Hardly a day goes by without the revelation of another information security breach leaving thousands of consumers’ private information exposed to hackers and for sale to the highest bidders. Major retailers, financial institutions and educational institutions continue to be favorite targets of cyber criminals. As was seen in the recent breech with mega-retailer Target Corporation, hackers have found it easier to focus on less secure business partners to gain access. In the Target case, the retailer was compromised through a third-party vendor with access to Target systems. It’s also a scary fact that this may be the case with your financial institution as well.
According to the Office of the Comptroller of the Currency (OCC), a division of the U.S. Treasury, the risk of cyber threats is growing and electronic bank fraud is increasing. The OCC reports cyber threats are growing in sophistication and frequency, and require heightened awareness and appropriate resources to identify and mitigate the associated risks. “The costs and resources needed to manage the risks continue to increase; at the same time, the tools and knowledge to conduct the attacks are more readily available. Additionally, institutions’ early adoption of new technology and their growing reliance on third-party providers may expand the overall system’s vulnerabilities to these attacks,” the OCC reports.
What can homebuyers do?
In this environment of increasing risk, what can you as a homebuyer do when purchasing a new home or refinancing to ensure that your private information is well protected? Is all the information the bank or lender asked for protected? What about all of the other people involved in the transaction? After all, loan documents contain every possible piece of sensitive information about you and your spouse. Just imagine if that data fell into the wrong hands.
You can take some comfort that new, recently-adopted federal rules with large penalties for non-compliance and industry best practices are intended to help protect you. However, you would be well-advised to ask whether your providers – lenders, banking partners, etc. – are complaint with these rules because not all are and you need to protect yourself and your data as best as possible.
In 2010, the Dodd–Frank Wall Street Reform and Consumer Protection Act created the Consumer Financial Protection Bureau (CFPB) and provided authority for the CFPB to supervise financial institutions for compliance with federal consumer financial laws, including existing laws intended to protect your non-public personal information or NPI. Providing real estate settlement services to one of these regulated financial institutions (like your bank or mortgage lender) is deemed to be providing financial products or services under the Act. As a result, the CFPB can bring enforcement actions directly against a real estate settlement services provider (such as your title insurance agent) for a violation of a consumer financial protection law – if they fail to protect your documents and security information.
Title Companies and ‘Best Practices’
In response, the American Land Title Association (ALTA) created a detailed program of industry “best practices” intended to put settlement service providers (title agencies and escrow firms) in compliance with the CFPB regulations. On July 19, 2013, ALTA published its version 2.0 of “Title Insurance and Settlement Company Best Practices,” setting forth industry guidelines for business procedures and service levels. The best practices address seven main areas ranging from internal controls regarding trust accounts to protecting customers’ personal information and responding to complaints. However, Best Practice No. 3 deals specifically with protecting Non-Public Personal Information or NPI. In addition, Best Practice No. 3 includes requirements and procedures for physical security of computers, “clean desk” policies, risk management, disaster recovery, information security practices and methods for the encryption of private data.
For instance, loan and closing documents emailed to you containing NPI must be encrypted. Collectively, these practices are a means for settlement service providers to address the need for increased lender oversight and to ensure necessary safeguards to protect consumers. The implementation of the Best Practices is voluntary but an important means to ensure reduction of risk in the overall financial system and to protect against identity fraud. Banks, including large national institutions like Wells Fargo, have embraced the Best Practices Program.
Under the ALTA Best Practice Program, settlement service providers perform a detailed review and assessment of their operations — typically using an experienced third-party expert. The resulting “Best Practice Certification Package” is then used to certify to consumers, mortgage originators and mortgage servicers that the assessment found the firm to be in compliance with the ALTA Best Practices in all material respects and represent that the firm will remain in compliance for the next two years.
So back to the original question – what can you do to ensure that your mortgage loan data is kept safe and secure? One thing you can do is to ask your title agency about its participation in the ALTA Best Practice program and whether it has undergone a Best Practices Review. If not, you may want to ask for another title agency.
Chuck Matthews is a 30-year veteran of the banking and real estate industries. He is the Chairman and CEO of WGM Associates LLC, a Scottsdale-based information technology and security consultancy.
