estate default services audit
actions, their schedule, and status.
In addition, Group Audit North America prepares and maintains a matrix of regulatory
requirements to assist its auditors in identifying key regulations and including them in
the scope of each audit as applicable. The Compliance Risk Assessment completed
by HNAH Compliance is used to update the matrix on a semi-annual basis. Audit
management ensures that staff identifies and understands the regulations that apply to
the audit they are performing by using the regulatory matrix. In addition, Internal Audit
monitors coverage of compliance risks during the year to ensure that there is adequate
internal audit coverage of compliance risks to support the assessment at the end of the
year. In addition, Group Audit North America completes a regulatory compliance
review as part of every operational audit using a standard regulatory compliance audit
program.
Group Audit North America employs a risk-based approach to reporting and monitoring
audit findings, which is designed to ensure critical matters or exposures are escalated
and addressed in a timely and comprehensive manner. For high risk findings, Group
Page 29
Privileged and Confidential
Restricted
Audit North America verifies implementation of corrective measures through detailed
testing. Low risk audit findings are communicated to management, and it is the
business unit’s responsibility to ensure corrective measures have been taken and
reported. Group Audit North America management conducts on-going monitoring of
aging audit issues – which are restricted to high-and medium-risk issues – to verify
whether findings have been resolved, and it regularly reports stale (greater than 180
days old) high or medium risk findings to the Audit and Risk Committee. Repeat and
partial repeat findings also receive separate reporting and tracking, and management
has scorecard goals to keep both stale and repeat findings at low levels.
Group Audit North America has systems in place to track and monitor the status of the
audit findings and recommendations. These systems facilitate follow-up reviews and
are designed to track timely completion and effectiveness of the corrective measures.
For example, the Audit Issues Module includes the following:
• Detailed information about findings, including target date for resolution, next action
date for review by Group Audit North America, management response and action
plan, and commentary supporting actions to date;
• Tracking capabilities designed to ensure the information is accurate and up-to-date,
and that timely, corrective action of audit findings have been certified by
management;
• Tracking capabilities designed to ensure that all outstanding issues have been
remediated; and
• Email notifications to the responsible individuals when items are due, designed to
ensure timely follow-up on outstanding audit finding.
The Audit Issues Module is utilized to generate exception reports that list issues that
have not been remediated. Group Audit North America submits these reports monthly
to Executive Management as well as quarterly (See Audit Update – HNAH Operational
Risk and Internal Control Committee (ORIC) as an example to the reporting) to the
internal Operational Risk and Control Committees and the Audit and Risk Committee
of the HNAH Board. Please see the following sample reports:
• HBIO High Risk Outstanding Issues (PPT)
• HBIO High Risk Outstanding Issues - 30JUN11 (XLS)
• HBIO Repeat Issues
• HBIO Repeat Issues 2Q11
• HNAH All Medium 30JUN11
• HNAH High Risk Issues 30JUN11 (XLS)
• HNAH High Risk Outstanding Issues (PPT)
• HNAH-wide including HTSU Repeat Issues
• HNAH Repeat Issues 2Q11
Group Audit North America has procedures to escalate and resolve differences of
opinion between audit staff and management concerning audit exceptions and
recommendations. Upon completion of audit reviews, Group Audit North America
holds exit meetings with senior management to discuss audit findings and confirm that
Page 30
Privileged and Confidential
Restricted
no disagreements with the facts of the audit findings exist. Minutes from these
meetings are circulated to the relevant members of management and concerns, if any,
are escalated to Executive Management. It is important to note that while every
attempt is made to agree on the factual accuracy of the audit findings with
Management, Group Audit North America is, however, ultimately responsible for the
overall control risk rating and risk rating of findings in the audit report.
Process Changes
Group Audit North America conducted a gap analysis for every item in the Order,
completed on April 15, 2011, to identify: 1) areas that were not previously covered in
the audit scope, 2) new controls to be implemented by Residential Mortgage Servicing,
and 3) areas that require more detailed review by Internal Audit. Refer to attached
AUN GAP ANALYSIS – FRB CONSENT ORDERS vs. AUDIT PROGRAMS file, which
has separate tabs for OCC and FRB items. The column labeled “Gap Analysis”
(column E) specifically identifies enhancements to existent audit programs or new
requirements. Further, there are tabs for 1) ARA – Back End RE Default Services and
2) ARA – Front End Collections & NRE Default Services. The Audit Risk Assessment
(ARA) documents have new and updated controls highlighted in yellow.
As a result of the gap analysis, numerous audit programs were enhanced. (See ARA
tabs in AUN GAP ANALYSIS – FRB CONSENT ORDERS vs. AUDIT PROGRAMS file,
where updated controls are highlighted in yellow.) These enhancements include a
more robust review of the foreclosure affidavit execution processes, notarization
processes, MERS oversight, SPOC controls and attorney network oversight controls.
To the extent possible, audit programs have been enhanced to include new business
processes such as those pertaining to the affidavit process and MERS. However, as
the independent consultants complete the risk assessment required by the Order,
additional controls may be identified and audit programs will be enhanced accordingly.
For Loss Mitigation, and foreclosure activities, Group Audit North America enhanced or
developed certain specialized audit programs in light of the Order described above.
Further, Group Audit North America is reviewing the results of the Independent Risk
Assessment to determine any audit changes required.
Additionally, the Mortgage Default Servicing Operations Audit is on an annual review
cycle
This audit, scheduled to begin in
October 2011, includes the following key areas:
• Collection and Default Services
o Front-End Activities in the first 59 days overdue (e.g., ARM resets, Internal
Hardship, Collection Queue Management, and Dialer Strategies)
o Mid-Range Activities from 60 to 119 days overdue (e.g., Skip Tracing and use of
Page 31
Privileged and Confidential
Restricted
external collection agencies)
o Back-end Operations beyond 120 days overdue (e.g., Loss Mitigation
Strategies, Loan Modifications, Charge-off, Real Estate Owned and,
Foreclosures)
Other audits of the mortgage business include:
• Payment Services
• Customer Services
Collection and Default Services
Audit coverage of the Collection and Default Services includes the review of collections
activities on contractually delinquent accounts serviced by the Mortgage Servicing
Companies and HBUS. Activities included in scope consist of front-end, mid-range
and back-end collections for secured and unsecured loans. Audit coverage extends to
governance and strategy and processes for restructuring (e.g., modifications and reages), bankruptcy, foreclosure, and Loss Mitigation activities (e.g., short-sales, deed in
lieu, forbearance). Dialer management is also reviewed to ensure that telephonic
customer collection dialer setting queues are systemically restricted to authorized
personnel, policies and procedures are adhered to, and regulatory requirements are
considered. The reviews also cover Real Estate Owned (REO) activities and
monitoring of external agencies (e.g., debt management). (See ARA in AUN GAP
ANALYSIS – FRB CONSENT ORDERS vs AUDIT PROGRAMS)
Payment Services
The Mortgage Servicing Payment Services audit includes the review of activities
related to the receiving, tracking and posting of cash payments, cash exception
processing (i.e., bankruptcy payment processing), verification that payment algorithms
comply with State regulatory requirements, and validation of payment posting.
Customer Services
The Customer Services audit includes the review of activities related to the handling of
customer correspondence (whether received by phone, letter, or e-mail), forecasting
call volumes and routing via the Voice Response Unit (“VRU”), and management of
complaints. Responsibilities for maintaining escrow accounts, monitoring accounts
requiring special handling, and maintaining required property insurance are also
reviewed as part of this audit.
A review of compliance with the applicable` federal and state regulatory requirements
is included in each of the mortgage servicing audit programs. In addition, Group Audit
North America includes the review of applicable mortgage servicing activities as part
Page 32
Privileged and Confidential
Restricted
other audits, such as Remittance Processing Center, Loan Loss Reserve, Business
Unit Financial Control, State Regulatory Administration, and Sarbanes Oxley.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual
x AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES
x GROUP AUDIT NORTH AMERICA – HNAH REGULATORY COMPLIANCE
PROGRAM
x AUN BACK-END RE SECURED DEFAULT SERVICES AUDIT
x Board Resolution for Audit Plan Approval
x THE HSBC GROUP AUDIT STANDARDS MANUAL
x Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
x HBIO High Risk Outstanding Issues (PPT)
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS)
x HBIO Repeat Issues
x HBIO Repeat Issues 2Q11
x HNAH All Medium 30JUN11
x HNAH High Risk Issues 30JUN11 (XLS)
x HNAH High Risk Outstanding Issues (PPT)
x HNAH-wide including HTSU Repeat Issues
x HNAH Repeat Issues 2Q11
x AUN GAP ANALYSIS – FRB CONSENT ORDERS vs. AUDIT PROGRAMS
x 2011 AUN AUDIT PLAN – STATUS
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
EVP/Chief Auditor, HBIO
Page 33
Privileged and Confidential
Restricted
Article 15(c)
FRB Order Reference:
Article 15(c)
Corresponding
OCC Article:
written policies, procedures, and risk management standards;
N/A
Action Plan
The HSBC ORIC framework covers all businesses and operations of the Group. The
following categories of risk are included under the definition of operational risk (the
risk of loss resulting from inadequate or failed internal processes, people, and
systems or from external events) and are subject to the HSBC’s ORIC management
framework:
• Compliance
• Fiduciary
• Legal
• Information
• Accounting
• Tax
• External Fraud
• Internal Fraud
• People
• Political
• Physical
• Business Continuity
• Systems
• Operations
• Project
Operational Risk management consists of the identification, assessment, monitoring
and control of operational risk so as to maintain losses within acceptable levels and to
protect the Group from foreseeable future losses. Management in all businesses and
support functions operating in North America, including Global Businesses, are
responsible for designing controls to mitigate operational risk and for monitoring and
evidencing the effectiveness of those controls in operation. Acceptable levels of
internal control should be determined by reference to the scale and nature of each
business operation, but must also remain compliant with the minimum standards set
out in Group Standards Manual and Group Functional Instruction Manuals; ensuring
appropriate levels of economic and regulatory capital in accordance with internal and
external requirements.
As of January 2011, HSBC – North America began implementation of the new Group
Risk and Control Assessment (RCA) methodology. This is a new methodology
adopted by HSBC Group Operational Risk to replace the existing methodology, RSA
or Risk Self -Assessment. The RCA is a component in the Enhanced Operational Risk
Page 34
Privileged and Confidential
Restricted
Framework implemented throughout HSBC. The RCA methodology builds on the RSA
and is designed to provide businesses with a forward-looking view of operational risk
and to help them proactively determine whether their key operational risks are
controlled within acceptable levels. The RCA methodology enables the assessment of
both the typical and extreme exposure to operational risks and considers the direct
financial costs and the indirect financial impacts to the business including customer
service, reputational, and regulatory impacts.
Typical exposure to operational risk events (e.g. credit card fraud) is the total loss that
is expected to occur in the next 12 months given the effectiveness of the control
environment.
The extreme events (e.g. rogue trading) take into account the inherent nature of risks
within the business and control environment, but assume that one or more controls
fail to operate as expected.
Specific aims of the RCA methodology are to:
• Identify and assess material operational risks;
• Identify and assess the effectiveness of key controls that mitigate these risks;
• Focus management attention where controls are assessed as either “Needs
Improvement” or “Ineffective”, and
• Identify what monitoring of key controls is being undertaken and thereby to identify
necessary management actions.
The following activities must be undertaken as part of the RCA methodology:
• Scoping – Determine where an RCA should be undertaken (i.e. which entities or
what level within a country or business)
• Risk and Control Identification – Document the details of material risks and
associated key controls
• Risk and Control Assessment – Record the effectiveness of the key controls and
the residual risk exposure based on control assessments
• Control Monitoring – Identify the appropriate level of control monitoring required
and provide input into the internal control monitoring activity
• Issues and Actions – Implementation of action plans to address control
deficiencies and/ or specific people, process or technology improvements
• Governance and Reporting – Review and sign off the completed RCAs.
Roles and Responsibilities
Operational Risk and Internal Control
The HSBC – North America Operational Risk and Internal Control (HNAH ORIC)
Committee provides central governance and strategic oversight of the operational risk
management framework, including identification, assessment, monitoring, and
appetite for operational risk. The HNAH ORIC Committee is an authorized
Page 35
Privileged and Confidential
Restricted
subcommittee of the HNAH Risk Management Committee and is the senior most risk
committee responsible for the oversight and management of operational risk and
internal control within the North America Region.
The HNAH ORIC Committee oversees internal controls over HNAH’s top operational
risks and creates a regional risk and control culture by embedding operational risk
and internal control management into businesses and functions and by promoting
appropriate training.
The HNAH ORIC Committee is responsible for all businesses and operations in the
U.S. and Canada. Country and Global Business ORIC Committees have been
established as subcommittees. The Regional / Country ORIC Team coordinates the
coverage of the various ORIC Committees and minimizes overlap as appropriate.
Business Management
Business Management has the following responsibilities:
• Identifying and assessing operational risks and controls in accordance with HSBC
Group Operations FIM.
• Identifying and reporting incidents in accordance with HSBC Group Operations
FIM B.1.5 “Operational Risk Incident Management” (See attached page 1 of the
attached B.1.5 Operational Risk Incident Management document for additional
detail related to the definition and management of Operational Risk Incidents
• Implementing and operating their internal controls (i.e. the business cannot rely on
ORIC or other “second line of defense” control functions for this).
• Monitoring the ongoing effectiveness of key controls to gain assurance that they
are operating in line with risk appetite and any regulatory and FIM requirements.
• Establishment of Business Risk Control Management (“BRCM”) capability to help
undertake the appropriate level of key control monitoring.
Business Risk Control Manger and Coordinators
Operational Risk Oversight Functions have the following accountabilities within their
functional areas of expertise:
• Defining key operational risks and establishing minimum control standards and
appropriate indicators / metrics
• Undertaking oversight to verify the appropriateness of business (and functional|)
management control monitoring activity. Where oversight is conducted, ORIC may
leverage this work in carrying out its oversight responsibilities to avoid duplication
so long as it is satisfied that appropriately rigorous and sound standards have
been followed.
• Reviewing and reporting their indicators / metrics and taking action as necessary
where the business appears to be operating, or to be at risk of operating, outside
the established risk appetite.
Page 36
Privileged and Confidential
Restricted
•
Gaining assurance that the minimum standards in their respective FIMs are being
met through oversight activity as outlined in GSM.
Within HBIO and HBUS, the BRCM has additional responsibilities with respect to the
business as outlined below:
The BRCM is the central point of contact for second and third lines of defense such as
Group Audit North America (“AUN”), Service Delivery Control Adherence (“SDCA”)
Credit Review & Risk Identification (“CRRI”) and TRAC. See pages 4 and 5 of the
attached Business Risk Control Management Departmental Instruction Book for
additional details regarding an overview, roles and responsibilities of the BRCM. At
the onset of any audit or review conducted by a second or third line of defense the
BRCM is engaged and actively participates. In the event findings are issued to the
business the BRCM will work with the business to develop management responses
and action plans to remediate operational deficiencies. The BRCM is responsible for
providing reports to management on a weekly basis which outlines the inventory of
findings and the status of action plans. The BRCM and risk coordinators work closely
with the business to ensure findings are appropriately remediated and that controls
implemented are sustainable. The BRCM escalates issues aged over 180 days and
repeat findings to the Business Unit’s Senior Leadership Team and regular updates
are provided at the Bi-Weekly Retail Operations Governance Meetings as detailed on
pages 1 – 4 of the attached BROG Deck Prep Procedure ALL. Also please see
pages 1 – 3 of the attached Executive Reporting Preparation Procedure ALL for
procedures for reports prepared by the BRCM Business Analyst for usage by the
BRCM Senior Vice President and the Executive Vice President
The BRCM sponsors Annual Risk Workshops within the business unit. The purpose of
the workshops is to reinforce HSBC’s Operational Risk framework. Following these
education sessions, all existing risks are reviewed, emerging risks are discussed and
updates are made to controls and action plans as necessary. Workshop attendance
is required for the organizations’ Senior Vice President and Vice President. See the
attached Consumer & Mortgage Lending RCA Workshop One document for an
example of the presentation which includes objectives of providing a brief overview of
RCA methodology and defining how it differs from the RSA framework, identifying and
documenting material risks (in line with the risk categorization matrix), and assessing
the typical and extreme risk exposures, by business unit.
As detailed on pages 3 – 6 of the attached Business Risk Control Management
Departmental Instruction Book document, it is the responsibility of every SVP within
Residential Mortgage Servicing to submit loss events timely for operational risk
reporting. The BRCM facilitates the process to certify losses on a monthly basis.
Losses are reviewed by the BU Operational Risk, Senior Vice President on a monthly
basis to review trends and ensure action plans are in place to improve controls to
minimize repeat incidents.
Page 37
Privileged and Confidential
Restricted
With the implementation of RCA, the BRCM will undertake control monitoring. The
BRCM is required to review the RCA output, including the assessment of key controls.
The 2012 Internal Control Monitoring Work Plan must be completed and approved by
the President and CEO of the Servicing Company no later than January 15, 2012.
Independent Control testing will commence in 1Q12. Reporting and performance
data will be provided to management and other committees such as ORIC and BROG
as needed. The BRCM will provide oversight of the remediation of issues arising from
control monitoring and testing. Procedures outlining detailed monitoring activities are
targeted to be completed no later than February 28, 2012.
Internal Control Monitoring Plan
Where BRCM are undertaking control monitoring, business management must
develop an appropriately detailed monitoring plan on at least an annual basis that sets
out the key control monitoring activities that will be completed over the next year. The
monitoring plan should include RCA output detail as the basis of the annual
monitoring plan, and also the following should be considered:
• New control standards issued
• Relevant local regulatory requirements
• Control issues identified in quarterly Operational Risk reporting
• Monitoring standards outlined in the FIMs
• Internal and external incident data
• Outputs of recent internal control monitoring
• Output of Group internal audit report, external auditors report and other functional
reports
• Significant changes in business structure, personnel, external environment,
products and systems
• Emerging risk issues / themes
• Controls where independent testing is mandated for SOX purposes
• The work plans of other areas (e.g. functions) carrying out control monitoring, to
maximize efficiency and avoid overlap.
The monitoring plan must be approved following an appropriate governance process
(e.g. President and CEO of the Servicing Company or appropriate business
committee) on an annual basis. Significant amendments to the scope of the
monitoring plan must be agreed using the same governance process. The appropriate
governance process will be further defined during the implementation of internal
control monitoring. Review of plans and their approval and implementation may be
subject to review by ORIC and Group Audit as well as Business Management.
The monitoring plan will be submitted to the HNAH ORIC Committee for approval on
an annual basis. Significant amendments to the scope of the monitoring plan must be
agreed by the ORIC Committee as required. ORIC must monitor progress against
Page 38
Privileged and Confidential
Restricted
monitoring plans on at least a quarterly basis, and consider monitoring plan
relevance, ad-hoc oversight based on emerging areas of risk, resource assessment
(availability and capability), and any necessary escalation of delays. Progress will also
be shared with the HNAH ORIC Committee and any delays in the execution of an
activity should be adequately justified.
Where monitoring / oversight results indicate that controls are no longer effective and
the risk is now outside of appetite, or new issues are identified, actions plans must be
created to ensure appropriate remediation. A process must be in place for tracking
issues and actions and ensuring their appropriate and timely resolution.
Significant issues identified through monitoring / oversight must be reported to
business management and the relevant ORIC Committee.
BRCM Training
ORIC oversees the Operational Risk Management Framework, along with the new
RCA process. Training on the new RCA was provided to BRCM in 3Q11. See page 2
of the attached HNAH Operational Risk & Internal Control document for specific topics
covered in the overview which include Internal Control Monitoring Activity, Roles and
Responsibilities, and Types of Monitoring Activities. In addition, the Business Unit
BRCM and Risk Coordinators have access to the Operations Functional Instructions
Manual, the North America Risk Policy and Mandatory Operational Risk Awareness
Web-based Training (“WBT”). The purpose of the Operational Risk Awareness WBT
is to reinforce the value of Operational Risk and the part that the staff plays in its
management. The course emphasizes the importance of vigilance, thinking ahead
and educating staff about the impact (direct and indirect) of Operational Risk losses to
the business. See the page 2 of the attached Operational Risk Awareness WBT
document which summarizes the operational risk categories included in the WBT (i.e.,
Physical, Group Security and Fraud, Information, etc.). All new joiners are required to
complete this training within three months of joining HSBC. The on-line learning is
followed by an assessment that requires a score of at least 80 percent to complete
the training.
Good Governance Initiative
To ensure that written policies, procedures, and risk management standards are
maintained, HNAH also established the Good Governance Initiative to maintain
documented policies and procedures.
To ensure that HNAH has fully documented policies and procedures and that all
employees understand and consistently follow them, HNAH has established the Good
Governance Initiative. Its objective is to ensure that there are proper procedures in
place within HNAH for all applicable business and operational processes, and that
Page 39
Privileged and Confidential
Restricted
these procedures are clear, concise, thorough, and accurate. Currently, HNAH is
completing the following:
• Reviewing procedures for accuracy
• Conducting a root cause / trend analysis of past procedural breaches
• Implementing improvements pertaining to areas of concern beyond the actual
procedures such as accessibility of procedures, appropriate controls and
oversight, training, etc.
HNAH is following a five step process for review of procedures, and identifying and
addressing any gaps. There is a standard template that guides the five steps of
project implementation.
• Develop Procedures and Process Inventory
• Develop Breaches Inventory
• Conduct Gap Analysis
• Define Recommendations
• Implement Recommendations
The attached “Good Governance Project US HNAH” document provides additional
details regarding project background, objectives, approach, governance, and
specifications. All policies and procedures are expected to be certified as part of the
Good Governance Initiative by the end of the fourth quarter of 2011.
Updates Based upon Independent Risk Assessment
Residential Mortgage Services and Compliance have received the results of Ernst &
Young’s Independent Risk Assessment. The Residential Mortgage Services has
created action plans (see Article 15(l) for the full population of action plans) for each
finding. Based on the action plans as well as review of the findings, the Residential
Mortgage Services and Compliance will update its respective policies, procedures
and/or risk management standards as it deems necessary.
Documents to be submitted with the Action Plan
x Good Governance Project US HNAH
x Audit Tracking and Management Reporting Procedure ALL
x BROG Deck Prep Procedure ALL
x Executive Reporting Preparation Procedure ALL
x Consumer & Mortgage Lending RCA Workshop One
x Business Risk Control Management Departmental Instruction Book (BRCM DIB)
x HNAH Operational Risk & Internal Control
x Operational Risk Awareness WBT
x B.1.5 Operational Risk Incident Management
Page 40
Privileged and Confidential
Restricted
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
,
Risk
Governance and Administration, HNAH
Page 41
Privileged and Confidential
Restricted
Article 15(d)
FRB Order Reference:
Article 15(d)
Corresponding
OCC Article:
processes to adequately identify risk levels and trends;
N/A
Action Plan
The operating principles of the HNAH Risk Framework requires processes to
adequately identify risk levels, requires a method to ensure effective communication
of established risk management policies, procedures, and standards to all appropriate
business line and other staff, establish limits for compliance, legal, and reputational
risks and provide for regular review of risk limits by appropriate senior management
and the board of directors or an authorized committee of the board of directors. The
operating principles are as follows:
• Ensure all risks are appropriately identified, measured, managed, controlled and
reported;
• Develop, communicate & implement appropriate risk-related policies, procedures,
& processes in collaboration with business units, functional areas and Group;
• Provide an independent review and assessment of risks by regularly reviewing risk
levels and risk management practices and raising concerns to senior executive
management and the Board as necessary.;
• Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate outsized risks;
• Ensure compliance with all relevant laws, regulations, and regulatory
requirements, including Basel II;
• Assess overall capital needs and enhance capital allocation
• Set risk appetite in line with capital availability and overall business strategy;
• Establish and promote a risk management culture that appropriately balances
risks and rewards;
• Assist the Board and senior executive management in establishing risk tolerances,
limits, and performance measurements across HNAH;
• Share and leverage best practices across Group;
• Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly; and,
• Formulate an internal view of capital requirements relative to risk.
This Risk Management Framework brings together risk functions across North
America to ensure a consistent policy, process, and practice is applied across legal
entities. An overarching HNAH Risk Limits Framework, which is maintained by the
North America Risk organization in conjunction with internal business partners from
Finance, Legal and Compliance, and the business lines, provides for the identification,
communication, limitation, and management of all risks across HNAH, both for
discontinued and ongoing business lines.
Page 42
Privileged and Confidential
Restricted
In addition to the aforementioned Risk Management framework, the three levels of
defense, as well as the Dark Corners Exercise, work in conjunction to adequately
identify risk levels and trends.
The Enterprise Risk Management framework provides overall governance and works
in conjunction with the specific programs that provide Residential Mortgage Servicing
risk management. The programs providing the support are Residential Mortgage
Servicing, Service Delivery Control Adherence, Compliance, and Group Audit North
America. These four programs form three lines of defense:
• Residential Mortgage Servicing serves as the first line of defense, providing the
Business Risk and Control Management (“BRCM”) capability and internal control
framework.
• Service Delivery Control Adherence (formerly known as NAQA) coordinates with
the Residential Mortgage Servicing BRCM teams to test the controls.
• Compliance is an additional second line of defense that provides regulatory
oversight to the Residential Mortgage Servicing teams to ensure that the controls
put in place satisfy regulatory requirements.
• Group Audit North America serves as the third line of defense by assessing the
effectiveness of Residential Mortgage Servicing controls and the functioning of the
second line of defense.
Through these three lines of defense, deficiencies in mortgage servicing, Loss
Mitigation and foreclosure activities are identified and promptly remediated.
Three Lines of Defense
Residential Mortgage Servicing (First Line of Defense)
Residential Mortgage Servicing activities are covered by the Business Risk and
Control Management Team established by and under the direction of the SVP of
Strategy, Operational Risk Management and Chief Information Risk Officer, HBIO.
The BRCM Team will assist in the design of key controls identified through the
implementation of the Risk and Control Assessment (“RCA”) methodology. This
includes controls to mitigate risk (expanded upon in the following paragraph) and
monitor the effectiveness of these controls, including the key controls that mitigate
material risks assessed in the areas of residential loan servicing, Loss Mitigation, and
foreclosure activities. In addition, the BRCM Team will ensure that policies and
procedures related to these material risks are well-designed, effective, and aligned
with Group and local standards and regulations. The BRCM Team supports the
business in controlling its activities and in ensuring that the business has a welldesigned and effective framework of policies and procedures, as well as monitoring of
controls, to mitigate operational risk impacting the business.
To expand on the existing Risk Self Assessment, Residential Mortgage Servicing
adopted a new RCA in 2011 which is overseen by the HNAH Operational Risk and
Internal Control (“ORIC”) Team. The RCA is designed to provide the business with a
Page 43
Privileged and Confidential
Restricted
forward looking view of material operational risks and to help them proactively identify
and assess the key controls to mitigate risks within acceptable levels. In addition to
identifying and assessing material operational risks, the RCA methodology supported
by the Internal Control Target Operating Model requires the business to monitor these
key internal controls. Issues and actions noted in the BRCM internal control
monitoring program must be documented and progress must be monitored.
The Operational Risk and Internal Control Framework is expected to improve first line
of defense management of operational risk by:
• Reducing operational events/losses;
• Reducing the occurrence of unexpected events;
• Increasing the resilience of HNAH and its subsidiaries;
• Safeguarding HSBC's reputation and regulatory standing; and,
• Setting minimum Operational Risk Management (“ORM”) standards across
HSBC's businesses.
Service Delivery Control Adherence (formerly known as NAQA) (“SDCA”) (Second
Line of Defense)
Please see responses included above in Article 14(a).
Compliance (Second Line of Defense)
Please see responses included above in Article 14(a).
Group Audit North America (Third Line of Defense)
Please see responses included above in Article 14(a).
Dark Corners Exercise
In January 2011, HNAH ORIC Committee commenced the Dark Corners exercise.
The objectives of the exercise are:
• Self-identify latent or emerging operational risks and control issues that will benefit
from management’s attention and scrutiny
• Stay in front of emerging risks and control issues with early identification and
coordinated response efforts
• ORIC, EXCO, or other appropriate committees within the businesses and support
functions should drive timely remediation and revaluation of operational risk profile
(as noted in the RCA) as it relates to “dark corners” risks and controls
• Escalation to HNAH ORIC Committee – assess regional impact, track progress of
actions to manage risk and issues, and report as appropriate (supports the new
Internal Audit management assessment grade)
• Share information and experiences across businesses and support functions to
avoid like risk sand issues from resurfacing and to leverage remediation efforts
Page 44
Privileged and Confidential
Restricted
The businesses are asked to identify emerging risk, which are then categorized,
tracked, and distributed to all business to determine if the risk are horizontally
relevant. Themes are identified and formally presented on a quarterly to the HNAH
ORIC Committee.
Documents to be submitted with the Action Plan
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
,
Risk
Governance and Administration, HNAH
x
EVP/Chief Auditor, HBIO
Page 45
Privileged and Confidential
Restricted
Article 15(e)
FRB Order Reference:
Article 15(e)
Corresponding
N/A
OCC Article:
processes to adequately identify and control risks arising from incentive compensation
programs;
Action Plan
HNAH has in place policies and processes to adequately identify and control risks
arising from incentive compensation programs. Please see pages 1 and 2 of the
attached Incentive Compensation Plan Approval Procedure ALL for the procedures
detailed below).
Overview
HSBC periodically creates or amends its incentive plans. The request typically comes
from a Global Career Band (“GCB”) Level 3 (i.e., senior vice president) and above.
Changes made to the business compensation plans require a written proposal
outlining revisions needed to the plan.
Changes include:
• Additions
• Revisions
• Discontinuance of compensation plan
Process
A GCB Level 3 (senior vice president) or above identifies the need to create a new
incentive plan, amend, or terminate an existing plan. All proposed incentive plan
changes must initially be reviewed by the Strategy and Development Department,
which reports directly into the President and CEO of the Servicing Company, The
Strategy and Development Department which will engage any additional resources
needed to assess the request, including Performance and Rewards, and the HR
Relationship manager. Any department reporting to the President and CEO of the
Servicing Company must submit incentive compensation requests through the
Strategy and Development Department as a point of control.
Approvals
Prior to implementation, any new or revised incentive compensation plans may be
reviewed and approved by the business unit governance committee. If a committee
review is not required (that is, for minor plan adjustments), the impacted GCB 3 level
Business Functional Head approval is required.
Final review and approval by business management, HR, HNAH Performance and
Reward, Compliance, Finance, Risk and Legal (and Information Technology [IT], if
Page 46
Privileged and Confidential
Restricted
applicable) is required prior to implementation of any and all changes.
As one of the approvers, Compliance reviews incentive plans to ensure the design
and measurement criteria do not influence the treatment of customers by employees.
As an example, the incentive plan should not drive employees to offer a customer one
loss mitigation option over others. Additionally, the Compliance review confirms that
incentive plans include a compliance/quality component. This component is
considered a minimum qualifier to earn incentive compensation. As such, it is
designed to ensure that compliance violations have some impact on an employee's
incentive.
As another approver, Risk reviews incentive plans In accordance with HSBC policy
and regulatory requirements to conduct an annual review and approve all formulaic
incentive plans to ensure compensation arrangements appropriately balance risk and
reward and do not incentivize excessive risk-taking. Risk participates in incentive
compensation plan design working groups with Human Resources and the Business
to ensure risk management perspectives are appropriately considered and guiding
principles are established. These guiding principles form the risk evaluation which is a
part of the overall Incentive Governance template that is required to be completed and
addressed for each incentive compensation plan.
Note: Although many highly leveraged employees are compensated via formulaic
plans, Risk is also involved in a much broader capacity with variable discretionary
plans for senior level executives.
Internal Audit
In addition to the processes noted above, Group Audit North America includes
compensation practices in its audit programs. As noted on pages 11 and 12 of AUN
RESIDENTIAL MORTGAGE SERVICING & NON REAL ESTATE DEFAULT
SERVICES - AUDIT RISK ASSESSMENT AND AUDIT PROGRAMS REVIEW, the
standard audit program is designed to evaluate incentive compensation plans and
processes. Key areas considered are appropriateness of plans, alignment with
business objectives and principles, and potential for conflict of interests. The
compensation plans should balance risk and reward; should not encourage either in
spirit or practice assumption of excessive risk to the organization or encourage
practices that are detrimental to customer interest.
Key controls reviewed as part of this program include, but are not limited to, the
following:
• Management reporting exists to provide objective measure for performance
management and incentive goals.
• Incentive plan payments are approved by the finance department and HBIO SVP
of HR.
• Incentive plans are balanced to achieve the desired results in an ethical manner.
• Goals / objectives established relate specifically to the employee's functions and
Page 47
Privileged and Confidential
Restricted
responsibilities and are structured in line with senior management and Group
objectives.
Documents to be submitted with the Action Plan
x Incentive Compensation Plan Approval Procedure ALL
x AUN RESIDENTIAL MORTGAGE SERVICING & NON REAL ESTATE DEFAULT
Key HSBC Contacts for the Action Plan
x
, SVP General Compliance
x
, SVP Risk
x
EVP/Chief Auditor, HBIO
Page 48
Privileged and Confidential
Restricted
Article 15(f)
FRB Order Reference:
Article 15(f)
Corresponding
N/A
OCC Article:
processes to document, measure, assess, and report key risk indicators;
Action Plan
Operational risk functions includes both enterprise-wide operational risk as well as
business-line (that practiced at the Residential Mortgage Servicing level) which
include processes to document, measure, assess, and report key risk indicators.
Each is discussed in detail below
Enhanced HSBC Group Operational Risk and Internal Control Framework
(Enterprise-wide)
An enhanced HSBC Group Operational Risk and Internal Control (“Group ORIC”)
Framework is in the process of being rolled out across North America. The framework
has been enhanced to include a new Risk and Control Assessment (“RCA”)
methodology. The new RCA enhances the prior risk assessment process and has
been implemented within the Residential Mortgage Servicing framework. The RCA
framework process assists in the identification and assessment of material operational
risks as well as the effectiveness of key controls that mitigate these risks. Additional
emphasis is placed on control identification and assessment, as well as the
associated monitoring and testing of key controls.
The new RCA methodology and associated guidelines were published in an updated
HSBC Group Operations Functional Instruction Manual (“FIM”), dated April 2010 (See
FIM B.1.4 Risk and Control Assessment, FIM Appendix D.1.3 Risk and Control
Assessment Guidance, and D.1.4 Risk Categorization documents). The FIM B.1.4
Risk and Control Assessment sets out the minimum requirements for the annual Risk
and Control Assessment. This is designed to provide business with a forward looking
view of operational risk and to help the business proactively determine whether their
key operational risks are controlled within acceptable levels. The FIM Appendix D.1.3
provides guidance to support the Operations Functional Instruction Manual through a
multiple step process. The D.1.4 Risk categorization identifies the different categories
of operational risk. The RCA methodology implementation in North America began in
January 2011, and was executed within the business units on June 30, 2011. Full
implementation and quality assurance review of the new RCA methodology is
expected to be completed by December 31, 2011.
Enhanced Internal Control Target Operating Model (Enterprise-wide)
In addition, the enhanced Group ORIC framework incorporates a new Internal Control
Target Operating Model (“TOM”). A North America impact analysis and
implementation plan was completed in 1Q2011, and approved by the HNAH ORIC
Page 49
Privileged and Confidential
Restricted
Committee on April 6, 2011. The new framework is centered around the Business
Risk Control Management (“BRCM”) Team that promotes and executes on business
unit ownership of monitoring of key controls. The BRCM activities are subject to
independent oversight by ORIC and other “2nd line of defense” teams. (See
attachment HNAH Operational Risk Internal Control Target Operating Model, which in
its entirety outlines the TOM, and is summarized below.)
Pursuant to the Internal Control TOM principles:
• Management of internal controls is centered around Business / Function
ownership of risk and control management and activities to support effective
control environment;
• Independent teams outside of the business identify risks, formulate policies,
procedures, and key controls, and monitor risks and controls in respective areas;
independent view of business / function risk and control management (“BRCM”);
• Operational Risk Management Framework (“ORMF”) provides governance,
standards, and tools to ensure risks and controls are embedded, sustainable and
value adding; and,
• Internal Audit provides management with an independent and objective review of
business activities, risk management and support functions.
The HSBC ORIC framework covers all businesses and operations of the Group. For
more information on the HSBC ORIC framework, refer to Section 2.2 “Operational
Risk Application & Management” on pages 10 and 11 of the attached HSBC – North
America Operational Risk and Internal Control Policy Risk Management and also see
the summary below. The following categories of risk are included under the definition
of Operational Risk and are subject to the HSBC’s ORIC management framework:
• Compliance
• Fiduciary
• Legal
• Information
• Accounting
• Tax
• External Fraud
• Internal Fraud
• People
• Political
• Physical
• Business Continuity
• Systems
• Operations
• Project
As noted in the policy, the management of Operational Risk comprises the
identification, assessment, monitoring and control of operational risk so as to maintain
losses within acceptable levels and to protect the Group from foreseeable future
losses. Management in all businesses and support functions operating in North
Page 50
Privileged and Confidential
Restricted
America, including Global Businesses, is responsible for designing controls to mitigate
operational risk and for monitoring and evidencing the effectiveness of controls in
operation. Acceptable levels of internal control should be determined by reference to
the scale and nature of each business operation, but must remain compliant with the
minimum standards set out in Group Standards Manual and Group Functional
Instruction Manuals; ensuring appropriate levels of economic and regulatory capital in
accordance with internal and external requirements.
Additionally noted in the policy, management throughout North America follows the
HSBC ORIC framework, which is comprised of the following responsibilities. The
application of this framework in North America is further described in various sections
of the Policy (see the HSBC – North America Operational Risk and Internal Control
Policy Risk Management) as referenced below.
• Assignment of responsibility for the management of operational risk and the
maintenance of an appropriate internal control environment, under the oversight of
a formal governance structure. Refer to Section 3 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 14 through 24,) for details on North America’s governance structure and
organizational roles and responsibilities.
• Quarterly Top Risk and Control reporting at a Regional / Country level. In
accordance with page 1 of the B.1.3 “Operational Risk Reporting”, the Regional /
Country ORIC Team reports quarterly on the North America operational risk
profile, involving the relevant business and control function experts. The report is
approved by the HNAH ORIC Committee; feedback from the committee’s review is
monitored by the Regional / Country ORIC Team. Country versions are reviewed
by the HUSI and HBCA ORIC Committees. Refer to the FIM for Operational Risk
profile reporting requirements.
• Identification, assessment, and reporting of operational risks by business and
functional managers using the Group’s standard Operational Risk and Control
Assessment (“RCA”) process. Refer to Section 4 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 25 through 35) for details on North America’s application of the RCA
methodology
• Operational risk loss incident identification and reporting and aggregate loss
reporting. Refer to Section 5 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, pages 36 through
42) for details of North America’s loss identification and reporting processes.
• Provide assurance that key controls are designated and operating effectively
through monitoring of activities. Refer to Section 4.7 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 31 through 35) for details of the Internal Control Monitoring program that
North America is implementing to support the Group framework. The roles and
responsibilities of business management, risk oversight functions, and ORIC
teams are described in Section 3 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, see pages 14
through 24).
Page 51
Privileged and Confidential
Restricted
In addition to components of the HSBC ORIC framework described above, North
America considers the following components as critical to the management of
operational risk and internal control and to the monitoring of North America’s
operational risk appetite.
• Key Indicators – The ongoing monitoring of key indicators of high-level risks to
ensure risk is appropriately controlled within established limits in accordance with
the Order which requires processes to document, measure, assess, and report
key risk indicators. Refer to Section 4.4 of the Policy (see the HSBC – North
America Operational Risk and Internal Control Policy Risk Management, pages 29
and 30) for details.
• Capital Modelling – Development of Advanced Measurement Approach (AMA)
compliant quantification methodology and ongoing calculation of Regulatory and
Economic Capital for Operational Risk. Regulatory Capital for HBCA is calculated
under The Standardized Approach (TSA). Refer to Section 6 of the Policy (see
the HSBC – North America Operational Risk and Internal Control Policy Risk
Management, pages 48 and 49) for details.
• Many of the components of the Operational Risk and Internal Control Framework
described above are shown in the diagram below.
Identification of Emerging Risks (Enterprise-wide and Business-level)
In January 2011, HNAH ORIC Committee commenced the Dark Corners exercise.
The objectives of the exercise are:
• Self-identify latent or emerging operational risks and control issues that will benefit
from management’s attention and scrutiny
Page 52
Privileged and Confidential
Restricted
•
•
•
•
Stay in front of emerging risks and control issues with early identification and
coordinated response efforts
ORIC, EXCO, or other appropriate committees within the businesses and support
functions should drive timely remediation and revaluation of operational risk profile
(as noted in the RCA) as it relates to “dark corners” risks and controls
Escalation to HNAH ORIC Committee – assess regional impact, track progress of
actions to manage risk and issues, and report as appropriate (supports the new
Internal Audit management assessment grade)
Share information and experiences across businesses and support functions to
avoid like risk sand issues from resurfacing and to leverage remediation efforts
The businesses are asked to identify emerging risk, which are then categorized,
tracked, and distributed to all business to determine if the risk are horizontally
relevant. Themes are identified and formally presented on a quarterly basis to the
HNAH ORIC Committee.
Business Management Operational Risk (Business-line)
Please refer to article 15(b) for additional detail related to BRCM and additional
business-level processes.
Documents to be submitted with the Action Plan
x FIM B.1.4 Risk and Control Assessment
x FIM Appendix D.1.3 Risk and Control Assessment Guidance
x D.1.4 Risk Categorization documents
x HNAH Operational Risk Internal Control Target Operating Model
x HSBC – North America Operational Risk and Internal Control Policy Risk
Management
x B.1.3 “Operational Risk Reporting”
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
,
Risk
Governance and Administration, HNAH
Page 53
Privileged and Confidential
Restricted
Article 15(g)
FRB Order Reference:
Article 15(g)
Corresponding
OCC Article:
N/A
controls to mitigate risks;
Action Plan
Residential Mortgage Servicing activities are covered by the Business Risk and
Control Management Team established by and under the direction of the SVP of
Strategy, Operational Risk Management and Chief Information Risk Officer, HBIO.
The BRCM Team assists in the design of key controls identified through the
implementation of the Risk and Control Assessment (“RCA”) methodology. This is
consistent with the requirements of the Order which require that processes include
controls to mitigate risk (expanded upon in the following paragraph) and monitor the
effectiveness of these controls, including the key controls that mitigate material risks
assessed in the areas of residential loan servicing, Loss Mitigation, and foreclosure
activities. In addition, the BRCM Team will ensure that policies and procedures
related to these material risks are well-designed, effective, and aligned with Group
and local standards and regulations. The BRCM Team supports the business in
controlling its activities and in ensuring that the business has a well-designed and
effective framework of policies and procedures, as well as monitoring of controls, to
mitigate operational risk impacting the business.
To expand on the existing Risk Self Assessment, Residential Mortgage Servicing
adopted a new RCA in 2011 which is overseen by the HNAH Operational Risk and
Internal Control (“ORIC”) Team. The RCA is designed to provide the business with a
forward looking view of material operational risks and to help them proactively identify
and assess the key controls to mitigate risks within acceptable levels. In addition to
identifying and assessing material operational risks, the RCA methodology supported
by the Internal Control Target Operating Model requires the business to monitor these
key internal controls. Issues and actions noted in the BRCM internal control
monitoring program must be documented and progress must be monitored.
The Operational Risk and Internal Control Framework is expected to improve first line
of defense management of operational risk by:
• Reducing operational events/losses;
• Reducing the occurrence of unexpected events;
• Increasing the resilience of HNAH and its subsidiaries;
• Safeguarding HSBC's reputation and regulatory standing; and,
• Setting minimum Operational Risk Management (“ORM”) standards across
HSBC's businesses.
Page 54
Privileged and Confidential
Restricted
Updates Based upon Independent Risk Assessment
Finally, Residential Mortgage Services has received the results of Ernst & Young’s
Independent Risk Assessment. Residential Mortgage Services has created action
plans (see Article 15(l) for the full population of action plans) for each finding. Based
on the action plans as well as review of the findings, Residential Mortgage Services
will update its respective policies, procedures and processes throughout 2012 to
ensure that any new controls to mitigate risk are created and documented if
appropriate.
Documents to be submitted with the Action Plan
Not applicable.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 55
Privileged and Confidential
Restricted
Article 15(h)
FRB Order Reference:
Article 15(h)
Corresponding
N/A
OCC Article:
procedures for the escalation of significant matters related to risks to appropriate
senior officers and board committees;
Action Plan
Operational risk functions includes both enterprise-wide operational risk as well as
business-line (that practiced at the Residential Mortgage Servicing level) which
include procedures for the escalation of significant matters related to risks to
appropriate senior officers and board committees. Each is discussed in detail below
Enhanced HSBC Group Operational Risk and Internal Control Framework
(Enterprise-wide)
An enhanced HSBC Group Operational Risk and Internal Control (“Group ORIC”)
Framework is in the process of being rolled out across North America. The framework
has been enhanced to include a new Risk and Control Assessment (“RCA”)
methodology. The new RCA enhances the prior risk assessment process and has
been implemented within the Residential Mortgage Servicing framework. The RCA
framework process assists in the identification and assessment of material operational
risks as well as the effectiveness of key controls that mitigate these risks. Additional
emphasis is placed on control identification and assessment, as well as the
associated monitoring and testing of key controls.
The new RCA methodology and associated guidelines were published in an updated
HSBC Group Operations Functional Instruction Manual (“FIM”), dated April 2010 (See
FIM B.1.4 Risk and Control Assessment, FIM Appendix D.1.3 Risk and Control
Assessment Guidance, and D.1.4 Risk Categorization documents). The FIM B.1.4
Risk and Control Assessment sets out the minimum requirements for the annual Risk
and Control Assessment. This is designed to provide business with a forward looking
view of operational risk and to help the business proactively determine whether their
key operational risks are controlled within acceptable levels. The FIM Appendix D.1.3
provides guidance to support the Operations Functional Instruction Manual through a
multiple step process. The D.1.4 Risk categorization identifies the different categories
of operational risk. The RCA methodology implementation in North America began in
January 2011, and was executed within the business units on June 30, 2011. Full
implementation and quality assurance review of the new RCA methodology is
expected to be completed by December 31, 2011.
Enhanced Internal Control Target Operating Model (Enterprise-wide)
In addition, the enhanced Group ORIC framework incorporates a new Internal Control
Target Operating Model (“TOM”). A North America impact analysis and
implementation plan was completed in 1Q2011, and approved by the HNAH ORIC
Page 56
Privileged and Confidential
Restricted
Committee on April 6, 2011. The new framework is centered around the Business
Risk Control Management (“BRCM”) Team that promotes and executes on business
unit ownership of monitoring of key controls. The BRCM activities are subject to
independent oversight by ORIC and other “2nd line of defense” teams. (See
attachment HNAH Operational Risk Internal Control Target Operating Model, which in
its entirety outlines the TOM, and is summarized below.)
Pursuant to the Internal Control TOM principles:
• Management of internal controls is centered around Business / Function
ownership of risk and control management and activities to support effective
control environment;
• Independent teams outside of the business identify risks, formulate policies,
procedures, and key controls, and monitor risks and controls in respective areas;
independent view of business / function risk and control management (“BRCM”);
• Operational Risk Management Framework (“ORMF”) provides governance,
standards, and tools to ensure risks and controls are embedded, sustainable and
value adding; and,
• Internal Audit provides management with an independent and objective review of
business activities, risk management and support functions.
The HSBC ORIC framework covers all businesses and operations of the Group. For
more information on the HSBC ORIC framework, refer to Section 2.2 “Operational
Risk Application & Management” on pages 10 and 11 of the attached HSBC – North
America Operational Risk and Internal Control Policy Risk Management and also see
the summary below. The following categories of risk are included under the definition
of Operational Risk and are subject to the HSBC’s ORIC management framework:
• Compliance
• Fiduciary
• Legal
• Information
• Tax
• External Fraud
• Internal Fraud
• People
• Political
• Physical
• Business Continuity
• Systems
• Operations
• Project
As noted in the policy, the management of Operational Risk comprises the
identification, assessment, monitoring and control of operational risk so as to maintain
losses within acceptable levels and to protect the Group from foreseeable future
losses. Management in all businesses and support functions operating in North
America, including Global Businesses, is responsible for designing controls to mitigate
Page 57
Privileged and Confidential
Restricted
operational risk and for monitoring and evidencing the effectiveness of controls in
operation. Acceptable levels of internal control should be determined by reference to
the scale and nature of each business operation, but must remain compliant with the
minimum standards set out in Group Standards Manual and Group Functional
Instruction Manuals; ensuring appropriate levels of economic and regulatory capital in
accordance with internal and external requirements.
Additionally noted in the policy, management throughout North America follows the
HSBC ORIC framework, which is comprised of the following responsibilities. The
application of this framework in North America is further described in various sections
of the Policy (see the HSBC – North America Operational Risk and Internal Control
Policy Risk Management) as referenced below.
• Assignment of responsibility for the management of operational risk and the
maintenance of an appropriate internal control environment, under the oversight of
a formal governance structure. Refer to Section 3 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 14 through 24,) for details on North America’s governance structure and
organizational roles and responsibilities.
• Quarterly Top Risk and Control reporting at a Regional / Country level. In
accordance with page 1 of the B.1.3 “Operational Risk Reporting”, the Regional /
Country ORIC Team reports quarterly on the North America operational risk
profile, involving the relevant business and control function experts. The report is
approved by the HNAH ORIC Committee; feedback from the committee’s review is
monitored by the Regional / Country ORIC Team. Country versions are reviewed
by the HUSI and HBCA ORIC Committees. Refer to the FIM for Operational Risk
profile reporting requirements.
• Identification, assessment, and reporting of operational risks by business and
functional managers using the Group’s standard Operational Risk and Control
Assessment (“RCA”) process. Refer to Section 4 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 25 through 35) for details on North America’s application of the RCA
methodology
• Operational risk loss incident identification and reporting and aggregate loss
reporting. Refer to Section 5 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, pages 36 through
42) for details of North America’s loss identification and reporting processes.
• Provide assurance that key controls are designated and operating effectively
through monitoring of activities. Refer to Section 4.7 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 31 through 35) for details of the Internal Control Monitoring program that
North America is implementing to support the Group framework. The roles and
responsibilities of business management, risk oversight functions, and ORIC
teams are described in Section 3 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, see pages 14
through 24).
Page 58
Privileged and Confidential
Restricted
In addition to components of the HSBC ORIC framework described above, North
America considers the following components as critical to the management of
operational risk and internal control and to the monitoring of North America’s
operational risk appetite.
• Key Indicators – The ongoing monitoring of key indicators of high-level risks to
ensure risk is appropriately controlled within established limits. Refer to Section
4.4 of the Policy (see the HSBC – North America Operational Risk and Internal
Control Policy Risk Management, pages 29 and 30) for details.
• Capital Modelling – Development of Advanced Measurement Approach (AMA)
compliant quantification methodology and ongoing calculation of Regulatory and
Economic Capital for Operational Risk. Regulatory Capital for HBCA is calculated
under The Standardized Approach (TSA). Refer to Section 6 of the Policy (see
the HSBC – North America Operational Risk and Internal Control Policy Risk
Management, pages 48 and 49) for details.
• Many of the components of the Operational Risk and Internal Control Framework
described above are shown in the diagram below.
Identification of Emerging Risks (Enterprise-wide and Business-wide)
In January 2011, HNAH ORIC Committee commenced the Dark Corners exercise.
The objectives of the exercise are:
• Self-identify latent or emerging operational risks and control issues that will benefit
from management’s attention and scrutiny
• Stay in front of emerging risks and control issues with early identification and
coordinated response efforts
• ORIC, EXCO, or other appropriate committees within the businesses and support
Page 59
Privileged and Confidential
Restricted
•
•
functions should drive timely remediation and revaluation of operational risk profile
(as noted in the RCA) as it relates to “dark corners” risks and controls
Escalation to HNAH ORIC Committee – assess regional impact, track progress of
actions to manage risk and issues, and report as appropriate (supports the new
Internal Audit management assessment grade) in accordance with the
requirements of the Order to have procedures for the escalation of significant
matters related to risks to appropriate senior officers and board committees
Share information and experiences across businesses and support functions to
avoid like risk sand issues from resurfacing and to leverage remediation efforts
The businesses are asked to identify emerging risk, which are then categorized,
tracked, and distributed to all business to determine if the risk are horizontally
relevant. Themes are identified and formally presented on a quarterly to the HNAH
ORIC Committee.
Documents to be submitted with the Action Plan
x FIM B.1.4 Risk and Control Assessment
x FIM Appendix D.1.3 Risk and Control Assessment Guidance
x D.1.4 Risk Categorization documents
x HNAH Operational Risk Internal Control Target Operating Model
x HSBC – North America Operational Risk and Internal Control Policy Risk
Management
x B.1.3 “Operational Risk Reporting”.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
,
Risk
Governance and Administration, HNAH
Page 60
Privileged and Confidential
Restricted
Article 15(i)
FRB Order Reference:
Article 15(i)
Corresponding
OCC Article:
the scope and frequency of comprehensive risk assessments;
N/A
Action Plan
Operational risk includes both enterprise-wide operational risk as well as businessline (that practiced at the Residential Mortgage Servicing level) which includes the
scope and frequency of comprehensive risk assessments. Each is discussed in detail
below
Enhanced HSBC Group Operational Risk and Internal Control Framework
(Enterprise-wide)
An enhanced HSBC Group Operational Risk and Internal Control (“Group ORIC”)
Framework is in the process of being rolled out across North America. The framework
has been enhanced to include a new Risk and Control Assessment (“RCA”)
methodology. The new RCA enhances the prior risk assessment process and has
been implemented within the Residential Mortgage Servicing framework. The RCA
framework process assists in the identification and assessment of material operational
risks as well as the effectiveness of key controls that mitigate these risks. Additional
emphasis is placed on control identification and assessment, as well as the
associated monitoring and testing of key controls.
The new RCA methodology and associated guidelines were published in an updated
HSBC Group Operations Functional Instruction Manual (“FIM”), dated April 2010 (See
FIM B.1.4 Risk and Control Assessment, FIM Appendix D.1.3 Risk and Control
Assessment Guidance, and D.1.4 Risk Categorization documents). The FIM B.1.4
Risk and Control Assessment sets out the minimum requirements for the Risk and
Control Assessment which is performed annually in accordance with the requirements
of the Order.
This annual review is designed to provide business with a forward looking view of
operational risk and to help the business proactively determine whether their key
operational risks are controlled within acceptable levels. The FIM Appendix D.1.3
provides guidance to support the Operations Functional Instruction Manual through a
multiple step process. The D.1.4 Risk categorization identifies the different categories
of operational risk. The RCA methodology implementation in North America began in
January 2011, and was executed within the business units on June 30, 2011. Full
implementation and quality assurance review of the new RCA methodology is
expected to be completed by December 31, 2011.
Page 61
Privileged and Confidential
Restricted
Enhanced Internal Control Target Operating Model (Enterprise-wide)
In addition, the enhanced Group ORIC framework incorporates a new Internal Control
(“
A North America impact analysis and
implementation plan was completed in 1Q2011, and approved by the HNAH ORIC
Committee on April 6, 2011. The new framework is centered around the Business
Risk Control Management (“BRCM”) Team that promotes and executes on business
unit ownership of monitoring of key controls. The BRCM activities are subject to
independent oversight by ORIC and other “2nd line of defense” teams. (See
attachment HNAH Operational Risk Internal Control Target Operating Model, which in
its entirety outlines the TOM, and is summarized below.)
Pursuant to the Internal Control TOM principles:
• Management of internal controls is centered around Business / Function
ownership of risk and control management and activities to support effective
control environment;
• Independent teams outside of the business identify risks, formulate policies,
procedures, and key controls, and monitor risks and controls in respective areas;
independent view of business / function risk and control management (“BRCM”);
• Operational Risk Management Framework (“ORMF”) provides governance,
standards, and tools to ensure risks and controls are embedded, sustainable and
value adding; and,
• Internal Audit provides management with an independent and objective review of
business activities, risk management and support functions.
The HSBC ORIC framework covers all businesses and operations of the Group. For
more information on the HSBC ORIC framework, refer to Section 2.2 “Operational
Risk Application & Management” on pages 10 and 11 of the attached HSBC – North
America Operational Risk and Internal Control Policy Risk Management and also see
the summary below. The following categories of risk are included under the definition
of Operational Risk and are subject to the HSBC’s ORIC management framework:
• Compliance
• Fiduciary
• Legal
• Information
• Tax
• External Fraud
• Internal Fraud
• People
• Political
• Physical
• Business Continuity
• Systems
• Operations
• Project
Page 62
Privileged and Confidential
Restricted
As noted in the policy, the management of Operational Risk comprises the
identification, assessment, monitoring and control of operational risk so as to maintain
losses within acceptable levels and to protect the Group from foreseeable future
losses. Management in all businesses and support functions operating in North
America, including Global Businesses, is responsible for designing controls to mitigate
operational risk and for monitoring and evidencing the effectiveness of controls in
operation. Acceptable levels of internal control should be determined by reference to
the scale and nature of each business operation, but must remain compliant with the
minimum standards set out in Group Standards Manual and Group Functional
Instruction Manuals; ensuring appropriate levels of economic and regulatory capital in
accordance with internal and external requirements.
Additionally noted in the policy, management throughout North America follows the
HSBC ORIC framework, which is comprised of the following responsibilities. The
application of this framework in North America is further described in various sections
of the Policy (see the HSBC – North America Operational Risk and Internal Control
Policy Risk Management) as referenced below.
• Assignment of responsibility for the management of operational risk and the
maintenance of an appropriate internal control environment, under the oversight of
a formal governance structure. Refer to Section 3 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 14 through 24,) for details on North America’s governance structure and
organizational roles and responsibilities.
• Quarterly Top Risk and Control reporting at a Regional / Country level. In
accordance with page 1 of the B.1.3 “Operational Risk Reporting”, the Regional /
Country ORIC Team reports quarterly on the North America operational risk
profile, involving the relevant business and control function experts. The report is
approved by the HNAH ORIC Committee; feedback from the committee’s review is
monitored by the Regional / Country ORIC Team. Country versions are reviewed
by the HUSI and HBCA ORIC Committees. Refer to the FIM for Operational Risk
profile reporting requirements.
• Identification, assessment, and reporting of operational risks by business and
functional managers using the Group’s standard Operational Risk and Control
Assessment (“RCA”) process. Refer to Section 4 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 25 through 35) for details on North America’s application of the RCA
methodology
• Operational risk loss incident identification and reporting and aggregate loss
reporting. Refer to Section 5 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, pages 36 through
42) for details of North America’s loss identification and reporting processes.
• Provide assurance that key controls are designated and operating effectively
through monitoring of activities. Refer to Section 4.7 of the Policy (see the HSBC –
North America Operational Risk and Internal Control Policy Risk Management,
pages 31 through 35) for details of the Internal Control Monitoring program that
North America is implementing to support the Group framework. The roles and
Page 63
Privileged and Confidential
Restricted
responsibilities of business management, risk oversight functions, and ORIC
teams are described in Section 3 of the Policy (see the HSBC – North America
Operational Risk and Internal Control Policy Risk Management, see pages 14
through 24).
In addition to components of the HSBC ORIC framework described above, North
America considers the following components as critical to the management of
operational risk and internal control and to the monitoring of North America’s
operational risk appetite.
• Key Indicators – The ongoing monitoring of key indicators of high-level risks to
ensure risk is appropriately controlled within established limits. Refer to Section
4.4 of the Policy (see the HSBC – North America Operational Risk and Internal
Control Policy Risk Management, pages 29 and 30) for details.
• Capital Modelling – Development of Advanced Measurement Approach (AMA)
compliant quantification methodology and ongoing calculation of Regulatory and
Economic Capital for Operational Risk. Regulatory Capital for HBCA is calculated
under The Standardized Approach (TSA). Refer to Section 6 of the Policy (see
the HSBC – North America Operational Risk and Internal Control Policy Risk
Management, pages 48 and 49) for details.
• Many of the components of the Operational Risk and Internal Control Framework
described above are shown in the diagram below.
Page 64
Privileged and Confidential
Restricted
Updates Based upon Independent Risk Assessment
Finally, each of the lines of defense (i.e., Residential Mortgage Services, Compliance
SDCA, Internal Audit, TRAC) has received the results of Ernst & Young’s Independent
Risk Assessment. Each team will review the findings (see Article 15(l) for the
complete list of findings and management’s response) and determine whether any
changes are required to each team’s risk assessment scope.
Documents to be submitted with the Action Plan
x FIM B.1.4 Risk and Control Assessment
x FIM Appendix D.1.3 Risk and Control Assessment Guidance
x D.1.4 Risk Categorization
x HNAH Operational Risk Internal Control Target Operating Model
x HSBC – North America Operational Risk and Internal Control Policy Risk
Management
x B.1.3 Operational Risk Reporting
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
Page 65
Privileged and Confidential
Restricted
Article 15(j)
FRB Order Reference:
Article 15(j)
Corresponding
N/A
OCC Article:
a formal method to ensure effective communication of established risk management
policies, procedures, and standards to all appropriate business line and other staff;
Action Plan
The operating principles of the HNAH Risk Framework requires processes to
adequately identify risk levels, requires a method to ensure effective communication
of established risk management policies, procedures, and standards to all appropriate
business line and other staff, establish limits for compliance, legal, and reputational
risks and provide for regular review of risk limits by appropriate senior management
and the board of directors or an authorized committee of the board of directors. The
operating principles are as follows:
• Ensure all risks are appropriately identified, measured, managed, controlled and
reported;
• Develop, communicate & implement appropriate risk-related policies, procedures,
& processes in collaboration with business units, functional areas and Group;
• Provide an independent review and assessment of risks by regularly reviewing risk
levels and risk management practices and raising concerns to senior executive
management and the Board as necessary.;
• Provide regular and ad hoc reports to senior executive management, the Board,
and Group on existing and emerging risks, with recommendations to avoid,
eliminate, or mitigate outsized risks;
• Ensure compliance with all relevant laws, regulations, and regulatory
requirements, including Basel II;
• Assess overall capital needs and enhance capital allocation
• Set risk appetite in line with capital availability and overall business strategy;
• Establish and promote a risk management culture that appropriately balances
risks and rewards;
• Assist the Board and senior executive management in establishing risk tolerances,
limits, and performance measurements across HNAH;
• Share and leverage best practices across Group;
• Continually assess and monitor the risks HNAH faces, and regularly reappraise its
risk appetite and align its risk profile accordingly; and,
• Formulate an internal view of capital requirements relative to risk.
This framework brings together risk functions across North America to ensure a
consistent policy, process, and practice is applied across legal entities. An
overarching HNAH Risk Limits Framework, which is maintained by the North America
Risk organization in conjunction with internal business partners from Finance, Legal
and Compliance, and the business lines, provides for the identification,
communication, limitation, and management of all risks across HNAH, both for
discontinued and ongoing business lines.
Page 66
Privileged and Confidential
Restricted
Updates Based upon Independent Risk Assessment
Additionally, Residential Mortgage Services has received the results of Ernst &
Young’s Independent Risk Assessment. Residential Mortgage Services has created
action plans (see Article 15(l) for the full population of action plans) for each finding.
Based on the action plans as well as review of the findings, the Residential Mortgage
Services team will update its respective policies, procedures and/or risk management
standards as it deems necessary and determine the best means to communicate
changes.
When policy and/or procedure updates are made, communication of any operational
changes to employees is performed within the business by the business
management, as well as via a Breaking News channel where procedural updates are
electronically communicated via
(“
Finally, communication and/or training to the business may be conveyed in one of the
following ways:
x Informally, by on-the-job coaching or “whiteboard sessions” – Incorporated into
team meetings as necessary and created/distributed by the line of business
x Formally documented and communicated via information deck created and
distributed by the business
x Through training developed in conjunction with the North America HR Learning
Team (see Article 11 for a complete description of the training program).
Documents to be submitted with the Action Plan
Not applicable.
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
x
, SVP General Compliance
x
,
Risk
Governance and Administration, HNAH
Page 67
Privileged and Confidential
Restricted
Article 15(k)
FRB Order Reference:
Article 15(k)
Corresponding
N/A
OCC Article:
periodic testing of the effectiveness of the risk management program; and
Action Plan
HNAH has an established Testing and Risk Assessment Compliance Group (“TRAC”)
function as a second line of defense, a part of HNAH Compliance, which is consistent
with the requirements of “Compliance Risk Management Programs and Oversight at
Large Banking Organizations with Complex Compliance Profiles,” dated October 16,
2008 (SR 08-08/CA 08-11). TRAC is responsible for conducting on-going compliance
testing and risk assessments independent of the business unit compliance as well as
the HNAH Risk Management Framework.
TRAC develops and maintains a Compliance Risk Mitigation Program, which
establishes HNAH-wide consistent standards and processes to enable management
to proactively identify, measure, monitor, test, and report compliance risks and
controls as noted on page 6 of the HSBC - North America Compliance Risk Mitigation
Program. This information is used to obtain reasonable assurance that HNAH and its
subsidiaries are complying with material regulatory requirements and Group
Compliance policies and standards.
Additionally, below is a listing of TRAC's specific roles and responsibilities, which are
provided in greater detail within the HSBC - North America Compliance Risk
Management Program Manual on page 31 and include:
• developing and maintaining firm-wide compliance risk assessment processes,
methodologies and tools;
• leading the execution and oversight of the General Enterprise-wide Risk
Assessment and facilitating and performing quality assurance of the results of the
Detail Self Assessment, in conjunction with business line management and
business line Compliance Officers;
• developing and maintaining firm-wide compliance monitoring and review
programs, policies, procedures, processes and standards;
• annually reviewing business line/Compliance Officer compliance programs and
processes, including Compliance Officer issue remediation activities;
• annually reviewing the effectiveness of the HNAH Compliance Risk Management
Program;
• administering the Matters Requiring Attention (“MRAs”) tracking and validation
program to include tracking of MRAs, validating remediation and reporting MRA
status to Group Compliance EXCO, senior management, Risk Governance
Committees, and Compliance Committee; and
• maintaining processes to track, escalate, and report material compliance issues
and any corrective actions identified through examinations, inspections,
Page 68
Privileged and Confidential
Restricted
compliance monitoring and reviews, or other means.
In addition to TRAC, Group Audit North America (“AUN”) is an integral part of the
Group and HNAH control environment and provides periodic testing of risk functions.
It provides management and the Board with an independent and objective review of
business activities, risk management and support functions. AUN’s compliancerelated duties and responsibilities include (see pages 34 and 35 of the attached
HSBC – North America Compliance Risk Management Program Manual for additional
detail):
• Maintain a dynamic auditable universe of compliance risk entities which are
evaluated and updated as business or regulatory conditions change;
• Utilize compliance risk assessments as the baseline for the annual audit plan and
the development of compliance audit programs;
• Validate compliance risk assessments performed by business units and HNAH
Compliance;
• Maintain and execute compliance audit programs and procedures;
• Ensure that the auditors performing compliance audits possess and maintain
required skill sets and knowledge of current regulatory requirements;
• Integrate compliance risk reviews and testing into business unit operational audits.
This includes testing the effectiveness of business unit compliance processes and
adherence with compliance requirements;
• Evaluate the design and operating effectiveness of business unit and HNAH
compliance programs;
• Assess the HNAH Compliance function and RCO’s effectiveness in managing
compliance risk and overseeing and supporting the implementation of the
Program;
• Render an annual assessment of the overall effectiveness of the HNAH
compliance program to senior management and the HNAH Compliance
Committee;
• Provide the HNAH Compliance Committee with status updates and results on
compliance relate audits;
• Provide timely reports to line management, executive management and
compliance management on the results of risk evaluations and testing activities;
and
• Monitor resolution of issues raised in previous audits and report to executive
management monthly and RMC and ORIC quarterly.
Finally, TRAC has received the results of Ernst & Young’s Independent Risk
Assessment (see Article 15(l) for the full population of action plans) and will be
enhancing the TRAC Testing Plan for 2012 taking into consideration management’s
response to each Compliance related EY Independent Risk Assessment test finding.
As part of HNAH Compliance and as a second line of defense function, TRAC will
ensure the business unit’s compliance risk assessment is current and accurate on an
annual basis. In addition, TRAC will also ensure through regular compliance reviews
that the business lines have implemented appropriate testing and monitoring
programs designed to ensure the effectiveness of controls in place to facilitate
Page 69
Privileged and Confidential
Restricted
adherence to applicable laws and regulation
Documents to be submitted with the Action Plan
x HSBC - North America Compliance Risk Mitigation Program
x HSBC – North America Compliance Risk Management Program Manual
Key HSBC Contacts for the Action Plan
x
, SVP General Compliance
x
– SVP General Compliance (TRAC)
Page 70
Privileged and Confidential
Restricted
Article 15(l)
FRB Order Reference:
Article 15(l)
Corresponding OCC
N/A
Article:
the findings and recommendations of the independent consultant described in
paragraph 12 of this Order regarding risk management.
Action Plan
Section 12 of the Order required HSBC to retain an independent consultant to conduct
a written, comprehensive assessment of HSBC’s risk in mortgage servicing operations,
particularly in the area of loss mitigation, foreclosure, and administration and disposal
of other real estate owned, including but not limited to operations, compliance, and
transaction, legal and reputational risk. Ernst and Young (“EY”) was the independent
consult selected to complete the risk assessment.
While there are no changes to the Operational Risk Management framework, the
Business Unit BRCM will focus on observations from the assessment and incorporate
into the Internal Control Monitoring Plan. As previously expected, RCA, which is the
starting point for the internal control monitoring activities, was completed by North
America in June 2011. Thus, implementation and adherence with the internal control
standards was initiated in the second half of 2011 and full implementation is scheduled
to commence in 2012.
Best Practices that will be incorporated into the 2012 ICM Plan are as follows:
Information Technology – The BRCM understands that as manual processes are
relied upon, it increases the risk of potential human error. The Operational Risk
Management framework requires that controls be assessed as either preventative or
detective. In addition to these requirements, the business unit is enhancing their
process to identify controls as either automated or manual. Adhoc reporting will be
developed to capture this information and will be used during control monitoring
testing. Where appropriate and warranted, the BRCM will recommend technology
enhancements to enhance or sustain operational controls. Identification and reporting
of automated and manual controls will be completed prior to the end of 1Q12.
Evidence of Controls – As part of the Internal Control Monitoring and Testing, the
BRCM will review for direct or derived evidence of consistent functioning of controls.
The BRCM will review the control activity trail and will retain testing results in the
Operational Risk Share Point. Detailed Procedures on how testing will be conducted
and tools used in the assessment of controls will be completed prior to February 28,
2012.
Quality Control – Where a quality control review is being conducted within the
Page 71
Privileged and Confidential
Restricted
functional areas of Servicing, and where the quality control is being relied upon as a
key control, the BRCM will report the measures and results in a dashboard to senior
management. These Key Indictors will be reviewed monthly to ensure results are
satisfactory and or action plans are established as appropriate. Additionally, as part of
the Internal Control Monitoring Plan, the BRCM will schedule control testing to
determine the controls are working as intended. Dashboards and retention of quality
control results within BRCM will be completed no later than the end of 1Q12.
In addition to the best practices noted above, management responded to both EY’s
enterprise observations as well as specific test findings. The full set of enterprise
observations and management’s responses are provided below. Management
responses for all testing results categorized as “Needs Improvement”, “Unsatisfactory”,
“No Evidence of Control Activity” or “Non-Testable” are provided on pages 23 – 81 of
the attached Management Response to Risk Assessment Testing Results.
Enterprise Observation – Key Employee Retention
Management Response as of August 11, 2011
As described below, Residential Mortgage Servicing has processes and procedures in
place, which it will continue to use, to mitigate key employee retention risk. Capacity
management / resource planning, along with succession and retention plans, are in
place to manage the employees’ workloads and address key employee retention risk.
Capacity management and resource planning
Residential Mortgage Servicing management has and will continue to review and
manage employees’ workloads. As described below, Residential Mortgage Servicing
currently has several capacity management / resource planning processes in place.
The HNAH Risk Management function is responsible for conducting capacity
management / resource planning for, but not limited to, loan modification, Loss
Mitigation, and foreclosure areas. The tactical and strategic analyses for these areas
are based on the risk forecasts and include planned attrition, hiring, staffing
Page 72
Privileged and Confidential
Restricted
movements, and strategy changes. The model, which is used by the HNAH Risk
Management function to conduct capacity management / resource planning, compares
the expected monthly headcount against the demand as driven by the risk forecast to
determine the need for hiring, staffing movements, or utilization of overtime. The
planning methodology for capacity and staff workloads is continually monitored and
updated based on market conditions, internal data, and forecasts. Throughout the
year, the HNAH Risk Management function communicates and coordinates staffing
requirements by department to HNAH Finance to ensure they receive appropriate
consideration in the budgeting process. Based on this process, analysis is performed
for each department’s short- and long-term capacity needs.
Short-term, or tactical, rolling capacity planning process is performed one month in
advance to determine strategy and capacity needs. Department managers conduct
capacity planning meetings throughout the month. The final tactical capacity planning
meeting for the upcoming month is held with business unit management and other
support functions during the last week of the month. Long-term, or strategic, rolling
capacity analyses for the aforementioned areas are performed and planned based on
the estimated operations staffing requirements. These analyses are performed
continually and assist management in developing the appropriate capacity initiatives,
account migrations, or strategy changes. Senior management and the Bi-Weekly Retail
Operations Governance (“BROG”) Committee review and discuss the long-term
capacity plans during the third week of the month and bi-weekly, respectively.
Capacity management / resource planning processes for areas outside of default
operations differ from the process described above. Operational Risk Management
(“ORM”) capacity management / resource planning is performed in conjunction with
HNAH Finance. As part of this process, HNAH Finance provides, long and short-term
planning support based on periodic Rolling Operating Plan (“ROP”) forecasts, which
are typically adjusted semi-annually. Short and long-term decisions and
recommendations are made based on actual data, historical trends, and feedback from
the business partners.
For Mortgage Electronic Registration System (“MERS”) Reconciliation, capacity
management / resource planning is performed by MERS management. On an annual
basis, the MERS Reconciliation function creates a ROP, to define overall resourcing
needs and allocations. The MERS Reconciliation management team monitors and
reviews resource needs based on the actual and historical benchmarks and
productivity measures. In addition, an employee Standard Per Hour (“SPH”)
benchmark has been defined based on time study analysis by the MERS management
team. Each employee’s actual productivity is measured against the SPH through a
productivity database managed by the MERS team. Historic productivity data from the
database is used as a key input into the ROP. Decisions and strategies for resource
planning are discussed amongst MERS management team and business partners to
identify resource needs.
Page 73
Privileged and Confidential
Restricted
Succession and retention plans
In addition to capacity planning, Residential Mortgage Servicing has in place
succession and retention plans for key employees. Specifically, HSBC has in place a
Resourcing-Led Talent Strategy aimed substantially to improve the ability to provide a
ready, high-quality, internal pipeline to fill key positions against immediate and future
business needs. In accordance with the Resourcing-Led Talent Strategy, Residential
Mortgage Servicing conducts Talent Management Review sessions on a semi-annual
basis to discuss, debate, and confirm decisions based on merit of those employees
identified by senior management, line managers, and the HNAH talent identification
module in the talent pipeline. The most current talent management session for
Residential Mortgage Servicing was conducted in July 2011.
The results of the Talent Management Review sessions are leveraged by Residential
Mortgage Servicing management and business areas to develop succession plans.
The succession plan process identifies individuals who have the potential to fill key
roles and vacancies as defined by the business. It supports the business strategy by
ensuring a strong and realistic pipeline of potential candidates is available for key
vacancies and, more broadly, supports business continuity and risk management.
Refer to Attachment 1 – “Talent Review Guidelines for HR and line managers 2011,”
pages 3 through 7, and Attachment 2 – “Succession Planning Guidelines for HR and
line managers 2011,” pages 3 through 8,- for further details.
Individual risk assessment and mitigation plans are also developed in an effort to retain
key talent. Residential Mortgage Servicing management evaluates both quantitative
and qualitative factors, such as financial compensation and rewards, career
development and goals, and additional roles and responsibilities within the institution
that may interest the individual. Risk mitigation plans of senior management and other
identified key employees are reviewed on an as needed basis, based on industry or
organization events, but not less than annually. The last retention planning for
Residential Mortgage Servicing was performed in June 2011.
Management Update as of October 10, 2011
Observation closed by HSBC - No further action deemed necessary
Enterprise Observation – Information Technology
Page 74
Privileged and Confidential
Restricted
Management Response as of August 11, 2011
Currently, Residential Mortgage Servicing utilizes three key applications –
and
- for residential mortgage servicing. Both
and
are widely used within the mortgage servicing industry and include automated
functionalities which, when combined with Residential Mortgage Servicing’s existing
processes, results in a sound control environment. HBIO management, however,
acknowledges and understands that
which is a proprietary system used by HBIO,
has limited automated functionalities and places more reliance on manually intensive
controls. Given that HBIO residential mortgage business is a liquidating business,
HBIO management is taking several steps, as described below, to determine which
technology enhancements can provide the most benefits in risk mitigation.
HBIO management is reviewing and prioritizing the list of key controls provided by E&Y
(as a result of the risk assessment review) to determine which
related controls
would benefit the most from automation and is working with the HSBC Technology and
Services (“HTS”) to evaluate the feasibility of implementation. Additionally, HBIO
management is reviewing the
detective controls maintained by the Operational Risk
and Control (“ORIC”) Committee to determine which key controls can provide the most
benefit if automated. Currently, ORIC requires that controls be classified as
preventative or detective but does not require identifying which controls are automated.
Management Update as of October 10, 2011
No further update at this time
Enterprise Observation– Policies and Procedures
o
Collections/Care, Disbursements, Lien Release and formalized updated procedure
Page 75
Privileged and Confidential
Restricted
Management Response as of August 11, 2011
Residential Mortgage Servicing is enhancing its policies and procedures related to
residential mortgage loan servicing, Loss Mitigation, loan modification, and foreclosure
operations. Every department is responsible for ensuring that internal controls are
sufficient to protect Residential Mortgage Servicing’s interests and reputation.
Fundamental to this process is ensuring that the policies and procedures are readily
available for employees’ reference. Policies and procedures are required to be kept up
to date and be sufficiently comprehensive. This ensures that Residential Mortgage
Servicing consistently treats its customers and employees in a fair and ethical manner.
Residential Mortgage Servicing is subject to many legal requirements that vary by state
and local municipality. As a result, it has adopted more than 100 policies and over 3,
000 procedures that address these variations. Management is committed to revising
and updating procedures as necessary (e.g., to reflect changes in legal requirements
or supervisory guidance). To that end, Residential Mortgage Servicing began reviewing
its foreclosure procedures prior to the commencement of the interagency horizontal
review of mortgage foreclosure policies and practices conducted in the fourth quarter
of 2010, and it continues to make updates as processes are strengthened. Procedures
are being updated on a rolling basis, and foreclosures will not resume in a particular
state before the applicable procedures have been completed for that state. As noted in
the Mortgage Servicing and Foreclosure Practices Consent Order Progress Reports,
which were submitted to the OCC and FRB on July 29, 2011, policies and procedures
specific to foreclosure related activities, Loss Mitigation and key processes within
residential mortgage servicing such as Collateral Management and Servicemembers
Civil Relief Act (“SCRA”) are expected to be updated by September 12, 2011.
Additional Residential Mortgage Servicing policies and procedures specific to Loss
Mitigation related activities and key processes such as Adverse Action Suspended
Letter Procedure - Consumer Mortgage Lending (“CML”) and Optional Insurance
Procedure –MortgageCorp (“MC”) are expected to be updated in accordance with the
timeline outlined in the Good Governance Initiative, which is described below (refer to
Attachment 3 – “Good Governance – Project Overview,” pages 2 through 5 for details).
Furthermore, to ensure that Residential Mortgage Servicing has fully documented
policies and procedures and that employees understand and follow them consistently,
management has established the Good Governance Initiative. This initiative aims to
ensure that there are proper procedures in place for applicable residential mortgage
servicing processes, and that these procedures are clear, concise, thorough, accurate
and well-understood by employees. In coordination with this initiative, policies and
procedures are expected to be certified by the end of the fourth quarter of 2011 by the
Page 76
Privileged and Confidential
Restricted
business process owners.
Management Update as of October 10, 2011
Residential Mortgage Servicing continues to move forward with policy and procedure
remediation. Foreclosure and Loss Mitigation policies and procedures identified as
requiring revision as a result of the mortgage foreclosure policies and practices review
are at 100% complete, with additional revisions along with new procedures being
addressed as they are identified. Through the efforts of the Good Governance
Initiative, all existing policies and procedures are being reviewed to ensure compliance
with applicable governing documents and to ensure all documentation is thorough,
clear, and effective. The business is on track to certify all policies and procedures by
the end of the fourth quarter of 2011.
Enterprise Observation – Training
Management Response as of August 11, 2011
As described below, HBIO and HBUS have existing training in place for personnel
involved in residential mortgage servicing and foreclosure processes and operations,
including collections, Loss Mitigation, and loan modification. In addition, HBIO and
HBUS enhanced training in April 2011 and will continue to develop new training
courses, as needed.
HBIO and HBUS currently have several Loss Mitigation training modules in place for
residential mortgage servicing personnel. These modules are primarily voluntary,
instructor-led sessions offered to both new hires and as on-going training. Additionally,
web-based training sessions are offered to qualify for certifications. To date, the
primary Loss Mitigation training modules are Collections Call Model training and
instruction for the HBIO loan modification tool. The Collections Call Model training
prepares employees to interface with customers involved in the Loss Mitigation
process. Loan modification tool training helps employees navigate the
Page 77
Privileged and Confidential
Restricted
(“
the primary technology used for modifications. Additional
training materials are developed and conducted informally by the Skill Qualification
Training (“SQT”) team, which is a support function dedicated to enhancing employee
skill sets by creating and delivering process training.
In April 2011, HBUS and HBIO engaged the Learning and Development (“L&D”)
Department to enhance its foreclosure training. The enhanced foreclosure training is
comprised of 4 modules: Foreclosure Introduction, Foreclosure Processing, Affidavit
Processing and Notary Training. Two of the four modules (Affidavit Processing and
Notary Training), focus on business records training and are designed to educate
employees executing affidavits on topics such as meeting legal requirements for
personal knowledge and notary requirements. Training classes for these modules
commenced in June 2011. It is expected that foreclosure employees will complete the
required Instructor Lead Training no later than the end of the third quarter. The content
for the remaining two modules, Foreclosure Introduction and Foreclosure Processing,
were developed and approved internally. Training sessions for the new modules were
conducted between July 11- 14, 2011, with make-up sessions to be scheduled no later
than the end of the third quarter of 2011, as noted in the Mortgage Servicing and
Foreclosure Practices Consent Order Progress Reports, which were submitted to the
OCC and FRB on July 29, 2011. Each module is designed with an assessment to
ensure comprehension of materials and reporting is in place to monitor compliance
with the training requirements.
Additionally, HBUS and HBIO have developed a training framework to educate
employees on the Single Point of Contact (“SPOC”) policies and procedures. The
framework consists of classroom training sessions, and has been developed and
approved by appropriate parties. After completing the training sessions, participants
are required to pass an assessment. Existing employees to be assigned as SPOC
Agents will receive this training as part of the on-boarding process.
Furthermore, HBUS and HBIO are developing further training courses for other areas
of residential mortgage servicing and default, including the following:
x Default
Bankruptcy
Charge-off
Collections
Foreclosure
Loss Mitigation Retention
Loss Mitigation Exit Strategies
Loan Modification
Real Estate Owned
Invoice Processing
x Mortgage Servicing
Customer Service Phones
Escrow Administration
Page 78
Privileged and Confidential
Restricted
Lien Release
MERS
Payment Services
Records Administration
General Servicing (Research, Payoffs, Special Loans, SCRA)
These modules have been prioritized and are targeted for completion from December
2011 through June 2012. By December 31, 2011, a more detailed deployment timeline
will be developed. New modules will be developed concurrently with the L&D
Department to produce a more formalized structure, including attendance tracking,
exam history, and certification requirements. Refer to Attachment 4 – “Learning and
Development Functional Training Gap Analysis” for additional detail.
Management Update as of October 10, 2011
The Foreclosure team has created the training platform and conducted the training
sessions in August 2011. In addition, there are 18 training courses on the schedule to
be designed through a total of seven phases with a completion of the design and
rollout scheduled for June 2012.
Management Response to Control Design Findings
As part of the risk assessment, prior to performing the control testing, EY performed a
control design assessment. The observations from the control design assessment and
HSBC management’s responses thereto are stated below.
Escrow, Taxes and Insurance
The escrow process captures the servicing of escrow / non-escrow accounts and
management of the relationship with the third-party escrow servicing vendor
(Corelogic). The escrow process covers activities from receipt of customer payment
through remittance to the appropriate tax or insurance agency.
Risk
Observation
Page 79
Privileged and Confidential
Restricted
Management Response as of August 11, 2011
Management is already aware of the issue noted in this observation and, as described
below, based on the strategic evaluation and cost / benefit analysis conducted,
management has determined that it is willing to accept the risk of not implementing
systemic controls in
to mitigate this risk.
Currently, a third party provider, Corelogic, is used to provide tax information and
perform proactive searches on delinquent taxes for non-escrowed borrower’s real
estate tax accounts maintained on
and
Corelogic performs
searches of tax status with the applicable counties in an effort to identify any
delinquent tax balances prior to a loss of lien at tax sale or an expired redemption date,
and advances payment based upon established disbursement guidelines. While
Corelogic is not used to perform proactive search on non-escrowed borrower accounts
maintained on
the Escrow Department personnel monitor and review for payment
the tax bills and/or notifications from taxing authorities, and process disbursements
according to the documented Business Unit policies and procedures.
Residential Mortgage Servicing continually evaluates and reviews its policies,
procedures, and processes, and in connection with a review conducted in the fourth
quarter of 2010, HBIO evaluated its practices of monitoring and paying taxes on nonescrowed borrower accounts maintained in the
system. The Credit Risk function,
HNAH Finance, and the Servicing Organizations (i.e., mortgage servicing and default)
performed a cost benefit analysis of non-escrowed borrower accounts within
This
analysis was documented and reported to HBIO’s senior management in the fourth
quarter of 2010 and it was decided that the costs of completing proactive searches
outweigh the benefits due to the number of complex system changes which would be
required to be made to
Additionally, it was determined by senior management that
the timeline required to enhance the system used by the HBIO residential mortgage
business, which is a liquidating business, was not feasible. HBIO’s management
acknowledges and understands the potential risk of financial loss with this decision.
Refer to Attachment 5 – “Tax Search for
for additional information on the analysis
performed.
Management Update as of October 10, 2011
Page 80
Privileged and Confidential
Restricted
Observation closed by HSBC - No further action deemed necessary
Disbursements
The disbursements process includes payments made on behalf of loans in default
status for expenses including Broker Price Opinions (“BPO”), attorney fees, property
preservation, and property inspection. Invoices received directly from vendors are
either handled internally or routed to HBIO’s offshore team for processing.
Risk
Observation
Management Response as of August 11, 2011
HBIO is committed to evaluating its policies and procedures regarding the assessment
of fees and charges, recoverable and non-recoverable and/or claimable by the
investor. HBIO is currently reviewing these processes and will strengthen preventive
and detection controls (and enhance quality controls) as applicable.
To date, HBIO has engaged internal and external legal counsel to review its existing
practices specific to fees and charges assessed by the foreclosure firms. In addition,
to ensure compliance with state requirements, Compliance has completed a 50 state
review of default related fees such as Property Preservation and BPO. A
comprehensive review is underway and includes the frequency of fee assessments,
documentation supporting relevant services performed, and systemic controls
designed to ensure duplicate charges are not assessed. This detailed review will be
completed by September 12, 2011. After the detailed review is complete, the control
Page 81
Privileged and Confidential
Restricted
enhancements may require changes to the current technology environment and as
such, a plan for implementation will be developed based on the quantity of controls
requiring enhancement. Implementation efforts will commence in the fourth quarter of
2011 and may continue into 2012 depending on the quantity of controls requiring
enhancements.
Management Update as of October 10, 2011
The comprehensive review has been amended and enhanced with an updated
completion date of September 30, 2011. Control enhancements for reporting and QC
will be completed early in the fourth quarter 2011 with a target of IT implementation
towards the end of first quarter 2012.
Special Loans
Special loans include, but are not limited to Usury loans, Adjustable Rate Mortgage
(“ARM”) loans, balloon loans, and SCRA loans. A dedicated team of analysts are
assigned to service special loans.
Risk
Observation
Management Response as of August 11, 2011
Page 82
Privileged and Confidential
Restricted
Residential Mortgage Servicing has a number of preventative and detective controls to
ensure ARM loans on
and
are adjusted appropriately. These
controls include restricted system access, a report to identify accounts on which rates
need to be adjusted, and management review of a sample of adjusted loans.
Residential Mortgage Servicing has a dedicated Special Loans team, which is
comprised of 27 individuals, to monitor and manage rate adjustments on ARM loans.
System access to adjust rates and indices is restricted to members of the Special
Loans team. Access entitlements are given only to members of the Special Loans
team. System access is administered and monitored by the Business Information
Risk Officer (“BIRO”).
Currently, a daily ARM loan exception report is generated from the system that
identifies only accounts whose rates need to be updated. The Special Loans analysts
utilize this report to make adjustments to the applicable loans. Once loans are
adjusted, management performs a quality assurance check by sampling and reviewing
10% of ARM adjustments.
However, as explained above, the access to adjust ARM
loans is restricted to the individuals within the Special Loans team and is administered
by BIRO.
However, management
will implement a detective control which will include creating a report (generated from
the applicable systems) to identify adjustments outside the current adjustment period.
This report will be generated no less than monthly and the management of the Special
Loans team will review and follow up on the loans noted in the report. Based on
prioritization, it is estimated that this report will be in place on or before the end of
November 2011.
Management Update as of October 10, 2011
The Special Loans management team is currently working with MIS to create reporting
that identifies adjustments to ARM loans that happen outside of contract time periods.
Foreclosure
Various third party attorneys are engaged in the execution of foreclosure actions to
assist in compliance with specific state and local laws and regulations.
Page 83
Privileged and Confidential
Restricted
Risk
Observation
Management Response as of August 11, 2011
Residential Mortgage Servicing is enhancing its vendor management processes within
residential mortgage loan servicing and is investing in significant resources to ensure
appropriate oversight and monitoring of Third-Party Providers, which includes law
firms. The existing Operational Risk Management team is expanding and a centralized
dedicated team, the Third Party Operational Risk Management Group (“TPORMG”),
has been formed. The TPORMG will engage with VRM to provide oversight,
management and subject matter expertise for residential mortgage loan servicing
vendor relationships, including law firms and trustees that provide foreclosure and
bankruptcy related services to Residential Mortgage Servicing in accordance with
applicable foreclosure or bankruptcy laws, rules, and regulations (collectively the
“Firms” or “Law Firms”). This centralized dedicated team, while working closely with
VRM, Legal, and Information Security Risk, will serve as the primary point of contact
and relationship manager for material vendors and will review, evaluate and take
appropriate actions on any relevant risk assessment requirements for these vendors.
The TPORMG will develop and implement the necessary tools, including a database
and related user manuals to monitor Third-Party Providers by September 12, 2011.
The TPORMG will ensure that Residential Mortgage Servicing departments comply
with the VRM Policy and Procedures and adhere to the Group Operations Functional
Instruction Manual (“FIM”). Specifically, TPORMG is focusing on the following:
Page 84
Privileged and Confidential
Restricted
x
x
x
x
x
x
x
Controls to initiate, renew, or terminate Third-Party Providers and coordination of
the ongoing periodic reviews, monitoring and assessment of Third-Party Providers;
Development and monitoring of vendor performance against defined service levels,
performance levels, and contract terms and coordinate the distribution of a Master
Services Agreement (“MSA”) to be executed by approved existing and future Law
Firms;
Comprehensive schedule of periodic audits and reviews to include prescribed
timeframes;
Dashboard reporting used to monitor, manage and age Third-Party Provider
remediation efforts to include Information Security Risk, Legal and Operations’
audit findings;
Improved reporting and oversight of relevant vendor related documentation and the
accurate capture and reporting of inventory;
Reporting and trending of customer complaints specific to third parties; and
An in-depth review of legacy relationships to ensure compliance with the VRM
Policy and Procedures.
A Governance Oversight Committee (“Committee”) comprised of individuals from
Operations, TPORMG, Compliance and Legal has been established and a charter for
the Committee has been developed. One of the key objectives of the Committee is to
evaluate and make decisions regarding Third-Party Providers based on the results of
the periodic Third-Party Provider reviews.
In addition to the establishment and centralization of the TPORMG, HNAH Legal has
developed specific procedures for the review and management of Law Firms (the “Law
Firm Procedures”) to assess the legal risk. Management is finalizing a user manual to
supplement the Law Firm Procedures and expects to complete it by September 12,
2011. The Legal department has been and will continue to oversee and manage
reviews of Law Firm compliance with applicable laws, rules and regulations, and
TPORMG will also oversee and ensure that reviews of Third-Party Providers are
completed to monitor compliance with quality, reputational, operational and other risks
consistent with Residential Mortgage Servicing policies, procedures and practices and
the VRM Program.
Additionally, Residential Mortgage Servicing management, together with HNAH Legal,
is developing the standard Master Services Agreement for Law Firms that includes
performance metrics and work standards. This agreement will be completed by August
11, 2011, and distributed to Law Firms by September 12, 2011. Also, the HSBC Best
Practices for Its Outside Foreclosure Firms (“Best Practices”), which contains
guidelines to ensure compliance with the letter and spirit of foreclosure, procedural and
other laws, rules and regulations, and applicable HSBC policies and procedures have
been developed and were distributed to active foreclosure Law Firms along with the
HSBC Standard Non-Disclosure Agreement (“NDA”). To date, all Law Firms have
executed the Non-Disclosure Agreement and all but one Law Firm have formally
acknowledged the Best Practices requirements. Adherence to the Best Practices will
Page 85
Privileged and Confidential
Restricted
be validated during the periodic review of the Firms.
For additional information on the progress related to third party management, refer to
the Mortgage Servicing and Foreclosure Practices Consent Order Progress Reports,
which were submitted to the OCC and FRB on July 29, 2011.
Management Update as of October 10, 2011
TPORMG accomplishments:
1. Implementation of the TPORMG database by 9/12/11. Database will allow for
dashboard reporting to monitor, manage and age Third party Provider remediation
efforts, track review schedules, communication to attorney firms as well as
escalated complaints. Currently in the process of mapping vendor data into
database as well as transferring contracts, reviews and any available scorecards
into TPORMG Sharepoint database.
2. Completed Third Part Risk Management Procedures as well as Law Firm
Termination Procedures.
3. Distributed MSA and revised Best Practices to 81 law firms which contain defined
service levels. Following up for return from each firm. Assessing current
measurements in place on
for monitoring vendor performance and prioritizing
future enhancements to improve monitoring of attorney firms.
4. Completing gap analysis on MSA work standards and current scorecards for all
non-attorney Third Party Vendors.
5. Completed in depth review of legacy relationships to ensure compliance with VRM
Policy and Procedures.
Research
The account research process includes the receipt and resolution of customer
research requests including: credit bureau, demographic changes, payment histories,
loan documents, cease and desist, and fee waivers. Upon resolution, the appropriate
response is sent back to the customer and logged in a tracking tool.
Risk
Page 86
Privileged and Confidential
Restricted
Observation
Management Response as of August 11, 2011
Residential Mortgage Servicing management is aware of the issue noted in this
observation and is in the process of remediation. For
and
the
turnaround time for customer inquiries can be tracked and monitoring within those
systems or in the
(“
solution, which is a system in which
incoming and outgoing correspondence is imaged and retained.
Previously the Research Department generated a Turnaround Time Report from the
to track and monitor the turnaround times for customer inquiries related to the
accounts maintained on
As
set forth below, a system enhancement was implemented to address this matter.
However, in the interim, as a mitigating control, the Research Department team
tracked customer inquiries, including volumes and managed turnaround times, through
a manual reporting process. In addition, managers performed quality assurance
checks by reviewing a minimum of 10 responses per Research Department
representative each month.
Management engaged the HTS to re-engineer the process and enhance the
functionality. Refer to Attachment 6 – 4013 – “CML RESPA QWR – Functional
Design,” pages 7 through 16 for additional details regarding the system enhancement.
The system enhancement will be able to handle the increased reporting needs and
allow users to track that responses or acknowledgement letters are sent to customers
timely to comply with the Real Estate Settlement Procedures Act (“RESPA”) and Dodd
Page 87
Privileged and Confidential
Restricted
Frank Act requirements. This technology enhancement was implemented on August 7,
2011.
Management Update as of October 10, 2011
The Research team has validated that the reporting to ensure proper monitoring of
non-standard customer responses has been remediated and is currently being utilized
by the business.
Technology
The Technology section comprised an evaluation of the general IT general control
environment (security, change management, logical access, operations, etc.,) as it
relates to the key operational areas.
Risk
Observation
Management Response as of August 11, 2011
Residential Mortgage Servicing management is aware of the issue noted in this
observation and remediation is in process. In the 2010 CML Line of Business Risk
Assessment dated February 17, 2011, which also includes MC residential mortgage
Page 88
Privileged and Confidential
Restricted
servicing functions, Residential Mortgage Servicing management acknowledged and
self-identified that Residential Mortgage Servicing has a partial inventory of their key
information assets. The report recommended that Residential Mortgage Servicing
should complete the inventory of key information assets (i.e., applications, vendors,
data transmissions, projects, and Local Area Network directories). This will assist the
prioritization of activities and initiatives necessary to evaluate exposure or compromise
to the confidentiality, integrity and availability of those information assets.
Currently, HSBC has a two pronged approach to managing the risk of its inventory of
applications and systems. At the organizational level, HSBC North America maintains
an inventory of key applications and systems which are critical to its business
functions. The single inventory of North American applications is stored in a single,
global repository, also containing the inventories for other regions within HSBC. This
inventory is monitored and updated according to the business application and system
requirements. The applications and systems included in the list are prioritized and
ranked using a risk-based approach, resulting in ratings from two areas: the business
owner via Information Security Risk (“ISR”) and technology via Disaster Recovery
(“DR”). Assigning and identifying priority of the applications and systems is dependent
upon but not limited to the business unit, application and/or system importance to the
business, application and system dependency, business continuity plans, and run time
objectives. In addition, during this process, the application to business services and
business services to application relationships are identified to understand the multiple
technology dependencies across North America. This continuous effort is enforced by
the HSBC DR team with assistance from Information Security and Business
Information Risk Officers of the North American business units. Each application and
system in the inventory is also aligned to an owner(s) within information technology
and business unit(s).
When managing the risk of its inventory of applications and systems, HSBC utilizes
two scoring methods to define risk. First, ISR performs a process called Group
Application Security Risk Assessment (“GASRA”) against the applications in the HSBC
North America inventory, which results in a rating from 1 to 5 (5 representing the
greatest risk). This rating is referred to as the Business Impact Assessment (“BIA”)
score.
Second, the GASRA information, combined with the Service Level Agreements
(“SLAs”) for the services provided by the underlying applications, and a resulting
Recovery Time Objective (“RTO”) results in a DR plan in which the applications are
given a letter grade of A thru D. A letter grade of A indicates the application must
return to service followed by the remaining subsequent letter grades. The combination
of Business Criticality and System interdependency determines the order in which the
systems are returned to service in the event of a disaster. Each selected application is
tested once or more per year to validate the RTO.
Page 89
Privileged and Confidential
Restricted
The process by which North America Software Delivery keeps the application inventory
in synch with the GASRA process and with the DR process is an ongoing effort with
ISR and BIRO on the business side, and DR and Quality Delivery on the technology
side.
At the business unit level, management also maintains an inventory of applications and
systems which it risk ranks based on established criteria including but not limited to
business importance, system dependency, and risk. As noted above, Residential
Mortgage Servicing management has self identified that it has only a partial inventory
of key information assets. Residential Mortgage Servicing management is currently in
the process of documenting, reviewing, and risk ranking the key business applications
and systems. This process is expected to be completed by February 2012.
Management Update as of October 10, 2011
The HSBC BIRO team is on target to complete the process of documenting, reviewing,
and risk ranking the key business applications and systems by the February 2012
delivery date.
Risk
Observation
Management Response as of August 11, 2011
Residential Mortgage Servicing management acknowledges and understands the need
to enhance the monitoring of DBA activities to mitigate the risk of unauthorized access.
This observation was previously identified by Group Audit North America and is noted
by management as an area of improvement across HSBC globally.
HSBC has undertaken an exercise to select, implement and utilize a database
monitoring tool. HSBC began implementing a database activity monitoring software,
in the third quarter of 2009.
supports database activity
monitoring along with the ability to monitor privileged users.
Page 90
Privileged and Confidential
Restricted
Implementation of
was initiated following a risk based approach with a focus
on Sarbanes-Oxley (“SOX”) related databases. Implementation proceeded until the
second quarter of 2010 when IBM acquired
and imposed a significant cost
increase to HSBC. The implementation was placed on hold while HSBC and IBM
negotiated new terms. Negotiations concluded in the second quarter of 2011, and the
contract is expected to be finalized by mid-September 2011. Once the contract is
executed, licensing and hardware requirements will be finalized and a risk based
deployment plan will be developed to implement
across HSBC.
Management Update as of October 10, 2011
No update at this time
Risk
Observation
Management Response as of August 11, 2011
Residential Mortgage Servicing management is aware of the issue noted in this
observation and remediation is in process. In the 2010 CML Line of Business Risk
Assessment dated February 17, 2011, which also includes MC residential mortgage
servicing functions, Residential Mortgage Servicing management acknowledged and
self-identified that Residential Mortgage Servicing needs to strengthen the access
controls over its applications and supporting infrastructure to mitigate the risk of
unauthorized access to information.
Currently, Residential Mortgage Servicing participates in the
Program, supported by HSBC North America
Information Security Risk, which provides an automated solution to certifying high risk
Page 91
Privileged and Confidential
Restricted
applications. Five high risk applications (i.e.,
and
1 which support Residential Mortgage Servicing are included in the
Program. The automated certification is performed on an annual basis by the line
managers with direct reports that have high risk access to in-scope systems.
Additionally, individuals that own IT system accounts are also asked to recertify the
need for those accounts and associated entitlements during the recertification process.
In addition to the automated annual certification process explained above, each
business is required to conduct a periodic entitlement review on a risk-based approach
for applications and supporting infrastructure which are key to its business. As noted
above, Residential Mortgage Servicing management has self identified that Residential
Mortgage Servicing should continue to strengthen access controls. Residential
Mortgage Servicing management acknowledges that to strengthen access controls,
including conducting periodic entitlement review, it first needs to create an inventory of
key applications and systems (including supporting infrastructure) and risk rank them
to determine the frequency of the entitlement review. As noted above, the Residential
Mortgage Servicing management is currently in the process of documenting, reviewing,
and risk ranking the key business applications and systems. Residential Mortgage
Servicing management will utilize this risk ranked application and system inventory list
to determine the frequency of the entitlement review. This process is expected to be
completed by February 2012.
Management Update as of October 10, 2011
The HSBC BIRO team is on target to complete the process of documenting, reviewing,
and risk ranking the key business applications and systems by the February 2012
delivery date.
Documents to be submitted with the Action Plan
x Management Response to Risk Assessment Testing Results
x Talent Review Guidelines for HR and line managers 2011
x Succession Planning Guidelines for HR and line managers 2011
x Good Governance - Project Overview
x Learning and Development Functional Training Gap Analysis
x Tax Search for
x 4013 - CML RESPA QWR - Functional Design
Key HSBC Contacts for the Action Plan
x
SVP Strategy, Operational Risk Management and Chief
Information Risk Officer, HBIO
x
SVP Default Services
1
Only
and
were in scope for the purpose of E&Y risk assessment review.
Page 92
Privileged and Confidential
Restricted
Page 93
Privileged and Confidential
Restricted
Mortgage Enhancements
HSBC North America Holdings, Inc.
HSBC Finance Corporation
Action Plan Response to FRB Consent Order
Article 16 & 17 Audit
Final Pending Approval from the Compliance Committee
October 31, 2011
Privileged and Confidential
Restricted
Article 16
FRB Order Reference:
Article 16
Corresponding
N/A
OCC Article:
Within 60 days of this Order, HNAH shall submit to the Reserve Bank an acceptable
written plan to enhance the internal audit program with respect to residential mortgage
loan servicing, Loss Mitigation, and foreclosure activities and operations. The plan
shall be based on an evaluation of the effectiveness of HNAH’s current internal audit
program in the areas of residential mortgage loan servicing, Loss Mitigation, and
foreclosure activities and operations, and shall include recommendations to
strengthen the internal audit program in these areas. The plan shall, at a minimum, be
designed to:
Action Plan
Audit Management has developed a plan to submit to the Reserve Bank which
evaluates the effectiveness of HNAH’s current internal audit program in the areas of
residential mortgage loan servicing, Loss Mitigation, and foreclosure activities and
operations, and includes recommendations to strengthen the internal audit program.
In response to the Order, Group Audit North America completed a thorough review to
evaluate the Internal Audit program scope.
Steps to Enhance Audit Programs (Audit Risk Assessments)
Group Audit North America conducted a gap analysis for every item in the Order to
identify:
1) Areas that were not previously covered in the audit scope,
2) New controls implemented by Residential Mortgage Servicing management in
response to the requirements expected and specified in the Order, and
3) Areas previously included in audit programs that require more detailed review
based on the Order requirements.
Controls included in existing Audit Risk Assessments (“ARAs”) were compared to
those expected and specified in the Orders. In addition, Group Audit North America
obtained the Ernst & Young, LLP (“E&Y”) independent consultant risk assessment
results and identified those risks and controls not previously included in applicable
ARAs and revised them accordingly.
Refer to attached AUN GAP Analysis Consent Orders vs. Audit Programs file, which
has separate tabs for OCC and FRB Order GAP analyses. The column labelled “Gap
Analysis” (column E) specifically identifies enhancements to existing audit programs
or new audit programs.
Further, there are two tabs for:
1) ARA – Back End RE Secured Default Services, and
2) ARA – Front End Collections & NRE Secured Default Services
Page 2
Privileged and Confidential
Restricted
Both ARAs – which define the audit scope - include revised and new controls
identified in the GAP analysis. Specific enhancements and/or new controls included
in ARAs as a result of the Consent Order gap analysis and the analysis of the
independent consultant risk assessment results have been highlighted.
The results of this analysis include, without limitation, the following:
Entities
Consumer
Mortgage
Lending
(CML) &
Mortgage
Corporation
(HMC)
Existing Audit
Programs
New/Enhanced Audit Programs
1) Front-End Collections
& NRE Secured Default
Services, which
includes but is not
limited, to:
- Governance
- Strategy
- Modification
Restructures
- Bankruptcy
- Dialer management
- Telephone
Collections
- Loss mitigation
- Agency
management
- Charge-off
processing
- Bad debt recovery
operations and debt
sales
- Capacity planning
- Incentive
Compensations
- Regulatory
Compliance
- MIS
- Vendor
Management
Enhancements:
• Residential Mortgage MIS
presented to the Board of
Directors and Governance
committees – including MIS to
monitor compliance with
regulatory requirements
• Governance framework
• Compliance with state
requirements related to the
identification and assessment
of residential mortgage
servicing compliance risks by
management.
• Employee compensation
practices
• Staff qualification assessment
and workload monitoring
• Process is in place to locate
and secure all documents
(including original promissory
note) necessary to perform
residential servicing and loss
mitigation functions.
• Affidavit execution process for
the unsecured portfolio
• Notarization process for the
unsecured portfolio.
New audit programs:
• Third party attorney oversight
(management of law firms)
• Single Point of Contact
Refer to attached AUN Residential
Mortgage Servicing and NRE Default
Services Program Summary file (pages
15 through 23) for overview of audit
programs coverage. Enhancements and
Page 3
Privileged and Confidential
Restricted
new controls to prior audit programs are
indicated with bold font.)
CML & HMC
2) Back-end RE
Secured Default
Services, which
includes but is not
limited, to the following :
- Governance
- Foreclosure
- Bankruptcy
- Loss mitigation
(settlements: short
sale, deed in lieu,
forbearance)
- Reage restructures
- Real Estate Owned
- Valuation Review
Group
- Investors
- Charge-off
- Capacity planning
- Incentive
Compensation
- Regulatory
Compliance
- MIS
- Vendor
Management
Enhancements:
• Affidavit execution process
• Notarization process
• Residential Mortgage MIS
presented to the Board of
Directors and Governance
committees – including MIS to
monitor compliance with
regulatory requirements
• Governance framework
• Compliance with state
requirements related to the
identification and assessment
of residential mortgage
servicing compliance risks by
management.
• Employee compensation
practices
• Workloads of servicing,
foreclosure and Loss
Mitigation, and loan
modification personnel,
including Single Point of
Contact (SPOC) personnel
are reviewed and managed as
part of capacity planning
• Legal entity review and
collateral assignment
validation
• Staff qualification assessment
and monitoring of workloads
• Process is in place to locate
and secure all documents
(including original promissory
note) necessary to perform
residential servicing,
foreclosure and loss mitigation
functions.
New audit programs
• Third party attorney oversight
(management of law firms)
• Single Point of Contact
• MERS
Refer to attached AUN Residential
Mortgage Servicing and NRE Default
Page 4
Privileged and Confidential
Restricted
Services Program Summary file (pages 6
through15) for overview of audit
programs coverage. Enhancements and
new controls to prior audit programs are
indicated with bold font.
CML & HMC
CML & HMC
Payments Services
audit(*), which includes
but is not limited to the
following:
x Payment Processing
x Bankruptcy
payments (including
cash)
x Exception
monitoring and
research
x Cash balancing
x Cash management
x Regulatory
compliance
x MIS
x Vendor
Management
Enhancements:
• Verification of payment
posting in accordance with the
underlying note Staff
qualification assessment and
monitoring of workloads
• Compliance with specific
regulatory requirements
Customer Service
audit(*), which includes
but is not limited to the
following:
x Call forecasting and
capacity planning
x VRU and call routing
x Phone inquiries
x Correspondence
and research
x Credit Bureau
disputes
x Complaint resolution
x Escrow and
Insurance
monitoring
x Tax payments
x Monetary, nonmonetary
adjustments and
reages
x Law record change
monitoring
x Payoff, research
Enhancements:
• Compliance with specific
regulatory requirements
• Staff qualification assessment
and monitoring of workloads
Refer to attached AUN Residential
Mortgage Servicing and NRE Default
Services Program Summary file (pages
23 through 26) for overview of audit
programs coverage. Enhancements and
new controls to prior audit programs are
indicated with bold font.
New audit programs:
• Single Point of Contact
(SPOC)
Refer to attached AUN Residential
Mortgage Servicing and NRE Default
Services Program Summary file (pages
26 through 34) for overview of audit
programs coverage. Enhancements and
new controls to prior audit programs are
indicated with bold font.
Page 5
Privileged and Confidential
Restricted
HMC
and lien releases
x Billing statements
x Mailroom
processing
x MIS
x Vendor
Management
Servicing and
Accounting, which
includes but is not
limited, to the following:
- Imaging and
document
administration
- New loan set-up and
lien release
- Investor accounting
- Service by others
portfolio accounting
(e.g. reconciling of
portfolio funds)
Audit of HMC Servicing and
Accounting was last completed in
2009 and has not been completed in
2011 due to strategic initiatives
pending in this area. Based on the
outcome of the strategic initiatives
audit work will be executed in 2012.
.
(*) ARA’s will be revised during the upcoming Themed Audits of Payment Services
(scheduled 4Q11) and Customer Service (scheduled 2012). Both audits will cover CML and
HMC applicable processes.
It is pertinent to note that as of the date of this Action Plan, Residential Mortgage
Servicing management was in the process of finalizing the implementation of Order
requirements pertaining to SPOC and other areas included in the Order (i.e., Vendor
management including management of law firms ). The E&Y independent consultant
risk assessment review did not assess these controls as enhancements were in the
process of implementation.
The Themed review of Front-End Collections and NRE Default Services, Foreclosure
Processing and Bad Debt Recovery, in progress at the time of the completion of this
Action Plan, includes the review of controls not assessed by E&Y as noted above.
Specifically, controls related to:
x Foreclosure
x Vendor management (including management of law firms) SPOC and MERS
Subsequent reviews will be scheduled in 2012 to address any controls not
implemented at the time of the audit.
The audit covers the review of Residential Mortgage Servicing management’s
Page 6
Privileged and Confidential
Restricted
implementation of Action Plans to address Consent Order requirements, including but
not limited, to the following:
• Governance
• Consent Order Project Management including Cost Management Reporting to the
Board of Directors and Compliance Committee
• Foreclosure activities including:
- Foreclosure Review Group
- Foreclosure processing (i.e., affidavit, notarization)
- Foreclosure quality assurance (first line of defense)
• Foreclosure complaint process
• Single Point of Contact (SPOC)
• Third Party Attorney Oversight (management of law firms)
• Mortgage Electronic Registration System (“MERS”)
• MIS implementation
• Capacity Planning and capability assessment
• Incentive Compensation practices
Refer to Front-End Collections and NRE Default Services, Foreclosure Processing
and Bad Debt Recovery audit scope detailed within the Audit Planning Memorandum
(APM) for the audit. Specifically, pages 1 through 4 of the APM include the audit
objectives and scope.
Other controls not tested as part of the E&Y risk assessment conducted pursuant to
the Order (i.e., payments, real estate owned, property preservation) and not included
in the scope of the Front-End Collections and NRE Secured Default Services,
Foreclosure Processing and Bad Debt Recovery audit, will be included in other
upcoming audits as applicable (i.e., Payment Services audit, Back-end RE secure
audit).
Documents to be submitted with the Action Plan
x AUN GAP ANALYSIS – FRB CONSENT ORDERS vs. AUDIT PROGRAMS
x AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES PROGRAM SUMMARY
x AUDIT PLANNING MEMORANDUM - 2011
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 7
Privileged and Confidential
Restricted
Article 16(a)
FRB Order Reference:
Article 16(a)
Corresponding
N/A
OCC Article:
Ensure that the internal audit program encompasses residential mortgage loan
servicing, Loss Mitigation, and foreclosure activities;
Action Plan
Existing Processes / Programs:
The Mortgage Default Servicing Operations Audit is on an annual review cycle
Key operational areas are rotated on
an annual or bi-annual cycle based on risk and transactional volume.
This audit includes the following key areas:
x Front-End Collections and Back-End Default Services
o Front-End Collections and related activities covering accounts in the first 59
days overdue (e.g., Internal Hardship, Collection Queue Management, and
Dialer Strategies)
o Mid-Range Activities covering accounts from 60 to 119 days overdue (e.g.,
Skip Tracing and use of external collection agencies)
o Back-end Default Services – covering operations for accounts beyond 120
days overdue (e.g., Loss Mitigation Strategies, Loan Modifications, Chargeoff, Real Estate Owned and, Foreclosures)
Other residential mortgage servicing audits include:
x Payment Services
x Customer Service
Front End Collections and Back-End Default Services
Audit coverage of the Collection and Default Services includes the review of
collections activities on contractually delinquent accounts serviced by the Mortgage
Servicing Companies and HBUS. Activities included in scope consist of front-end,
mid-range and back-end collections for secured and unsecured loans. Audit
coverage extends to governance and strategy; as well as processes for restructuring
(e.g., modifications and re-ages), bankruptcy, foreclosure, and Loss Mitigation
activities (e.g., short-sales, deed in lieu, forbearance). Dialer management is also
reviewed to ensure that telephonic customer collection dialer setting queues are
systemically restricted to authorized personnel, policies and procedures are adhered
to, and regulatory requirements are considered. The reviews also cover Real Estate
Owned (REO) activities and monitoring of external agencies (e.g., debt
management).
Front-End Collections and Default Services detailed audit scope summary has been
Page 8
Privileged and Confidential
Restricted
included in Article 16 (FRB Order Reference – Article 16). Refer to Front-End
Collections and NRE Secured Default Services Audit (Item #1) and Back-End RE
Secured Default Services Audit (Item #2) included in Article 16 table attachment.
In addition, the AUN Residential Mortgage Servicing and NRE Default Services
Program Summary file – pages 6 - 23 -include an overview of audit programs
coverage.
Payment Services
Audit coverage of Payment Services includes the review of related payment activities
on accounts serviced by the Mortgage Servicing Companies and HBUS.
The Mortgage Servicing Payment Services audit includes the review of activities
related to the receiving, tracking and posting of cash payments, cash exception
processing (i.e., bankruptcy payment processing), verification that payment
algorithms comply with State regulatory requirements, and validation of payment
posting.
Payment Services detailed audit scope summary has been included in Article 16
(FRB Order Reference – Article 16). Refer to Payment Services audit program
coverage included as item #3 in Article 16 table attachment. In addition, the AUN
Residential Mortgage Servicing and NRE Default Services Program Summary file –
pages 23-26 -include an overview of Payment Services audit programs coverage.
Customer Service
The Customer Service audit includes the review of related customer service activities
on accounts serviced by the Mortgage Servicing Companies and HBUS. Customer
Service activities include handling of customer correspondence (whether received by
phone, letter, or e-mail), forecasting call volumes and routing via the Voice Response
Unit (“VRU”), and management of complaints. Responsibilities for maintaining
escrow accounts, monitoring accounts requiring special handling, and maintaining
required property insurance, processing of payoffs and lien releases are also
reviewed as part of this audit.
Customer Service audit scope summary has been included in Article 16 (FRB Order
Reference – Article 16). Refer to detailed audit program coverage included as item
#4 in Article 16 table attachment. In addition, the AUN Residential Mortgage
Servicing and NRE Default Services Program Summary file – (pages 26 through—
34) include an overview of Customer Service audit programs coverage.
Regulatory Compliance Coverage
Review of compliance with the applicable federal and state regulatory requirements
is included in each of the mortgage servicing audits using a standard regulatory
compliance audit program. This program includes, but is not limited, to the following:
• Identification and assessment of regulatory risks by management.
• Identification of new laws and regulations and changes to existing laws and
regulations
• Implementation of appropriate actions to comply with new and modified regulatory
Page 9
Privileged and Confidential
Restricted
requirements
Monitoring of outstanding compliance related issues
Independent testing to ensure compliance with applicable regulatory
requirements
• Complaints monitoring and escalation procedures
Specific regulatory compliance coverage is included in the AUN Residential
Mortgage & NRE Default Services Program Summary – pages 2 and 3 – attached
below.
•
•
In addition, Group Audit North America includes the review of applicable mortgage
servicing activities as part other audits, such as Remittance Processing Center, Loan
Loss Reserve, Business Unit Financial Control, State Regulatory Administration, and
Sarbanes Oxley.
Enhancements to Processes / Programs:
While the above audit programs encompass most activities related to residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities, Group Audit
North America has enhanced and developed new specialized audit programs in light
of the Order. For this purpose, Group Audit North America completed an analysis of
the review and testing that needs to be completed in the areas of mortgage loan
servicing, Loss Mitigation and foreclosure activities in accordance to the
requirements outlined in the Consent Orders. Specialized audit programs have been
enhanced (e.g., deeper review of foreclosure affidavit processing) and new audit
programs have been created for processes outlined in the Consent Order not
covered in prior audits (e.g., SPOC, Third Party Attorney Oversight and MERS).
Further, additional controls identified from the analysis of the E&Y independent
consultant’s risk assessment results have been incorporated in applicable audit risk
assessments defining the scope of the upcoming audits.
A listing of the changes made based on the completion of the GAP analysis and the
results of the independent risk assessment are addressed in Article 16 Action Plans
(FRB Order Reference Article 16).
For specific GAP analysis results, refer to attached AUN GAP Analysis Consent
Orders vs. Audit Programs file, which has separate tabs for OCC and FRB Order
GAP analyses. The column labelled “Gap Analysis” (column E) specifically identifies
enhancements to existent audit programs or new audit programs.
Further, there are two tabs for:
1) ARA – Back End RE Secured Default Services, and
2) ARA – Front End Collections & NRE Secured Default Services
Both ARAs – which define the audit scope - include revised and new controls
identified in the GAP analysis. Specific enhancements and/or new controls included
in ARAs as a result of the Consent Order gap analysis and the analysis of the
independent consultant risk assessment results the ARAs have been highlighted.
Page 10
Privileged and Confidential
Restricted
Furthermore, Group Audit North America audits for 2011 and beyond have been
expanded to monitor the effectiveness of the process improvements in response to
the Order. As such, a limited audit of resumed foreclosure activities was completed
by Group Audit North America in 2Q11. Upon resuming the foreclosure processing in
Florida, Group Audit North America completed transaction walkthroughs and detailed
testing of foreclosure processing, including:
• Foreclosure review (approval process),
• Affidavit completion and processing including notarization procedures, and
• Foreclosure quality control (first line of defense) activities.
The audit also included the review of Law Firm audits completed by external
counsel, on active Florida Law Firms prior to resuming foreclosure activities. A
management letter describing the audit was issued on July 11, 2011. It is pertinent to
note that the audit was completed using the enhanced foreclosure audit program
which incorporates affidavit, notarization and regulatory requirements. Based on the
limited test work performed, Group Audit North America noted that adequate
procedures and controls have been implemented to address the concerns noted by
the OCC and FRB prior to resuming the foreclosure process in Florida.
Refer to Management Letter - Limited Review of Foreclosure Restart Activities
attached below for detailed information.
It is important to mention that the Front-End Collections and NRE Secured Default
Services, Foreclosure Processing and Bad Debt Recovery Operations audit is in
process at the time of the completion of this Action Plan. This audit also covers the
review of Residential Mortgage Servicing management’s implementation of Action
Plans to address Consent Order requirements. Specific scope coverage for this
audit is addressed in Article 16 Action Plans (FRB Order Reference – Article 16).
The existing Group Audit North America scope as well as enhancements in response
to the Order exhibit HNAH’s commitment to timely conduct audits of its mortgage
related functions and ongoing compliance with the Order.
Documents to be submitted with the Action Plan
x AUN GAP ANALYSIS – FRB CONSENT ORDERS vs. AUDIT PROGRAMS
x AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES PROGRAM SUMMARY
x MANAGEMENT LETTER – LIMITED REVIEW OF FORECLOSURE RESTART
ACTIVITIES
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 11
Privileged and Confidential
Restricted
Article 16(b)
FRB Order Reference:
Article 16(b)
Corresponding
N/A
OCC Article:
periodically review the effectiveness of the ECP and ERM with respect to loan
servicing, Loss Mitigation, and foreclosure activities, and compliance with the Legal
Requirements and supervisory guidance of the Board of Governors
Action Plan
As described below, HNAH has processes in place to review the effectiveness of the
ECP and ERM with respect to loan servicing, Loss Mitigation, and foreclosure
activities, and compliance with Legal Requirement and supervisory guidance in
accordance with the requirements of the Order.
Existing Processes / Programs:
Group Audit North America conducts periodic reviews of mortgage servicing business
processes including Default Services, Customer Service, and Payment Services,
which assess the effectiveness of the compliance and risk management processes for
loan servicing, Loss Mitigation, and foreclosure activities. These reviews include
coverage of compliance with the Legal Requirements and supervisory guidance.
Effectiveness of the control functions is currently evaluated through audits of ECP and
ERM functions, which include, North America Compliance Management, North
America ERM governance and oversight, and North America Operational Risk
Management (“ORM”).
Enterprise Compliance Program (ECP)
Group Audit North America provides an annual risk and control assessment of the
adequacy and effectiveness of the ECP to the Audit Committee and Compliance
Committee of the HNAH Board of Directors. Reports are also provided to Chief
Executive Officers, Chief Compliance Officer and other Executives. The annual
compliance risk and control assessment is completed based on the results of the
annual HNAH General Compliance Audit in conjunction with results from audits
performed of the compliance programs relating to AML/KYC/BSA as well as nonAML/KYC/BSA requirements and the review of TRAC (Testing and Risk Assessment
Compliance or second line of defense function). Results from the review and testing
performed of regulatory matters in applicable business-as-usual (BAU) audits are
included in the assessment. Some of the areas covered as part of the annual HNAH
General Compliance audit include:
• Compliance governance and oversight framework
• Reporting (including accuracy of MIS presented to Governance committees)
• Compliance Risk Management Program
• Local Compliance Officer roles and responsibilities
• Regulatory Monitoring and Assessment (RMA) function
• Project Management Office key project initiatives implementation and monitoring
Page 12
Privileged and Confidential
Restricted
•
•
Regulatory complaint process
Regulatory review support group
Refer to attached General Compliance Audit (pages 1 through 27) and 2010 annual
compliance risk and control assessment report (pages 28 through 46) for details.
Identification, implementation and monitoring of new and/or changes to legal
regulatory requirements are reviewed as part of the HNAH General Compliance Audit
where the Regulatory Monitoring and Assessment function is audited. In addition, as
part of the residential mortgage servicing audits, Group Audit North America reviews
operational policies and procedures and verifies that proper review and approval is
obtained from HNAH Legal and/or HNAH Compliance to ensure compliance with
current regulatory requirements. The review also includes verification of
change/control procedures in place.
To ensure adequate coverage of regulatory requirements Group Audit North America
prepares and maintains a matrix of regulatory requirements (e.g., flood, fair lending)
to assist its auditors in identifying key regulations and including them in the scope of
each audit as applicable. The Compliance Risk Assessment completed by HNAH
Compliance is used to update the matrix on a semi-annual basis. Group Audit North
America management ensures that staff identifies and understands the regulations
that apply to the audit they are performing by using the regulatory matrix. Group Audit
North America monitors coverage of compliance risks during the year to ensure that
there is adequate internal audit coverage of compliance risks to support the
assessment at the end of the year.
Further, Group Audit North America completes a regulatory compliance review as part
of every operational audit using a standard regulatory compliance audit program. This
program includes, but is not limited, to the following:
• Identification and assessment of regulatory risks by management.
• Identification of new laws and regulations, changes to existing laws and
regulations
• Implementation of appropriate actions to comply with new and modified regulatory
requirements.
• Monitoring of outstanding compliance related issues
• Independent testing to ensure compliance with applicable regulatory requirements
• Complaints monitoring and escalation procedures
Specific regulatory compliance coverage is included in the AUN Residential Mortgage
& NRE Default Services Program Summary – pages 2 and 3 – attached below.
Second line of defense functions are a critical component of the internal control
framework in HSBC and they are audited on a regular basis. Specifically, the
independent testing units such as Service Delivery Control Assessment (SDCA),
SOX, Credit Review and Risk Identification (CRRI) and TRAC are audited annually.
These are baseline audits which will eventually conclude on their effectiveness and
Page 13
Privileged and Confidential
Restricted
audit’s ability to place reliance on the work performed by them.
It is pertinent to note that an audit of the SDCA function was completed in 2Q2011
where issues were noted with respect to the quality of the reviews executed by the
second line of defense function supporting the Consumer Mortgage Lending (CML)
business line. These issues relate to: failure to identify and perform testing for all
applicable compliance risks; inappropriate management judgment with respect to
scope and coverage in key reviews such as Bankruptcy, REO and Modifications;
inability to provide evidence to support the work performed or rationale for decisions
relating to sample sizes; exclusion of key controls from testing plans; and extended
review periods. Responses including remediation action plans were provided by
SDCA management and have been reviewed by Group Audit North America.
Periodic meetings are held between Group Audit North America and SDCA
management to verify progress of remediation actions implementation. Final
verification procedures will be completed by Group Audit North America following
standard audit practices for tracking and validation of audit issues by November 30,
2011.
Enterprise Risk Management (ERM)
There are two ways in which Group Audit North America covers ERM:
1.ERM is a standalone audit entity by itself and an audit is being performed in 2011
focusing on:
x Governance
x Risk identification
x Risk measuring and monitoring, and
x Risk reporting processes
2. Further, for every audit that is executed, two planning documents are mandatory in
line with HSBC’s methodology; the Audit Planning Memorandum (“APM”) and the
Audit Risk Assessment (“ARA”). The ARA follows the ERM philosophy in the sense
that all risks relevant to the entity under review, including, but not limited to, credit,
operational, compliance, operational and financial risks are considered and
evaluated in line with this philosophy.
It is pertinent to note that as part of every audit, Group Audit North America verifies
the effectiveness of operational risk management activities by assessing whether
management has completed an operational risk assessment and recorded risks in
the
(“
with appropriate
action plans. Any missing or incomplete risks or divergence in risk assessments are
reported to applicable business unit management. Specific operational risk coverage
is included in the AUN Residential Mortgage & NRE Default Services Program
Summary – pages 4 and 5 – attached below.
Group Audit North America’s existing processes to review ECP and ERM with
respect to loan servicing, Loss Mitigation, and foreclosure activities exhibit
management’s commitment to ensuring monitoring of mortgage related functions and
compliance with the Order.
Page 14
Privileged and Confidential
Restricted
Enhancements to Processes / Programs:
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x AUN RESIDENTIAL MORTGAGE SERVICING AND NON REAL ESTATE
DEFAULT SERVICES PROGRAM SUMMARY
x GENERAL COMPLIANCE AUDIT AND 2010 ANNUAL COMPLIANCE RISK AND
CONTROL ASSESSMENT REPORT (GAO GEN 100026)
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 15
Privileged and Confidential
Restricted
Article 16(c)
FRB Order Reference:
Article 16(c)
Corresponding
N/A
OCC Article:
ensure that adequate qualified staffing of the audit function is provided for residential
mortgage loan servicing, Loss Mitigation, and foreclosure activities;
Action Plan
HNAH’s Group Audit North America has existing processes to ensure that adequate
qualified staffing of the audit function is provided for mortgage loan servicing, Loss
Mitigation, and foreclosure activities to comply with the requirement of the Order.
Existing Processes / Programs:
Internal audits of Residential Mortgage Loan Servicing, Loss Mitigation and
foreclosure activities have been led by an experienced Audit Executive for the past
three years. The members of the audit team have also been consistent over the
same period with little turnover. The team consists of eight professionals who have
mortgage industry and business experience, and have served as internal audit
professionals in a variety of accounting firms and financial institutions. Maintaining an
audit team that has the adequate skills and experience to complete the audit plan is
an ongoing priority, and a formal assessment and presentation of skills and
experience of the audit team is made to the Audit Committee on an annual basis and,
beginning in May 2011, to the Compliance Committee of the HNAH Board of
Directors.
Additionally, in accordance with our Group Audit methodology, every auditor is
required to complete at least 40 hours of training per calendar year. This can include
internal or external training courses, online or computer based training, or self-study in
preparation of an approved professional certification. As part of our BAU process, all
training is monitored and tracked on a
database. Sixteen of the 40 hours
must be dedicated to compliance education to keep staff up-to-date with current
regulatory requirements. This is a new requirement for Group Audit North America,
added in 2011 in response to the various consent orders.
As part of the mandatory internal training requirements, auditors are required to
complete training in areas such as fair lending, operational risk and compliance
enterprise risk wide assessment process which impact and/or include residential
mortgage servicing activities.
The Chief Audit Executive of HNAH has overall responsibility for managing all audits
in the region. However, the Chief Audit Executive of HBIO has overall responsibility
for audits of the consumer and mortgage lending business for HBIO and HSBC USA
Inc. (“HUSI”). The HBIO Chief Audit Executive has over 18 years of experience in the
financial services industry and an extensive internal audit background. These
Page 16
Privileged and Confidential
Restricted
experiences include managing internal audits for financial institutions and acting in
auditing and consulting roles with a large accounting firm.
Coverage of the mortgage business unit is also included in Group Audit North
America’s enterprise-wide themed reviews, such as HMDA, Fair Lending, Service
Delivery Control Adherence (formerly known as NAQA), and GLBA Compliance.
The existing processes, as described above, ensure that adequate qualified staffing of
the audit function is provided for residential mortgage loan servicing, Loss Mitigation,
and foreclosure activities and exhibit HNAH’s commitment to ensure reviews are
performed by individuals with appropriate experience and qualifications in accordance
with the requirements of the Order.
Enhancements to Processes / Programs:
In addition, in response to the Order, several core members of the mortgage business
audit team are required to attend a specialized training course or conference related
to the industry this year. A training strategy and plan have been established and is
tracked to completion including quarterly updates to the FRB.
Specialized training includes attendance at:
• Enterprise Risk Management Conferences
• Mortgage Risk Conference
• Compliance and Ethics Academy
• Governance, Risk and Compliance Conference
• Regulatory Compliance Conference (covering foreclosure regulatory expectations)
• MERS Seminar
As of September 30, 2011, the training plan is on target and will be completed by
November 30, 2011.
Refer to AUN Staff Qualification and 2011 Training Programs chart attached hereto.
This chart includes a summary of mortgage business team core member’s
biographies, certifications, 2011 internal and external training plans, as well as status
of training as of September 30, 2011.
Based on Group Audit North America’s analysis of the review and testing that needs
to be completed in the areas of mortgage loan servicing, Loss Mitigation and
foreclosure activities in accordance with our risk-based approach, resource
requirements have been reviewed and resource allocations adjusted where
applicable. This analysis has considered the enhancements being made to
processes and controls by Residential Mortgage Servicing management, additional
compliance risks identified and addressed, and the remediation efforts specifically
undertaken to address the Order, and it has been concluded that there are adequate
number of full-time employees with the required skills and experience at this time.
Group Audit North America assesses the adequacy of its staff levels on an ongoing
basis and changes made as needed. We will consider augmenting with consultancy
resources if deemed necessary at any point. Refer to AUN Staff Assessment and
Page 17
Privileged and Confidential
Restricted
Training Programs document attached for detailed capacity assessment.
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x AUN Staff Qualification and 2011 Training Program Chart
x AUN Staff Assessment and Training Program
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 18
Privileged and Confidential
Restricted
Articles 16(d), 16(e), 16(f)
FRB Order Reference:
Article 16(d)
Corresponding
N/A
OCC Article:
ensure timely resolution of audit findings and follow-up reviews to ensure completion
and effectiveness of corrective measures;
FRB Order Reference:
Article 16(e)
Corresponding
N/A
OCC Article:
ensure that comprehensive documentation, tracking, and reporting of the status and
resolution of audit findings are submitted to the audit committee; and
FRB Order Reference:
Article 16(f)
Corresponding
N/A
OCC Article:
Establish escalation procedures for resolving any differences of opinion between audit
staff and management concerning audit exceptions and recommendations, with any
disputes to be resolved by the audit committee.
Action Plan
HNAH completes follow-up reviews to validate implementation, effectiveness of
corrective measures, comprehensive documentation, tracking, reporting of the status
and resolution of audit findings that are submitted to the Audit Committee. HNAH also
has escalation procedures for resolving any differences of opinion between audit staff
and management concerning audit exceptions and recommendations, with any
disputes to be resolved by the Audit Committee.
Existing Processes / Programs:
Group Audit North America employs a risk-based approach to reporting and
monitoring audit findings, which is designed to ensure critical matters or exposures
are escalated and addressed in a timely and comprehensive manner. For high risk
findings, Group Audit North America verifies implementation of corrective measures
through detailed testing. Low risk audit findings are communicated to management,
and it is the business unit’s responsibility to ensure corrective measures have been
taken and reported. Group Audit North America management conducts on-going
monitoring of aging audit issues – which are restricted to high-and medium-risk issues
– to verify whether findings have been resolved, and it regularly reports stale (greater
than 180 days old) high or medium risk findings to the Audit Committee. Repeat and
partial repeat findings also receive separate reporting and tracking, and management
has scorecard goals to keep both stale and repeat findings at low levels.
Further, issues with multiple target date revisions, aged beyond 365 days, with no
mitigating (interim) controls in place, are also specifically reported and escalated to
Executive and Operational Risk Committees.
Group Audit North America has systems in place to track and monitor the status of the
audit findings and recommendations. These systems facilitate follow-up reviews and
are designed to track timely completion and effectiveness of the corrective measures.
Page 19
Privileged and Confidential
Restricted
For example, the Audit Issues Module includes the following:
x Detailed information about findings, including target date for resolution, next
action date for review by Group Audit North America, management response
and action plan, and commentary supporting actions to date;
x Tracking capabilities designed to ensure the information is accurate and up-todate, and that timely, corrective action of audit findings have been certified by
management;
x Tracking capabilities designed to ensure that all outstanding issues have been
remediated; and
x Email notifications to the responsible individuals when items are due, designed
to ensure timely follow-up on outstanding audit finding.
The Audit Issues Module is utilized to generate exception reports that list issues that
have not been remediated. Group Audit North America submits these reports monthly
to Executive Management as well as quarterly to the internal Operational Risk and
Control Committees and the Audit Committee of the HNAH Board. (See Audit Update
– HNAH Operational Risk and Internal Control Committee (ORIC) in its entirety. The
Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
summarizes the audit issues, activities, reports, and risks of HNAH). Please see the
following documents for examples of the reports noted above:
x HBIO High Risk Outstanding Issues (PPT) - this document covers the high risk
issues of HBIO by business line and by resolution date
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS) - this document gives
audit issue information based on status, pending validation, target date and
changes, and monitoring authority
x HBIO Repeat Issues - this document provides information on repeat and partial
repeat issues of HBIO
x HBIO Repeat Issues 2Q11 - this document provides information on the number
of repeat issues for 2Q11 and 1Q11 for HBIO
x HNAH All Medium 30JUN11 - this document provides information on the type
of audit issues encountered, target date, and monitoring authorities.
x HNAH High Risk Issues 30JUN11 (XLS) - this document gives audit issue
information based on status, pending validation, target date and changes, and
monitoring authority
x HNAH High Risk Outstanding Issues (PPT) - this document highlights the
number of high risk outstanding issues by business line and resolution date.
x HNAH-wide including HTSU Repeat Issues - this document provides repeat
and partial repeat issue information for both high and medium risk outstanding
findings
x HNAH Repeat Issues 2Q11 - this document provides information on the
number of repeat issues for 2Q11 and 1Q11 for HNAH
Group Audit North America has procedures to escalate and resolve differences of
opinion between audit staff and management concerning audit exceptions and
recommendations. Upon completion of audit reviews and prior to report issuance,
Group Audit North America holds exit meetings with senior management to discuss
Page 20
Privileged and Confidential
Restricted
audit findings and confirm that no disagreements with the facts of the audit findings
exist. Minutes from these meetings are circulated to the relevant members of
management. Any disagreements and/or concerns are escalated to Executive
Management. While every attempt is made to agree on the factual accuracy of the
audit findings with Management, Group Audit North America is ultimately responsible
for the overall control risk rating and risk rating of findings in the audit report. If a
circumstance should arise where a disagreement is not resolved, it will require
escalation to the Audit Committee and that responsibility is well communicated and
understood by the Chief Auditor.
Responses to findings included in audit reports are provided by management within
eight weeks of report issuance. These responses are reviewed by Group Audit North
America to ensure adequacy of corrective actions. Any disagreement with
management’s responses is provided to executive management for review and
response revision. If disagreement is not resolved, the results/deficiencies noted from
the review of the response are escalated to the Chief Executive Officer and applicable
Risk Committee for final resolution.
It is important to note that Group Audit North America presents a summary of the
status of audits rated below standard (including corrective action implementation) to
the Audit Committee of the Board of Directors on a quarterly basis.
Enhancements to Processes / Programs:
Group Audit North America related processes and procedures are subject to on-going
review in the ordinary course of business. Revisions or enhancements will be made
where determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
x HBIO High Risk Outstanding Issues (PPT)
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS)
x HBIO Repeat Issues
x HBIO Repeat Issues 2Q11
x HNAH All Medium 30JUN11
x HNAH High Risk Issues 30JUN11 (XLS)
x HNAH High Risk Outstanding Issues (PPT)
x HNAH-wide including HTSU Repeat Issues
x HNAH Repeat Issues 2Q11
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 21
Privileged and Confidential
Restricted
Article 17
FRB Order Reference:
Article 17
Corresponding
N/A
OCC Article:
Within 60 days of this Order, HBIO shall submit to the Reserve Bank an acceptable
enhanced written internal audit program to periodically review compliance with
applicable the Legal Requirements and supervisory guidance of the Board of
Governors at the Mortgage Servicing Companies that shall, at a minimum, provide for:
Action Plan
Group Audit North America maintains an audit plan which includes periodic reviews of
compliance with the applicable Legal Requirements and supervisory guidance.
Group Audit North America is responsible for all of the internal audit activities of the
U.S. mortgage business, including HBIO and HBUS. This includes audits of the
effectiveness of risk management, control, and governance processes for Residential
Mortgage Loan Servicing, Loss Mitigation, and foreclosure activities. Group Audit
North America has performed a review, based on the Order, of its approach for these
audits and has revised applicable audit programs to ensure adequate coverage of
these activities in accordance to the Order requirements.
Revised audit programs for Default Services, Payment Services and Customer
Service activities have been implemented with enhancements and additions based on
the Order requirements and results of the E&Y independent consultant risk
assessment.
Specific audit program revisions are addressed in the Action Plans for Articles 16 and
Article 16(a).
Effectiveness of the controls functions is evaluated through the audits of ECP and
ERM functions, which include, North America Compliance Management, North
America ERM governance and oversight, and North America ORM.
Group Audit North America provides an annual risk and control assessment of the
adequacy and effectiveness of the ECP to the Audit Committee and Compliance
Committee of the HNAH Board of Directors. Reports are also provided to Chief
Executive Officers, Chief Compliance Officer and other Executives. The annual
compliance risk and control assessment is completed based on the results of the
annual HNAH General Compliance Audit in conjunction with results from audits
performed of the compliance programs relating to AML/KYC/BSA as well as nonAML/KYC/BSA requirements and the review of TRAC (Testing and Risk Assessment
Compliance or second line of defense function). Results from the review and testing
performed of regulatory matters in applicable business-as-usual (BAU) audits are
included in the assessment.
Some of the areas covered as part of the annual HNAH General Compliance audit
include:
Page 22
Privileged and Confidential
Restricted
•
•
•
•
•
•
•
•
Compliance governance and oversight framework
Reporting (including accuracy of MIS presented to Governance committees)
Compliance Risk Management Program
Local Compliance Officer roles and responsibilities
Regulatory Monitoring and Assessment (RMA) function
Project Management Office key project initiatives implementation and monitoring
Regulatory complaint process
Regulatory review support group
Refer to the General Compliance Audit and 2010 annual compliance risk and control
assessment report (attached hereto) for details.
Results of the ECP assessment are summarized in the AUN Regulatory Compliance
Approach Paper. This paper summarizes how Group Audit North America assesses
compliance risk and provides details on compliance coverage as part of the audits
completed during the year. Refer to AUN Regulatory Compliance Approach Paper
attached hereto for details.
To ensure adequate coverage of regulatory requirement, Group Audit North America
prepares and maintains a matrix of regulatory requirements (e.g., flood, fair lending)
to assist its auditors in identifying key regulations and including them in the scope of
each audit as applicable. The Compliance Risk Assessment completed by HNAH
Compliance is used to update the matrix on a semi-annual basis.
Group Audit North America management ensures that staff identifies and understands
the regulations that apply to the audit they are performing by using the regulatory
matrix. In addition, Group Audit North America monitors coverage of compliance risks
during the year to ensure that there is adequate internal audit coverage of compliance
risks to support the assessment at the end of the year.
Identification, implementation and monitoring of new and/or changes to legal
regulatory requirements are reviewed as part of the HNAH General Compliance Audit
where the Regulatory Monitoring and Assessment function is audited. In addition, as
part of the residential mortgage servicing audits, Group Audit North America reviews
operational policies and procedures and verifies that proper review and approval is
obtained from HNAH Legal and/or HNAH Compliance to ensure compliance with
current regulatory requirements. The review also includes verification of
change/control procedures in place.
Further, Group Audit North America completes a regulatory compliance review as part
of every operational audit using a standard regulatory compliance audit program. This
program includes, but is not limited, to the following:
• Identification and assessment of regulatory risks by management.
• Identification of new laws and regulations, changes to existing laws and
regulations.
• Implementation of appropriate actions to comply with new and modified regulatory
Page 23
Privileged and Confidential
Restricted
•
•
requirements. Monitoring of outstanding compliance related issues
Independent testing to ensure compliance with applicable regulatory requirements
Complaints monitoring and escalation procedures
Second line of defense functions are a critical component of the internal control
framework in HSBC and they are audited on a regular basis. Specifically, the
independent testing units such as Service Delivery Control Assessment (SDCA),
SOX, Credit Review and Risk Identification (CRRI) and TRAC are audited annually.
These are baseline audits which will eventually conclude on their effectiveness and
audit’s ability to place reliance on the work performed by them.
It is pertinent to note that an audit of the SDCA function was completed in 2Q2011
Responses including remediation action plans were provided by
SDCA management and have been reviewed by Group Audit North America.
Periodic meetings are held between Group Audit North America and SDCA
management to verify progress of remediation actions implementation. Final
verification procedures will be completed by Group Audit North America following
standard audit practices for tracking and validation of audit issues by November 30,
2011. ERM audit coverage is included as part of Article 16(b) Action Plans.
Enhancements to Processes / Programs:
Group Audit North America related processes and procedures are subject to on-going
review in the ordinary course of business. Revisions or enhancements will be made
where determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x General Compliance Audit and 2010 annual compliance risk and control
assessment report (GAO GEN 100026)
x AUN Regulatory Compliance Approach Paper
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 24
Privileged and Confidential
Restricted
Article 17(a)
FRB Order Reference:
Article 17(a)
Corresponding
N/A
OCC Article:
An annual written, risk-based audit plan approved by the board of directors that
encompasses all appropriate areas of audit coverage;
Action Plan
Group Audit North America’s existing processes require an annual written, risk-based
audit plan which is approved by the HNAH Board’s Audit Committee.
Existing Processes / Programs:
The 2011 Group Audit Plan has been designed to provide holistic risk assurance to
Executive Management, Audit Risk Committees and regulators that material risks are
being managed effectively within the North American region and in line with Group’s
stated risk appetite. Group Audit has evaluated risk assessment results for the audit
universe and its prioritization of areas to be audited on a global basis to account for
changes that have occurred in the US businesses during 2010. With these changes
in mind, the Group audit plan has been designed to provide comprehensive audit
coverage of internal controls in order to mitigate business risks, such as compliance
and operational risk. Consistent with prior years, the audit plan has been compiled
using a risk-based audit approach (See 2011 AUDIT PLAN PRESENTATION
attached below which summarizes the 2011 audit approach, including updates that
reflect global and regional changes in the organization.).
The audits scheduled for 2011 broadly fall into three categories: Group-Wide RiskBased Audits designed to provide clear line-of-sight to the effectiveness of risk
management around key risks; Governance Audits designed to assess the
effectiveness of the oversight process at the Group-level and validate the second line
of defense's work; and Project Audits designed to provide assurance around on-going
flagship change programs across the Group. On an annual basis, the Audit Plan
continues to be reviewed with the Federal Reserve, OCC, and KPMG prior to being
submitted to the HNAH Group Audit Committee for approval (See Board Resolution
for Audit Plan Approval attached below, which documents the formal adoption by the
Audit Committee for the 2011 audit plan). A similar approach will be followed for the
2012 audit plan.
Finally, Group Audit North America will be vigilant to changes in the risk profile of the
region and, accordingly, the audit plan will be risk based, forward looking and dynamic
at all times and will be reflected by changes to the Plan as necessary. These changes
are however communicated to the Audit Committee of the Board.
Enhancements to Processes / Programs:
Page 25
Privileged and Confidential
Restricted
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x 2011 AUDIT PLAN PRESENTATION
x Board Resolution for Audit Plan Approval
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 26
Privileged and Confidential
Restricted
Article 17(b)
FRB Order Reference:
Article 17(b)
Corresponding
OCC Article:
N/A
the scope and frequency of audits;
Action Plan
Group Audit North America maintains an audit plan which includes the scope and
frequency of periodic reviews to ensure compliance with the applicable Legal
Requirements and supervisory guidance.
Existing Processes / Programs:
The scope and frequency of audits is based on the internal audit’s assessment of
risks. The scheduling of audits is an on-going dynamic process reflecting changes in
internal audit’s assessment of the inherent risk of the auditable entities within the audit
population. A risk calculator model is used in the Annual Operating Plan (AOP)
process and on-going scheduling of audits. The risk calculator seeks to identify and
measure entity level risks across the audit population to determine the prioritization of
audits. Resourcing and staffing needs are accordingly adjusted to enable audit
resources be directed to the most appropriate areas. However, the risk calculator is a
guide for senior audit management and does not preclude audits being scheduled
differently. It is pertinent to mention that there are established controls that require
entities with a high risk score to be audited within 12 months. As such, some of the
mortgage business areas are audited on an annual basis (as described below).
We have also attached a copy of the Group Audit Standard Manual which is the
primary instruction manual for Group Audit and details all key policies and
procedures. See THE HSBC GROUP AUDIT STANDARDS MANUAL it’s in entirety.
Key policy and procedure addressed in this paragraph is included in Section 4 – “The
Audit Process – Identification and Planning” which includes audit scheduling
procedures (pages 37 through 45).
The Mortgage Default Servicing Operations audit is reviewed on an annual cycle, with
key activities rotated on an annual or biannual cycle based on risk and transactional
volume (i.e., Collection and Default Services, Payment Services, Customer Service).
However, certain activities, such as loan modifications and foreclosures, are reviewed
every year due to loan volume and regulatory considerations.
In addition, Group Audit North America completes periodic audits of the second line of
defense functions which are a critical component of the internal control framework in
HSBC. Specifically, the independent testing units such as Service Delivery Control
Assessment (SDCA), SOX, Credit Review and Risk Identification (CRRI) and TRAC
are audited annually. These are baseline audits which will eventually conclude on
their effectiveness and audit’s ability to place reliance on the work performed by them.
Group Audit North America also performs ad hoc audits and reviews outside the
Page 27
Privileged and Confidential
Restricted
normal audit activities on behalf of senior management. These include special
reviews of changes in policy, significant initiatives including divestitures, compliance
with new Group or regulatory requirements, consultancy, and investigations at the
request of the Audit Committee and the Chief Executive Officers
It is pertinent to note that coverage of the mortgage business unit is also included in
Group Audit North America’s enterprise-wide themed reviews, such as HMDA, Fair
Lending, Service Delivery Control Adherence (formerly known as NAQA), and Loan
Loss Reserves to name a few.
Supporting documentation:
x The 2011 Audit Plan Presentation - Approved by the Audit Committee includes an
overview of the 2011 audit approach including key themes and regulatory
coverage. Refer to document attached hereto - pages 1 through 7.
x The 2011 AUN Audit Plan – Status - document attached hereto that includes 2011
audits covering residential servicing operations. The summary includes status of
the audits as of September 30, 2011.
Enhancements to Processes / Programs:
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x 2011 AUDIT PLAN PRESENTATION
x 2011 AUN AUDIT PLAN – STATUS
x THE HSBC GROUP AUDIT STANDARDS MANUAL
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 28
Privileged and Confidential
Restricted
Article 17(c)
FRB Order Reference:
Article 17(c)
Corresponding
N/A
OCC Article:
the independence of the internal auditor, audit staff, and audit committee;
Action Plan
Group Audit North America has processes to ensure an independent internal auditor,
audit staff, and Audit Committee provides effective auditing of the mortgage related
functions.
Existing Processes / Programs:
HNAH requires that every employee, including those in Group Audit North America,
go through a Code of Ethics certification that includes independence. Furthermore,
the Audit Committee is comprised completely of independent members or nonemployees.
To provide for independence of Internal Audit, personnel report to the Executive Vice
President (“EVP”) Internal Audit, who functionally reports to the Senior Executive Vice
President (“SEVP”) Internal Audit HNAH and administratively to the Chief Executive
Officer – HBIO. The EVP Internal Audit has unfettered access to Senior Executive
Management and meets periodically with business and corporate function heads to
see that existing and emerging issues across the organization are effectively factored
into the internal audit plan. The EVP Internal Audit also sits as a non-voting member
on key risk management and governance committees established at HNAH. The
SEVP Internal Audit (HNAH) reports to the HSBC’s Group Head of Internal Audit
based in London, as well as to the Chairman of the Audit Committee for
HNAH/HBUS/HBIO.
In addition, the Group Audit Standards Manual (“GASM”) provides a Code of Ethics
for Group Audit, which addresses the concept of independence for every member of
the function:
The duties and responsibilities of the audit function are often highly sensitive and,
accordingly, require an attitude on the part of each auditor that constitutes an independence
of mind and a level of personal integrity greater than that required of personnel at similar
levels of authority in other areas of the Company. All members of the Audit staff have, by
the nature of their role, unique professional obligations to the Company, its customers,
stockholders, directors and the general public. These obligations are met through
adherence to a code of professional ethics (see below), the application of which requires
each auditor to conduct his or her personal and professional activities in a manner that will
not leave their personal and professional integrity open to question. Group Audit work is
expected to be performed with proficiency and due professional care.
Group Audit North America’s current structure creates independence from the entities,
business lines and functions, and systems and processes it audits in accordance with
Page 29
Privileged and Confidential
Restricted
the requirements of the Order. Copies of our Internal Audit and Audit Committee
charter are attached to provide further context on independence.
In addition to the reporting lines organization structure and Group Audit North America
charter, the independence of the audit function is evident through the fact that the
performance evaluation and compensation decisions of the Chief Auditor for HBIO,
HUSI/HNAH are also presented to the Audit Committee of the Board of Directors for
its concurrence.
See the following documents, approved annually including 2011, for additional
information:
x HSBC Finance Corporation (HBIO) Charter of the Audit Committee– this
document outlines the duties and responsibilities of the Audit Committee
appointed by the Board of Directors of HSBC Finance Corporation.
x HSBC Finance Corporation (HBIO) Internal Audit Charter - this document
outlines the mission and scope, accountability, independence, responsibility,
authority, and standards of practice for the HBIO Internal Audit.
x HSBC North America Holdings Inc. (HNAH) Charter of the Audit Committee this document outlines the duties and responsibilities of the Audit Committee
appointed by the Board of Directors of HSBC North America Holdings Inc.
x HSBC North America Holdings Inc. (HNAH) Internal Audit Charter - this
document outlines the mission and scope, accountability, independence,
responsibility, authority, and standards of practice for the HBIO Internal Audit.
Enhancements to Processes / Programs:
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x HSBC FINANCE CORPORATION CHARTER OF THE AUDIT AND RISK
COMMITTEE
x HSBC FINANCE CORPORATION (HBIO) INTERNAL AUDIT CHARTER
x HSBC NORTH AMERICA HOLDINGS INC. CHARTER OF THE AUDIT AND RISK
COMMITTEE
x HSBC NORTH AMERICA HOLDINGS INC. (HNAH) INTERNAL AUDIT
CHARTER
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 30
Privileged and Confidential
Restricted
Articles 17(d) & 17(e)
FRB Order Reference:
Article 17(d)
Corresponding
N/A
OCC Article:
inclusion in the audit scope of reviews of internal controls, MIS, and compliance with
the Mortgage Servicing Companies’ internal policies, procedures, and processes,
including, but not limited to, the Loss Mitigation and foreclosure processes;
FRB Order Reference:
Article 17(e)
Corresponding
N/A
OCC Article:
adequate testing and review of MIS used in servicing, Loss Mitigation, and foreclosure
activities to ensure compliance with the Legal Requirements
Action Plan
Existing Processes / Programs:
The current Group Audit North America scope includes reviews that evaluate the
quality of pertinent MIS. Validation of accuracy and completeness of data included in
MIS reports is the primary objective of these reviews.
Enhancements to Processes / Programs:
Group Audit North America will review and validate key reports to be implemented by
management for foreclosure, Loss Mitigation and loan modification activities as part of
the Front End Collections and NRE Default Services, Foreclosure Processing and
Bad Debt Recovery audit (in process at the time of this action plan). Specific scope
coverage for this audit is addressed in the Action Plans in response to Article 16.
Enhanced MIS audit scope includes, but is not limited, to the following:
• Verification of implementation of comprehensive MIS for the monitoring of
foreclosures (including rescinded foreclosures) and modification activities.
• Implementation of MIS for the monitoring of compliance with applicable Legal
Requirements; as well as for ongoing accuracy of records necessary to establish
ownership of the note and the right to foreclosure.
• User Acceptance Testing completed by management to ensure integrity and
accuracy of MIS changes or new MIS.
• Detailed testing on a sample of enhanced and new MIS to verify data accuracy.
For this purpose, an independent data Audit team generates exception reports and
validates the accuracy and completeness of data and reports used by the
business lines.
In addition, where applicable, integrated audits are performed with the IT Audit Team
to ensure the adequate design and operating effectiveness of technology solutions.
As of the date of this Action Plan, Residential Mortgage Servicing management was in
Page 31
Privileged and Confidential
Restricted
the process of implementing new MIS to address the Consent Order requirements.
Subsequent reviews of key MIS will be scheduled to address any controls not
implemented at the time of the Front-End Collections and NRE Default Services,
Foreclosure Processing and Bad Debt Recovery audit.
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x Not applicable
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 32
Privileged and Confidential
Restricted
Article 17(f)
FRB Order Reference:
Article 17(f)
Corresponding
N/A
OCC Article:
controls to ensure that audits are completed on a timely basis in accordance with the
approved audit plan;
Action Plan
Group Audit North America has controls to ensure that audits are completed on a
timely basis in accordance with the approved audit plan.
Existing Processes / Programs:
Group Audit North America currently has controls in place including key performance
indicators to help track progress and ensure that audits are completed on a timely
basis in accordance with the approved annual audit plan. Executive Management
monitors the status of on-going audits to ensure that fieldwork is completed within a
reasonable period based on scope and that reports are issued to the appropriate
business within thirty days of completion of the fieldwork. The Audit Committee
receives quarterly presentations on the status of the current year audit plan, including
any changes (i.e., additions, cancellations, delays) made to the plan. Any changes to
the audit plan are also communicated to the Chief Auditor of North America. The
Quality Assurance process undertaken by an independent Audit Professional
Practices team also reviews any unapproved audit additions, delays and cancellations
during its reviews.
Further, Group Audit North America meets with U.S. regulatory agencies on a monthly
basis to discuss the results of completed audits. Additionally, an update on scope
and status of the audits currently in progress is provided.
Enhancements to Processes / Programs:
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
Not applicable
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 33
Privileged and Confidential
Restricted
Article 17(g)
FRB Order Reference:
Article 17(g)
Corresponding
OCC Article:
adequate staffing of the audit function by qualified staff;
Action Plan
N/A
As discussed in Article 16(c), HNAH’s Group Audit North America has existing
processes to ensure that adequate qualified staffing of the audit function is provided
for mortgage loan servicing, Loss Mitigation, and foreclosure activities to comply with
the requirement of the Order.
Existing Processes / Programs:
Internal audits of Residential Mortgage Loan Servicing, Loss Mitigation and
foreclosure activities have been led by an experienced Audit Executive for the past
three years. The members of the audit team have also been consistent over the
same period with little turnover. The team consists of eight professionals who have
mortgage industry and business experience, and have served as internal audit
professionals in a variety of accounting firms and financial institutions. Maintaining an
audit team that has the adequate skills and experience to complete the audit plan is
an ongoing priority, and a formal assessment and presentation of skills and
experience of the audit team is made to the Audit Committee on an annual basis and,
beginning in May 2011, to the Compliance Committee of the HNAH Board of
Directors.
Additionally, in accordance with our Group Audit methodology, every auditor is
required to complete at least 40 hours of training per calendar year. This can include
internal or external training courses, online or computer based training, or self-study in
preparation of an approved professional certification. As part of our BAU process, all
training is monitored and tracked on a Lotus Notes database. Sixteen of the 40 hours
must be dedicated to compliance education to keep staff up-to-date with current
regulatory requirements. This is a new requirement for Group Audit North America,
added in 2011 in response to the various consent orders.
As part of the mandatory internal training requirements, auditors are required to
complete training in areas such as fair lending, operational risk and compliance
enterprise risk wide assessment process which impact and/or include residential
mortgage servicing activities.
The Chief Audit Executive of HNAH has overall responsibility for managing all audits
in the region. However, the Chief Audit Executive of HBIO has overall responsibility
for audits of the consumer and mortgage lending business for HBIO and HSBC USA
Inc. (“HUSI”). The HBIO Chief Audit Executive has over 18 years of experience in the
financial services industry and an extensive internal audit background. These
Page 34
Privileged and Confidential
Restricted
experiences include managing internal audits for financial institutions and acting in
auditing and consulting roles with a large accounting firm.
Coverage of the mortgage business unit is also included in Group Audit North
America’s enterprise-wide themed reviews, such as HMDA, Fair Lending, Service
Delivery Control Adherence (formerly known as NAQA), and GLBA Compliance.
The existing processes, as described above, ensure that adequate qualified staffing of
the audit function is provided for residential mortgage loan servicing, Loss Mitigation,
and foreclosure activities and exhibit HNAH’s commitment to ensure reviews are
performed by individuals with appropriate experience and qualifications in accordance
with the requirements of the Order.
Enhancements to Processes / Programs:
In addition, in response to the Order, several core members of the mortgage business
audit team are required to attend a specialized training course or conference related
to the industry this year. A training strategy and plan have been established and is
tracked to completion including quarterly updates to the FRB.
Specialized training includes attendance at:
• Enterprise Risk Management Conferences
• Mortgage Risk Conference
• Compliance and Ethics Academy
• Governance, Risk and Compliance Conference
• Regulatory Compliance Conference (covering foreclosure regulatory expectations)
• MERS Seminar
As of September 30, 2011, the training plan is on target and will be completed by
November 30, 2011.
Refer to AUN Staff Qualification and 2011 Training Programs chart attached hereto.
This chart includes a summary of mortgage business team core member’s
biographies, certifications, 2011 internal and external training plans, as well as status
of training as of September 30, 2011.
Based on Group Audit North America’s analysis of the review and testing that needs
to be completed in the areas of mortgage loan servicing, Loss Mitigation and
foreclosure activities in accordance with our risk-based approach, resource
requirements have been reviewed and resource allocations adjusted where
applicable. This analysis has considered the enhancements being made to
processes and controls by Residential Mortgage Servicing management, additional
compliance risks identified and addressed, and the remediation efforts specifically
undertaken to address the Order, and it has been concluded that there are adequate
number of full-time employees with the required skills and experience at this time.
Group Audit North America assesses the adequacy of its staff levels on an ongoing
basis and changes made as needed. We will consider augmenting with consultancy
resources if deemed necessary at any point. Refer to AUN Staff Assessment and
Page 35
Privileged and Confidential
Restricted
Training Programs document attached for detailed capacity assessment.
Group Audit North America processes and procedures are subject to on-going review
in the ordinary course of business. Revisions or enhancements will be made where
determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x AUN Staff Qualification and 2011 Training Program Chart
x AUN Staff Assessment and Training Program
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 36
Privileged and Confidential
Restricted
Articles 17(h), 17(i), 17(j)
FRB Order Reference:
Article 17(h)
Corresponding
N/A
OCC Article:
timely resolution of audit findings and follow-up reviews to ensure completion and
effectiveness of corrective measures;
FRB Order Reference:
Article 17(i)
Corresponding
N/A
OCC Article:
comprehensive documentation, tracking, and reporting of the status and resolution of
audit findings to the audit committee, at least quarterly
FRB Order Reference:
Article 17(j)
Corresponding
N/A
OCC Article:
establishment of escalation procedures for resolving any differences of opinion
between audit staff and management concerning audit exceptions and
recommendations, with any disputes to be resolved by the audit committee
Action Plan
As discussed in Articles 16(d) through 16(f), HNAH completes follow-up reviews to
validate implementation, effectiveness of corrective measures, comprehensive
documentation, tracking, reporting of the status and resolution of audit findings that
are submitted to the Audit Committee. HNAH also has escalation procedures for
resolving any differences of opinion between audit staff and management concerning
audit exceptions and recommendations, with any disputes to be resolved by the Audit
Committee.
Existing Processes / Programs:
Group Audit North America employs a risk-based approach to reporting and
monitoring audit findings, which is designed to ensure critical matters or exposures
are escalated and addressed in a timely and comprehensive manner. For high risk
findings, Group Audit North America verifies implementation of corrective measures
through detailed testing. Low risk audit findings are communicated to management,
and it is the business unit’s responsibility to ensure corrective measures have been
taken and reported. Group Audit North America management conducts on-going
monitoring of aging audit issues – which are restricted to high-and medium-risk issues
– to verify whether findings have been resolved, and it regularly reports stale (greater
than 180 days old) high or medium risk findings to the Audit Committee. Repeat and
partial repeat findings also receive separate reporting and tracking, and management
has scorecard goals to keep both stale and repeat findings at low levels.
Further, issues with multiple target date revisions, aged beyond 365 days, with no
mitigating (interim) controls in place, are also specifically reported and escalated to
Executive and Operational Risk Committees.
Group Audit North America has systems in place to track and monitor the status of the
audit findings and recommendations. These systems facilitate follow-up reviews and
Page 37
Privileged and Confidential
Restricted
are designed to track timely completion and effectiveness of the corrective measures.
For example, the Audit Issues Module includes the following:
x Detailed information about findings, including target date for resolution, next
action date for review by Group Audit North America, management response
and action plan, and commentary supporting actions to date;
x Tracking capabilities designed to ensure the information is accurate and up-todate, and that timely, corrective action of audit findings have been certified by
management;
x Tracking capabilities designed to ensure that all outstanding issues have been
remediated; and
x Email notifications to the responsible individuals when items are due, designed
to ensure timely follow-up on outstanding audit finding.
The Audit Issues Module is utilized to generate exception reports that list issues that
have not been remediated. Group Audit North America submits these reports monthly
to Executive Management as well as quarterly to the internal Operational Risk and
Control Committees and the Audit Committee of the HNAH Board. (See Audit Update
– HNAH Operational Risk and Internal Control Committee (ORIC) in its entirety. The
Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
summarizes the audit issues, activities, reports, and risks of HNAH). Please see the
following documents for examples of the reports noted above:
x HBIO High Risk Outstanding Issues (PPT) - this document covers the high risk
issues of HBIO by business line and by resolution date
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS) - this document gives
audit issue information based on status, pending validation, target date and
changes, and monitoring authority
x HBIO Repeat Issues - this document provides information on repeat and partial
repeat issues of HBIO
x HBIO Repeat Issues 2Q11 - this document provides information on the number
of repeat issues for 2Q11 and 1Q11 for HBIO
x HNAH All Medium 30JUN11 - this document provides information on the type
of audit issues encountered, target date, and monitoring authorities.
x HNAH High Risk Issues 30JUN11 (XLS) - this document gives audit issue
information based on status, pending validation, target date and changes, and
monitoring authority
x HNAH High Risk Outstanding Issues (PPT) - this document highlights the
number of high risk outstanding issues by business line and resolution date.
x HNAH-wide including HTSU Repeat Issues - this document provides repeat
and partial repeat issue information for both high and medium risk outstanding
findings
x HNAH Repeat Issues 2Q11 - this document provides information on the
number of repeat issues for 2Q11 and 1Q11 for HNAH
Group Audit North America has procedures to escalate and resolve differences of
opinion between audit staff and management concerning audit exceptions and
recommendations. Upon completion of audit reviews and prior to report issuance,
Page 38
Privileged and Confidential
Restricted
Group Audit North America holds exit meetings with senior management to discuss
audit findings and confirm that no disagreements with the facts of the audit findings
exist. Minutes from these meetings are circulated to the relevant members of
management. Any disagreements and/or concerns are escalated to Executive
Management. While every attempt is made to agree on the factual accuracy of the
audit findings with Management, Group Audit North America is ultimately responsible
for the overall control risk rating and risk rating of findings in the audit report. If a
circumstance should arise where a disagreement is not resolved, it will require
escalation to the Audit Committee and that responsibility is well communicated and
understood by the Chief Auditor.
Responses to findings included in audit reports are provided by management within
eight weeks of report issuance. These responses are reviewed by Group Audit North
America to ensure adequacy of corrective actions. Any disagreement with
management’s responses is provided to executive management for review and
response revision. If disagreement is not resolved, the results/deficiencies noted from
the review of the response are escalated to the Chief Executive Officer and applicable
Risk Committee for final resolution.
It is important to note that Group Audit North America presents a summary of the
status of audits rated below standard (including corrective action implementation) to
the Audit Committee of the Board of Directors on a quarterly basis.
Enhancements to Processes / Programs:
Group Audit North America related processes and procedures are subject to on-going
review in the ordinary course of business. Revisions or enhancements will be made
where determined to be necessary or appropriate.
Documents to be submitted with the Action Plan
x Audit Update – HNAH Operational Risk and Internal Control Committee (ORIC)
x HBIO High Risk Outstanding Issues (PPT)
x HBIO High Risk Outstanding Issues - 30JUN11 (XLS)
x HBIO Repeat Issues
x HBIO Repeat Issues 2Q11
x HNAH All Medium 30JUN11
x HNAH High Risk Issues 30JUN11 (XLS)
x HNAH High Risk Outstanding Issues (PPT)
x HNAH-wide including HTSU Repeat Issues
x HNAH Repeat Issues 2Q11
Key HSBC Contacts for the Action Plan
x
EVP/Chief Auditor, HBIO
Page 39
Privileged and Confidential
Restricted