This page, Bayview Asset Management LLC and Affiliates Consent Order, is offered by
Division of Banks

Consent Order

Consent Order Bayview Asset Management LLC and Affiliates Consent Order

Date:	12/31/2024
Organization:	Division of Banks

Whereas, Lakeview Loan Servicing, LLC is a Delaware limited liability company with headquarters in Coral Gables, Florida and assigned NMLS identifier number of 391521 (“Lakeview”), Pingora Loan Servicing, LLC is a Delaware limited liability company with headquarters in Denver, Colorado and assigned NMLS identifier number 129911(“Pingora”), and Community Loan Servicing, LLC is a Delaware limited liability company with headquarters in Coral Gables, Florida and assigned NMLS identifier number 2469 (“CLS”). For purposes herein, Lakeview, Pingora, and CLS shall be collectively referred to as “Licensed Respondents” and individually as a “Licensed Respondent.” Bayview Asset Management, LLC, is a Delaware limited liability company with headquarters in Coral Gables, Florida and assigned NMLS identifier number 102563(“Bayview”). For purposes herein, Lakeview, Pingora, CLS, and Bayview shall be collectively referred to as “Respondents” and individually as “Respondent.”

Whereas, the States of Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Louisiana, Maine, Maryland, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, Wyoming, the Commonwealths of Kentucky, Massachusetts, Pennsylvania, Puerto Rico, and Virginia, and the District of Columbia (individually, a “Participating State,” and collectively, the “Participating States”) have each agreed, through its respective state mortgage regulatory agency, to negotiate and enter into this Settlement Agreement and Consent Order (hereinafter referred to as the “Agreement” or “Order”).

Whereas, the state mortgage regulators of the Participating States (hereinafter referred to individually as a “State Mortgage Regulator,” and collectively as the “State Mortgage Regulators”) are respective members of the Conference of State Bank Supervisors (“CSBS”) and/or the American Association of Residential Mortgage Regulators (“AARMR”) and have agreed to address enforcement concerns with Respondents in a collective and coordinated manner, working through the Multi-State Mortgage Committee (“MMC”). The State Mortgage Regulators and Respondents are collectively referred to herein as the (“Parties.”)

Whereas, Lakeview, Pingora, and CLS are each licensed as a mortgage broker, lender, and/or servicer, as may be applicable in order to operate their respective businesses, under the respective laws of each Participating State, while Bayview held a Financing Law License issued by the California Department of Financial Protection and Innovation and maintained direct or indirect control over Lakeview, Pingora, and CLS at the time of the Incident described herein. Lakeview, Pingora, and CLS share information technology assets under the control of Bayview.

Whereas, Respondents experienced a cybersecurity event that began on or about October 11, 2021 (the “Incident”), when an employee of the Respondents, in the course of performing job-related duties, unknowingly downloaded malicious software (“malware”) during an internet search. The initial malware remained stationary until launching additional malware on the affected system on or about October 24, 2021. During the period of October 27, 2021, through December 7, 2021, the criminal threat actor was able to extract data, including personally identifiable information, from the Respondents’ network.

Whereas, Respondents conducted an investigation into the Incident and made their initial required consumer notifications over a period of several months after the Incident, ultimately notifying approximately 5.8 million consumers that their personal information may have been compromised. Further, based on its investigation, Respondents provided consumer notifications, rolled out consumer support services, and offered notified consumers the ability to receive free consumer credit and identity theft monitoring.

Whereas, Respondents, upon discovery of the Incident and throughout their investigation into the Incident notified numerous state and federal regulators and key counterparties about the incident. However, of the state mortgage regulators that have independent notification requirements related to the breach of a security system, not all of those state mortgage regulators were provided timely notification of the Incident.
Whereas, on becoming aware of and due to the Incident, on or about April 1, 2022, the State Mortgage Regulators, as coordinated by the MMC, commenced a multi¬state targeted cybersecurity examination (the “Multi-State Cybersecurity Examination”) of Respondents covering the period of January 1, 2020 through September 30, 2022, in order to determine Respondents’ compliance with applicable State and Federal laws and regulations and assess the effectiveness of Respondents’ information technology (“IT”) and cybersecurity program (the “IT and Cybersecurity Program”). The Multi-State Cybersecurity Examination was conducted by the State Mortgage Regulators from the states of California, Florida, Maryland, and Washington. The Multi-State Cybersecurity Examination of Respondents was conducted pursuant to their respective statutory authorities, and in accordance with the protocols established by the CSBS/AARMR Nationwide Cooperative Protocol for Mortgage Supervision as well as the Nationwide Cooperative Agreement for Mortgage Supervision (collectively the “CSBS/AARMR Protocol and Agreement”). The Report of Examination was issued by the MMC to Respondents on May 4, 2023, and identified alleged compliance violations of State and Federal law related to Respondents’ IT and Cybersecurity Program (the “MMC Cybersecurity Report of Examination”).

Whereas, during the course of the Multi-State Cybersecurity Examination, Respondents did not initially fully and completely comply with the examination authority of the State Mortgage Regulators as it related to certain information, including information the Respondents claimed was privileged. Notwithstanding the foregoing, the State Mortgage Regulators recognize that, as of the date of this Order, Respondents represent they have complied with all requests associated with the Multi-State Cybersecurity Examination.

Whereas, The State Mortgage Regulators, pursuant to their respective books and records requirements, are entitled to access privileged and confidential information related to Respondents investigation into the incident, including, but not limited to, assessment and root cause reports (“Incident Investigation Materials”). Further, the State Mortgage Regulators access to such Incident Investigation Materials is an important supervisory function. Such information is treated by the State Mortgage Regulators as confidential supervisory information and thus exempt from disclosure under the Secure and Fair Enforcement for Mortgage Licensing (“SAFE”) Act, applicable state law, and the CSBS/AARMR Protocol and Agreement, and the disclosure of the Incident Investigation Materials does not act to terminate the confidential and privileged nature of the information.

Whereas, the MMC Cybersecurity Report of Examination identified deficient IT and cybersecurity practices, which allegedly constitute violations of certain federal and state-specific compliance laws and regulations. Such deficient IT and cybersecurity practices include, but are not limited to, insufficient IT patch management, insufficient centralized IT vulnerability remediation monitoring and enterprise reporting, insufficient IT inventory tracking, and failure to appropriately encrypt certain personally identifiable information when that data was at rest.

Whereas, nothing in this Agreement should be construed as a finding by the State Mortgage Regulators or a concession by the Respondents that any specific finding identified in the MMC Cybersecurity Report of Examination directly caused the initial intrusion into Respondent’s network resulting in the Incident.

Whereas, the State Mortgage Regulators relied upon documents and records provided by the Respondents, including reports from third parties, in arriving at the findings contained within the MMC Cybersecurity Report of Examination.

Whereas, Respondents enter into this Agreement solely for the purpose of resolving disputes with the State Mortgage Regulators, including concerning the conduct described in the MMC Cybersecurity Report of Examination, and neither admit nor deny any wrongdoing, allegations or implications of fact, and neither admit nor deny any violations of applicable laws, regulations, or rules governing the conduct and operation of its mortgage related business, including related to its IT and Cybersecurity program. Respondents acknowledge that the State Mortgage Regulators have and maintain jurisdiction over the underlying dispute, including all matters referred to in these recitals, and therefore have the authority to fully resolve the matter.

Whereas, the State Mortgage Regulators have legal authority to initiate administrative actions based on the conduct described in the MMC Cybersecurity Report of Examination.

Whereas, the intention of the State Mortgage Regulators in effecting this settlement is to resolve its operational concerns regarding the Respondents and the violations identified in the MMC Cybersecurity Report of Examination and in these recitals, and to close the MMC Cybersecurity Report of Examination. To that end, the State Mortgage Regulators have agreed to the release of certain claims and remedies, as provided for in this Agreement. The State Mortgage Regulators reserve all of their rights, duties, and authority to enforce all statutes, rules, and regulations under their respective jurisdictions against Respondents regarding any licensable related activities outside the scope of this Agreement. Additionally, a State Mortgage Regulator may consider this Agreement and the facts set forth herein in connection with, and in deciding upon, any examination, action, or proceeding under the jurisdiction of that State Mortgage Regulator, if the basis of such examination, action, or proceeding is not a direct result of the specific activity identified in the MMC Cybersecurity Report of Examination; and that this Agreement may, if relevant to such examination, action, or proceeding, be admitted into evidence in any matter before a State Mortgage Regulator.

Whereas, Respondents hereby knowingly, willingly, voluntarily, and irrevocably consent to the entry of this Order, which is being entered pursuant to the authority vested in each State Mortgage Regulator and agree that they understand all of the terms and conditions contained herein. Respondents acknowledge that they have full knowledge of their rights to notice and a hearing pursuant to the laws of the respective Participating States. By voluntarily entering into this Agreement, Respondents waive any right to notice and a hearing, and review of such hearing, and also herein waive all rights to any other judicial appeal concerning the terms, conditions, and related obligations set forth in this Agreement. Respondents further acknowledge that they have had an opportunity to consult with independent legal counsel in connection with their waiver of rights and with the negotiation and execution of this Agreement, and that Respondents have either consulted with independent legal counsel or have knowingly elected not to do so.

Whereas, each Respondent represents that the person signing below is authorized to execute this Agreement and to legally bind each respective Respondent.

Whereas, in that the Parties have had the opportunity to draft, review, and edit the language of this Agreement, the Parties agree that no presumption for or against any party arising out of drafting all or any part of this Agreement will be applied in any action relating to, connected to, or involving this Agreement. Accordingly, the Parties agree to waive the benefit of any State statute, providing that in cases of uncertainty, language of a contract should be interpreted most strongly against the party who caused the uncertainty to exist.

Now, therefore, this Agreement having been negotiated by the Parties in order to resolve the issues identified herein and in the MMC Cybersecurity Report of Examination, without incurring the costs, inconvenience, and delays associated with protracted administrative and judicial proceedings, it is by the State Mortgage Regulators listed below, as coordinated through the CSBS/AARMR Protocol and Agreement, hereby ordered:

Skip table of contents

You skipped the table of contents section.

Jurisdiction

That pursuant to the licensing and supervision laws of the Participating States, the
Participating States have jurisdiction over Respondents as described herein and may enforce the terms of this Agreement thereon unless otherwise stated in this Agreement.

Corporate Governance

Corporate Governance Framework. ¹Each Licensed Respondent, under the supervision
of its board of managers, or other formal body responsible for the corporate governance of a Licensed Respondent, including a formal body located at a parent entity (the “Board of Managers”), shall maintain a documented corporate governance1 framework commensurate with its size, operational complexity, and overall risk profile, and conforming to the standards established by the Conference of State Bank Supervisors’ Model Regulatory Prudential Standards for Nonbank Mortgage Servicers. As it relates to this framework’s coverage of the IT and Cybersecurity Program, each Licensed Respondent’s Board of Managers shall:
1. Maintain a consolidated and comprehensive written Information Security Policy (“ISP”) for the protection of its information systems and nonpublic information stored on those information systems;
2. Review and update (as necessary) the ISP annually and approve these updates, which approval shall be notated within its meeting minutes;
3. Ensure the review of the business continuity plan, on an annual basis at minimum and approve any updates, which approval shall be notated within its meeting minutes;
4. Include within its minutes, or respective meeting package, documentation of review of relevant internal management reports. Reports to be reviewed and/or actions that need to be approved attendant thereto should be documented in a policy or charter document as appropriate;
5. Annually, review, update (as necessary), and approve written policies, procedures and/or standards that address the following:
  1. Asset Management and Classification;
  2. Configuration Management;
  3. Hardening and Standard Build;
  4. Data Handling and Protection;
  5. Identity and Access Management; and
  6. IT Vendor Management Policy, including policies regarding the
    periodic assessment of third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices; and
6. Ensure that the incident response plan continues to include up to date incident related procedures and clarify the roles and relationships of the individuals/groups involved with incident response functions, especially:
  1. Network Operations Center for network and server operational events;
  2. Security Operations Center for security monitoring and security incident detection; and
  3. Security Incident Response Team.
Internal Audit. Each corporate governance framework shall maintain internal audit requirements that are appropriate for the size, complexity, and overall risk profile of the particular Licensed Respondent. Further, internal audit functions shall be performed by employees who report to each Licensed Respondent’s Board of Managers.
Each Licensed Respondents’ internal audit functions shall audit the IT and Cybersecurity Program, and related to these specific audit activities shall:
1. Generally conform with the International Standards for Professional Practice of Internal Auditing;
2. Maintain a defined audit universe, covering all auditable areas, and deploy a formal risk analysis process that is used to set the scope and frequency of the IT focused audits. The business continuity plan shall be a high-risk, auditable area; and
3. Maintain an audit schedule that is prepared on a multi-year basis to ensure that applicable IT risk areas are audited with an appropriate frequency with the objective of auditing critical and high-risk areas of the IT and Cybersecurity Program at least annually.
External Assessments. As each Licensed Respondents continue to receive external assessments from time to time related to their IT and Cybersecurity Program, they shall prioritize reasonable and appropriate corrective actions with respect to identified issues, findings, recommendations, and risks in such audits (collectively, “External Assessment Findings”, and, individually, an “External Assessment Finding”). To the extent the Licensed Respondents disagree with the nature, risk, and/or significance of an External Assessment Finding, including, but not limited to whether the cost of conducting any corrective action outweighs the benefit of such corrective action, the Licensed Respondents may disregard in whole or in-part any External Assessment Finding, and shall document that decision.
Risk Management – IT and Cybersecurity Program. Each Licensed Respondent shall maintain a risk management program that includes the IT and Cybersecurity Program, which shall comply with the provisions of 16 C.F.R. Part 314 (the “Safeguards Rule”) and conform to the standards set forth in 23 NYCRR 500.01-500.16 (the “NY DFS Rule”) as may be amended from time to time. The IT and Cybersecurity Program shall therefore be reasonably tailored to address specific privacy and security risks associated with use of Consumer Information (which has the same meaning as “customer information” as that term is defined in 16 C.F.R. 314.2(d)) and appropriately informed by applicable laws, and industry standards and guidelines, including, but not limited to, the Federal Financial Institutions Examination Council’s (“FFIEC”) Information Security IT Examination Handbook (the “FFIEC Handbook”), the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework (“CSF”), and/or the Center for Internet Security (“CIS”) Controls. The IT and Cybersecurity Program shall have the following core objectives: (1) to ensure the security and confidentiality of Consumer Information; (2) to protect against any reasonably anticipated threats or hazards to the security or integrity of such information; and (3) to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. In furtherance of these objectives the IT and Cybersecurity Program shall include the administrative, technical, and physical safeguards applicable to Consumer Information.
As part of the IT and Cybersecurity Program, the Licensed Respondents shall continue to reasonably design and implement its safeguards through:
1. The encryption of Consumer Information held or transmitted by the Licensed Respondents both in transit over external networks and at rest. To the extent a Licensed Respondent determines that encryption of Consumer Information, either in transit over external networks or at rest, is infeasible, that particular Licensed Respondent may instead secure such Consumer Information using effective alternative compensating controls reviewed and approved by that Licensed Respondent’s Chief Information Security Officer (“CISO”) in writing. To the extent that a particular Licensed Respondent utilizes compensating controls as described in this paragraph, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually. The CISO’s review shall document any reason for the infeasibility of encryption and the effectiveness of the compensating controls;
2. Ensuring that administrator accounts are appropriately protected and restricted, and limiting the number of administrator accounts to the amount necessary for business operations;
3. Describing the likelihood of identified risks occurring, the potential impact of identified risks if they were to occur, how identified risks will be mitigated or accepted based on an annual risk assessment, and how the IT and Cybersecurity Program will address those risks;
4. Maintaining a formal methodology to monitor, track, and document all material issues and findings identified through normal risk management activities – such as those identified through the internal audit function, external audits, or regulatory examinations – until either remediation of those material issues and findings has been completed or until those material issues and findings are deemed acceptable within a formal risk acceptance process. This methodology shall include a process for establishing risk-informed target dates for any determined corrective action as it relates to any material issue or finding, and for the documentation of any revisions of said target dates, including the reason for such determination;
5. The monitoring by each Licensed Respondent’s Board of Managers of all material issues, findings, and recommendations identified through normal risk management activities, including through the presentation of documented issue tracking and aging report(s), containing all open material issues from the time of identification to the time of actual resolution, on at least a quarterly basis;
6. The maintenance of a risk-informed, documented, enterprise-wide data loss prevention (“DLP”) program for detecting and preventing the exfiltration of customer data by any reasonable means from each Licensed Respondent’s network, which shall be appropriately integrated with the particular Licensed Respondent’s other security tools and resources, including those supported by third party service providers; and
7. Maintenance of emergency control and change management standards designed to provide for efficient and effective reaction mechanisms that are implemented in a well-controlled manner.
Patch and Vulnerability Management. The Licensed Respondents shall maintain documented policies, procedures, and standards for supporting their patch and vulnerability management functions. Accordingly, each Licensed Respondent is expected to:
1. Identify and document an IT asset inventory that includes hardware (including infrastructure devices), software (including applications and operating systems), location of those assets, criticality of data, and, as applicable, the individual(s) assigned responsibility when such individual is tied to an asset;
2. Update the patch and vulnerability policies and procedures as appropriate to reflect any personnel and procedural changes made as a result of patch and vulnerability management initiatives. Each Licensed Respondent’s Board of Managers must ensure that the patch and vulnerability functions are consistently implemented across each respective Licensed Respondent;
3. Maintain a process that routinely identifies what updates and patches need to be installed. This process must continue to identify the criticality of such updates and patches and the timeframe required for installation. Also, such process must include the required documentation for installation delays of critical and high-risk updates and patches beyond established timelines, along with a reasonable substituted target date; and
4. Maintain a process to identify and promptly decommission any hardware,
  application, or software for which the vendor or service provider of that hardware, application, or software is no longer providing security updates, unless such hardware, application, or software is critical to the business operations of the Licensed Respondent, then use of that hardware, application, or software may continue with the implementation of reasonably equivalent or more secure compensating controls reviewed and approved by that Licensed Respondent’s CISO in writing. To the extent that a particular Licensed Respondent utilizes compensating controls as described in this paragraph, the use of that hardware, application, or software and the effectiveness of the compensating controls shall be reviewed by the CISO at least annually. Should appropriate compensating controls be unavailable, the Licensed Respondent shall prohibit the connection of such hardware, applications, or software to public or uncontrolled networks.
Third-Party Service Provider Risk Management. As part of the IT and Cybersecurity
Program, the Licensed Respondents shall maintain adequate policies, procedures systems, and controls designed to ensure the security of information systems and Consumer Information that are accessible to, or held by, third-party service providers in conformity with the Safeguards Rule and NY DFS Rule. Such policies, procedures, systems, and controls shall be appropriately informed by the annual risk assessment and shall include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers.

¹For purposes herein, “corporate governance” means the management structure of the licensee and the processes by which the business is managed, including the corporate controls, rules, policies, processes, and practices used to oversee and manage the institution.

Agreement Monitoring

Executive Committee. An executive committee comprised of representatives of the State Mortgage Regulators (“Executive Committee”) shall serve as the point of contact between Respondents and the State Mortgage Regulators and shall receive reports and communications from Respondents. The initial member states of the Executive Committee are the State Mortgage Regulators of California, Maryland, North Carolina, and Washington. The Executive Committee may substitute representation, as necessary.
Independent Assessment. Respondents shall engage a qualified, independent, third-party consultant (“Consultant”) to review the Licensed Respondents’ corporate governance framework related to the IT and Cybersecurity Program, and the specific requirements and standards discussed herein, which will be documented in an assessment report. Respondents will provide a copy of this assessment report to the Executive Committee within one hundred and twenty (120) days of this Agreement’s Effective Date. Among other areas, this Consultant will review and report on:
1. The comprehensiveness and adequacy of the Licensed Respondents’ IT and Cybersecurity Program under relevant cybersecurity standards and best practices, including but not limited to the Safeguards Rule and the NY DFS Rule; and
2. Any corrective measures needed to ensure the Licensed Respondents’ IT and Cybersecurity Program reasonably complies with the Safeguards Rule, the NY DFS Rule, and the terms provided for in the Corporate Governance section of this Agreement, along with the relative priority of each measure. Instances in which a specific component of the IT and Cybersecurity Program is deemed by the Consultant to be inadequate to ensure reasonable compliance with the Safeguards Rule, the NY DFS Rule, or the terms of this Agreement provided for in the Corporate Governance section, shall be considered as needing corrective measures.
To the extent the Consultant identifies in its assessment report that corrective measures are needed, Respondents must develop a plan to implement such corrective measures (“Corrective Action Plan”). The Corrective Action Plan must consider and appropriately incorporate the relative priority of each corrective measure as determined by the Consultant and documented in the assessment report. Respondents must provide the Corrective Action Plan to the Executive Committee within sixty (60) days after the assessment report is issued.
Beginning ninety (90) days after the Corrective Action Plan is submitted to the Executive Committee, and continuing every 90 days thereafter until all corrective measures identified in the Corrective Action Plan have been completed, Respondents, in consultation with the Consultant, shall provide a progress report to the Executive Committee on the implementation of the Corrective Action Plan.
Upon Respondents’ determination that the Corrective Action Plan has been completed, the Consultant will conduct a validation assessment of all corrective measures in the Corrective Action Plan and shall document its findings in a validation report. Respondents shall provide a copy of this validation report to the Executive Committee within ten (10) days of its issuance.
Respondents shall, if applicable, within 30 days of the date of the validation report, provide an updated Corrective Action Plan that addresses those specific components of the IT and Cybersecurity Program deemed inadequate to ensure reasonable compliance with the Safeguards Rule and the NY DFS Rule, and shall be subject to the requirements of paragraphs 3 through 5 above.
Upon the request of the Executive Committee, Respondents shall convene a meeting with the Consultant to address the Consultant’s findings, and statements by the Respondents or the Consultant, in any documented report produced pursuant to the requirements of this Agreement, including, but not limited to, the initial assessment report or the validation report. Respondents shall ensure that the Consultant makes available at the meeting personnel with appropriate knowledge and familiarity with the Consultant’s findings and statements in the applicable report(s).
Respondents agree to fully cooperate with the Consultant and support its work by, at minimum, providing the Consultant with access to any and all relevant personnel, third-party service providers, facilities, files, reports, and records.
Ongoing Reporting. In order to monitor the Licensed Respondents’ corporate governance related to the IT and Cybersecurity Program, and the specific requirements and standards discussed herein, Respondents shall provide to the Executive Committee the following documentation and/or information according to the following terms:
1. The Licensed Respondents’ patch and vulnerability management policies, procedures, and standards within 60 days of the Effective Date of this Agreement;
2. The corporate governance framework related to the IT and Cybersecurity Program within sixty (60) calendar days of the Effective Date of this Agreement;
3. Any material written updates or changes to the corporate governance framework related to the enterprise-wide IT and Cybersecurity Program within sixty (60) calendar days of the conclusion of calendar years 2024, 2025, and 2026; and
4. For a period of three (3) years from the Effective Date of this Agreement, any Security Event, as that term is defined in 16 C.F.R. § 314.2(p), within thirty (30) calendar days of any Licensed Respondent’s determination that a Security Event has occurred, including:
  1. The facts of the incident;
  2. The number of consumers impacted, broken down by state;
  3. Amount of harm experienced by consumers, broken down by state;
  4. The steps any applicable Respondent has taken to correct the incident; and
  5. The steps any applicable Respondent has taken to make consumers whole.
Within sixty (60) calendar days of the effective date of this Agreement, Respondents shall submit to the Executive Committee for review a list of all IT and Cybersecurity Program remediation projects planned, in process, or implemented in response to the Incident, along with Respondents’ prioritization of those projects (the “Incident IT and Cybersecurity Enhancements”). The Incident IT and Cybersecurity Enhancements must, at a minimum, fully address recommendations noted in any Incident assessment report issued by a third-party forensic firm. Further, Respondents’ internal audit functions shall conduct a review that assesses and tests all controls relating to the Incident IT and Cybersecurity Enhancements and shall produce a written report associated with this review (“Internal Audit Enhancements Review”). The Internal Audit Enhancements Review shall be furnished to the Executive Committee within twelve (12) months of the effective date of this Agreement.

Consumer Remediation Efforts

State Mortgage Regulators acknowledge that Respondents have engaged in certain
consumer remediation activity, including consumer identification and notification efforts, consumer support services, and the offer of free consumer credit and identity theft monitoring, at a minimum, for the time frames prescribed by applicable law. The State Mortgage Regulators have agreed to resolve all their claims related to consumer remediation associated with the Incident, except for those listed in paragraph 4 of the release section.
State Mortgage Regulators are also aware that Respondents have been named in one or more class action lawsuits related to the Incident in which the claims alleged are related to purported harm to consumers as a result of the Incident, and that these lawsuits may result in orders or settlements addressing certain remediation. To the extent there is a resolution to a class action in which consumer relief is granted by a tribunal, subject to approval by that tribunal, Respondents shall as part of the normal class action resolution notification process include information about a consumer’s right to notify State Mortgage Regulators of any concerns they may have related to the Incident should they choose to opt-out of said class action resolution.

Administrative Costs and Penalty

Administrative Penalty. That Respondents shall pay an Administrative Penalty Nineteen Million, Six Hundred Twenty-nine Thousand, Four Hundred Dollars ($19,629,400) to be prorated among each Participating State as designated in “Appendix A” attached to this Agreement (the “per-state payment”). Respondents shall pay the total Administrative Penalty amount within twenty (20) calendar days following the receipt of payment instructions, by paying each Participating State the per-state payment by the means designated by each State.
Administrative Costs. That Respondents shall pay Administrative Costs of Three Hundred Seventy Thousand, Six Hundred Dollars ($370,600). Each Participating State that also took part in the examination or settlement shall receive an additional payment to cover administrative costs associated with the examination resolution process, with such costs allocated as follows: California, One Hundred Seventy Thousand Dollars ($170,000); Maryland, One Hundred Thirty-five Thousand Dollars ($135,000); North Carolina, Fifteen Thousand, Six Hundred Dollars ($15,600); Washington, Fifty Thousand Dollars ($50,000).
That in the event that Respondents fail to submit any Administrative Penalty or Administrative Costs set forth in this Agreement, in the amounts specified herein and in accordance with the applicable deadlines, or if any transfer of any monetary amount required under this Agreement is voided by a Court Order, including a Bankruptcy Court Order, Respondents agree not to object to a Participating State submitting a claim, nor attempt to defend or defeat such authorized claim, for any unpaid amounts against any surety bond that Respondents may maintain in such Participating State as a condition of maintaining a license under the jurisdiction of that State Mortgage Regulator.
That a State Mortgage Regulator may elect to have its allocation of the Administrative Penalty set forth in Paragraph 1 of this section to be applied towards the respective Participating State’s consumer relief, and/or other such alternatives authorized under the respective Participating State’s law. Should a State Mortgage Regulator elect to apply its allocation of administrative penalties in such an alternative manner, solely for the purpose of ensuring the effective administration of payments pursuant to the terms of this Agreement, that State Mortgage Regulator shall notify the MMC in writing of such election on or before the Effective Date of this Agreement.

Enforcement

General Enforcement Authority. That the terms of this Agreement shall be enforced in accordance with the provisions, terms and authorities provided in this Agreement and under the respective laws and regulations of each Participating State. Nothing in this agreement shall be interpreted to preclude a Participating State from taking emergency enforcement action authorized under applicable state law, however such an action shall not be based solely on a perceived violation of the terms of this Agreement.
No Restriction on Existing Examination and Investigative Authority. That this Agreement shall in no way preclude any State Mortgage Regulator from exercising its examination or investigative authority authorized under the laws of the corresponding Participating State in the instance a determination is made wherein a Respondent is found not to be adhering to the requirements of the Agreement, other than inadvertent and isolated errors – those that would not be deemed to create a critical impact to the confidentiality, integrity, or availability of information systems and data – that are promptly corrected by that Respondent, or involving any unrelated matter not subject to the terms of this Agreement. The Parties agree that the failure of a Respondent to comply with any term or condition of this Agreement with respect to a particular State shall be treated as a violation of an Order of the State and may be enforced as such. Moreover, Respondents acknowledge and agree that this Agreement is only binding on the State Mortgage Regulators and not any other Local, State or Federal Agency, Department or Office.
Notice. Prior to initiating an action to enforce the terms and conditions of this Agreement, a Participating State shall provide written notice to the Executive Committee and Respondents of the basis for the potential action and a description of its allegations, and provide Respondents an opportunity to respond to the allegations.
Sharing of Information and Cooperation. That the State Mortgage Regulators may collectively or individually request and receive any information or documents in the possession of the Executive Committee or the MMC. This Agreement shall not limit the Licensed Respondents’ obligations, as licensees of the State Mortgage Regulators, to reasonably cooperate with any examination or investigation, including but not limited to, any obligation to timely provide requested information or documents to any State Mortgage Regulator.

Release

By their execution of this Agreement, the State Mortgage Regulators release and forever discharge Respondents, Respondents’ current and former parent corporations or other forms of legal entities, direct and indirect subsidiaries, brother or sister corporations or other forms of legal entities, divisions or affiliates, and the predecessors, successors, and assigns of any of them, as well as the current and former directors, officers, and employees (collectively, the “Released Parties”) of any of the foregoing from the following: any civil or administrative claim, of any kind whatsoever, direct or indirect, that a State Mortgage Regulator has or may have or assert, including, without limitation, claims for damages, fines, injunctive relief, remedies, sanctions, or penalties of any kind whatsoever based on, arising out of, or resulting from the Covered Conduct, as defined in this section, occurring between January 1, 2020, and the Effective Date of this Agreement, as well as the findings in the MMC Cybersecurity Report of Examination, except for claims and other actions set forth in Paragraph 4 below.
The Released Parties are released from liability for Covered Conduct due to acts, errors or omissions of their agents or representatives (including, without limitation, third-party vendors). This Release does not release the agents or representatives (including, without limitation, third-party vendors) themselves for any of their acts, errors, or omissions.
For the purposes of this release, the term “Covered Conduct” means all actions, errors or omissions of the Released Parties, arising out of or relating to alleged violations and/or deficient business practices under the Safeguards Rule, the Personal Information Protection Acts the Security Breach Notification Acts, and/or any similar IT, data privacy, or cybersecurity law, rule, regulation, guidance, or pronouncement subject to the jurisdiction of a State Mortgage Regulator, including, but not limited to, the following: (1) The acts and practices identified in the MMC Cybersecurity Report of Examination; (2)The use, conduct or supervision of vendors, agents and contract employees, whether affiliated or unaffiliated related to the IT and Cybersecurity Program; (3) The adequacy of staffing, training, systems, data integrity or security of data that is related to the Respondents business activities; and (4) Quality control, quality assurance, compliance, audit, testing, risk management, oversight, reporting, or certification or registration requirements related to the IT and Cybersecurity Program.
Notwithstanding the foregoing and any other terms of this Agreement, the authority to resolve a consumer complaint brought to the attention of a State Mortgage Regulator is hereby not released, however, any such investigation and associated resolution to a complaint shall be limited solely to the imposition of restitution to the extent affirmatively authorized under that State Mortgage Regulator’s statutory powers.
The release provided for in this section shall become effective immediately upon the occurrence of (a) the Effective Date, and (b) payments of the Administrative Penalty and Administrative Costs as required under Section V.
The release provided for in the section does not release any claims against any entity other than the Released Parties.

General Provisions

Effective Date. That this Agreement shall become effective upon execution by all of
the State Mortgage Regulators for the Participating States and when posted on the NMLS
(the “Effective Date”).
Public Record. That this Agreement shall become public upon the Effective Date.
Binding Nature. That the terms of this Agreement shall be legally binding upon Respondents’ respective officers, owners, directors, employees, heirs, successors, and assigns. The provisions of this Agreement shall remain effective and enforceable except to the extent that, and until such time as, any provisions of this Agreement shall have been modified, terminated, suspended, or set aside, in writing by mutual agreement of the State Mortgage Regulators collectively and Respondents or, with respect to a Licensed Respondent, when that Respondent ceases to be licensed, or with respect to Bayview, as to each Licensed Respondent, when Bayview ceases to be a control affiliate, as defined in the NMLS Policy Guidebook, of such Licensed Respondent.
Standing and Choice of Law. That each State Mortgage Regulator has standing to enforce this Agreement in the judicial or administrative process otherwise authorized under the laws and regulations of the corresponding Participating State. Upon entry, this Agreement shall be deemed a final order of each respective State Mortgage Regulator unless adoption of a subsequent order is necessary under the laws of the corresponding Participating State. In the event of any disagreement between any State Mortgage Regulator and Respondents regarding the enforceability or interpretation of this Agreement and compliance therewith, the courts or administrative agency authorized under the laws of the corresponding Participating State shall have exclusive jurisdiction over the dispute, and the laws of the Participating State shall govern the interpretation, construction, and enforceability of this Agreement.
Adoption of Subsequent Orders to Incorporate Terms. That a State Mortgage Regulator, if deemed necessary under the laws and regulations of the corresponding Participating State, may issue a separate administrative order to adopt and incorporate the terms and conditions of this Agreement. In the event a subsequent order amends, alters, or otherwise changes the terms of the Agreement, the terms of the Agreement, as set forth herein, will control.
Privilege. That this Agreement shall not constitute a waiver of any applicable attorney-client or work product privilege, confidentiality, or any other protection applicable to any negotiations relative to this Agreement. Further, any information or documentation furnished to the Executive Committee pursuant to the terms of the Agreement shall be considered as generated and/or obtained as part of the State Mortgage Regulators’ supervisory authority and thus deemed confidential supervisory information subject to all associated protections and privileges, including, but not limited to, those covered under the SAFE Act, applicable state law, and the CSBS/AARMR Protocol and Agreement.
Titles. That the titles used to identify the paragraphs of this Agreement are for the convenience of reference only and do not control the interpretation of this Agreement.
Final Agreement. That this Agreement is the final written expression and the complete and exclusive statement of all the agreements, conditions, promises, representations, and covenants between the Parties with respect to the subject matter hereof, and supersedes all prior or contemporaneous agreements, negotiations, representations, understandings, and discussions between and among the Parties, their respective representatives, and any other person or entity, with respect to the subject matter covered herein. The Parties further acknowledge and agree that nothing contained in this Agreement shall operate to limit a State Mortgage Regulator’s ability to assist any other Local, State or Federal Agency, Department or Office with any investigation or prosecution, whether administrative, civil, or criminal, initiated by any such Agency, Department or Office against any other person based upon any of the activities alleged in these matters or otherwise.
Waiver. That the waiver of any provision of this Agreement shall not operate to waive any other provision set forth herein, and any waiver, amendment and/or change to the terms of this Agreement must be in writing signed by the Parties.
No Private Right of Action Created. That this Agreement does not create any private rights or remedies against Respondents (or any of its affiliates or subsidiaries), create any liability for Respondents (or any of its affiliates or subsidiaries) or limit defenses of Respondents (or any of its affiliates or subsidiaries) for any person or entity not a party to this Agreement. An enforcement action under this Agreement may be brought solely by a State Mortgage Regulator.
Costs. That except as otherwise agreed to in this Agreement, each party to this Agreement will bear its own costs and attorneys’ fees associated with this enforcement action.
Notices. That any notice to Respondents and/or the State Mortgage Regulators required or contemplated by this Agreement shall be delivered, if not otherwise described herein, by electronic copy to each Respondent through its “Primary Company Contact” for each Respondent listed in the Nationwide Multistate Licensing System (NMLS), or similar contact system, and to the State Mortgage Regulators by direct written notification.
Counterparts. That this Agreement may be executed in separate counterparts, by facsimile or by PDF. A copy of the signed Agreement will be given the same effect as the originally signed Agreement.
That nothing in this Agreement shall relieve Respondents of Their obligations to
comply with applicable State and Federal law.

It is so ordered.

In witness whereof, in consideration of the foregoing, including the recital paragraphs, and with the Parties intending to be legally bound, do hereby execute this Agreement this 31st day of December, 2024.

Downloads

Open PDF file, 310.7 KB, Bayview Asset Management LLC and Affiliates Consent Order (English, PDF 310.7 KB)

Help Us Improve Mass.gov with your feedback

Did you find what you were looking for on this webpage?

Yes

If you have any suggestions for the website, please let us know. How can we improve the page?

Please do not include personal or contact information.

The feedback will only be used for improving the website. If you need assistance, please contact the Division of Banks. Please limit your input to 500 characters.

Please remove any contact information or personal data from your feedback. You will NOT get a response.

If you need assistance, please contact the Division of Banks.

Please let us know how we can improve this page.