Lately when I talk to mortgage originators, I hear variations of the same questions and concerns: What are the legislators in Washington thinking? Why choose now to introduce potentially restrictive regulations such as RESPA, the Gramm-Leach-Bliley Act, and the “Do Not Fax” rule on the one market segment that has been carrying the sagging U.S. economy for the past 18 months?
Though most of the attention has been focused on RESPA reform, what impacts the future progress and promise of electronic data exchange today is Gramm-Leach-Bliley (GLB). Although it was created with good intentions, the final product is serious, penalty-driven legislation aimed at the financial infrastructure of the mortgage business, as well as other financial institutions. Yes, it protects confidential consumer information, and as technology advances ever faster and the speed and volume of data exchanged electronically grows exponentially, protecting consumer information is crucial.
It is important to remember, however, that GLB is enforced by the Federal Trade Commission, an agency well known for its willingness to sacrifice the occasional business enterprise to protect consumer interests. If you are not prepared to meet the regulations, you could well be out of tens of thousands of dollars, and possibly, out of business.
Past assumptions of what constitutes a “secure” exchange of information no longer work in an era of massive digital databases, high-speed worldwide networks, and continuous, too often successful hacker attacks. What is important now is preparing for the potential implications of this legislation and how it will affect the way originators conduct business. Without new technologies, the mortgage industry could have never successfully managed the massive refi boom (that’s sustained our nation’s economy) as it has. But can technology help the mortgage industry negotiate the minefield of emerging regulatory hurdles?
Through technology, the ability to commit fraud with a simple click of the mouse has been introduced, and hackers seem to be one step ahead of many “secure” firewalls and protected databases. In order to address the concerns of borrowers and the requirements of GLB, the mortgage industry must look at current technologies and what changes must be made, specifically in the arena of security.
The GLB Act that Congress produced was not specifically aimed at mortgage brokers when it was originally drafted. It was the FTC that included all mortgage brokers in its definition of “financial institution”—even those who don’t function as correspondent lenders. Because the services included in the FTC’s definition of “financial institution” are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities, brokers must take immediate steps to change the way they exchange information.
First, mortgage professionals must have a privacy plan that the FTC approves and ensure that their customers specifically give authorization to exchange their information with “non-affiliated third parties.” The new rules mandate a $10,000 fine for every infraction.
When you figure that e-mailing a normal, unencrypted loan file to anyone at all constitutes an infraction, and multiply that by the number of unsecured borrower e-mails a mortgage company typically exchanges with lenders and settlement service providers, you begin to grasp the tremendous risk to your organization’s financial health that GLB represents.
Brokers can forget about flying under the FTC’s radar on this. This particular federal agency is designed primarily to respond to consumer complaints, and anyone—your competitors included—can present themselves as a consumer.
So, what’s the good news? The same technology revolution that gave us the ability to outstrip existing privacy regulations has also given us the tools to comply with the new ones. Here are some steps I would recommend for developing a GLB compliance plan:
Step 1. If you collect and store information electronically, implement electronic documents that bind data in an encrypted, immutable file. Know what private information you are responsible for protecting and apply security in all formats. GLB applies to “nonpublic personal information” that your company gathers and discloses about customers—in practice, most information connected with loans.
Step 2. If your company operates a computer network, place it and any database you use to store information behind an effective commercial firewall. Many commercial firewall programs are commonly available and the investment is worth it. If your processors and loan originators have individual Internet access, choose the best personal computer firewall program you can afford and supply each of them with a license to install it on their computer and ensure that they do so. It seems obvious, but make sure your office computers are “physically” secure. If not, make it so.
Step 3. Immediately stop e-mailing borrower files or borrower information. Your loan origination system should provide you with a means for securely transferring just the specific information that your lenders, service providers, and GSEs need in order to facilitate your request for products and services. In fact, your LOS should also provide you with a secure process for transferring your borrower files within your own branch or corporate network.
Step 4. If your LOS does not provide these levels of security, in order to continue doing business with outside entities—while staying in compliance with GLB—you will have to add Secure Sockets Layer (SSL) functionality to your network or to each of your employees’ computers. If you are reasonably computer literate, you may be able to do this yourself. If you have any doubts, however, invest in the services of an IT professional to do it for you.
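As an added illustration of what Step 1’s “encrypted, immutable file” means in practice (example code written for this article, not part of any loan origination system), the following Go program seals a constructed borrower record with AES-GCM, which both encrypts the data and makes any later alteration detectable; the file layout, the `loan-file-v1` label and the in-memory key are assumptions, and in a real deployment the key would come from a key store rather than being generated per run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// label is bound into the authentication tag so a sealed file cannot be
// presented as some other kind of record (assumed value for this example).
var label = []byte("loan-file-v1")

// SealLoanFile returns nonce || ciphertext || tag. AES-GCM supplies both
// confidentiality and integrity: any change to the output fails OpenLoanFile.
func SealLoanFile(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenLoanFile verifies the tag and decrypts; a tampered or mislabeled file
// yields an error instead of plaintext.
func OpenLoanFile(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed file too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key := make([]byte, 32) // constructed AES-256 key; use a key store in practice
	rand.Read(key)
	sealed, _ := SealLoanFile(key, []byte("borrower=Jane Doe;loan=123456")) // constructed sample
	sealed[len(sealed)-1] ^= 0x01 // simulate one flipped byte in transit
	_, err := OpenLoanFile(key, sealed)
	fmt.Println("tampered file rejected:", err != nil)
}
```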
In addition to these technological safeguards, consider developing privacy-protection procedures for employees to use in conducting your company’s day-to-day business. Create a “customer privacy” training course for your staff and make it a mandatory requirement of employment at your firm. Be sure they understand the new legal requirements and how to implement them in real life. How your people handle customer data is the most important link in the chain of responsibility.
Also, summarize your capabilities, supporting technologies, and employee procedures in a single document. This will become your legally required “Privacy Notice” under GLB, defined as “a clear, conspicuous, and accurate statement of the company’s privacy practices,” including “what information the company collects about its customers, with whom it shares the information, and how it protects or safeguards the information.”
In my opinion, only when you have the technology in place to effectively protect your business and comply with the Gramm-Leach-Bliley Act will you be appropriately prepared to face the changes and challenges of the future.