CoreLogic and Asset Securitization Report sponsored a Web seminar called Today's Best Practices in RMBS Due Diligence. The event was moderated by Michael Stanton, executive vice president for SourceMedia's capital markets division.

With the RMBS landscape changing, the role of due diligence in this sector has become more crucial. And as the RMBS market comes back to life, there will be many differences in terms of deal transparency and data availability compared with what the market was used to before the crisis.

Driven by regulation and the securitization market's efforts to improve the collateral quality in underlying deals, industry players are developing new tools to help with their due diligence and with finding value in mortgage bonds.

Participants in the roundtable are: Mark Hughes, vice president of due diligence solutions at CoreLogic; Kathy Kelbaugh, vice president and senior analyst at Moody's Investors Service; and Steve Kudenholt, partner and co-chair in the capital markets practice at SNR Denton.

Stanton: I'm going to turn the podium over to Mark who will give us an overview on how due diligence is changing and evolving in the current market.

Hughes: For the purposes of this discussion, I think it's important that we understand that due diligence was employed previously in transactions and is a term that can be defined however anyone wants to define it. What's important is that we're much better at getting to an understanding throughout the marketplace of due diligence, the material that's available and the scope that should be applied so that we can make sure that we can accommodate the risk factors in transactions that we were not paying attention to in the past.

Over the years, due diligence evolved into a necessary evil, which would be a defensive strategy around evaluating a portfolio in line with what the underwriting guidelines that were presented and, beyond that, not looking much further than the file. So initially in underwriting transactions, there was a focus on the three Cs - credit, capacity, and collateral. Over time, it became more of a philosophy of underwriting to the matrix. So originators would put out certain criteria around credit parameters and the underwriting and the due diligence was strictly around validating those data points.

The appraisal review was fairly limited in scope, primarily looking around transactions that were listed on the appraisal at origination, but they weren't accessing any of the public record information or other information available in the marketplace to validate those sales and actually look for other transactions that are available today. In the past, predatory lending compliance interestingly enough was actually an area of focus and that was driven primarily by legislation at the federal, state and local level as well as requirements of the rating agencies for testing and the S&E liability issues that followed those predatory lending issues. Over the years there were certainly developments in fraud detection tools that were employed on the origination side and the capital market side. The marketplace was slower to understand what tools were available, how they might be used and what impact these tools might have on portfolios. So although we did see some increased focus in the 2005-2006 time period on fraud detection tools, there wasn't really an understanding in the marketplace on how to apply them.

So where does that bring us? It's all about rating agency requirements at the loan level. It's important to understand [rating agency] requirements and how these will be employed by due diligence firms.

Kelbaugh: I want to talk about what we would look for in an acceptable reviewer at the due diligence firm - how sampling would occur, the review type, the scope and how we get those results reported. From the criteria perspective, this is a little different. The [Securities and Exchange Commission (SEC)] came out with its new due diligence guidelines. Those guidelines called issuers to do the review. From our perspective, we would much rather have an independent review, a third party that would review all the factors of the loan. I have a detailed list of the seventeen things we would look for, but the key to this is that we have experienced underwriters and project managers that are on the review. They can provide detailed reporting to us on each loan and what they found. Moody's is a little bit different than other rating agencies as we look at this on a per transaction basis. We would like the due diligence firm to be able to say for each deal they've reviewed that they can say yes to all these items.

Again this is different from the sampling perspective. In the past, due diligence was done on an adverse sample selection. So loans that looked to be the highest risk, they were the ones that got reviewed. But for us to really look at a sample and find the results for those, we wanted to understand what that is so we can apply those results to the unsampled portion. To do that, the sample has to be random and we'd like the reviewer to be the one that pools that sample, not the issuer or the sponsor of the deal. When you look at random sampling, when you get under 300 loans in a population, you come close to looking at 100% anyway. We're thinking that each loan in the 300 loans will be reviewed. Just to give you a feel for how random sampling would work out, for new loans we look for 95% confidence level and with seasoned loans we look for a 99% confidence level. That's because the older vintages tend to have weaker, more inaccurate data.

What are the types of reviews that we do? We look at what operationally can effect loan performance. We perform an originator assessment and we have a servicer rating team. Although it's not required to have a rating, we would also do an assessment of the servicer. Both the originator and servicer performance have a big impact on how loans ultimately perform. If you get a loan that looks the same on paper in terms of LTV and DTI compared to another originator's loan, one will perform very different from the other. We believe that comes from the way the originator processes and underwrites loans. So we will do a full operational assessment before we rate a deal.

To get back to loan-level reviews, we bifurcated how we looked at it. For loans that are 18 months or less even, we consider those newly originated loans, we want to review the credit, the collateral, the appraisal and the compliance review. For the credit we want, we need external third-party re-verification of income and assets including credit scores. For stated income loans, if they ever come back, we would like a reasonable check - whether that's Department of Labor statistics or the average income for that type of occupation - and we look for the diligence firm to be able to do that. Finally, we look for the compliance within the guidelines because those are the things that tend to be disclosed to investors.

From a collateral perspective, we effectively look for the appraisal licensing, if the appraisal's completed, the cost to build is completed as well as the comparable value. We expect the diligence firm to look and agree that the appraisal's fully supported in value. If not, we want the diligence firm to go out and pull AVMs, BPOs, best reviews until they get to a point where they feel like the values are supported. In the compliance review, we look at everything from the APRs, right of rescission, good faith estimates and the high cost to restore. We're still concerned about it, but with all the prime loans that we have it's less of a factor these days.

For loans that are more than 18 months old, the credit review changes a bit. As loans get older, underwriting criteria has less to do with the performance of the loan. So what we would like for the diligence firm to do on seasoned loans is to confirm that the updated FICO scores provided to us were correct, validate modification income if there is any information on that and the payment history that's been provided to us. For the collateral review, it's the same as if it were an unseasoned loan. We get some pushback for the compliance review, but a lot of people will say that the truth in lending violations would go away after three years. That is true, a borrower could not bring an affirmative action against the trust or the lender after three years. However, for the life of the loan, that violation can be brought as a defense to foreclosure. It can either take away the ultimate liquidation and/or extend out the foreclosure timeline. So we are still very interested in the regulatory compliance aspect of the loans regardless of its age.

We also look for someone to oversee the pool for the life of the loan and this is to determine if there are breaches in warranty so that the trust doesn't incur losses that we're not getting a true credit risk and rather they were generated by a defective loan.

From a reporting standpoint, we do have strict requirements for our diligence firms. We like to grade on what the scope is. That has to be recorded and we actually will put that out in our reports on the deal. Also, what is considered a defect? How much leeway did we give? We look for loan level findings from pre-deal closing. They need to be submitted to us from the diligence firm before they're vetted with the originator or the sponsor. We just want to understand what the third party really thinks about the loan before they hear the story back from the originator. We will consider whatever feedback there is from the originator before we close out the deal because there obviously can be mistakes by the firm, but we do want to understand from a pure third-party review what they saw. We also expect on every loan what I would call a data delta. So if the originator or sponsor provided us with a value say for LTV, if a third-party diligence firm tells us what the appraised value was, we look for the diligence firm to say what they think the value is and provide us with their best feeling about the LTV or what the actual value is. Finally, from the third-party billers and firms, we actually look for in writing from the officer that there was no coercion from the sponsor, that they're independent from the sponsor and that they did what we wanted them to do according to our criteria and that goes to finding what the defects are.

At the end of the day, things have really changed and we would like to be involved in calls with the sponsor and the originator and the third-party review firm to agree upon what the defects are and what will be reviewed and what will be in scope, how big the sample is. We want to ensure that the third-party diligence is random and pooled by the due diligence firm. For those of you who actually issue securities, if there are going to be two 'Aaa' securities with groups of loans under, to the extent those groups are separate, they would be considered two different pools and that would go to how big the sample size would be needed for each.

So far, the few deals we've rated over the last couple years, the biggest hiccup has been on the regulatory compliance side. We will consider lawyer fees in addition to the statutory and punitive plans to be enforced against the trust and that can get pretty costly and bumps up credit enhancements substantially. It does take quite a bit of time for us to get through and rate an RMBS at this point. The originator assessments tend to take a couple months and the collateral review, structure and diligence takes at least a couple of weeks.

Kudenholt: I want to just go over the legal background of a few third-party diligence practices. Due diligence in some sense is a bit of a misnomer in terms of the nature of disclosure that is required. Originally, third-party diligence services were engaged to help an underwriter establish its due diligence defense for liability for perspective and they served that purpose. That's why they originally became known as due diligence reports, but one of the big weaknesses with practices from the mid part of the last decade was that those reports were not shared or required to be delivered to the rating agencies and they weren't fully disclosed to investors. There were some reasons why those were the practices, but nevertheless that was a weakness in the system. The rating agencies certainly have stepped up to the plate to impose requirements for a third-party diligence and that the results be shared with them. So they've taken the lead on getting involved with that. Also, RMBS issuers have voluntarily started disclosing in their prospectuses the third-party diligence review, in particular the recent Sequoia Mortgage Trust 2011-1 and its predecessor transaction the prior year includes extensive disclosure about the pre-offering review of the mortgage loans, which basically goes around describing the credit compliance review that was done as well as the appraisal review and other steps taken to verify the value of the collateral essentially those diligence requirements that were required by the rating agencies.

Now, we're entering a new phase of disclosure with the SEC's recent final rules on the review of the assets. They were published in January after a comment period from last fall. We were involved in doing a comment later for the [American Securitization Forum (ASF)] on that and these final rules are now effective. They will begin to apply to ABS offerings that are initially issued after the end of 2011. But, what's really important about these rules is that they don't really relate to due diligence. What they really are doing is mandating that a review of the assets be performed to a certain standard and that there be disclosure about the nature and findings of the review. The SEC makes it clear that this is simply disclosure to investors. They are not trying to regulate in these rules the nature of the actions taken by the underwriter to establish their due diligence defense. So it's really just a mandatory review of the assets and disclosure about that review.

There are three elements of the rule that were adopted. There's a new Rule 193, which requires issuers of publicly offered [ABS} to perform a review of the pooled assets to a reasonable assurance standard. A separate requirement is in Regulation AB that requires including disclosure about the nature and the findings of the review that was done in compliance with Rule 193. Then finally, an additional new Regulation AB item, which requires disclosure about exceptions to assets in the pool. Now, these rules as adopted only apply to publicly offered deals and, again, starting in 2012, they do not apply to privately offered transactions. There is actually a separate Dodd-Frank mandate to establish regulations that will require disclosure about third-party reviews for private deals as well, but that is going to be part of the larger credit rating agency rule. That will be coming out later this year. The SEC also indicated in its adopting release for these rules that they in any event should be applied to private deals as well, but they're going to consider that as part of their larger project in which they would impose Regulation AB requirements generally on private placements.

In terms of the Rule 193 review., the issuer is obligated to perform this review. They are allowed to engage a third party to perform part or all of the review.

The disclosure required by 1111(a)(7) requires that the prospectus must state whether or not a third party is engaged but there's really two very different ways to do that disclosure if you are using a third party to perform the review. The issuer can attribute the results of the review, the finding of the review to itself and thereby avoid naming the third party that performed the review in the prospectus. That was actually the approach used in the Redwood Trust deal and that results in the third-party diligence firm not being named and, therefore, not having expert liability for the accuracy of their review. One of the features that goes along with that is that if the issuer is using that approach, they should avoid disclosing in any other offering communication, such as free writing prospectuses the identity of the third-party reviewer.

The other way to do this is to attribute the findings to the third party or name the third party. In that case, the third party must consent to be named in the prospectus and that has the effect of causing them to have expert liability under the '33 Act for the accuracy of the disclosure about their review and that's a big concern. One of the major aspects of the comment process was to push back on expert liability categorically for third-party review services, but those arguments just did not fly. The SEC did give this way to avoid naming a third party if that was going to be essentially commercially mandated. I'm not sure where all the different third-party diligence firms are on this issue. I know some of them have indicated to various people that they would be willing to take on expert liability. Other firms still have or last time I checked with them, had a great reluctance to do that. So we'll have to see how that plays out.

The nature of the review required under Rule 193 is that it must provide a reasonable assurance that the disclosure in the prospectus regarding the pooled assets is accurate in all material respects. It does not really include a mission standard. It's more what is said is accurate. The issuer cannot rely on a review by an unaffiliated originator for purposes of that review, but what they can do is if the issuer aggregates the loans over a period of time prior to securitization and they do this review some months prior to securitization or at the time of purchase, for example, they can use those reviews for this purpose. What parts of the prospectus are covered by this requirement? Because the rule is really saying whatever is the disclosure about the pool assets, you have to do a review and describe the review as well as the results of the review. It's broader than the diligence that is conducted today. It's not a specification limited to credit and compliance reviews. It's not specifically limited to data integrity or the value of the assets. It's more general than that. The release discusses this, talks about what the review should include, information about the credit quality and the underwriting of the assets but it also indicates that the disclosure required by Item 1111 of Reg AB, the mandatory disclosure about the pool assets is generally a disclosure that must be covered by this review. So, for example, all of the statistical data about the pool, the stratification, the LTVs, and debts and DTIs and so forth, all of that tabular information is definitely included in what should be covered by the review. Narrative information about the assets should also be covered. Generally, it's pretty much the entire description of the mortgage pool section prospectus, the description of the underwriting criteria as well. We don't really think that every single aspect of Item 1111 is scoped in, however. So aspects of Item 1111 that don't specifically relate to disclosure about the assets but relate to other things, we don't think really have to be covered. Descriptions about the contractual reps and warranties, the servicing procedures, risk factors, those don't appear to be covered.

Is sampling permitted? The rule definitely embraces and allows the concept of sampling, subject to a general reasonableness standard. It depends very much on loan size and concentration. It probably would not be appropriate for a CMBS transaction, for example, that has a small number of relatively large loans but very much seems appropriate for RMBS transactions. The new Item 1111(a)8 requires that exceptions be disclosed. This is something that we're also starting to see appear in disclosures on a voluntary basis. The Redwood deal identified the number of loans that were exceptions to the underwriting criteria and has a table at the end of the description that describes specific exception types, like LTV exceeds program guidelines and indicates what the compensating factors categorically were. That's the kind of disclosure that we'll be seeing on a mandatory basis from this element of the rule. The rule will also require that the entity that decided that asset should be included in the pool notwithstanding those exceptions has to be identified.

Finally, how will practices change under Rule 193? Disclosures about third-party diligence reviews will continue, but may or may not be attributed to the third party.

Issuer review procedures for the pool description have to be essentially formalized. Maybe issuers will have to establish written procedures and guidelines under which they conduct that review of the disclosure so that they can describe the review in the prospectus.

An important aspect of this is accountant's comfort letters. Normally in these transactions accounting firms are engaged to provide an agreed-upon procedures letter in which they verify the tabular numerical information about the pool in the prospectus. For technical reasons that slightly elude me, the accountants are very uncomfortable with disclosure about their [Acceptable Use Policy] letters. They are not comfortable with their letter being shared publicly, particularly if it is required to reach a reasonable assurance standard, which has a specific meaning within accounting literature. So we believe that categorically it'll simply be impossible to disclose the accounting firm and that they did the review in this disclosure. But the disclosure will have to talk about the issuer having conducted some review through the accounting firm and describing the nature and results of that in the disclosure through attribution to the issuer.

Hughes: We need to revisit what due diligence is for loan level reviews with respect to RMBS transactions. We're seeing a similar push regardless of whether it's a structured transaction or a whole loan sale to meet these requirements. Primarily it's around four key points, which includes an evaluation as credit, compliance, collateral and fraud. Based on the type of product and transaction, the weight that you assign those may change or in some seasoned transactions, credit may not apply but primarily this is what you're looking for, certainly in a new transaction or new product. There are tools available in the market for understanding in addition to looking at the contents of the loan file. There is also public record information and other databases to drive your due diligence process and give you data points outside of the loan file to validate that information and those decisions. These enables the creation of customized workflows that will be specific to the product and the transaction that you're looking at - less of a boilerplate static process and a much more dynamic process that will vary from deal to deal and, in the end, create due diligence as a value added service to all participants in the RMBS transaction, whether they be a sponsor of the due diligence firm, the rating agency that's relying on those results or, in the end, the most important aspect here really is the investor.

So what do we mean when we talk about comprehensive and customized workflow solutions for due diligence? We mean essentially having loan level results that are data oriented both based on information that's supplied by the loan file as well as information that you can obtain outside of the loan file using data sources that are available to expand the scope, to comprehensively look at all the important risk factors, to be flexible enough in how you construct that solution so that based on exceptions that you may find in the course of your review you can expand certain aspects of that review - at least around certain data points or potentially expand your sample if you're finding more exceptions than you were anticipating - and to be able to have event-driven results so that all users of that information understand the information and how you arrived at that information and they can make the decisions they need to based on that.

In credit underwriting, with information you have in the data file you should be able to reconstruct the income, data and asset picture for that borrower and have the credit score and have access to the credit report. But, you also need to understand there are third-party sources you can go to outside of those data files to verify some of that information and look for reasonableness testing on stated-income loans or even loans that are documented to be able to go outside the documentation that was provided in the file and give you some level of comfort as to whether that's reasonable or this other data source would conflict with information in the file. We have often times seen verifications of income and employment in the file as well as credit reports that were not accurate and had been doctored either by the borrower or potentially by the lender.

Compliance testing, which is getting away from subprime and has been less of an issue in more recent times, is still an important aspect. You need to make sure you have a robust predatory lending compliance engine incorporated into this system or the service provider that you use so that you're accurately identifying any of those issues around federal, state or local predatory lending requirements. With the new disclosure and RESPA requirements that came out last year, the compliance picture has actually gotten much more complex over the last year or so. So it's important to make sure that you're incorporating that into your review. Generally we imply an escalated valuation process and we recommend that for most clients. You may start out with an AVM, which certainly on the type of collateral we're talking about and the Redwood deals and others is a good indicator, but often times based on the type of collateral or properties that are in your deal, that's not always going to give you the best picture of the value. You may need to go through a more escalated valuation review that may employ an appraiser looking again at the property or sample of properties based on variance testing with AVM values relative to original appraised values. Through public record information, you can access openly and search information to identify undisclosed debts on the property as well as incorporate that into your valuation review to understand your true LTV on the property as driven by all outstanding liens and today's value on that property. That's something you'll want to check against the LTV value that was presented on the tape. Probably most important in the process was having a robust fraud detection tool. There is a tool that we use in our process that helps identify areas of risk around identity, income, occupancy, and valuation that can help drive your review to be more efficient. Lastly, on the servicing results mostly for seasoned transactions whether they're structured or not, it is important to access the information in that public record information for your review.

The Loan Safe Risk Manager is a CoreLogic tool that identifies areas of risk around collateral value, as well as this borrower identity income and property issues. Primarily it is a risk score-driven product that identifies this particular product as having a score of 1 to 999 - a higher score meaning higher risk product. Often times it's used upfront in the due diligence process to identify higher risk loans around any of these attributes. Generally, the most effective use is not necessarily just using the score but a combination of the high-risk score and individual risk alerts that drive you to particular areas that you need to investigate further in your due diligence process. Any effective and efficient process is going to require directing your due diligence resources in the most effective manner, which means for loans that have potentially high risk around property, you want to make sure that you have a more expanded review process for areas where identity is a potential issue or there is a disconnect on the stated income of the loan relative to the borrower. Those are things that you need to make sure in your loan level review that you're digging deeper into whether that's a true risk or not. A tool like this will help you do that in your process.

Through a risk tool like this, you can accesses public record information and do a check of the social security number that you have on the tape versus the information that the tool can test based on access to databases that they have. Another example of an issue that can be uncovered with a good fraud detection tool is around owner occupancy. You need to be able to access information on the loans that are represented to be primary residence for the borrower outside the loan file, not just rely on the application in the loan file where the borrowers state whether they intend to occupy the property or not but to be able to access public record information and look at other properties that borrowers own. At the same time, you should be able to dig deeper beyond just the number of properties, and look at characteristics such as the value of the different properties that borrowers own. You'll generally find that the property that is the highest value and the largest is the primary residence and other properties that have lower value and smaller are generally investment properties. You also want to be able to access information where tax bills are sent.

Income misrepresentation is obviously an important issue here, whether loans or stated income. Although we are not seeing many of those loans today, we still need to understand whether the income is stated income or is it validated to some extent in the file. You need to be able to check outside data sources as a reasonable check against that volume and that value. You'll need to look at the documentation in the file to look at the verifications that are in the file to look at the supporting documentation, but you'll also want to access tools that are out there.

On the valuation side, you want to be able to access clearly through public records a lot of information out there around property transactions. On this particular tool you can compare the input value of a property versus a median value in a particular area. Through analytics involving the transactions in an area, you can see at the same point in time that the average market decline in the area has been. Through accessing this tool you can see the transaction history for this property.

Although we have some clarity around the regulatory issues and the rating agency requirements, there are still some issues to be resolved in the due diligence here. The liability of third-party providers is certainly an issue in terms of how they're going to do deal with expert professional liability and certainly firms have weighed in one way or the other on how they feel about it. But, the market is really going to have to accommodate the fact that this is a requirement of providers if they're named in the prospectus. How they're going to handle that will certainly require that there'll be probably contractual arrangements in place and certainly the cost of doing due diligence will be changing markedly to accommodate for the broader scope of the review to capture these compliance issues as well as to account for the liability.

A couple of thoughts on due diligence. There's a lot of focus on the two Redwood transactions that have been done in the last two years and how much value is there to extensive loan-level due diligence when the credit quality of what you're looking at is so high? Certainly we need to understand that that's the case on a couple of transactions that we've seen and, of course, when the market restarts, it is going to start with the highest quality loans but we were involved in one of those transactions and we're involved in many other transactions that were not necessarily securitized but are new origination where we are still finding many many exceptions to underwriting guidelines versus what's represented. We expect to see, based on the compliance thresholds and a return to competitiveness in the origination market, that there will still be many cases where underwriting guidelines are being pushed or expanded and there will be originators fighting for market share in that environment. Everyone needs to understand that you cannot rely necessarily on what has been represented on a tape. You really need to not only look at the contents of the file but also be able to understand what new tools are out there and available for use right now that were potentially not available in the past and to be able to incorporate that into your process.

Stanton: Looking at the due diligence process, one of the issues in securitization is loans are initially selected randomly. Is there anything in the new regulatory structure or other due diligence processes that can help investors get comfortable with this happening even before the securitization is built?

Kelbaugh: I think the SEC rules don't require any specific type of review. So they have gone out of their review to say that it's okay to have an adverse sample or a random sample. From Moody's perspective, for us to be able to rate the deal, we would look for a random sample.

Stanton: So are you saying Moody's won't rate a deal if adverse samples have been used in the diligence?

Kelbaugh: Right now we're looking at it only at random because we cannot take what was pooled on an adverse selection and apply it to the rest of the pool. So, the answer right now is no. Although we don't mind if there's a random sample done and then an additional adverse sample. We'd love to see the results of that as well, but we do require a random sample.

Stanton: Do the requirements under Dodd-Frank regarding the disclosure of the review apply to just MBS/ABS or does that also extend to other sectors?

Kudenholt: Yeah, it applies to any type of [ABS] using the broad definition of an [ABS} that Dodd-Frank enacted. It's not even limited to Reg AB-timed [ABS]. It can be broader. Although, as I noted, it's limited to publicly offered deals.

Stanton: Kathy, will Moody's offer ongoing surveillance services to make sure the reps and warranties are not violated? And if not, what kind of firms are likely to get into that business?

Kelbaugh: Moody's does not do that. We do surveillance on our ratings. What we look for within the documents themselves is for a reliable party to do those forensic reviews. For example, a trustee may have to do it or a credit risk manager. In some cases in deals that we have rated, the way it worked out was the investors were able to get the file and do the review themselves. So Moody's will not provide that service but we would look for someone to be obligated to do that within the preliminary service interview.

Subscribe Now

Access to a full range of industry content, analysis and expert commentary.

30-Day Free Trial

No credit card required. Access coverage of the securitization marketplace, including breaking news updated throughout the day.