§ 53-244.144.  Corporate governance.

(a) Board of Directors Required. - Except as otherwise provided by subsection (b) of this section, a covered institution shall establish and maintain a board of directors responsible for oversight of the covered institution.

(b) Alternative to Board of Directors. - For covered institutions that are not approved to service loans by a GSE or Ginnie Mae, or if these federal agencies have granted approval for a board alternative, a covered institution may establish a similar body constituted to exercise oversight and fulfill the board of directors' responsibilities in this section.

(c) Board of Directors' Responsibilities. - The board of directors is responsible for all of the following:

(1) Establishing a written corporate governance framework, including appropriate internal controls designed to monitor corporate governance and assess compliance with the corporate governance framework, available to the Commissioner upon request.

(2) Monitoring and ensuring institution compliance with the corporate governance framework and this Part.

(3) Accurate and timely regulatory reporting, including the requirements for filing the Mortgage Call Report.

(d) Internal Audit. - The board of directors shall establish internal audit requirements that are appropriate for the size, complexity, and risk profile of the mortgage servicer, with appropriate independence to provide a reliable evaluation of the mortgage servicer's internal control structure, risk management, and governance. Internal audit requirements and the results of internal audits shall be made available to the Commissioner upon request.

(e) External Audit. - A covered institution shall receive an external audit, including audited financial statements and audit reports conducted by an independent public accountant annually. The external audit shall be available to the Commissioner upon request and include, at a minimum, all of the following:

(1) Annual financial statements including a balance sheet, statement of operations, income statement, and cash flows, including notes and supplemental schedules prepared in accordance with Generally Accepted Accounting Principles.

(2) Assessment of the internal control structure.

(3) Computation of tangible net worth.

(4) Validation of MSR valuation and reserve methodology, if applicable.

(5) Verification of adequate fidelity and errors and omissions (E&O) insurance.

(6) Testing of controls related to risk management activities, including compliance and stress testing, where applicable.

(f) Risk Management. - A covered institution shall establish a risk management program under the oversight of the board of directors and available to the Commissioner upon request that identifies, measures, monitors, and controls risk sufficient for the level of sophistication of the mortgage servicer. The risk management program shall have appropriate processes and models in place to measure, monitor, and mitigate financial risks and changes to the risk profile of the mortgage servicer and assets being serviced. The risk management program shall be scaled to the complexity of the organization but shall be sufficiently robust to manage risks in several areas, including all of the following:

(1) Credit risk: The potential that a borrower or counterparty will fail to perform on an obligation.

(2) Liquidity risk: The potential that the mortgage servicer will be unable to meet its obligations as they become due because of an inability to liquidate assets or obtain adequate funding or that it cannot easily unwind or offset specific exposures.

(3) Operational risk: The risk resulting from inadequate or failed internal processes, people, and systems or from external events.

(4) Market risk: The risk to the mortgage servicer's condition resulting from adverse movements in market rates or prices.

(5) Compliance risk: The risk of regulatory sanctions, fines, penalties, or losses resulting from failure to comply with laws or other supervisory requirements applicable to the mortgage servicer.

(6) Legal risk: The potential that actions against the institution that result in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the operations or condition of the mortgage servicer.

(7) Reputation risk: The risk to earnings and capital arising from negative publicity regarding the mortgage servicer's business practices.

(g) Risk Management Assessment. - A covered institution shall conduct a risk management assessment on an annual basis concluding with a formal report to the board of directors available to the Commissioner upon request. Evidence of risk management activities throughout the year shall be maintained and made part of the report, including findings of issues and the response to address those findings.  (2025-43, s. 1.)