Subdivision 1.Board of directors required.

A covered institution must establish and maintain a board of directors that is responsible for oversight of the covered institution.

Subd. 2.Board of directors; alternative.

If a covered institution has not received approval to service loans by a government-sponsored enterprise or the Government National Mortgage Association, or if a government-sponsored enterprise or the Government National Mortgage Association has granted approval for a board of directors alternative, the covered institution may establish a similar body constituted to exercise oversight and fulfill the responsibilities specified under subdivision 3.

Subd. 3.Board of directors; responsibilities.

The board of directors must:

(1) establish a written corporate governance framework, including appropriate internal controls designed to monitor corporate governance and assess compliance with the corporate governance framework, and must make the corporate governance framework available to the commissioner upon request;

(2) monitor and ensure the covered institution complies with (i) the corporate governance framework; and (ii) sections 58.20 to this section; and

(3) perform accurate and timely regulatory reporting, including filing the mortgage call report.

Subd. 4.Internal audit.

The board of directors must establish internal audit requirements that (1) are appropriate for the size, complexity, and risk profile of the servicer; and (2) ensure appropriate independence to provide a reliable evaluation of the servicer's internal control structure, risk management, and governance. The board-established internal audit requirements and the results of internal audits must be made available to the commissioner upon request.

Subd. 5.External audit.

(a) A covered institution must receive an external audit, including audited financial statements and audit reports, that is conducted by an independent public accountant annually. The external audit must be made available to the commissioner upon request.

(b) The external audit must include, at a minimum:

(1) annual financial statements, including (i) a balance sheet; (ii) a statement of operations and income statement; and (iii) cash flows, including notes and supplemental schedules prepared in accordance with generally accepted accounting principles;

(2) an assessment of the internal control structure;

(3) a computation of tangible net worth;

(4) validation of mortgage servicing rights valuation and reserve methodology, if applicable;

(5) verification of adequate fidelity and errors and omissions insurance; and

(6) testing of controls related to risk management activities, including compliance and stress testing, if applicable.

Subd. 6.Risk management.

(a) Under oversight by the board of directors, a covered institution must establish a risk management program that identifies, measures, monitors, and controls risk commensurate with the covered institution's size and complexity. The risk management program must have appropriate processes and models in place to measure, monitor, and mitigate financial risks and changes to the servicer's risk profile and assets being serviced.

(b) The risk management program must be scaled to the size and complexity of the organization, including but not limited to:

(1) the potential that a borrower or counterparty fails to perform on an obligation;

(2) the potential that the servicer (i) is unable to meet the servicer's obligations as the obligations come due as a result of an inability to liquidate assets or obtain adequate funding; or (ii) cannot easily unwind or offset specific exposures;

(3) the risk resulting from (i) inadequate or failed internal processes, people, and systems; or (ii) external events;

(4) the risk to the servicer's condition resulting from adverse movements in market rates or prices;

(5) the risk of regulatory sanctions, fines, penalties, or losses resulting from the failure to comply with laws, rules, regulations, or other supervisory requirements that apply to the servicer;

(6) the potential that legal proceedings against the institution resulting in unenforceable contracts, lawsuits, legal sanctions, or adverse judgments can disrupt or otherwise negatively affect the servicer's operations or condition; and

(7) the risk to earnings and capital arising from negative publicity regarding the servicer's business practices.

Subd. 7.Risk management assessment.

A covered institution must conduct a risk management assessment on an annual basis. The risk management assessment must conclude with a formal report to the board of directors and must be made available to the commissioner upon request. A covered institution must maintain evidence of risk management activities throughout the year and must include the evidence of risk management activities as part of the report. The risk management assessment must include issue findings and the response or action taken to address the issue findings.