#2021-043 UNITED STATES OF AMERICA DEPARTMENT OF THE TREASURY OFFICE OF THE COMPTROLLER OF THE CURRENCY

In the Matter of: ) ) Cenlar FSB ) AA-ENF-2021-45 Ewing, New Jersey ) )

CONSENT ORDER

WHEREAS, the Office of the Comptroller of the Currency (“OCC”) has supervisory authority over Cenlar FSB, Ewing, New Jersey (“Bank”);

WHEREAS, the OCC intends to initiate cease and desist proceedings against the Bank pursuant to 12 U.S.C. § 1818(b), through the issuance of a Notice of Charges, for engaging in unsafe or unsound practice(s), including those relating to the Bank’s internal controls and operational risk management practices;

WHEREAS, in the interest of cooperation and to avoid additional costs associated with administrative and judicial proceedings with respect to the above matter, the Bank, by and through its duly elected and acting Board of Directors (“Board”), consents to the issuance of this Consent Order (“Order”), by the OCC through the duly authorized representative of the Comptroller of the Currency (“Comptroller”); and

NOW, THEREFORE, pursuant to the authority vested in the OCC by Section 8(b) of the Federal Deposit Insurance Act, as amended, 12 U.S.C. § 1818(b), the OCC hereby orders that:

ARTICLE I

JURISDICTION

(1) The Bank is an “insured depository institution” as that term is defined in 12 U.S.C. § 1813(c)(2).

(2) The Bank is a Federal savings association within the meaning of 12 U.S.C. § 1813(q)(1)(C), and is chartered and examined by the OCC. See 12 U.S.C. §§ 1461 et seq., 5412(b)(2)(B).

(3) The OCC is the “appropriate Federal banking agency” as that term is defined in 12 U.S.C. § 1813(q) and is therefore authorized to initiate and maintain this cease and desist action against the Bank pursuant to 12 U.S.C. § 1818(b).

ARTICLE II

COMPTROLLER’S FINDINGS

The Comptroller finds, and the Bank neither admits nor denies, the following:

(1) The Bank’s internal controls and risk management practices do not support the current risk profile and size of the Bank’s mortgage sub-servicing portfolio, which is an unsafe or unsound practice.

(2) The OCC has identified and previously communicated to the Bank the following deficiencies and unsafe or unsound practices with respect to: performance and response to issue(s) identification, remediation, risk oversight, and accountability within first line operations, including default and servicing operations and Bank information technology (“IT”); and internal controls and operational risk management practices, including testing of preventative control processes, self-assessment processes, and leadership and oversight of business operations.

(3) The Bank has failed to take timely corrective actions to remediate its deficiencies and unsafe or unsound practices.

ARTICLE III

COMPLIANCE COMMITTEE

(1) Within thirty (30) days of the effective date of this Order, the Board shall appoint a Compliance Committee of at least three (3) members of which a majority shall be directors who are not employees or officers of the Bank or any of its subsidiaries or affiliates. The Board shall submit in writing to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, the names of the members of the Compliance Committee within ten (10) days of their appointment. In the event of a change of the membership, the Board shall submit in writing to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, within ten (10) days the name of any new or resigning committee member. The Compliance Committee shall be responsible for approving the action plan required under Article IV of this Order, along with monitoring and overseeing the Bank’s compliance with the provisions of this Order. The Compliance Committee shall meet at least quarterly and maintain minutes of its meetings.

(2) Within sixty (60) days of the effective date of this Order, and thereafter within thirty (30) days after the end of each quarter, the Compliance Committee shall submit a written progress report to the Board setting forth in detail:

(a) a description of the corrective actions needed to achieve compliance with each Article of this Order; (b) the specific corrective actions undertaken to comply with each Article of this Order; and (c) the results and status of the corrective actions.

(3) The Board shall forward a copy of each progress report, with any additional comments by the Board, to the Examiner-in-Charge within ten (10) days of the first Board meeting following receipt of such report.

ARTICLE IV

ACTION PLAN

(1) Within sixty (60) days of the effective date of this Order, the Bank shall submit to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, for review and prior written determination of no supervisory objection an acceptable written action plan containing a complete description of the remedial actions required by this Order and the specific actions necessary to achieve compliance with Articles V through VII of this Order (“Action Plan”). The Action Plan, at a minimum, shall specify:

(a) a description of the corrective actions needed to achieve compliance with each Article of this Order; (b) reasonable and well-supported timelines for completion of the corrective actions required by this Order; and (c) the person(s) responsible for completion of the corrective actions required by this Order.

(2) The timelines contained in the Action Plan shall be consistent with any deadlines set forth in this Order, including any modifications to the Order made pursuant to Article XI, Paragraph (5).

(3) In the event the Assistant Deputy Comptroller requires changes to the Action Plan, the Bank shall incorporate the required changes into the Action Plan and submit the revised Action Plan to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, for review and prior written determination of no supervisory objection.

(4) Upon receipt of a written determination of no supervisory objection from the Assistant Deputy Comptroller, the Board shall timely adopt the Action Plan and verify that Bank management has timely implemented all corrective actions required by this Order. Bank management, subject to Board review and ongoing monitoring, shall thereafter ensure adherence to the Action Plan, including the timelines set forth within the Action Plan.

(5) The Bank shall not take any action that will cause a significant deviation from, or material change to, the Action Plan. Where the Bank considers modifications to the Action Plan appropriate, the Bank shall submit a revised Action Plan containing the proposed modifications to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, for prior written determination of no supervisory objection. Upon receipt of written determination of no supervisory objection from the Assistant Deputy Comptroller the Board shall timely adopt the revised Action Plan and verify that Bank management has timely implemented all corrective actions required by this Order. Bank management, subject to Board review and ongoing monitoring, shall thereafter ensure adherence to the revised Action Plan, including the timelines set forth within the revised Action Plan.

(6) By March 31, 2022, and thereafter within ten (10) days after the end of each quarter, the Bank shall prepare, and shall submit to the Board, a written Action Plan progress report setting forth in detail:

(a) the specific corrective actions undertaken to comply with each Article of this Order; (b) the results and status of the corrective actions; and (c) a description of the outstanding corrective actions needed to achieve compliance with each Article of this Order and the party or parties responsible for the completion of outstanding corrective actions.

(7) The Board shall forward a copy of the Action Plan progress report, with any additional comments by the Board, to the appropriate OCC official within ten (10) days of the first Board meeting following the Board’s receipt of such report.

(8) Within one hundred eighty (180) days of receipt of a prior written determination of no supervisory objection to the Action Plan, the Bank’s Internal Audit department shall complete an assessment of the Bank’s progress towards implementing the Action Plan. On a semi-annual basis, Internal Audit must review and communicate that Bank management’s Action Plan progress report is accurate, including the assessment of whether any material changes have occurred that require no supervisory objection. Internal Audit’s findings shall be memorialized in writing and, within thirty (30) days of completing the assessment, Internal Audit shall provide such written findings to the Compliance Committee and the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge.

(9) In addition to the other requirements of this Article, the Bank shall submit requests for the addition of new subservicing clients to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, for prior written determination of no supervisory objection. The Bank shall incorporate the requirements of this Paragraph into the Action Plan, including appropriate content and timeframes for providing reports and other information to the OCC related to this Paragraph.

(10) At least thirty (30) days prior to any proposed declaration of a dividend or approval of the proposed capital distribution by the Board, the Bank shall submit an application to the Assistant Deputy Comptroller, with a copy to the Examiner-in-Charge, to declare or pay dividends to shareholders for a prior written determination of no supervisory objection, and shall not declare or pay dividends to shareholders until such time as the Bank receives the prior written determination of no supervisory objection.

ARTICLE V

SYSTEM OF INTERNAL CONTROLS

(1) Within the timeframes set forth in the Action Plan required by Article IV and to which the Bank has received no supervisory objection, the Bank shall develop and implement, and thereafter maintain, an effective internal controls program commensurate with the types and complexity of risks associated with all transactions the Bank executes (the “Internal Controls Program”).

(2) The Bank’s Internal Controls Program shall ensure the Bank establishes and implements effective internal controls in first line servicing operations to conduct business in accordance with applicable state and federal laws and regulations and government-sponsored enterprise (“GSE”) requirements.

(3) The Bank’s Internal Controls Program also shall ensure the Bank addresses and corrects all deficient first line servicing operations controls and practices identified in any supervisory or regulatory communication, internal audit report, second line quality testing, and client audit notification.

(4) In addition to satisfying the requirements of Paragraphs (2) and (3) of this Article, the Bank’s Internal Controls Program shall, at a minimum, include internal control policies, processes, and practices that address:

(a) clear delineation of roles and responsibilities, and ownership of risk and controls among the Bank’s three lines of defense; (b) effective issues management processes, including root cause analysis and resolution; (c) effective operational change management controls and processes; (d) first line operations oversight of vendor management controls and performance; (e) meaningful management information systems (“MIS”) and reporting that is timely, complete, and accurate; (f) comprehensive and transparent risk control self-assessments (“RCSAs”) processes; (g) assessment of system capabilities, including automation opportunities that exist, but are not currently utilized, in existing applications; and (h) sufficient first-line business staffing, including: (i) manager and supervisor accountability with measurable performance expectations in connection to risk and control objectives; (ii) sufficient staff levels and qualifications to effectively and timely execute daily operations; (iii) implementation of job-specific training and focus on building in-house expertise; and (iv) implementation of communication and escalation processes supporting employee ability to proactively escalate issues and emerging risks.

(5) The Board shall ensure that the Bank implements and adheres to the Internal Controls Program required by this Article.

ARTICLE VI

DEFAULT OPERATIONS

(1) Within the timeframes set forth in the Action Plan required by Article IV and to which the Bank has received no supervisory objection, the Bank shall develop and implement, and thereafter maintain, an effective default operations program with respect to loss mitigation, foreclosure, and claims activities (the “Default Operations Program”).

(2) The Bank’s Default Operations Program shall ensure the Bank establishes and implements effective loss mitigation, foreclosure and claims activities in accordance with applicable state and federal laws and regulations and GSE requirements.

(3) The Bank’s Default Operation Program shall also ensure the Bank addresses and corrects all deficient default operations identified in any supervisory or regulatory communication, internal audit report, second line quality testing, and client audit notification.

(4) In addition to satisfying the requirements of Paragraphs (2) and (3) of this Article, the Bank’s Default Operations Program shall, at a minimum, include policies, procedures, controls, and processes that ensure the Bank engages in timely, accurate, and complete:

(a) loss mitigation activities, including pre-closing and post-closing functions; (b) borrower communications related to loss mitigation; (c) investor claim filings; (d) reporting that provides the Board and management with information depicting the Bank’s default operations performance; (e) de-activation of loans in the loss mitigation process being transferred to new servicers and delivery of proper documentation to new servicers; and (f) furnishing of required IRS information to all applicable parties.

(5) The Board shall ensure that the Bank implements and adheres to the Default Operations Program required by this Article.

ARTICLE VII

INFORMATION TECHNOLOGY CONTROLS

(1) Within the timeframes set forth in the Action Plan required by Article IV and to which the Bank has received no supervisory objection, the Bank shall develop and implement, and thereafter maintain, a written program to effectively assess and manage the Bank’s IT activities (the “IT Control Program”). Although the Bank may outsource some or all of its IT functions, outsourcing does not change the Board’s responsibility to ensure effective IT controls.

(2) The Bank’s IT Control Program shall ensure the Bank addresses and corrects all deficient IT-related practices identified in any supervisory or regulatory communication, internal audit report, second line quality testing, and client audit notification.

(3) The Bank’s IT Control Program also shall be commensurate with the level of risk and complexity of the Bank’s IT activities and shall, at a minimum, include the following:

(a) an effective IT and Information Security (“IS”) risk governance program that establishes the roles, responsibilities, and accountability of the Board and management; (b) an IT/IS strategic planning process that includes, but is not limited to: (i) short term and long term goals and the allocation of IT resources to achieve them; (ii) alignment of the IT/IS strategic plan with the Bank’s enterprise-wide business plan; (iii) allocated technology budget; (iv) technology refresh forecasting; (v) identification and timelines to address priority items; and (vi) identification of current and future projects that align to the Bank’s business plan objectives. (c) IT asset management policies and standards that: (i) manage the IT asset life cycle; (ii) implement a comprehensive IT asset inventory with a consistent process to maintain integrity of data; and (iii) migrate IT assets near or past end-of-support or end-of-life to supported versions in a reasonable timeframe; and (d) a written operational change management program that: (i) addresses controls over the introduction of changes, in a controlled manner, into the IT environment; (ii) implements effective patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) and application software are timely and appropriately updated; (iii) includes the periodic use of vulnerability scanners to identify vulnerabilities in a timely manner; and (iv) includes timely and effective reporting to the Board and management on the status of outstanding patches, vulnerabilities, and IT-related issues and findings.

(4) The Board shall ensure that the Bank implements and adheres to the IT Control Program required by this Article. The Board shall review the effectiveness of the IT Control Program at least annually, and more frequently if necessary or if required by the OCC in writing.

ARTICLE VIII

GENERAL BOARD RESPONSIBILITIES

(1) The Board shall ensure that the Bank has timely adopted and implemented all corrective actions required by this Order, and shall verify that the Bank adheres to the corrective actions and they are effective in addressing the Bank’s deficiencies that resulted in this Order.

(2) In each instance in which this Order imposes responsibilities upon the Board, it is intended to mean that the Board shall:

(a) authorize, direct, and adopt corrective actions on behalf of the Bank as may be necessary to perform the obligations and undertakings imposed on the Board by this Order and the Action Plan required by Article IV; (b) ensure the Bank has sufficient processes, management, personnel, control systems, and corporate and risk governance to implement and adhere to all provisions of this Order and the Action Plan required by Article IV; (c) require that Bank management and personnel have sufficient training and authority to execute their duties and responsibilities pertaining to or resulting from this Order and the Action Plan required by Article IV; (d) hold Bank management and personnel accountable for executing their duties and responsibilities pertaining to or resulting from this Order and the Action Plan required by Article IV; (e) require appropriate, adequate, and timely reporting to the Board by Bank management of corrective actions directed by the Board to be taken under the terms of this Order and the Action Plan required by Article IV; and (f) address any noncompliance with corrective actions directed by the Board to be taken under the terms of this Order and by the Action Plan required by Article IV in a timely and appropriate manner.

ARTICLE IX

WAIVERS

(1) The Bank, by executing and consenting to this Order, waives:

(a) any and all rights to the issuance of a Notice of Charges pursuant to 12 U.S.C. § 1818; (b) any and all procedural rights available in connection with the issuance of this Order; (c) any and all rights to a hearing and a final agency decision pursuant to 12 U.S.C. § 1818 and 12 C.F.R. Part 19; (d) any and all rights to seek any type of administrative or judicial review of this Order; (e) any and all claims for fees, costs, or expenses against the OCC, or any of its officers, employees, or agents related in any way to this enforcement matter or this Order, whether arising under common law or under the terms of any statute, including, but not limited to, the Equal Access to Justice Act, 5 U.S.C. § 504 and 28 U.S.C. § 2412; (f) any and all rights to assert these proceedings, the consent to and/or the issuance of this Order, as the basis for a claim of double jeopardy in any pending or future proceedings brought by the United States Department of Justice or any other governmental entity; and (g) any and all rights to challenge or contest the validity of this Order.

ARTICLE X

OTHER PROVISIONS

(1) As a result of this Order, the Bank is not:

(a) precluded from being treated as an “eligible bank” for the purposes of 12 C.F.R. Part 5, unless the Bank fails to meet any of the requirements contained in subparagraphs (1) – (4) of 12 C.F.R. § 5.3, Definitions, Eligible bank or eligible savings association, or is otherwise informed in writing by the OCC; (b) subject to the restrictions in 12 C.F.R. § 5.51 requiring prior notice to the OCC of changes in directors and senior executive officers or the limitations on golden parachute payments set forth in 12 C.F.R. Part 359, unless the Bank is otherwise subject to such requirements pursuant to 12 C.F.R. § 5.51(c)(7)(i), (iii); and (c) precluded from being treated as an “eligible bank” for the purposes of 12 C.F.R. Part 24, unless the Bank fails to meet any of the requirements contained in 12 C.F.R. § 24.2(e)(1)-(3) or is otherwise informed in writing by the OCC.

(2) This Order supersedes all prior OCC communications issued pursuant to 12 C.F.R. §§ 5.3, 5.51(c)(7)(ii), and 24.2(e)(4).

ARTICLE XI

CLOSING

(1) This Order is a settlement of the cease and desist proceedings against the Bank contemplated by the OCC, based on the unsafe or unsound practices described in the Comptroller’s Findings set forth in Article II of this Order. The OCC releases and discharges the Bank from all potential liability for a cease and desist order that has been or might have been asserted by the OCC based on the practices described in Article II of this Order, to the extent known to the OCC as of the effective date of this Order. Nothing in this Order, however, shall prevent the OCC from:

(a) instituting enforcement actions other than a cease and desist order against the Bank based on the Comptroller’s Findings set forth in Article II of this Order; (b) instituting enforcement actions against the Bank based on any other findings; (c) instituting enforcement actions against institution-affiliated parties (as defined by 12 U.S.C. § 1813(u)) based on the Comptroller’s Findings set forth in Article II of this Order, or any other findings; or (d) utilizing the Comptroller’s Findings set forth in Article II of this Order in future enforcement actions against the Bank or its institution-affiliated parties to establish a pattern or the continuation of a pattern.

(2) Nothing in this Order is a release, discharge, compromise, settlement, dismissal, or resolution of any actions, or in any way affects any actions that may be or have been brought by any other representative of the United States or an agency thereof, including, without limitation, the United States Department of Justice.

(3) This Order is:

(a) a “cease-and-desist order issued upon consent” within the meaning of 12 U.S.C. § 1818(b); (b) a “cease-and-desist order which has become final” within the meaning of 12 U.S.C. § 1818(e); (c) an “order issued with the consent of the depository institution” within the meaning of 12 U.S.C. § 1818(h)(2); (d) an “effective and outstanding . . . order” within the meaning of 12 U.S.C. § 1818(i)(1); and (e) a “final order” within the meaning of 12 U.S.C. § 1818(i)(2) and (u).

(4) This Order is effective upon its issuance by the OCC, through the Comptroller’s duly authorized representative. Except as otherwise expressly provided herein, all references to “days” in this Order shall mean calendar days and the computation of any period of time imposed by this Order shall not include the date of the act or event that commences the period of time.

(5) The provisions of this Order shall remain effective except to the extent that, and until such time as, such provisions are amended, suspended, waived, or terminated in writing by the OCC, through the Comptroller’s duly authorized representative. If the Bank seeks an extension, amendment, suspension, waiver, or termination of any provision of this Order, the Board or a Board-designee shall submit a written request to the Assistant Deputy Comptroller asking for the desired relief. Any request submitted pursuant to this paragraph shall include a statement setting forth in detail the circumstances that warrant the desired relief or prevent the Bank from complying with the relevant provision(s) of the Order and shall be accompanied by relevant supporting documentation. The OCC’s decision concerning a request submitted pursuant to this paragraph, which will be communicated to the Board in writing, is final and not subject to further review.

(6) The Bank will not be deemed to be in compliance with this Order until it has adopted, implemented, and adhered to all of the corrective actions set forth in each Article of this Order; the corrective actions are effective in addressing the Bank’s deficiencies; and the OCC has verified and validated the corrective actions. An assessment of the effectiveness of the corrective actions requires sufficient passage of time for the Bank to demonstrate the sustained effectiveness of the corrective actions.

(7) This Order is not a contract binding on the United States, the United States Treasury Department, the OCC, or any officer, employee, or agent of the OCC and neither the Bank nor the OCC intends this Order to be a contract.

(8) Each citation, issuance, or guidance referenced in this Order includes any subsequent citation, issuance, or guidance that replaces, supersedes, amends, or revises the referenced cited citation, issuance, or guidance.

(9) This Order applies to the Bank and all its subsidiaries, even though those subsidiaries are not named as parties to this Order. The Bank shall integrate any activities done by a subsidiary into its plans, policies, programs, and processes required by this Order. The Bank shall ensure that its subsidiaries comply with all terms and provisions of this Order.

(10) No separate promise or inducement of any kind has been made by the OCC, or by its officers, employees, or agents, to cause or induce the Bank to consent to the issuance of this Order.

(11) All reports, plans, or programs submitted to the OCC pursuant to this Order shall be forwarded, by overnight mail or via email, to William Russell, Assistant Deputy Comptroller.

(12) The terms of this Order, including this paragraph, are not subject to amendment or modification by any extraneous expression, prior agreements, or prior arrangements between the parties, whether oral or written.