Data security is a tremendous concern these days. It seems like every week we learn about the latest data breach that left countless identities vulnerable to thieves and scammers. The average total cost of a data breach in 2017 in the United States was $7.4 million.
Like many industries, mortgage originators are vulnerable to stolen data. Loan officers benefit from their bank’s security measures, but even those protocols have gaps, as evidenced by mortgage data breaches like the ones at BMO and Simplii or the Cleveland Federal Reserve.
Consumers want to maintain careful control over their personal and financial information. That includes the information they submit on mortgage applications or send to brokers and lenders.
Homebuyer information is especially attractive to hackers because it includes secondary data points that can be used to qualify targets. Think about what kind of data you capture in a mortgage application:
With just that application, a malicious party could wreak havoc on your clients’ identities for years. Even worse, if a hacker were to obtain and use your clients’ information quickly, it might affect the loan process. This means if you don’t safeguard your clients’ information, you could actually cost yourself the deal.
As a mortgage originator, it’s crucial that you put systems in place to protect your clients from mortgage data breaches, educate them about proper security practices, and notify them in the event of a breach.
Protecting your data isn’t just a good idea. You’re bound by law to safeguard your clients’ private information.
The Consumer Financial Protection Bureau (CFPB) is a federal agency that develops and enforces financial regulations. It was created after the 2008 financial crisis as part of the Dodd-Frank Act to combat deceptive practices in mortgages and other financial products.
The CFPB regulates how you’re supposed to protect the privacy of your clients. It enforces the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and other pieces of legislation, and it has the ability to penalize companies that violate its regulations with fines of up to $1 million per day.
In 2016, the CFPB began to focus on financial data security with an enforcement action against Dwolla, an online payment service, for deceiving consumers about its data security practices and the safety of its online payment system.
As a mortgage originator, you must adhere to its regulations regarding how you handle your clients’ Non-Public Information. According to the FTC, Non-Public Information is defined as “any ‘personally identifiable financial information’ that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise ‘publicly available.’”
This includes anything that personally identifies your client, information about their transactions, and anything else that wouldn’t be released to a third party without your client’s consent (court records, credit report, background check, etc.).
Maintaining compliance with the CFPB is only part of your job. You may have to comply with state and local laws as well. Check with your lawyer and/or accountant for accurate information regarding your specific situation.
As you can see, Non-Public Information is a broad category; it is therefore smartest and safest to assume that anything you know about your clients should be protected.
Encryption is the process of scrambling data using an electronic key. Only parties with the key can decrypt and read the data. Everyone else just sees nonsense.
This technique drastically decreases the chance of malicious parties abusing your clients’ information. Even if a breach of mortgage data were to occur, the thieves wouldn’t be able to read it without the key.
This means that encryption is your first and strongest line of defense. All the information you store and transmit should be encrypted. In fact, failing to encrypt your emails is a violation of the FTC Safeguards Rule.
And yet, many mortgage companies and originators send unsafe emails. According to one investigation, 70% of the mortgage industry permits borrowers to submit applications and loan documents via unencrypted email. Only 12% offer a secure portal for safely transmitting information.
Your emails may already be encrypted, depending on your email provider. It’s important to check. If your emails aren’t encrypted by default, consider using an encryption tool like Virtru, HushMail, or Enlocked.
Keep in mind, however, that encryption doesn’t completely protect you. It only works if you use it every time. If you or your team forget to turn it on, malicious parties will be able to read your correspondence.
Part of protecting your clients’ data means informing them about what you intend to do with it and giving them an opportunity to refuse or decline. Consumers always have a right to opt out.
For instance, if you share their information with any third parties, you must notify the client beforehand and ask them if they’d like to opt out. If they don’t want you to share their information with that third party, you are obliged to follow their wishes.
Generally, it’s best to create a privacy policy that you provide to your clients at the beginning of your relationship. Include your practices and anything they need to know, such as who you’ll share their information with. Then have them sign separate documents that give their express permission to share their data with each third party.
You don’t, however, need to offer opt-out notices for people who work on your team handling paperwork, consumer reporting agencies, or your lawyer.
Like a lot of mortgage originators (and financial professionals), you may assume that your data is safe in a cloud service like Google Drive or Dropbox. Surely those services have stronger security protocols than you could ever implement on your own, right?
While it’s true that these services invest in security, there’s still a tremendous risk.
According to a study by the Ponemon Institute on the Risk of Insecure File Sharing, cloud storage is the riskiest way to store and share information. (The second riskiest method, by the way, is unencrypted email.)
Even worse, IT teams from the organizations surveyed were asked if they audit or assess whether documents are stored or shared according to the relevant laws and regulations. 64% reported that their companies don’t have any assessment policies, and 6% didn’t know if they did.
Furthermore, higher profile organizations pose a bigger target for hackers. Instead of infiltrating independent brokers or small banks, they spend their time attacking sources with the biggest caches of data. Why breach a local mortgage broker when they can go after a trove like Dropbox?
The simplest and safest solution is to store your data on your own devices and back it up at a secondary location. This will ensure you never lose control of your clients’ information.
While there are plenty of security tools and protocols you can put in place, mistakes made by people are the biggest vulnerabilities. Disclosing Non-Public Information to the wrong party, entering the wrong email address in the “To” field, or clicking unknown links in your email are just some of the ways well-meaning mortgage originators expose their clients’ data.
It’s tempting to behave unsafely for the sake of convenience. You want to speed up the application process so you email that application to a lender instead of faxing it, or maybe you like to work in different places, so you store your files on Microsoft’s OneDrive. And rather than ask your clients to submit documents through a secure portal, you request they just attach their files to an email.
Hopefully this helps you understand why you should protect your data and how to get started. Real protection requires constant vigilance. It’s important to ask yourself “Am I being safe?” every time you correspond with a client or access a file. If you take data protection seriously and resist taking shortcuts for the sake of convenience, you’ll never expose your clients.