The SAFE Act requires annual "independent testing for compliance with this part" per 1007.104 "Policies and Procedures". Does this mean that as long as we review the policies and procedures to ensure all parts of 1007.104 are covered that is sufficient for the annual independent test? OR, does the annual independent testing requirement mean that we are required to test all parts of the Act each year (for example: every year we must test for the use of the unique identifier, to ensure all MLOs are properly registered, the annual renewal process, etc.)? I'm unclear exactly how in-depth we must test to meet the annual independent testing requirements. Any suggestions or resources would be helpful. Thanks!

My opinion only, but reviewing policies and procedures for coverage isn't testing. Learned the hard way - just because the procedures say it happens, doesn't mean it does.

We compare internal reports with the NMLS data report (location/phone/NMLS/nicknames/etc.), validated LOS access abilities and required training, tested NMLS holders for email signatures/replies containing their NMLS (including users that had email on their phones), compared hire/fire reports for updating NMLS, etc. If you have good reporting and a decent excel user, it isn't that bad.

Any audit (or independent testing) should be risk based, based on the size and complexity of the organization. That said, I agree with Monster that looking only at the written policies and procedures without conducting actual testing for compliance wouldn't be enough.

To back this up, look at the CFPB's SAFE Act exam procedures here: https://files.consumerfinance.gov/f/201203_cfpb_update_SAFE_Act_Exam_Procedures.pdf. You will see that the exam procedures specifically say this: "If the institution has failed to adopt policies and procedures and to perform annual independent compliance tests, the examiners should address the violation in the examination report and require corrective action." As you can see, they specifically call it "compliance tests" rather than "a review of policies and procedures."

The exam procedures would also be a great starting point for you to base your annual independent review.

Thank you!

FWIW I do my review based on the Examination Procedures in the FDIC Compliance Examination Manual section V-15.1

Thank you, Dan. This is what is confusing me...how much of the compliance testing is required to meet the annual independent testing requirement? For example, do we have to conduct compliance testing for each item in the exam procedures fully or maybe we can limit it to a small sample size. Basically, I am trying to identify the minimum requirements for testing. This is a pretty simple audit, and I've done it in a couple days at small banks. However, in a larger bank with a formal audit process and GRC system, there is still a lot of work (mainly documentation) for each workpaper we do so I'm trying to see if there is anything we can cut and still meet the annual independent testing requirements.

I address each question but we are a small institution. Below are a couple of examples.

1) Determine whether the financial institution, or any of its subsidiaries, has one or more MLO employees. For those institutions without any MLO employees, these examination procedures do not need to be completed. (12 CFR 1007.103(a)(2))

The Peoples State Bank currently has thirty (30) employees designated as a MLO with one pending registration.


b) Require that all employees of the financial institution who are MLOs be informed of the registration requirements of the SAFE Act and the SAFE Act regulation and be instructed on how to comply with such requirements and procedures; (12 CFR 1007.104(b))

Administration of the SAFE Act requirements for the bank is the responsibility of the Human Resource Director. The HR director informs all existing MLOs of any applicable changes to the registration process and renewals when they come due. The HR director also goes over the SAFE Act requirements with any MLO new hire.

The following employees were added as a MLO after the July 2021 review:

Name NMLS#
XXXX XXXXXXX

The following employees were terminated after the July 2021 review;

Name NMLS#
XXXXX XXXXX

All required re-registrations have been properly acknowledged by NMLS-Notification.

c) Establish procedures to comply with the unique identifier requirements in Section 105 of the SAFE Act regulation; (12 CFR 1007.104(c))

.105 (a) - The NMLS numbers are maintained by the HR Director.
.105(b) (1) (2) & (3) – It is the bank’s procedure for each MLO to provide a consumer upon request their business card which displays the MLO’s NMLS number. In addition each time a consumer applies for a mortgage loan transaction they are provided an application packet with the MLO’s business card. All written correspondence which includes paper and electronic communication includes the MLO’s NMLS number.


The HR Director provides me with documentation for new and renewed MLO registrations. Once the HR director provides me the documentation I can generally finalize the review within a day's time.