CUNA Regulatory Comment Call
November 9, 2000
Freddie Mac Requests Comment on E-mortgage Guidelines(Important for Mortgage Lenders that Participate in the Secondary Market)
- The Federal Home Loan Mortgage Corporation (Freddie Mac) has released a draft version of guidelines for the use, delivery, storage, and retrieval of electronic mortgages used in connection with mortgages that are offered for sale to Freddie Mac.
- These guidelines are being issued as a result of the recent enactment of the Electronic Signatures in Global and National Commerce Act (E-Sign Act) and the Uniform Electronic Transactions Act (UETA), and also provides specific guidance that goes beyond the general provisions of the E-Sign Act and UETA.
- The guidelines address issues such as consent, execution of the electronic signature, document format and delivery, document integrity, records management, and document access.
- After comments are received, Freddie Mac will issue a revised draft of the guidelines that address the comments and will then issue a final version in early 2001.
Comments on the guidelines are due by November 30, 2000. Please submit your comments to CUNA by November 28, 2000. Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org or to Assistant General Counsel Jeffrey Bloch at email@example.com; or mail them to Mary or Jeff in c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. You may also contact us if you would like a copy of the guidelines or you may access it on the Internet at the following address:
The recent enactment of the E-Sign Act and UETA will facilitate use of electronic mortgages. The E-Sign Act is the federal law permitting the use of electronic signatures and records and became effective on October 1, 2000. UETA is a model state law that has already been passed by many states and has provisions similar to the E-Sign Act.
Freddie Mac is now evaluating the purchasing of mortgage loans using electronic loan documentation instead of written loan documents. However, before proceeding further, Freddie Mac is developing appropriate guidelines and requirements to ensure integrity, authentication, and security. A draft of these guidelines has been completed and Freddie Mac is now requesting comments. A revised draft is expected to be available in December, and a final version is expected to be completed early in 2001.
DESCRIPTION OF THE GUIDELINES
Each party participating in a real estate mortgage loan transaction must expressly consent to the use of electronic records, which must be voluntary and based on accurate information. Incentives to obtain consent may be used. However, coercion, deceptive practices, or misrepresentations are prohibited. Consent must be obtained prior to the first receipt or delivery of electronic records that would otherwise be required in writing.
Those who must consent are parties who: 1) actively participate in the closing of the loan; or 2) will either be executing, relying on, or delivering electronic records. This may include the borrower, property owner, real estate agent or broker, title insurer, flood insurer, hazard insurer, appraiser, home inspector, pest inspector, mortgage insurer, loan aggregator, mortgage broker, originating lender, noteholders, escrow company, title company or closing agent/attorney, seller, servicer, contractor for repairs, credit reporting companies, well inspector, water lab, septic inspector, attorneys for buyer and seller, rent loss insurance carrier, surveyor, credit life insurer, notary, and subordinate lienholders.
Consent from the following parties is not required:
- county recorders
- financial institution regulators
- tax assessors
- parties whose only connection is that they will be relying on the public records resulting from the electronic transaction
- parties not actively participating in the closing and who are not delivering, signing, or relying on the electronic record. This would include, for example, a pest inspector who delivers a written report and has no other role in the closing process.
Consent by consumers must be obtained electronically. (The term "consumer" generally means an individual who obtains a product or service for personal or household purposes.) Consent by non-consumers may be obtained electronically or in writing. The seller is responsible for obtaining the consents. For parties other than consumers who regularly use the electronic record system, the seller may obtain blanket consent for all transactions conducted with the other person.
Consent by a consumer, property owner, or borrower must include the following elements:
- Prior to consent, a disclosure of the following:
- The right to have documents provided in paper.
- The consequences of withdrawing consent, such as costs, fees, and possible termination of the transaction.
- The scope of the transaction covered by consent, such as whether it covers post-closing communications and the projected time period covered by the consent if it is not revoked.
- The type of signature process used.
- How access will be provided to the electronic records.
- Procedure for withdrawing consent.
- Procedure for updating contact information.
- Procedure and fees for obtaining paper copies. There must be: 1) a disclosure of the right to revise fees and how notice is given regarding these revisions; 2) a commitment to provide 30-day notice of a change in fees; and 3) a commitment to provide paper documents without charge at the time of the closing and if there is a later technology change requiring hardware changes or payment of a software license fee (other than for an operating system or Internet browser update).
- The procedure and the hardware/software requirements for accessing, printing, and retaining electronic records.
- Other system rules.
- A clear and express statement that the participant agrees and understands the following:
- That the transaction will be conducted using electronic records and signatures.
- The electronic records will include documents that are required to be in "writing."
- The use of electronic signatures will be legally binding and enforceable against the signer.
- That he or she will be bound by the system rules, as described in the pre-consent disclosure.
- A "reasonable demonstration" of the ability to access the information in the electronic records. The following are examples:
- Delivery by e-mail or by providing links to sample documents on a website, followed by electronic confirmation that these samples were successfully opened and reviewed.
- An automated software-based testing process confirming that the participant's hardware and software system is able to receive, store, and open the documents.
The disclosures described above must be "conspicuous," meaning that they meet all legal requirements, as well as the following minimum requirements:
- No more than 2-3 topics should be covered on a screen, streaming video, or dialog box.
- The viewer should not be required to scroll through text or graphics in order to view the conspicuous information.
- The information should remain on the screen until the viewer takes affirmative action that the review of the information has been completed.
The following are elements of consent for those participants who must provide consent but who are not consumers, property owners, or borrowers:
- A clear statement that the participant agrees to use electronic records and signatures, agrees that the electronic records created by the participant (or on his or her behalf) will comply with applicable laws and regulation with respect to content and format, and agrees to be bound by the system rules established for the transaction.
- Description of the signature process to be used.
- Description of how the participant will be provided access to the records and the level of access to be provided.
- Procedure for updating contact information.
- Procedure for changing the identity and level of authority of individuals authorized to act on behalf of the participant.
If permitted by law, a power of attorney may provide for another person to provide the necessary consent. The seller is responsible for ensuring that the power of attorney is sufficient.
The description of the requirements and procedures must provide enough detail that is reasonably necessary in order to understand the requirements and to comply with the procedures. Descriptions of hardware requirements must include the same type of information provided by mass-market software vendors regarding minimum hardware requirements. General or boilerplate descriptions that refer to other documents are unacceptable.
The process used to execute, or create, an electronic signature must address the following:
- The signer's authority and intent to sign the electronic record.
- Associating or linking the electronic signature to the document being signed.
- The symbol or process being used as an electronic signature.
- The method or process for attributing the signature to the signer.
If a person is signing on behalf of another, the electronic signature must reflect the name of the person signing, the represented person, and the signer's title or capacity. If permitted by law, the documents establishing the authority to sign on behalf or another may also be in the form of an electronic record and may be signed using an electronic signature.
In addition to other legal or commercial requirements, establishing the authority to sign must also include the following:
- For individuals signing on their own behalf, a procedure for establishing the signer's identity and a procedure for establishing that the signer has the legal ability to enter into contracts (for example, ensuring that the signer is not a minor).
- For individuals signing on behalf of another, a procedure for establishing the signer's identity and legal ability to contract, as well as a procedure for establishing the delegated authority for that individual to sign on behalf of another.
The electronic signature process must be designed to demonstrate that the person intended to sign the document. To accomplish this, the signature process must be designed to provide notice to the signer that the electronic signature has been or is about to be affixed to the electronic record. There must also be evidence of the signer's intent to affix the electronic signature on the record.
Here are some examples of acceptable signature processes:
- A statement just above the signature indicating that the signature is associated with the document for purposes of entering into a binding agreement.
- A dialog box or alert either advising that continuing the process will result in an electronic signature or giving the party the opportunity to affirm or cancel if the document has already been signed.
The signer must be provided notice as to the purpose that the signature will serve. These purposes may include the signer's agreement to the terms of the electronic record, the signer's receipt of the electronic record, that the signer had a chance to review the record, or that the signer is the person sending the record.
Each electronic record must be separately presented to the signer for signature. This may include the separate signing of each document or by creating the electronic signature once and then requiring some affirmative act by the signer confirming the intention to sign each electronic record.
When reviewing the signed electronic record, it must be possible to determine the existence of the electronic signature, the type of electronic signature symbol or process used, and the identity of the signer. Here are some possible methods:
- The electronic signature may actually be incorporated into the electronic record itself.
- The electronic signature may be associated through the use of an encryption process that binds the signature to the record, a registry that cross-indexes the signature to the record, or a system that requires use of the electronic signature in order to access the record. For this last option, there must be a statement in the record describing the signature process used to access the record and a statement in the record that the use of this signature process constitutes execution of the record. This must also include a dialog box requesting confirmation or rejection of the signing of the record.
An electronic signature must take the form of either a symbol or a process. Audio recordings or oral statements do not qualify. Examples of symbols include a typed name, a digitized signature, and an e-mail address. Examples of processes include fingerprint or retinal scan; dual key encryption; and use of a personal identification number (PIN), password, token, or other secure procedure along with an affirmation of consent of the record after an opportunity for review.
There must be sufficient evidence that the electronic signature can be attributed to the person that is purported to have signed the document. The following are examples of possible methods to ensure this attribution:
- Selection by the signer of a PIN or password or other procedure that is used as part of the signature process, along with: 1) an agreement by the signer to not disclose this information to others; 2) protections to ensure that other parties to the transaction do not know this information; and 3) a procedure so that the signer may notify others that this information has been compromised.
- Delivery of an encryption key, along with the following:
- Hardware and software security permitting the signer to restrict access to the key.
- Protections against discovery of the key by other parties to the transaction.
- Agreement by the signer to not disclose this information, or deliver the hardware device used with the key, to a third party.
- Procedure so that the signer may notify others that this information has been compromised.
- Capture of the signature as a digitized graphic representation that is associated with the electronic record, along with an encryption key or other system to prevent alteration of the record, the signature, or the link between the two.
These procedures regarding electronic signatures may also be used for notarizations, as long as all information with regard to notarizations is included in the electronic record. Tokens, such as stamps and seals, are not required but the information in these tokens must be in the record. The notary function requires the personal appearance by the signer and this requirement will not change. The notary must also verify that any certificates used in connection with a digital signature are current and enforceable.
Document Format and Delivery
The legal requirements concerning the content, display, or format of written information must be observed with respect to the electronic display and printing of the electronic record. Requirements that must be followed include the use of specific fonts, specific type sizes and styles, the physical location of information, and any requirements regarding the segregation of certain information.
The software file formats, computer operating systems, and printing capabilities must be able to accurately reproduce the fonts, styling, margins, pagination, line spacing, paragraph formatting, numbering, and other physical features. On screen viewing must be possible either through programs such as an Internet browser, or other programs without charge.
The file formats for electronic records must either be non-proprietary or through a non-exclusive license that can be sub- assigned to others who must maintain or view the records. The electronic record must contain all the information necessary so that the record and signatures may be reproduced in order to verify the contents, the method used to sign the record, and the persons signing the record, along with the capacity in which it was signed.
In addition to meeting the current legal requirements regarding the timing and method of delivery, this system of electronic mortgages should be designed to track delivery of records with the ability to prevent completion of the transaction or provide an alert to the responsible parties if the required information has not been delivered. If mailing or hand delivery is required, this must be provided as required by current law, unless it qualifies as an electronic delivery under the E-Sign Act. If mailing or hand delivery is not required, any commercially reasonable method is permitted. Some examples include:
- An e-mail that either contains the records as an attachment or contains a link to where these documents may be found.
- Automated display as part of the online process that is followed by the party completing at least some portion of the transaction.
The electronic records system must track changes or the different versions of the records that are used in the mortgage transaction. The system must be structured so that changes may only be made by those given access to the records and have the authority to make the changes. Histories reflecting the date and time of revisions should be maintained. The content of the revisions does not need to be included in these histories.
Unauthorized alterations must be prevented. Here are possible methods to prevent such alterations:
- "Wrapping" the signed electronic record by using a digital signature or other encryption system using a key held by a trusted third party.
- Requiring joint authorization from the signer and the noteholder in order to access the record for purposes other than viewing.
A loan document, converted to electronic form, may be comprised of more than one electronic record. These must be "associated" so that they are identifiable and accessible as part of the same transaction, although they need not be physically stored on the same storage device, server, or at the same physical location. Here are possible methods to "associate" these documents:
- Use of a registry that identifies and tracks the related electronic records, which must be designed to prevent and detect unauthorized changes or errors in the links between the records.
- "Wrapping" the signed electronic record by using a digital signature or other encryption system using a key held by a trusted third party.
Back-up copies of the "authoritative copy" of an electronic record must be maintained and identified as the back-ups. The authoritative copy is defined as the controlling reference copy of the record. The replacement of a back-up must require the verified authorization of a representative of the noteholder.
There must be a designation of the "authoritative copy." Here are possible methods for making this designation:
- Locating this copy in a file server identified as the repository for authoritative copies. There must also be an agreement by the parties regarding the designation of the authoritative copy and a notice in the record as to the location of the authoritative copy.
- Creation of a unique file identifier for the authoritative copy and a notice attached to other copies that indicates that these are not the authoritative copies, as well as directions as to where the authoritative copy may be found.
There must be a high degree of security regarding the protection of the data, and this should meet or exceed the guidelines contained in the Federal Financial Institutions Examinations Council's Information Systems Examination Handbook. The Freddie Mac Guidelines also refer users to the Electronic Banking Safety and Soundness Examination Procedures published by the Federal Deposit Insurance Corporation.
The physical environment for the electronic records should provide the following:
- The highest level of physical security that addresses such factors as access control, surveillance, fire suppression, and water detection.
- 24 hour, 7 day a week operation.
- Back-up systems; such as power, connectivity, heating/air conditioning, telecommunications, and generators.
The processing environment for ensuring authenticity of the records should include the following.
- Access control; including account administration and set-up, user authentication, transaction logging and audit trail capabilities, version control, authentication control, employee access management, vendor management, and an examination/audit program.
- Transaction control; including authentication, confidentiality, authorization, integrity, non-repudiation, identification of the authoritative copy, and identification of ownership and accountability of a "transferable record," which is the electronic equivalent of a negotiable promissory note.
- Delivery control; including time and date authorization, receipt control, and record of life-cycle tracking.
The technical environment must provide a stable and open platform in order to promote interoperability, connectivity, and performance. This includes the following:
- Network control; including configuration planning and routing integrity, firewalls, intrusion detection, interoperability between networks, upgrade and change planning, adequate vendor/carrier management, usage and response time management, network security and control, redundancy management, disaster recovery planning and management, and testing and utilization management.
- Software control; including virus control, update/change planning and control, software version control and replacement planning, application distribution and control, back-up procedures, and provisions for software escrow.
- Hardware control; including equipment installation, update planning, performance monitoring, and hardware version control and replacement planning.
Mortgage loan transactions may involve a combination of electronic and written records that comprise the mortgage file. In such hybrid transactions, the servicer is responsible for providing the cross references to and from the written and electronic records. The part of the file containing the electronic records must include a listing of the written records, the location of these records, and instructions on how to contact the document custodian. The part of the file containing the written records must include a listing of the electronic records and the process for accessing these records.
A written record that is part of the loan file may be scanned and digitized by the servicer. (Exceptions are the promissory note and any associated modifications, indorsements, allonges containing indorsements, and any unrecorded security instrument or other document filed in the public records.) This must then be noted as an imaged copy, added to the electronic file, and the written record may then be discarded. The note (and any modifications), indorsements, or allonges must never be destroyed without the expressed, signed permission of the noteholder, unless all the obligations under the note have been satisfied.
The system for electronic records should control, track, and monitor access. There should be different levels of access for each party that may request such access. The borrower should have access to all the documents while the seller's access could be restricted after the sale. Here are possible access levels, along with the parties that would have access at each level:
- Viewing electronic records plus monitoring of the ownership of the note obligation and servicing rights - borrower, property owner, seller, servicer, rating agency, prospective servicer or noteholder, and mortgage insurer.
- Viewing these records and depositing certain, completed records - title insurer, hazard insurer, appraiser, surveyor, pest inspector, realtor, and others providing closing services.
- Viewing, depositing, and completing electronic records for the loan document package - closing agent/attorney and the originating lender.
- Creating documents - system administrator, forms provider, and originating lender.
- Viewing electronic records and monitoring of servicing, post-execution alterations, and all activity and version logs, as well as registries and indices - system administrator, seller, servicer, and noteholder.
Access must be provided to all parties who are necessary in order to complete the mortgage transaction. Borrowers must have access before, during, and after closing. After closing, the borrower, noteholder, and servicer must be given access to the authoritative copy or to copies of the authoritative copy. Access includes the ability to view and print the record. This access may be provided by way of the Internet or by direct dial access. Requiring the borrower to travel is not acceptable.
To facilitate access, the records system must provide real-time onscreen help features, as well as instructions and tutorials on using the system. At different stages in the transaction, different parties will be responsible for ensuring access, as follows:
- The seller must agree to ensure access until the loan is sold and transferred to Freddie Mac. The seller must ensure that the mortgage file has been complete and not subject to unauthorized authorizations. The seller must also enter into the necessary agreement regarding its role as a document custodian, as required by Freddie Mac.
- The servicer must be responsible for ongoing access and enter into an agreement regarding its role as custodian, as required by Freddie Mac.
Subcontractors may be used for purposes of providing access, although the designated party will still be responsible. Subcontractors must also enter into the necessary agreement regarding their role as a document custodian, as required by Freddie Mac.
Borrowers must have access from the time the application for a loan is approved until the loan is paid in full or foreclosed, plus seven years. The servicer and noteholder must also have access until the loan is paid in full or foreclosed, plus seven years. Other parties must have access at the time they become associated with the transaction.
The record system and file formats should ensure that the data can be stored on multiple types of media, as well as mass storage devices. The file formats should allow the data to be converted and viewed across multiple operating system platforms. The software and system licenses should include the obligation to support conversion if the software is upgraded.
Representations, Warranties, and Contract Terms
Each vendor providing software or hardware must provide representations and warranties to their contracting party that:
- All software and hardware and services provided by the vendor meet the specifications under these Freddie Mac guidelines.
- The software, hardware, and services comply with applicable legal requirements.
- The vendor has authority to grant perpetual licenses in the software.
Each seller must provide representations and warranties to Freddie Mac and future servicers that:
- All electronic records meet the legal requirements and standards that would otherwise apply if the record was written.
- An electronic record that is a transferable record, and the system for maintaining control over this record, meets the requirements of the E-Sign Act and any applicable state law.
- The process for signature execution meets the legal requirements and standards under the E-Sign Act and any applicable state law.
- The consent process meets the legal requirements and standards under the E-Sign Act and any applicable state law.
- The seller has complied with all of its obligations under these Freddie Mac guidelines and the rules of the electronic system.
A system administrator or document custodian of electronic records must agree to all requirements that are contained in the Freddie Mac Single-Family Seller-Service Guide.
Regardless of any dispute with a servicer or Freddie Mac, or a dispute between a servicer and Freddie Mac, the system administrator or document custodian must agree to deliver to Freddie Mac, on demand, control over the authoritative copies of the electronic records. Failure to do so may be subject to the legal remedy of specific performance.
If there is a dispute with a servicer of Freddie Mac, the system administrator or document custodian cannot prevent a party from obtaining access and printing the electronic record if he or she is entitled to such access. The system administrator and document custodian must agree that they have no property interest in the data and will not use, rent, lease, or sell the data.
As mentioned above, a transferable record serves as an electronic equivalent of a negotiable promissory note. The electronic record system must be designed so that the debt obligation is evidenced by a note that meets the requirements of a transferable record under the E-Sign Act or applicable state law, such as UETA. The transferable record must contain only the terms and conditions permitted in a paper note, must be signed, and the borrowers must agree that it can be treated as a transferable record under the E-Sign Act or applicable state law.
The transferable record must be created, stored, and assigned in the following manner:
- A single authoritative copy exists that is unique, identifiable, and unalterable, except for revisions permitted under the E-Sign Act and UETA.
- The authoritative copy identifies the person asserting control as either the person to whom the transferable record was issued or to whom the record was recently transferred.
- The authoritative copy is communicated to and maintained by the person asserting control, or its designated document custodian.
- Copies or revisions that add or change an assignee can only be made with the consent of the person asserting control.
- Each copy of the authoritative copy is readily identified as not being the authoritative copy.
- Any revision of the authoritative copy is identified as either an authorized or unauthorized revision.
The current ownership and servicer of the debt obligation must be determined either from the electronic record or from a registry associated with the electronic record that is accessible to the servicer, the noteholder, and the borrower. A transfer of ownership rights must require an affirmative action by the noteholder. The noteholder must have access and authority in order to change the identity of the servicer.
QUESTIONS TO CONSIDER REGARDING
THE FREDDIE MAC GUIDELINES
- Do the guidelines contain too little or too much detail?
- Do you have questions that are not answered by these guidelines? What are those questions?
- If you believe the level of detail is too much, what suggestions do you have for streamlining these guidelines?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org |
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com