By Christopher J. Gulotta, Real Estate Data Shield Inc.
and Bud Walder, DataMotion
These days, it seems that major data breaches, identify theft and data security are continuously in the news – and for good reason.
Computer hackers around the globe, whether organized or individuals, know they can steal with relative impunity from the comfort and safety of their home offices.
Yes – theft is now a work from home opportunity – and a growing one at that. Smart identity thieves and hackers have identified the most vulnerable companies and are now turning their focus to small to mid-sized companies, especially real estate professionals who often hold large amounts of transactional funds in escrow.
While regulation to protect data that is targeted has been aimed first and foremost at financial institutions, it is now being applied to the financial transaction supply chains, other service providers or vendors that handle the data, and in some cases the funds as well.
So let’s talk turkey – in the real estate transaction business, we are talking about mortgage lenders, underwriters, and title and settlement agents.
Of course, real estate professionals are constantly engaging these supply chains – so they are increasingly in the chain of responsibility when it comes to protecting clients’ money and non-public personal information (NPPI) that is coveted by on-line thieves for identity theft scams.
But only now are these smaller real estate settlement service providers beginning to invest in network, physical and administrative security as required by Gramm-Leach Bliley Act and FTC privacy safeguard regulations.
Lenders, regulators, and title underwriters recognize that independent title and settlement agents (ITSAs) play a critical role in the facilitation of mortgage finance transactions.
These mostly small and closely-held companies possess the local knowledge, expertise, efficiency and coverage needed, and provide consumers, lenders, and title underwriters with the ability to consummate such transactions nationwide, with nearly unlimited scalability, on a daily basis.
Beyond ensuring that lenders are primary lien holders, the role of ITSAs requires that they have extensive contact with consumers and lenders, handle highly sensitive NPPI, and receive and disburse huge sums of funds funneled through mortgage disbursement and other escrow accounts.
This requires lenders, consumers and scores of parties involved in such transactions to reach beyond the traditional expertise of ITSAs and to rely upon on their fidelity and adherence to a score of expanding federal and state laws, rules and regulations.
The various regulatory agencies emphasize and generally are in agreement on the following key points and expectations regarding lenders’ risk management of their third-party service providers:
• Lenders are responsible for their third-party service providers: Lenders’ use of service providers does not diminish their responsibility to ensure that all related activities are conducted in a safe and sound manner, consistent with applicable laws and regulations. In fact, service providers are subject to the same risk management, consumer protection and privacy obligations that would be expected if a lender was conducting the activities directly. Service providers are also subject to the same regulatory oversight and scrutiny as lenders.
• Reliance on third-party relationships can significantly increase a lender’s risk profile. In particular, a lender’s strategic, reputation, compliance, and transaction risks are all heightened by the use of third-party service providers.
• To control this risk, lenders should adopt a risk management process (RADDCO). A risk management process should include: (a) A risk assessment to identify the lender’s needs and requirements; (b) proper due diligence to identify and select third-party service providers; (c) written contracts that outline duties, obligations, and responsibilities of the parties involved; and (d) ongoing oversight (monitoring) of the third parties and third-party activities.
• Lenders have flexibility in their oversight of third-party service providers. A lender’s risk management system should reflect the complexity of its third-party service provider activities and the overall level of risk involved. Each lender’s risk profile is unique and requires a tailored risk mitigation approach appropriate for the scale of its particular third-party relationships, the materiality of the risks present and the ability of the lender to manage those risks. Thus, no single system is ideal for every lender or circumstance.
Heightened legal and regulatory compliance requirements are only part of the picture. In addition, leading institutions have become more involved in the regulatory arena, including multiple federal and state regulators, lenders, and the industry trade association, the American Land Title Association (ALTA).
Collectively, these parties aim at rendering the title and settlement process safe and sound and ensuring it is conducted in a manner that best protects consumers. ALTA’s Best Practices provides ITSAs with a tangible list of critical criteria that endeavors to reconcile all regulatory sources and industry mandates.
Compliance with ALTA’s best practices in some areas can be considered common sense in terms of managing sensitive data within the workplace.
Physical tactics and office procedure policy can be employed to ensure data is not easily accessible by theft of equipment or documents. When it comes to protecting against hackers and the on-line theft and abuse of NPPI or transaction funds, it is important to digitally protect data – whether it is in motion or at rest.
The primary (and simplest) method to foil would-be data thieves is through encryption software and services. While this often conjures up complex algorithms and private keys, implementing encryption for stored data is low-cost and easy to implement, and encryption services and solutions for data in motion (via email and file transfer) are similarly low-cost, easy to source and use – even for untrained recipients of encrypted messages.
While the current sensitivity and regulatory environment is not currently focused on the real estate professional’s role in NPPI data exchange security, clearly the “long-tail of compliance” is wagging through the supply-chain that realtors rely upon to get their jobs done. Awareness, as well as professional sensitivity to their need to protect NPPI and transaction funds, is in the best interest of the industry and its valued clients.
And now that regulators, lenders and data thieves are turning their attention to the most vulnerable companies in this “dollar” and “data” supply chain, real estate professionals – real estate brokers, mortgage brokers, title & settlement agents, escrow companies, and all who traffic in highly sensitive non-public personal information and/or transactional proceeds – are on notice that they are being targeted.
Smart real estate professionals will see data security compliance as an opportunity to distinguish their company from competitors and recognize that in this new age of compliance, marketing is indeed the new marketing.