In addition to being in the top tier of regulations whose framers worked extra hard to come up with a pronounceable and relevant acronym (right up there with E-SIGN and the USA PATRIOT Act), the Secure and Fair Enforcement for Mortgage Licensing Act, a.k.a. SAFE Act, is also in the top tier of regulations with some of the most common violations that can be readily avoided.
Having looked over a large number of SAFE Act programs of financial institutions over the years, I’ve compiled a list of the five most common violations of the SAFE Act I’ve observed from these audits.

Error #5—Not making unique loan identifiers available to consumers through multiple means.

Each individual who registers with the National Mortgage Licensing System Registry receives a unique identifying number. This identifier will remain the individual’s for life and allows Mortgage Loan Originators (MLOs) to be tracked as they change employers or locations.
In order for this number to be useful for consumers, MLOs must provide it upon request. As a best practice, MLOs should make their identifier available to consumers through several different means, such as loan program descriptions, advertisements, business cards, stationery, etc. The regulation also requires institutions to make MLO identifiers available to customers or members in a reasonable way. For example, your institution could maintain a list of registered MLOs and their identifiers on your website or post the information prominently in your branches. Your SAFE Act Policy should address the details of how you will provide the MLO unique identifiers.

Error #4—Failing to consistently update the Registry.

For the Registry to serve its purpose, it must be accurate. The information to be kept updated—which is the same information that must be submitted to the Registry in order for an MLO to obtain their “unique identifier” in the first place—includes things like: identifying information, financial service employment history, disclosure of regulatory actions taken against the employee, etc.
Should changes occur to any of this information, the registry should be updated within 30 days of the change. To ensure that this happens at your institution, your SAFE Act Policy should specifically state by name whom you wish to be responsible for updating the registry.

Error #3—Neglecting to track and perform due diligence for third-party mortgage loan originators.

Although many institutions use a third-party mortgage loan originator (because doing so is often beneficial for smaller institutions), they often neglect due diligence or fail to note the fact that they use a third party for this purpose in their policy. If you use a third-party MLO, make sure your institution‘s policy includes this fact and what due diligence procedures you have in place.

Error #2—Not mentioning the de minimis exception in your policy.

The de minimis (a Latin expression meaning too minor to merit consideration) exception excludes the need to register employees of covered financial institutions who have acted as an MLO in fewer than six residential mortgage loans in a 12-month period. However, regardless of whether or not the exception is applicable to your institution, you should clearly state in your SAFE ACT Policy if you wish to apply it or if you don’t. This is crucial, because the SAFE Act prohibits financial institutions from evading the registration requirement, and not mentioning it in your policy may give the appearance of potential evasion or not being aware of the regulation.

Error #1—Employing an MLO as the system administrator.

The SAFE Act states that your system administrator must not be a Mortgage Loan Originator (MLO), but that is the most common mistake we see in an institution’s SAFE Act policy. However, an institution may be exempt from this regulatory requirement if it has 10 or fewer full-time employees and is not a subsidiary. Although it seems obvious, it’s surprising how often this requirement slips through the cracks. Unless your institution has 10 or fewer full-time employees and is not a subsidiary, make sure it identifies in its SAFE Act policy a system administrator who is not an MLO.
Because these processes, which should all be part of an institution’s SAFE Act policy, are so easily overlooked, it can be a sound business practice to have an outside party review all aspects of your SAFE Act Policy. AffirmX offers this service alone or as part of its basic compliance package. If you would like more information about AffirmX’s SAFE Act Review, please contact Alberto Gamez at or 888.972.3624.