Servicing orgs hit with $20 million penalty

California, Maryland, North Carolina and Washington state entities led an extensive group of regulators in an action imposing a $20 million penalty on three affiliated servicing organizations on Wednesday.

In total, more than 50 regulators acted against Bayview Asset Management LLC and three affiliates, citing deficiencies in the way the companies handled a 2021 data breach affecting 5.8 million people, according to the Conference of State Bank Supervisors.

The settlement and consent order, which follows a series of legal and regulatory developments related to the breach, is the first coordinated servicing action taken by state regulators in some time. It includes corrective responses by the entities involved.

"Lenders and servicers have a responsibility to protect consumer data and work with state regulators when a breach, intentional or otherwise, occurs," said KC Mohseni, acting commissioner at the California Department of Financial Protection in Innovation.

The servicing entities named in the multistate action have agreed to ensure their cybersecurity efforts comply with federal and New York State Department of Financial Services standards, and will have them independently assessed in addition to providing three years of additional reporting to the states.

"This settlement relates to an investigation into an incident that occurred more than three years ago, where a criminal threat actor gained unauthorized access to our systems. We are pleased to put this matter behind us," Bayview spokesperson said in an emailed statement.

Bayview affiliates Lakeview Loan Servicing, Pingora Holdings and Community Loan Servicing were named in the multistate action. Mr. Cooper later acquired some CLS assets from Bayview.

Both Mr. Cooper and CSBS confirmed the former acquired the assets after the 2021 Bayview data breach and were not involved in the related settlement. Mr. Cooper has faced legal action over a separate data breach. Such cybersecurity incidents are a growing industry concern.

CSBS reports indicate the way Bayview and its affiliates responded to its breach warranted coordinated state action because the information technology and cybersecurity used in their response fell short of federal and state requirements. 

"Furthermore, the Bayview companies delayed the supervisory process by failing to comply with state requests in a timely and complete manner in the early stages of the examination," according to the CSBS.

The last multistate servicing action of this scale occurred in 2017 against Ocwen, when regulators cited the company for not doing enough to address issues involving its handling of distressed loans and escrows, in part due to shortcomings in its proprietary system.

Ocwen was able to settle the allegations over time and rebranded as Onity last year.

A broader multistate servicing settlement targeting larger industry concern that emerged in the Great Financial Crisis occurred in 2014. That settlement received more attention recently during Vice President Kamala Harris' run for office because she helped broker it.

With the election shortly bringing more Republicans into federal office who are considered likely to deregulate, there has been a lot of anticipation that states could be more active.

The regulatory body Mohseni currently heads in California could play a key role in this as it has been described as a smaller version of the federal Consumer Financial Protection Bureau. Many pundits have said the CFPB will be less active following the changeover in Washington.

The bureau has called upon the states to do more to subject financial institutions to privacy laws. It also has been working to institute a national nonbank mortgage registry that some say largely duplicates the CSBS's. The bureau was not part of the state settlement with Bayview.